trustsource 0.2.0

package/mcp-server/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "trustsource-mcp",
+  "version": "0.1.0",
+  "description": "MCP server exposing TrustSource x402-paid domain verification APIs (trust score, SSL check, security headers, robots.txt) to any MCP-compatible client.",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "trustsource-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    ".env.example",
+    "smithery.yaml"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "tsx watch src/index.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "x402",
+    "trustsource",
+    "domain-verification",
+    "ssl",
+    "trust-score",
+    "ai-agents",
+    "agentic-payments",
+    "base-mainnet",
+    "usdc"
+  ],
+  "author": "TrustSource <hello@trustsource.cc>",
+  "license": "MIT",
+  "homepage": "https://trustsource.cc",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/SurfEther/TrustSourceX402.git",
+    "directory": "mcp-server"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@x402/fetch": "^2.13.0",
+    "viem": "^2.50.4",
+    "zod": "^3.23.0",
+    "dotenv": "^16.4.5"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "tsx": "^4.15.1",
+    "typescript": "^5.4.5"
+  }
+}

package/mcp-server/smithery.yaml

@@ -0,0 +1,45 @@
+startCommand:
+  type: stdio
+  configSchema:
+    type: object
+    required:
+      - walletPrivateKey
+    properties:
+      walletPrivateKey:
+        type: string
+        title: Wallet Private Key
+        description: >-
+          Base Mainnet wallet private key that holds USDC (for per-call fees) and
+          a small amount of ETH (for gas). Each TrustSource API call costs
+          $0.002–$0.003 USDC, settled atomically on Base via the x402 protocol.
+        format: password
+      apiUrl:
+        type: string
+        title: TrustSource API URL
+        description: Override the TrustSource API base URL. Leave default unless self-hosting.
+        default: https://api.trustsource.cc
+  commandFunction: |-
+    (config) => ({
+      command: 'npx',
+      args: ['-y', 'trustsource-mcp'],
+      env: {
+        WALLET_PRIVATE_KEY: config.walletPrivateKey,
+        TRUSTSOURCE_API_URL: config.apiUrl || 'https://api.trustsource.cc'
+      }
+    })
+build:
+  dockerfile: ../Dockerfile
+metadata:
+  name: TrustSource
+  description: >-
+    Four x402-paid domain verification tools for AI agents — trust scoring,
+    SSL/TLS certificate intelligence, HTTP security header audit, and
+    robots.txt + AI bot policy detection. Pays per call in USDC on Base
+    Mainnet. No API keys, no signups.
+  homepage: https://trustsource.cc
+  license: MIT
+  categories:
+    - security
+    - web
+    - verification
+    - x402

package/mcp-server/src/index.ts

@@ -0,0 +1,171 @@
+/**
+ * TrustSource MCP Server
+ *
+ * Exposes the four TrustSource x402-paid HTTP APIs as MCP tools:
+ *   - trustsource_score    — domain trust scoring ($0.003 USDC)
+ *   - trustsource_ssl      — TLS/SSL certificate intelligence ($0.002 USDC)
+ *   - trustsource_headers  — HTTP security header audit ($0.003 USDC)
+ *   - trustsource_robots   — robots.txt + AI bot policy ($0.002 USDC)
+ *
+ * Payment is per-call in USDC on Base Mainnet via the x402 protocol.
+ * The caller's wallet (set via WALLET_PRIVATE_KEY) must hold USDC and
+ * a small amount of ETH for gas. No API keys.
+ */
+
+import "dotenv/config";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { x402Client, wrapFetchWithPayment } from "@x402/fetch";
+import { registerExactEvmScheme } from "@x402/evm/exact/client";
+import { privateKeyToAccount } from "viem/accounts";
+import { z } from "zod";
+
+// ─── Config ──────────────────────────────────────────────────────────────────
+
+const BASE_URL =
+  process.env.TRUSTSOURCE_API_URL?.replace(/\/$/, "") ??
+  "https://api.trustsource.cc";
+
+const PRIVATE_KEY = process.env.WALLET_PRIVATE_KEY;
+
+if (!PRIVATE_KEY) {
+  // Write to stderr so it does not interfere with the stdio transport.
+  console.error(
+    "[trustsource-mcp] FATAL: WALLET_PRIVATE_KEY environment variable is required.\n" +
+      "Provide a Base Mainnet wallet private key that holds USDC and a small amount of ETH for gas.\n" +
+      "See https://trustsource.cc for funding instructions.",
+  );
+  process.exit(1);
+}
+
+const signer   = privateKeyToAccount(PRIVATE_KEY as `0x${string}`);
+const client   = new x402Client();
+registerExactEvmScheme(client, { signer });
+const fetch402 = wrapFetchWithPayment(fetch, client);
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+type ToolResult = {
+  content: { type: "text"; text: string }[];
+  isError?: boolean;
+};
+
+async function callApi(path: string, params: Record<string, string>): Promise<ToolResult> {
+  const qs = new URLSearchParams(params).toString();
+  const url = `${BASE_URL}${path}?${qs}`;
+
+  try {
+    const res = await fetch402(url, { method: "GET" });
+    const text = await res.text();
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      parsed = { raw: text, status: res.status };
+    }
+
+    if (!res.ok) {
+      return {
+        isError: true,
+        content: [
+          {
+            type: "text",
+            text: `HTTP ${res.status} from ${path}:\n${JSON.stringify(parsed, null, 2)}`,
+          },
+        ],
+      };
+    }
+
+    return {
+      content: [{ type: "text", text: JSON.stringify(parsed, null, 2) }],
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return {
+      isError: true,
+      content: [
+        {
+          type: "text",
+          text: `[trustsource-mcp] Request to ${path} failed: ${msg}`,
+        },
+      ],
+    };
+  }
+}
+
+// ─── Server ──────────────────────────────────────────────────────────────────
+
+const server = new McpServer({
+  name: "trustsource",
+  version: "0.1.0",
+});
+
+// Tool 1: TrustScore — domain trust scoring
+server.tool(
+  "trustsource_score",
+  "Score a domain's overall trustworthiness (0–100) using WHOIS age, TLD risk class, DNS presence (A + MX records), and registrar reputation. Returns tier TRUSTED (75+) / MODERATE (50–74) / CAUTION (25–49) / HIGH_RISK (0–24). Use before transacting with, recommending, or following links to an unfamiliar domain. Cost: $0.003 USDC per call. Cached 1 hour server-side.",
+  {
+    domain: z
+      .string()
+      .min(1)
+      .max(253)
+      .describe("Domain to score, e.g. 'example.com' (do not include scheme or path)"),
+  },
+  async ({ domain }) => callApi("/trustscore", { domain }),
+);
+
+// Tool 2: SslCheck — TLS certificate intelligence
+server.tool(
+  "trustsource_ssl",
+  "Perform a live TLS handshake to a domain and return SSL/TLS certificate intelligence: chain validity, trusted root CA detection, expiry date and days remaining, signature algorithm, TLS protocol version, and cipher quality. Returns 0–100 score and tier VALID / EXPIRING / WEAK / EXPIRED / UNTRUSTED / INVALID. Use before sending credentials, posting forms, downloading code, or making any HTTPS request to a domain you do not fully trust. Cost: $0.002 USDC per call. Cached 1 hour server-side.",
+  {
+    domain: z
+      .string()
+      .min(1)
+      .max(253)
+      .describe("Domain to check, e.g. 'example.com'"),
+  },
+  async ({ domain }) => callApi("/sslcheck", { domain }),
+);
+
+// Tool 3: Headers — HTTP security header audit
+server.tool(
+  "trustsource_headers",
+  "Audit a URL's HTTP security headers and return a defense-in-depth letter grade A+ through F. Checks HSTS (Strict-Transport-Security), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-* headers. Use when crawling, embedding, building integrations against, or auditing a site. Note: many legitimate marketing sites grade F — this measures hardening, not active vulnerabilities. Cost: $0.003 USDC per call. Cached up to 12 hours server-side.",
+  {
+    url: z
+      .string()
+      .min(1)
+      .max(2048)
+      .describe("Full URL to audit, e.g. 'https://example.com'"),
+  },
+  async ({ url }) => callApi("/headers", { url }),
+);
+
+// Tool 4: Robots — robots.txt + AI bot policy
+server.tool(
+  "trustsource_robots",
+  "Fetch and parse a domain's robots.txt, with policy detection across 24 known AI crawlers (GPTBot, ClaudeBot, PerplexityBot, Google-Extended, CCBot, Bytespider, etc.). Returns tier OPEN / SELECTIVE / BLOCKED_AI / BLOCKED_ALL / NO_ROBOTS_TXT. Use BEFORE any crawling, scraping, RAG ingestion, training-data collection, or page summarization. If tier is BLOCKED_AI or BLOCKED_ALL the agent should refuse to crawl. Cost: $0.002 USDC per call. Cached up to 12 hours server-side.",
+  {
+    domain: z
+      .string()
+      .min(1)
+      .max(253)
+      .describe("Domain to check, e.g. 'example.com'"),
+  },
+  async ({ domain }) => callApi("/robots", { domain }),
+);
+
+// ─── Boot ────────────────────────────────────────────────────────────────────
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error(`[trustsource-mcp] Connected. Buyer wallet: ${signer.address}`);
+}
+
+main().catch((err) => {
+  console.error("[trustsource-mcp] FATAL:", err);
+  process.exit(1);
+});

package/mcp-server/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["node"],
+    "resolveJsonModule": true,
+    "outDir": "dist",
+    "rootDir": "src",
+    "declaration": false,
+    "sourceMap": false
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "trustsource",
+  "version": "0.2.0",
+  "description": "x402-powered intelligence APIs for AI agents",
+  "type": "module",
+  "scripts": {
+    "dev": "tsx watch src/server.ts",
+    "build": "tsc",
+    "start": "node dist/server.js"
+  },
+  "dependencies": {
+    "@coinbase/x402": "^2.1.0",
+    "@x402/core": "latest",
+    "@x402/evm": "latest",
+    "@x402/express": "^2.13.0",
+    "@x402/extensions": "latest",
+    "@x402/fetch": "^2.13.0",
+    "cors": "^2.8.5",
+    "dotenv": "^16.4.5",
+    "express": "^4.18.2",
+    "express-rate-limit": "^8.5.2",
+    "viem": "^2.50.4",
+    "whois-json": "^2.0.4"
+  },
+  "devDependencies": {
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.14.0",
+    "tsx": "^4.15.1",
+    "typescript": "^5.4.5"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}