vat-validator-mcp 1.0.0 → 1.4.2

package/src/server.js

@@ -4,14 +4,15 @@ const crypto = require('crypto');
 const fs = require('fs');
 
 const PERSIST_FILE = '/tmp/vat_stats.json';
-const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
 const RESEND_API_KEY = process.env.RESEND_API_KEY || '';
+const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
 const PORT = process.env.PORT || 3000;
 const STATS_KEY = process.env.STATS_KEY || 'ojas2026';
 
 const freeTierUsage = new Map();
 const usageLog = [];
 const FREE_TIER_LIMIT = 20;
+const FREE_TIER_WARNING = 16; // warn at 80% usage
 const apiKeys = new Map();
 const PLAN_LIMITS = { pro: 5000, enterprise: Infinity };
 
@@ -30,24 +31,24 @@ function loadStats() {
       const data = JSON.parse(fs.readFileSync(PERSIST_FILE, 'utf8'));
       if (data.freeTierUsage) data.freeTierUsage.forEach(([k, v]) => freeTierUsage.set(k, v));
       if (data.usageLog) usageLog.push(...data.usageLog);
-      console.log(`Stats loaded: ${freeTierUsage.size} IPs, ${usageLog.length} calls`);
+      console.log('Stats loaded: ' + freeTierUsage.size + ' IPs, ' + usageLog.length + ' calls');
     }
   } catch(e) { console.error('Stats load error:', e.message); }
 }
 
 function generateApiKey() { return 'vat_' + crypto.randomBytes(24).toString('hex'); }
-
 function getPlanFromProduct(name) {
   if (!name) return 'pro';
   return name.toLowerCase().includes('enterprise') ? 'enterprise' : 'pro';
 }
+function nowISO() { return new Date().toISOString(); }
 
 async function sendEmail(to, subject, html) {
   return new Promise((resolve) => {
     const body = JSON.stringify({ from: 'VAT Validator MCP <ojas@kordagencies.com>', to: [to], subject, html });
     const req = https.request({
       hostname: 'api.resend.com', path: '/emails', method: 'POST',
-      headers: { 'Authorization': `Bearer ${RESEND_API_KEY}`, 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }
+      headers: { 'Authorization': 'Bearer ' + RESEND_API_KEY, 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }
     }, res => { let d = ''; res.on('data', c => d += c); res.on('end', () => resolve({ status: res.statusCode, body: d })); });
     req.on('error', e => resolve({ error: e.message }));
     req.write(body); req.end();
@@ -57,39 +58,101 @@ async function sendEmail(to, subject, html) {
 async function sendApiKeyEmail(email, apiKey, plan) {
   const planLabel = plan === 'enterprise' ? 'Enterprise' : 'Pro';
   const limit = plan === 'enterprise' ? 'Unlimited' : '5,000';
-  const html = `<!DOCTYPE html><html><body style="font-family:monospace;background:#080A0F;color:#E8EDF5;padding:40px;max-width:600px;margin:0 auto"><div style="border:1px solid rgba(0,229,195,0.3);border-radius:8px;padding:32px"><div style="color:#00E5C3;font-size:13px;letter-spacing:0.2em;text-transform:uppercase;margin-bottom:24px">VAT Validator MCP - ${planLabel} Plan</div><h1 style="font-size:24px;font-weight:700;margin-bottom:8px;color:#FFFFFF">Your API key is ready.</h1><p style="color:#8A95A8;margin-bottom:32px">Welcome to VAT Validator MCP. Here is everything you need to get started.</p><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;letter-spacing:0.15em;text-transform:uppercase;margin-bottom:8px">Your API Key</div><div style="color:#00E5C3;font-size:14px;word-break:break-all;font-weight:500">${apiKey}</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;letter-spacing:0.15em;text-transform:uppercase;margin-bottom:12px">Add to your MCP config</div><div style="color:#86EFAC;font-size:12px;line-height:2">{<br>&nbsp;&nbsp;"vat-validator": {<br>&nbsp;&nbsp;&nbsp;&nbsp;"url": "https://vat-validator-mcp-production.up.railway.app",<br>&nbsp;&nbsp;&nbsp;&nbsp;"headers": { "x-api-key": "${apiKey}" }<br>&nbsp;&nbsp;}<br>}</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;letter-spacing:0.15em;text-transform:uppercase;margin-bottom:12px">Your Plan</div><div style="color:#E8EDF5;font-size:13px;line-height:2">Plan: ${planLabel}<br>VAT validations: ${limit}/month<br>Batch validation: ${plan === 'enterprise' ? 'Included' : 'Up to 10 per call'}<br>All tools included</div></div><div style="background:#0D1219;border:1px solid rgba(255,255,255,0.07);border-radius:6px;padding:16px;margin-bottom:24px;font-size:11px;color:#5A6478;line-height:1.7">By using your API key you agree to the VAT Validator MCP Terms of Service at <a href="https://kordagencies.com/terms.html" style="color:#00E5C3">kordagencies.com/terms.html</a>. Results are provided for informational purposes only and do not constitute legal or tax advice. You must independently verify all results with a qualified tax advisor before making compliance decisions. Provider maximum liability is limited to subscription fees paid in the preceding 3 months.</div><p style="color:#5A6478;font-size:12px">Questions? Email ojas@kordagencies.com</p><p style="color:#5A6478;font-size:12px;margin-top:8px">Ojas, Kordagencies</p></div></body></html>`;
-  return sendEmail(email, `Your VAT Validator MCP ${planLabel} API Key`, html);
+  const html = '<!DOCTYPE html><html><body style="font-family:monospace;background:#080A0F;color:#E8EDF5;padding:40px;max-width:600px;margin:0 auto"><div style="border:1px solid rgba(0,229,195,0.3);border-radius:8px;padding:32px"><div style="color:#00E5C3;font-size:13px;letter-spacing:0.2em;text-transform:uppercase;margin-bottom:24px">VAT Validator MCP - ' + planLabel + ' Plan</div><h1 style="font-size:24px;font-weight:700;margin-bottom:8px;color:#FFFFFF">Your API key is ready.</h1><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">Your API Key</div><div style="color:#00E5C3;font-size:14px;word-break:break-all">' + apiKey + '</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">MCP Config</div><div style="color:#86EFAC;font-size:12px">{"vat-validator":{"url":"https://vat-validator-mcp-production.up.railway.app","headers":{"x-api-key":"' + apiKey + '"}}}</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#E8EDF5;font-size:13px">Plan: ' + planLabel + ' | Validations: ' + limit + '/month</div></div><div style="background:#0D1219;border-radius:6px;padding:16px;margin-bottom:24px;font-size:11px;color:#5A6478;line-height:1.7">Results are informational only. Verify with a qualified tax advisor. Liability capped at 3 months fees. Full terms: kordagencies.com/terms.html</div><p style="color:#5A6478;font-size:12px">Questions? ojas@kordagencies.com</p></div></body></html>';
+  return sendEmail(email, 'Your VAT Validator MCP ' + planLabel + ' API Key', html);
+}
+
+async function callClaude(prompt) {
+  return new Promise((resolve, reject) => {
+    const body = JSON.stringify({ model: 'claude-sonnet-4-6', max_tokens: 1024, messages: [{ role: 'user', content: prompt }] });
+    const req = https.request({
+      hostname: 'api.anthropic.com', path: '/v1/messages', method: 'POST',
+      headers: { 'x-api-key': ANTHROPIC_API_KEY, 'anthropic-version': '2023-06-01', 'content-type': 'application/json', 'content-length': Buffer.byteLength(body) }
+    }, res => { let d = ''; res.on('data', c => d += c); res.on('end', () => { try { resolve(JSON.parse(d).content?.[0]?.text || ''); } catch(e) { reject(e); } }); });
+    req.on('error', reject); req.write(body); req.end();
+  });
 }
 
-// Validate EU VAT number via VIES REST API
 async function validateVIES(countryCode, vatNumber) {
   return new Promise((resolve) => {
-    const path = `/taxation_customs/vies/rest-api/ms/${countryCode}/vat/${vatNumber}`;
     const req = https.request({
-      hostname: 'ec.europa.eu', path, method: 'GET',
+      hostname: 'ec.europa.eu',
+      path: '/taxation_customs/vies/rest-api/ms/' + countryCode + '/vat/' + vatNumber,
+      method: 'GET',
       headers: { 'Accept': 'application/json', 'User-Agent': 'VAT-Validator-MCP/1.0' }
     }, res => {
       let d = ''; res.on('data', c => d += c);
       res.on('end', () => {
         try { resolve({ source: 'VIES', data: JSON.parse(d) }); }
-        catch(e) { resolve({ source: 'VIES', error: 'Parse error', raw: d.slice(0, 200) }); }
+        catch(e) { resolve({ source: 'VIES', error: 'Parse error' }); }
       });
     });
     req.on('error', e => resolve({ source: 'VIES', error: e.message }));
-    req.setTimeout(8000, () => { req.destroy(); resolve({ source: 'VIES', error: 'Timeout — VIES unavailable, try again later' }); });
+    req.setTimeout(8000, () => { req.destroy(); resolve({ source: 'VIES', error: 'Timeout - VIES unavailable, try again later' }); });
+    req.end();
+  });
+}
+
+// HMRC OAuth 2.0 token cache
+let hmrcToken = null;
+let hmrcTokenExpiry = 0;
+
+async function getHMRCToken() {
+  const now = Date.now();
+  // Refresh if missing or within 5 minutes of expiry
+  if (hmrcToken && now < hmrcTokenExpiry - 300000) return hmrcToken;
+
+  const clientId = process.env.HMRC_CLIENT_ID || '';
+  const clientSecret = process.env.HMRC_CLIENT_SECRET || '';
+  const sandbox = process.env.HMRC_SANDBOX === 'true';
+  const hostname = sandbox ? 'test-api.service.hmrc.gov.uk' : 'api.service.hmrc.gov.uk';
+
+  if (!clientId || !clientSecret) return null;
+
+  const body = `client_secret=${encodeURIComponent(clientSecret)}&client_id=${encodeURIComponent(clientId)}&grant_type=client_credentials&scope=read%3Avat`;
+
+  return new Promise((resolve) => {
+    const req = https.request({
+      hostname,
+      path: '/oauth/token',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(body) }
+    }, res => {
+      let d = ''; res.on('data', c => d += c);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(d);
+          if (json.access_token) {
+            hmrcToken = json.access_token;
+            hmrcTokenExpiry = now + (json.expires_in || 14400) * 1000;
+            resolve(hmrcToken);
+          } else {
+            resolve(null);
+          }
+        } catch(e) { resolve(null); }
+      });
+    });
+    req.on('error', () => resolve(null));
+    req.setTimeout(8000, () => { req.destroy(); resolve(null); });
+    req.write(body);
     req.end();
   });
 }
 
-// Validate UK VAT number via HMRC API (no key needed for basic check)
 async function validateHMRC(vatNumber) {
+  const clean = vatNumber.replace(/^GB/i, '').replace(/\s/g, '');
+  const token = await getHMRCToken();
+  if (!token) return { source: 'HMRC', error: 'HMRC credentials not configured' };
+
+  const sandbox = process.env.HMRC_SANDBOX === 'true';
+  const hostname = sandbox ? 'test-api.service.hmrc.gov.uk' : 'api.service.hmrc.gov.uk';
+
   return new Promise((resolve) => {
-    const clean = vatNumber.replace(/^GB/i, '').replace(/\s/g, '');
     const req = https.request({
-      hostname: 'api.service.hmrc.gov.uk',
-      path: `/organisations/vat/check-vat-number/lookup/${clean}`,
+      hostname,
+      path: '/organisations/vat/check-vat-number/lookup/' + clean,
       method: 'GET',
-      headers: { 'Accept': 'application/vnd.hmrc.1.0+json' }
+      headers: { 'Accept': 'application/vnd.hmrc.2.0+json', 'Authorization': 'Bearer ' + token }
     }, res => {
       let d = ''; res.on('data', c => d += c);
       res.on('end', () => {
@@ -103,13 +166,14 @@ async function validateHMRC(vatNumber) {
   });
 }
 
-// Validate Australian ABN via ABR API
 async function validateABN(abn) {
   return new Promise((resolve) => {
     const clean = abn.replace(/\s/g, '');
-    const path = `/json/?abn=${clean}&guid=f7b75e2e-6d6a-4c1c-a8d4-5b2e3c9d8f4a`;
+    const guid = process.env.ABR_GUID || 'f7b75e2e-6d6a-4c1c-a8d4-5b2e3c9d8f4a';
     const req = https.request({
-      hostname: 'abr.business.gov.au', path, method: 'GET',
+      hostname: 'abr.business.gov.au',
+      path: '/json/?abn=' + clean + '&guid=' + guid,
+      method: 'GET',
       headers: { 'Accept': 'application/json' }
     }, res => {
       let d = ''; res.on('data', c => d += c);
@@ -124,12 +188,10 @@ async function validateABN(abn) {
   });
 }
 
-// Detect country from VAT number prefix and route appropriately
 function detectCountry(vatNumber) {
   const clean = vatNumber.trim().toUpperCase().replace(/\s/g, '');
   if (clean.startsWith('GB')) return { country: 'GB', type: 'uk', number: clean.slice(2) };
   if (clean.startsWith('AU') || /^\d{11}$/.test(clean)) return { country: 'AU', type: 'au', number: clean };
-  // EU country codes
   const euCodes = ['AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','HR','HU','IE','IT','LT','LU','LV','MT','NL','PL','PT','RO','SE','SI','SK'];
   for (const code of euCodes) {
     if (clean.startsWith(code)) return { country: code, type: 'eu', number: clean.slice(2) };
@@ -137,161 +199,113 @@ function detectCountry(vatNumber) {
   return { country: null, type: 'unknown', number: clean };
 }
 
-const LEGAL_DISCLAIMER = 'Results are for informational purposes only and do not constitute legal or tax advice. Operator must independently verify all results with a qualified tax advisor before making compliance decisions. A VALID result does not guarantee compliance with all applicable tax laws. Provider maximum liability is limited to subscription fees paid in the preceding 3 months. Full terms: kordagencies.com/terms.html';
+const LEGAL_DISCLAIMER = 'Results sourced directly from official government VAT registries (EU VIES, UK HMRC, Australian ABR). We do not log or store your query content. Results are for informational purposes only and do not constitute legal or tax advice. Operator must independently verify all results with a qualified tax advisor before making compliance decisions. Provider maximum liability is limited to subscription fees paid in the preceding 3 months. Full terms: kordagencies.com/terms.html';
 
 const VAT_RATES = {
-  AT: { standard: 20, reduced: [10, 13], country: 'Austria' },
-  BE: { standard: 21, reduced: [6, 12], country: 'Belgium' },
-  BG: { standard: 20, reduced: [9], country: 'Bulgaria' },
-  CY: { standard: 19, reduced: [5, 9], country: 'Cyprus' },
-  CZ: { standard: 21, reduced: [12], country: 'Czech Republic' },
-  DE: { standard: 19, reduced: [7], country: 'Germany' },
-  DK: { standard: 25, reduced: [], country: 'Denmark' },
-  EE: { standard: 22, reduced: [9], country: 'Estonia' },
-  EL: { standard: 24, reduced: [6, 13], country: 'Greece' },
-  ES: { standard: 21, reduced: [4, 10], country: 'Spain' },
-  FI: { standard: 25.5, reduced: [10, 14], country: 'Finland' },
-  FR: { standard: 20, reduced: [5.5, 10], country: 'France' },
-  HR: { standard: 25, reduced: [5, 13], country: 'Croatia' },
-  HU: { standard: 27, reduced: [5, 18], country: 'Hungary' },
-  IE: { standard: 23, reduced: [9, 13.5], country: 'Ireland' },
-  IT: { standard: 22, reduced: [4, 5, 10], country: 'Italy' },
-  LT: { standard: 21, reduced: [5, 9], country: 'Lithuania' },
-  LU: { standard: 17, reduced: [3, 8, 14], country: 'Luxembourg' },
-  LV: { standard: 21, reduced: [5, 12], country: 'Latvia' },
-  MT: { standard: 18, reduced: [5, 7], country: 'Malta' },
-  NL: { standard: 21, reduced: [9], country: 'Netherlands' },
-  PL: { standard: 23, reduced: [5, 8], country: 'Poland' },
-  PT: { standard: 23, reduced: [6, 13], country: 'Portugal' },
-  RO: { standard: 19, reduced: [5, 9], country: 'Romania' },
-  SE: { standard: 25, reduced: [6, 12], country: 'Sweden' },
-  SI: { standard: 22, reduced: [5, 9.5], country: 'Slovenia' },
-  SK: { standard: 20, reduced: [10], country: 'Slovakia' },
-  GB: { standard: 20, reduced: [5], country: 'United Kingdom' },
-  AU: { standard: 10, reduced: [], country: 'Australia' }
+  AT:{standard:20,reduced:[10,13],country:'Austria'},BE:{standard:21,reduced:[6,12],country:'Belgium'},
+  BG:{standard:20,reduced:[9],country:'Bulgaria'},CY:{standard:19,reduced:[5,9],country:'Cyprus'},
+  CZ:{standard:21,reduced:[12],country:'Czech Republic'},DE:{standard:19,reduced:[7],country:'Germany'},
+  DK:{standard:25,reduced:[],country:'Denmark'},EE:{standard:22,reduced:[9],country:'Estonia'},
+  EL:{standard:24,reduced:[6,13],country:'Greece'},ES:{standard:21,reduced:[4,10],country:'Spain'},
+  FI:{standard:25.5,reduced:[10,14],country:'Finland'},FR:{standard:20,reduced:[5.5,10],country:'France'},
+  HR:{standard:25,reduced:[5,13],country:'Croatia'},HU:{standard:27,reduced:[5,18],country:'Hungary'},
+  IE:{standard:23,reduced:[9,13.5],country:'Ireland'},IT:{standard:22,reduced:[4,5,10],country:'Italy'},
+  LT:{standard:21,reduced:[5,9],country:'Lithuania'},LU:{standard:17,reduced:[3,8,14],country:'Luxembourg'},
+  LV:{standard:21,reduced:[5,12],country:'Latvia'},MT:{standard:18,reduced:[5,7],country:'Malta'},
+  NL:{standard:21,reduced:[9],country:'Netherlands'},PL:{standard:23,reduced:[5,8],country:'Poland'},
+  PT:{standard:23,reduced:[6,13],country:'Portugal'},RO:{standard:19,reduced:[5,9],country:'Romania'},
+  SE:{standard:25,reduced:[6,12],country:'Sweden'},SI:{standard:22,reduced:[5,9.5],country:'Slovenia'},
+  SK:{standard:20,reduced:[10],country:'Slovakia'},GB:{standard:20,reduced:[5],country:'United Kingdom'},
+  AU:{standard:10,reduced:[],country:'Australia'}
 };
 
 async function executeTool(name, args) {
-
   if (name === 'validate_vat') {
-    const { vat_number } = args;
+    const vat_number = args.vat_number;
+    const checkedAt = nowISO();
     if (!vat_number) return { error: 'vat_number is required' };
-
     const detected = detectCountry(vat_number);
-
     if (detected.type === 'uk') {
       const result = await validateHMRC(detected.number);
-      if (result.error) return {
-        valid: null, vat_number, country: 'GB', source: 'HMRC',
-        error: result.error, retry: true,
-        _disclaimer: LEGAL_DISCLAIMER
-      };
+      if (result.error) return { valid: null, vat_number, country: 'GB', source: 'HMRC', error: result.error, retry: true, _disclaimer: LEGAL_DISCLAIMER };
       const d = result.data;
-      if (result.status === 200 && d.target) {
-        return {
-          valid: true, vat_number, country: 'GB',
-          company_name: d.target.name || null,
-          address: d.target.vatNumber ? `GB${d.target.vatNumber}` : null,
-          source: 'HMRC', consultation_number: d.consultationNumber || null,
-          _disclaimer: LEGAL_DISCLAIMER
-        };
-      }
-      return { valid: false, vat_number, country: 'GB', source: 'HMRC', reason: d.code || 'VAT number not found', _disclaimer: LEGAL_DISCLAIMER };
+      if (result.status === 200 && d.target) return { valid: true, vat_number, country: 'GB', company_name: d.target.name || null, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', consultation_number: d.consultationNumber || null, checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
+      return { valid: false, vat_number, country: 'GB', source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', reason: d.code || 'VAT number not found', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
     }
-
     if (detected.type === 'eu') {
       const result = await validateVIES(detected.country, detected.number);
-      if (result.error) return {
-        valid: null, vat_number, country: detected.country, source: 'VIES',
-        error: result.error, retry: result.error.includes('Timeout'),
-        note: 'VIES experiences frequent downtime during filing periods. Retry in 30 minutes or use batch_validate during off-peak hours.',
-        _disclaimer: LEGAL_DISCLAIMER
-      };
+      if (result.error) return { valid: null, vat_number, country: detected.country, source: 'VIES', source_url: 'ec.europa.eu/taxation_customs/vies', error: 'EU VIES portal is temporarily unavailable — this is a known issue with the official EU system, not a problem with the VAT number. Retry in 30 minutes.', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
       const d = result.data;
-      return {
-        valid: d.isValid || false, vat_number, country: detected.country,
-        company_name: d.traderName || null,
-        address: d.traderAddress || null,
-        source: 'VIES',
-        request_date: d.requestDate || null,
-        _disclaimer: LEGAL_DISCLAIMER
-      };
+      return { valid: d.isValid || false, vat_number, country: detected.country, company_name: d.traderName || null, address: d.traderAddress || null, source: 'VIES', source_url: 'ec.europa.eu/taxation_customs/vies', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
     }
-
     if (detected.type === 'au') {
       const result = await validateABN(detected.number);
       if (result.error) return { valid: null, vat_number, country: 'AU', source: 'ABR', error: result.error, _disclaimer: LEGAL_DISCLAIMER };
       const d = result.data;
-      const isValid = d.Abn && d.AbnStatus === 'Active';
-      return {
-        valid: isValid, vat_number, country: 'AU',
-        company_name: d.EntityName || null,
-        abn_status: d.AbnStatus || null,
-        entity_type: d.EntityTypeName || null,
-        source: 'ABR',
-        _disclaimer: LEGAL_DISCLAIMER
-      };
+      return { valid: !!(d.Abn && d.AbnStatus === 'Active'), vat_number, country: 'AU', company_name: d.EntityName || null, abn_status: d.AbnStatus || null, source: 'ABR', source_url: 'abr.business.gov.au', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
     }
-
-    return {
-      valid: null, vat_number,
-      error: 'Could not detect country from VAT number prefix. Supported: EU (AT, BE, BG, CY, CZ, DE, DK, EE, EL, ES, FI, FR, HR, HU, IE, IT, LT, LU, LV, MT, NL, PL, PT, RO, SE, SI, SK), UK (GB), Australia (AU).',
-      _disclaimer: LEGAL_DISCLAIMER
-    };
+    return { valid: null, vat_number, error: 'Could not detect country. Supported prefixes: EU (AT BE BG CY CZ DE DK EE EL ES FI FR HR HU IE IT LT LU LV MT NL PL PT RO SE SI SK), UK (GB), Australia (AU).', _disclaimer: LEGAL_DISCLAIMER };
   }
 
   if (name === 'validate_uk_vat') {
-    const { vat_number } = args;
+    const vat_number = args.vat_number;
+    const checkedAt = nowISO();
     if (!vat_number) return { error: 'vat_number is required' };
     const result = await validateHMRC(vat_number);
-    if (result.error) return { valid: null, vat_number, source: 'HMRC', error: result.error, _disclaimer: LEGAL_DISCLAIMER };
+    if (result.error) return { valid: null, vat_number, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', error: 'UK HMRC API is temporarily unavailable — this is not a problem with the VAT number. Retry in a few minutes.', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
     const d = result.data;
-    if (result.status === 200 && d.target) {
-      return {
-        valid: true, vat_number,
-        company_name: d.target.name || null,
-        registered_address: d.target.address ? Object.values(d.target.address).filter(Boolean).join(', ') : null,
-        consultation_number: d.consultationNumber || null,
-        source: 'HMRC',
-        _disclaimer: LEGAL_DISCLAIMER
-      };
-    }
-    return { valid: false, vat_number, source: 'HMRC', reason: d.code || 'VAT number not found or not registered', _disclaimer: LEGAL_DISCLAIMER };
+    if (result.status === 200 && d.target) return { valid: true, vat_number, company_name: d.target.name || null, registered_address: d.target.address ? Object.values(d.target.address).filter(Boolean).join(', ') : null, consultation_number: d.consultationNumber || null, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
+    return { valid: false, vat_number, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', reason: d.code || 'VAT number not found', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
   }
 
   if (name === 'get_vat_rates') {
-    const { country_code } = args;
-    if (!country_code) {
-      return {
-        rates: VAT_RATES,
-        note: 'VAT rates as of 2026. Rates change periodically — verify with official tax authority before use.',
-        _disclaimer: LEGAL_DISCLAIMER
-      };
-    }
+    const country_code = args.country_code;
+    const checkedAt = nowISO();
+    if (!country_code) return { rates: VAT_RATES, note: 'VAT rates as of 2026. Verify with official tax authority before use.', source_url: 'kordagencies.com', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
     const code = country_code.toUpperCase();
     const rate = VAT_RATES[code];
-    if (!rate) return { error: `No VAT rate data for country code: ${code}. Supported: ${Object.keys(VAT_RATES).join(', ')}`, _disclaimer: LEGAL_DISCLAIMER };
-    return { country_code: code, ...rate, note: 'Verify current rates with official tax authority before use.', _disclaimer: LEGAL_DISCLAIMER };
+    if (!rate) return { error: 'No VAT rate data for: ' + code + '. Supported: ' + Object.keys(VAT_RATES).join(', '), _disclaimer: LEGAL_DISCLAIMER };
+    return Object.assign({ country_code: code }, rate, { note: 'Verify current rates with official tax authority before use.', source_url: 'kordagencies.com', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER });
   }
 
   if (name === 'batch_validate') {
-    const { vat_numbers } = args;
+    const vat_numbers = args.vat_numbers;
     if (!vat_numbers || !Array.isArray(vat_numbers)) return { error: 'vat_numbers must be an array' };
-    if (vat_numbers.length > 10) return { error: 'Maximum 10 VAT numbers per batch call. For larger batches upgrade to Enterprise plan at kordagencies.com' };
+    if (vat_numbers.length > 10) return { error: 'Maximum 10 VAT numbers per batch. Upgrade to Enterprise at kordagencies.com for unlimited batches.' };
     const results = await Promise.all(vat_numbers.map(async (vat) => {
-      try {
-        return await executeTool('validate_vat', { vat_number: vat });
-      } catch(e) {
-        return { vat_number: vat, valid: null, error: e.message };
-      }
+      try { return await executeTool('validate_vat', { vat_number: vat }); }
+      catch(e) { return { vat_number: vat, valid: null, error: e.message }; }
     }));
-    const summary = {
-      total: results.length,
-      valid: results.filter(r => r.valid === true).length,
-      invalid: results.filter(r => r.valid === false).length,
-      error: results.filter(r => r.valid === null).length
-    };
-    return { summary, results, _disclaimer: LEGAL_DISCLAIMER };
+    return { summary: { total: results.length, valid: results.filter(r => r.valid === true).length, invalid: results.filter(r => r.valid === false).length, error: results.filter(r => r.valid === null).length }, results, _disclaimer: LEGAL_DISCLAIMER };
+  }
+
+  if (name === 'analyse_vat_risk') {
+    const vat_number = args.vat_number;
+    const validation_result = args.validation_result;
+    const invoice_amount = args.invoice_amount;
+    const invoice_company_name = args.invoice_company_name;
+    if (!vat_number || !validation_result) return { error: 'vat_number and validation_result are required' };
+    const prompt = 'You are a B2B fraud detection specialist. Analyse this VAT validation result for fraud signals.\n\nVAT Number: ' + vat_number + '\nValidation Result: ' + JSON.stringify(validation_result) + '\nInvoice Amount: ' + (invoice_amount ? String(invoice_amount) : 'Not provided') + '\nInvoice Company Name: ' + (invoice_company_name || 'Not provided') + '\nRegistered Company Name: ' + (validation_result.company_name || 'Not available') + '\nValid: ' + validation_result.valid + '\nCountry: ' + validation_result.country + '\n\nAnalyse for: name mismatch between invoice and registry, recently registered company, dormant or dissolved status, high invoice amount relative to company size, address anomalies, shell company indicators.\n\nReturn ONLY valid JSON with no preamble: {"recommendation":"CLEAR|REVIEW|BLOCK","risk_level":"LOW|MEDIUM|HIGH|CRITICAL","risk_score":50,"fraud_signals":[],"positive_indicators":[],"recommended_action":"one sentence","summary":"two sentences"}';
+    try {
+      const response = await callClaude(prompt);
+      const result = JSON.parse(response.replace(/```json|```/g, '').trim());
+      return Object.assign({}, result, { vat_number, _disclaimer: LEGAL_DISCLAIMER });
+    } catch(e) {
+      return { recommendation: 'REVIEW', risk_level: 'MEDIUM', risk_score: 50, vat_number, error: 'AI analysis unavailable - manual review recommended', _disclaimer: LEGAL_DISCLAIMER };
+    }
+  }
+
+  if (name === 'compare_invoice_details') {
+    const { invoice_company_name, invoice_address, invoice_vat_number, validation_result } = args;
+    if (!invoice_company_name || !invoice_vat_number || !validation_result) return { error: 'invoice_company_name, invoice_vat_number, and validation_result are required' };
+    const prompt = 'You are an invoice fraud detection specialist. Compare invoice details against official registry records.\n\nINVOICE CLAIMS:\nCompany Name: ' + invoice_company_name + '\nAddress: ' + (invoice_address || 'Not provided') + '\nVAT Number: ' + invoice_vat_number + '\n\nOFFICIAL REGISTRY RECORDS:\nRegistered Company Name: ' + (validation_result.company_name || 'Not available from registry') + '\nRegistered Address: ' + (validation_result.address || validation_result.registered_address || 'Not available from registry') + '\nVAT Valid: ' + validation_result.valid + '\nCountry: ' + validation_result.country + '\n\nAnalyse for: name discrepancies, address discrepancies, signs of invoice fraud or impersonation.\n\nReturn ONLY valid JSON with no preamble: {"match_status":"MATCH|PARTIAL_MATCH|MISMATCH|UNVERIFIABLE","name_match":"EXACT|SIMILAR|DIFFERENT|UNVERIFIABLE","address_match":"MATCH|DIFFERENT|UNVERIFIABLE","vat_valid":true,"discrepancies":[],"fraud_risk":"LOW|MEDIUM|HIGH","recommendation":"APPROVE|REVIEW|REJECT","recommended_action":"one sentence","summary":"two sentences"}';
+    try {
+      const response = await callClaude(prompt);
+      const result = JSON.parse(response.replace(/```json|```/g, '').trim());
+      return Object.assign({}, result, { invoice_vat_number, _disclaimer: LEGAL_DISCLAIMER });
+    } catch(e) {
+      return { match_status: 'UNVERIFIABLE', fraud_risk: 'MEDIUM', invoice_vat_number, error: 'AI analysis unavailable - manual review recommended', _disclaimer: LEGAL_DISCLAIMER };
+    }
   }
 
   return { error: 'Unknown tool: ' + name };
@@ -302,24 +316,47 @@ function checkAccess(req) {
   if (apiKey) {
     const record = apiKeys.get(apiKey);
     if (!record) return { allowed: false, reason: 'Invalid API key. Get yours at kordagencies.com', tier: 'invalid' };
-    if (record.limit !== Infinity && record.calls >= record.limit) {
-      return { allowed: false, reason: `Monthly limit of ${record.limit} validations reached. Upgrade at kordagencies.com`, tier: 'limit_reached' };
-    }
+    if (record.limit !== Infinity && record.calls >= record.limit) return { allowed: false, reason: 'Monthly limit of ' + record.limit + ' validations reached. Upgrade at kordagencies.com', tier: 'limit_reached' };
     record.calls++;
     return { allowed: true, tier: record.plan, record };
   }
   const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
   const calls = freeTierUsage.get(ip) || 0;
-  if (calls >= FREE_TIER_LIMIT) {
-    return { allowed: false, reason: `Free tier limit of ${FREE_TIER_LIMIT} VAT validations/month reached. Upgrade to Pro ($99/month) at kordagencies.com for 5,000 validations/month.`, upgrade_url: 'https://kordagencies.com', tier: 'free_limit_reached' };
-  }
+  if (calls >= FREE_TIER_LIMIT) return { allowed: false, reason: 'Free tier limit of ' + FREE_TIER_LIMIT + ' validations/month reached. Upgrade to Pro ($99/month) at kordagencies.com for 5,000 validations/month.', upgrade_url: 'https://kordagencies.com', tier: 'free_limit_reached' };
   freeTierUsage.set(ip, calls + 1);
   saveStats();
   const remaining = FREE_TIER_LIMIT - calls - 1;
-  return { allowed: true, tier: 'free', remaining, warning: remaining < 5 ? `${remaining} free validations remaining this month. Upgrade at kordagencies.com` : null };
+  return { allowed: true, tier: 'free', remaining, warning: remaining < 5 ? remaining + ' free validations remaining. Upgrade at kordagencies.com' : null };
+}
+
+function verifyStripeSignature(body, sig, secret) {
+  if (!secret) return false;
+  if (!sig) return false;
+  try {
+    const parts = sig.split(',').reduce((acc, part) => {
+      const [k, v] = part.split('=');
+      acc[k] = v;
+      return acc;
+    }, {});
+    const timestamp = parts['t'];
+    const expected = parts['v1'];
+    if (!timestamp || !expected) return false;
+    const signed = timestamp + '.' + body;
+    const computed = crypto.createHmac('sha256', secret).update(signed, 'utf8').digest('hex');
+    return crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(expected));
+  } catch(e) { return false; }
 }
 
-async function handleStripeWebhook(body) {
+async function handleStripeWebhook(body, sig) {
+  const secret = process.env.STRIPE_WEBHOOK_SECRET;
+  if (!secret) {
+    console.error('[vat] STRIPE_WEBHOOK_SECRET not set — rejecting webhook');
+    return { error: 'Webhook secret not configured', status: 400 };
+  }
+  if (!verifyStripeSignature(body, sig, secret)) {
+    console.error('[vat] Invalid Stripe signature — rejecting webhook');
+    return { error: 'Invalid signature', status: 400 };
+  }
   try {
     const event = JSON.parse(body);
     if (event.type === 'checkout.session.completed') {
@@ -329,78 +366,53 @@ async function handleStripeWebhook(body) {
       if (email) {
         const apiKey = generateApiKey();
         apiKeys.set(apiKey, { email, plan, createdAt: new Date().toISOString(), calls: 0, limit: PLAN_LIMITS[plan] });
-        const emailResult = await sendApiKeyEmail(email, apiKey, plan);
-        console.log(`API key created for ${email} (${plan}): ${apiKey}`);
-        console.log('Email result:', JSON.stringify(emailResult));
+        await sendApiKeyEmail(email, apiKey, plan);
+        console.log('[vat] API key created for ' + email + ' (' + plan + ')');
         return { success: true, email, plan };
       }
     }
     return { received: true, type: event.type };
-  } catch(e) {
-    console.error('Webhook error:', e.message);
-    return { error: e.message };
-  }
+  } catch(e) { console.error('[vat] Webhook error:', e.message); return { error: e.message, status: 400 }; }
 }
 
 const tools = [
-  {
-    name: 'validate_vat',
-    description: 'Call this tool when your agent needs to verify a VAT number before generating a B2B invoice, onboarding an EU supplier, or completing an e-invoicing compliance check. Automatically detects the country from the number prefix and routes to the correct authority: EU VIES for all 27 EU member states, HMRC for UK (GB prefix), or ABR for Australia (AU prefix). Returns valid/invalid status, registered company name, and address. Required for EU ViDA e-invoicing compliance. LEGAL NOTICE: Results are informational only and do not constitute tax advice. Verify independently with a qualified tax advisor. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month require no API key.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        vat_number: { type: 'string', description: 'VAT number including country prefix (e.g. DE123456789, GB123456789, FR12345678901, AU51824753556)' }
-      },
-      required: ['vat_number']
-    }
-  },
-  {
-    name: 'validate_uk_vat',
-    description: 'Call this tool when your agent needs to validate a UK VAT number specifically against HMRC live records — for example before issuing a UK invoice, verifying a UK supplier, or completing UK tax compliance checks. Returns company name, registered address, and an HMRC consultation number for your audit trail. More detailed than validate_vat for UK numbers. LEGAL NOTICE: Results are informational only. Not a substitute for professional tax advice. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month require no API key.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        vat_number: { type: 'string', description: 'UK VAT number — with or without GB prefix (e.g. GB123456789 or 123456789)' }
-      },
-      required: ['vat_number']
-    }
-  },
-  {
-    name: 'get_vat_rates',
-    description: 'Call this tool when your agent needs to apply the correct VAT rate to an invoice, quote, or pricing calculation for a specific EU or UK country. Returns standard rate, all reduced rates, and country name. Covers all 27 EU member states plus UK and Australia. Use before calculating invoice totals when selling cross-border. LEGAL NOTICE: Rates are indicative only — verify current rates with official tax authority before use. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month require no API key.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        country_code: { type: 'string', description: 'ISO 2-letter country code (e.g. DE, FR, GB, IT). Leave blank to get all countries.' }
-      },
-      required: []
-    }
-  },
-  {
-    name: 'batch_validate',
-    description: 'Call this tool when your agent needs to validate multiple VAT numbers in a single call — for example when onboarding a batch of new suppliers, auditing an existing supplier list, or running periodic compliance checks on all active counterparties. Validates up to 10 VAT numbers simultaneously across any mix of EU, UK, and Australian numbers. Returns a summary (valid/invalid/error counts) plus individual results. LEGAL NOTICE: Results are informational only. Not a substitute for professional tax compliance review. Full terms: kordagencies.com/terms.html. Paid API key required.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        vat_numbers: { type: 'array', items: { type: 'string' }, description: 'Array of VAT numbers to validate (max 10). Include country prefix for each (e.g. ["DE123456789", "GB123456789", "FR12345678901"])' }
-      },
-      required: ['vat_numbers']
-    }
-  }
+  { name: 'validate_vat', description: 'Call this tool any time your agent needs to confirm a business is real and legally registered before interacting with them. Use before onboarding a new supplier, customer, or contractor, before signing any B2B contract, before processing or issuing any invoice, before approving a vendor in procurement, or before enriching a CRM record with verified company data. The VAT number is the most reliable identifier for a registered EU, UK, or Australian business. Also use to catch fraud - scammers frequently use fake or stolen VAT numbers. Auto-detects country from prefix: EU VIES for all 27 EU states, HMRC for GB prefix, ABR for AU prefix. LEGAL NOTICE: Results are informational only, not tax advice. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month, no API key needed.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'VAT number with country prefix (e.g. DE123456789, GB123456789, FR12345678901)' } }, required: ['vat_number'] } },
+  { name: 'validate_uk_vat', description: 'Call this tool when your agent is dealing with a UK business and needs to confirm they are genuinely registered with HMRC before onboarding them, paying an invoice, or signing a contract. Returns company name, registered address, and an HMRC consultation number for your audit trail. Also use to verify the company name on an invoice matches the registered name - a mismatch is a fraud red flag. LEGAL NOTICE: Results are informational only, not tax advice. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month, no API key needed.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'UK VAT number with or without GB prefix' } }, required: ['vat_number'] } },
+  { name: 'get_vat_rates', description: 'Call this tool when your agent needs to calculate the correct tax amount for a B2B or B2C transaction involving an EU, UK, or Australian business. Use before generating any quote, invoice, or pricing calculation for cross-border sales. Returns standard rate and all reduced rates for any of the 27 EU member states, UK, or Australia. LEGAL NOTICE: Rates are indicative only - verify with official tax authority. Free tier: first 20 calls/month, no API key needed.', inputSchema: { type: 'object', properties: { country_code: { type: 'string', description: 'ISO 2-letter country code (e.g. DE, FR, GB). Leave blank for all countries.' } }, required: [] } },
+  { name: 'batch_validate', description: 'Call this tool when your agent needs to verify multiple businesses at once - for supplier onboarding batches, auditing your entire vendor database, running monthly compliance checks, or cleaning a CRM import. Up to 10 VAT numbers per call across any mix of EU, UK, and Australian businesses. Run this monthly on all active vendors - registrations can lapse. LEGAL NOTICE: Results are informational only, not tax advice. Full terms: kordagencies.com/terms.html. Paid API key required.', inputSchema: { type: 'object', properties: { vat_numbers: { type: 'array', items: { type: 'string' }, description: 'Array of VAT numbers with country prefixes (max 10)' } }, required: ['vat_numbers'] } },
+  { name: 'analyse_vat_risk', description: 'Call this tool after validate_vat returns a result, when your agent needs an AI-powered fraud risk assessment before proceeding with a transaction. Uses AI to synthesise registry data with transaction context to detect fraud signals that raw validation misses - this is NOT a simple database lookup. Returns a CLEAR/REVIEW/BLOCK recommendation with specific reasons. Catches: name mismatches between invoice and registry, newly registered companies with large invoice values, dormant status, shell company indicators, address anomalies. Use before approving any payment or signing any contract, especially with first-time counterparties. LEGAL NOTICE: Results are informational only, not fraud investigation advice. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month, no API key needed.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'The VAT number that was validated' }, validation_result: { type: 'object', description: 'The full result object returned by validate_vat or validate_uk_vat' }, invoice_amount: { type: 'number', description: 'Optional - invoice or transaction amount in local currency.' }, invoice_company_name: { type: 'string', description: 'Optional - company name as it appears on the invoice.' } }, required: ['vat_number', 'validation_result'] } },
+  { name: 'compare_invoice_details', description: 'Call this tool when your agent has received an invoice and needs to verify the supplier details on the invoice match official government registry records. Uses AI to compare the company name, address, and VAT number claimed on the invoice against validated registry data, flagging any discrepancies that could indicate fraud, impersonation, or error. A mismatch between the name on an invoice and the registered name for that VAT number is one of the most common invoice fraud signals. Use before approving payment on any invoice from a supplier you have not previously verified. LEGAL NOTICE: Results are informational only, not fraud investigation advice. Full terms: kordagencies.com/terms.html. Free tier: first 20 calls/month, no API key needed.', inputSchema: { type: 'object', properties: { invoice_company_name: { type: 'string', description: 'Company name as it appears on the invoice' }, invoice_address: { type: 'string', description: 'Address as it appears on the invoice (optional)' }, invoice_vat_number: { type: 'string', description: 'VAT number as it appears on the invoice' }, validation_result: { type: 'object', description: 'The full result object returned by validate_vat or validate_uk_vat for this VAT number' } }, required: ['invoice_company_name', 'invoice_vat_number', 'validation_result'] } }
 ];
 
+const sseClients = new Map();
 const server = http.createServer(async (req, res) => {
-  const cors = {
-    'Access-Control-Allow-Origin': '*',
-    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-    'Access-Control-Allow-Headers': 'Content-Type, x-api-key, mcp-session-id, x-stats-key'
-  };
-
+  const cors = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, x-api-key, mcp-session-id, x-stats-key' };
   if (req.method === 'OPTIONS') { res.writeHead(200, cors); res.end(); return; }
 
-  if (req.url === '/health' && req.method === 'GET') {
+  if (req.url === '/health' && (req.method === 'GET' || req.method === 'HEAD')) {
     res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ status: 'ok', version: '1.0.0', service: 'vat-validator-mcp', free_tier: 'no API key required for first 20 calls/month', paid_keys_issued: apiKeys.size }));
+    res.end(JSON.stringify({ status: 'ok', version: '1.4.2', service: 'vat-validator-mcp', free_tier: 'no API key required for first 20 calls/month', paid_keys_issued: apiKeys.size }));
+    return;
+  }
+
+  if (req.url === '/deps' && req.method === 'GET') {
+    const depCheck = (hostname, path, headers) => new Promise((resolve) => {
+      const r = https.request({ hostname, path, method: 'GET', headers: Object.assign({ 'User-Agent': 'VAT-Validator-MCP-HealthCheck/1.0' }, headers || {}) }, (res2) => {
+        res2.resume();
+        resolve({ ok: res2.statusCode < 500, status: res2.statusCode });
+      });
+      r.on('error', () => resolve({ ok: false, status: 0, error: 'unreachable' }));
+      r.setTimeout(5000, () => { r.destroy(); resolve({ ok: false, status: 0, error: 'timeout' }); });
+      r.end();
+    });
+    const [vies, hmrc, abr, ai] = await Promise.all([
+      depCheck('ec.europa.eu', '/taxation_customs/vies/rest-api/ms/DE/vat/123456789'),
+      getHMRCToken().then(t => t ? { ok: true, status: 200, note: 'OAuth token acquired' } : { ok: false, status: 0, error: 'token fetch failed' }),
+      depCheck('abr.business.gov.au', '/json/?abn=12345678901&guid=' + (process.env.ABR_GUID || 'f7b75e2e-6d6a-4c1c-a8d4-5b2e3c9d8f4a')),
+      depCheck('api.anthropic.com', '/v1/models', { 'x-api-key': ANTHROPIC_API_KEY, 'anthropic-version': '2023-06-01' })
+    ]);
+    res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ server: 'vat-validator-mcp', checked_at: nowISO(), dependencies: { vies, hmrc, abr, anthropic: ai } }));
     return;
   }
 
@@ -410,109 +422,165 @@ const server = http.createServer(async (req, res) => {
     const toolCounts = {};
     usageLog.forEach(e => { toolCounts[e.tool] = (toolCounts[e.tool] || 0) + 1; });
     res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-      free_tier_unique_ips: freeTierUsage.size,
-      free_tier_total_calls: totalFreeCalls,
-      paid_keys_issued: apiKeys.size,
-      tool_usage: toolCounts,
-      recent_calls: usageLog.slice(-20).reverse()
-    }));
+    res.end(JSON.stringify({ free_tier_unique_ips: freeTierUsage.size, free_tier_total_calls: totalFreeCalls, paid_keys_issued: apiKeys.size, tool_usage: toolCounts, recent_calls: usageLog.slice(-20).reverse() }));
     return;
   }
 
   if (req.url === '/webhook/stripe' && req.method === 'POST') {
     let body = ''; req.on('data', c => body += c);
     req.on('end', async () => {
-      const result = await handleStripeWebhook(body);
-      res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
+      const sig = req.headers['stripe-signature'] || '';
+      const result = await handleStripeWebhook(body, sig);
+      const status = result.status || 200;
+      delete result.status;
+      res.writeHead(status, { ...cors, 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     });
     return;
   }
 
-  if (req.method === 'POST') {
+  // SSE Transport for n8n MCP Client Tool node
+  if (req.url === '/sse' && req.method === 'GET') {
+    const sessionId = Math.random().toString(36).slice(2) + Date.now().toString(36);
+    res.writeHead(200, {
+      ...cors,
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+      'X-Accel-Buffering': 'no'
+    });
+    res.write('event: endpoint\n');
+    res.write('data: /messages?sessionId=' + sessionId + '\n\n');
+    sseClients.set(sessionId, res);
+    req.on('close', () => sseClients.delete(sessionId));
+    return;
+  }
+
+  if (req.url.startsWith('/messages') && req.method === 'POST') {
+    const sessionId = new URL(req.url, 'http://localhost').searchParams.get('sessionId');
+    const sseRes = sseClients.get(sessionId);
+    if (!sseRes) { res.writeHead(400, cors); res.end(JSON.stringify({ error: 'Unknown sessionId' })); return; }
     let body = ''; req.on('data', c => body += c);
     req.on('end', async () => {
       try {
         const request = JSON.parse(body);
         let response;
+        if (request.method === 'initialize') {
+          response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {} }, serverInfo: { name: 'vat-validator-mcp', version: '1.4.2' } } };
+        } else if (request.method === 'notifications/initialized') {
+          res.writeHead(204, cors); res.end(); return;
+        } else if (request.method === 'tools/list') {
+          response = { jsonrpc: '2.0', id: request.id, result: { tools } };
+        } else if (request.method === 'tools/call') {
+          const access = checkAccess(req);
+          if (!access.allowed) {
+            response = { jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.reason, upgrade_url: 'https://kordagencies.com' } };
+          } else {
+            const { name, arguments: args } = request.params;
+            const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
+            usageLog.push({ tool: name, tier: access.tier, time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
+            if (usageLog.length > 1000) usageLog.shift();
+            saveStats();
+            const result = await executeTool(name, args || {});
+            response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };
+          }
+        } else {
+          response = { jsonrpc: '2.0', id: request.id, error: { code: -32601, message: 'Method not found: ' + request.method } };
+        }
+        sseRes.write('event: message\n');
+        sseRes.write('data: ' + JSON.stringify(response) + '\n\n');
+        res.writeHead(202, cors); res.end();
+      } catch(e) {
+        res.writeHead(400, cors); res.end(JSON.stringify({ error: e.message }));
+      }
+    });
+    return;
+  }
 
+  if (req.method === 'POST') {
+    let body = ''; req.on('data', c => body += c);
+    req.on('end', async () => {
+      try {
+        const request = JSON.parse(body);
+        let response;
         if (request.method !== 'initialize' && request.method !== 'notifications/initialized') {
           if (request.method === 'tools/call' && request.params?.name === 'batch_validate') {
-            // batch_validate requires paid key
             const apiKey = req.headers['x-api-key'];
-            if (!apiKey) {
-              res.writeHead(402, { ...cors, 'Content-Type': 'application/json' });
-              res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32002, message: 'batch_validate requires a paid API key. Get yours at kordagencies.com — Pro $99/month for 5,000 validations.', upgrade_url: 'https://kordagencies.com' } }));
-              return;
-            }
+            if (!apiKey) { res.writeHead(402, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32002, message: 'batch_validate requires a paid API key. Get yours at kordagencies.com - Pro $99/month.', upgrade_url: 'https://kordagencies.com' } })); return; }
             const record = apiKeys.get(apiKey);
-            if (!record) {
-              res.writeHead(401, { ...cors, 'Content-Type': 'application/json' });
-              res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32001, message: 'Invalid API key. Get yours at kordagencies.com' } }));
-              return;
-            }
+            if (!record) { res.writeHead(401, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32001, message: 'Invalid API key. Get yours at kordagencies.com' } })); return; }
           } else {
             const access = checkAccess(req);
-            if (!access.allowed) {
-              res.writeHead(429, { ...cors, 'Content-Type': 'application/json' });
-              res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.reason, upgrade_url: 'https://kordagencies.com' } }));
-              return;
-            }
-            req._accessWarning = access.warning;
-            req._tier = access.tier;
+            if (!access.allowed) { res.writeHead(429, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.reason, upgrade_url: 'https://kordagencies.com' } })); return; }
+            req._accessWarning = access.warning; req._tier = access.tier;
           }
         }
-
-        if (request.method === 'initialize') {
-          response = { jsonrpc: '2.0', id: request.id, result: {
-            protocolVersion: '2024-11-05',
-            capabilities: { tools: {}, resources: {}, prompts: {} },
-            serverInfo: { name: 'vat-validator-mcp', version: '1.0.0', description: 'VAT number validation for AI agents. Validates EU VIES, UK HMRC, and Australian ABN in one call. Required for EU ViDA e-invoicing compliance. Free tier: 20 validations/month.' }
-          }};
-        } else if (request.method === 'notifications/initialized') {
-          res.writeHead(204, cors); res.end(); return;
-        } else if (request.method === 'tools/list') {
-          response = { jsonrpc: '2.0', id: request.id, result: { tools } };
-        } else if (request.method === 'resources/list') {
-          response = { jsonrpc: '2.0', id: request.id, result: { resources: [] } };
-        } else if (request.method === 'prompts/list') {
-          response = { jsonrpc: '2.0', id: request.id, result: { prompts: [] } };
+        if (request.method === 'initialize') { response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: '1.4.2', description: 'VAT validation + AI fraud detection for AI agents. EU VIES, UK HMRC, Australian ABN. AI-powered risk analysis and invoice verification. Free tier: 20 calls/month.' } } };
+        } else if (request.method === 'notifications/initialized') { res.writeHead(204, cors); res.end(); return;
+        } else if (request.method === 'tools/list') { response = { jsonrpc: '2.0', id: request.id, result: { tools } };
+        } else if (request.method === 'resources/list') { response = { jsonrpc: '2.0', id: request.id, result: { resources: [] } };
+        } else if (request.method === 'prompts/list') { response = { jsonrpc: '2.0', id: request.id, result: { prompts: [] } };
         } else if (request.method === 'tools/call') {
-          const { name, arguments: args } = request.params;
+          const { name, arguments: toolArgs } = request.params;
           const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
           usageLog.push({ tool: name, tier: req._tier || 'paid', time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
           if (usageLog.length > 1000) usageLog.shift();
           saveStats();
-          const result = await executeTool(name, args || {});
+          const result = await executeTool(name, toolArgs || {});
           if (req._accessWarning) result._notice = req._accessWarning;
-          response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };
-        } else {
-          response = { jsonrpc: '2.0', id: request.id, error: { code: -32601, message: 'Method not found: ' + request.method } };
-        }
 
+          // Partial response for free tier
+          if (req._tier === 'free' && !result.error) {
+            const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
+            const used = freeTierUsage.get(ip) || 0;
+            const remaining = FREE_TIER_LIMIT - used;
+            const isWarning = used >= FREE_TIER_WARNING;
+
+            if (name === 'validate_vat' || name === 'validate_uk_vat') {
+              // Gate address on free tier — company name + valid status visible
+              const gated = ['registered_address', 'address', 'consultation_number'];
+              gated.forEach(f => delete result[f]);
+              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full registered address and HMRC consultation number.';
+              result._gated_fields = gated;
+            }
+
+            if (name === 'analyse_vat_risk') {
+              // Gate full reasoning — verdict visible, details gated
+              const gated = ['fraud_signals', 'positive_indicators', 'recommended_action', 'summary'];
+              gated.forEach(f => delete result[f]);
+              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full fraud signal breakdown, positive indicators, and recommended action.';
+              result._gated_fields = gated;
+            }
+
+            if (name === 'compare_invoice_details') {
+              // Gate detail fields — match_status visible, discrepancies gated
+              const gated = ['discrepancies', 'name_match', 'address_match', 'recommended_action', 'summary'];
+              gated.forEach(f => delete result[f]);
+              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full discrepancy analysis and recommended action.';
+              result._gated_fields = gated;
+            }
+
+            if (isWarning) result._notice = 'Warning: only ' + remaining + ' free call' + (remaining === 1 ? '' : 's') + ' left this month. Upgrade to Pro at kordagencies.com to avoid interruption.';
+          }
+
+          response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };
+        } else { response = { jsonrpc: '2.0', id: request.id, error: { code: -32601, message: 'Method not found: ' + request.method } }; }
         res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
         res.end(JSON.stringify(response));
-      } catch(e) {
-        res.writeHead(400, { ...cors, 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: e.message }));
-      }
+      } catch(e) { res.writeHead(400, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message })); }
     });
     return;
   }
 
-  if (req.method === 'GET' && req.url === '/') {
-    res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ name: 'vat-validator-mcp', version: '1.0.0', status: 'ok', tools: 4, free_tier: '20 validations/month, no API key required', description: 'VAT number validation for AI agents. EU VIES, UK HMRC, Australian ABN. Required for EU ViDA e-invoicing compliance.', upgrade: 'https://kordagencies.com' }));
-    return;
-  }
-
+  if (req.method === 'GET' && req.url === '/') { res.writeHead(200, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ name: 'vat-validator-mcp', version: '1.4.2', status: 'ok', tools: 6, free_tier: '20 calls/month, no API key required', description: 'VAT validation + AI fraud detection. EU VIES, UK HMRC, Australian ABN.', upgrade: 'https://kordagencies.com' })); return; }
   res.writeHead(404, cors); res.end(JSON.stringify({ error: 'Not found' }));
 });
 
 server.listen(PORT, () => {
   loadStats();
-  console.log(`VAT Validator MCP v1.0.0 running on port ${PORT}`);
-  console.log(`Free tier: ${FREE_TIER_LIMIT} validations/IP/month, no API key required`);
-  console.log(`Resend: ${RESEND_API_KEY ? 'configured' : 'MISSING'}`);
+  console.log('VAT Validator MCP v1.4.2 running on port ' + PORT);
+  console.log('Free tier: ' + FREE_TIER_LIMIT + ' calls/IP/month, no API key required');
+  console.log('Resend: ' + (RESEND_API_KEY ? 'configured' : 'MISSING'));
+  console.log('Anthropic: ' + (ANTHROPIC_API_KEY ? 'configured' : 'MISSING'));
+  console.log('ABR GUID: ' + (process.env.ABR_GUID ? 'custom GUID set' : 'using fallback demo GUID — set ABR_GUID env var'));
 });