vat-validator-mcp 1.4.12 → 2.0.1

package/glama.json

@@ -1,19 +1,45 @@
 {
-  "name": "vat-validator-mcp",
-  "title": "VAT Validator MCP",
-  "description": "Validate EU, UK, and Australian VAT numbers for AI agents. EU VIES, UK HMRC, Australian ABN. Required for EU ViDA e-invoicing compliance.",
-  "version": "1.0.0",
-  "homepage": "https://kordagencies.com",
-  "license": "UNLICENSED",
+  "$schema": "https://glama.ai/mcp/servers/schema.json",
+  "name": "VAT Validator MCP",
+  "description": "AI-powered VAT fraud detection and live VAT validation via EU VIES (27 member states), UK HMRC, and AU ABR. Call before invoice approval, supplier onboarding, or cross-border payment. Detects missing trader fraud, carousel fraud, deregistered entity re-use. Returns CLEAR/REVIEW/BLOCK verdict.",
+  "license": "MIT",
+  "categories": [
+    "finance",
+    "government-data",
+    "legal-and-compliance"
+  ],
+  "remote": {
+    "transport": "sse",
+    "url": "https://vat-validator-mcp-production.up.railway.app/sse"
+  },
   "tools": [
-    { "name": "validate_vat", "description": "Validate any EU, UK, or Australian VAT number" },
-    { "name": "validate_uk_vat", "description": "Validate UK VAT number against HMRC with consultation number" },
-    { "name": "get_vat_rates", "description": "Get VAT rates by country for EU, UK, Australia" },
-    { "name": "batch_validate", "description": "Validate up to 10 VAT numbers in one call (paid)" }
+    {
+      "name": "validate_vat",
+      "description": "Validates EU VAT numbers against EU VIES (all 27 member states) and AU ABR in real time. Returns valid/invalid, registered company name, address."
+    },
+    {
+      "name": "validate_uk_vat",
+      "description": "Validates UK VAT numbers against HMRC VAT API v2 via OAuth2. Returns valid/invalid, registered business name, address."
+    },
+    {
+      "name": "get_vat_rates",
+      "description": "Returns current standard, reduced, and zero VAT rates for all 27 EU member states and UK."
+    },
+    {
+      "name": "batch_validate",
+      "description": "Validates multiple VAT numbers against EU VIES and HMRC in one call. Returns per-number verdicts in structured JSON."
+    },
+    {
+      "name": "analyse_vat_risk",
+      "description": "AI-powered VAT fraud risk scoring. Detects missing trader fraud, carousel fraud, deregistered entity re-use. Returns CLEAR/REVIEW/BLOCK recommendation, risk score 0-100, fraud signals, agent_action (PROCEED/VERIFY_MANUALLY/HOLD)."
+    },
+    {
+      "name": "compare_invoice_details",
+      "description": "Cross-checks invoice VAT details against live VIES and HMRC registry data. Returns MATCH/MISMATCH verdict with field-level detail and agent_action."
+    }
   ],
-  "pricing": {
-    "free": "20 validations/month, no API key",
-    "pro": "$99/month — 5,000 validations/month",
-    "enterprise": "$299/month — unlimited + batch"
+  "links": {
+    "homepage": "https://kordagencies.com",
+    "npm": "https://www.npmjs.com/package/vat-validator-mcp"
   }
 }

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "vat-validator-mcp",
   "mcpName": "io.github.OjasKord/vat-validator-mcp",
-  "version": "1.4.12",
-  "description": "VAT number validation for AI agents. EU VIES, UK HMRC, Australian ABN in one call.",
+  "version": "2.0.1",
+  "description": "VAT number validator for AI agents. EU VIES, UK HMRC, AU ABR — auto-detects jurisdiction. Fraud risk scoring and invoice name cross-check in one call.",
   "main": "src/server.js",
   "scripts": {
     "start": "node src/server.js"
@@ -40,5 +40,8 @@
   },
   "engines": {
     "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "stripe": "^22.1.1"
   }
 }

package/server.json

@@ -3,7 +3,7 @@
   "name": "io.github.OjasKord/vat-validator-mcp",
   "title": "VAT Validator MCP",
   "description": "Validate EU, UK, AU VAT numbers for AI agents. EU ViDA e-invoicing compliance.",
-  "version": "1.4.12",
+  "version": "1.4.13",
   "websiteUrl": "https://kordagencies.com",
   "repository": {
     "url": "https://github.com/OjasKord/vat-validator-mcp",
@@ -13,7 +13,7 @@
     {
       "registryType": "npm",
       "identifier": "vat-validator-mcp",
-      "version": "1.4.12",
+      "version": "1.4.13",
       "transport": { "type": "stdio" },
       "environmentVariables": [
         { "name": "ANTHROPIC_API_KEY", "description": "Anthropic API key for AI-powered fraud risk analysis", "isRequired": true, "isSecret": true },

package/smithery.yaml

@@ -1,4 +1,4 @@
-description: "AI-powered VAT fraud detection and live VAT validation via EU VIES (27 member states), UK HMRC, and AU ABR. Call before invoice approval, supplier onboarding, or cross-border payment. Detects missing trader fraud, carousel fraud, deregistered entity re-use. Returns CLEAR/REVIEW/BLOCK verdict."
+description: "VAT number validator for AI agents. EU VIES, UK HMRC, AU ABR — auto-detects jurisdiction. Fraud risk scoring and invoice name cross-check in one call."
 startCommand:
   type: http
   url: https://vat-validator-mcp-production.up.railway.app
@@ -7,24 +7,15 @@ startCommand:
     properties:
       apiKey:
         type: string
-        description: "VAT Validator MCP API key from kordagencies.com. Leave blank for free tier (20 validations/month)."
+        description: "VAT Validator MCP API key from kordagencies.com. Leave blank for free tier (50 validations/month)."
         x-from:
           header: "x-api-key"
     required: []
 
 systemPrompt: |
-  VAT Validator MCP is a business identity verification and invoice fraud detection layer for AI agents.
+  VAT Validator MCP v2 is a business identity verification and invoice fraud detection layer for AI agents.
 
-  It combines official government VAT registry data (EU VIES, UK HMRC, Australian ABR) with AI-powered fraud analysis to give agents a complete picture before any B2B transaction.
-
-  TWO LAYERS OF INTELLIGENCE
-
-  Layer 1 - Government Registry Validation (validate_vat, validate_uk_vat, get_vat_rates, batch_validate)
-  Confirms a business is real and registered with official authorities.
-
-  Layer 2 - AI-Powered Fraud Analysis (analyse_vat_risk, compare_invoice_details)
-  Uses AI to synthesise registry data with transaction context to detect fraud signals that raw validation misses.
-  This is not a database lookup - it is intelligent analysis that catches subtle red flags.
+  It combines official government VAT registry data (EU VIES, UK HMRC, Australian ABR) with AI-powered fraud analysis in a single self-contained call. No chained tool calls required — validate_vat handles jurisdiction detection, live registry lookup, and fraud scoring internally.
 
   WHEN TO USE THIS SERVER
 
@@ -36,55 +27,35 @@ systemPrompt: |
   - Apply B2B tax exemptions in e-commerce
   - Audit or enrich CRM company records
   - Run periodic compliance checks on active counterparties
-
-  RECOMMENDED WORKFLOW FOR INVOICE PROCESSING
-
-  When your agent receives an invoice from a new or unverified supplier:
-  1. validate_vat - confirm the VAT number is real and active
-  2. compare_invoice_details - AI checks if invoice details match registry (catches impersonation fraud)
-  3. analyse_vat_risk - AI risk assessment with CLEAR/REVIEW/BLOCK recommendation
-  Only proceed with payment if recommendation is CLEAR.
-
-  RECOMMENDED WORKFLOW FOR SUPPLIER ONBOARDING
-
-  When adding a new supplier to your approved vendor list:
-  1. validate_vat - confirm registration
-  2. analyse_vat_risk - AI fraud signal check
-  3. batch_validate - periodic re-validation of all active suppliers monthly
+  - Calculate or verify VAT amounts on an invoice
 
   TOOLS
 
   validate_vat
-  - Validates any EU, UK, or Australian VAT number against live government registries
-  - Auto-detects country from prefix
-  - Free tier: first 20 calls/month, no API key needed
-
-  validate_uk_vat
-  - UK-specific HMRC validation with consultation number for audit trail
-  - Free tier: first 20 calls/month, no API key needed
+  - Auto-detects jurisdiction from VAT number prefix: EU (AT/BE/BG/CY/CZ/DE/DK/EE/EL/ES/FI/FR/HR/HU/IE/IT/LT/LU/LV/MT/NL/PL/PT/RO/SE/SI/SK), UK (GB), Australia (ABN)
+  - Validates against EU VIES, UK HMRC VAT API v2 (OAuth), or AU ABR
+  - Runs AI fraud risk analysis internally — returns score 0-100 and PROCEED/VERIFY_MANUALLY/HOLD verdict
+  - Optional: pass invoice_company_name to cross-check against registry and detect name mismatches
+  - Optional: pass invoice_amount to weight fraud risk scoring
+  - Free tier: first 50 calls/month, no API key needed
 
   get_vat_rates
-  - Current VAT rates for all 27 EU countries, UK, and Australia
-  - Free tier: first 20 calls/month, no API key needed
+  - Returns current standard and reduced VAT rates for all 27 EU member states, UK, and Australia
+  - Omit country_code to retrieve all countries at once
+  - Free tier: first 50 calls/month, no API key needed
 
-  batch_validate
-  - Validate up to 10 VAT numbers in one call
-  - Use for supplier audits and onboarding batches
-  - Paid API key required
+  WORKFLOW FOR INVOICE PROCESSING
+
+  When your agent receives an invoice from a new or unverified supplier:
+  1. Call validate_vat with vat_number AND invoice_company_name (and optionally invoice_amount)
+  2. Check agent_action: PROCEED = clear to pay, VERIFY_MANUALLY = human review needed, HOLD = block payment
+  That is the complete workflow — one call returns everything needed.
 
-  analyse_vat_risk (AI-POWERED)
-  - Call after validate_vat when you need a fraud risk assessment
-  - AI analyses registry data + transaction context for fraud signals
-  - Returns CLEAR/REVIEW/BLOCK recommendation with specific reasons
-  - Catches: name mismatches, newly registered companies, dormant status, shell company indicators
-  - Free tier: first 20 calls/month, no API key needed
+  WORKFLOW FOR VAT CALCULATION
 
-  compare_invoice_details (AI-POWERED)
-  - Call when processing an invoice to verify supplier details match registry records
-  - AI compares invoice name/address/VAT against official registered data
-  - Flags discrepancies that indicate fraud, impersonation, or error
-  - Returns APPROVE/REVIEW/REJECT recommendation
-  - Free tier: first 20 calls/month, no API key needed
+  When your agent needs to calculate or verify a VAT amount:
+  1. Call get_vat_rates with the relevant country_code
+  2. Apply the returned standard or reduced rate
 
   LEGAL NOTICE
   All results are for informational purposes only and do not constitute legal or tax advice.
@@ -92,5 +63,4 @@ systemPrompt: |
   Full terms: kordagencies.com/terms.html
 
   FREE TIER
-  20 calls/month with no API key.
-  Upgrade at kordagencies.com - Pro $99/month (5,000 calls), Enterprise $299/month (unlimited + batch).
+  50 calls/month with no API key. Upgrade at kordagencies.com.

package/src/server.js

@@ -2,26 +2,28 @@ const http = require('http');
 const https = require('https');
 const crypto = require('crypto');
 const fs = require('fs');
+const Stripe = require('stripe');
+const stripe = Stripe(process.env.STRIPE_SECRET_KEY);
 
 const PERSIST_FILE = '/tmp/vat_stats.json';
-const API_KEYS_FILE = '/tmp/vat_apikeys.json';
-const VERSION = '1.4.12';
-const PRO_UPGRADE_URL = 'https://buy.stripe.com/28EeVceUB06N1ty3teebu0l';
-const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/00w14m7s96vb1ty5Bmebu0m';
+const VERSION = '2.0.1';
 const RESEND_API_KEY = process.env.RESEND_API_KEY || '';
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
 const PORT = process.env.PORT || 3000;
 const STATS_KEY = process.env.STATS_KEY || 'ojas2026';
+const REDIS_PREFIX = 'vat';
+const FREE_TIER_LIMIT = 50;
+const METERED_SUBSCRIBE_URL = 'https://vat-validator-mcp-production.up.railway.app/subscribe';
+const BUNDLE_500_URL = 'https://buy.stripe.com/28EeVceUB06N1ty3teebu0l';
+const BUNDLE_2000_URL = 'https://buy.stripe.com/00w14m7s96vb1ty5Bmebu0m';
 
 const freeTierUsage = new Map();
 const usageLog = [];
 const toolUsageCounts = {};
 const trialExtensions = new Map();
-const FREE_TIER_LIMIT = 20;
-const FREE_TIER_WARNING = 16;
+const FREE_TIER_WARNING = 40;
 const TRIAL_EXTENSION_CALLS = 10;
 const apiKeys = new Map();
-const PLAN_LIMITS = { pro: 5000, enterprise: Infinity };
 
 function saveStats() {
   try {
@@ -56,27 +58,98 @@ function getEffectiveLimit(ip) {
   return FREE_TIER_LIMIT;
 }
 
-function saveApiKeys() {
-  try { fs.writeFileSync(API_KEYS_FILE, JSON.stringify(Array.from(apiKeys.entries()))); } catch(e) { console.error('API keys save error:', e.message); }
+const UPSTASH_URL = process.env.UPSTASH_REDIS_REST_URL;
+const UPSTASH_TOKEN = process.env.UPSTASH_REDIS_REST_TOKEN;
+
+async function redisGet(key) {
+  try {
+    const res = await fetch(
+      `${UPSTASH_URL}/get/${encodeURIComponent(key)}`,
+      { headers: { Authorization: `Bearer ${UPSTASH_TOKEN}` } }
+    );
+    const data = await res.json();
+    if (!data.result) return null;
+    return JSON.parse(data.result);
+  } catch(e) { return null; }
+}
+
+async function redisSet(key, value) {
+  try {
+    await fetch(
+      `${UPSTASH_URL}/set/${encodeURIComponent(key)}`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${UPSTASH_TOKEN}`,
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({ value: JSON.stringify(value) })
+      }
+    );
+  } catch(e) {}
 }
 
-function loadApiKeys() {
+async function redisKeys(pattern) {
   try {
-    if (fs.existsSync(API_KEYS_FILE)) {
-      const entries = JSON.parse(fs.readFileSync(API_KEYS_FILE, 'utf8'));
-      entries.forEach(([k, v]) => apiKeys.set(k, v));
-      console.log('API keys loaded: ' + apiKeys.size + ' keys');
+    const res = await fetch(
+      `${UPSTASH_URL}/keys/${encodeURIComponent(pattern)}`,
+      { headers: { Authorization: `Bearer ${UPSTASH_TOKEN}` } }
+    );
+    const data = await res.json();
+    return data.result || [];
+  } catch(e) { return []; }
+}
+
+async function saveKeyToRedis(apiKey, record, prefix) {
+  await redisSet(`${prefix}:key:${apiKey}`, record);
+}
+
+async function loadApiKeysFromRedis(prefix) {
+  const keys = await redisKeys(`${prefix}:key:*`);
+  for (const redisKey of keys) {
+    const record = await redisGet(redisKey);
+    if (record) {
+      const apiKey = redisKey.replace(`${prefix}:key:`, '');
+      apiKeys.set(apiKey, record);
     }
-  } catch(e) { console.error('API keys load error:', e.message); }
+  }
+  console.log(`Loaded ${apiKeys.size} API keys from Redis`);
 }
 
 function generateApiKey() { return 'vat_' + crypto.randomBytes(24).toString('hex'); }
-function getPlanFromProduct(name) {
-  if (!name) return 'pro';
-  return name.toLowerCase().includes('enterprise') ? 'enterprise' : 'pro';
+function getPlanFromProduct(productName) {
+  if (!productName) return 'bundle_500';
+  const n = productName.toLowerCase();
+  if (n.includes('metered') || n.includes('pay as you go') || n === 'metered') return 'metered';
+  if (n.includes('2000') || n.includes('2,000') || n.includes('enterprise')) return 'bundle_2000';
+  return 'bundle_500';
 }
 function nowISO() { return new Date().toISOString(); }
 
+function checkAndResetPeriod(record) {
+  const thirtyDays = 30 * 24 * 60 * 60 * 1000;
+  if (Date.now() - record.periodStart > thirtyDays) {
+    record.calls = 0;
+    record.periodStart = Date.now();
+    return true;
+  }
+  return false;
+}
+
+async function reportMeteredUsage(customerId, eventName) {
+  try {
+    await stripe.billing.meterEvents.create({
+      event_name: eventName,
+      payload: {
+        stripe_customer_id: customerId,
+        value: '1'
+      }
+    });
+  } catch(e) {
+    console.error('Stripe metered usage report failed:', e.message);
+  }
+}
+
 async function sendEmail(to, subject, html) {
   return new Promise((resolve) => {
     const body = JSON.stringify({ from: 'VAT Validator MCP <ojas@kordagencies.com>', to: [to], subject, html });
@@ -90,10 +163,10 @@ async function sendEmail(to, subject, html) {
 }
 
 async function sendApiKeyEmail(email, apiKey, plan) {
-  const planLabel = plan === 'enterprise' ? 'Enterprise' : 'Pro';
-  const limit = plan === 'enterprise' ? 'Unlimited' : '5,000';
-  const html = '<!DOCTYPE html><html><body style="font-family:monospace;background:#080A0F;color:#E8EDF5;padding:40px;max-width:600px;margin:0 auto"><div style="border:1px solid rgba(0,229,195,0.3);border-radius:8px;padding:32px"><div style="color:#00E5C3;font-size:13px;letter-spacing:0.2em;text-transform:uppercase;margin-bottom:24px">VAT Validator MCP - ' + planLabel + ' Plan</div><h1 style="font-size:24px;font-weight:700;margin-bottom:8px;color:#FFFFFF">Your API key is ready.</h1><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">Your API Key</div><div style="color:#00E5C3;font-size:14px;word-break:break-all">' + apiKey + '</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">MCP Config</div><div style="color:#86EFAC;font-size:12px">{"vat-validator":{"url":"https://vat-validator-mcp-production.up.railway.app","headers":{"x-api-key":"' + apiKey + '"}}}</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#E8EDF5;font-size:13px">Plan: ' + planLabel + ' | Validations: ' + limit + '/month</div></div><div style="background:#0D1219;border-radius:6px;padding:16px;margin-bottom:24px;font-size:11px;color:#5A6478;line-height:1.7">Results are informational only. Verify with a qualified tax advisor. Liability capped at 3 months fees. Full terms: kordagencies.com/terms.html</div><p style="color:#5A6478;font-size:12px">Questions? ojas@kordagencies.com</p></div></body></html>';
-  return sendEmail(email, 'Your VAT Validator MCP ' + planLabel + ' API Key', html);
+  const planLabel = plan === 'metered' ? 'Pay-as-you-go' : plan === 'bundle_2000' ? 'Bundle 2000' : 'Bundle 500';
+  const limitNote = plan === 'metered' ? 'Pay only for what you use — billed monthly' : plan === 'bundle_2000' ? '2,000 calls included' : '500 calls included';
+  const html = '<!DOCTYPE html><html><body style="font-family:monospace;background:#080A0F;color:#E8EDF5;padding:40px;max-width:600px;margin:0 auto"><div style="border:1px solid rgba(0,229,195,0.3);border-radius:8px;padding:32px"><div style="color:#00E5C3;font-size:13px;letter-spacing:0.2em;text-transform:uppercase;margin-bottom:24px">VAT Validator MCP - ' + planLabel + '</div><h1 style="font-size:24px;font-weight:700;margin-bottom:8px;color:#FFFFFF">Your API key is ready.</h1><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">Your API Key</div><div style="color:#00E5C3;font-size:14px;word-break:break-all">' + apiKey + '</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#5A6478;font-size:11px;text-transform:uppercase;margin-bottom:8px">MCP Config</div><div style="color:#86EFAC;font-size:12px">{"vat-validator":{"url":"https://vat-validator-mcp-production.up.railway.app","headers":{"x-api-key":"' + apiKey + '"}}}</div></div><div style="background:#141B24;border:1px solid rgba(255,255,255,0.1);border-radius:6px;padding:20px;margin-bottom:24px"><div style="color:#E8EDF5;font-size:13px">Plan: ' + planLabel + '<br>' + limitNote + '</div></div><div style="background:#0D1219;border-radius:6px;padding:16px;margin-bottom:24px;font-size:11px;color:#5A6478;line-height:1.7">Results are informational only. Verify with a qualified tax advisor. Liability capped at 3 months fees. Full terms: kordagencies.com/terms.html</div><p style="color:#5A6478;font-size:12px">Questions? ojas@kordagencies.com</p></div></body></html>';
+  return sendEmail(email, 'Your VAT Validator MCP API Key — ' + planLabel, html);
 }
 
 async function callClaude(prompt) {
@@ -225,6 +298,7 @@ async function validateABN(abn) {
 function detectCountry(vatNumber) {
   const clean = vatNumber.trim().toUpperCase().replace(/\s/g, '');
   if (clean.startsWith('GB')) return { country: 'GB', type: 'uk', number: clean.slice(2) };
+  if (clean.startsWith('ABN')) return { country: 'AU', type: 'au', number: clean.slice(3) };
   if (clean.startsWith('AU') || /^\d{11}$/.test(clean)) return { country: 'AU', type: 'au', number: clean };
   const euCodes = ['AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','HR','HU','IE','IT','LT','LU','LV','MT','NL','PL','PT','RO','SE','SI','SK'];
   for (const code of euCodes) {
@@ -255,116 +329,262 @@ const VAT_RATES = {
 
 async function executeTool(name, args) {
   if (name === 'validate_vat') {
-    const vat_number = args.vat_number;
+    const { vat_number, invoice_company_name, invoice_amount } = args;
     const checkedAt = nowISO();
-    if (!vat_number) return { error: 'vat_number is required', likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
+
+    if (!vat_number) return {
+      error: 'vat_number is required',
+      agent_action: 'PROVIDE_REQUIRED_FIELD',
+      category: 'invalid_input',
+      retryable: false,
+      retry_after_ms: null,
+      fallback_tool: null,
+      trace_id: Math.random().toString(36).slice(2, 10)
+    };
+
     const detected = detectCountry(vat_number);
+    let valid = false;
+    let company_name = null;
+    let address = null;
+    let jurisdiction = '';
+    let sourceUrl = '';
+
     if (detected.type === 'uk') {
+      jurisdiction = 'UK';
+      sourceUrl = 'api.service.hmrc.gov.uk';
       const result = await validateHMRC(detected.number);
-      if (result.error) return { valid: null, vat_number, country: 'GB', source: 'HMRC', error: result.error, likely_cause: 'external VAT registry temporarily unavailable', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), retry: true, _disclaimer: LEGAL_DISCLAIMER };
+      if (result.error) return {
+        error: result.error,
+        vat_number,
+        jurisdiction,
+        agent_action: 'RETRY_IN_2_MIN',
+        category: 'upstream_unavailable',
+        retryable: true,
+        retry_after_ms: 120000,
+        fallback_tool: null,
+        trace_id: Math.random().toString(36).slice(2, 10),
+        source_url: sourceUrl,
+        checked_at: checkedAt,
+        _disclaimer: LEGAL_DISCLAIMER
+      };
       const d = result.data;
-      if (result.status === 200 && d.target) return { valid: true, agent_action: 'PROCEED', vat_number, country: 'GB', company_name: d.target.name || null, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', consultation_number: d.consultationNumber || null, checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-      return { valid: false, agent_action: 'VERIFY_MANUALLY', vat_number, country: 'GB', source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', reason: d.code || 'VAT number not found', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-    }
-    if (detected.type === 'eu') {
+      if (result.status === 200 && d.target) {
+        valid = true;
+        company_name = d.target.name || null;
+        address = d.target.address ? Object.values(d.target.address).filter(Boolean).join(', ') : null;
+      }
+    } else if (detected.type === 'eu') {
+      jurisdiction = 'EU';
+      sourceUrl = 'ec.europa.eu/taxation_customs/vies';
       const result = await validateVIES(detected.country, detected.number);
-      if (result.error) return { valid: null, vat_number, agent_action: 'RETRY_IN_30_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 1800000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), country: detected.country, source: 'VIES', source_url: 'ec.europa.eu/taxation_customs/vies', error: 'EU VIES portal is temporarily unavailable — this is a known issue with the official EU system, not a problem with the VAT number. Retry in 30 minutes.', likely_cause: 'external VAT registry temporarily unavailable', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
+      if (result.error) return {
+        error: 'EU VIES portal is temporarily unavailable — this is a known issue with the official EU system, not a problem with the VAT number. Retry in 30 minutes.',
+        vat_number,
+        jurisdiction,
+        agent_action: 'RETRY_IN_30_MIN',
+        category: 'upstream_unavailable',
+        retryable: true,
+        retry_after_ms: 1800000,
+        fallback_tool: null,
+        trace_id: Math.random().toString(36).slice(2, 10),
+        source_url: sourceUrl,
+        checked_at: checkedAt,
+        _disclaimer: LEGAL_DISCLAIMER
+      };
       const d = result.data;
-      return { valid: d.isValid || false, agent_action: d.isValid ? 'PROCEED' : 'VERIFY_MANUALLY', vat_number, country: detected.country, company_name: d.traderName || null, address: d.traderAddress || null, source: 'VIES', source_url: 'ec.europa.eu/taxation_customs/vies', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-    }
-    if (detected.type === 'au') {
+      valid = d.isValid || false;
+      company_name = d.traderName || null;
+      address = d.traderAddress || null;
+    } else if (detected.type === 'au') {
+      jurisdiction = 'AU';
+      sourceUrl = 'abr.business.gov.au';
       const result = await validateABN(detected.number);
-      if (result.error) return { valid: null, vat_number, country: 'AU', source: 'ABR', error: result.error, likely_cause: 'external VAT registry temporarily unavailable', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), _disclaimer: LEGAL_DISCLAIMER };
+      if (result.error) return {
+        error: result.error,
+        vat_number,
+        jurisdiction,
+        agent_action: 'RETRY_IN_2_MIN',
+        category: 'upstream_unavailable',
+        retryable: true,
+        retry_after_ms: 120000,
+        fallback_tool: null,
+        trace_id: Math.random().toString(36).slice(2, 10),
+        source_url: sourceUrl,
+        checked_at: checkedAt,
+        _disclaimer: LEGAL_DISCLAIMER
+      };
       const d = result.data;
-      const isValidABN = !!(d.Abn && d.AbnStatus === 'Active');
-      return { valid: isValidABN, agent_action: isValidABN ? 'PROCEED' : 'VERIFY_MANUALLY', vat_number, country: 'AU', company_name: d.EntityName || null, abn_status: d.AbnStatus || null, source: 'ABR', source_url: 'abr.business.gov.au', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
+      valid = !!(d.Abn && d.AbnStatus === 'Active');
+      company_name = d.EntityName || null;
+    } else {
+      return {
+        error: 'Could not detect country. Supported prefixes: EU (AT BE BG CY CZ DE DK EE EL ES FI FR HR HU IE IT LT LU LV MT NL PL PT RO SE SI SK), UK (GB), Australia (AU or ABN).',
+        vat_number,
+        agent_action: 'PROVIDE_COUNTRY_PREFIX',
+        category: 'invalid_input',
+        retryable: false,
+        retry_after_ms: null,
+        fallback_tool: null,
+        trace_id: Math.random().toString(36).slice(2, 10),
+        _disclaimer: LEGAL_DISCLAIMER
+      };
     }
-    return { valid: null, vat_number, agent_action: 'PROVIDE_COUNTRY_PREFIX', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), error: 'Could not detect country. Supported prefixes: EU (AT BE BG CY CZ DE DK EE EL ES FI FR HR HU IE IT LT LU LV MT NL PL PT RO SE SI SK), UK (GB), Australia (AU).', likely_cause: 'required field missing or malformed', _disclaimer: LEGAL_DISCLAIMER };
-  }
 
-  if (name === 'validate_uk_vat') {
-    const vat_number = args.vat_number;
-    const checkedAt = nowISO();
-    if (!vat_number) return { error: 'vat_number is required', likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
-    const result = await validateHMRC(vat_number);
-    if (result.error) return { valid: null, vat_number, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', error: 'UK HMRC API is temporarily unavailable — this is not a problem with the VAT number. Retry in a few minutes.', likely_cause: 'external VAT registry temporarily unavailable', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-    const d = result.data;
-    if (result.status === 200 && d.target) return { valid: true, agent_action: 'PROCEED', vat_number, company_name: d.target.name || null, registered_address: d.target.address ? Object.values(d.target.address).filter(Boolean).join(', ') : null, consultation_number: d.consultationNumber || null, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-    return { valid: false, agent_action: 'VERIFY_MANUALLY', vat_number, source: 'HMRC', source_url: 'api.service.hmrc.gov.uk', reason: d.code || 'VAT number not found', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-  }
+    // AI fraud risk analysis — runs internally, result is always returned in one call
+    const nameSection = invoice_company_name ? `Invoice Company Name: ${invoice_company_name}\n` : '';
+    const amountSection = invoice_amount != null ? `Invoice Amount: ${invoice_amount}\n` : '';
+    const prompt = `You are a B2B fraud detection specialist. Analyze this VAT validation result for fraud risk.
 
-  if (name === 'get_vat_rates') {
-    const country_code = args.country_code;
-    const checkedAt = nowISO();
-    if (!country_code) return { agent_action: 'PROCEED', rates: VAT_RATES, note: 'VAT rates as of 2026. Verify with official tax authority before use.', source_url: 'kordagencies.com', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
-    const code = country_code.toUpperCase();
-    const rate = VAT_RATES[code];
-    if (!rate) return { error: 'No VAT rate data for: ' + code + '. Supported: ' + Object.keys(VAT_RATES).join(', '), likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), _disclaimer: LEGAL_DISCLAIMER };
-    return Object.assign({ agent_action: 'PROCEED', country_code: code }, rate, { note: 'Verify current rates with official tax authority before use.', source_url: 'kordagencies.com', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER });
-  }
+VAT Number: ${vat_number}
+Jurisdiction: ${jurisdiction}
+Valid/Active: ${valid}
+Registered Company Name: ${company_name || 'Not available from registry'}
+Registered Address: ${address || 'Not available from registry'}
+${nameSection}${amountSection}
+Analyze for: registration status, jurisdiction risk factors, name mismatch between invoice and registry (if invoice company name provided), address anomalies, shell company indicators, missing trader fraud patterns, recently registered entity risk.
 
-  if (name === 'batch_validate') {
-    const vat_numbers = args.vat_numbers;
-    if (!vat_numbers || !Array.isArray(vat_numbers)) return { error: 'vat_numbers must be an array', likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
-    if (vat_numbers.length > 10) return { error: 'Maximum 10 VAT numbers per batch. Upgrade to Enterprise at kordagencies.com for unlimited batches.', likely_cause: 'required field missing or malformed', agent_action: 'Reduce batch to 10 or fewer, or upgrade to Enterprise at kordagencies.com', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
-    const results = await Promise.all(vat_numbers.map(async (vat) => {
-      try { return await executeTool('validate_vat', { vat_number: vat }); }
-      catch(e) { return { vat_number: vat, valid: null, error: e.message, likely_cause: 'external VAT registry temporarily unavailable', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) }; }
-    }));
-    return { agent_action: 'PROCEED', summary: { total: results.length, valid: results.filter(r => r.valid === true).length, invalid: results.filter(r => r.valid === false).length, error: results.filter(r => r.valid === null).length }, results, _disclaimer: LEGAL_DISCLAIMER };
-  }
+Name match rules: if no invoice_company_name was provided set name_match to "NOT_CHECKED". If provided and registry name unavailable set name_match to "NOT_CHECKED". If both available compare them: "MATCH" if they clearly refer to the same company (allow abbreviations and legal suffix variations), "MISMATCH" if clearly different companies.
+
+recommendation must be exactly one of: CLEAR, REVIEW, or BLOCK. No other values permitted. CLEAR = valid, low risk. REVIEW = valid but requires manual verification. BLOCK = invalid or high/critical risk.
+
+Return ONLY valid JSON with no preamble or markdown:
+{"fraud_risk_score":0,"fraud_risk_level":"LOW","fraud_signals":[],"name_match":"NOT_CHECKED","recommendation":"CLEAR","summary":"one sentence plain English"}`;
+
+    let fraudRiskScore = 50;
+    let fraudRiskLevel = 'MEDIUM';
+    let fraudSignals = [];
+    let nameMatch = 'NOT_CHECKED';
+    let recommendation = 'REVIEW';
+    let summary = 'Manual review recommended — AI analysis unavailable.';
 
-  if (name === 'analyse_vat_risk') {
-    const vat_number = args.vat_number;
-    const validation_result = args.validation_result;
-    const invoice_amount = args.invoice_amount;
-    const invoice_company_name = args.invoice_company_name;
-    if (!vat_number || !validation_result) return { error: 'vat_number and validation_result are required', likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
-    const prompt = 'You are a B2B fraud detection specialist. Analyse this VAT validation result for fraud signals.\n\nVAT Number: ' + vat_number + '\nValidation Result: ' + JSON.stringify(validation_result) + '\nInvoice Amount: ' + (invoice_amount ? String(invoice_amount) : 'Not provided') + '\nInvoice Company Name: ' + (invoice_company_name || 'Not provided') + '\nRegistered Company Name: ' + (validation_result.company_name || 'Not available') + '\nValid: ' + validation_result.valid + '\nCountry: ' + validation_result.country + '\n\nAnalyse for: name mismatch between invoice and registry, recently registered company, dormant or dissolved status, high invoice amount relative to company size, address anomalies, shell company indicators.\n\nReturn ONLY valid JSON with no preamble: {"recommendation":"CLEAR|REVIEW|BLOCK","risk_level":"LOW|MEDIUM|HIGH|CRITICAL","risk_score":50,"fraud_signals":[],"positive_indicators":[],"recommended_action":"one sentence","summary":"two sentences"}';
     try {
-      const response = await callClaude(prompt);
-      const result = JSON.parse(response.replace(/```json|```/g, '').trim());
-      const vatRiskAction = (result.risk_level === 'HIGH' || result.risk_level === 'CRITICAL') ? 'HOLD' : result.risk_level === 'MEDIUM' ? 'VERIFY_MANUALLY' : 'PROCEED';
-      return Object.assign({}, result, { vat_number, agent_action: vatRiskAction, _disclaimer: LEGAL_DISCLAIMER });
+      const aiResponse = await callClaude(prompt);
+      const parsed = JSON.parse(aiResponse.replace(/```json|```/g, '').trim());
+      fraudRiskScore = typeof parsed.fraud_risk_score === 'number' ? parsed.fraud_risk_score : fraudRiskScore;
+      fraudRiskLevel = parsed.fraud_risk_level || fraudRiskLevel;
+      fraudSignals = Array.isArray(parsed.fraud_signals) ? parsed.fraud_signals : [];
+      nameMatch = parsed.name_match || nameMatch;
+      recommendation = parsed.recommendation || recommendation;
+      summary = parsed.summary || summary;
     } catch(e) {
-      return { recommendation: 'REVIEW', risk_level: 'MEDIUM', risk_score: 50, vat_number, error: 'AI analysis unavailable - manual review recommended', likely_cause: 'AI analysis failed — transient Anthropic API issue', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), _disclaimer: LEGAL_DISCLAIMER };
+      if (!valid) {
+        fraudRiskLevel = 'HIGH';
+        fraudRiskScore = 75;
+        fraudSignals = ['VAT number invalid or deregistered'];
+        recommendation = 'BLOCK';
+        summary = 'VAT number is invalid or deregistered.';
+      }
     }
-  }
 
-  if (name === 'compare_invoice_details') {
-    const { invoice_company_name, invoice_address, invoice_vat_number, validation_result } = args;
-    if (!invoice_company_name || !invoice_vat_number || !validation_result) return { error: 'invoice_company_name, invoice_vat_number, and validation_result are required', likely_cause: 'required field missing or malformed', agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
-    const prompt = 'You are an invoice fraud detection specialist. Compare invoice details against official registry records.\n\nINVOICE CLAIMS:\nCompany Name: ' + invoice_company_name + '\nAddress: ' + (invoice_address || 'Not provided') + '\nVAT Number: ' + invoice_vat_number + '\n\nOFFICIAL REGISTRY RECORDS:\nRegistered Company Name: ' + (validation_result.company_name || 'Not available from registry') + '\nRegistered Address: ' + (validation_result.address || validation_result.registered_address || 'Not available from registry') + '\nVAT Valid: ' + validation_result.valid + '\nCountry: ' + validation_result.country + '\n\nAnalyse for: name discrepancies, address discrepancies, signs of invoice fraud or impersonation.\n\nReturn ONLY valid JSON with no preamble: {"match_verdict":"MATCH|PARTIAL_MATCH|MISMATCH|UNVERIFIABLE","name_match":"EXACT|SIMILAR|DIFFERENT|UNVERIFIABLE","address_match":"MATCH|DIFFERENT|UNVERIFIABLE","vat_valid":true,"discrepancies":[],"fraud_risk":"LOW|MEDIUM|HIGH","recommendation":"APPROVE|REVIEW|REJECT","recommended_action":"one sentence","summary":"two sentences"}';
-    try {
-      const response = await callClaude(prompt);
-      const result = JSON.parse(response.replace(/```json|```/g, '').trim());
-      const agentAction = result.match_verdict === 'MATCH' ? 'PROCEED' : 'INVESTIGATE';
-      return Object.assign({}, result, { invoice_vat_number, agent_action: agentAction, discrepancies: result.discrepancies || [], _disclaimer: LEGAL_DISCLAIMER });
-    } catch(e) {
-      return { match_verdict: 'UNVERIFIABLE', agent_action: 'RETRY_IN_2_MIN', category: 'upstream_unavailable', retryable: true, retry_after_ms: 120000, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), fraud_risk: 'MEDIUM', invoice_vat_number, discrepancies: [], error: 'AI analysis unavailable -- manual review recommended', likely_cause: 'AI analysis failed — transient Anthropic API issue', _disclaimer: LEGAL_DISCLAIMER };
+    let agentAction;
+    if (!valid || fraudRiskLevel === 'CRITICAL' || nameMatch === 'MISMATCH') {
+      agentAction = 'HOLD';
+    } else if (fraudRiskLevel === 'HIGH' || fraudRiskLevel === 'MEDIUM') {
+      agentAction = 'VERIFY_MANUALLY';
+    } else {
+      agentAction = 'PROCEED';
     }
+
+    return {
+      agent_action: agentAction,
+      valid,
+      vat_number,
+      jurisdiction,
+      company_name,
+      address,
+      fraud_risk_score: fraudRiskScore,
+      fraud_risk_level: fraudRiskLevel,
+      fraud_signals: fraudSignals,
+      name_match: nameMatch,
+      recommendation,
+      summary,
+      source_url: sourceUrl,
+      checked_at: checkedAt,
+      _disclaimer: LEGAL_DISCLAIMER,
+      ai_notice: 'AI-powered fraud analysis — NOT a simple database lookup'
+    };
+  }
+
+  if (name === 'get_vat_rates') {
+    const country_code = args.country_code;
+    const checkedAt = nowISO();
+    if (!country_code) return { agent_action: 'PROCEED', rates: VAT_RATES, note: 'VAT rates as of 2026. Verify with official tax authority before use.', source_url: 'taxation-customs.ec.europa.eu/tedb/taxes-list.html', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER };
+    const code = country_code.toUpperCase();
+    const rate = VAT_RATES[code];
+    if (!rate) return { error: 'No VAT rate data for: ' + code + '. Supported: ' + Object.keys(VAT_RATES).join(', '), agent_action: 'PROVIDE_REQUIRED_FIELD', category: 'invalid_input', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10), _disclaimer: LEGAL_DISCLAIMER };
+    return Object.assign({ agent_action: 'PROCEED', country_code: code }, rate, { note: 'Verify current rates with official tax authority before use.', source_url: 'taxation-customs.ec.europa.eu/tedb/taxes-list.html', checked_at: checkedAt, _disclaimer: LEGAL_DISCLAIMER });
   }
 
-  return { error: 'Unknown tool: ' + name, likely_cause: 'required field missing or malformed', agent_action: 'RETRY_IN_2_MIN', category: 'unknown_tool', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
+  return { error: 'Unknown tool: ' + name, agent_action: 'RETRY_IN_2_MIN', category: 'unknown_tool', retryable: false, retry_after_ms: null, fallback_tool: null, trace_id: Math.random().toString(36).slice(2, 10) };
 }
 
 function checkAccess(req) {
   const apiKey = req.headers['x-api-key'];
   if (apiKey) {
     const record = apiKeys.get(apiKey);
-    if (!record) return { allowed: false, reason: 'Invalid API key. Get yours at kordagencies.com', tier: 'invalid' };
-    if (record.limit !== Infinity && record.calls >= record.limit) return { allowed: false, reason: 'Monthly limit of ' + record.limit + ' validations reached. Upgrade at kordagencies.com', tier: 'limit_reached' };
+    if (!record) {
+      return { allowed: false, error: 'Invalid API key' };
+    }
+
+    const wasReset = checkAndResetPeriod(record);
+    if (wasReset) {
+      saveKeyToRedis(apiKey, record, REDIS_PREFIX).catch(() => {});
+    }
+
+    if (record.plan === 'metered') {
+      record.calls++;
+      saveKeyToRedis(apiKey, record, REDIS_PREFIX).catch(() => {});
+      return {
+        allowed: true,
+        paid: true,
+        plan: 'metered',
+        stripeCustomerId: record.stripeCustomerId
+      };
+    }
+
+    if (record.calls >= record.limit) {
+      return {
+        allowed: false,
+        error: `Bundle exhausted. You have used all ${record.limit} calls in this bundle. Purchase another bundle or switch to pay-as-you-go.`,
+        subscribe_url: METERED_SUBSCRIBE_URL,
+        bundle_500_url: BUNDLE_500_URL,
+        bundle_2000_url: BUNDLE_2000_URL,
+        agent_action: 'PAUSE_AND_NOTIFY_USER'
+      };
+    }
+
     record.calls++;
-    return { allowed: true, tier: record.plan, record };
+    saveKeyToRedis(apiKey, record, REDIS_PREFIX).catch(() => {});
+    return { allowed: true, paid: true, plan: record.plan };
   }
   const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
   const monthKey = getMonthKey(ip);
   const calls = freeTierUsage.get(monthKey) || 0;
-  if (calls >= FREE_TIER_LIMIT) return { allowed: false, reason: 'Free tier limit of ' + FREE_TIER_LIMIT + ' calls/month reached. Option 1: POST /trial-extension with {"name":"...","email":"...","use_case":"..."} for 10 extra free calls. Option 2: Upgrade to Pro at ' + PRO_UPGRADE_URL + ' (500 calls, never expire).', upgrade_url: PRO_UPGRADE_URL, trial_extension: { endpoint: '/trial-extension', method: 'POST', body: { name: 'string', email: 'string', use_case: 'string' } }, tier: 'free_limit_reached' };
+  if (calls >= FREE_TIER_LIMIT) return {
+    allowed: false,
+    error: 'Free tier limit of 50 calls/month reached.',
+    options: {
+      pay_as_you_go: {
+        description: 'No commitment. Pay only for what you use. Billed monthly at end of period.',
+        pricing: {
+          vat_query: '$0.010 per query'
+        },
+        subscribe_url: METERED_SUBSCRIBE_URL
+      },
+      bundle: {
+        description: 'Buy a fixed call bundle. No subscription.',
+        options: [
+          { calls: 500, price: '$8', url: BUNDLE_500_URL },
+          { calls: 2000, price: '$28', url: BUNDLE_2000_URL }
+        ]
+      }
+    },
+    agent_action: 'PAUSE_AND_NOTIFY_USER'
+  };
   freeTierUsage.set(monthKey, calls + 1);
   saveStats();
   const remaining = FREE_TIER_LIMIT - calls - 1;
-  const warningMsg = remaining < 5 ? remaining + ' free validations remaining this month. Need more? POST /trial-extension with your email for 10 extra free calls, or upgrade at ' + PRO_UPGRADE_URL + ' (500 calls, never expire).' : null;
+  const warningMsg = remaining < 10 ? remaining + ' free validations remaining this month. Get 500 calls for $8 at ' + BUNDLE_500_URL + ' -- calls never expire.' : null;
   return { allowed: true, tier: 'free', remaining, warning: warningMsg };
 }
 
@@ -400,28 +620,67 @@ async function handleStripeWebhook(body, sig) {
     const event = JSON.parse(body);
     if (event.type === 'checkout.session.completed') {
       const session = event.data.object;
-      const email = session.customer_email || session.customer_details?.email;
-      const plan = getPlanFromProduct(session.metadata?.product_name || '');
-      if (email) {
-        const apiKey = generateApiKey();
-        apiKeys.set(apiKey, { email, plan, createdAt: new Date().toISOString(), calls: 0, limit: PLAN_LIMITS[plan] });
-        saveApiKeys();
-        await sendApiKeyEmail(email, apiKey, plan);
-        console.log('[vat] API key created for ' + email + ' (' + plan + ')');
-        return { success: true, email, plan };
+      const plan = getPlanFromProduct(session.metadata?.product_name);
+      const apiKey = generateApiKey();
+      const limit = plan === 'metered' ? null : plan === 'bundle_2000' ? 2000 : 500;
+      const record = {
+        email: session.customer_details?.email || 'unknown',
+        plan,
+        calls: 0,
+        periodStart: Date.now(),
+        limit,
+        stripeCustomerId: session.customer || null,
+        createdAt: Date.now()
+      };
+      apiKeys.set(apiKey, record);
+      await saveKeyToRedis(apiKey, record, REDIS_PREFIX);
+      await sendApiKeyEmail(record.email, apiKey, plan);
+      console.log('[vat] API key created for ' + record.email + ' (' + plan + ')');
+      return { success: true, email: record.email, plan };
+    }
+    if (event.type === 'customer.subscription.created') {
+      const sub = event.data.object;
+      const customerId = sub.customer;
+      for (const [key, record] of apiKeys.entries()) {
+        if (record.stripeCustomerId === customerId && !record.subscriptionId) {
+          record.subscriptionId = sub.id;
+          await saveKeyToRedis(key, record, REDIS_PREFIX);
+          break;
+        }
       }
+      return { received: true, type: event.type };
     }
     return { received: true, type: event.type };
   } catch(e) { console.error('[vat] Webhook error:', e.message); return { error: e.message, status: 400 }; }
 }
 
 const tools = [
-  { name: 'validate_vat', idempotent: true, description: 'Call this BEFORE your agent approves any EU supplier, issues a cross-border invoice, or processes an inbound EU payment. Validates VAT registration numbers against EU VIES (all 27 member states) and AU ABR in real time. Returns valid/invalid status, registered company name, and address — data your agent cannot retrieve reliably from training data. A deregistered or invalid VAT number on an approved invoice creates an unrecoverable tax liability. One call eliminates that risk. Returns structured JSON with machine-readable fields — no further analysis needed.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'VAT number with country prefix (e.g. DE123456789, GB123456789, FR12345678901)' } }, required: ['vat_number'] } },
-  { name: 'validate_uk_vat', idempotent: true, description: 'Call this BEFORE your agent approves any UK supplier, issues a UK VAT invoice, or processes a UK inbound payment. Validates UK VAT numbers directly against HMRC VAT API v2 via OAuth2 — the only authoritative UK source. Returns valid/invalid, registered business name, and address. An invalid UK VAT number on an approved invoice triggers HMRC penalties with no appeal path. One call, authoritative source, machine-readable verdict.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'UK VAT number with or without GB prefix' } }, required: ['vat_number'] } },
-  { name: 'get_vat_rates', idempotent: true, description: 'Call this BEFORE your agent calculates invoice totals, applies tax rates, or generates VAT-inclusive pricing for any EU country or UK. Returns current standard, reduced, and zero VAT rates for all 27 EU member states and UK. VAT rates change without notice — your agent cannot rely on training data for current rates. Returns structured JSON — no parsing needed.', inputSchema: { type: 'object', properties: { country_code: { type: 'string', description: 'ISO 2-letter country code (e.g. DE, FR, GB). Leave blank for all countries.' } }, required: [] } },
-  { name: 'batch_validate', idempotent: true, description: 'Call this when your agent needs to validate multiple supplier VAT numbers in a single workflow — onboarding a supplier list, auditing an invoice batch, or screening a counterparty database. Validates against EU VIES and HMRC in one call. One undetected invalid VAT number in a supplier batch creates downstream tax exposure across every transaction with that supplier. Returns per-number verdicts in structured JSON.', inputSchema: { type: 'object', properties: { vat_numbers: { type: 'array', items: { type: 'string' }, description: 'Array of VAT numbers with country prefixes (max 10)' } }, required: ['vat_numbers'] } },
-  { name: 'analyse_vat_risk', idempotent: true, description: 'Call this BEFORE your agent approves a high-value invoice, onboards a new EU or UK supplier, or processes any cross-border payment where VAT fraud is a material risk. AI-powered fraud risk scoring — NOT a simple database lookup. Analyses VAT registration patterns, company age, jurisdiction risk, and invoice behaviour to detect missing trader fraud, carousel fraud, and deregistered entity re-use. Returns CLEAR/REVIEW/BLOCK recommendation, risk score 0-100, fraud signals list, and agent_action field (PROCEED/VERIFY_MANUALLY/HOLD) — no further analysis needed. The only MCP that combines live VIES validation with AI fraud pattern detection.', inputSchema: { type: 'object', properties: { vat_number: { type: 'string', description: 'The VAT number that was validated' }, validation_result: { type: 'object', description: 'The full result object returned by validate_vat or validate_uk_vat' }, invoice_amount: { type: 'number', description: 'Optional - invoice or transaction amount in local currency.' }, invoice_company_name: { type: 'string', description: 'Optional - company name as it appears on the invoice.' } }, required: ['vat_number', 'validation_result'] } },
-  { name: 'compare_invoice_details', idempotent: true, description: 'Call this BEFORE your agent finalises payment on any invoice where the supplier VAT number, company name, or address requires verification. Cross-checks invoice details against live VIES and HMRC registry data. A single name mismatch between invoice and registry is the most common signal of invoice fraud — one call catches it before payment is authorised. Returns MATCH/MISMATCH verdict with field-level detail and agent_action. Machine-ready output, no parsing needed.', inputSchema: { type: 'object', properties: { invoice_company_name: { type: 'string', description: 'Company name as it appears on the invoice' }, invoice_address: { type: 'string', description: 'Address as it appears on the invoice (optional)' }, invoice_vat_number: { type: 'string', description: 'VAT number as it appears on the invoice' }, validation_result: { type: 'object', description: 'The full result object returned by validate_vat or validate_uk_vat for this VAT number' } }, required: ['invoice_company_name', 'invoice_vat_number', 'validation_result'] } }
+  {
+    name: 'validate_vat',
+    idempotent: true,
+    description: 'Call this BEFORE your agent approves any supplier invoice, onboards a new EU/UK/AU vendor, or processes any cross-border payment. Validates VAT numbers against EU VIES (all 27 member states), UK HMRC VAT API v2, and AU ABR — auto-detects jurisdiction from the number prefix. Returns valid/invalid status, registered company name, address, and AI-powered fraud risk score 0-100 with PROCEED/VERIFY_MANUALLY/HOLD verdict. An invalid or deregistered VAT number on an approved invoice creates unrecoverable tax liability. One call, three jurisdictions, machine-ready verdict — no further analysis needed.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        vat_number: { type: 'string', description: 'VAT number with country prefix. EU: DE123456789. UK: GB123456789. AU: ABN12345678901.' },
+        invoice_company_name: { type: 'string', description: 'Company name as it appears on the invoice — if provided, cross-checks against registry and flags mismatches.' },
+        invoice_amount: { type: 'number', description: 'Invoice amount in local currency — used in fraud risk weighting.' }
+      },
+      required: ['vat_number']
+    }
+  },
+  {
+    name: 'get_vat_rates',
+    idempotent: true,
+    description: 'Call this BEFORE your agent calculates invoice totals, applies tax rates, generates VAT-inclusive pricing, or validates that a VAT amount on an invoice is correct for a given country. Returns current standard, reduced, and zero VAT rates for all 27 EU member states and UK. VAT rates change without notice — your agent cannot rely on training data for current rates. Returns machine-readable JSON — no parsing needed. Omit country_code to get all countries.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        country_code: { type: 'string', description: 'ISO 2-letter code e.g. DE, FR, GB. Omit for all countries.' }
+      },
+      required: []
+    }
+  }
 ];
 
 const sseClients = new Map();
@@ -431,7 +690,7 @@ const server = http.createServer(async (req, res) => {
 
   if (req.url === '/health' && (req.method === 'GET' || req.method === 'HEAD')) {
     res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ status: 'ok', version: VERSION, service: 'vat-validator-mcp', free_tier: 'no API key required for first 20 calls/month', paid_keys_issued: apiKeys.size }));
+    res.end(JSON.stringify({ status: 'ok', version: VERSION, service: 'vat-validator-mcp', free_tier: 'no API key required for first ' + FREE_TIER_LIMIT + ' calls/month', paid_keys_issued: apiKeys.size }));
     return;
   }
 
@@ -480,7 +739,7 @@ const server = http.createServer(async (req, res) => {
         const { name, email, use_case } = JSON.parse(body);
         if (!name || !email) { res.writeHead(400, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'name and email are required', agent_action: 'PROVIDE_REQUIRED_FIELDS' })); return; }
         const emailKey = 'trial:' + email.toLowerCase().trim();
-        if (trialExtensions.has(emailKey)) { res.writeHead(409, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Trial extension already granted for this email.', upgrade_url: PRO_UPGRADE_URL, agent_action: 'INFORM_USER_TRIAL_ALREADY_USED' })); return; }
+        if (trialExtensions.has(emailKey)) { res.writeHead(409, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Trial extension already granted for this email.', bundle_url: BUNDLE_500_URL, agent_action: 'INFORM_USER_TRIAL_ALREADY_USED' })); return; }
         const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
         const monthKey = getMonthKey(ip);
         const currentCalls = freeTierUsage.get(monthKey) || 0;
@@ -490,9 +749,9 @@ const server = http.createServer(async (req, res) => {
         await sendEmail('ojas@kordagencies.com', 'VAT Validator -- Trial Extension: ' + name,
           '<p><b>Name:</b> ' + name + '<br><b>Email:</b> ' + email + '<br><b>Use case:</b> ' + (use_case || 'Not provided') + '<br><b>IP:</b> ' + ip + '<br><b>Calls granted:</b> ' + TRIAL_EXTENSION_CALLS + '</p>');
         await sendEmail(email, TRIAL_EXTENSION_CALLS + ' extra free calls added -- VAT Validator MCP',
-          '<p>Hi ' + name + ',</p><p>Your ' + TRIAL_EXTENSION_CALLS + ' extra free calls have been added. You can keep using VAT Validator MCP right now -- no action needed.</p><p>When you need more, Pro is $8/month for 500 calls (never expire): ' + PRO_UPGRADE_URL + '</p><p>Ojas<br>kordagencies.com</p>');
+          '<p>Hi ' + name + ',</p><p>Your ' + TRIAL_EXTENSION_CALLS + ' extra free calls have been added. You can keep using VAT Validator MCP right now -- no action needed.</p><p>When you need more, get 500 calls for $8: ' + BUNDLE_500_URL + '</p><p>Ojas<br>kordagencies.com</p>');
         res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ granted: true, additional_calls: TRIAL_EXTENSION_CALLS, message: TRIAL_EXTENSION_CALLS + ' extra free calls added. Check your email for confirmation.', upgrade_url: PRO_UPGRADE_URL }));
+        res.end(JSON.stringify({ granted: true, additional_calls: TRIAL_EXTENSION_CALLS, message: TRIAL_EXTENSION_CALLS + ' extra free calls added. Check your email for confirmation.', bundle_url: BUNDLE_500_URL }));
       } catch(e) { res.writeHead(400, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message, agent_action: 'RETRY_IN_2_MIN' })); }
     });
     return;
@@ -513,7 +772,7 @@ const server = http.createServer(async (req, res) => {
 
   if (req.url === '/.well-known/mcp/server-card.json' && req.method === 'GET') {
     res.writeHead(200, { ...cors, 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ name: 'vat-validator-mcp', title: 'VAT Validator MCP', version: VERSION, description: 'VAT validation + AI fraud detection. EU VIES, UK HMRC, Australian ABN. Free tier: 20 calls/month.', tools: tools.map(t => t.name), transport: 'streamable-http', homepage: 'https://kordagencies.com', token_footprint_min: 100, token_footprint_max: 600, token_footprint_avg: 200, idempotent_tools: ['validate_vat', 'validate_uk_vat', 'get_vat_rates', 'batch_validate', 'analyse_vat_risk', 'compare_invoice_details'], circuit_breaker: false, health_endpoint: '/health', ready_endpoint: '/ready' }));
+    res.end(JSON.stringify({ name: 'vat-validator-mcp', title: 'VAT Validator MCP', version: VERSION, description: 'VAT number validator for AI agents. EU VIES, UK HMRC, AU ABR — auto-detects jurisdiction. Fraud risk scoring and invoice name cross-check in one call.', tools: tools.map(t => t.name), transport: 'streamable-http', homepage: 'https://kordagencies.com', token_footprint_min: 100, token_footprint_max: 600, token_footprint_avg: 200, idempotent_tools: ['validate_vat', 'get_vat_rates'], circuit_breaker: false, health_endpoint: '/health', ready_endpoint: '/ready' }));
     return;
   }
 
@@ -544,7 +803,7 @@ const server = http.createServer(async (req, res) => {
         const request = JSON.parse(body);
         let response;
         if (request.method === 'initialize') {
-          response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'Every accounts-payable pipeline reaches a moment where an agent must validate a VAT registration or approve an invoice without being able to reason its way to a reliable answer. VAT Validator MCP answers that question in real time -- live checks against EU VIES, UK HMRC, and Australian ABR, with AI-powered invoice comparison. An agent acting on stale VAT data has no defence against a tax authority. Used before any invoice payment, supplier onboarding, or cross-border transaction.' } } };
+          response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'VAT Validator MCP v2. validate_vat auto-detects EU/UK/AU jurisdiction, validates against live government registries, and returns AI-powered fraud risk scoring — all in one call. No chained inputs, no prior state required.' } } };
         } else if (request.method === 'notifications/initialized') {
           res.writeHead(204, cors); res.end(); return;
         } else if (request.method === 'tools/list') {
@@ -556,15 +815,18 @@ const server = http.createServer(async (req, res) => {
         } else if (request.method === 'tools/call') {
           const access = checkAccess(req);
           if (!access.allowed) {
-            response = { jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.reason, upgrade_url: PRO_UPGRADE_URL, agent_action: 'Inform user free tier quota is exhausted. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire.' } };
+            response = { jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.error || 'Access denied', data: access, agent_action: 'PAUSE_AND_NOTIFY_USER' } };
           } else {
             const { name, arguments: args } = request.params;
             const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
-            usageLog.push({ tool: name, tier: access.tier, time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
+            usageLog.push({ tool: name, tier: access.tier || access.plan || 'paid', time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
             if (usageLog.length > 1000) usageLog.shift();
             toolUsageCounts[name] = (toolUsageCounts[name] || 0) + 1;
             saveStats();
             const result = await executeTool(name, args || {});
+            if (access.plan === 'metered' && access.stripeCustomerId) {
+              reportMeteredUsage(access.stripeCustomerId, 'vat_query').catch(() => {});
+            }
             response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };
           }
         } else {
@@ -587,18 +849,17 @@ const server = http.createServer(async (req, res) => {
         const request = JSON.parse(body);
         let response;
         if (request.method === 'tools/call') {
-          if (request.params?.name === 'batch_validate') {
-            const apiKey = req.headers['x-api-key'];
-            if (!apiKey) { res.writeHead(402, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32002, message: 'batch_validate requires a paid API key. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire.', upgrade_url: PRO_UPGRADE_URL, agent_action: 'Paid API key required for batch_validate. Get 500 calls for $8 at ' + PRO_UPGRADE_URL } })); return; }
-            const record = apiKeys.get(apiKey);
-            if (!record) { res.writeHead(401, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32001, message: 'Invalid API key. Get yours at kordagencies.com', agent_action: 'Invalid API key. Obtain a valid key at kordagencies.com' } })); return; }
-          } else {
-            const access = checkAccess(req);
-            if (!access.allowed) { res.writeHead(429, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.reason, upgrade_url: PRO_UPGRADE_URL, agent_action: 'Inform user free tier quota is exhausted. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire.' } })); return; }
-            req._accessWarning = access.warning; req._tier = access.tier;
+          const access = checkAccess(req);
+          if (!access.allowed) {
+            res.writeHead(429, { ...cors, 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ jsonrpc: '2.0', id: request.id, error: { code: -32000, message: access.error || 'Access denied', data: access, agent_action: 'PAUSE_AND_NOTIFY_USER' } }));
+            return;
           }
+          req._accessWarning = access.warning;
+          req._tier = access.tier;
+          req._accessResult = access;
         }
-        if (request.method === 'initialize') { response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'Every accounts-payable pipeline reaches a moment where an agent must validate a VAT registration or approve an invoice without being able to reason its way to a reliable answer. VAT Validator MCP answers that question in real time -- live checks against EU VIES, UK HMRC, and Australian ABR, with AI-powered invoice comparison. An agent acting on stale VAT data has no defence against a tax authority. Used before any invoice payment, supplier onboarding, or cross-border transaction.' } } };
+        if (request.method === 'initialize') { response = { jsonrpc: '2.0', id: request.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'VAT Validator MCP v2. validate_vat auto-detects EU/UK/AU jurisdiction, validates against live government registries, and returns AI-powered fraud risk scoring — all in one call. No chained inputs, no prior state required.' } } };
         } else if (request.method === 'notifications/initialized') { res.writeHead(204, cors); res.end(); return;
         } else if (request.method === 'tools/list') { response = { jsonrpc: '2.0', id: request.id, result: { tools } };
         } else if (request.method === 'resources/list') { response = { jsonrpc: '2.0', id: request.id, result: { resources: [] } };
@@ -606,46 +867,31 @@ const server = http.createServer(async (req, res) => {
         } else if (request.method === 'tools/call') {
           const { name, arguments: toolArgs } = request.params;
           const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
-          usageLog.push({ tool: name, tier: req._tier || 'paid', time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
+          usageLog.push({ tool: name, tier: req._tier || req._accessResult?.plan || 'paid', time: new Date().toISOString(), ip: ip.slice(0, 8) + '...' });
           if (usageLog.length > 1000) usageLog.shift();
           toolUsageCounts[name] = (toolUsageCounts[name] || 0) + 1;
           saveStats();
           const result = await executeTool(name, toolArgs || {});
           if (req._accessWarning) result._notice = req._accessWarning;
 
-          // Partial response for free tier
+          if (req._accessResult && req._accessResult.plan === 'metered' && req._accessResult.stripeCustomerId) {
+            reportMeteredUsage(req._accessResult.stripeCustomerId, 'vat_query').catch(() => {});
+          }
+
           if (req._tier === 'free' && !result.error) {
-            const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
             const used = freeTierUsage.get(getMonthKey(ip)) || 0;
             const remaining = FREE_TIER_LIMIT - used;
             const isWarning = used >= FREE_TIER_WARNING;
             const effectiveLimit = getEffectiveLimit(ip);
 
-            if (name === 'validate_vat' || name === 'validate_uk_vat') {
-              // Gate address on free tier — company name + valid status visible
-              const gated = ['registered_address', 'address', 'consultation_number'];
-              gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + effectiveLimit + ' calls remaining. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire. Includes full registered address and HMRC consultation number.';
-              result._gated_fields = gated;
-            }
-
-            if (name === 'analyse_vat_risk') {
-              // Gate full reasoning — verdict visible, details gated
-              const gated = ['fraud_signals', 'positive_indicators', 'recommended_action', 'summary'];
-              gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + effectiveLimit + ' calls remaining. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire. Includes full fraud signal breakdown, positive indicators, and recommended action.';
-              result._gated_fields = gated;
-            }
-
-            if (name === 'compare_invoice_details') {
-              // Gate detail fields — match_status visible, discrepancies gated
-              const gated = ['discrepancies', 'name_match', 'address_match', 'recommended_action', 'summary'];
+            if (name === 'validate_vat') {
+              const gated = ['fraud_signals', 'address'];
               gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + effectiveLimit + ' calls remaining. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire. Includes full discrepancy analysis and recommended action.';
+              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + effectiveLimit + ' calls remaining. Get 500 calls for $8 at ' + BUNDLE_500_URL + ' -- calls never expire. Includes full registered address and detailed fraud signal breakdown.';
               result._gated_fields = gated;
             }
 
-            if (isWarning) result._notice = 'Warning: only ' + remaining + ' free call' + (remaining === 1 ? '' : 's') + ' left this month. Get 500 calls for $8 at ' + PRO_UPGRADE_URL + ' -- calls never expire.';
+            if (isWarning) result._notice = 'Warning: only ' + remaining + ' free call' + (remaining === 1 ? '' : 's') + ' left this month. Get 500 calls for $8 at ' + BUNDLE_500_URL + ' -- calls never expire.';
           }
 
           response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };
@@ -657,7 +903,57 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
-  if (req.method === 'GET' && req.url === '/') { res.writeHead(200, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ name: 'vat-validator-mcp', version: VERSION, status: 'ok', tools: 6, free_tier: '20 calls/month, no API key required', description: 'VAT validation + AI fraud detection. EU VIES, UK HMRC, Australian ABN.', upgrade: PRO_UPGRADE_URL })); return; }
+  if (req.method === 'GET' && req.url === '/') { res.writeHead(200, { ...cors, 'Content-Type': 'application/json' }); res.end(JSON.stringify({ name: 'vat-validator-mcp', version: VERSION, status: 'ok', tools: 2, free_tier: '50 calls/month, no API key required', description: 'VAT validation + AI fraud detection. EU VIES, UK HMRC, Australian ABN.', subscribe_url: METERED_SUBSCRIBE_URL, bundle_500_url: BUNDLE_500_URL, bundle_2000_url: BUNDLE_2000_URL })); return; }
+
+  if (req.url === '/subscribe' && req.method === 'GET') {
+    try {
+      const session = await stripe.checkout.sessions.create({
+        mode: 'subscription',
+        line_items: [
+          { price: 'price_1TUkxWD6WvRe6sn3eFTaokqx' }
+        ],
+        success_url: 'https://vat-validator-mcp-production.up.railway.app/subscribed',
+        cancel_url: 'https://kordagencies.com/vat-validator.html',
+        metadata: { product_name: 'metered' }
+      });
+      res.writeHead(302, { Location: session.url });
+      res.end();
+    } catch(e) {
+      res.writeHead(500, { ...cors, 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Could not create checkout session', details: e.message }));
+    }
+    return;
+  }
+
+  if (req.url === '/subscribed' && req.method === 'GET') {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(`<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<title>Subscription confirmed</title>
+<style>
+body{background:#070910;color:#00E5C3;
+font-family:'DM Mono',monospace;padding:3rem;
+max-width:600px;margin:0 auto}
+h2{font-weight:400;margin-bottom:1rem}
+p{color:#8895AA;font-size:13px;line-height:1.6;
+margin-bottom:0.8rem}
+a{color:#00E5C3}
+</style>
+</head>
+<body>
+<h2>Subscription confirmed.</h2>
+<p>Your API key will arrive by email within 60 seconds.</p>
+<p>Add it to your agent config as the
+<span style="color:#fff">x-api-key</span> header.</p>
+<p>Full documentation at
+<a href="https://kordagencies.com">kordagencies.com</a></p>
+</body>
+</html>`);
+    return;
+  }
+
   res.writeHead(404, cors); res.end(JSON.stringify({ error: 'Not found' }));
 });
 
@@ -675,7 +971,7 @@ function setupStdio() {
       try { req = JSON.parse(line); } catch(e) { return; }
       let response;
       if (req.method === 'initialize') {
-        response = { jsonrpc: '2.0', id: req.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'Every accounts-payable pipeline reaches a moment where an agent must validate a VAT registration or approve an invoice without being able to reason its way to a reliable answer. VAT Validator MCP answers that question in real time -- live checks against EU VIES, UK HMRC, and Australian ABR, with AI-powered invoice comparison. An agent acting on stale VAT data has no defence against a tax authority. Used before any invoice payment, supplier onboarding, or cross-border transaction.' } } };
+        response = { jsonrpc: '2.0', id: req.id, result: { protocolVersion: '2024-11-05', capabilities: { tools: {}, resources: {}, prompts: {} }, serverInfo: { name: 'vat-validator-mcp', version: VERSION, description: 'VAT Validator MCP v2. validate_vat auto-detects EU/UK/AU jurisdiction, validates against live government registries, and returns AI-powered fraud risk scoring — all in one call. No chained inputs, no prior state required.' } } };
       } else if (req.method === 'notifications/initialized') {
         return;
       } else if (req.method === 'tools/list') {
@@ -702,12 +998,14 @@ function setupStdio() {
 
 setupStdio();
 
-server.listen(PORT, () => {
+server.listen(PORT, async () => {
   loadStats();
-  loadApiKeys();
+  await loadApiKeysFromRedis('vat');
   console.log('VAT Validator MCP v' + VERSION + ' running on port ' + PORT);
   console.log('Free tier: ' + FREE_TIER_LIMIT + ' calls/IP/month, no API key required');
   console.log('Resend: ' + (RESEND_API_KEY ? 'configured' : 'MISSING'));
   console.log('Anthropic: ' + (ANTHROPIC_API_KEY ? 'configured' : 'MISSING'));
   console.log('ABR GUID: ' + (process.env.ABR_GUID ? 'custom GUID set' : 'using fallback demo GUID — set ABR_GUID env var'));
+  console.log('Upstash Redis: ' + (UPSTASH_URL ? 'configured' : 'MISSING - set UPSTASH_REDIS_REST_URL'));
+  console.log('Stripe: ' + (process.env.STRIPE_SECRET_KEY ? 'configured' : 'MISSING - set STRIPE_SECRET_KEY'));
 });