vat-validator-mcp 2.0.1 → 2.0.3

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "vat-validator-mcp",
   "mcpName": "io.github.OjasKord/vat-validator-mcp",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "VAT number validator for AI agents. EU VIES, UK HMRC, AU ABR — auto-detects jurisdiction. Fraud risk scoring and invoice name cross-check in one call.",
   "main": "src/server.js",
   "scripts": {

package/privacy.html

@@ -0,0 +1,501 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Privacy Policy — Kord Agencies</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=DM+Mono:ital,wght@0,300;0,400;0,500;1,300;1,400&display=swap" rel="stylesheet">
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+    :root {
+      --bg:        #070910;
+      --bg-2:      #0C1018;
+      --bg-3:      #111722;
+      --teal:      #00E5C3;
+      --amber:     #F0A030;
+      --text:      #E2E8F2;
+      --text-2:    #8895AA;
+      --text-3:    #505A6A;
+      --border:    rgba(255,255,255,0.06);
+      --border-2:  rgba(255,255,255,0.12);
+      --teal-dim:  rgba(0,229,195,0.08);
+      --teal-border: rgba(0,229,195,0.25);
+    }
+
+    html { font-size: 14px; }
+
+    body {
+      background: var(--bg);
+      color: var(--text);
+      font-family: 'DM Mono', monospace;
+      line-height: 1.7;
+      min-height: 100vh;
+    }
+
+    /* ── Nav ── */
+    nav {
+      height: 44px;
+      border-bottom: 1px solid var(--border);
+      display: flex;
+      align-items: center;
+      padding: 0 1.5rem;
+      position: sticky;
+      top: 0;
+      background: var(--bg);
+      z-index: 10;
+    }
+    nav a {
+      color: var(--teal);
+      text-decoration: none;
+      font-size: 11px;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+    }
+    nav .sep {
+      color: var(--text-3);
+      margin: 0 0.6rem;
+      font-size: 11px;
+    }
+    nav .current {
+      color: var(--text-2);
+      font-size: 11px;
+      letter-spacing: 0.05em;
+    }
+
+    /* ── Layout ── */
+    .wrap {
+      max-width: 780px;
+      margin: 0 auto;
+      padding: 3rem 1.5rem 5rem;
+    }
+
+    /* ── Header ── */
+    .page-header {
+      border-bottom: 1px solid var(--border);
+      padding-bottom: 2rem;
+      margin-bottom: 2.5rem;
+    }
+    .label {
+      font-size: 10px;
+      letter-spacing: 0.15em;
+      text-transform: uppercase;
+      color: var(--teal);
+      margin-bottom: 0.75rem;
+    }
+    h1 {
+      font-size: 1.4rem;
+      font-weight: 400;
+      color: var(--text);
+      letter-spacing: -0.01em;
+      margin-bottom: 0.75rem;
+    }
+    .meta {
+      font-size: 11px;
+      color: var(--text-3);
+      letter-spacing: 0.05em;
+    }
+    .meta span { color: var(--text-2); }
+
+    /* ── Sections ── */
+    section {
+      margin-bottom: 2.5rem;
+      padding-bottom: 2.5rem;
+      border-bottom: 1px solid var(--border);
+    }
+    section:last-of-type {
+      border-bottom: none;
+    }
+    h2 {
+      font-size: 11px;
+      font-weight: 500;
+      letter-spacing: 0.12em;
+      text-transform: uppercase;
+      color: var(--teal);
+      margin-bottom: 1rem;
+    }
+    p {
+      font-size: 13px;
+      color: var(--text-2);
+      margin-bottom: 0.9rem;
+      line-height: 1.75;
+    }
+    p:last-child { margin-bottom: 0; }
+
+    /* ── Callout box ── */
+    .callout {
+      background: var(--teal-dim);
+      border: 1px solid var(--teal-border);
+      border-radius: 4px;
+      padding: 1rem 1.25rem;
+      margin: 1.25rem 0;
+      font-size: 12px;
+      color: var(--text);
+      line-height: 1.7;
+    }
+    .callout strong {
+      color: var(--teal);
+      font-weight: 500;
+    }
+
+    /* ── Data table ── */
+    .data-table {
+      width: 100%;
+      border-collapse: collapse;
+      font-size: 12px;
+      margin: 1rem 0;
+    }
+    .data-table th {
+      text-align: left;
+      font-size: 10px;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      color: var(--text-3);
+      padding: 0.5rem 0.75rem;
+      border-bottom: 1px solid var(--border-2);
+      font-weight: 400;
+    }
+    .data-table td {
+      padding: 0.65rem 0.75rem;
+      border-bottom: 1px solid var(--border);
+      color: var(--text-2);
+      vertical-align: top;
+    }
+    .data-table tr:last-child td { border-bottom: none; }
+    .data-table td:first-child { color: var(--text); }
+    .tag {
+      display: inline-block;
+      font-size: 9px;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      padding: 2px 6px;
+      border-radius: 3px;
+      font-weight: 500;
+    }
+    .tag-no  { background: rgba(248,113,113,0.1); color: #F87171; border: 1px solid rgba(248,113,113,0.2); }
+    .tag-yes { background: rgba(0,229,195,0.1);   color: var(--teal); border: 1px solid var(--teal-border); }
+    .tag-ltd { background: rgba(240,160,48,0.1);  color: var(--amber); border: 1px solid rgba(240,160,48,0.2); }
+
+    /* ── Inline list ── */
+    ul.plain {
+      list-style: none;
+      margin: 0.5rem 0 0.9rem;
+      padding: 0;
+    }
+    ul.plain li {
+      font-size: 13px;
+      color: var(--text-2);
+      padding: 0.3rem 0;
+      padding-left: 1rem;
+      position: relative;
+    }
+    ul.plain li::before {
+      content: '—';
+      position: absolute;
+      left: 0;
+      color: var(--text-3);
+    }
+
+    /* ── Contact block ── */
+    .contact-block {
+      background: var(--bg-2);
+      border: 1px solid var(--border-2);
+      border-radius: 4px;
+      padding: 1.25rem;
+      font-size: 12px;
+      color: var(--text-2);
+      line-height: 1.9;
+    }
+    .contact-block a {
+      color: var(--teal);
+      text-decoration: none;
+    }
+    .contact-block a:hover { text-decoration: underline; }
+    .contact-block .field {
+      display: flex;
+      gap: 1rem;
+    }
+    .contact-block .field-label {
+      color: var(--text-3);
+      font-size: 10px;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      min-width: 80px;
+      padding-top: 1px;
+    }
+
+    /* ── Footer ── */
+    footer {
+      border-top: 1px solid var(--border);
+      padding: 1.5rem;
+      text-align: center;
+      font-size: 11px;
+      color: var(--text-3);
+      letter-spacing: 0.05em;
+    }
+    footer a { color: var(--text-3); text-decoration: none; }
+    footer a:hover { color: var(--text-2); }
+  </style>
+</head>
+<body>
+
+  <nav>
+    <a href="https://kordagencies.com">kordagencies.com</a>
+    <span class="sep">/</span>
+    <span class="current">Privacy Policy</span>
+  </nav>
+
+  <div class="wrap">
+
+    <div class="page-header">
+      <div class="label">Legal</div>
+      <h1>Privacy Policy</h1>
+      <div class="meta">
+        Kord Agencies &nbsp;·&nbsp; <span>Last updated May 2026</span>
+      </div>
+    </div>
+
+    <!-- 1 -->
+    <section>
+      <h2>Who we are</h2>
+      <p>
+        This policy applies to VAT Validator MCP and all services operated by
+        <strong style="color:var(--text)">Kord Agencies</strong>, a company incorporated in Singapore.
+      </p>
+      <div class="contact-block">
+        <div class="field"><span class="field-label">Company</span> Kord Agencies, Singapore</div>
+        <div class="field"><span class="field-label">Contact</span> <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a></div>
+        <div class="field"><span class="field-label">Service</span> VAT Validator MCP — <a href="https://kordagencies.com">kordagencies.com</a></div>
+      </div>
+    </section>
+
+    <!-- 2 -->
+    <section>
+      <h2>What we collect</h2>
+
+      <div class="callout">
+        <strong>VAT numbers you submit are never logged or stored.</strong> Query content — the VAT numbers, company names, and invoice amounts passed to our tools — is transmitted to the relevant government API and immediately discarded. It does not touch our database.
+      </div>
+
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>Data</th>
+            <th>Why</th>
+            <th>Stored</th>
+          </tr>
+        </thead>
+        <tbody>
+          <tr>
+            <td>Email address</td>
+            <td>Paid subscribers only — to deliver your API key</td>
+            <td><span class="tag tag-yes">Yes</span></td>
+          </tr>
+          <tr>
+            <td>Payment information</td>
+            <td>Processed by Stripe — we never see raw card data</td>
+            <td><span class="tag tag-no">Stripe only</span></td>
+          </tr>
+          <tr>
+            <td>API key</td>
+            <td>Authentication and usage tracking for paid plans</td>
+            <td><span class="tag tag-yes">Yes</span></td>
+          </tr>
+          <tr>
+            <td>IP address</td>
+            <td>Free tier rate limiting (50 calls/month/IP). Stored as truncated hash, not full address.</td>
+            <td><span class="tag tag-ltd">Truncated</span></td>
+          </tr>
+          <tr>
+            <td>Tool name + timestamp</td>
+            <td>Aggregate usage statistics (e.g. "validate_vat called at 14:22"). No query content.</td>
+            <td><span class="tag tag-ltd">Aggregate</span></td>
+          </tr>
+          <tr>
+            <td>VAT numbers / query content</td>
+            <td>Not applicable — not collected</td>
+            <td><span class="tag tag-no">Never</span></td>
+          </tr>
+        </tbody>
+      </table>
+    </section>
+
+    <!-- 3 -->
+    <section>
+      <h2>Where data is stored</h2>
+      <p>
+        Subscriber API keys and rate-limiting counters are stored in
+        <strong style="color:var(--text)">Upstash Redis</strong> (hosted in the United States).
+        The application itself runs on <strong style="color:var(--text)">Railway</strong>
+        (hosted in the United States). Both providers maintain industry-standard
+        encryption at rest and in transit.
+      </p>
+      <p>
+        We do not operate our own database servers. No data is stored in Singapore.
+      </p>
+    </section>
+
+    <!-- 4 -->
+    <section>
+      <h2>Third-party services</h2>
+      <p>
+        When you call our tools, your VAT number is forwarded to the relevant official
+        government registry to perform the lookup. These are read-only API calls — no
+        personal data about you is sent to them.
+      </p>
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>Third party</th>
+            <th>Purpose</th>
+            <th>Data sent</th>
+          </tr>
+        </thead>
+        <tbody>
+          <tr>
+            <td>Stripe</td>
+            <td>Payment processing and subscription management</td>
+            <td>Name, email, card details (handled entirely by Stripe)</td>
+          </tr>
+          <tr>
+            <td>UK HMRC VAT API v2</td>
+            <td>UK VAT number validation</td>
+            <td>VAT number only</td>
+          </tr>
+          <tr>
+            <td>EU VIES (ec.europa.eu)</td>
+            <td>EU VAT number validation (all 27 member states)</td>
+            <td>VAT number only</td>
+          </tr>
+          <tr>
+            <td>Australian ABR (abr.business.gov.au)</td>
+            <td>Australian ABN validation</td>
+            <td>ABN only</td>
+          </tr>
+          <tr>
+            <td>Anthropic (Claude API)</td>
+            <td>AI-powered fraud risk analysis</td>
+            <td>Validation result metadata — no raw VAT numbers or personal data</td>
+          </tr>
+          <tr>
+            <td>Upstash Redis</td>
+            <td>API key storage and rate limiting</td>
+            <td>API keys and truncated IP counters</td>
+          </tr>
+          <tr>
+            <td>Railway</td>
+            <td>Application hosting</td>
+            <td>Application logs (no query content)</td>
+          </tr>
+        </tbody>
+      </table>
+    </section>
+
+    <!-- 5 -->
+    <section>
+      <h2>Legal basis and UK GDPR</h2>
+      <p>
+        Where we process personal data relating to individuals in the UK or EEA, we do so
+        under the following legal bases:
+      </p>
+      <ul class="plain">
+        <li><strong style="color:var(--text)">Contract performance</strong> — processing your email and API key to deliver the service you subscribed to.</li>
+        <li><strong style="color:var(--text)">Legitimate interests</strong> — rate limiting by truncated IP address to prevent abuse of the free tier.</li>
+        <li><strong style="color:var(--text)">Legal obligation</strong> — retaining transaction records as required for tax compliance.</li>
+      </ul>
+      <p>
+        We comply with the UK General Data Protection Regulation (UK GDPR) and the
+        Data Protection Act 2018. For EEA residents, we comply with EU GDPR (Regulation
+        2016/679). Transfers of personal data to the United States (Upstash, Railway,
+        Anthropic) are made under Standard Contractual Clauses or equivalent adequacy
+        mechanisms.
+      </p>
+    </section>
+
+    <!-- 6 -->
+    <section>
+      <h2>Data retention</h2>
+      <ul class="plain">
+        <li>API keys and associated email addresses are retained for the lifetime of the subscription plus 90 days, then deleted.</li>
+        <li>Truncated IP rate-limit counters reset automatically each calendar month.</li>
+        <li>Aggregate tool usage statistics (tool name + timestamp, no content) are retained for up to 12 months for service improvement.</li>
+        <li>Stripe retains payment records in accordance with their own privacy policy and applicable financial regulations.</li>
+      </ul>
+    </section>
+
+    <!-- 7 -->
+    <section>
+      <h2>Your rights</h2>
+      <p>
+        Under UK GDPR and EU GDPR, you have the right to access, rectify, or erase
+        personal data we hold about you. You also have the right to restrict or object
+        to processing, and to data portability where applicable.
+      </p>
+      <p>
+        To exercise any of these rights — including requesting deletion of your API key
+        and associated email — contact us at:
+      </p>
+      <div class="contact-block" style="margin-top:0.75rem">
+        <div class="field">
+          <span class="field-label">Email</span>
+          <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a>
+        </div>
+        <div class="field">
+          <span class="field-label">Response</span>
+          Within 30 days of receipt
+        </div>
+      </div>
+      <p style="margin-top:1rem">
+        If you are located in the UK, you have the right to lodge a complaint with the
+        Information Commissioner's Office (ICO) at
+        <a href="https://ico.org.uk" style="color:var(--teal)">ico.org.uk</a>.
+        If you are in the EEA, you may contact your local supervisory authority.
+      </p>
+    </section>
+
+    <!-- 8 -->
+    <section>
+      <h2>Cookies and tracking</h2>
+      <p>
+        The VAT Validator MCP API does not use cookies, browser tracking, analytics
+        scripts, or fingerprinting of any kind. This privacy policy page itself does not
+        set any cookies.
+      </p>
+    </section>
+
+    <!-- 9 -->
+    <section>
+      <h2>Changes to this policy</h2>
+      <p>
+        We may update this policy from time to time. The date at the top of this page
+        reflects when it was last revised. Material changes will be communicated to
+        active subscribers by email.
+      </p>
+    </section>
+
+    <!-- 10 -->
+    <section>
+      <h2>Contact</h2>
+      <div class="contact-block">
+        <div class="field"><span class="field-label">Company</span> Kord Agencies, Singapore</div>
+        <div class="field"><span class="field-label">Email</span> <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a></div>
+        <div class="field"><span class="field-label">Website</span> <a href="https://kordagencies.com">kordagencies.com</a></div>
+      </div>
+    </section>
+
+  </div><!-- /wrap -->
+
+  <footer>
+    <a href="https://kordagencies.com">kordagencies.com</a>
+    &nbsp;·&nbsp;
+    <a href="https://kordagencies.com/terms.html">Terms</a>
+    &nbsp;·&nbsp;
+    Privacy Policy
+    &nbsp;·&nbsp;
+    &copy; 2026 Kord Agencies
+  </footer>
+
+</body>
+</html>

package/server.json

@@ -3,7 +3,7 @@
   "name": "io.github.OjasKord/vat-validator-mcp",
   "title": "VAT Validator MCP",
   "description": "Validate EU, UK, AU VAT numbers for AI agents. EU ViDA e-invoicing compliance.",
-  "version": "1.4.13",
+  "version": "2.0.2",
   "websiteUrl": "https://kordagencies.com",
   "repository": {
     "url": "https://github.com/OjasKord/vat-validator-mcp",
@@ -13,7 +13,7 @@
     {
       "registryType": "npm",
       "identifier": "vat-validator-mcp",
-      "version": "1.4.13",
+      "version": "2.0.2",
       "transport": { "type": "stdio" },
       "environmentVariables": [
         { "name": "ANTHROPIC_API_KEY", "description": "Anthropic API key for AI-powered fraud risk analysis", "isRequired": true, "isSecret": true },

package/src/server.js

@@ -2,11 +2,22 @@ const http = require('http');
 const https = require('https');
 const crypto = require('crypto');
 const fs = require('fs');
+const path = require('path');
 const Stripe = require('stripe');
 const stripe = Stripe(process.env.STRIPE_SECRET_KEY);
 
 const PERSIST_FILE = '/tmp/vat_stats.json';
-const VERSION = '2.0.1';
+const VERSION = '2.0.3';
+
+// Persistent device ID for HMRC fraud prevention headers (BATCH_PROCESS_DIRECT)
+const DEVICE_ID_FILE = path.join(__dirname, '..', 'device-id.txt');
+let DEVICE_ID;
+try {
+  DEVICE_ID = fs.readFileSync(DEVICE_ID_FILE, 'utf8').trim();
+} catch(e) {
+  DEVICE_ID = crypto.randomUUID();
+  try { fs.writeFileSync(DEVICE_ID_FILE, DEVICE_ID); } catch(we) {}
+}
 const RESEND_API_KEY = process.env.RESEND_API_KEY || '';
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
 const PORT = process.env.PORT || 3000;
@@ -200,6 +211,31 @@ async function validateVIES(countryCode, vatNumber) {
   });
 }
 
+async function hmrcFetchWithRetry(url, options, maxRetries = 3) {
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    const response = await fetch(url, options);
+    if (response.status !== 429) return response;
+    if (attempt === maxRetries) return response;
+    await new Promise(resolve => setTimeout(resolve, attempt * 1000));
+  }
+}
+
+function getFraudPreventionHeaders() {
+  return {
+    'Gov-Client-Connection-Method': 'BATCH_PROCESS_DIRECT',
+    'Gov-Client-Device-ID': DEVICE_ID,
+    'Gov-Client-Local-IPs': '127.0.0.1',
+    'Gov-Client-Local-IPs-Timestamp': new Date().toISOString().replace(/(\.\d{3})\d*Z/, '$1Z'),
+    'Gov-Client-MAC-Addresses': 'not-applicable',
+    'Gov-Client-Timezone': 'UTC+00:00',
+    'Gov-Client-User-Agent': 'os-family=Linux&os-version=Server&device-manufacturer=Railway&device-model=Cloud',
+    'Gov-Client-User-IDs': 'os=railway-service',
+    'Gov-Vendor-License-IDs': 'vat-validator-mcp=not-applicable',
+    'Gov-Vendor-Product-Name': 'VAT%20Validator%20MCP',
+    'Gov-Vendor-Version': 'vat-validator-mcp=2.0.3'
+  };
+}
+
 // HMRC OAuth 2.0 token cache
 let hmrcToken = null;
 let hmrcTokenExpiry = 0;
@@ -218,32 +254,23 @@ async function getHMRCToken() {
 
   const body = `client_secret=${encodeURIComponent(clientSecret)}&client_id=${encodeURIComponent(clientId)}&grant_type=client_credentials&scope=read%3Avat`;
 
-  return new Promise((resolve) => {
-    const req = https.request({
-      hostname,
-      path: '/oauth/token',
+  try {
+    const response = await hmrcFetchWithRetry(`https://${hostname}/oauth/token`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(body) }
-    }, res => {
-      let d = ''; res.on('data', c => d += c);
-      res.on('end', () => {
-        try {
-          const json = JSON.parse(d);
-          if (json.access_token) {
-            hmrcToken = json.access_token;
-            hmrcTokenExpiry = now + (json.expires_in || 14400) * 1000;
-            resolve(hmrcToken);
-          } else {
-            resolve(null);
-          }
-        } catch(e) { resolve(null); }
-      });
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', ...getFraudPreventionHeaders() },
+      body,
+      signal: AbortSignal.timeout(8000)
     });
-    req.on('error', () => resolve(null));
-    req.setTimeout(8000, () => { req.destroy(); resolve(null); });
-    req.write(body);
-    req.end();
-  });
+    const json = await response.json();
+    if (json.access_token) {
+      hmrcToken = json.access_token;
+      hmrcTokenExpiry = now + (json.expires_in || 14400) * 1000;
+      return hmrcToken;
+    }
+    return null;
+  } catch(e) {
+    return null;
+  }
 }
 
 async function validateHMRC(vatNumber) {
@@ -254,23 +281,18 @@ async function validateHMRC(vatNumber) {
   const sandbox = process.env.HMRC_SANDBOX === 'true';
   const hostname = sandbox ? 'test-api.service.hmrc.gov.uk' : 'api.service.hmrc.gov.uk';
 
-  return new Promise((resolve) => {
-    const req = https.request({
-      hostname,
-      path: '/organisations/vat/check-vat-number/lookup/' + clean,
+  try {
+    const response = await hmrcFetchWithRetry(`https://${hostname}/organisations/vat/check-vat-number/lookup/${clean}`, {
       method: 'GET',
-      headers: { 'Accept': 'application/vnd.hmrc.2.0+json', 'Authorization': 'Bearer ' + token }
-    }, res => {
-      let d = ''; res.on('data', c => d += c);
-      res.on('end', () => {
-        try { resolve({ source: 'HMRC', status: res.statusCode, data: JSON.parse(d) }); }
-        catch(e) { resolve({ source: 'HMRC', error: 'Parse error' }); }
-      });
+      headers: { 'Accept': 'application/vnd.hmrc.2.0+json', 'Authorization': 'Bearer ' + token, ...getFraudPreventionHeaders() },
+      signal: AbortSignal.timeout(8000)
     });
-    req.on('error', e => resolve({ source: 'HMRC', error: e.message }));
-    req.setTimeout(8000, () => { req.destroy(); resolve({ source: 'HMRC', error: 'Timeout' }); });
-    req.end();
-  });
+    const data = await response.json();
+    return { source: 'HMRC', status: response.status, data };
+  } catch(e) {
+    if (e.name === 'TimeoutError' || e.name === 'AbortError') return { source: 'HMRC', error: 'Timeout' };
+    return { source: 'HMRC', error: e.message };
+  }
 }
 
 async function validateABN(abn) {