xbird-mcp 0.1.0

package/src/server/config/pricing.ts

@@ -0,0 +1,217 @@
+import type { Network } from "@x402/core/types";
+import { declareDiscoveryExtension } from "@x402/extensions/bazaar";
+
+const isMainnet = process.env.XBIRD_NETWORK === "mainnet";
+
+export const NETWORK: Network = isMainnet ? "eip155:8453" : "eip155:84532";
+
+export const FACILITATOR_URL = process.env.XBIRD_FACILITATOR_URL ??
+  (isMainnet
+    ? "https://api.cdp.coinbase.com/platform/v2/x402"
+    : "https://www.x402.org/facilitator");
+
+/** Prices in USD per request */
+export const PRICES = {
+  read: "$0.001",
+  search: "$0.005",
+  bulk: "$0.01",
+  write: "$0.01",
+  media: "$0.05",
+} as const;
+
+export type PriceTier = keyof typeof PRICES;
+
+/** Map route patterns to price tiers (x402 uses [param] not :param) */
+export const ROUTE_PRICES: Record<string, PriceTier> = {
+  // Read — $0.001
+  "GET /api/tweets/[id]": "read",
+  "GET /api/tweets/[id]/thread": "read",
+  "GET /api/tweets/[id]/replies": "read",
+  "GET /api/users/[handle]": "read",
+  "GET /api/users/[handle]/about": "read",
+  "GET /api/timeline/home": "read",
+  "GET /api/news": "read",
+  "GET /api/lists": "read",
+  "GET /api/lists/[id]/tweets": "read",
+
+  // Search — $0.005
+  "GET /api/search": "search",
+  "GET /api/mentions/[handle]": "search",
+
+  // Bulk — $0.01
+  "GET /api/users/[id]/tweets": "bulk",
+  "GET /api/users/[id]/followers": "bulk",
+  "GET /api/users/[id]/following": "bulk",
+  "GET /api/users/[id]/likes": "bulk",
+  "GET /api/bookmarks": "bulk",
+
+  // Accounts — registration management (cheap to encourage onboarding)
+  "POST /api/accounts": "read",
+  "GET /api/accounts": "read",
+  "DELETE /api/accounts": "read",
+
+  // Write — $0.01
+  "POST /api/tweets": "write",
+  "POST /api/tweets/[id]/reply": "write",
+  "POST /api/tweets/[id]/like": "write",
+  "DELETE /api/tweets/[id]/like": "write",
+  "POST /api/tweets/[id]/retweet": "write",
+  "DELETE /api/tweets/[id]/retweet": "write",
+  "POST /api/tweets/[id]/bookmark": "write",
+  "DELETE /api/tweets/[id]/bookmark": "write",
+  "POST /api/users/[handle]/follow": "write",
+  "DELETE /api/users/[handle]/follow": "write",
+
+  // Media — $0.05
+  "POST /api/media": "media",
+
+  // Authorize — payment-only endpoints for MCP local execution
+  "POST /api/authorize/read": "read",
+  "POST /api/authorize/search": "search",
+  "POST /api/authorize/bulk": "bulk",
+  "POST /api/authorize/write": "write",
+  "POST /api/authorize/media": "media",
+};
+
+/** Bazaar discovery extensions per route — describe inputs/outputs for AI agent discoverability */
+const DISCOVERY: Record<string, ReturnType<typeof declareDiscoveryExtension>> = {
+  "GET /api/tweets/[id]": declareDiscoveryExtension({
+    input: { id: "1234567890" },
+    inputSchema: { properties: { id: { type: "string", description: "Tweet ID" } }, required: ["id"] },
+    output: { example: { id: "1234567890", text: "Hello world", author: { handle: "user", name: "User" }, createdAt: "2024-01-01T00:00:00Z" } },
+  }),
+  "GET /api/tweets/[id]/thread": declareDiscoveryExtension({
+    input: { id: "1234567890" },
+    inputSchema: { properties: { id: { type: "string", description: "Tweet ID" } }, required: ["id"] },
+    output: { example: { tweets: [{ id: "1234567890", text: "Thread tweet", author: { handle: "user" } }] } },
+  }),
+  "GET /api/tweets/[id]/replies": declareDiscoveryExtension({
+    input: { id: "1234567890", count: 20 },
+    inputSchema: { properties: { id: { type: "string" }, count: { type: "number" } }, required: ["id"] },
+    output: { example: { replies: [{ id: "9876543210", text: "A reply", author: { handle: "replier" } }] } },
+  }),
+  "GET /api/users/[handle]": declareDiscoveryExtension({
+    input: { handle: "elonmusk" },
+    inputSchema: { properties: { handle: { type: "string", description: "Twitter handle (without @)" } }, required: ["handle"] },
+    output: { example: { id: "44196397", handle: "elonmusk", name: "Elon Musk", followers: 200000000, following: 800 } },
+  }),
+  "GET /api/users/[handle]/about": declareDiscoveryExtension({
+    input: { handle: "elonmusk" },
+    inputSchema: { properties: { handle: { type: "string" } }, required: ["handle"] },
+    output: { example: { handle: "elonmusk", bio: "Mars & Cars", location: "Austin, TX", joined: "2009-06-02" } },
+  }),
+  "GET /api/search": declareDiscoveryExtension({
+    input: { q: "bitcoin", count: 20 },
+    inputSchema: { properties: { q: { type: "string", description: "Search query" }, count: { type: "number" } }, required: ["q"] },
+    output: { example: { tweets: [{ id: "123", text: "Bitcoin hits new ATH", author: { handle: "crypto" } }] } },
+  }),
+  "GET /api/mentions/[handle]": declareDiscoveryExtension({
+    input: { handle: "user" },
+    inputSchema: { properties: { handle: { type: "string" } }, required: ["handle"] },
+    output: { example: { tweets: [{ id: "123", text: "@user great post!", author: { handle: "fan" } }] } },
+  }),
+  "GET /api/timeline/home": declareDiscoveryExtension({
+    input: { count: 20 },
+    inputSchema: { properties: { count: { type: "number" } } },
+    output: { example: { tweets: [{ id: "123", text: "Latest from timeline", author: { handle: "friend" } }] } },
+  }),
+  "GET /api/news": declareDiscoveryExtension({
+    output: { example: { topics: [{ name: "Trending", tweets: [{ id: "123", text: "Breaking news" }] }] } },
+  }),
+  "GET /api/lists": declareDiscoveryExtension({
+    output: { example: { lists: [{ id: "123", name: "Tech", memberCount: 50 }] } },
+  }),
+  "GET /api/lists/[id]/tweets": declareDiscoveryExtension({
+    input: { id: "123" },
+    inputSchema: { properties: { id: { type: "string", description: "List ID" } }, required: ["id"] },
+    output: { example: { tweets: [{ id: "456", text: "List tweet", author: { handle: "member" } }] } },
+  }),
+  "GET /api/users/[id]/tweets": declareDiscoveryExtension({
+    input: { id: "44196397", count: 20 },
+    inputSchema: { properties: { id: { type: "string", description: "User ID" }, count: { type: "number" } }, required: ["id"] },
+    output: { example: { tweets: [{ id: "123", text: "User's tweet" }] } },
+  }),
+  "GET /api/users/[id]/followers": declareDiscoveryExtension({
+    input: { id: "44196397", count: 20 },
+    inputSchema: { properties: { id: { type: "string" }, count: { type: "number" } }, required: ["id"] },
+    output: { example: { users: [{ id: "789", handle: "follower", name: "Follower" }] } },
+  }),
+  "GET /api/users/[id]/following": declareDiscoveryExtension({
+    input: { id: "44196397", count: 20 },
+    inputSchema: { properties: { id: { type: "string" }, count: { type: "number" } }, required: ["id"] },
+    output: { example: { users: [{ id: "789", handle: "following", name: "Following" }] } },
+  }),
+  "GET /api/users/[id]/likes": declareDiscoveryExtension({
+    input: { id: "44196397", count: 20 },
+    inputSchema: { properties: { id: { type: "string" }, count: { type: "number" } }, required: ["id"] },
+    output: { example: { tweets: [{ id: "123", text: "Liked tweet" }] } },
+  }),
+  "GET /api/bookmarks": declareDiscoveryExtension({
+    input: { count: 20 },
+    inputSchema: { properties: { count: { type: "number" } } },
+    output: { example: { tweets: [{ id: "123", text: "Bookmarked tweet" }] } },
+  }),
+  "POST /api/accounts": declareDiscoveryExtension({
+    bodyType: "json",
+    input: { authToken: "your_auth_token", ct0: "your_ct0_token" },
+    inputSchema: { properties: { authToken: { type: "string" }, ct0: { type: "string" } }, required: ["authToken", "ct0"] },
+    output: { example: { registered: true, username: "yourhandle" } },
+  }),
+  "POST /api/tweets": declareDiscoveryExtension({
+    bodyType: "json",
+    input: { text: "Hello from xbird!" },
+    inputSchema: { properties: { text: { type: "string" }, mediaIds: { type: "array", items: { type: "string" } } }, required: ["text"] },
+    output: { example: { id: "1234567890", text: "Hello from xbird!" } },
+  }),
+  "POST /api/tweets/[id]/reply": declareDiscoveryExtension({
+    bodyType: "json",
+    input: { text: "Great tweet!" },
+    inputSchema: { properties: { text: { type: "string" } }, required: ["text"] },
+    output: { example: { id: "9876543210", text: "Great tweet!" } },
+  }),
+  "POST /api/tweets/[id]/like": declareDiscoveryExtension({
+    bodyType: "json",
+    input: {},
+    output: { example: { success: true } },
+  }),
+  "POST /api/tweets/[id]/retweet": declareDiscoveryExtension({
+    bodyType: "json",
+    input: {},
+    output: { example: { success: true } },
+  }),
+  "POST /api/tweets/[id]/bookmark": declareDiscoveryExtension({
+    bodyType: "json",
+    input: {},
+    output: { example: { success: true } },
+  }),
+  "POST /api/users/[handle]/follow": declareDiscoveryExtension({
+    bodyType: "json",
+    input: {},
+    output: { example: { success: true } },
+  }),
+  "POST /api/media": declareDiscoveryExtension({
+    bodyType: "form-data",
+    input: { file: "(binary image/video data)" },
+    inputSchema: { properties: { file: { type: "string", format: "binary" } }, required: ["file"] },
+    output: { example: { mediaId: "1234567890" } },
+  }),
+};
+
+/** Build x402 RoutesConfig from our pricing map with Bazaar discovery extensions */
+export function buildRoutesConfig(payTo: string): Record<string, { accepts: { scheme: string; network: Network; payTo: string; price: string }; extensions?: Record<string, unknown> }> {
+  const routes: Record<string, { accepts: { scheme: string; network: Network; payTo: string; price: string }; extensions?: Record<string, unknown> }> = {};
+
+  for (const [route, tier] of Object.entries(ROUTE_PRICES)) {
+    routes[route] = {
+      accepts: {
+        scheme: "exact",
+        network: NETWORK,
+        payTo,
+        price: PRICES[tier],
+      },
+      ...(DISCOVERY[route] ? { extensions: DISCOVERY[route] } : {}),
+    };
+  }
+
+  return routes;
+}

package/src/server/erc8004/register.ts

@@ -0,0 +1,77 @@
+/**
+ * One-time script to register xbird as an ERC-8004 agent on-chain.
+ *
+ * Usage: PRIVATE_KEY=0x... XBIRD_BASE_URL=https://... bun run src/server/erc8004/register.ts
+ *
+ * This registers the agent's metadata URL in the Identity Registry,
+ * allowing other AI agents to discover xbird via the Reputation Registry.
+ */
+import { createWalletClient, createPublicClient, http, parseAbi } from "viem";
+import { base } from "viem/chains";
+import { privateKeyToAccount } from "viem/accounts";
+
+const PRIVATE_KEY = process.env.PRIVATE_KEY as `0x${string}`;
+const BASE_URL = process.env.XBIRD_BASE_URL;
+
+if (!PRIVATE_KEY || !BASE_URL) {
+  console.error("Required env vars: PRIVATE_KEY, XBIRD_BASE_URL");
+  process.exit(1);
+}
+
+// ERC-8004 Identity Registry (same address on Base mainnet and Ethereum)
+const IDENTITY_REGISTRY = "0x8004A169FB4a3325136EB29fA0ceB6D2e539a432" as const;
+
+const abi = parseAbi([
+  "function register(string calldata agentURI) external returns (uint256 agentId)",
+  "event AgentRegistered(uint256 indexed agentId, address indexed owner, string agentURI)",
+]);
+
+const account = privateKeyToAccount(PRIVATE_KEY);
+
+const walletClient = createWalletClient({
+  account,
+  chain: base,
+  transport: http(),
+});
+
+const publicClient = createPublicClient({
+  chain: base,
+  transport: http(),
+});
+
+const agentURI = `${BASE_URL}/.well-known/agent.json`;
+console.log(`Registering agent at: ${agentURI}`);
+console.log(`Registry: ${IDENTITY_REGISTRY}`);
+console.log(`Chain: Base mainnet (${base.id})`);
+console.log(`Account: ${account.address}`);
+
+try {
+  const hash = await walletClient.writeContract({
+    address: IDENTITY_REGISTRY,
+    abi,
+    functionName: "register",
+    args: [agentURI],
+  });
+
+  console.log(`Transaction submitted: ${hash}`);
+  console.log("Waiting for confirmation...");
+
+  const receipt = await publicClient.waitForTransactionReceipt({ hash });
+  console.log(`Confirmed in block ${receipt.blockNumber}`);
+
+  // Extract agentId from AgentRegistered event logs
+  const registeredLog = receipt.logs.find(
+    (log) => log.address.toLowerCase() === IDENTITY_REGISTRY.toLowerCase()
+  );
+
+  if (registeredLog && registeredLog.topics[1]) {
+    const agentId = BigInt(registeredLog.topics[1]);
+    console.log(`Agent ID: ${agentId}`);
+  }
+
+  console.log(`Transaction: https://basescan.org/tx/${hash}`);
+  console.log("Done! Your agent is now discoverable via ERC-8004.");
+} catch (err) {
+  console.error("Registration failed:", err);
+  process.exit(1);
+}

package/src/server/middleware/account-pool.ts

@@ -0,0 +1,101 @@
+import type { Context, Next } from "hono";
+import { XClient } from "../../lib/client-full.ts";
+import type { AccountsDB } from "../storage/accounts-db.ts";
+
+/** Hono env type with injected XClient */
+export interface XbirdEnv {
+  Variables: {
+    xClient: XClient;
+    accountName: string;
+    payerAddress: string;
+  };
+}
+
+/**
+ * BYOA-first middleware — resolves an XClient from user's own credentials:
+ * 1. Per-request headers (X-Twitter-Auth-Token + X-Twitter-CT0)
+ * 2. Registered account (wallet → credentials from DB)
+ *
+ * No server pool fallback — users must bring their own Twitter account.
+ */
+export function accountPoolMiddleware(accountsDb: AccountsDB) {
+  return async (c: Context<XbirdEnv>, next: Next): Promise<Response> => {
+    // Skip for routes that don't need Twitter credentials
+    const path = new URL(c.req.url).pathname;
+    if (
+      path === "/api/accounts" ||
+      path === "/api/accounts/" ||
+      path.startsWith("/api/authorize/")
+    ) {
+      await next();
+      return c.res;
+    }
+
+    // 1. Per-request credentials via headers
+    const headerAuth = c.req.header("X-Twitter-Auth-Token");
+    const headerCt0 = c.req.header("X-Twitter-CT0");
+
+    // Reject partial BYOA headers — user clearly intended BYOA but missing one
+    if ((headerAuth && !headerCt0) || (!headerAuth && headerCt0)) {
+      return c.json(
+        { error: "Both X-Twitter-Auth-Token and X-Twitter-CT0 headers are required" },
+        400,
+      );
+    }
+
+    if (headerAuth && headerCt0) {
+      // Validate header credential length (same limit as registration)
+      if (headerAuth.length > 256 || headerCt0.length > 256) {
+        return c.json({ error: "Credential headers exceed max length (256)" }, 400);
+      }
+      try {
+        const client = new XClient({ authToken: headerAuth, ct0: headerCt0, source: "env" });
+        c.set("xClient", client);
+        c.set("accountName", "byoa-header");
+        await next();
+        return c.res;
+      } catch {
+        return c.json({ error: "Invalid Twitter credentials in headers" }, 400);
+      }
+    }
+
+    // 2. Registered account lookup by payer wallet
+    const payerAddress = c.get("payerAddress");
+    if (payerAddress) {
+      const registered = accountsDb.lookup(payerAddress);
+      if (registered) {
+        try {
+          const client = new XClient({
+            authToken: registered.auth_token,
+            ct0: registered.ct0,
+            source: "env",
+          });
+          c.set("xClient", client);
+          c.set("accountName", "byoa-registered");
+          accountsDb.updateLastUsed(payerAddress);
+          await next();
+          return c.res;
+        } catch {
+          return c.json(
+            {
+              error: "Registered account credentials expired or invalid. Please re-register via POST /api/accounts.",
+            },
+            401,
+          );
+        }
+      }
+    }
+
+    // No account found — require BYOA
+    return c.json(
+      {
+        error: "No Twitter account linked to your wallet. Register your account first.",
+        help: {
+          register: "POST /api/accounts with { authToken, ct0 } to link your Twitter account",
+          adhoc: "Or pass X-Twitter-Auth-Token and X-Twitter-CT0 headers per-request",
+        },
+      },
+      403,
+    );
+  };
+}

package/src/server/middleware/error-handler.ts

@@ -0,0 +1,27 @@
+import type { Context, Next } from "hono";
+
+/** Map known XClient error patterns to HTTP status codes */
+export async function errorHandler(c: Context, next: Next): Promise<Response> {
+  try {
+    await next();
+    return c.res;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+
+    if (message.includes("Rate limit") || message.includes("429")) {
+      return c.json({ error: "Rate limited — try again later" }, 429);
+    }
+    if (message.includes("not found") || message.includes("404")) {
+      return c.json({ error: "Not found" }, 404);
+    }
+    if (message.includes("unauthorized") || message.includes("401") || message.includes("auth")) {
+      return c.json({ error: "Upstream auth error" }, 502);
+    }
+    if (message.includes("suspended") || message.includes("locked")) {
+      return c.json({ error: "Account suspended or locked" }, 503);
+    }
+
+    console.error("[xbird] Unhandled error:", message);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+}

package/src/server/middleware/payer-extract.ts

@@ -0,0 +1,43 @@
+import type { Context, Next } from "hono";
+import { decodePaymentSignatureHeader } from "@x402/core/http";
+import type { XbirdEnv } from "./account-pool.ts";
+
+const EVM_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
+const MAX_HEADER_LENGTH = 8192;
+
+/**
+ * Middleware that extracts the payer wallet address from the payment-signature
+ * header — the same header that x402 middleware cryptographically verifies.
+ *
+ * SECURITY: We read `payment-signature` (verified by x402), NOT `X-PAYMENT`
+ * (unverified, client-controlled). This prevents wallet impersonation.
+ */
+export function payerExtractMiddleware() {
+  return async (c: Context<XbirdEnv>, next: Next): Promise<void> => {
+    const header = c.req.header("payment-signature");
+
+    if (!header || header.length > MAX_HEADER_LENGTH) {
+      await next();
+      return;
+    }
+
+    try {
+      const decoded = decodePaymentSignatureHeader(header);
+      const payload = decoded?.payload as Record<string, unknown> | undefined;
+
+      // EIP-3009: payload.authorization.from
+      // Permit2: payload.permit2Authorization.from
+      const auth = payload?.authorization as Record<string, unknown> | undefined;
+      const permit2 = payload?.permit2Authorization as Record<string, unknown> | undefined;
+      const from = (auth?.from ?? permit2?.from) as string | undefined;
+
+      if (from && EVM_ADDRESS_RE.test(from)) {
+        c.set("payerAddress", from.toLowerCase());
+      }
+    } catch {
+      // Malformed header — skip extraction, don't block the request
+    }
+
+    await next();
+  };
+}

package/src/server/middleware/x402.ts

@@ -0,0 +1,61 @@
+import { paymentMiddlewareFromConfig } from "@x402/hono";
+import { HTTPFacilitatorClient } from "@x402/core/server";
+import { ExactEvmScheme } from "@x402/evm/exact/server";
+import { bazaarResourceServerExtension } from "@x402/extensions/bazaar";
+import type { MiddlewareHandler } from "hono";
+import { buildRoutesConfig, NETWORK, FACILITATOR_URL } from "../config/pricing.ts";
+
+function createFacilitatorClient(): HTTPFacilitatorClient {
+  const cdpKeyId = process.env.CDP_API_KEY_ID;
+  const cdpKeySecret = process.env.CDP_API_KEY_SECRET;
+
+  if (cdpKeyId && cdpKeySecret) {
+    return new HTTPFacilitatorClient({
+      url: FACILITATOR_URL,
+      createAuthHeaders: async () => {
+        const { generateJwt } = await import("@coinbase/cdp-sdk/auth");
+        const facilitatorHost = new URL(FACILITATOR_URL).host;
+
+        const mkJwt = (method: string, path: string) =>
+          generateJwt({
+            apiKeyId: cdpKeyId,
+            apiKeySecret: cdpKeySecret,
+            requestMethod: method,
+            requestHost: facilitatorHost,
+            requestPath: path,
+          });
+
+        const basePath = new URL(FACILITATOR_URL).pathname;
+        const [verifyToken, settleToken, supportedToken] = await Promise.all([
+          mkJwt("POST", `${basePath}/verify`),
+          mkJwt("POST", `${basePath}/settle`),
+          mkJwt("GET", `${basePath}/supported`),
+        ]);
+
+        return {
+          verify: { Authorization: `Bearer ${verifyToken}` },
+          settle: { Authorization: `Bearer ${settleToken}` },
+          supported: { Authorization: `Bearer ${supportedToken}` },
+        };
+      },
+    });
+  }
+
+  // Testnet facilitator — no auth needed
+  return new HTTPFacilitatorClient({ url: FACILITATOR_URL });
+}
+
+/** Create x402 payment middleware configured for our routes */
+export function createPaymentMiddleware(payTo: string): MiddlewareHandler {
+  const routes = buildRoutesConfig(payTo);
+  const facilitator = createFacilitatorClient();
+
+  return paymentMiddlewareFromConfig(
+    routes,
+    facilitator,
+    [{ network: NETWORK, server: new ExactEvmScheme() }],
+    { extensions: [bazaarResourceServerExtension] },
+  );
+}
+
+export { FACILITATOR_URL, NETWORK };

package/src/server/routes/accounts.ts

@@ -0,0 +1,93 @@
+import { Hono } from "hono";
+import type { XbirdEnv } from "../middleware/account-pool.ts";
+import { XClient } from "../../lib/client-full.ts";
+import type { AccountsDB } from "../storage/accounts-db.ts";
+
+/** Max length for auth token / ct0 values */
+const MAX_CREDENTIAL_LENGTH = 256;
+
+function isValidCredential(value: unknown): value is string {
+  return typeof value === "string" && value.length > 0 && value.length <= MAX_CREDENTIAL_LENGTH;
+}
+
+export function createAccountsRoutes(accountsDb: AccountsDB): Hono<XbirdEnv> {
+  const accounts = new Hono<XbirdEnv>();
+
+  /** POST /api/accounts — register Twitter credentials for the payer wallet */
+  accounts.post("/", async (c) => {
+    const payerAddress = c.get("payerAddress");
+    if (!payerAddress) {
+      return c.json({ error: "Could not determine payer wallet from payment" }, 400);
+    }
+
+    let body: Record<string, unknown>;
+    try {
+      body = await c.req.json();
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+
+    const { authToken, ct0 } = body;
+
+    if (!isValidCredential(authToken) || !isValidCredential(ct0)) {
+      return c.json(
+        { error: `authToken and ct0 are required (string, max ${MAX_CREDENTIAL_LENGTH} chars)` },
+        400,
+      );
+    }
+
+    // Try to validate credentials (may fail from datacenter IPs — not a blocker)
+    const testClient = new XClient({ authToken, ct0, source: "env" });
+    let username: string | undefined;
+    try {
+      const result = await testClient.getCurrentUser();
+      if (result.success) {
+        username = result.user?.screenName;
+      }
+    } catch {
+      // Validation failed (likely IP-blocked by Twitter) — store anyway
+    }
+
+    accountsDb.register(payerAddress, authToken, ct0, username);
+
+    return c.json({
+      registered: true,
+      username: username ?? null,
+    }, 201);
+  });
+
+  /** GET /api/accounts — check registration status for the payer wallet */
+  accounts.get("/", async (c) => {
+    const payerAddress = c.get("payerAddress");
+    if (!payerAddress) {
+      return c.json({ error: "Could not determine payer wallet from payment" }, 400);
+    }
+
+    const record = accountsDb.lookup(payerAddress);
+    if (!record) {
+      return c.json({ registered: false });
+    }
+
+    return c.json({
+      registered: true,
+      username: record.twitter_username,
+    });
+  });
+
+  /** DELETE /api/accounts — remove registration for the payer wallet */
+  accounts.delete("/", async (c) => {
+    const payerAddress = c.get("payerAddress");
+    if (!payerAddress) {
+      return c.json({ error: "Could not determine payer wallet from payment" }, 400);
+    }
+
+    const removed = accountsDb.remove(payerAddress);
+    if (!removed) {
+      return c.json({ error: "No registered account found" }, 404);
+    }
+
+    return c.json({ removed: true });
+  });
+
+  return accounts;
+}

package/src/server/routes/authorize.ts

@@ -0,0 +1,19 @@
+import { Hono } from "hono";
+import { PRICES, type PriceTier } from "../config/pricing.ts";
+
+type AuthorizeEnv = {};
+
+const authorize = new Hono<AuthorizeEnv>();
+
+/** POST /api/authorize/:tier — verify x402 payment, return authorization */
+for (const tier of Object.keys(PRICES) as PriceTier[]) {
+  authorize.post(`/${tier}`, (c) => {
+    return c.json({
+      authorized: true,
+      tier,
+      price: PRICES[tier],
+    });
+  });
+}
+
+export { authorize };

package/src/server/routes/bookmarks.ts

@@ -0,0 +1,21 @@
+import { Hono } from "hono";
+import type { XbirdEnv } from "../middleware/account-pool.ts";
+
+const bookmarks = new Hono<XbirdEnv>();
+
+/** GET /api/bookmarks?count=...&cursor=...&folderId=... */
+bookmarks.get("/", async (c) => {
+  const client = c.get("xClient");
+  const count = Number(c.req.query("count") ?? 20);
+  const cursor = c.req.query("cursor");
+  const folderId = c.req.query("folderId");
+
+  const result = await client.getBookmarks(count, cursor, folderId);
+  if (!result.success) {
+    return c.json({ error: result.error ?? "Failed to fetch bookmarks" }, 400);
+  }
+
+  return c.json({ data: result.tweets, cursor: result.cursor });
+});
+
+export { bookmarks };