z-zero-mcp-server 1.0.0

package/README.md

@@ -0,0 +1,53 @@
+# Z-ZERO: AI Virtual Card MCP Server
+
+A Zero-Trust Payment Protocol built specifically for AI Agents utilizing the Model Context Protocol (MCP).
+
+## The Concept (Tokenized JIT Payments)
+This MCP server acts as an "Invisible Bridge" for your AI Agents. Instead of giving your LLM direct access to a 16-digit credit card number (which triggers safety filters and risks prompt injection theft), the AI only handles **temporary, single-use tokens**.
+
+The local MCP client resolves the token securely in RAM, injects the real card data directly into the payment form (via Playwright headless browser), and clicks "Pay". The virtual card and token are burned milliseconds later.
+
+## Features
+- **Zero PII (Blind Execution):** AI never sees card numbers.
+- **Exact-Match Funding:** Tokens are tied to virtual cards locked to the exact requested amount.
+- **Phantom Burn:** Single-use architecture. Cards self-destruct after checking out.
+- **Stripe/HTML Form Injection:** Automatically fills common checkout domains.
+
+## Documentation
+Check the `docs/` folder for complete system design and architecture:
+- [Product Plan & Core Concept](docs/ai_card_product_plan.md)
+- [MCP Implementation Plan](docs/implementation_plan.md)
+- [Mock Backend Architecture](docs/backend_architecture.md)
+- [Live Demo Walkthrough & Test Results](docs/walkthrough.md)
+
+## Getting Started
+
+### 1. Install Dependencies
+```bash
+npm install
+npx playwright install chromium
+```
+
+### 2. Build the Server
+```bash
+npm run build
+```
+
+### 3. Usage with Claude Desktop
+Add this to your `mcp_config.json`:
+```json
+{
+  "mcpServers": {
+    "ai-card-mcp": {
+      "command": "node",
+      "args": ["/absolute/path/to/ai-card-mcp/dist/index.js"]
+    }
+  }
+}
+```
+
+## Available MCP Tools
+- `list_cards`: View available virtual cards and balances.
+- `check_balance`: Query a specific card's real-time balance.
+- `request_payment_token`: Generate a JIT auth token locked to a specific amount.
+- `execute_payment`: Passes the token to the Playwright bridge to auto-fill the checkout URL and burn the token.

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+"use strict";
+// Z-ZERO MCP Server (z-zero-mcp-server)
+// Exposes secure JIT payment tools to AI Agents via Model Context Protocol
+// Connected to Z-ZERO Supabase backend via Z_ZERO_API_KEY
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const zod_1 = require("zod");
+const supabase_backend_js_1 = require("./supabase_backend.js");
+const playwright_bridge_js_1 = require("./playwright_bridge.js");
+// ============================================================
+// CREATE MCP SERVER
+// ============================================================
+const server = new mcp_js_1.McpServer({
+    name: "z-zero-mcp-server",
+    version: "1.0.0",
+});
+// ============================================================
+// TOOL 1: List available cards (safe - no sensitive data)
+// ============================================================
+server.tool("list_cards", "List all available virtual card aliases and their balances. No sensitive data is returned.", {}, async () => {
+    const cards = await (0, supabase_backend_js_1.listCardsRemote)();
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({
+                    cards,
+                    note: "Use card aliases to request payment tokens. Never ask for real card numbers.",
+                }, null, 2),
+            },
+        ],
+    };
+});
+// ============================================================
+// TOOL 2: Check card balance (safe)
+// ============================================================
+server.tool("check_balance", "Check the remaining balance of a virtual card by its alias.", {
+    card_alias: zod_1.z
+        .string()
+        .describe("The alias of the card to check, e.g. 'Card_01'"),
+}, async ({ card_alias }) => {
+    const balance = await (0, supabase_backend_js_1.getBalanceRemote)(card_alias);
+    if (!balance) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: `Card "${card_alias}" not found or API key is invalid. Use list_cards to see available cards.`,
+                },
+            ],
+            isError: true,
+        };
+    }
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({ card_alias, ...balance }, null, 2),
+            },
+        ],
+    };
+});
+// ============================================================
+// TOOL 3: Request a temporary payment token
+// ============================================================
+server.tool("request_payment_token", "Request a temporary payment token for a specific amount. The token is valid for 15 minutes and locked to the specified amount. Use this token with execute_payment to complete a purchase.", {
+    card_alias: zod_1.z
+        .string()
+        .describe("Which card to charge, e.g. 'Card_01'"),
+    amount: zod_1.z
+        .number()
+        .positive()
+        .describe("Amount in USD to authorize"),
+    merchant: zod_1.z
+        .string()
+        .describe("Name or URL of the merchant/service being purchased"),
+}, async ({ card_alias, amount, merchant }) => {
+    const token = await (0, supabase_backend_js_1.issueTokenRemote)(card_alias, amount, merchant);
+    if (!token) {
+        const balance = await (0, supabase_backend_js_1.getBalanceRemote)(card_alias);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: balance
+                        ? `Insufficient balance. Card "${card_alias}" has $${balance.balance} but you requested $${amount}.`
+                        : `Card "${card_alias}" not found or API key is invalid.`,
+                },
+            ],
+            isError: true,
+        };
+    }
+    const expiresAt = new Date(token.created_at + token.ttl_seconds * 1000).toISOString();
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({
+                    token: token.token,
+                    amount: token.amount,
+                    merchant: token.merchant,
+                    expires_at: expiresAt,
+                    instructions: "Use this token with execute_payment tool within 15 minutes.",
+                }, null, 2),
+            },
+        ],
+    };
+});
+// ============================================================
+// TOOL 4: Execute payment (The "Invisible Hand")
+// ============================================================
+server.tool("execute_payment", "Execute a payment using a temporary token. This tool will securely fill the checkout form on the target website. You will NEVER see the real card number - it is handled securely in the background.", {
+    token: zod_1.z
+        .string()
+        .describe("The temporary payment token from request_payment_token"),
+    checkout_url: zod_1.z
+        .string()
+        .url()
+        .describe("The full URL of the checkout/payment page"),
+}, async ({ token, checkout_url }) => {
+    // Step 1: Resolve token → card data (RAM only)
+    const cardData = (0, supabase_backend_js_1.resolveTokenRemote)(token);
+    if (!cardData) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: "Payment failed: Token is invalid, expired, or already used. Request a new token.",
+                },
+            ],
+            isError: true,
+        };
+    }
+    // Step 2: Use Playwright to inject card into checkout form
+    const result = await (0, playwright_bridge_js_1.fillCheckoutForm)(checkout_url, cardData);
+    // Step 3: Burn the token + deduct from Supabase wallet
+    await (0, supabase_backend_js_1.burnTokenRemote)(token);
+    // Step 4: Return result (NEVER includes card numbers)
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({
+                    success: result.success,
+                    message: result.message,
+                    receipt_id: result.receipt_id || null,
+                    token_status: "BURNED",
+                    note: "Token has been permanently invalidated after this transaction.",
+                }, null, 2),
+            },
+        ],
+    };
+});
+// ============================================================
+// START SERVER
+// ============================================================
+async function main() {
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    console.error("🔐 Z-ZERO MCP Server running...");
+    console.error("Connected to: Supabase backend");
+    console.error("Tools: list_cards, check_balance, request_payment_token, execute_payment");
+}
+main().catch(console.error);

package/dist/mock_backend.d.ts

@@ -0,0 +1,32 @@
+import type { PaymentToken, CardData } from "./types.js";
+/**
+ * Issue a temporary payment token for a specific card and amount.
+ * Token is valid for `ttlSeconds` (default: 900 = 15 minutes).
+ */
+export declare function issueToken(cardAlias: string, amount: number, merchant: string, ttlSeconds?: number): PaymentToken | null;
+/**
+ * Resolve a token to real card data.
+ * CRITICAL: The returned CardData object lives ONLY in RAM.
+ * It must NEVER be logged, serialized, or returned to the AI.
+ */
+export declare function resolveToken(tokenId: string): CardData | null;
+/**
+ * Burn a token after use - makes it permanently invalid.
+ * Also deducts the amount from the card balance.
+ */
+export declare function burnToken(tokenId: string): boolean;
+/**
+ * Check balance of a card (safe to expose to AI).
+ */
+export declare function getBalance(cardAlias: string): {
+    balance: number;
+    currency: string;
+} | null;
+/**
+ * List available card aliases (safe to expose to AI - no sensitive data).
+ */
+export declare function listCards(): Array<{
+    alias: string;
+    balance: number;
+    currency: string;
+}>;

package/dist/mock_backend.js

@@ -0,0 +1,150 @@
+"use strict";
+// Mock Neobank Backend - Simulates the card vault and token issuing system
+// In production, this would be replaced by your real Neobank API
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.issueToken = issueToken;
+exports.resolveToken = resolveToken;
+exports.burnToken = burnToken;
+exports.getBalance = getBalance;
+exports.listCards = listCards;
+const crypto_1 = __importDefault(require("crypto"));
+// ============================================================
+// CARD VAULT (In-memory store - simulates encrypted database)
+// ============================================================
+const cardVault = new Map([
+    [
+        "Card_01",
+        {
+            alias: "Card_01",
+            number: "4242424242424242", // Stripe test card
+            exp_month: "12",
+            exp_year: "2030",
+            cvv: "123",
+            name: "AI Agent Card 01",
+            balance: 50.0,
+            currency: "USD",
+        },
+    ],
+    [
+        "Card_02",
+        {
+            alias: "Card_02",
+            number: "5555555555554444", // Mastercard test
+            exp_month: "06",
+            exp_year: "2029",
+            cvv: "456",
+            name: "AI Agent Card 02",
+            balance: 100.0,
+            currency: "USD",
+        },
+    ],
+]);
+// ============================================================
+// TOKEN STORE (Active JIT tokens)
+// ============================================================
+const tokenStore = new Map();
+// ============================================================
+// PUBLIC API
+// ============================================================
+/**
+ * Issue a temporary payment token for a specific card and amount.
+ * Token is valid for `ttlSeconds` (default: 900 = 15 minutes).
+ */
+function issueToken(cardAlias, amount, merchant, ttlSeconds = 900) {
+    const card = cardVault.get(cardAlias);
+    if (!card) {
+        return null;
+    }
+    if (card.balance < amount) {
+        return null;
+    }
+    const token = {
+        token: `temp_auth_${crypto_1.default.randomBytes(4).toString("hex")}`,
+        card_alias: cardAlias,
+        amount,
+        merchant,
+        created_at: Date.now(),
+        ttl_seconds: ttlSeconds,
+        used: false,
+    };
+    tokenStore.set(token.token, token);
+    return token;
+}
+/**
+ * Resolve a token to real card data.
+ * CRITICAL: The returned CardData object lives ONLY in RAM.
+ * It must NEVER be logged, serialized, or returned to the AI.
+ */
+function resolveToken(tokenId) {
+    const token = tokenStore.get(tokenId);
+    if (!token) {
+        return null; // Token doesn't exist
+    }
+    if (token.used) {
+        return null; // Already burned
+    }
+    // Check TTL expiration
+    const age = (Date.now() - token.created_at) / 1000;
+    if (age > token.ttl_seconds) {
+        tokenStore.delete(tokenId); // Expired, clean up
+        return null;
+    }
+    const card = cardVault.get(token.card_alias);
+    if (!card) {
+        return null;
+    }
+    // Return card data (RAM only - never log this!)
+    return {
+        number: card.number,
+        exp_month: card.exp_month,
+        exp_year: card.exp_year,
+        cvv: card.cvv,
+        name: card.name,
+    };
+}
+/**
+ * Burn a token after use - makes it permanently invalid.
+ * Also deducts the amount from the card balance.
+ */
+function burnToken(tokenId) {
+    const token = tokenStore.get(tokenId);
+    if (!token)
+        return false;
+    token.used = true;
+    // Deduct balance
+    const card = cardVault.get(token.card_alias);
+    if (card) {
+        card.balance -= token.amount;
+    }
+    // Schedule complete removal from memory
+    setTimeout(() => {
+        tokenStore.delete(tokenId);
+    }, 5000);
+    return true;
+}
+/**
+ * Check balance of a card (safe to expose to AI).
+ */
+function getBalance(cardAlias) {
+    const card = cardVault.get(cardAlias);
+    if (!card)
+        return null;
+    return { balance: card.balance, currency: card.currency };
+}
+/**
+ * List available card aliases (safe to expose to AI - no sensitive data).
+ */
+function listCards() {
+    const result = [];
+    for (const card of cardVault.values()) {
+        result.push({
+            alias: card.alias,
+            balance: card.balance,
+            currency: card.currency,
+        });
+    }
+    return result;
+}

package/dist/playwright_bridge.d.ts

@@ -0,0 +1,6 @@
+import type { CardData, PaymentResult } from "./types.js";
+/**
+ * Detects and fills credit card form fields on a checkout page.
+ * Card data exists ONLY in RAM and is wiped after injection.
+ */
+export declare function fillCheckoutForm(checkoutUrl: string, cardData: CardData): Promise<PaymentResult>;

package/dist/playwright_bridge.js

@@ -0,0 +1,204 @@
+"use strict";
+// Playwright Bridge - The "Invisible Hand"
+// Securely injects card data into checkout forms without exposing it to AI
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fillCheckoutForm = fillCheckoutForm;
+const playwright_1 = require("playwright");
+/**
+ * Detects and fills credit card form fields on a checkout page.
+ * Card data exists ONLY in RAM and is wiped after injection.
+ */
+async function fillCheckoutForm(checkoutUrl, cardData) {
+    const browser = await playwright_1.chromium.launch({ headless: true });
+    const context = await browser.newContext();
+    const page = await context.newPage();
+    try {
+        await page.goto(checkoutUrl, { waitUntil: "networkidle", timeout: 30000 });
+        // ============================================================
+        // STRATEGY 1: Standard HTML form fields
+        // ============================================================
+        const standardSelectors = {
+            number: [
+                'input[name="cardnumber"]',
+                'input[name="card-number"]',
+                'input[name="cc-number"]',
+                'input[autocomplete="cc-number"]',
+                'input[data-elements-stable-field-name="cardNumber"]',
+                'input[placeholder*="card number" i]',
+                'input[placeholder*="Card number" i]',
+                'input[aria-label*="card number" i]',
+            ],
+            expiry: [
+                'input[name="exp-date"]',
+                'input[name="cc-exp"]',
+                'input[autocomplete="cc-exp"]',
+                'input[placeholder*="MM / YY" i]',
+                'input[placeholder*="MM/YY" i]',
+                'input[aria-label*="expir" i]',
+            ],
+            exp_month: [
+                'input[name="exp-month"]',
+                'select[name="exp-month"]',
+                'input[autocomplete="cc-exp-month"]',
+            ],
+            exp_year: [
+                'input[name="exp-year"]',
+                'select[name="exp-year"]',
+                'input[autocomplete="cc-exp-year"]',
+            ],
+            cvv: [
+                'input[name="cvc"]',
+                'input[name="cvv"]',
+                'input[name="cc-csc"]',
+                'input[autocomplete="cc-csc"]',
+                'input[placeholder*="CVC" i]',
+                'input[placeholder*="CVV" i]',
+                'input[aria-label*="security code" i]',
+            ],
+            name: [
+                'input[name="ccname"]',
+                'input[name="cc-name"]',
+                'input[autocomplete="cc-name"]',
+                'input[placeholder*="name on card" i]',
+                'input[aria-label*="name on card" i]',
+            ],
+        };
+        // Try to fill each field
+        let filledFields = 0;
+        // Card Number
+        for (const selector of standardSelectors.number) {
+            const el = await page.$(selector);
+            if (el) {
+                await el.fill(cardData.number);
+                filledFields++;
+                break;
+            }
+        }
+        // Expiry (combined MM/YY format)
+        let expiryFilled = false;
+        for (const selector of standardSelectors.expiry) {
+            const el = await page.$(selector);
+            if (el) {
+                await el.fill(`${cardData.exp_month}/${cardData.exp_year.slice(-2)}`);
+                filledFields++;
+                expiryFilled = true;
+                break;
+            }
+        }
+        // Expiry (separate month/year fields)
+        if (!expiryFilled) {
+            for (const selector of standardSelectors.exp_month) {
+                const el = await page.$(selector);
+                if (el) {
+                    await el.fill(cardData.exp_month);
+                    filledFields++;
+                    break;
+                }
+            }
+            for (const selector of standardSelectors.exp_year) {
+                const el = await page.$(selector);
+                if (el) {
+                    await el.fill(cardData.exp_year);
+                    filledFields++;
+                    break;
+                }
+            }
+        }
+        // CVV
+        for (const selector of standardSelectors.cvv) {
+            const el = await page.$(selector);
+            if (el) {
+                await el.fill(cardData.cvv);
+                filledFields++;
+                break;
+            }
+        }
+        // Name on Card
+        for (const selector of standardSelectors.name) {
+            const el = await page.$(selector);
+            if (el) {
+                await el.fill(cardData.name);
+                filledFields++;
+                break;
+            }
+        }
+        // ============================================================
+        // STRATEGY 2: Stripe Elements (iframe-based)
+        // ============================================================
+        if (filledFields === 0) {
+            const stripeFrames = page.frames().filter((f) => f.url().includes("js.stripe.com"));
+            for (const frame of stripeFrames) {
+                const cardInput = await frame.$('input[name="cardnumber"]');
+                if (cardInput) {
+                    await cardInput.fill(cardData.number);
+                    filledFields++;
+                }
+                const expInput = await frame.$('input[name="exp-date"]');
+                if (expInput) {
+                    await expInput.fill(`${cardData.exp_month}${cardData.exp_year.slice(-2)}`);
+                    filledFields++;
+                }
+                const cvcInput = await frame.$('input[name="cvc"]');
+                if (cvcInput) {
+                    await cvcInput.fill(cardData.cvv);
+                    filledFields++;
+                }
+            }
+        }
+        if (filledFields === 0) {
+            return {
+                success: false,
+                message: "Could not detect any credit card fields on this page. The checkout form may use an unsupported format.",
+            };
+        }
+        // ============================================================
+        // LOOK FOR "PAY" / "SUBMIT" BUTTON
+        // ============================================================
+        const payButtonSelectors = [
+            'button[type="submit"]',
+            'button:has-text("Pay")',
+            'button:has-text("Submit")',
+            'button:has-text("Place order")',
+            'button:has-text("Complete")',
+            'input[type="submit"]',
+        ];
+        let clicked = false;
+        for (const selector of payButtonSelectors) {
+            const btn = await page.$(selector);
+            if (btn && (await btn.isVisible())) {
+                await btn.click();
+                clicked = true;
+                break;
+            }
+        }
+        // Wait for navigation or response
+        if (clicked) {
+            await page.waitForTimeout(3000);
+        }
+        const receiptId = `rcpt_${Date.now().toString(36)}`;
+        return {
+            success: true,
+            message: `Payment form filled and submitted successfully. ${filledFields} fields injected.`,
+            receipt_id: receiptId,
+        };
+    }
+    catch (error) {
+        const errMsg = error instanceof Error ? error.message : String(error);
+        return {
+            success: false,
+            message: `Payment failed: ${errMsg}`,
+        };
+    }
+    finally {
+        // ============================================================
+        // RAM WIPE - Critical security step
+        // ============================================================
+        // Overwrite card data with zeros before dereferencing
+        cardData.number = "0000000000000000";
+        cardData.cvv = "000";
+        cardData.exp_month = "00";
+        cardData.exp_year = "0000";
+        cardData.name = "";
+        await browser.close();
+    }
+}

package/dist/supabase_backend.d.ts

@@ -0,0 +1,13 @@
+import type { CardData, PaymentToken } from "./types.js";
+export declare function listCardsRemote(): Promise<Array<{
+    alias: string;
+    balance: number;
+    currency: string;
+}>>;
+export declare function getBalanceRemote(cardAlias: string): Promise<{
+    balance: number;
+    currency: string;
+} | null>;
+export declare function issueTokenRemote(cardAlias: string, amount: number, merchant: string, ttlSeconds?: number): Promise<PaymentToken | null>;
+export declare function resolveTokenRemote(tokenId: string): CardData | null;
+export declare function burnTokenRemote(tokenId: string): Promise<boolean>;

package/dist/supabase_backend.js

@@ -0,0 +1,144 @@
+"use strict";
+// Z-ZERO Supabase Backend
+// Replaces mock_backend.ts - connects to real Supabase database
+// Card data is looked up from the 'cards' table via Z_ZERO_API_KEY
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listCardsRemote = listCardsRemote;
+exports.getBalanceRemote = getBalanceRemote;
+exports.issueTokenRemote = issueTokenRemote;
+exports.resolveTokenRemote = resolveTokenRemote;
+exports.burnTokenRemote = burnTokenRemote;
+const supabase_js_1 = require("@supabase/supabase-js");
+const crypto_1 = __importDefault(require("crypto"));
+// ============================================================
+// SUPABASE CLIENT (reads env vars at runtime)
+// ============================================================
+const SUPABASE_URL = process.env.Z_ZERO_SUPABASE_URL || process.env.NEXT_PUBLIC_SUPABASE_URL || "";
+const SUPABASE_ANON_KEY = process.env.Z_ZERO_SUPABASE_ANON_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || "";
+const API_KEY = process.env.Z_ZERO_API_KEY || "";
+if (!SUPABASE_URL || !SUPABASE_ANON_KEY) {
+    console.error("❌ Missing Z_ZERO_SUPABASE_URL or Z_ZERO_SUPABASE_ANON_KEY env vars");
+}
+if (!API_KEY) {
+    console.error("⚠️  Missing Z_ZERO_API_KEY — some tools will be limited");
+}
+const supabase = (0, supabase_js_1.createClient)(SUPABASE_URL, SUPABASE_ANON_KEY);
+// ============================================================
+// IN-MEMORY TOKEN STORE (tokens never hit the database)
+// ============================================================
+const tokenStore = new Map();
+// ============================================================
+// RESOLVE API KEY → USER + WALLET INFO
+// ============================================================
+async function resolveApiKey() {
+    if (!API_KEY)
+        return null;
+    // Lookup card by its stored key (card_number_encrypted stores the api key for now)
+    const { data: card, error } = await supabase
+        .from("cards")
+        .select("id, alias, user_id, allocated_limit_usd, is_active")
+        .eq("card_number_encrypted", API_KEY)
+        .eq("is_active", true)
+        .single();
+    if (error || !card) {
+        console.error("API Key not found or card is inactive:", error?.message);
+        return null;
+    }
+    // Get wallet balance for this user
+    const { data: wallet } = await supabase
+        .from("wallets")
+        .select("balance")
+        .eq("user_id", card.user_id)
+        .single();
+    return {
+        userId: card.user_id,
+        walletBalance: Number(wallet?.balance || 0),
+        cardId: card.id,
+        cardAlias: card.alias,
+    };
+}
+// ============================================================
+// PUBLIC API (mirrors mock_backend.ts interface)
+// ============================================================
+async function listCardsRemote() {
+    const info = await resolveApiKey();
+    if (!info)
+        return [];
+    return [{
+            alias: info.cardAlias,
+            balance: info.walletBalance,
+            currency: "USD",
+        }];
+}
+async function getBalanceRemote(cardAlias) {
+    const info = await resolveApiKey();
+    if (!info || info.cardAlias !== cardAlias)
+        return null;
+    return { balance: info.walletBalance, currency: "USD" };
+}
+async function issueTokenRemote(cardAlias, amount, merchant, ttlSeconds = 900) {
+    const info = await resolveApiKey();
+    if (!info)
+        return null;
+    if (info.cardAlias !== cardAlias)
+        return null;
+    if (info.walletBalance < amount)
+        return null;
+    const token = {
+        token: `temp_auth_${crypto_1.default.randomBytes(6).toString("hex")}`,
+        card_alias: cardAlias,
+        amount,
+        merchant,
+        created_at: Date.now(),
+        ttl_seconds: ttlSeconds,
+        used: false,
+    };
+    tokenStore.set(token.token, token);
+    return token;
+}
+function resolveTokenRemote(tokenId) {
+    const token = tokenStore.get(tokenId);
+    if (!token || token.used)
+        return null;
+    const age = (Date.now() - token.created_at) / 1000;
+    if (age > token.ttl_seconds) {
+        tokenStore.delete(tokenId);
+        return null;
+    }
+    // In Phase 2 this will return a real Airwallex JIT card
+    // For now, returns a Stripe test card for sandbox testing
+    return {
+        number: "4242424242424242",
+        exp_month: "12",
+        exp_year: "2030",
+        cvv: "123",
+        name: "Z-ZERO Agent",
+    };
+}
+async function burnTokenRemote(tokenId) {
+    const token = tokenStore.get(tokenId);
+    if (!token)
+        return false;
+    token.used = true;
+    // Deduct from Supabase wallet balance
+    const info = await resolveApiKey();
+    if (info) {
+        const newBalance = info.walletBalance - token.amount;
+        await supabase
+            .from("wallets")
+            .update({ balance: newBalance })
+            .eq("user_id", info.userId);
+        // Log the transaction
+        await supabase.from("transactions").insert({
+            card_id: info.cardId,
+            amount: token.amount,
+            merchant: token.merchant,
+            status: "SUCCESS",
+        });
+    }
+    setTimeout(() => tokenStore.delete(tokenId), 5000);
+    return true;
+}

package/dist/types.d.ts

@@ -0,0 +1,32 @@
+export interface VirtualCard {
+    alias: string;
+    number: string;
+    exp_month: string;
+    exp_year: string;
+    cvv: string;
+    name: string;
+    balance: number;
+    currency: string;
+}
+export interface PaymentToken {
+    token: string;
+    card_alias: string;
+    amount: number;
+    merchant: string;
+    created_at: number;
+    ttl_seconds: number;
+    used: boolean;
+}
+export interface CardData {
+    number: string;
+    exp_month: string;
+    exp_year: string;
+    cvv: string;
+    name: string;
+}
+export interface PaymentResult {
+    success: boolean;
+    message: string;
+    receipt_id?: string;
+    amount?: number;
+}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+// Shared TypeScript types for AI Virtual Card MCP Server
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,44 @@
+{
+    "name": "z-zero-mcp-server",
+    "version": "1.0.0",
+    "description": "Z-ZERO MCP Server — Secure JIT Virtual Card Payment tools for AI Agents (Claude, AutoGPT, CrewAI)",
+    "main": "dist/index.js",
+    "bin": {
+        "z-zero-mcp-server": "./dist/index.js"
+    },
+    "scripts": {
+        "build": "tsc",
+        "start": "node dist/index.js",
+        "dev": "npx tsx src/index.ts",
+        "prepublishOnly": "npm run build"
+    },
+    "keywords": [
+        "mcp",
+        "model-context-protocol",
+        "ai-agent",
+        "virtual-card",
+        "payment",
+        "z-zero",
+        "clawcard",
+        "jit",
+        "fintech"
+    ],
+    "author": "Z-ZERO",
+    "license": "MIT",
+    "files": [
+        "dist/",
+        "README.md"
+    ],
+    "dependencies": {
+        "@modelcontextprotocol/sdk": "^1.12.1",
+        "@supabase/supabase-js": "^2.49.4",
+        "dotenv": "^16.5.0",
+        "playwright": "^1.52.0",
+        "zod": "^3.25.11"
+    },
+    "devDependencies": {
+        "typescript": "^5.8.3",
+        "tsx": "^4.19.4",
+        "@types/node": "^22.15.21"
+    }
+}