z-zero-mcp-server 1.1.1 → 1.1.2

package/dist/index.js

@@ -270,7 +270,41 @@ server.tool("request_payment_token", "Request a temporary payment token for a sp
     };
 });
 // ============================================================
-// TOOL 4: Execute payment (The "Invisible Hand")
+// TOOL 4a: Get Merchant Hints (Agent Knowledge Base)
+// Agent MUST call this before execute_payment if unsure about a checkout page.
+// Returns domain-specific selectors and pre-steps from Z-ZERO cloud DB.
+// ============================================================
+server.tool("get_merchant_hints", "Fetch checkout hints for a specific domain from the Z-ZERO Knowledge Base. Call this BEFORE execute_payment when the checkout page is unusual, multi-step, or if a previous execute_payment attempt failed. Returns pre_steps (what to click first) and CSS selectors for card fields.", {
+    domain: zod_1.z
+        .string()
+        .describe("The main domain of the checkout page, e.g. 'amazon.com' or 'shopify.com'. Strip 'www.' prefix."),
+}, async ({ domain }) => {
+    const ZZERO_API = process.env.Z_ZERO_API_BASE || "https://www.clawcard.store";
+    const INTERNAL_SECRET = process.env.Z_ZERO_INTERNAL_SECRET || "";
+    try {
+        const resp = await fetch(`${ZZERO_API}/api/checkout-hints?domain=${encodeURIComponent(domain)}`, {
+            headers: {
+                "x-internal-secret": INTERNAL_SECRET,
+                "x-mcp-version": version_js_2.CURRENT_MCP_VERSION,
+            },
+        });
+        const data = await resp.json();
+        return {
+            content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+        };
+    }
+    catch (err) {
+        return {
+            content: [{ type: "text", text: JSON.stringify({
+                        found: false,
+                        hints: null,
+                        message: `Could not reach hints API: ${err?.message || "unknown error"}. Proceed with default Playwright selectors.`,
+                    }, null, 2) }],
+        };
+    }
+});
+// ============================================================
+// TOOL 4b: Execute payment (The "Invisible Hand")
 // ============================================================
 server.tool("execute_payment", "Execute a payment using a temporary token. This tool will securely fill the checkout form on the target website. You will NEVER see the real card number - it is handled securely in the background.", {
     token: zod_1.z
@@ -284,7 +318,20 @@ server.tool("execute_payment", "Execute a payment using a temporary token. This
         .number()
         .optional()
         .describe("The actual final amount on the checkout page. If different from token amount, system will auto-refund the difference."),
-}, async ({ token, checkout_url, actual_amount }) => {
+    hints: zod_1.z
+        .object({
+        pre_steps: zod_1.z.array(zod_1.z.string()).optional(),
+        card_selector: zod_1.z.string().optional(),
+        exp_selector: zod_1.z.string().optional(),
+        exp_month_selector: zod_1.z.string().optional(),
+        exp_year_selector: zod_1.z.string().optional(),
+        cvv_selector: zod_1.z.string().optional(),
+        name_selector: zod_1.z.string().optional(),
+        submit_selector: zod_1.z.string().optional(),
+    })
+        .optional()
+        .describe("Optional hints from get_merchant_hints — selectors and pre-steps to guide Playwright. Use when default selectors fail or for complex multi-step checkouts."),
+}, async ({ token, checkout_url, actual_amount, hints }) => {
     // Step 1: Resolve token → card data (RAM only)
     const cardData = await resolveTokenRemote(token);
     if (cardData?.error === "AUTH_REQUIRED") {
@@ -334,8 +381,8 @@ server.tool("execute_payment", "Execute a payment using a temporary token. This
             };
         }
     }
-    // Step 2: Use Playwright to inject card into checkout form
-    const result = await (0, playwright_bridge_js_1.fillCheckoutForm)(checkout_url, cardData);
+    // Step 2: Use Playwright to inject card into checkout form (with optional agent hints)
+    const result = await (0, playwright_bridge_js_1.fillCheckoutForm)(checkout_url, cardData, undefined, hints);
     // Step 3: Burn the token ONLY if payment succeeded
     // If merchant declines → keep token ACTIVE so webhook decline flow can refund correctly
     if (result.success) {
@@ -343,7 +390,7 @@ server.tool("execute_payment", "Execute a payment using a temporary token. This
     }
     else {
         // Payment failed — do NOT burn token
-        // Airwallex will fire a 'card.authorization.declined' webhook → refund handled there
+        // Partner card issuer will fire a 'card.authorization.declined' webhook → refund handled there
         return {
             content: [
                 {
@@ -519,7 +566,11 @@ server.tool("show_api_key_status", "Show whether a Passport Key is currently con
 server.tool("auto_pay_checkout", "[Phase 2] Autonomous Smart Routing checkout tool. Provide a checkout URL and this tool will:\n" +
     "1. Scan the page to detect if it supports Web3 (Crypto) payments via window.ethereum or EIP-681 links.\n" +
     "2. SCENARIO A (Web3): If detected, automatically send USDT on-chain via WDK (gas ~$0.001). No Visa card needed.\n" +
-    "3. SCENARIO B (Fiat): If no Web3 detected, scan DOM for total price, issue a JIT Visa card for exact amount, auto-fill form.", {
+    "3. SCENARIO B (Fiat): If no Web3 detected, scan DOM for total price, issue a JIT Visa card for exact amount, auto-fill form.\n" +
+    "WARNING: For PHYSICAL GOODS (Shopify, multi-step checkout), this tool may return PRICE_NOT_FOUND because the final price " +
+    "(including shipping) only appears after filling th shipping info. In that case, use browser tools to navigate manually, " +
+    "call get_merchant_hints to get platform-specific card selectors, fill shipping info first, then call " +
+    "request_payment_token + execute_payment once card fields are visible and the final total is confirmed.", {
     checkout_url: zod_1.z
         .string()
         .url()
@@ -715,6 +766,38 @@ It auto-detects Web3 checkout (pay on-chain with USDT) vs Fiat checkout (JIT Vis
 - Web3 route: sends USDT directly on-chain to merchant wallet
 - Fiat route: issues JIT card + fills checkout form automatically
 Call \`auto_pay_checkout\` with just \`checkout_url\` and \`card_alias\`. The tool handles the rest.
+
+## 🛒 Physical Goods / Multi-Step Checkout
+
+For physical goods (clothing, shoes, collectibles, etc.) the final price includes shipping
+and only appears AFTER filling the shipping form. \`auto_pay_checkout\` may return PRICE_NOT_FOUND.
+
+### ⛔ Card Issuance Gate — wait for BOTH conditions before calling request_payment_token:
+1. Shipping/personal info has been submitted successfully on this or a previous page
+2. Card input fields (or payment iframe) are visible on the current page
+
+If EITHER is false → DO NOT call \`request_payment_token\`. Keep navigating first.
+
+### Platform Detection Signals
+| Platform | Signals |
+|----------|---------|
+| Shopify | URL contains /checkouts/, "Powered by Shopify" in footer, cdn.shopify.com scripts |
+| Etsy | URL contains etsy.com/checkout |
+| WooCommerce | /checkout/ URL, woocommerce in body class |
+
+### Recommended Flow for Physical Goods:
+1. Navigate to product page using browser tools
+2. Select variant (color, size, etc.) → Add to cart → Proceed to checkout
+3. Fill shipping info (ask human via \`request_human_approval\` if not already known)
+4. Wait for payment/card fields section to appear
+5. Call \`get_merchant_hints\` with checkout domain (or \`_platform_shopify\` if Shopify detected)
+6. Read the FINAL total (after shipping + tax — hover over/scroll to order summary)
+7. Call \`request_payment_token\` with exact final amount
+8. Call \`execute_payment\` with token + checkout URL + hints
+
+### Known Limitations:
+- Some sites use Cloudflare bot detection (e.g. TeePublic) → \`execute_payment\` may be blocked → inform user
+- Card fields in iframes → \`execute_payment\` handles this automatically via \`iframe_selector\` in hints
 `;
     return {
         contents: [

package/dist/playwright_bridge.d.ts

@@ -1,7 +1,7 @@
-import type { CardData, PaymentResult } from "./types.js";
+import type { CardData, PaymentResult, CheckoutHints } from "./types.js";
 /**
  * Detects and fills credit card form fields on a checkout page.
  * Card data exists ONLY in RAM and is wiped after injection.
  * Hard timeout of 60s prevents merchant page from hanging indefinitely.
  */
-export declare function fillCheckoutForm(checkoutUrl: string, cardData: CardData, existingPage?: import("playwright").Page): Promise<PaymentResult>;
+export declare function fillCheckoutForm(checkoutUrl: string, cardData: CardData, existingPage?: import("playwright").Page, hints?: CheckoutHints): Promise<PaymentResult>;

package/dist/playwright_bridge.js

@@ -11,7 +11,7 @@ const CHECKOUT_HARD_TIMEOUT_MS = 60_000; // 60s absolute cap — prevents slow-l
  * Card data exists ONLY in RAM and is wiped after injection.
  * Hard timeout of 60s prevents merchant page from hanging indefinitely.
  */
-async function fillCheckoutForm(checkoutUrl, cardData, existingPage) {
+async function fillCheckoutForm(checkoutUrl, cardData, existingPage, hints) {
     let browser = null;
     let page;
     if (existingPage) {
@@ -23,7 +23,7 @@ async function fillCheckoutForm(checkoutUrl, cardData, existingPage) {
         page = await context.newPage();
     }
     try {
-        return await (0, with_timeout_js_1.withTimeout)(_fillCheckoutFormInner(page, checkoutUrl, cardData), CHECKOUT_HARD_TIMEOUT_MS, 'fillCheckoutForm', async () => {
+        return await (0, with_timeout_js_1.withTimeout)(_fillCheckoutFormInner(page, checkoutUrl, cardData, hints), CHECKOUT_HARD_TIMEOUT_MS, 'fillCheckoutForm', async () => {
             console.error('[PLAYWRIGHT] ⚠️ Hard timeout hit — force-closing browser');
             if (browser)
                 await browser.close().catch(() => { });
@@ -97,7 +97,7 @@ async function tryFillField(page, selectors, value) {
     return false;
 }
 /** Internal implementation — called by fillCheckoutForm inside a timeout wrapper */
-async function _fillCheckoutFormInner(page, checkoutUrl, cardData) {
+async function _fillCheckoutFormInner(page, checkoutUrl, cardData, hints) {
     try {
         // ✅ FIX: Skip navigation if page already loaded (Single Browser reuse from auto_pay_checkout)
         // Prevents double-navigate which would reload page and lose cart/session state.
@@ -107,6 +107,118 @@ async function _fillCheckoutFormInner(page, checkoutUrl, cardData) {
             await page.goto(checkoutUrl, { waitUntil: "domcontentloaded", timeout: 20_000 });
         }
         // ============================================================
+        // STRATEGY 0: Pre-steps — click to open/reveal the payment form
+        // Agent provides selectors to click BEFORE filling (e.g. accordion, tab, modal)
+        // ============================================================
+        if (hints?.pre_steps && hints.pre_steps.length > 0) {
+            for (const selector of hints.pre_steps) {
+                try {
+                    const el = await page.$(selector);
+                    if (el && await el.isVisible()) {
+                        await el.click();
+                        await page.waitForTimeout(500); // brief pause for animation
+                    }
+                }
+                catch { /* non-fatal — continue */ }
+            }
+        }
+        let filledFields = 0;
+        // ============================================================
+        // STRATEGY 0.5: Agent-provided selectors (from get_merchant_hints)
+        // Tried first — agent already read the DOM and knows exact locations.
+        // Supports iframe_selector: if provided, card fields are searched INSIDE
+        // matching iframes (e.g. Shopify "card-fields-iframe") rather than main page.
+        // Name on card is always searched on the main page (outside iframe).
+        // Falls through to Strategy 1 if nothing matched.
+        // ============================================================
+        if (hints && (hints.card_selector || hints.exp_selector || hints.cvv_selector)) {
+            const hintFillResults = [];
+            let cardContexts = [page];
+            if (hints.iframe_selector) {
+                const matchingFrames = page.frames().filter((f) => f.name().includes(hints.iframe_selector));
+                if (matchingFrames.length > 0)
+                    cardContexts = matchingFrames;
+            }
+            // Card number
+            if (hints.card_selector) {
+                for (const ctx of cardContexts) {
+                    const el = await ctx.$(hints.card_selector);
+                    if (el) {
+                        hintFillResults.push(await smartFill(el, cardData.number));
+                        break;
+                    }
+                }
+            }
+            // Expiry combined (with space-padded slash for Shopify: "MM / YY")
+            if (hints.exp_selector) {
+                const expiryVal = `${cardData.exp_month} / ${cardData.exp_year.slice(-2)}`;
+                for (const ctx of cardContexts) {
+                    const el = await ctx.$(hints.exp_selector);
+                    if (el) {
+                        hintFillResults.push(await smartFill(el, expiryVal));
+                        break;
+                    }
+                }
+            }
+            // Expiry split month/year
+            if (!hints.exp_selector && hints.exp_month_selector) {
+                for (const ctx of cardContexts) {
+                    const elM = await ctx.$(hints.exp_month_selector);
+                    if (elM) {
+                        hintFillResults.push(await smartFill(elM, cardData.exp_month));
+                        break;
+                    }
+                }
+                if (hints.exp_year_selector) {
+                    for (const ctx of cardContexts) {
+                        const elY = await ctx.$(hints.exp_year_selector);
+                        if (elY) {
+                            hintFillResults.push(await smartFill(elY, cardData.exp_year));
+                            break;
+                        }
+                    }
+                }
+            }
+            // CVV
+            if (hints.cvv_selector) {
+                for (const ctx of cardContexts) {
+                    const el = await ctx.$(hints.cvv_selector);
+                    if (el) {
+                        hintFillResults.push(await smartFill(el, cardData.cvv));
+                        break;
+                    }
+                }
+            }
+            // Name on card — ALWAYS on main page (outside iframe for Shopify/most platforms)
+            if (hints.name_selector) {
+                const el = await page.$(hints.name_selector);
+                if (el) {
+                    hintFillResults.push(await smartFill(el, cardData.name));
+                }
+            }
+            const hintSuccesses = hintFillResults.filter(Boolean).length;
+            if (hintSuccesses > 0) {
+                filledFields += hintSuccesses;
+                if (hints.submit_selector) {
+                    try {
+                        const btn = await page.$(hints.submit_selector);
+                        if (btn && await btn.isVisible()) {
+                            await btn.click();
+                            await page.waitForTimeout(3000);
+                        }
+                    }
+                    catch { /* non-fatal */ }
+                }
+                const receiptId = `rcpt_${Date.now().toString(36)}`;
+                return {
+                    success: true,
+                    message: `Payment form filled via agent hints${hints.iframe_selector ? ' (iframe mode)' : ''}. ${filledFields} fields injected.`,
+                    receipt_id: receiptId,
+                };
+            }
+            // hints provided but nothing matched → fall through to Strategy 1
+        }
+        // ============================================================
         // STRATEGY 1: Standard HTML form fields
         // Covers: plain forms, Shopify, WooCommerce, custom checkouts
         // Priority: autocomplete (W3C) → name → platform-specific → placeholder → aria-label
@@ -179,7 +291,6 @@ async function _fillCheckoutFormInner(page, checkoutUrl, cardData) {
                 'input[aria-label*="name on card" i]',
             ],
         };
-        let filledFields = 0;
         // Card Number
         if (await tryFillField(page, S.number, cardData.number))
             filledFields++;

package/dist/types.d.ts

@@ -37,3 +37,16 @@ export interface PaymentResult {
     receipt_id?: string;
     amount?: number;
 }
+export interface CheckoutHints {
+    pre_steps?: string[];
+    iframe_selector?: string;
+    card_selector?: string;
+    exp_selector?: string;
+    exp_month_selector?: string;
+    exp_year_selector?: string;
+    cvv_selector?: string;
+    name_selector?: string;
+    submit_selector?: string;
+    payment_type?: string;
+    notes?: string;
+}

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const CURRENT_MCP_VERSION = "1.1.1";
+export declare const CURRENT_MCP_VERSION = "1.1.2";

package/dist/version.js

@@ -3,4 +3,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.CURRENT_MCP_VERSION = void 0;
 // Single source of truth for MCP version
 // Imported by both index.ts and wdk_backend.ts to avoid circular dependency
-exports.CURRENT_MCP_VERSION = "1.1.1";
+exports.CURRENT_MCP_VERSION = "1.1.2";

package/dist/wdk_backend.js

@@ -145,7 +145,7 @@ async function getDepositAddressesRemote() {
 // ──────────────────────────────────────────────────────────────────────────────
 async function issueTokenRemote(cardAlias, amount, merchant) {
     // WDK Flow (reversed from custodial):
-    // 1. Create Airwallex card first (reservation)
+    // 1. Create Partner card first (reservation)
     // 2. Send USDT on-chain from WDK wallet → system wallet
     // 3. Dashboard verifies on-chain tx, activates token
     // This is safe: if on-chain tx fails, Dashboard auto-cancels the card reservation.

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "z-zero-mcp-server",
-    "version": "1.1.1",
+    "version": "1.1.2",
     "description": "Z-ZERO MCP Server — Secure JIT Virtual Card Payment tools for AI Agents (Claude, Cursor, AutoGPT) — Real Single-Use Visa Cards",
     "main": "dist/index.js",
     "bin": "dist/index.js",

package/dist/api_backend.d.ts

@@ -1,9 +0,0 @@
-import type { CardData } from "./types.js";
-export declare function listCardsRemote(): Promise<any>;
-export declare function getBalanceRemote(cardAlias: string): Promise<any>;
-export declare function getDepositAddressesRemote(): Promise<any>;
-export declare function issueTokenRemote(cardAlias: string, amount: number, merchant: string): Promise<any | null>;
-export declare function resolveTokenRemote(token: string): Promise<CardData | null>;
-export declare function burnTokenRemote(token: string, receipt_id?: string): Promise<boolean>;
-export declare function cancelTokenRemote(token: string): Promise<any>;
-export declare function refundUnderspendRemote(token: string, actualSpent: number): Promise<void>;

package/dist/api_backend.js

@@ -1,159 +0,0 @@
-"use strict";
-// Z-ZERO Unified API Backend
-// Connects to the Dashboard Next.js API for all card and token operations.
-// This preserves the "Issuer Abstraction Layer" - the bot never sees direct DB or Banking keys.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.listCardsRemote = listCardsRemote;
-exports.getBalanceRemote = getBalanceRemote;
-exports.getDepositAddressesRemote = getDepositAddressesRemote;
-exports.issueTokenRemote = issueTokenRemote;
-exports.resolveTokenRemote = resolveTokenRemote;
-exports.burnTokenRemote = burnTokenRemote;
-exports.cancelTokenRemote = cancelTokenRemote;
-exports.refundUnderspendRemote = refundUnderspendRemote;
-const key_store_js_1 = require("./lib/key-store.js");
-const API_BASE_URL = process.env.Z_ZERO_API_BASE_URL || "https://www.clawcard.store";
-const INTERNAL_SECRET = process.env.Z_ZERO_INTERNAL_SECRET || "";
-if (!(0, key_store_js_1.hasPassportKey)()) {
-    console.error("❌ ERROR: Z_ZERO_API_KEY (Passport Key) is missing!");
-    console.error("🔐 Get your key: https://www.clawcard.store/dashboard/agents");
-    console.error("🛠️  Or call the set_api_key MCP tool to set it without restarting.");
-}
-async function apiRequest(endpoint, method = 'GET', body = null) {
-    const PASSPORT_KEY = (0, key_store_js_1.getPassportKey)(); // ✅ Hot-swap: read key dynamically each request
-    if (!PASSPORT_KEY) {
-        return { error: "AUTH_REQUIRED", message: "Z_ZERO_API_KEY is missing. Call set_api_key tool or set it in MCP config and restart." };
-    }
-    const url = `${API_BASE_URL.replace(/\/$/, '')}${endpoint}`;
-    try {
-        const res = await fetch(url, {
-            method,
-            headers: {
-                "Authorization": `Bearer ${PASSPORT_KEY}`,
-                "Content-Type": "application/json",
-            },
-            body: body ? JSON.stringify(body) : null,
-        });
-        if (!res.ok) {
-            const err = await res.json().catch(() => ({ error: res.statusText }));
-            console.error(`[API ERROR] ${endpoint}:`, err.error);
-            return { error: "API_ERROR", message: err.error || res.statusText };
-        }
-        return await res.json();
-    }
-    catch (err) {
-        console.error(`[NETWORK ERROR] ${endpoint}:`, err.message);
-        return { error: "NETWORK_ERROR", message: err.message };
-    }
-}
-// Internal API calls that require INTERNAL_SECRET (resolve PAN, burn token)
-async function internalApiRequest(endpoint, method, body) {
-    if (!INTERNAL_SECRET) {
-        console.error("[MCP] Z_ZERO_INTERNAL_SECRET is missing — cannot call secure endpoints");
-        return { error: "CONFIG_ERROR", message: "INTERNAL_SECRET not configured" };
-    }
-    const url = `${API_BASE_URL.replace(/\/$/, '')}${endpoint}`;
-    try {
-        const res = await fetch(url, {
-            method,
-            headers: {
-                "x-internal-secret": INTERNAL_SECRET,
-                "Content-Type": "application/json",
-            },
-            body: body ? JSON.stringify(body) : null,
-        });
-        if (!res.ok) {
-            const err = await res.json().catch(() => ({ error: res.statusText }));
-            console.error(`[INTERNAL API ERROR] ${endpoint}:`, err.error);
-            return { error: "API_ERROR", message: err.error || res.statusText };
-        }
-        return await res.json();
-    }
-    catch (err) {
-        console.error(`[NETWORK ERROR] ${endpoint}:`, err.message);
-        return { error: "NETWORK_ERROR", message: err.message };
-    }
-}
-async function listCardsRemote() {
-    return await apiRequest('/api/tokens/cards', 'GET');
-}
-async function getBalanceRemote(cardAlias) {
-    const data = await listCardsRemote();
-    if (data?.error)
-        return data;
-    const cards = data?.cards || [];
-    const card = cards.find((c) => c.alias === cardAlias);
-    if (!card)
-        return null;
-    return {
-        wallet_balance: card.balance,
-        currency: card.currency,
-        note: "This is the total wallet balance (human-level). Cards have 'limits' set at creation, not 'balances'. Use list_cards to see active token limits."
-    };
-}
-async function getDepositAddressesRemote() {
-    return await apiRequest('/api/tokens/cards', 'GET');
-}
-async function issueTokenRemote(cardAlias, amount, merchant) {
-    const data = await apiRequest('/api/tokens/issue', 'POST', {
-        card_alias: cardAlias,
-        amount,
-        merchant,
-        device_fingerprint: `mcp-host-${process.platform}-${process.arch}`,
-        network_id: process.env.NETWORK_ID || "unknown-local-net",
-        session_id: `sid-${Math.random().toString(36).substring(7)}`
-    });
-    if (!data)
-        return null;
-    // Forward API errors (402 insufficient, 429 max cards, etc.)
-    if (data.error)
-        return data;
-    // Adapt Dashboard API response to MCP expected format
-    return {
-        token: data.token,
-        card_alias: cardAlias,
-        amount: amount,
-        merchant: merchant,
-        created_at: Date.now(),
-        ttl_seconds: 1800,
-        used: false
-    };
-}
-async function resolveTokenRemote(token) {
-    // Uses INTERNAL_SECRET — this endpoint returns real PAN/CVV
-    const data = await internalApiRequest('/api/tokens/resolve', 'POST', { token });
-    if (!data || data.error)
-        return data;
-    return {
-        number: data.number,
-        exp_month: data.exp?.split('/')[0] || "12",
-        exp_year: "20" + (data.exp?.split('/')[1] || "30"),
-        cvv: data.cvv || "123",
-        name: data.name || "Z-ZERO AI AGENT",
-        authorized_amount: data.authorized_amount ? Number(data.authorized_amount) : undefined,
-    };
-}
-async function burnTokenRemote(token, receipt_id) {
-    // Uses INTERNAL_SECRET — burn endpoint requires it
-    const data = await internalApiRequest('/api/tokens/burn', 'POST', {
-        token,
-        receipt_id,
-        success: true
-    });
-    return !!data && !data.error;
-}
-async function cancelTokenRemote(token) {
-    const data = await apiRequest('/api/tokens/cancel', 'POST', { token });
-    if (data?.error)
-        return data;
-    return {
-        success: !!data,
-        refunded_amount: data?.refunded_amount || 0
-    };
-}
-async function refundUnderspendRemote(token, actualSpent) {
-    // Underspend is a complex feature that usually happens at the bank level, 
-    // but for JIT tokens, the burn tool in the dashboard could handle this in the future.
-    // Currently we burn the full authorized amount.
-    console.log(`[MCP] Burned token ${token} after spending $${actualSpent}`);
-}