stackapps-suite-mcp 0.1.5__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,4 @@
1
+ dist/
2
+ __pycache__/
3
+ *.pyc
4
+ .venv/
@@ -0,0 +1,24 @@
1
+ node_modules
2
+ dist
3
+ functions/lib
4
+ .DS_Store
5
+ server/public
6
+ vite.config.ts.*
7
+ *.tar.gz
8
+ .env
9
+ .env.local
10
+ *.key
11
+ *.pem
12
+ client/.env
13
+ client/.env.local
14
+ __pycache__
15
+ *.pyc
16
+ .venv
17
+ .firebase
18
+ **/node_modules/**
19
+ **/dist/**
20
+ **/__pycache__/**
21
+ **/*.firebase.json
22
+ **/*firebase-adminsdk*.json
23
+ **/*service-account*.json
24
+ **/*serviceAccount*.jsonfirebase-debug.log
@@ -0,0 +1,14 @@
1
+ FROM python:3.11-slim
2
+
3
+ WORKDIR /app
4
+
5
+ COPY pyproject.toml uv.lock ./
6
+ COPY stackapps_mcp ./stackapps_mcp
7
+
8
+ RUN pip install --no-cache-dir uv \
9
+ && uv sync --frozen --no-dev
10
+
11
+ ENV PORT=8080
12
+ EXPOSE 8080
13
+
14
+ CMD ["uv", "run", "python", "-m", "stackapps_mcp.http_main"]
@@ -0,0 +1,154 @@
1
+ # Joining the Gateway — Playbook for Adding a Member App
2
+
3
+ This is the authoritative checklist for adding a new StackApps member app's paid
4
+ tools to the stackapps-suite-mcp gateway. Follow it exactly — do not improvise
5
+ from other apps' code. When this document and existing code disagree, this
6
+ document wins; flag the discrepancy to Abe.
7
+
8
+ **Architecture recap:** There is exactly ONE MCP server for the whole suite
9
+ (this package). Member apps never get their own MCP server. Each member app
10
+ hosts its own x402 paid HTTP routes on its own backend; the gateway's tools
11
+ relay to those routes and handle payment. Cloud Run (`mcp.stackapps.app`)
12
+ serves blueprint discovery ONLY — paid tools run locally over stdio.
13
+
14
+ ---
15
+
16
+ ## Invariants — never change these
17
+
18
+ - `SUITE_PAY_TO` in `stackapps_mcp/x402_http.py` (`0x1f2A484ef654d49c58c625b09e78B538501D652D`).
19
+ Every member app's x402 middleware must pay to this exact address. The client
20
+ refuses to sign payments to any other address. If Abe ever rotates the wallet,
21
+ it changes in BOTH places (all app backends + this constant) in one release.
22
+ - Network `eip155:8453` (Base mainnet), asset USDC
23
+ (`0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`).
24
+ - The payment guards in `SuiteX402Http` (pay-to pin + per-call amount cap).
25
+ Never bypass them "temporarily". If a new tool must cost more than $0.50,
26
+ raise `_DEFAULT_MAX_USD_PER_CALL` deliberately and update the `client-safety`
27
+ note in `blueprint.txt` in the same commit.
28
+ - `WALLET_PRIVATE_KEY` is NEVER set on Cloud Run. The hosted service is
29
+ discovery-only (`discovery_only=True`). See `http_main.py` and `deploy-mcp.sh`.
30
+ - `stateless_http=True` on the FastMCP constructor and the SSE guard middleware
31
+ stay in place (Cloud Run requirements — see global CLAUDE.md).
32
+ - Do NOT create a new MCP server for the new app. Tools plug in here.
33
+
34
+ ---
35
+
36
+ ## Part A — App side (the member app's repo, any stack)
37
+
38
+ The app must expose one POST route per paid capability, satisfying this
39
+ contract (framework doesn't matter; Imagcon's backend is the worked example):
40
+
41
+ 1. **Route:** `POST https://<app-domain>/routes/x402/<capability-name>`.
42
+ Public — no auth, no API key. Input is multipart form (for file uploads) or
43
+ JSON. Output is the deliverable (`application/zip`, JSON, etc.).
44
+ 2. **x402 middleware (v2):** on an unpaid request, respond `402` with the
45
+ challenge in the `Payment-Required` header (base64 JSON). The challenge's
46
+ `accepts` entry must be:
47
+ - `scheme: "exact"`, `network: "eip155:8453"`
48
+ - `asset: 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913` (USDC on Base)
49
+ - `payTo: 0x1f2A484ef654d49c58c625b09e78B538501D652D` (the suite wallet —
50
+ use the shared `X402_PAY_TO_ADDRESS` env var, never a new wallet)
51
+ - `amount`: price in USDC atomic units (6 decimals; $0.10 = `"100000"`).
52
+ Keep prices at or under $0.50 unless the gateway cap is raised first.
53
+ 3. **On paid retry** (request carries the signed payment header), settle via
54
+ the x402 middleware and return the result.
55
+ 4. **Optional but recommended:** include the Bazaar `extensions` metadata in
56
+ the challenge (input/output schema) — this is what gets the capability
57
+ indexed. Copy the shape from Imagcon's middleware config.
58
+ 5. **Verify before proceeding to Part B:**
59
+ `curl -s -D - -o /dev/null -X POST https://<app-domain>/routes/x402/<name> -H 'Content-Type: application/json' -d '{}'`
60
+ must return `HTTP 402` with a `Payment-Required` header whose decoded
61
+ `payTo` equals the suite wallet exactly.
62
+
63
+ ---
64
+
65
+ ## Identity & profile endpoints (if the app has them) — security rules
66
+
67
+ Learned from Imagcon's wallet-profile hardening (2026-07-04). If a member app
68
+ adds any account-ish surface to its x402 flows (profiles, saved data, tokens),
69
+ these rules apply:
70
+
71
+ 1. **Secrets never appear in unauthenticated reads.** A public lookup endpoint
72
+ may return status and dates — never tokens, API keys, or anything that
73
+ gates a write. (Imagcon originally returned `profile_token` in the public
74
+ wallet lookup, which made it derivable from public on-chain data.)
75
+ 2. **Public identifiers never authorize writes.** A wallet address is public
76
+ information; anyone can enumerate payers on-chain. Any endpoint that
77
+ creates/changes profile data must require proof of wallet control:
78
+ a signature from the wallet key over the request payload.
79
+ 3. **Signature checks must be replay-proof.** The signed message includes a
80
+ timestamp or nonce, and the server rejects stale/reused signatures.
81
+ 4. **Zero human friction.** The MCP client signs automatically with the same
82
+ key it pays with — no extra agent inputs, no user prompts. Agents bounce at
83
+ any extra step (empirically confirmed by Abe). If a security measure adds a
84
+ visible step, redesign it to ride on the payment key instead.
85
+ 5. **The strong credential (API key etc.) gates data access only** — saved
86
+ content, galleries, full MCP tools. Do not require it for activation or
87
+ profile writes; users who haven't activated yet don't have it.
88
+
89
+ ---
90
+
91
+ ## Part B — Gateway side (this package)
92
+
93
+ 1. **Adapter module:** create `stackapps_mcp/<app>.py` modeled on
94
+ `stackapps_mcp/imagcon.py`:
95
+ - URL constants for each endpoint.
96
+ - Constructor takes `(private_key, network)` and builds a `SuiteX402Http`.
97
+ - One method per capability calling `self._x402.post(...)`.
98
+ - Do NOT copy Imagcon's profile-token logic unless the app actually issues
99
+ `X-<App>-Token` headers.
100
+ - Never construct raw httpx clients or handle 402 responses in the adapter —
101
+ that is `SuiteX402Http`'s job (it owns the safety guards).
102
+ 2. **Tools:** add `@mcp.tool()` functions in `stackapps_mcp/server.py`, modeled
103
+ on the existing ones. Docstring must state what it does and the exact price
104
+ ("Costs $X.XX USDC"). If the tool writes files, use `_safe_extractall` for
105
+ zips and document `output_dir`.
106
+ 3. **Wiring:** `main.py` constructs clients and passes them to the server
107
+ (see `set_client`). Extend the same pattern — one client per member app,
108
+ all sharing the wallet key. Close all clients in the `finally` block.
109
+ 4. **Blueprint (`stackapps_mcp/blueprint.txt`):** update ALL of:
110
+ - `# Version:` (bump minor) and `# Updated:` date
111
+ - `## SUMMARY` capabilities list (one line, with price)
112
+ - `### MCP TOOLS` (one line: `tool | params | description ($price) | source: <domain>`)
113
+ - a full `## CAPABILITY:` block with `### MCP tool:` sub-block
114
+ - `## SUITE` members list (move the app from "planned" to "live")
115
+ 5. **Release:** bump `version` in `pyproject.toml`. Build the wheel
116
+ (`uv build`), copy it to `client/public/downloads/`, then update the wheel
117
+ filename in every place that references it:
118
+ - `_WHEEL_URL` in `stackapps_mcp/server.py`
119
+ - all install/config lines in `stackapps_mcp/blueprint.txt`
120
+ - `client/public/llms.txt` and the hub blueprint files if they mention it
121
+ Old wheel stays available for one release, then delete it.
122
+ 6. **Deploy discovery:** run `./deploy-mcp.sh` from the repo root (deploys the
123
+ blueprint-only Cloud Run service; scale-to-zero, no secrets).
124
+
125
+ ---
126
+
127
+ ## Verification checklist (all must pass)
128
+
129
+ - [ ] Live 402 probe of each new app endpoint shows `payTo` == suite wallet.
130
+ - [ ] Guard test: feed the engine a forged challenge (wrong wallet / over-cap)
131
+ and confirm `NoMatchingRequirementsError` refusal; a legit challenge signs.
132
+ (Use a throwaway key — see the test pattern in the session that built this.)
133
+ - [ ] `python -c "from stackapps_mcp import server, main"` imports cleanly in
134
+ the package venv.
135
+ - [ ] MCP inspector (or `claude mcp add` locally): new tools appear in the tool
136
+ list with correct descriptions and prices.
137
+ - [ ] One real paid call per new tool from a funded test wallet; deliverable
138
+ arrives; payment visible on Base for the correct amount.
139
+ - [ ] `https://mcp.stackapps.app/blueprint.txt` serves the updated version.
140
+ - [ ] Wheel installs: `uvx --from <wheel-url> stackapps-suite-mcp --help`.
141
+
142
+ ---
143
+
144
+ ## Current member apps
145
+
146
+ | App | Status | Adapter |
147
+ |---|---|---|
148
+ | imagcon.app | live (5 paid + 2 free capabilities) | `stackapps_mcp/imagcon.py` |
149
+ | stackbill.app | planned | — |
150
+ | stackslip.app | planned | — |
151
+
152
+ Candidate future members (shipped apps, no x402 routes yet): stackspent.app,
153
+ stacktax.app, stackvideo.app, stackagent.app, stacklaunch.app, calypterv.com,
154
+ easyhomeflow.com, dicta-notes.com.
@@ -0,0 +1,93 @@
1
+ Metadata-Version: 2.4
2
+ Name: stackapps-suite-mcp
3
+ Version: 0.1.5
4
+ Summary: MCP gateway for the StackApps tool suite — pay per call in USDC via x402, no account required
5
+ Project-URL: Homepage, https://stackapps.app
6
+ Project-URL: Source, https://github.com/Explorer-64/StackApps
7
+ Project-URL: Blueprint, https://mcp.stackapps.app/blueprint.txt
8
+ Author: Abe Reimer
9
+ License: MIT
10
+ Keywords: agent-payments,mcp,pwa-icons,stackapps,usdc,x402
11
+ Classifier: Development Status :: 4 - Beta
12
+ Classifier: Intended Audience :: Developers
13
+ Classifier: License :: OSI Approved :: MIT License
14
+ Classifier: Programming Language :: Python :: 3.11
15
+ Classifier: Programming Language :: Python :: 3.12
16
+ Classifier: Programming Language :: Python :: 3.13
17
+ Classifier: Topic :: Software Development :: Libraries
18
+ Requires-Python: >=3.11
19
+ Requires-Dist: eth-account>=0.13.0
20
+ Requires-Dist: httpx>=0.27.0
21
+ Requires-Dist: mcp>=1.27.1
22
+ Requires-Dist: uvicorn>=0.30.0
23
+ Requires-Dist: x402[clients,evm]>=2.0.0
24
+ Description-Content-Type: text/markdown
25
+
26
+ # stackapps-suite-mcp
27
+
28
+ mcp-name: io.github.explorer-64/stackapps-suite-mcp
29
+
30
+ One MCP server for the whole [StackApps](https://stackapps.app) tool suite.
31
+ Pay per call in USDC on Base mainnet via [x402](https://www.x402.org/) — no
32
+ account, no API key, no signup. Each member app (Imagcon today; more as they
33
+ ship) contributes tools; one install covers the suite.
34
+
35
+ ## Install
36
+
37
+ ```bash
38
+ claude mcp add stackapps-suite -- uvx stackapps-suite-mcp --wallet-key 0x...
39
+ ```
40
+
41
+ Or in any MCP client config (Claude Desktop, Cursor, Windsurf, Cline):
42
+
43
+ ```json
44
+ {
45
+ "mcpServers": {
46
+ "stackapps-suite": {
47
+ "command": "uvx",
48
+ "args": ["stackapps-suite-mcp"],
49
+ "env": { "WALLET_PRIVATE_KEY": "0x..." }
50
+ }
51
+ }
52
+ }
53
+ ```
54
+
55
+ Requirements: [uv](https://docs.astral.sh/uv/), Python 3.11+, an EVM wallet
56
+ holding USDC on Base mainnet (eip155:8453). Prefer the `WALLET_PRIVATE_KEY`
57
+ env var over the `--wallet-key` argument.
58
+
59
+ ## Tools
60
+
61
+ | Tool | Price (USDC) | What it does |
62
+ |---|---|---|
63
+ | `create_pwa_icons_from_image` | $0.10 | Full PWA icon set (27 files + manifest.json) from a local image |
64
+ | `create_splash_screens_from_image` | $0.10 | 16 iOS/iPad splash screens from a local image |
65
+ | `generate_pwa_icons` | $0.295 | AI-generated PWA icon set from a text description |
66
+ | `generate_image` | $0.195 | AI-generated source image (returns preview URL) |
67
+ | `generate_splash_screens` | $0.295 | AI-generated splash screens from a text description |
68
+ | `get_wallet_profile` | free | Check your wallet's Imagcon profile status |
69
+ | `setup_wallet_profile` | free | Activate a permanent account (wallet-signature verified) |
70
+
71
+ ## Payment safety
72
+
73
+ The server refuses to sign any payment challenge that does not pay the
74
+ StackApps suite wallet, or that exceeds the per-call cap ($0.50 USDC by
75
+ default; override with `STACKAPPS_MAX_USD_PER_CALL`). A compromised or spoofed
76
+ endpoint cannot redirect or inflate payments. Payments settle on-chain via
77
+ EIP-3009 — the gas is sponsored; your wallet needs only USDC.
78
+
79
+ Never commit your wallet key, and never run this server on a public host with
80
+ `WALLET_PRIVATE_KEY` set. The hosted endpoint at
81
+ [mcp.stackapps.app](https://mcp.stackapps.app/blueprint.txt) serves discovery
82
+ metadata only.
83
+
84
+ ## Discovery
85
+
86
+ Machine-readable capability contract (Blueprint Protocol):
87
+ [mcp.stackapps.app/blueprint.txt](https://mcp.stackapps.app/blueprint.txt)
88
+
89
+ ## Links
90
+
91
+ - Suite: https://stackapps.app
92
+ - Source: https://github.com/Explorer-64/StackApps (`stackapps-mcp/`)
93
+ - Imagcon (current member app): https://imagcon.app
@@ -0,0 +1,68 @@
1
+ # stackapps-suite-mcp
2
+
3
+ mcp-name: io.github.explorer-64/stackapps-suite-mcp
4
+
5
+ One MCP server for the whole [StackApps](https://stackapps.app) tool suite.
6
+ Pay per call in USDC on Base mainnet via [x402](https://www.x402.org/) — no
7
+ account, no API key, no signup. Each member app (Imagcon today; more as they
8
+ ship) contributes tools; one install covers the suite.
9
+
10
+ ## Install
11
+
12
+ ```bash
13
+ claude mcp add stackapps-suite -- uvx stackapps-suite-mcp --wallet-key 0x...
14
+ ```
15
+
16
+ Or in any MCP client config (Claude Desktop, Cursor, Windsurf, Cline):
17
+
18
+ ```json
19
+ {
20
+ "mcpServers": {
21
+ "stackapps-suite": {
22
+ "command": "uvx",
23
+ "args": ["stackapps-suite-mcp"],
24
+ "env": { "WALLET_PRIVATE_KEY": "0x..." }
25
+ }
26
+ }
27
+ }
28
+ ```
29
+
30
+ Requirements: [uv](https://docs.astral.sh/uv/), Python 3.11+, an EVM wallet
31
+ holding USDC on Base mainnet (eip155:8453). Prefer the `WALLET_PRIVATE_KEY`
32
+ env var over the `--wallet-key` argument.
33
+
34
+ ## Tools
35
+
36
+ | Tool | Price (USDC) | What it does |
37
+ |---|---|---|
38
+ | `create_pwa_icons_from_image` | $0.10 | Full PWA icon set (27 files + manifest.json) from a local image |
39
+ | `create_splash_screens_from_image` | $0.10 | 16 iOS/iPad splash screens from a local image |
40
+ | `generate_pwa_icons` | $0.295 | AI-generated PWA icon set from a text description |
41
+ | `generate_image` | $0.195 | AI-generated source image (returns preview URL) |
42
+ | `generate_splash_screens` | $0.295 | AI-generated splash screens from a text description |
43
+ | `get_wallet_profile` | free | Check your wallet's Imagcon profile status |
44
+ | `setup_wallet_profile` | free | Activate a permanent account (wallet-signature verified) |
45
+
46
+ ## Payment safety
47
+
48
+ The server refuses to sign any payment challenge that does not pay the
49
+ StackApps suite wallet, or that exceeds the per-call cap ($0.50 USDC by
50
+ default; override with `STACKAPPS_MAX_USD_PER_CALL`). A compromised or spoofed
51
+ endpoint cannot redirect or inflate payments. Payments settle on-chain via
52
+ EIP-3009 — the gas is sponsored; your wallet needs only USDC.
53
+
54
+ Never commit your wallet key, and never run this server on a public host with
55
+ `WALLET_PRIVATE_KEY` set. The hosted endpoint at
56
+ [mcp.stackapps.app](https://mcp.stackapps.app/blueprint.txt) serves discovery
57
+ metadata only.
58
+
59
+ ## Discovery
60
+
61
+ Machine-readable capability contract (Blueprint Protocol):
62
+ [mcp.stackapps.app/blueprint.txt](https://mcp.stackapps.app/blueprint.txt)
63
+
64
+ ## Links
65
+
66
+ - Suite: https://stackapps.app
67
+ - Source: https://github.com/Explorer-64/StackApps (`stackapps-mcp/`)
68
+ - Imagcon (current member app): https://imagcon.app
@@ -0,0 +1,41 @@
1
+ [build-system]
2
+ requires = ["hatchling"]
3
+ build-backend = "hatchling.build"
4
+
5
+ [project]
6
+ name = "stackapps-suite-mcp"
7
+ version = "0.1.5"
8
+ description = "MCP gateway for the StackApps tool suite — pay per call in USDC via x402, no account required"
9
+ readme = "README.md"
10
+ requires-python = ">=3.11"
11
+ license = { text = "MIT" }
12
+ authors = [{ name = "Abe Reimer" }]
13
+ keywords = ["mcp", "x402", "usdc", "pwa-icons", "stackapps", "agent-payments"]
14
+ classifiers = [
15
+ "Development Status :: 4 - Beta",
16
+ "Intended Audience :: Developers",
17
+ "License :: OSI Approved :: MIT License",
18
+ "Programming Language :: Python :: 3.11",
19
+ "Programming Language :: Python :: 3.12",
20
+ "Programming Language :: Python :: 3.13",
21
+ "Topic :: Software Development :: Libraries",
22
+ ]
23
+
24
+ dependencies = [
25
+ "eth-account>=0.13.0",
26
+ "httpx>=0.27.0",
27
+ "mcp>=1.27.1",
28
+ "uvicorn>=0.30.0",
29
+ "x402[evm,clients]>=2.0.0",
30
+ ]
31
+
32
+ [project.urls]
33
+ Homepage = "https://stackapps.app"
34
+ Source = "https://github.com/Explorer-64/StackApps"
35
+ Blueprint = "https://mcp.stackapps.app/blueprint.txt"
36
+
37
+ [project.scripts]
38
+ stackapps-suite-mcp = "stackapps_mcp.__main__:main"
39
+
40
+ [tool.hatch.build.targets.wheel]
41
+ packages = ["stackapps_mcp"]
File without changes
@@ -0,0 +1,4 @@
1
+ from stackapps_mcp.main import main
2
+
3
+ if __name__ == "__main__":
4
+ main()