npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@fidacy/mcp

v0.1.5

Published

Fidacy action firewall for AI agents. Mandate-gated payment authorization as an MCP server.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

lucasdelimalucasdelima

Keywords

mcpmodel-context-protocolai-agentspaymentsfirewallmandatetrustverdicted25519fidacy

Readme

@fidacy/mcp

The action firewall for AI agents. A drop-in MCP server that gates payment actions against a cryptographically signed mandate before money can move. Non-custodial: Fidacy authorizes and proves, it never holds funds.

Install once, works in any MCP-compatible agent: Claude Code, Claude Desktop, Hermes, OpenClaw, and anything else that speaks MCP.

Why

An agent can hallucinate or be prompt-injected into a payment: wrong payee, wrong amount, fabricated invoice. Prompt-level guardrails are probabilistic and bypassable. @fidacy/mcp is a deterministic gate between the agent's intent and the executor: the action is dead on arrival unless it validates against a signed mandate, and every decision lands in an immutable hash-chained audit trail.

Enforcement model

  1. Register @fidacy/mcp as the agent's only payment-capable tool. Do not give the agent a raw payment tool. Tool inventory is the runtime firewall.
  2. The agent calls request_payment. Fidacy checks it against the mandate (payee allowlist, per-tx cap, total cap, currency, time window, revocation).
  3. ALLOW returns a short-lived Ed25519 grant. DENY returns no grant and the violated rule. The downstream executor MUST require the grant, so a denied action cannot proceed.
  4. Every decision is appended to a hash-chained log. get_audit_proof returns the portable, verifiable proof.

One install, two backends

@fidacy/mcp ships two complementary capabilities in a single install:

  • Verdict layer (advisory): assess_action calls the live Fidacy engine and returns a signed trust verdict. It moves no money; it returns a judgment whose proof (riskPayloadJws + signingKeyId) is verifiable by anyone via @fidacy/verify against the engine JWKS at /.well-known/jwks.json.
  • Payment firewall (enforcement): request_payment / verify_mandate / get_audit_proof gate and prove a payment against a signed mandate through the core, returning short-lived Ed25519 grants.

Mental model: assess_action -> engine (signed verdict); request_payment and friends -> core (payment firewall).

Tools

| Tool | Backend | Purpose | |---|---|---| | assess_action | engine | Signed Fidacy trust verdict for a proposed action. Advisory. | | request_payment | core | Authorize a payment action. ALLOW + grant, or DENY + rule. | | verify_mandate | core | Read the mandate envelope + Fidacy public key. | | get_audit_proof | core | Hash-chained proof for a decision id. |

assess_action

Returns a signed Fidacy trust verdict from the live engine for a proposed action. The signed proof is riskPayloadJws + signingKeyId, verifiable by anyone via @fidacy/verify against {engineUrl}/.well-known/jwks.json.

Inputs:

  • kind (optional, default ap2_payment): one of ap2_payment, message_send, voice_call, custom, claim_document.
  • mandate (required): the action/mandate object for that kind.
  • mandateType, spendingMandate, idempotencyKey, a2a.task_id (optional).

Environment:

| Var | Default | Purpose | |---|---|---| | FIDACY_ENGINE_URL | https://api.fidacy.com | Base URL of the Fidacy engine. | | FIDACY_ENGINE_API_KEY | (none) | An fky_live_ / fky_test_ key with scope assess:write. |

The server boots without FIDACY_ENGINE_API_KEY; the tool is always registered. Only calling assess_action without the key returns a helpful error telling you to set it. The key is never logged, echoed, or attached to any error.

Install

npm install -g @fidacy/mcp   # or run via npx, no install

Claude Code

claude mcp add fidacy -- npx -y @fidacy/mcp

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "fidacy": { "command": "npx", "args": ["-y", "@fidacy/mcp"] }
  }
}

Hermes (config.yaml)

mcp_servers:
  fidacy:
    command: npx
    args: ["-y", "@fidacy/mcp"]

OpenClaw

Add the same server via the Tools panel, or the mcpServers block in your agent config. Any MCP-compatible host uses the same command.

Wiring the real core (production)

The MCP layer talks to your core through one interface (FidacyCore). Your repository stays private. Set FIDACY_MODE=http and implement three endpoints:

  • POST /v1/mandate/get -> Mandate
  • POST /v1/decide -> Decision (runs your Ed25519/AP2 verification + audit append)
  • POST /v1/audit/proof -> AuditProof

No change to the MCP layer is needed.

Dev

npm install
npm run build
npm start      # stdio server, in-memory demo mandate