# Pair LION with the Cloudflare Agents SDK x402 client

Run the LION Marketplace Visibility Audit from a Cloudflare-Worker-deployed agent. The Cloudflare Agents SDK has native x402 client support: when your agent's tool calls hit an HTTP 402, the SDK handles the EIP-3009 signature, pays in USDC on Base, and retries with the `Payment-Signature` header. LION does NOT perform the payment.

Endpoint #2 (Marketplace Visibility Audit) is **public beta**, launched 2026-05-27, awaiting its first external buyer. Payment rail is proven by prior controlled Endpoint #1 settlements. No external paid proof has been claimed for Endpoint #2. `external_paid_proof: false`.

## What this pair does

- **LION MCP server** exposes the `lion_marketplace_visibility_audit` tool over Streamable HTTP. On unpaid `tools/call`, the server returns a native JSON-RPC error `code: -32402` with an x402 v2 `paymentRequirement` in `error.data.payment`. The tool itself never charges your wallet.
- **Cloudflare Agents SDK x402 client** (`withX402Client` wrapper) sees the -32402 + paymentRequirement, signs an EIP-3009 TransferWithAuthorization with your configured wallet, and retries with the `Payment-Signature` header on the eventual HTTP fallback URL the tool returns.

## Install (one-time, on a Cloudflare Workers project)

In a Cloudflare Workers + Agents SDK project, install the x402 client and the MCP client:

```
npm install @cloudflare/agents @x402/fetch @x402/mcp
```

Configure your wallet credentials via Workers Secrets (never commit to source):

```
wrangler secret put X402_PRIVATE_KEY        # buyer wallet EOA private key (your wallet, NEVER LION's)
wrangler secret put X402_NETWORK            # e.g. "base-mainnet"
wrangler secret put X402_MAX_PER_REQUEST    # e.g. "100000" (atomic USDC cap per tool call)
```

LION does not see, touch, or accept any of these. They configure YOUR agent's wallet middleware only.

## Connect LION as a remote MCP server

In your agent's Workers `index.ts`, add LION to the MCP client list:

```ts
import { Agent } from '@cloudflare/agents';
import { withX402Client } from '@x402/fetch';
import { McpClient } from '@x402/mcp';

const x402Fetch = withX402Client(fetch, {
  privateKey: env.X402_PRIVATE_KEY,
  network: env.X402_NETWORK,
  maxAtomicPerRequest: env.X402_MAX_PER_REQUEST,
});

const lion = new McpClient({
  url: 'https://gleaming-cassata-d41682.netlify.app/api/mcp?src=buyer_runtime_cloudflare',
  transport: 'streamable-http',
  fetch: x402Fetch,
});

await lion.initialize();
const tools = await lion.listTools();
// tools[].name should include: lion_marketplace_visibility_audit
```

Replace `env.X402_*` with your Workers binding names.

## Call the audit tool

```ts
const result = await lion.callTool({
  name: 'lion_marketplace_visibility_audit',
  arguments: { url: 'https://example.com/api/x402/your-paid-route' },
});
// If unpaid: the McpClient receives JSON-RPC error -32402 + paymentRequirement.
// The x402Fetch wrapper intercepts; signs the EIP-3009 authorization using
// env.X402_PRIVATE_KEY; pays 50000 atomic USDC on Base (eip155:8453) to
// LION's payTo (0x84c2e2ec19a4b467D89fE3F008591DEEA884d9Ac); retries.
// On success: result is the audit JSON returned by the paid HTTP route.
```

## Payment terms LION will quote

When the SDK reads the -32402 error.data.payment.paymentRequirement, it sees:

- `x402Version`: `2`
- `accepts[0].scheme`: `exact`
- `accepts[0].network`: `eip155:8453` (Base mainnet)
- `accepts[0].amount`: `50000` atomic USDC (= $0.05)
- `accepts[0].asset`: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913` (USDC on Base)
- `accepts[0].payTo`: `0x84c2e2ec19a4b467D89fE3F008591DEEA884d9Ac`
- `accepts[0].maxTimeoutSeconds`: `60`
- `accepts[0].extra`: `{ name: "USDC", version: "2" }`

These are the on-chain payment terms. Your wallet middleware constructs the EIP-3009 authorization against these exact values.

## What the audit returns (paid 200)

A structured JSON report with:

- `well_known_x402` status of the audited service
- `payment_required_body` validity
- extracted `payTo` / `amount` / `asset` / `network` / `scheme` of the audited 402
- `x402scan_status`, `mcp_registry_status`
- `machine_discovery_files`: `{ llms_txt, openapi, agents_json }` statuses
- `visibility_score` (0..100)
- `top_3_recommendations` (ranked remediation list)

## Spending guardrails (your agent, not LION)

The Cloudflare Agents x402 client will refuse the payment if:

- amount exceeds `X402_MAX_PER_REQUEST`
- network differs from `X402_NETWORK`
- spend policy denies the request
- wallet balance is insufficient

LION cannot bypass any of these. There is no fallback in LION that signs on your wallet's behalf.

## Constraints

- No API key.
- No PII collected.
- No claim of guaranteed conversion.
- No claim of external paid proof for Endpoint #2.
- LION does not perform any wallet operation.

## Discovery surfaces (alternative paths to find LION)

- Glama: https://glama.ai/mcp/connectors/app.netlify.gleaming-cassata-d41682/lion-mcp
- MCP Registry: https://registry.modelcontextprotocol.io/v0/servers?search=gleaming-cassata
- Direct MCP URL: `https://gleaming-cassata-d41682.netlify.app/api/mcp?src=buyer_runtime_cloudflare`

## Source attribution

Use the `?src=buyer_runtime_cloudflare` query tag in the MCP URL. LION's by_src ledger uses this to attribute Cloudflare-Agents-originated traffic separately from generic crawler hits.
