Browser-based tooling for the two layers of the agent stack: building MCP servers and integrating agentic payment rails. Lint tool definitions and a server.json, score spec-revision compliance, audit OAuth, scan for tool poisoning, orient across the fragmenting payment protocols (AP2, ACP, x402, Visa TAP, Mastercard Agent Pay), decode an x402 flow, and validate an A2A agent card — all deterministic, client-side, zero PII.
A path for developers shipping MCP-native, payment-capable agents: define and publish your server, then choose and integrate a payment rail. The security and spec tools span every stage.
Ten deterministic, client-side tools. Each validates pasted artifacts against published specs — no live handshake, token, or network. All export a Policy Mandate JSON for agent ingestion.
Lint a tool definition against JSON Schema 2020-12 and the current naming, output-schema, and annotation rules. Designs a consistent readOnly/destructive/idempotent/openWorld annotation set.
Open tool →Validate a server.json against the 2025-12-11 schema and the official registry publishing rules — reverse-DNS namespace, _meta 4KB cap, allowlisted base URLs, MCPB fileSha256 — then scaffold a compliant skeleton.
Open tool →Put AP2, ACP (Shared Payment Token), x402, Visa Trusted Agent Protocol, and Mastercard Agent Pay side by side across credential, signing, scope, rail, and audit — with a field crosswalk and scenario recommender.
Open tool →Decode x402 PAYMENT-REQUIRED / PAYMENT-SIGNATURE headers, lint an exact-scheme PaymentPayload, walk the HTTP-402 verify/settle flow, and check the scheme×network matrix.
Open tool →Validate the RFC 9728 protected-resource-metadata document, visualize the discovery chain, check RFC 8707 audience binding, and self-assess the two cardinal sins — token passthrough and the confused deputy.
Open tool →Decode and validate HTTP Message Signatures, lint a Web Bot Auth JWKS directory (Ed25519), and score readiness — the signature substrate under Visa's Trusted Agent Protocol.
Open tool →Score your server against a target revision (2025-06-18 / 2025-11-25 / 2026-07-28 RC) and get a breaking-change advisor for the stateless protocol core — the largest, most breaking MCP revision since launch.
Open tool →Validate an Agentic Commerce Protocol checkout-session object and lint a Shared Payment Token for the four properties that keep it safe: single-use, merchant-bound, amount-capped, and short-lived.
Open tool →Scan a tool description or manifest for poisoning and injection smells — instruction overrides, hidden zero-width unicode, role-play framing, tool-shadowing, and exfiltration hints. Maps to OWASP ASI01.
Open tool →Validate an Agent2Agent agent-card.json against the v1.0 shape, check the signed-card signatures block, and confirm AP2 / x402 extension declarations — the discovery layer AP2 rides on.
Open tool →Engineers shipping Model Context Protocol servers who need their tool definitions, server.json, auth, and security posture to pass review.
Teams adding payment capability to agents and choosing between AP2, ACP, x402, and the card-network protocols.
Architects mapping the fragmenting agentic-commerce landscape onto their existing rails and compliance posture.
Anyone auditing tool poisoning, OAuth confused-deputy risk, or agent identity — or who needs a fast, citable orientation without infrastructure.
Open T274, paste a tool definition, and resolve every error before publishing. Then validate your server.json (T275).