mcp-server

The core application uses FastAPI with Pydantic for input validation, supports Bearer token/JWT authentication, and integrates payment guardrails (budget, rate limit, recipient whitelist) via OmniAgentPay SDK. Structured logging and a health check are present. However, hardcoded example secrets (API keys, auth tokens) are directly embedded in the `deploy-first-time.sh` and `cloudbuild.yaml` scripts as environment variables. While documentation advises using secure methods like Google Cloud Secret Manager, the provided deployment scripts themselves demonstrate a critical security anti-pattern by exposing secrets in plaintext, which could lead to accidental exposure if real keys are used similarly. Webhook signature verification is bypassed in 'dev' environment and requires `OMNIAGENTPAY_WEBHOOK_SECRET` for production.