ar-agents is a Mercado Pago Agent Toolkit for the Vercel AI SDK 6. It ships 89 typed tools that an LLM agent can call directly to drive Mercado Pago billing flows: subscriptions, payments, refunds, checkout pro, marketplace OAuth, cuotas (installments), QR in-store, 3DS challenge resolution, point-of-sale devices, webhooks. Sidecar packages cover AFIP/ARCA, WhatsApp Business Cloud, banking (CBU/CVU + BCRA), and shipping (Andreani/OCA/Correo Argentino).

How is this different from the official mercadopago SDK?

The official mercadopago SDK is a thin REST client. It does not ship Vercel AI SDK tool schemas, does not implement webhook HMAC verification with replay protection, does not run on Edge Runtime (Node-only), and does not gate irreversible operations. ar-agents adds all of that on top of the underlying API: 89 typed tools, deterministic idempotency keys derived from inputs, programmatic human-in-the-loop on refund/cancel/delete, npm provenance attestation, Vercel KV adapters via subpath, OpenTelemetry instrumentation. You can use both packages in the same project; ar-agents wraps the underlying API directly without depending on the official SDK.

Does ar-agents work on Edge Runtime?

Yes. The whole package is Web Crypto-based with no node:crypto dependency, so it runs on Vercel Edge Functions, Cloudflare Workers, Deno, and any other V8-isolate runtime. Webhook signature verification, HMAC, and idempotency-key generation all use the Web Crypto API.

What is HITL (human-in-the-loop) in ar-agents?

Eight tools mutate state irreversibly (refund_payment, cancel_subscription, delete_customer_card, etc.). The toolkit accepts a requireConfirmation callback that gates each invocation: the tool function literally will not execute until your callback returns true. This is a programmatic gate, not just an LLM instruction. You can show the user a UI and wait for their explicit approval before any irreversible operation runs.

How does idempotency work?

Every POST request gets an auto-generated idempotency key. For LLM-driven retries, four mutating tools (create_payment, create_subscription, create_payment_preference, refund_payment) use a deterministic key derived from a SHA-256 hash of the meaningful inputs (external_reference, amount, payment_method, etc.). Same inputs produce the same key, so retries return the existing resource instead of double-charging the customer.

Yes. MIT license. No paid tier, no telemetry phone-home, no usage caps. The package is published to npm under the @ar-agents scope with SLSA v1 provenance attestations.

What about AFIP, WhatsApp, banking, shipping?

Sidecar packages cover the rest of the Argentine business stack: @ar-agents/identity (CUIT/CUIL validation + AFIP/ARCA padron lookup with monotributo category and IVA condition), @ar-agents/facturacion (AFIP/ARCA factura electronica via WSFE), @ar-agents/whatsapp (WhatsApp Business Cloud API with HMAC webhook verify and AR phone normalizer), @ar-agents/banking (CBU/CVU validation + BCRA Central de Deudores), @ar-agents/shipping (Andreani, OCA, Correo Argentino), @ar-agents/identity-attest (HMAC-signed verification orchestrator). Each ships independently to npm.

Is there a Model Context Protocol (MCP) server?

Yes. @ar-agents/mcp bundles all 7 ar-agents packages into a single MCP server compatible with Claude Desktop, Cursor, Codeium, Continue, Cline, or any MCP host. Auto-detects which packages to enable from environment variables. Listed on Glama (glama.ai/mcp/servers/ar-agents/ar-agents) and the official MCP Registry (io.github.ar-agents/mcp).

Security threat model

14 explicit threats, 14 explicit mitigations. What the toolkit covers, what the host is responsible for, what's out of scope. Updated for every release.

When agents move money, the threat surface widens. An LLM that can authorize a charge can also be coerced (via prompt injection, jailbreak, or compromised upstream model) into authorizing a fraudulent one. The toolkit's job is to make those attacks mechanically harder to execute, not just hope the model never gets confused.

This page enumerates every threat we have explicitly thought about, with the specific mitigation in code. Inspired by STRIDE + the OWASP LLM Top 10. Three statuses:

Mitigated by toolkit — code in @ar-agents/* eliminates or substantially raises the bar for the attack. Host is responsible — the toolkit gives you the primitives but you have to wire them correctly (e.g., using HSM/KMS for cert storage). Out of scope — the attack lives outside the boundary the toolkit can reasonably defend.

The 14 threats

T1Mitigated by toolkit

LLM agent retries a tool call after a network blip, double-charges the customer.

MITIGATIONDeterministic SHA-256 idempotency keys derived from input parameters in 4 mutating tools (create_payment, create_subscription, create_payment_preference, refund_payment). Same inputs → same key → MP server-side dedupes.

T2Mitigated by toolkit

Compromised LLM (jailbreak / prompt injection) authorizes a refund, cancellation, or card deletion the user didn't consent to.

MITIGATION8 irreversible tools (refund_payment, cancel_subscription, cancel_payment_preference, pause_subscription, delete_customer_card, cancel_qr_dynamic, delete_pos, revoke_marketplace_token) require a `requireConfirmation` callback. Tool execution blocks until the host confirms via UI / Slack / email. Programmatic gate, not LLM instruction.

T3Mitigated by toolkit

Webhook spoofing — attacker crafts fake MP webhooks to mark fake payments as completed.

MITIGATIONverifyWebhookSignature() does HMAC-SHA256 over (id, request-id, ts) with the shared secret. Constant-time comparison defangs timing attacks. 5-minute replay-tolerance window rejects old signed payloads.

T4Mitigated by toolkit

Webhook replay — attacker re-plays a legitimately-signed webhook to trigger duplicate downstream actions.

MITIGATIONWebhookDedup helper short-circuits duplicate webhook IDs server-side. Configurable TTL window (default 24h). Persisted via the same KV adapter the rest of the toolkit uses.

T5Mitigated by toolkit

Access token leak — MP/AFIP/Meta credentials end up in client-side JS bundles.

MITIGATIONMercadoPagoClient and WsfeClient throw at construction time when instantiated in a browser context (typeof window !== 'undefined' check). README warns 'use Server Components / Route Handlers / Server Actions only'. server-only side enforced; the agent loop runs on Edge or Node.

T6Host is responsible

AFIP cert exfiltration — private key in env vars ends up in logs / source maps / serverless cold-start traces.

MITIGATIONCert + key passed as PEM strings via env vars (Vercel secrets / AWS Secrets Manager / GCP Secret Manager). Never written to disk. The toolkit reads them once at boot, holds in memory, signs WSAA tokens with Web Crypto. RFC-001 § 3.2 mandates HSM/KMS for sociedades-IA in production.

T7Mitigated by toolkit

Supply-chain attack — malicious code injected into a published @ar-agents/* tarball.

MITIGATIONEvery published tarball ships an SLSA v1 npm provenance attestation tying it to a specific GitHub commit + GitHub Actions runner. Verifiable via `npm view <pkg> dist.attestations` against Sigstore transparency log. OpenSSF Scorecard auto-audits 18 supply-chain practices weekly.

T8Mitigated by toolkit

Dependency confusion — attacker publishes a typo-squat (`@ar-agent/mercadopago`).

MITIGATIONScoped npm org `@ar-agents` registered + locked to one publisher. Verified package metadata (homepage, repository, bugs.url) on every package. README badges + Glama listing + MCP Registry listing all cross-link to https://github.com/ar-agents/ar-agents.

T9Mitigated by toolkit

Hung agent / runaway loop — agent gets stuck retrying a failed tool call until quotas exhaust.

MITIGATIONstopWhen: stepCountIs(N) caps agent steps. CircuitBreaker on every external API client (rolling-window failure threshold). Per-request timeout via AbortSignal propagation. MaxRetries default = 1 for state mutations, 3 for read-only lookups.

T10Host is responsible

Cross-tenant data leak — multi-tenant host fetches Tenant A's MP payments and Tenant B sees them.

MITIGATIONEach MercadoPagoClient instance is bound to one accessToken. State adapters keyed on a host-supplied tenantId. The toolkit doesn't share state across instances — host wires per-tenant adapters.

T11Mitigated by toolkit

Audit log tampering — attacker who breached the host modifies past tool-call records to cover their tracks.

MITIGATIONAuditLogger wraps every tool call (input, output, duration, error) with an HMAC-signed timestamp using a separate audit secret. Append-only sink (Vercel KV, S3 with object lock, Postgres with row-level immutability). RFC-001 § 9.2 makes the log legally probative.

T12Mitigated by toolkit

OAuth token theft — marketplace seller's MP refresh-token leaked, attacker drains their account.

MITIGATIONVercelKVOAuthTokenStore (subpath `/vercel-kv`) encrypts at rest, scoped to your platform's Vercel project. Refresh tokens kept server-side. The toolkit's revoke_marketplace_token tool gated behind requireConfirmation (T2).

T13Mitigated by toolkit

Content injection in factura PDF (XSS via item description, or embedded executable).

MITIGATIONItem descriptions sanitized + length-capped before WSFE submit. AFIP's WSFE rejects malformed payloads server-side. PDF generation uses static templates with parameter binding — no user-supplied HTML/JS injection vector.

T14Out of scope

Browser-fingerprint MP fraud detection bypass — attacker scripts payment flow to look like legitimate browser traffic.

MITIGATIONOut of scope. MP's fraud team runs the detection; the toolkit's job is to surface their verdict via explainPaymentStatus(). Recipe 13 (anti-fraud middleware) layers additional pre-charge heuristics (CUIT validity, payer history, velocity, BCRA cross-check).

Reporting a vulnerability

If you find a security issue not covered above, please don't open a public GitHub issue. Email naza@helloastro.co with details and proof-of-concept. We'll respond within 48 hours and disclose responsibly per SECURITY.md in the repo.

For supply-chain audit: every published package ships SLSA v1 provenance attestations. Verify with npm view @ar-agents/<name> dist.attestations and cross-check the Sigstore transparency-log entry.

What this page is, and isn't

This page ISthe toolkit author's explicit thinking about the attack surface. Every claim maps to specific code. If a mitigation breaks, this page is wrong and we update it in the same PR.

This page IS NOTa third-party audit, a SOC 2 report, or a guarantee. The toolkit is MIT-licensed open source; you operate it under your own legal & compliance regime. For regulated workloads (banking, healthcare, government), commission a third-party review before production deployment.

Security threat model.

The 14 threats

Reporting a vulnerability

What this page is, and isn't