Money capture wave: /pricing, grade-page capture, free-execute on-ramp, behavioral moat ON#66
Merged
Merged
Conversation
… free-execute knob
Four conversion/SEO fixes from the 2026-06-06 money+monopoly audit. All
default-safe (no prod behavior change until env is set) and green.
SEO risk (thin content):
- u.ts: render `noindex,follow` on /u pages with 0 agent-callable tools, and
exclude them from the sitemap (engine.ts now records tool count `n` in seen:
metadata; legacy entries with no `n` are kept).
- mcp_grade.ts: isPublicGradableHost() rejects localhost / RFC1918+loopback+
link-local IPs / example.com / reserved TLDs / {template} vars. Applied at the
grade-page route (404 + noindex), recordGrade (no persist), the sitemap, and
the leaderboard — keeps ~40 junk "Trust grade F" pages off public surfaces.
GEO (be the cited source for "is X MCP server safe"):
- grade pages now render a visible Q&A answer block + FAQPage JSON-LD.
Capture identity at the grade (turn the 6.7k-server graph into a funnel):
- low-graded (score<60) commercial grade pages get a score-conditioned Deep
Audit / Monitoring pitch + email capture (records host+grade+finding via
/api/v1/leads); all network grade pages get a free "Claim it" hook.
The A–F grade itself stays free (hard rule).
/pricing (was 404):
- new pricing.ts page with BOTH locked ladders kept separate (self-serve
Free/$39/$99/$299 + managed $499/$999/$4,999+), reuses the inline cs_live
checkout, Product/Offer JSON-LD, self-canonical, added to sitemap.
Free-execute on-ramp:
- wrangler.toml exposes PROXY_FREE_CALLS_PER_DAY (kept "0" = current behavior;
bump to let users taste vaulted execute before the paywall — metering already
wired in auth.ts). Sharpened the 402 copy to point at /pricing.
Tests: +host_validation.test.ts (predicate + /pricing + grade-page capture/GEO);
moved RFC-reserved example.com fixtures to acmelabs.io. 244/244 pass, tsc clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…without waiting for traffic
The uncopyable half of the trust graph (observed p50/p95/error from REAL tool
calls) only activates after ≥5 proxied calls/host — so with ~0 user traffic it's
dark, and the grade is static-probe-only (copyable in a weekend). This seeds it.
- mcp_grade.ts: seedBehaviorForHost() exercises a host's READ-ONLY tools itself
and feeds behavior.ts (same recordToolCall path as the proxy, matching ok=
2xx-3xx semantics). SAFE BY CONSTRUCTION: isReadOnlyCallable() only allows
tools that are explicitly readOnlyHint (or safe-named AND non-destructive) AND
require zero args — mutating/destructive/required-arg tools are NEVER invoked;
auth-required, package, non-public, and non-streamable hosts are skipped.
- seedBehaviorBatch() runs a bounded, parallel pass over an admin-curated
flagship list (behaviorseed:list) + a rotating watch-set slice — not a blanket
sweep of 6,771 hosts (impolite + too sparse for behavior.ts's 30-day window).
- recordGrade marks verified_behavioral once the overlay folds in; gradeMeta
carries it so the leaderboard shows a "✓ verified" badge and the grade page a
"Behaviorally verified — measured from N real calls" pill. This is the visible,
uncopyable differentiator vs static scanners / CF AI Gateway / Anthropic.
- Cron-gated behind BEHAVIOR_SEED="1" (default off, wrangler.toml). Admin curates
+ triggers via POST /api/v1/admin/seed-behavior {hosts:[...]} (?run=1).
Tests: +behavior_seed.test.ts proves only safe tools are ever called and that
auth/package hosts make zero network calls. 248/248 pass, tsc clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e in-extension 404 dead-end) Every in-extension upgrade CTA (popup, restock banner, options) and the Stripe cancel_url pointed at /quickcatch, which 404'd — dead-ending the whole $12/mo consumer funnel. This adds the page and makes checkouts measurable. - stripe.ts: quickCatchPage() renders the $12/mo buy page (email→checkout, install link, canceled-state note, self-canonical). The URL is unchanged, so this fixes ALREADY-INSTALLED extensions with NO Web Store re-publish. - createQuickCatchCheckout now threads an attribution `source` (body/query/utm_source) into Stripe client_reference_id + metadata, and counts checkout-starts per source in KV (qcsrc:<source>:<day>) — install→sub finally becomes measurable. - extension popup/content/options links tagged ?source=ext_popup|ext_paywall| ext_banner|ext_options (flows on the NEXT republish; untagged installs already work now and attribute as "quickcatch"). Tests: +attribution + page-render coverage in quickcatch.test.ts. 251/251, tsc clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-safe) Pre-stages display-ad inventory on brand-safe dev CONTENT (the whole blog corpus, one render fn) so the moment EA_PUBLISHER is set in ads.ts it earns site-wide — no further edits. adSlot() returns "" until configured, so this ships dark. Deliberately NOT on the /mcp/grade trust-report pages: those are the independent trust-authority surface the citation/acquisition thesis rests on, and they already monetize correctly via the monitoring/deep-audit CTAs + lead capture. Display ads there would read as "ad-supported grades" and undercut the credibility moat. 251/251 tests, tsc clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
punkpeye/awesome-mcp-servers (run by Glama's founder) requires the Glama score badge after the server link before merge. Added the badge to the README badges row and to both prepared PR entry lines (mcp-registry-submissions.md + registry SUBMISSION_PLAYBOOK Asset C), with a note to submit/claim at glama.ai/mcp/servers first. Repo is already public, so Glama can index + score it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…+ outbound wave Flip the deployed-dark free-execute knob live (deployed wmcp.sh version 950b9e3f): free-plan keys now get 25 live tool-calls/day before the 402, so new users feel vaulted-credential execute (the switching cost) before the paywall. Closes the #2 conversion leak from the 2026-06-06 audit. Add launch/outbound-wave-2026-06.md: 6 ready-to-send Deep-Audit emails to F-graded commercial MCP operators (re-verified F 45/100 live 2026-06-09; report pages carry working Deep Audit + Monitor checkout). The direct first-dollar path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Payram (Krishna Raj / t.me/krishnaxl / Calendly) STRONG; Agentra (@agentrapay X) MEDIUM; Crossfin (gh issue on bubilife1202/crossfin) LOW; Viridis no public contact (WHOIS redacted, no footprint). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…d default flagships + rotation - DEFAULT_BEHAVIOR_SEED_HOSTS: 10 live-verified A/A+ public streamable-HTTP servers (probed 2026-06-09: unauthenticated tools/list + >=2 read-only zero-arg tools each) used until the operator curates via the admin endpoint - seedBehaviorBatch now rotates the flagship list across runs so lists longer than the per-run budget still cycle every host (before: hosts past max never ran) - BEHAVIOR_SEED=1: the 2h cron now feeds behavior.ts -> '✓ verified' tier on the leaderboard + grade pages (the uncopyable behavioral moat goes live) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…/badges in robots - sitemap now only lists /u pages with a KNOWN tool count > 0 (was: kept unknown-n legacy entries -> 3,039 noindexed URLs / 24% of the sitemap, a 'Submitted URL marked noindex' contradiction in Search Console) - root cause: the directory-harvest cron's seen: writer never stamped n; it now stamps tool count exactly like engine.ts's writer - robots.txt: Allow /mcp/badges (nav-linked public page was crawl-blocked by the Disallow: /mcp/ group) - lock the sitemap contract with test/sitemap_u_filter.test.ts 255/255 green. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…tch v0.5.0 build - outreach-flow.html: owner-facing walkthrough of the outreach engine - wmcp-briefing.html: what wmcp.sh is / funnels / what's wired (shareable brief) - quickcatch-v0.5.0.zip: the build published on the Chrome Web Store (item bglmmkpaofofjnpkabfneeemgnjpjejl) — same precedent as the tracked quickcatch-0.4.0.zip Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brings origin/main in line with what is (mostly) already deployed to wmcp.sh, plus turns the behavioral moat on.
254/254 tests green, typecheck clean.
🤖 Generated with Claude Code