Built on Tempo · Powered by Machine Payments Protocol

Pay with code,
not credentials.

Senior-level security code review for $0.05. No API keys. No accounts. No subscriptions. Just send code and pay with USDC.

Powered by gstack's production review checklist · AI by Claude

# One command. That's it.
tempo request -X POST \
--json '{"code": "your code here"}' \
https://mpp-review-api.vercel.app/api/review

Three steps. Zero friction.

No signup. No API key. No billing setup. Just install, send, and pay.

STEP 01

Install Tempo CLI

curl -fsSL https://tempo.xyz/install | bash
tempo add wallet && tempo wallet login

One-line install. Add the wallet extension, log in with your email, and fund with USDC.

STEP 02

Send your code

tempo request -X POST \
  --json '{"code":"..."}' \
  https://mpp-review-api.vercel.app/api/review

The server returns HTTP 402. tempo request auto-pays $0.05 USDC from your wallet.

STEP 03

Get your review

{ "review": "Pre-Landing Review: 2 issues (1 critical, 1 informational)..." }

Claude analyzes your code against gstack's security checklist. Results in seconds.

Try it yourself

Copy any example below and run it in your terminal. Each costs $0.05 USDC.

CRITICAL

SQL Injection

String interpolation in a database query — the #1 most exploited vulnerability in web applications.

tempo request -X POST \
  --json '{"code": "function getUser(id) { return db.query(`SELECT * FROM users WHERE id = ${id}`); }"}' \
  https://mpp-review-api.vercel.app/api/review
Expected: SQL injection via string interpolation → Use parameterized queries

CRITICAL

Race Condition

Read-then-write without atomicity. Two concurrent requests could both pass the check and double-claim a reward.

tempo request -X POST \
  --json '{"code": "async function claimReward(userId) {\n  const user = await db.findOne({ id: userId });\n  if (!user.claimed) {\n    await db.update({ id: userId }, { claimed: true, balance: user.balance + 100 });\n  }\n}"}' \
  https://mpp-review-api.vercel.app/api/review
Expected: Read-check-write without atomic WHERE → Use db.update({ id, claimed: false }, ...)
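The double-claim described in this card and the conditional-update fix from the expected output, side by side, as an added example that is not part of the original page or the service's code. The in-memory `makeDb` store, its function-valued `changes` argument and the `race` helper are hypothetical stand-ins for a real database client.

```javascript
// Constructed in-memory stand-in for the snippet's `db` (hypothetical API).
function makeDb() {
  const rows = new Map([["u1", { id: "u1", claimed: false, balance: 0 }]]);
  const tick = () => Promise.resolve(); // yields, like awaiting real I/O
  return {
    async findOne({ id }) {
      await tick();
      return { ...rows.get(id) }; // snapshot, as a fetched row would be
    },
    // Applies `changes` only if every field in `filter` still matches, in one
    // step (like UPDATE ... WHERE id = ? AND claimed = false). Returns rows modified.
    async update(filter, changes) {
      await tick();
      const row = rows.get(filter.id);
      if (!row || !Object.entries(filter).every(([k, v]) => row[k] === v)) return 0;
      Object.assign(row, typeof changes === "function" ? changes(row) : changes);
      return 1;
    },
    balanceOf: (id) => rows.get(id).balance,
  };
}

// The page's snippet, plus a return value so grants can be counted.
async function claimRewardVulnerable(db, userId) {
  const user = await db.findOne({ id: userId });
  if (!user.claimed) {
    await db.update({ id: userId }, { claimed: true, balance: user.balance + 100 });
    return true; // every caller that read claimed=false ends up here
  }
  return false;
}

// Check and write collapsed into one conditional update; the increment is
// computed from the live row, not from an earlier read.
async function claimRewardAtomic(db, userId) {
  const patch = (row) => ({ claimed: true, balance: row.balance + 100 });
  return (await db.update({ id: userId, claimed: false }, patch)) === 1;
}

// Fires `attempts` concurrent claims for the same user against a fresh store.
async function race(claimFn, attempts = 5) {
  const db = makeDb();
  const calls = Array.from({ length: attempts }, () => claimFn(db, "u1"));
  const granted = (await Promise.all(calls)).filter(Boolean).length;
  return { granted, balance: db.balanceOf("u1") };
}

race(claimRewardVulnerable).then((r) => console.log("vulnerable:", r));
race(claimRewardAtomic).then((r) => console.log("atomic:", r));
```

In the vulnerable run every racing caller is granted the reward; the balance stays at 100 only because each write stores the same value derived from a stale read, so any per-grant side effect would still run once per caller.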
CRITICAL

Insecure Random

Math.random() is predictable and should never be used for tokens, passwords, or session IDs.

tempo request -X POST \
  --json '{"code": "function generateToken() { return Math.random().toString(36).slice(2); }"}' \
  https://mpp-review-api.vercel.app/api/review
Expected: Math.random() for security values → Use crypto.getRandomValues()

CRITICAL

XSS via dangerouslySetInnerHTML

Rendering user-controlled HTML without sanitization allows cross-site scripting attacks.

tempo request -X POST \
  --json '{"code": "function Comment({ text }) { return <div dangerouslySetInnerHTML={{ __html: text }} />; }"}' \
  https://mpp-review-api.vercel.app/api/review
Expected: Unsafe HTML rendering on user-controlled data → Sanitize or use textContent

PASS

Clean Code (No Issues)

Well-typed, pure function with no side effects. The reviewer confirms it's clean.

tempo request -X POST \
  --json '{"code": "function add(a: number, b: number): number { return a + b; }"}' \
  https://mpp-review-api.vercel.app/api/review
Expected: Pre-Landing Review: No issues found.

Why Tempo + MPP?

The Machine Payments Protocol turns HTTP 402 into a universal payment layer for the internet. Here's why that matters.

402

HTTP 402 — Finally Used

The "Payment Required" status code has existed since 1999. MPP is the first protocol to use it at scale — turning any API endpoint into a paywall with one middleware.

0.6s

Sub-Second Finality

Tempo confirms transactions in ~0.6 seconds with no re-orgs. Your payment settles before the AI finishes thinking.

$0

No Gas Token Needed

Unlike Ethereum or Solana, Tempo lets you pay fees in USDC. No volatile tokens to buy. No gas price anxiety.

0

Zero Accounts

Traditional APIs need signup → API key → billing. MPP needs nothing. The payment IS the authentication.

Traditional API vs MPP

Traditional API
  ✗ Create account
  ✗ Verify email
  ✗ Add credit card
  ✗ Generate API key
  ✗ Store key securely
  ✗ Handle key rotation
  ✗ Track usage / billing
  ✗ Handle failed payments

MPP
  • Install Tempo CLI
  • Run tempo request

That's it. Two steps.

TEMPO ECOSYSTEM

Stripe · Paradigm · Visa · Mastercard · Shopify · OpenAI · Anthropic · Revolut

$500M Series A · $5B valuation · 50+ MPP services live

What it catches

Based on gstack's production review checklist by Garry Tan. Two-pass analysis.

CRITICAL
  • SQL injection & data safety
  • Race conditions & concurrency
  • LLM output trust boundary
  • Enum & value completeness
  • XSS via unsafe HTML rendering
INFORMATIONAL
  • Conditional side effects
  • Dead code & stale comments
  • Test coverage gaps
  • Crypto & entropy issues
  • Type coercion at boundaries

Simple pricing

$0.05
USDC per review
No API keys
No accounts
No subscriptions
No rate limits
Pay-per-request
Instant receipts
On-chain proof
Works for AI agents

This is an MVP / proof-of-concept. See GitHub for limitations and source code.