
A vendor questionnaire, pre-filled. Adopt this package only if the answers below match your bar — every line is honest, even when the answer is uncomfortable.

1. Legal / Identity

Project name
@ar-agents/mercadolibre
Author / sole maintainer
Nazareno Clemente (Argentina)
Legal entity
None. Sole proprietorship under personal CUIT 20-41758101-5 (monotributista categoría A).
Jurisdiction
Argentine Republic
License
MIT (SPDX: MIT)
Trademarks
MERCADOLIBRE® is a registered trademark of Mercado Libre S.R.L. The package name uses it in a descriptive, nominative-fair-use sense to identify the API. No license, endorsement, or commercial relationship exists or is claimed.
Repository
npm

2. Contact + Disclosure

General contact
Security disclosures
Email naza@helloastro.co with subject prefix [security]. PGP / age-encryption available on request.
First-response target
72 hours (best-effort, no SLA)
Coordinated disclosure window
30 days minimum
Bug bounty
None. Reports are credited; not paid.
Public security policy

3. SLA / Incident Response

Production SLA
None. Best-effort community support.
Incident response runbook
None published. Single maintainer triage; coordinated disclosure window enforced.
Status page
None. Track via GitHub releases + npm publish history.
Rollback procedure
Pin a specific version (not latest). Use npm deprecate if a version is found unsafe in production.
Vendor lock-in mitigation
MIT license + the fork right. Anyone can fork at any time.

4. Bus factor / Continuity

Bus factor risk
1 (single maintainer)
Mitigation
The package is MIT-licensed and forkable. We maintain a public GOVERNANCE.md describing the path to co-maintainer status (open PRs of substance, then a maintainer invitation after demonstrated commitment).
Co-maintainer invitation
Open. Email naza@helloastro.co with subject [co-maintain] and a sample PR. Response in 7 days.
Estimated total cost-to-replace
The lib is ~5 KLOC of TypeScript with 142 tests + cookbook + landing + MCP server. A senior eng could reproduce the surface in ~6-8 weeks (~$25-40K USD).

5. Security posture

Production CVEs
0 (verified via pnpm audit --prod, last run 2026-05-09)
Hard-coded secrets
None (audited)
eval / Function() / dynamic import
None
HTTP fallbacks
None — HTTPS only
OAuth tokens
Never logged. Telemetry hooks see method + URL + status, never headers or bodies.
SSRF protection
Path validator on MeliClient.buildUrl rejects schemes / authorities / NUL bytes.
Penetration test
None commissioned. Adversarial multi-agent code review completed 2026-05-09 (14 findings, all addressed).
Threat model
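
An illustrative version of the path check described under "SSRF protection", written here as an added example rather than the package's own MeliClient.buildUrl code: it rejects schemes, authorities and NUL bytes in a caller-supplied path and, going one step beyond the questionnaire line, also verifies that the parsed URL still sits on the API origin. The base URL, function names and error class are assumptions.

```typescript
// Added example: an SSRF guard for an HTTPS API client. The base URL,
// names and error class are assumptions, not the package's real code.
const API_BASE = "https://api.mercadolibre.com";

class UnsafePathError extends Error {}

// Returns why a caller-supplied path is unsafe, or null if it is acceptable.
// Anything that could steer the request off the API origin is rejected.
function unsafePathReason(path: string): string | null {
  if (path.includes("\0")) return "NUL byte in path";
  // Other control characters that URL parsers strip or reinterpret.
  if (/[\u0001-\u001f\u007f]/.test(path)) return "control character in path";
  // Absolute URL with a scheme, e.g. "http://evil.example/" or "file:///etc".
  if (/^[a-z][a-z0-9+.-]*:/i.test(path)) return "scheme in path";
  // Leading authority, e.g. "//evil.example/x"; WHATWG parsing treats "\" as
  // "/" for https, so "/\\evil.example" is caught by the same rule.
  if (/^[\\/]{2}/.test(path)) return "authority in path";
  return null;
}

// Builds the request URL from a path and query, refusing unsafe paths and
// confirming the result stays on the configured origin.
function buildUrl(
  path: string,
  query: Record<string, string> = {},
  base: string = API_BASE,
): string {
  const reason = unsafePathReason(path);
  if (reason !== null) throw new UnsafePathError(reason);
  const normalized = path.startsWith("/") ? path : `/${path}`;
  const url = new URL(normalized, base);
  for (const [key, value] of Object.entries(query)) {
    url.searchParams.set(key, value);
  }
  // Belt and braces: the parsed URL must still be on the expected origin.
  if (url.origin !== new URL(base).origin) {
    throw new UnsafePathError("origin changed by path");
  }
  return url.toString();
}
```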

6. Supply chain

Build attestation
GitHub Actions, public workflow at .github/workflows/ci.yml
npm provenance
Will be enabled in the next minor release (npm 9+ with OIDC)
SBOM
Auto-generated via pnpm install --json. Available on request.
Runtime dependencies
2 (zod peer, optional ai peer). No other production deps. No transitive surface.
OpenSSF Scorecard
Dependabot / Renovate
Dependabot enabled (.github/dependabot.yml)

7. Data privacy / Compliance

Data we collect
None. The lib runs in your runtime; we have no telemetry pipeline.
Personal data handling
N/A — the lib does not exfiltrate, store, or transmit any data outside of your MELI calls.
GDPR / Argentine Law 25.326
Compliance is the adopter's responsibility (the lib is a transport layer).
Data residency
N/A — no data is stored by the lib.

8. Quality signals

Tests
142 (128 unit + 4 integration vs MELI live API + 10 property-based)
Type checking
TypeScript strict + exactOptionalPropertyTypes + isolatedModules
Validation
publint + arethetypeswrong: all 🟢
Bundle size
11 KB brotli (full ESM + all deps)
LLM-as-judge eval
Daily integration cron
GitHub Actions, runs against live MELI public API at 12:00 UTC

9. Production latency (snapshot)

Methodology
50 sequential runs at concurrency 10 against bridge-hello.ar-agents.ar, measured from a Buenos Aires client.
When
2026-05-09 17:30 UTC (re-run anytime via test/bench/loadtest.mjs in the repo)
GET /.well-known/acp.json
p50 44ms · p95 1253ms · p99 1349ms · 0 errors. p95 includes one Vercel cold start; subsequent runs fit the p50.
GET /.well-known/agentic-feed.json
p50 30ms · p95 46ms · p99 105ms · 0 errors
GET /api/feed/products
p50 31ms · p95 228ms · p99 229ms · 0 errors (with valid Opt-In header; default returns 403)
POST /api/acp/checkout_sessions
p50 167ms · p95 396ms · p99 399ms · 0 errors

10. Termination

If we shut down
The npm package remains published; the GitHub repo remains public; the MIT license preserves your right to fork.
Notice period
Best-effort; no contractual notice.
Data export
N/A — no data is held by the lib.

This page is intended as a transparency artifact for security, procurement, and legal reviewers. Every answer is honest. If your adoption bar requires more (dedicated SLA, indemnification, audit rights, etc.), email naza@helloastro.co to discuss a commercial agreement.