@agentwonderland/mcp 0.1.38 → 0.1.39

package/dist/core/__tests__/mpp-client.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/core/__tests__/mpp-client.test.js

@@ -0,0 +1,46 @@
+import { describe, expect, it, vi } from "vitest";
+import { Credential, Method, Mppx, z } from "../mpp-client.js";
+describe("local MPP client", () => {
+    it("handles a 402 challenge and retries with a payment credential", async () => {
+        const challengeRequest = Buffer.from(JSON.stringify({
+            amount: "1000000",
+            currency: "USDC",
+            recipient: "0x0000000000000000000000000000000000000001",
+        })).toString("base64url");
+        const fetchMock = vi
+            .fn()
+            .mockResolvedValueOnce(new Response("payment required", {
+            status: 402,
+            headers: {
+                "WWW-Authenticate": `Payment id="test-id", realm="api.test", method="base", intent="charge", request="${challengeRequest}"`,
+            },
+        }))
+            .mockResolvedValueOnce(new Response("ok", { status: 200 }));
+        const method = Method.toClient(Method.from({
+            name: "base",
+            intent: "charge",
+            schema: {
+                credential: { payload: z.object({ type: z.literal("hash"), hash: z.string() }) },
+                request: z.object({ amount: z.string() }),
+            },
+        }), {
+            createCredential({ challenge }) {
+                return Credential.serialize({
+                    challenge,
+                    payload: { type: "hash", hash: "0xabc" },
+                    source: "did:pkh:eip155:8453:0x0000000000000000000000000000000000000002",
+                });
+            },
+        });
+        const client = Mppx.create({ fetch: fetchMock, methods: [method], polyfill: false });
+        const response = await client.fetch("https://api.test/agents/example/run", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: "{}",
+        });
+        expect(response.status).toBe(200);
+        expect(fetchMock).toHaveBeenCalledTimes(2);
+        const retryInit = fetchMock.mock.calls[1]?.[1];
+        expect(new Headers(retryInit?.headers).get("Authorization")).toMatch(/^Payment\s+/);
+    });
+});

package/dist/core/__tests__/payments.test.js

@@ -22,7 +22,7 @@ vi.mock("../config.js", () => ({
     getWallets: () => currentWallets,
     resolveWalletAndChain: () => currentResolvedMethod,
 }));
-vi.mock("mppx/client", () => ({
+vi.mock("../mpp-client.js", () => ({
     Mppx: {
         create: (config) => mockMppxCreate(config),
     },

package/dist/core/base-charge.js

@@ -4,7 +4,7 @@
  * Signs and sends a standard ERC-20 transfer on Base chain, then returns
  * the tx hash as a credential. Plugs into mppx's compose/dispatch system.
  */
-import { Method, Credential, z } from "mppx";
+import { Method, Credential, z } from "./mpp-client.js";
 import { toAtomicAmount } from "./amount-utils.js";
 // Base USDC (Circle native)
 const BASE_USDC = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";

package/dist/core/mpp-client.d.ts

@@ -0,0 +1,62 @@
+import * as z from "zod/mini";
+type Challenge = {
+    id: string;
+    realm: string;
+    method: string;
+    intent: string;
+    request: Record<string, unknown>;
+    description?: string;
+    digest?: string;
+    expires?: string;
+    opaque?: Record<string, string>;
+};
+type ClientMethod = {
+    name: string;
+    intent: string;
+    context?: {
+        parse(value: unknown): unknown;
+    };
+    createCredential(args: {
+        challenge: Challenge;
+        context?: unknown;
+    }): Promise<string> | string;
+};
+type MethodDefinition = {
+    name: string;
+    intent: string;
+    schema?: unknown;
+};
+type CreateConfig = {
+    methods: ClientMethod[];
+    fetch?: typeof fetch;
+    polyfill?: boolean;
+};
+type CredentialInput = {
+    challenge: Challenge;
+    payload: unknown;
+    source?: string;
+};
+export { z };
+export declare const Method: {
+    from<T extends MethodDefinition>(method: T): T;
+    toClient<T extends MethodDefinition>(method: T, options: {
+        context?: {
+            parse(value: unknown): unknown;
+        };
+        createCredential(args: {
+            challenge: Challenge;
+            context?: unknown;
+        }): Promise<string> | string;
+    }): T & ClientMethod;
+};
+export declare const Credential: {
+    serialize(credential: CredentialInput): string;
+};
+export declare const Mppx: {
+    create(config: CreateConfig): {
+        fetch: typeof fetch;
+        methods: ClientMethod[];
+        rawFetch: typeof fetch;
+    };
+};
+export declare function stripe(_parameters?: unknown): ClientMethod;

package/dist/core/mpp-client.js

@@ -0,0 +1,208 @@
+import * as z from "zod/mini";
+const PAYMENT_FETCH_WRAPPER = Symbol.for("agentwonderland.mpp.fetch.wrapper");
+export { z };
+export const Method = {
+    from(method) {
+        return method;
+    },
+    toClient(method, options) {
+        return {
+            ...method,
+            context: options.context,
+            createCredential: options.createCredential,
+        };
+    },
+};
+export const Credential = {
+    serialize(credential) {
+        const wire = {
+            challenge: {
+                ...credential.challenge,
+                request: serializePaymentRequest(credential.challenge.request),
+            },
+            payload: credential.payload,
+            ...(credential.source ? { source: credential.source } : {}),
+        };
+        return `Payment ${base64UrlEncode(JSON.stringify(wire))}`;
+    },
+};
+export const Mppx = {
+    create(config) {
+        const rawFetch = unwrapFetch(config.fetch ?? globalThis.fetch);
+        const methods = config.methods.flat();
+        const paymentFetch = createPaymentFetch(rawFetch, methods);
+        if (config.polyfill) {
+            globalThis.fetch = paymentFetch;
+        }
+        return {
+            fetch: paymentFetch,
+            methods,
+            rawFetch,
+        };
+    },
+};
+export function stripe(_parameters) {
+    throw new Error("Stripe card payments are temporarily unavailable.");
+}
+function createPaymentFetch(baseFetch, methods) {
+    const wrapped = (async (input, init) => {
+        const response = await baseFetch(input, init);
+        if (response.status !== 402) {
+            return response;
+        }
+        const challenges = challengesFromResponse(response);
+        const method = methods.find((candidate) => challenges.some((challenge) => challenge.method === candidate.name && challenge.intent === candidate.intent));
+        const challenge = method
+            ? challenges.find((candidate) => candidate.method === method.name && candidate.intent === method.intent)
+            : undefined;
+        if (!method || !challenge) {
+            throw new Error(`No method found for challenges: ${challenges.map((item) => `${item.method}.${item.intent}`).join(", ")}. ` +
+                `Available: ${methods.map((item) => `${item.name}.${item.intent}`).join(", ")}`);
+        }
+        const context = init?.context;
+        const parsedContext = method.context && context !== undefined ? method.context.parse(context) : undefined;
+        const credential = await method.createCredential(parsedContext !== undefined ? { challenge, context: parsedContext } : { challenge });
+        return baseFetch(input, {
+            ...init,
+            headers: withAuthorizationHeader(init?.headers, credential),
+        });
+    });
+    wrapped[PAYMENT_FETCH_WRAPPER] = baseFetch;
+    return wrapped;
+}
+function challengesFromResponse(response) {
+    const header = response.headers.get("WWW-Authenticate");
+    if (!header) {
+        throw new Error("Missing WWW-Authenticate header.");
+    }
+    const starts = Array.from(header.matchAll(/Payment\s+/gi), (match) => match.index).filter((index) => index !== undefined);
+    if (starts.length === 0) {
+        throw new Error("No Payment schemes found.");
+    }
+    return starts.map((start, index) => {
+        const end = index + 1 < starts.length ? starts[index + 1] : header.length;
+        return deserializeChallenge(header.slice(start, end).replace(/,\s*$/, ""));
+    });
+}
+function deserializeChallenge(value) {
+    const paramsStart = value.search(/\s/);
+    if (!/^Payment\s+/i.test(value) || paramsStart < 0) {
+        throw new Error("Missing Payment scheme.");
+    }
+    const params = parseAuthParams(value.slice(paramsStart + 1));
+    if (!params.request) {
+        throw new Error("Missing request parameter.");
+    }
+    if (!params.id || !params.realm || !params.method || !params.intent) {
+        throw new Error("Malformed payment challenge.");
+    }
+    return {
+        id: params.id,
+        realm: params.realm,
+        method: params.method,
+        intent: params.intent,
+        request: deserializePaymentRequest(params.request),
+        ...(params.description ? { description: params.description } : {}),
+        ...(params.digest ? { digest: params.digest } : {}),
+        ...(params.expires ? { expires: params.expires } : {}),
+        ...(params.opaque ? { opaque: deserializePaymentRequest(params.opaque) } : {}),
+    };
+}
+function parseAuthParams(input) {
+    const result = {};
+    let index = 0;
+    while (index < input.length) {
+        while (index < input.length && /[\s,]/.test(input[index] ?? ""))
+            index++;
+        if (index >= input.length)
+            break;
+        const keyStart = index;
+        while (index < input.length && /[A-Za-z0-9_-]/.test(input[index] ?? ""))
+            index++;
+        const key = input.slice(keyStart, index);
+        if (!key)
+            throw new Error("Malformed auth-param.");
+        while (index < input.length && /\s/.test(input[index] ?? ""))
+            index++;
+        if (input[index] !== "=")
+            break;
+        index++;
+        while (index < input.length && /\s/.test(input[index] ?? ""))
+            index++;
+        const [value, nextIndex] = readAuthParamValue(input, index);
+        result[key] = value;
+        index = nextIndex;
+    }
+    return result;
+}
+function readAuthParamValue(input, start) {
+    if (input[start] !== "\"") {
+        let index = start;
+        while (index < input.length && input[index] !== ",")
+            index++;
+        return [input.slice(start, index).trim(), index];
+    }
+    let index = start + 1;
+    let value = "";
+    let escaped = false;
+    while (index < input.length) {
+        const char = input[index];
+        index++;
+        if (escaped) {
+            value += char;
+            escaped = false;
+            continue;
+        }
+        if (char === "\\") {
+            escaped = true;
+            continue;
+        }
+        if (char === "\"") {
+            return [value, index];
+        }
+        value += char;
+    }
+    throw new Error("Unterminated quoted-string.");
+}
+function withAuthorizationHeader(headers, credential) {
+    const next = new Headers(headers);
+    next.set("Authorization", credential);
+    return next;
+}
+function unwrapFetch(candidate) {
+    let current = candidate;
+    while (current[PAYMENT_FETCH_WRAPPER]) {
+        current = current[PAYMENT_FETCH_WRAPPER];
+    }
+    return current;
+}
+function deserializePaymentRequest(encoded) {
+    return JSON.parse(base64UrlDecode(encoded));
+}
+function serializePaymentRequest(request) {
+    return base64UrlEncode(stableStringify(request));
+}
+function stableStringify(value) {
+    if (value === null || typeof value !== "object") {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+    }
+    const record = value;
+    return `{${Object.keys(record)
+        .sort()
+        .map((key) => `${JSON.stringify(key)}:${stableStringify(record[key])}`)
+        .join(",")}}`;
+}
+function base64UrlEncode(value) {
+    return Buffer.from(value, "utf8")
+        .toString("base64")
+        .replace(/=/g, "")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_");
+}
+function base64UrlDecode(value) {
+    const padded = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+    return Buffer.from(padded, "base64").toString("utf8");
+}

package/dist/core/payments.js

@@ -54,7 +54,7 @@ function clearStaleCardCache(activeKey) {
 // ── Per-protocol initializers ───────────────────────────────────
 async function initEvmMppForChain(wallet, chain) {
     try {
-        const { Mppx } = await import("mppx/client");
+        const { Mppx } = await import("./mpp-client.js");
         let account;
         if (wallet.keyType === "ows" && wallet.owsWalletId) {
             const { owsAccountFromWalletId } = await import("./ows-adapter.js");
@@ -88,7 +88,7 @@ async function initSolanaMpp(wallet) {
         if (wallet.keyType !== "ows" && !wallet.key) {
             return null;
         }
-        const { Mppx } = await import("mppx/client");
+        const { Mppx } = await import("./mpp-client.js");
         const { solanaChargeClient } = await import("./solana-charge.js");
         const mppx = Mppx.create({
             methods: [solanaChargeClient({ wallet })],
@@ -105,7 +105,7 @@ async function initCard() {
     if (!cardConfig)
         return null;
     try {
-        const { Mppx, stripe } = await import("mppx/client");
+        const { Mppx, stripe } = await import("./mpp-client.js");
         const apiUrl = getApiUrl();
         const pmId = cardConfig.paymentMethodId ?? undefined;
         const mppx = Mppx.create({

package/dist/core/solana-charge.js

@@ -4,7 +4,7 @@
  * Sends an SPL Token transfer on Solana mainnet and returns the transaction
  * signature as the payment credential.
  */
-import { Credential, Method, z } from "mppx";
+import { Credential, Method, z } from "./mpp-client.js";
 import { Connection, Keypair, PublicKey, Transaction, sendAndConfirmTransaction } from "@solana/web3.js";
 import { ASSOCIATED_TOKEN_PROGRAM_ID, TOKEN_PROGRAM_ID, createAssociatedTokenAccountInstruction, createTransferCheckedInstruction, getAssociatedTokenAddressSync, } from "@solana/spl-token";
 import { toAtomicAmount } from "./amount-utils.js";

package/dist/core/tempo-charge.js

@@ -4,7 +4,7 @@
  * Sends a standard ERC-20 transfer on Tempo and returns the tx hash as the
  * payment credential.
  */
-import { Method, Credential, z } from "mppx";
+import { Method, Credential, z } from "./mpp-client.js";
 import { toAtomicAmount } from "./amount-utils.js";
 const TEMPO_USDC = "0x20c000000000000000000000b9537d11c60e8b50";
 const PATH_USD = "0x20c0000000000000000000000000000000000000";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentwonderland/mcp",
-  "version": "0.1.38",
+  "version": "0.1.39",
   "type": "module",
   "description": "MCP server for the Agent Wonderland AI agent marketplace",
   "bin": {
@@ -24,8 +24,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.1",
     "@solana/spl-token": "^0.4.14",
-    "@solana/web3.js": "^1.98.4",
-    "mppx": "^0.5.10",
+    "@solana/web3.js": "1.95.8",
     "qrcode": "^1.5.4",
     "viem": "^2.47.6",
     "zod": "^4.3.6"

package/src/core/__tests__/mpp-client.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it, vi } from "vitest";
+import { Credential, Method, Mppx, z } from "../mpp-client.js";
+
+describe("local MPP client", () => {
+  it("handles a 402 challenge and retries with a payment credential", async () => {
+    const challengeRequest = Buffer.from(JSON.stringify({
+      amount: "1000000",
+      currency: "USDC",
+      recipient: "0x0000000000000000000000000000000000000001",
+    })).toString("base64url");
+    const fetchMock = vi
+      .fn<typeof fetch>()
+      .mockResolvedValueOnce(new Response("payment required", {
+        status: 402,
+        headers: {
+          "WWW-Authenticate": `Payment id="test-id", realm="api.test", method="base", intent="charge", request="${challengeRequest}"`,
+        },
+      }))
+      .mockResolvedValueOnce(new Response("ok", { status: 200 }));
+
+    const method = Method.toClient(
+      Method.from({
+        name: "base",
+        intent: "charge",
+        schema: {
+          credential: { payload: z.object({ type: z.literal("hash"), hash: z.string() }) },
+          request: z.object({ amount: z.string() }),
+        },
+      }),
+      {
+        createCredential({ challenge }) {
+          return Credential.serialize({
+            challenge,
+            payload: { type: "hash", hash: "0xabc" },
+            source: "did:pkh:eip155:8453:0x0000000000000000000000000000000000000002",
+          });
+        },
+      },
+    );
+
+    const client = Mppx.create({ fetch: fetchMock, methods: [method], polyfill: false });
+    const response = await client.fetch("https://api.test/agents/example/run", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: "{}",
+    });
+
+    expect(response.status).toBe(200);
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+    const retryInit = fetchMock.mock.calls[1]?.[1];
+    expect(new Headers(retryInit?.headers).get("Authorization")).toMatch(/^Payment\s+/);
+  });
+});

package/src/core/__tests__/payments.test.ts

@@ -28,7 +28,7 @@ vi.mock("../config.js", () => ({
   resolveWalletAndChain: () => currentResolvedMethod,
 }));
 
-vi.mock("mppx/client", () => ({
+vi.mock("../mpp-client.js", () => ({
   Mppx: {
     create: (config: unknown) => mockMppxCreate(config),
   },

package/src/core/base-charge.ts

@@ -4,7 +4,7 @@
  * Signs and sends a standard ERC-20 transfer on Base chain, then returns
  * the tx hash as a credential. Plugs into mppx's compose/dispatch system.
  */
-import { Method, Credential, z } from "mppx";
+import { Method, Credential, z } from "./mpp-client.js";
 import type { LocalAccount } from "viem/accounts";
 import { toAtomicAmount } from "./amount-utils.js";
 

package/src/core/mpp-client.ts

@@ -0,0 +1,286 @@
+import * as z from "zod/mini";
+
+type Challenge = {
+  id: string;
+  realm: string;
+  method: string;
+  intent: string;
+  request: Record<string, unknown>;
+  description?: string;
+  digest?: string;
+  expires?: string;
+  opaque?: Record<string, string>;
+};
+
+type ClientMethod = {
+  name: string;
+  intent: string;
+  context?: { parse(value: unknown): unknown };
+  createCredential(args: { challenge: Challenge; context?: unknown }): Promise<string> | string;
+};
+
+type MethodDefinition = {
+  name: string;
+  intent: string;
+  schema?: unknown;
+};
+
+type CreateConfig = {
+  methods: ClientMethod[];
+  fetch?: typeof fetch;
+  polyfill?: boolean;
+};
+
+type CredentialInput = {
+  challenge: Challenge;
+  payload: unknown;
+  source?: string;
+};
+
+const PAYMENT_FETCH_WRAPPER = Symbol.for("agentwonderland.mpp.fetch.wrapper");
+
+export { z };
+
+export const Method = {
+  from<T extends MethodDefinition>(method: T): T {
+    return method;
+  },
+
+  toClient<T extends MethodDefinition>(
+    method: T,
+    options: {
+      context?: { parse(value: unknown): unknown };
+      createCredential(args: { challenge: Challenge; context?: unknown }): Promise<string> | string;
+    },
+  ): T & ClientMethod {
+    return {
+      ...method,
+      context: options.context,
+      createCredential: options.createCredential,
+    };
+  },
+};
+
+export const Credential = {
+  serialize(credential: CredentialInput): string {
+    const wire = {
+      challenge: {
+        ...credential.challenge,
+        request: serializePaymentRequest(credential.challenge.request),
+      },
+      payload: credential.payload,
+      ...(credential.source ? { source: credential.source } : {}),
+    };
+    return `Payment ${base64UrlEncode(JSON.stringify(wire))}`;
+  },
+};
+
+export const Mppx = {
+  create(config: CreateConfig): { fetch: typeof fetch; methods: ClientMethod[]; rawFetch: typeof fetch } {
+    const rawFetch = unwrapFetch(config.fetch ?? globalThis.fetch);
+    const methods = config.methods.flat();
+    const paymentFetch = createPaymentFetch(rawFetch, methods);
+
+    if (config.polyfill) {
+      globalThis.fetch = paymentFetch;
+    }
+
+    return {
+      fetch: paymentFetch,
+      methods,
+      rawFetch,
+    };
+  },
+};
+
+export function stripe(_parameters?: unknown): ClientMethod {
+  throw new Error("Stripe card payments are temporarily unavailable.");
+}
+
+function createPaymentFetch(baseFetch: typeof fetch, methods: ClientMethod[]): typeof fetch {
+  const wrapped = (async (input: Parameters<typeof fetch>[0], init?: Parameters<typeof fetch>[1]) => {
+    const response = await baseFetch(input, init);
+    if (response.status !== 402) {
+      return response;
+    }
+
+    const challenges = challengesFromResponse(response);
+    const method = methods.find((candidate) =>
+      challenges.some((challenge) => challenge.method === candidate.name && challenge.intent === candidate.intent),
+    );
+    const challenge = method
+      ? challenges.find((candidate) => candidate.method === method.name && candidate.intent === method.intent)
+      : undefined;
+
+    if (!method || !challenge) {
+      throw new Error(
+        `No method found for challenges: ${challenges.map((item) => `${item.method}.${item.intent}`).join(", ")}. ` +
+          `Available: ${methods.map((item) => `${item.name}.${item.intent}`).join(", ")}`,
+      );
+    }
+
+    const context = (init as RequestInit & { context?: unknown } | undefined)?.context;
+    const parsedContext = method.context && context !== undefined ? method.context.parse(context) : undefined;
+    const credential = await method.createCredential(
+      parsedContext !== undefined ? { challenge, context: parsedContext } : { challenge },
+    );
+
+    return baseFetch(input, {
+      ...init,
+      headers: withAuthorizationHeader(init?.headers, credential),
+    });
+  }) as typeof fetch & { [PAYMENT_FETCH_WRAPPER]?: typeof fetch };
+
+  wrapped[PAYMENT_FETCH_WRAPPER] = baseFetch;
+  return wrapped;
+}
+
+function challengesFromResponse(response: Response): Challenge[] {
+  const header = response.headers.get("WWW-Authenticate");
+  if (!header) {
+    throw new Error("Missing WWW-Authenticate header.");
+  }
+
+  const starts = Array.from(header.matchAll(/Payment\s+/gi), (match) => match.index).filter((index) => index !== undefined);
+  if (starts.length === 0) {
+    throw new Error("No Payment schemes found.");
+  }
+
+  return starts.map((start, index) => {
+    const end = index + 1 < starts.length ? starts[index + 1] : header.length;
+    return deserializeChallenge(header.slice(start, end).replace(/,\s*$/, ""));
+  });
+}
+
+function deserializeChallenge(value: string): Challenge {
+  const paramsStart = value.search(/\s/);
+  if (!/^Payment\s+/i.test(value) || paramsStart < 0) {
+    throw new Error("Missing Payment scheme.");
+  }
+
+  const params = parseAuthParams(value.slice(paramsStart + 1));
+  if (!params.request) {
+    throw new Error("Missing request parameter.");
+  }
+  if (!params.id || !params.realm || !params.method || !params.intent) {
+    throw new Error("Malformed payment challenge.");
+  }
+
+  return {
+    id: params.id,
+    realm: params.realm,
+    method: params.method,
+    intent: params.intent,
+    request: deserializePaymentRequest(params.request),
+    ...(params.description ? { description: params.description } : {}),
+    ...(params.digest ? { digest: params.digest } : {}),
+    ...(params.expires ? { expires: params.expires } : {}),
+    ...(params.opaque ? { opaque: deserializePaymentRequest(params.opaque) as Record<string, string> } : {}),
+  };
+}
+
+function parseAuthParams(input: string): Record<string, string> {
+  const result: Record<string, string> = {};
+  let index = 0;
+
+  while (index < input.length) {
+    while (index < input.length && /[\s,]/.test(input[index] ?? "")) index++;
+    if (index >= input.length) break;
+
+    const keyStart = index;
+    while (index < input.length && /[A-Za-z0-9_-]/.test(input[index] ?? "")) index++;
+    const key = input.slice(keyStart, index);
+    if (!key) throw new Error("Malformed auth-param.");
+
+    while (index < input.length && /\s/.test(input[index] ?? "")) index++;
+    if (input[index] !== "=") break;
+    index++;
+    while (index < input.length && /\s/.test(input[index] ?? "")) index++;
+
+    const [value, nextIndex] = readAuthParamValue(input, index);
+    result[key] = value;
+    index = nextIndex;
+  }
+
+  return result;
+}
+
+function readAuthParamValue(input: string, start: number): [string, number] {
+  if (input[start] !== "\"") {
+    let index = start;
+    while (index < input.length && input[index] !== ",") index++;
+    return [input.slice(start, index).trim(), index];
+  }
+
+  let index = start + 1;
+  let value = "";
+  let escaped = false;
+  while (index < input.length) {
+    const char = input[index];
+    index++;
+    if (escaped) {
+      value += char;
+      escaped = false;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      continue;
+    }
+    if (char === "\"") {
+      return [value, index];
+    }
+    value += char;
+  }
+  throw new Error("Unterminated quoted-string.");
+}
+
+function withAuthorizationHeader(headers: HeadersInit | undefined, credential: string): HeadersInit {
+  const next = new Headers(headers);
+  next.set("Authorization", credential);
+  return next;
+}
+
+function unwrapFetch(candidate: typeof fetch): typeof fetch {
+  let current = candidate as typeof fetch & { [PAYMENT_FETCH_WRAPPER]?: typeof fetch };
+  while (current[PAYMENT_FETCH_WRAPPER]) {
+    current = current[PAYMENT_FETCH_WRAPPER] as typeof fetch & { [PAYMENT_FETCH_WRAPPER]?: typeof fetch };
+  }
+  return current;
+}
+
+function deserializePaymentRequest(encoded: string): Record<string, unknown> {
+  return JSON.parse(base64UrlDecode(encoded)) as Record<string, unknown>;
+}
+
+function serializePaymentRequest(request: Record<string, unknown>): string {
+  return base64UrlEncode(stableStringify(request));
+}
+
+function stableStringify(value: unknown): string {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => stableStringify(item)).join(",")}]`;
+  }
+
+  const record = value as Record<string, unknown>;
+  return `{${Object.keys(record)
+    .sort()
+    .map((key) => `${JSON.stringify(key)}:${stableStringify(record[key])}`)
+    .join(",")}}`;
+}
+
+function base64UrlEncode(value: string): string {
+  return Buffer.from(value, "utf8")
+    .toString("base64")
+    .replace(/=/g, "")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_");
+}
+
+function base64UrlDecode(value: string): string {
+  const padded = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Buffer.from(padded, "base64").toString("utf8");
+}

package/src/core/payments.ts

@@ -77,7 +77,7 @@ async function initEvmMppForChain(
   chain: "tempo" | "base",
 ): Promise<typeof fetch | null> {
   try {
-    const { Mppx } = await import("mppx/client");
+    const { Mppx } = await import("./mpp-client.js");
     let account;
 
     if (wallet.keyType === "ows" && wallet.owsWalletId) {
@@ -112,7 +112,7 @@ async function initSolanaMpp(wallet: WalletEntry): Promise<typeof fetch | null>
       return null;
     }
 
-    const { Mppx } = await import("mppx/client");
+    const { Mppx } = await import("./mpp-client.js");
     const { solanaChargeClient } = await import("./solana-charge.js");
     const mppx = Mppx.create({
       methods: [solanaChargeClient({ wallet })] as any,
@@ -129,7 +129,7 @@ async function initCard(): Promise<typeof fetch | null> {
   if (!cardConfig) return null;
 
   try {
-    const { Mppx, stripe } = await import("mppx/client");
+    const { Mppx, stripe } = await import("./mpp-client.js");
     const apiUrl = getApiUrl();
     const pmId = cardConfig.paymentMethodId ?? undefined;
     const mppx = Mppx.create({

package/src/core/solana-charge.ts

@@ -4,7 +4,7 @@
  * Sends an SPL Token transfer on Solana mainnet and returns the transaction
  * signature as the payment credential.
  */
-import { Credential, Method, z } from "mppx";
+import { Credential, Method, z } from "./mpp-client.js";
 import { Connection, Keypair, PublicKey, Transaction, sendAndConfirmTransaction } from "@solana/web3.js";
 import {
   ASSOCIATED_TOKEN_PROGRAM_ID,

package/src/core/tempo-charge.ts

@@ -4,7 +4,7 @@
  * Sends a standard ERC-20 transfer on Tempo and returns the tx hash as the
  * payment credential.
  */
-import { Method, Credential, z } from "mppx";
+import { Method, Credential, z } from "./mpp-client.js";
 import type { LocalAccount } from "viem/accounts";
 import { toAtomicAmount } from "./amount-utils.js";