npm - mppx - Versions diffs - 0.4.7 → 0.4.9 - Mend

mppx 0.4.7 → 0.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/CHANGELOG.md +15 -3
package/README.md +13 -13
package/dist/BodyDigest.d.ts.map +1 -1
package/dist/BodyDigest.js.map +1 -1
package/dist/Challenge.d.ts.map +1 -1
package/dist/Challenge.js.map +1 -1
package/dist/Credential.d.ts.map +1 -1
package/dist/Credential.js.map +1 -1
package/dist/Errors.js +64 -67
package/dist/Errors.js.map +1 -1
package/dist/PaymentRequest.d.ts.map +1 -1
package/dist/PaymentRequest.js.map +1 -1
package/dist/Receipt.d.ts.map +1 -1
package/dist/Receipt.js.map +1 -1
package/dist/Store.d.ts +14 -4
package/dist/Store.d.ts.map +1 -1
package/dist/Store.js +17 -0
package/dist/Store.js.map +1 -1
package/dist/cli/account.d.ts.map +1 -1
package/dist/cli/account.js +40 -5
package/dist/cli/account.js.map +1 -1
package/dist/cli/cli.d.ts.map +1 -1
package/dist/cli/cli.js +24 -8
package/dist/cli/cli.js.map +1 -1
package/dist/cli/internal.d.ts.map +1 -1
package/dist/cli/internal.js.map +1 -1
package/dist/cli/plugins/stripe.d.ts.map +1 -1
package/dist/cli/plugins/stripe.js.map +1 -1
package/dist/cli/plugins/tempo.d.ts.map +1 -1
package/dist/cli/plugins/tempo.js +11 -23
package/dist/cli/plugins/tempo.js.map +1 -1
package/dist/cli/utils.d.ts.map +1 -1
package/dist/cli/utils.js.map +1 -1
package/dist/client/internal/Fetch.d.ts +2 -0
package/dist/client/internal/Fetch.d.ts.map +1 -1
package/dist/client/internal/Fetch.js +1 -1
package/dist/client/internal/Fetch.js.map +1 -1
package/dist/internal/types.d.ts.map +1 -1
package/dist/mcp-sdk/client/McpClient.d.ts.map +1 -1
package/dist/mcp-sdk/client/McpClient.js +1 -1
package/dist/mcp-sdk/client/McpClient.js.map +1 -1
package/dist/mcp-sdk/server/Transport.d.ts.map +1 -1
package/dist/mcp-sdk/server/Transport.js.map +1 -1
package/dist/middlewares/elysia.d.ts.map +1 -1
package/dist/middlewares/elysia.js +5 -1
package/dist/middlewares/elysia.js.map +1 -1
package/dist/middlewares/express.d.ts.map +1 -1
package/dist/middlewares/express.js +5 -2
package/dist/middlewares/express.js.map +1 -1
package/dist/middlewares/hono.d.ts.map +1 -1
package/dist/middlewares/hono.js.map +1 -1
package/dist/proxy/Proxy.d.ts.map +1 -1
package/dist/proxy/Proxy.js +3 -1
package/dist/proxy/Proxy.js.map +1 -1
package/dist/proxy/Service.js +1 -1
package/dist/proxy/Service.js.map +1 -1
package/dist/proxy/internal/Route.d.ts +2 -2
package/dist/proxy/internal/Route.d.ts.map +1 -1
package/dist/proxy/internal/Route.js +4 -2
package/dist/proxy/internal/Route.js.map +1 -1
package/dist/server/Mppx.d.ts.map +1 -1
package/dist/server/Mppx.js +47 -11
package/dist/server/Mppx.js.map +1 -1
package/dist/server/Request.d.ts.map +1 -1
package/dist/server/Request.js.map +1 -1
package/dist/stripe/Methods.d.ts.map +1 -1
package/dist/stripe/Methods.js.map +1 -1
package/dist/tempo/Methods.d.ts.map +1 -1
package/dist/tempo/Methods.js.map +1 -1
package/dist/tempo/client/ChannelOps.d.ts.map +1 -1
package/dist/tempo/client/ChannelOps.js.map +1 -1
package/dist/tempo/client/Charge.d.ts.map +1 -1
package/dist/tempo/client/Charge.js.map +1 -1
package/dist/tempo/client/Session.d.ts.map +1 -1
package/dist/tempo/client/Session.js.map +1 -1
package/dist/tempo/client/SessionManager.d.ts.map +1 -1
package/dist/tempo/client/SessionManager.js +1 -1
package/dist/tempo/client/SessionManager.js.map +1 -1
package/dist/tempo/internal/address.d.ts +3 -0
package/dist/tempo/internal/address.d.ts.map +1 -0
package/dist/tempo/internal/address.js +4 -0
package/dist/tempo/internal/address.js.map +1 -0
package/dist/tempo/internal/auto-swap.d.ts.map +1 -1
package/dist/tempo/internal/auto-swap.js +4 -4
package/dist/tempo/internal/auto-swap.js.map +1 -1
package/dist/tempo/internal/fee-payer.d.ts +4 -1
package/dist/tempo/internal/fee-payer.d.ts.map +1 -1
package/dist/tempo/internal/fee-payer.js +12 -4
package/dist/tempo/internal/fee-payer.js.map +1 -1
package/dist/tempo/server/Charge.d.ts +11 -0
package/dist/tempo/server/Charge.d.ts.map +1 -1
package/dist/tempo/server/Charge.js +110 -51
package/dist/tempo/server/Charge.js.map +1 -1
package/dist/tempo/server/Session.d.ts +1 -1
package/dist/tempo/server/Session.d.ts.map +1 -1
package/dist/tempo/server/Session.js +31 -23
package/dist/tempo/server/Session.js.map +1 -1
package/dist/tempo/server/internal/transport.d.ts +1 -1
package/dist/tempo/server/internal/transport.d.ts.map +1 -1
package/dist/tempo/server/internal/transport.js +41 -1
package/dist/tempo/server/internal/transport.js.map +1 -1
package/dist/tempo/session/Chain.d.ts.map +1 -1
package/dist/tempo/session/Chain.js +51 -10
package/dist/tempo/session/Chain.js.map +1 -1
package/dist/tempo/session/ChannelStore.d.ts +2 -0
package/dist/tempo/session/ChannelStore.d.ts.map +1 -1
package/dist/tempo/session/ChannelStore.js +4 -2
package/dist/tempo/session/ChannelStore.js.map +1 -1
package/dist/tempo/session/Receipt.d.ts.map +1 -1
package/dist/tempo/session/Receipt.js.map +1 -1
package/dist/tempo/session/Sse.d.ts.map +1 -1
package/dist/tempo/session/Sse.js.map +1 -1
package/dist/tempo/session/Voucher.d.ts.map +1 -1
package/dist/tempo/session/Voucher.js +3 -2
package/dist/tempo/session/Voucher.js.map +1 -1
package/dist/viem/Client.d.ts.map +1 -1
package/dist/viem/Client.js.map +1 -1
package/package.json +2 -2
package/src/BodyDigest.ts +1 -0
package/src/Challenge.test-d.ts +1 -0
package/src/Challenge.ts +1 -0
package/src/Credential.ts +1 -0
package/src/Errors.test.ts +27 -39
package/src/Expires.test.ts +1 -0
package/src/PaymentRequest.ts +1 -0
package/src/Receipt.ts +1 -0
package/src/Store.test-d.ts +59 -0
package/src/Store.test.ts +56 -6
package/src/Store.ts +31 -4
package/src/cli/account.ts +65 -30
package/src/cli/cli.test.ts +127 -1
package/src/cli/cli.ts +23 -8
package/src/cli/config.test.ts +1 -0
package/src/cli/internal.ts +1 -0
package/src/cli/plugins/stripe.ts +1 -0
package/src/cli/plugins/tempo.ts +21 -24
package/src/cli/utils.ts +1 -0
package/src/client/Mppx.test-d.ts +1 -0
package/src/client/internal/Fetch.browser.test.ts +1 -0
package/src/client/internal/Fetch.test-d.ts +1 -0
package/src/client/internal/Fetch.test.ts +1 -0
package/src/client/internal/Fetch.ts +1 -1
package/src/internal/constantTimeEqual.test.ts +1 -0
package/src/internal/types.ts +1 -3
package/src/mcp-sdk/client/McpClient.test-d.ts +1 -0
package/src/mcp-sdk/client/McpClient.test.ts +1 -0
package/src/mcp-sdk/client/McpClient.ts +2 -0
package/src/mcp-sdk/server/Transport.test.ts +1 -0
package/src/mcp-sdk/server/Transport.ts +1 -0
package/src/middlewares/elysia.test.ts +90 -0
package/src/middlewares/elysia.ts +5 -1
package/src/middlewares/express.test.ts +62 -2
package/src/middlewares/express.ts +6 -2
package/src/middlewares/hono.ts +1 -0
package/src/middlewares/internal/mppx.test.ts +1 -0
package/src/middlewares/nextjs.test.ts +1 -0
package/src/proxy/Proxy.test.ts +57 -0
package/src/proxy/Proxy.ts +8 -1
package/src/proxy/Service.test.ts +1 -0
package/src/proxy/Service.ts +8 -2
package/src/proxy/internal/Headers.test.ts +1 -0
package/src/proxy/internal/Route.test.ts +57 -0
package/src/proxy/internal/Route.ts +3 -1
package/src/proxy/services/openai.test.ts +1 -0
package/src/server/Mppx.test.ts +438 -0
package/src/server/Mppx.ts +51 -13
package/src/server/Request.test.ts +1 -0
package/src/server/Request.ts +1 -0
package/src/server/Response.test.ts +1 -0
package/src/server/Transport.test.ts +1 -0
package/src/stripe/Methods.ts +1 -0
package/src/stripe/client/Charge.test.ts +1 -0
package/src/stripe/server/Charge.test.ts +1 -0
package/src/tempo/Attribution.test.ts +1 -0
package/src/tempo/Methods.ts +1 -0
package/src/tempo/client/ChannelOps.test.ts +1 -0
package/src/tempo/client/ChannelOps.ts +1 -0
package/src/tempo/client/Charge.ts +1 -0
package/src/tempo/client/Session.test.ts +1 -0
package/src/tempo/client/Session.ts +1 -0
package/src/tempo/client/SessionManager.test.ts +28 -0
package/src/tempo/client/SessionManager.ts +2 -1
package/src/tempo/internal/address.ts +6 -0
package/src/tempo/internal/auto-swap.test.ts +1 -0
package/src/tempo/internal/auto-swap.ts +4 -3
package/src/tempo/internal/defaults.test.ts +1 -0
package/src/tempo/internal/fee-payer.test.ts +1 -0
package/src/tempo/internal/fee-payer.ts +19 -4
package/src/tempo/server/Charge.test.ts +1081 -31
package/src/tempo/server/Charge.ts +159 -63
package/src/tempo/server/Session.test.ts +896 -107
package/src/tempo/server/Session.ts +41 -23
package/src/tempo/server/Sse.test.ts +2 -0
package/src/tempo/server/internal/transport.test.ts +30 -0
package/src/tempo/server/internal/transport.ts +41 -2
package/src/tempo/session/Chain.test.ts +145 -0
package/src/tempo/session/Chain.ts +59 -10
package/src/tempo/session/Channel.test.ts +1 -0
package/src/tempo/session/ChannelStore.test.ts +11 -0
package/src/tempo/session/ChannelStore.ts +7 -3
package/src/tempo/session/Receipt.test.ts +1 -0
package/src/tempo/session/Receipt.ts +1 -0
package/src/tempo/session/Sse.test.ts +2 -0
package/src/tempo/session/Sse.ts +1 -0
package/src/tempo/session/Voucher.test.ts +1 -0
package/src/tempo/session/Voucher.ts +4 -2
package/src/viem/Account.test.ts +1 -0
package/src/viem/Client.test.ts +1 -0
package/src/viem/Client.ts +1 -0

package/src/tempo/server/Charge.test.ts CHANGED Viewed

@@ -2,14 +2,19 @@ import { Challenge, Credential, Receipt } from 'mppx'
 import { Mppx as Mppx_client, tempo as tempo_client } from 'mppx/client'
 import { Mppx as Mppx_server, tempo as tempo_server } from 'mppx/server'
 import type { Hex } from 'ox'
+import { TxEnvelopeTempo } from 'ox/tempo'
 import { Handler } from 'tempo.ts/server'
-import { encodeFunctionData, parseUnits } from 'viem'
+import { createClient, custom, encodeFunctionData, parseUnits } from 'viem'
 import { getTransactionReceipt, prepareTransactionRequest, signTransaction } from 'viem/actions'
-import { Abis, Actions, Addresses, Tick } from 'viem/tempo'
+import { Abis, Account, Actions, Addresses, Secp256k1, Tick, Transaction } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vitest'
 import * as Http from '~test/Http.js'
+import { closeChannelOnChain, deployEscrow, openChannel } from '~test/tempo/session.js'
 import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
+import * as Store from '../../Store.js'
 import * as Attribution from '../Attribution.js'
+import { signVoucher } from '../session/Voucher.js'
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
@@ -108,6 +113,222 @@ describe('tempo', () => {
       httpServer.close()
     })
+    test('behavior: rejects replayed transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+      const mixedCaseHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: mixedCaseHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+      httpServer.close()
+    })
+    test('behavior: rejects replayed hash with alternating case', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+      // Submit original hash with alternating case (aB, not all upper or lower)
+      const hex = receipt.transactionHash.slice(2)
+      const alternating = `0x${hex
+        .split('')
+        .map((c, i) => (i % 2 === 0 ? c.toUpperCase() : c.toLowerCase()))
+        .join('')}` as Hex.Hex
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: alternating, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+      // Replay with lowercase — should be rejected
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: receipt.transactionHash.toLowerCase() as Hex.Hex, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+      httpServer.close()
+    })
+    test('behavior: accepts uppercase hash on first use', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+      const upperHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: upperHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+      httpServer.close()
+    })
     test('behavior: rejects hash with non-matching Transfer log', async () => {
       const wrongRecipient = accounts[2].address
@@ -149,6 +370,286 @@ describe('tempo', () => {
       httpServer.close()
     })
+    test('behavior: rejects session settlement tx hash used as charge credential', async () => {
+      const chargeAmount = parseUnits('1', 6)
+      const recipient = accounts[0].address
+      const external = accounts[3]
+      const escrow = await deployEscrow()
+      await fundAccount({ address: external.address, token: Addresses.pathUsd })
+      await fundAccount({ address: external.address, token: asset })
+      const salt = '0x0000000000000000000000000000000000000000000000000000000000000001' as Hex.Hex
+      const { channelId } = await openChannel({
+        escrow,
+        payer: external,
+        payee: recipient,
+        token: asset,
+        deposit: chargeAmount,
+        salt,
+      })
+      const voucherSig = await signVoucher(
+        client,
+        external,
+        { channelId, cumulativeAmount: chargeAmount },
+        escrow,
+        chain.id,
+      )
+      const { txHash: settleTxHash } = await closeChannelOnChain({
+        escrow,
+        payee: accounts[0],
+        channelId,
+        cumulativeAmount: chargeAmount,
+        signature: voucherSig,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(server.charge({ amount: '1' }))(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: settleTxHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Payment verification failed: no matching transfer found.')
+      }
+      httpServer.close()
+    })
+    test('behavior: rejects replayed transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+      const mixedCaseHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: mixedCaseHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+      httpServer.close()
+    })
+    test('behavior: rejects replayed hash with alternating case', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+      const hex = receipt.transactionHash.slice(2)
+      const alternating = `0x${hex
+        .split('')
+        .map((c, i) => (i % 2 === 0 ? c.toUpperCase() : c.toLowerCase()))
+        .join('')}` as Hex.Hex
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: alternating, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: receipt.transactionHash.toLowerCase() as Hex.Hex, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+      httpServer.close()
+    })
+    test('behavior: accepts uppercase hash on first use', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+      const upperHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: upperHash, type: 'hash' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+      httpServer.close()
+    })
     test('behavior: rejects expired request', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
@@ -225,43 +726,279 @@ describe('tempo', () => {
         }
       })
-      const response = await fetch(httpServer.url)
-      expect(response.status).toBe(500)
-      expect(await response.text()).toMatchInlineSnapshot(
-        `"No client configured with chainId 123456."`,
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(500)
+      expect(await response.text()).toMatchInlineSnapshot(
+        `"No client configured with chainId 123456."`,
+      )
+      httpServer.close()
+    })
+    test('behavior: rejects when client not configured for chainId', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        try {
+          const result = await Mppx_server.toNodeListener(
+            server.charge({
+              amount: '1',
+              chainId: 999999,
+            }),
+          )(req, res)
+          if (result.status === 402) return
+          res.end('OK')
+        } catch (e) {
+          res.statusCode = 500
+          res.end((e as Error).message)
+        }
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(500)
+      expect(await response.text()).toMatchInlineSnapshot(
+        `"Client not configured with chainId 999999."`,
+      )
+      httpServer.close()
+    })
+  })
+  describe('intent: charge; type: transaction; via Mppx', () => {
+    test('behavior: rejects pull then push replay of the same transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const pullClient = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'pull',
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          dedupServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const challengeResponse = await fetch(httpServer.url)
+      expect(challengeResponse.status).toBe(402)
+      const pullCredentialSerialized = await pullClient.createCredential(challengeResponse)
+      const pullAuthResponse = await fetch(httpServer.url, {
+        headers: { Authorization: pullCredentialSerialized },
+      })
+      expect(pullAuthResponse.status).toBe(200)
+      const pullReceipt = Receipt.fromResponse(pullAuthResponse)
+      const replayChallengeResponse = await fetch(httpServer.url)
+      expect(replayChallengeResponse.status).toBe(402)
+      const replayChallenge = Challenge.fromResponse(replayChallengeResponse, {
+        methods: [tempo_client.charge()],
+      })
+      const replayCredential = Credential.from({
+        challenge: replayChallenge,
+        payload: { hash: pullReceipt.reference as Hex.Hex, type: 'hash' as const },
+      })
+      const replayResponse = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(replayCredential) },
+      })
+      expect(replayResponse.status).toBe(402)
+      const replayBody = (await replayResponse.json()) as { detail: string }
+      expect(replayBody.detail).toContain('Transaction hash has already been used.')
+      httpServer.close()
+    })
+    test('behavior: rejects concurrent replay of same serialized transaction', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          dedupServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      // Get two challenges concurrently
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+      // Create credential from first challenge (signs transaction)
+      const credential1 = await mppx.createCredential(challengeResponse1)
+      // Extract the serialized tx and re-wrap it with the second challenge
+      const decoded1 = Credential.deserialize(credential1)
+      const challenge2 = Challenge.fromResponse(challengeResponse2, {
+        methods: [tempo_client.charge()],
+      })
+      const credential2 = Credential.serialize(
+        Credential.from({
+          challenge: challenge2,
+          payload: decoded1.payload,
+        }),
+      )
+      // Submit SAME signed tx to both challenges concurrently
+      const [resA, resB] = await Promise.all([
+        fetch(httpServer.url, { headers: { Authorization: credential1 } }),
+        fetch(httpServer.url, { headers: { Authorization: credential2 } }),
+      ])
+      const statuses = [resA.status, resB.status].sort()
+      // One should succeed (200), the other should be rejected (402)
+      expect(statuses).toEqual([200, 402])
+      httpServer.close()
+    })
+    test('behavior: rejects malleable variants with different feePayerSignature', async () => {
+      const dedupStore = Store.memory()
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: dedupStore,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          dedupServer.charge({
+            feePayer: accounts[0],
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      // Get two challenges
+      const challengeResponse1 = await fetch(httpServer.url)
+      const challengeResponse2 = await fetch(httpServer.url)
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+      // Sign a transaction via the first challenge (produces 0x78 fee
+      // payer format with sender address in feePayerSignatureOrSender).
+      const credential1 = await mppx.createCredential(challengeResponse1)
+      // Submit the original transaction, should succeed.
+      const res1 = await fetch(httpServer.url, {
+        headers: { Authorization: credential1 },
+      })
+      expect(res1.status).toBe(200)
+      // Create a malleable variant of the SAME signed tx by
+      // re-serializing in 0x76 format with feePayerSignature=null
+      // (0x00 marker). Both deserialize to the same transaction
+      // (same calls, signature, from), but the raw bytes differ so
+      // keccak256 produces different hashes.
+      const decoded1 = Credential.deserialize(credential1)
+      const serializedTx = (decoded1.payload as { signature: string }).signature
+      const deserialized = TxEnvelopeTempo.deserialize(serializedTx as TxEnvelopeTempo.Serialized)
+      const malleableVariant = TxEnvelopeTempo.serialize(
+        TxEnvelopeTempo.from({ ...deserialized, feePayerSignature: null }),
       )
+      expect(malleableVariant).not.toEqual(serializedTx)
-      httpServer.close()
-    })
-    test('behavior: rejects when client not configured for chainId', async () => {
-      const httpServer = await Http.createServer(async (req, res) => {
-        try {
-          const result = await Mppx_server.toNodeListener(
-            server.charge({
-              amount: '1',
-              chainId: 999999,
-            }),
-          )(req, res)
-          if (result.status === 402) return
-          res.end('OK')
-        } catch (e) {
-          res.statusCode = 500
-          res.end((e as Error).message)
-        }
+      // Wrap the malleable variant into the second challenge's credential
+      const challenge2 = Challenge.fromResponse(challengeResponse2, {
+        methods: [tempo_client.charge()],
       })
-      const response = await fetch(httpServer.url)
-      expect(response.status).toBe(500)
-      expect(await response.text()).toMatchInlineSnapshot(
-        `"Client not configured with chainId 999999."`,
+      const credential2 = Credential.serialize(
+        Credential.from({
+          challenge: challenge2,
+          payload: { signature: malleableVariant, type: 'transaction' as const },
+        }),
       )
+      // Submit the malleable variant. It bypasses the old
+      // keccak256(serializedTransaction) dedup (different raw bytes), but
+      // the post-broadcast dedup on the tx hash catches duplicates.
+      const res2 = await fetch(httpServer.url, {
+        headers: { Authorization: credential2 },
+      })
+      expect(res2.status).toBe(402)
       httpServer.close()
     })
-  })
-  describe('intent: charge; type: transaction; via Mppx', () => {
     test('default', async () => {
       const mppx = Mppx_client.create({
         polyfill: false,
@@ -544,6 +1281,133 @@ describe('tempo', () => {
       feePayerServer.close()
     })
+    test('behavior: access keys', async () => {
+      const rootAccount = accounts[1]
+      const accessKey = Account.fromSecp256k1(Secp256k1.randomPrivateKey(), {
+        access: rootAccount,
+      })
+      await Actions.accessKey.authorizeSync(client, {
+        account: rootAccount,
+        accessKey,
+        feeToken: asset,
+      })
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accessKey,
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await mppx.fetch(httpServer.url)
+      expect(response.status).toBe(200)
+      const receipt = Receipt.fromResponse(response)
+      expect({
+        ...receipt,
+        reference: '[reference]',
+        timestamp: '[timestamp]',
+      }).toMatchInlineSnapshot(`
+          {
+            "method": "tempo",
+            "reference": "[reference]",
+            "status": "success",
+            "timestamp": "[timestamp]",
+          }
+        `)
+      httpServer.close()
+    })
+    test('behavior: access keys (fee payer)', async () => {
+      const rootAccount = accounts[1]
+      const accessKey = Account.fromSecp256k1(Secp256k1.randomPrivateKey(), {
+        access: rootAccount,
+      })
+      await Actions.accessKey.authorizeSync(client, {
+        account: rootAccount,
+        accessKey,
+        feeToken: asset,
+      })
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accessKey,
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const server = Mppx_server.create({
+        methods: [
+          tempo_server({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            feePayer: true,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await mppx.fetch(httpServer.url)
+      expect(response.status).toBe(200)
+      const receipt = Receipt.fromResponse(response)
+      expect({
+        ...receipt,
+        reference: '[reference]',
+        timestamp: '[timestamp]',
+      }).toMatchInlineSnapshot(`
+          {
+            "method": "tempo",
+            "reference": "[reference]",
+            "status": "success",
+            "timestamp": "[timestamp]",
+          }
+        `)
+      httpServer.close()
+    })
     test('error: rejects fee-payer transaction with unauthorized calls', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
@@ -608,6 +1472,192 @@ describe('tempo', () => {
       httpServer.close()
     })
+    test('error: rejects unsigned transaction (fee payer becomes sender)', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            feePayer: accounts[0],
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const request = challenge.request
+      // Craft an unsigned 0x76 transaction — no user signature.
+      // This is the exact attack vector from the fee payer POC: without a
+      // signature check the fee payer signs as both sender AND fee payer,
+      // letting the attacker control the tx content.
+      const unsignedTx = (await Transaction.serialize({
+        calls: [
+          {
+            to: request.currency as `0x${string}`,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: [request.recipient as `0x${string}`, BigInt(request.amount)],
+            }),
+          },
+        ],
+        chainId: chain.id,
+        gas: 100_000n,
+        maxFeePerGas: 1_000_000_000n,
+        maxPriorityFeePerGas: 1_000_000_000n,
+        nonce: 0,
+      } as never)) as string
+      const credential = Credential.from({
+        challenge,
+        payload: { signature: unsignedTx, type: 'transaction' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain(
+          'Transaction must be signed by the sender before fee payer co-signing.',
+        )
+      }
+      httpServer.close()
+    })
+    test('error: rejects non-Tempo transaction type', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            feePayer: accounts[0],
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      // Submit a non-0x76 serialized transaction (e.g. EIP-1559 0x02 prefix)
+      const fakeTx =
+        '0x02f8650182a5bf843b9aca00843b9aca008252089400000000000000000000000000000000000000008080c001a00000000000000000000000000000000000000000000000000000000000000000a00000000000000000000000000000000000000000000000000000000000000000'
+      const credential = Credential.from({
+        challenge,
+        payload: { signature: fakeTx, type: 'transaction' as const },
+      })
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Only Tempo (0x76/0x78) transactions are supported.')
+      }
+      httpServer.close()
+    })
+  })
+  describe('intent: charge; type: transaction; defense-in-depth', () => {
+    test('behavior: rejects pull transaction when receipt has no Transfer log', async () => {
+      // Even when calldata looks correct, the server should verify that a Transfer
+      // event actually appears in the on-chain receipt.
+      // This guards against edge cases where calldata validation passes but the
+      // transfer doesn't actually execute (e.g. contract upgrade, unexpected
+      // silent no-op, or a bug in calldata matching).
+      let interceptReceipt = false
+      const interceptingClient = createClient({
+        chain: client.chain,
+        transport: custom({
+          async request(args: any) {
+            const result = await client.transport.request(args)
+            if (interceptReceipt && args?.method === 'eth_sendRawTransactionSync') {
+              return { ...(result as any), logs: [] }
+            }
+            return result
+          },
+        }),
+      })
+      const serverProxy = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return interceptingClient
+            },
+            currency: asset,
+            account: accounts[0],
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'pull',
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          serverProxy.charge({
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+      const credential = await mppx.createCredential(response)
+      // Enable interception so the receipt comes back with empty logs
+      interceptReceipt = true
+      const authResponse = await fetch(httpServer.url, {
+        headers: { Authorization: credential },
+      })
+      // Should reject: receipt has no Transfer log proving the payment occurred
+      expect(authResponse.status).toBe(402)
+      const body = (await authResponse.json()) as { detail: string }
+      expect(body.detail).toContain('no matching transfer found')
+      httpServer.close()
+    })
   })
   describe('intent: charge; type: transaction; waitForConfirmation: false', () => {