mppx 0.4.7 → 0.4.9

package/src/proxy/Service.ts

@@ -267,8 +267,14 @@ function resolvePayment(endpoint: Endpoint): Record<string, unknown> | null {
   if (endpoint === true) return null
   const handler = typeof endpoint === 'function' ? endpoint : endpoint.pay
   if (!('_internal' in handler)) return {}
-  const { name, intent, defaults, schema, _canonicalRequest, ...rest } =
-    handler._internal as Record<string, unknown>
+  const {
+    name,
+    intent,
+    defaults: _,
+    schema: _s,
+    _canonicalRequest,
+    ...rest
+  } = handler._internal as Record<string, unknown>
   const amount = (() => {
     if (typeof rest.amount === 'string' && typeof rest.decimals === 'number')
       return String(Value.from(rest.amount, rest.decimals))

package/src/proxy/internal/Headers.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from 'vitest'
+
 import * as Headers from './Headers.js'
 
 describe('scrub', () => {

package/src/proxy/internal/Route.test.ts

@@ -141,3 +141,60 @@ describe('match', () => {
     expect(Route.match(routes, 'GET', '/v1/chat/completions')).toBeNull()
   })
 })
+
+describe('matchPath', () => {
+  const paidOnly = (v: unknown) => v !== true
+
+  test('behavior: matches route by path without filter', () => {
+    const routes = { 'GET /v1/models': true }
+    expect(Route.matchPath(routes, '/v1/models')).toMatchObject({
+      key: 'GET /v1/models',
+    })
+  })
+
+  test('behavior: matches paid endpoint by path', () => {
+    const routes = { 'GET /v1/generate': { pay: () => {} } }
+    expect(Route.matchPath(routes, '/v1/generate', paidOnly)).toMatchObject({
+      key: 'GET /v1/generate',
+    })
+  })
+
+  test('behavior: skips free passthrough routes with filter', () => {
+    const routes = {
+      'GET /v1/models': true,
+      'POST /v1/generate': { pay: () => {} },
+    }
+    expect(Route.matchPath(routes, '/v1/models', paidOnly)).toBeNull()
+  })
+
+  test('behavior: matches paid route even with different method', () => {
+    const routes = {
+      'GET /v1/stream': { pay: () => {} },
+    }
+    expect(Route.matchPath(routes, '/v1/stream', paidOnly)).toMatchObject({
+      key: 'GET /v1/stream',
+    })
+  })
+
+  test('behavior: skips free and matches next paid route', () => {
+    const routes = {
+      'GET /v1/*': true,
+      'POST /v1/*': { pay: () => {} },
+    }
+    const result = Route.matchPath(routes, '/v1/cachedContents', paidOnly)
+    expect(result).toMatchObject({ key: 'POST /v1/*' })
+  })
+
+  test('error: returns null when all routes are free', () => {
+    const routes = {
+      'GET /v1/models': true,
+      'GET /v1/status': true,
+    }
+    expect(Route.matchPath(routes, '/v1/models', paidOnly)).toBeNull()
+  })
+
+  test('error: returns null when no path match', () => {
+    const routes = { 'POST /v1/generate': { pay: () => {} } }
+    expect(Route.matchPath(routes, '/v2/unknown', paidOnly)).toBeNull()
+  })
+})

package/src/proxy/internal/Route.ts

@@ -36,12 +36,14 @@ export function match(
   return null
 }
 
-/** Finds the first route matching just the path, ignoring the HTTP method. Used for management POST fallback. */
+/** Finds the first route matching the path, ignoring the HTTP method. Optional `filter` predicate can exclude routes. */
 export function matchPath(
   routes: Record<string, unknown>,
   path: string,
+  filter?: (value: unknown) => boolean,
 ): { key: string; value: unknown } | null {
   for (const [key, value] of Object.entries(routes)) {
+    if (filter && !filter(value)) continue
     const { pattern } = parseRouteKey(key)
     const urlPattern = new URLPattern({ pathname: pattern })
     if (urlPattern.test({ pathname: path })) return { key, value }

package/src/proxy/services/openai.test.ts

@@ -4,6 +4,7 @@ import { Mppx as Mppx_server, tempo as tempo_server } from 'mppx/server'
 import { afterEach, describe, expect, test } from 'vitest'
 import * as Http from '~test/Http.js'
 import { accounts, asset, client } from '~test/tempo/viem.js'
+
 import * as ApiProxy from '../Proxy.js'
 import { openai } from './openai.js'
 

package/src/server/Mppx.test.ts

@@ -180,6 +180,198 @@ describe('request handler', () => {
     expect(body.detail).toContain('does not match')
   })
 
+  test('topUp credential bypasses cross-route amount validation', async () => {
+    // Use a session method whose schema defines action: 'topUp'
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: {
+          payload: z.discriminatedUnion('action', [
+            z.object({ action: z.literal('open'), token: z.string() }),
+            z.object({ action: z.literal('topUp'), token: z.string() }),
+          ]),
+        },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          recipient: z.string(),
+        }),
+      },
+    })
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return {
+          status: 'settled',
+          method: 'mock',
+          timestamp: new Date().toISOString(),
+          reference: 'ref',
+        } as any
+      },
+    })
+    const handler = Mppx.create({ methods: [sessionServerMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route (simulates HEAD-obtained challenge)
+    const cheapHandle = handler['mock/session']({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a topUp credential from the cheap challenge (echoed from HEAD)
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'topUp', token: 'valid' },
+    })
+
+    // Present it at the "expensive" route — topUp should bypass amount check
+    const expensiveHandle = handler['mock/session']({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should NOT get 402 for amount mismatch — topUp bypasses the check.
+    // It will fail at a later stage (payload validation), but not with
+    // "does not match this route's requirements".
+    if (result.status === 402) {
+      const body = (await result.challenge.json()) as { detail?: string }
+      expect(body.detail).not.toContain('does not match')
+    }
+  })
+
+  test('voucher credential bypasses cross-route amount validation', async () => {
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: {
+          payload: z.discriminatedUnion('action', [
+            z.object({ action: z.literal('open'), token: z.string() }),
+            z.object({
+              action: z.literal('voucher'),
+              cumulativeAmount: z.string(),
+              signature: z.string(),
+            }),
+          ]),
+        },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          recipient: z.string(),
+        }),
+      },
+    })
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return {
+          status: 'settled',
+          method: 'mock',
+          timestamp: new Date().toISOString(),
+          reference: 'ref',
+        } as any
+      },
+    })
+    const handler = Mppx.create({ methods: [sessionServerMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route (simulates initial SSE request)
+    const cheapHandle = handler['mock/session']({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/chat'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a voucher credential echoing the original challenge — mid-stream
+    // the server may re-price (dynamic pricing), so the route's amount differs
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'voucher', cumulativeAmount: '500', signature: '0xabc' },
+    })
+
+    // Present it at the same route but with a higher price — voucher should
+    // bypass the cross-route amount check just like topUp does
+    const expensiveHandle = handler['mock/session']({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/chat', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should NOT get 402 for amount mismatch — voucher bypasses the check.
+    if (result.status === 402) {
+      const body = (await result.challenge.json()) as { detail?: string }
+      expect(body.detail).not.toContain('does not match')
+    }
+  })
+
+  test('rejects charge credential with injected action: topUp (cross-route bypass attempt)', async () => {
+    const handler = Mppx.create({ methods: [method], realm, secretKey })
+
+    // Get a challenge from the "cheap" route
+    const cheapHandle = handler.charge({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Malicious client injects action: 'topUp' into a regular charge credential
+    // to try to bypass the cross-route amount check
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'topUp', signature: '0x123', type: 'transaction' },
+    })
+
+    // Present it at the "expensive" route — should still be rejected
+    const expensiveHandle = handler.charge({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Injecting action: 'topUp' on a charge credential must not bypass
+    // the cross-route amount check. The credential should be rejected
+    // with "does not match" just like a normal charge credential would be.
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+    const body = (await result.challenge.json()) as { detail: string }
+    expect(body.detail).toContain('does not match')
+  })
+
   test('returns 402 when credential challenge is expired', async () => {
     const pastExpires = new Date(Date.now() - 60_000).toISOString()
 
@@ -1130,6 +1322,252 @@ describe('nested accessors', () => {
   })
 })
 
+describe('cross-route credential replay via scope binding flaw', () => {
+  // Method whose schema transform moves `amount`, `currency`, and `recipient`
+  // into `methodDetails`, removing them from the top-level request. This mirrors
+  // real-world methods (e.g. Tempo) that restructure fields via z.transform.
+  const transformingMethod = Method.from({
+    name: 'mock',
+    intent: 'charge',
+    schema: {
+      credential: {
+        payload: z.object({ token: z.string() }),
+      },
+      request: z.pipe(
+        z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+        z.transform(({ amount, currency, decimals, recipient }) => ({
+          methodDetails: { amount: String(Number(amount) * 10 ** decimals), currency, recipient },
+        })),
+      ),
+    },
+  })
+
+  function mockReceipt() {
+    return {
+      method: 'mock',
+      reference: 'tx-ref',
+      status: 'success' as const,
+      timestamp: new Date().toISOString(),
+    }
+  }
+
+  const serverMethod = Method.toServer(transformingMethod, {
+    async verify() {
+      return mockReceipt()
+    },
+  })
+
+  test('rejects cheap credential replayed at expensive route when schema transform moves scope fields', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route ($0.01)
+    const cheapHandle = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a credential from the cheap challenge
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present the cheap credential at the "expensive" route ($100)
+    const expensiveHandle = handler.charge({
+      amount: '100',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should be 402 (credential was for $0.01, not $100)
+    expect(result.status).toBe(402)
+  })
+
+  test('rejects credential with mismatched method field', async () => {
+    const otherMethod = Method.from({
+      name: 'other',
+      intent: 'charge',
+      schema: {
+        credential: { payload: z.object({ token: z.string() }) },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+      },
+    })
+
+    const otherServerMethod = Method.toServer(otherMethod, {
+      async verify() {
+        return mockReceipt()
+      },
+    })
+
+    const handler = Mppx.create({ methods: [serverMethod, otherServerMethod], realm, secretKey })
+
+    // Get challenge from mock/charge
+    const mockHandle = handler['mock/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const mockResult = await mockHandle(new Request('https://example.com/mock'))
+    expect(mockResult.status).toBe(402)
+    if (mockResult.status !== 402) throw new Error()
+
+    const mockChallenge = Challenge.fromResponse(mockResult.challenge)
+    const credential = Credential.from({
+      challenge: mockChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present mock/charge credential at other/charge route
+    const otherHandle = handler['other/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await otherHandle(
+      new Request('https://example.com/other', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should reject (credential was for method "mock", not "other")
+    expect(result.status).toBe(402)
+  })
+
+  test('rejects credential with mismatched intent field', async () => {
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: { payload: z.object({ token: z.string() }) },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+      },
+    })
+
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return mockReceipt()
+      },
+    })
+
+    const handler = Mppx.create({ methods: [serverMethod, sessionServerMethod], realm, secretKey })
+
+    // Get challenge from mock/charge
+    const chargeHandle = handler['mock/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const chargeResult = await chargeHandle(new Request('https://example.com/charge'))
+    expect(chargeResult.status).toBe(402)
+    if (chargeResult.status !== 402) throw new Error()
+
+    const chargeChallenge = Challenge.fromResponse(chargeResult.challenge)
+    const credential = Credential.from({
+      challenge: chargeChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present charge credential at session route
+    const sessionHandle = handler['mock/session']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await sessionHandle(
+      new Request('https://example.com/session', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should reject (credential was for intent "charge", not "session")
+    expect(result.status).toBe(402)
+  })
+
+  test('compose: rejects cheap credential replayed at expensive route when schema transform moves scope fields', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    const cheapHandle = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const expensiveHandle = handler.charge({
+      amount: '100',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+
+    const composed = Mppx.compose(cheapHandle, expensiveHandle)
+
+    // Get challenge (pick the cheap one)
+    const firstResult = await composed(new Request('https://example.com/resource'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(firstResult.challenge)
+    const cheapChallenge = challenges[0]!
+
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // The composed handler should NOT route the cheap credential to the expensive handler
+    const result = await composed(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // If scope binding works, the credential should route to the cheap handler only.
+    // It should NOT match the expensive handler's canonical request.
+    // The result should be 200 (matched to cheap), not routed to expensive.
+    expect(result.status).toBe(200)
+  })
+})
+
 describe('withReceipt', () => {
   const mockCharge = Method.from({
     name: 'mock',

package/src/server/Mppx.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
+
 import * as Challenge from '../Challenge.js'
 import * as Credential from '../Credential.js'
 import * as Errors from '../Errors.js'
@@ -329,20 +330,22 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
         }
 
         // Verify the credential's challenge matches this route's configured
-        // request. Prevents cross-route scope confusion where a credential
-        // issued for a cheap route is presented at an expensive route.
+        // method, intent, realm, and request. Prevents cross-route scope
+        // confusion where a credential issued for a cheap route (or different
+        // method/intent) is presented at an expensive route.
         // Note: we compare specific payment parameters rather than the full
         // request because the `request` hook may produce credential-dependent
         // output (e.g. `feePayer` differs between 402 and credential calls).
+        //
+        // Skip this check for topUp and voucher actions: the route's
+        // `request` hook may produce a different amount because these
+        // requests carry no application body (e.g. no model field for
+        // dynamic pricing). The credential echoes a challenge obtained
+        // from the original request which had the correct amount; the
+        // on-chain voucher signature is the real validation.
         {
-          const routeReq = challenge.request as Record<string, unknown>
-          const echoedReq = credential.challenge.request as Record<string, unknown>
-          for (const field of ['amount', 'currency', 'recipient'] as const) {
-            if (
-              routeReq[field] !== undefined &&
-              echoedReq[field] !== undefined &&
-              String(routeReq[field]) !== String(echoedReq[field])
-            ) {
+          for (const field of ['method', 'intent', 'realm'] as const) {
+            if (credential.challenge[field] !== challenge[field]) {
               const response = await transport.respondChallenge({
                 challenge,
                 input,
@@ -354,6 +357,39 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
               return { challenge: response, status: 402 }
             }
           }
+
+          // Use safeParse (not raw payload) so only methods whose schema
+          // defines `action` can trigger the skip. Without this, a client
+          // could inject `action: 'topUp'` on a charge credential to bypass
+          // the amount check. Zod strips unknown keys, so charge payloads
+          // (which don't define `action`) will have it removed.
+          const parsed = method.schema.credential.payload.safeParse(credential.payload)
+          const action = parsed.success
+            ? (parsed.data as Record<string, unknown>)?.action
+            : undefined
+          if (action !== 'topUp' && action !== 'voucher') {
+            const routeReq = challenge.request as Record<string, unknown>
+            const echoedReq = credential.challenge.request as Record<string, unknown>
+            const routeDetails = (routeReq.methodDetails ?? {}) as Record<string, unknown>
+            const echoedDetails = (echoedReq.methodDetails ?? {}) as Record<string, unknown>
+            for (const field of ['amount', 'currency', 'recipient'] as const) {
+              const routeVal = routeReq[field] ?? routeDetails[field]
+              if (
+                routeVal !== undefined &&
+                String(routeVal) !== String(echoedReq[field] ?? echoedDetails[field])
+              ) {
+                const response = await transport.respondChallenge({
+                  challenge,
+                  input,
+                  error: new Errors.InvalidChallengeError({
+                    id: credential.challenge.id,
+                    reason: `credential ${field} does not match this route's requirements`,
+                  }),
+                })
+                return { challenge: response, status: 402 }
+              }
+            }
+          }
         }
 
         // Reject expired credentials
@@ -578,22 +614,24 @@ export function compose(
       if (credential) {
         const { method: credMethod, intent: credIntent } = credential.challenge
         const credReq = credential.challenge.request as Record<string, unknown>
+        const credDetails = (credReq.methodDetails ?? {}) as Record<string, unknown>
 
         // Filter by name+intent, then narrow by comparing stable request fields
         // from the echoed challenge against each handler's canonical request.
         // Uses the schema-parsed canonical form (not raw options) so that
         // transformed fields (e.g. amount with decimals) match correctly.
+        // Also checks inside methodDetails for fields moved there by transforms.
         const candidates = handlers.filter((h) => {
           const meta = (h as ConfiguredHandler)._internal
           if (!meta || meta.name !== credMethod || meta.intent !== credIntent) return false
           const canonical = meta._canonicalRequest
           if (!canonical) return true
+          const canonicalDetails = (canonical.methodDetails ?? {}) as Record<string, unknown>
           for (const field of ['amount', 'currency', 'recipient', 'chainId'] as const) {
-            const canonicalVal = canonical[field]
+            const canonicalVal = canonical[field] ?? canonicalDetails[field]
             if (
               canonicalVal !== undefined &&
-              credReq[field] !== undefined &&
-              String(canonicalVal) !== String(credReq[field])
+              String(canonicalVal) !== String(credReq[field] ?? credDetails[field])
             )
               return false
           }

package/src/server/Request.test.ts

@@ -1,5 +1,6 @@
 import { EventEmitter } from 'node:events'
 import type { IncomingMessage, ServerResponse } from 'node:http'
+
 import { Request } from 'mppx/server'
 import { describe, expect, test } from 'vitest'
 

package/src/server/Request.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, RequestListener, ServerResponse } from 'node:http'
+
 import * as FetchServer from '@remix-run/node-fetch-server'
 
 export type FetchHandler = (request: Request) => Promise<Response> | Response