mppx 0.5.11 → 0.5.12

package/src/server/Mppx.test.ts

@@ -127,6 +127,50 @@ describe('request handler', () => {
     expect(body.detail).not.toContain('rpc.example.com')
   })
 
+  test('returns 402 when challenge ID mismatch', async () => {
+    const wrongChallenge = Challenge.from({
+      id: 'wrong-id',
+      intent: 'charge',
+      method: 'tempo',
+      realm,
+      request: { amount: '1000', currency: asset, recipient: accounts[0].address },
+    })
+    const credential = Credential.from({
+      challenge: wrongChallenge,
+      payload: { signature: '0x123', type: 'transaction' },
+    })
+
+    const request = new Request('https://example.com/resource', {
+      headers: { Authorization: Credential.serialize(credential) },
+    })
+
+    const result = await Mppx.create({ methods: [method], realm, secretKey }).charge({
+      amount: '1000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })(request)
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const body = (await result.challenge.json()) as object
+    expect({
+      ...body,
+      challengeId: '[challengeId]',
+      instance: '[instance]',
+    }).toMatchInlineSnapshot(`
+      {
+        "challengeId": "[challengeId]",
+        "detail": "Challenge "wrong-id" is invalid: challenge was not issued by this server.",
+        "instance": "[instance]",
+        "status": 402,
+        "title": "Invalid Challenge",
+        "type": "https://paymentauth.org/problems/invalid-challenge",
+      }
+    `)
+  })
+
   test('captures each transport request once and threads the verified envelope additively', async () => {
     const requestMethod = Method.from({
       name: 'mock',
@@ -232,50 +276,6 @@ describe('request handler', () => {
     expect(receiptEnvelope?.challenge.id).toBe(credential.challenge.id)
   })
 
-  test('returns 402 when challenge ID mismatch', async () => {
-    const wrongChallenge = Challenge.from({
-      id: 'wrong-id',
-      intent: 'charge',
-      method: 'tempo',
-      realm,
-      request: { amount: '1000', currency: asset, recipient: accounts[0].address },
-    })
-    const credential = Credential.from({
-      challenge: wrongChallenge,
-      payload: { signature: '0x123', type: 'transaction' },
-    })
-
-    const request = new Request('https://example.com/resource', {
-      headers: { Authorization: Credential.serialize(credential) },
-    })
-
-    const result = await Mppx.create({ methods: [method], realm, secretKey }).charge({
-      amount: '1000',
-      currency: asset,
-      expires: new Date(Date.now() + 60_000).toISOString(),
-      recipient: accounts[0].address,
-    })(request)
-
-    expect(result.status).toBe(402)
-    if (result.status !== 402) throw new Error()
-
-    const body = (await result.challenge.json()) as object
-    expect({
-      ...body,
-      challengeId: '[challengeId]',
-      instance: '[instance]',
-    }).toMatchInlineSnapshot(`
-      {
-        "challengeId": "[challengeId]",
-        "detail": "Challenge "wrong-id" is invalid: challenge was not issued by this server.",
-        "instance": "[instance]",
-        "status": 402,
-        "title": "Invalid Challenge",
-        "type": "https://paymentauth.org/problems/invalid-challenge",
-      }
-    `)
-  })
-
   test('returns 402 when credential is from a different route (cross-route scope confusion)', async () => {
     const handler = Mppx.create({ methods: [method], realm, secretKey })
 
@@ -982,6 +982,103 @@ describe('compose', () => {
     expect(wwwAuth).toContain('method="beta"')
   })
 
+  test('filters compose challenges using Accept-Payment', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'beta/charge' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges).toHaveLength(1)
+    expect(challenges[0]?.method).toBe('beta')
+  })
+
+  test('orders compose challenges by Accept-Payment q-value', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'beta/charge;q=0.9, alpha/charge;q=0.3' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['beta', 'alpha'])
+  })
+
+  test('applies a specific Accept-Payment opt-out before broader wildcards', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'alpha/*;q=1, alpha/charge;q=0, beta/*;q=0.5' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges).toHaveLength(1)
+    expect(challenges[0]?.method).toBe('beta')
+  })
+
+  test('falls back to all compose challenges when Accept-Payment has no matches', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'gamma/charge' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['alpha', 'beta'])
+  })
+
+  test('falls back to all compose challenges when Accept-Payment is invalid', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'not a valid header' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['alpha', 'beta'])
+  })
+
   test('dispatches to matching handler when credential matches alpha', async () => {
     const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
 

package/src/server/Mppx.ts

@@ -5,8 +5,9 @@ import * as Challenge from '../Challenge.js'
 import * as Credential from '../Credential.js'
 import * as Errors from '../Errors.js'
 import * as Expires from '../Expires.js'
+import * as AcceptPayment from '../internal/AcceptPayment.js'
 import * as Env from '../internal/env.js'
-import * as Method from '../Method.js'
+import type * as Method from '../Method.js'
 import * as PaymentRequest from '../PaymentRequest.js'
 import type * as Receipt from '../Receipt.js'
 import type * as z from '../zod.js'
@@ -447,22 +448,22 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
           withReceipt<response>(response?: response) {
             if (managementResponse) {
               return transport.respondReceipt({
+                challengeId: credential.challenge.id,
                 credential,
                 envelope,
                 input,
                 receipt: receiptData,
                 response: managementResponse as never,
-                challengeId: credential.challenge.id,
               }) as response
             }
             if (!response) throw new Error('withReceipt() requires a response argument')
             return transport.respondReceipt({
+              challengeId: credential.challenge.id,
               credential,
               envelope,
               input,
               receipt: receiptData,
               response: response as never,
-              challengeId: credential.challenge.id,
             }) as response
           },
         }
@@ -883,38 +884,58 @@ export function compose(
     // No credential — call all handlers and merge 402 challenges.
     const results = await Promise.all(handlers.map((h) => h(input)))
 
-    // Merge WWW-Authenticate headers from all 402 responses.
-    const mergedHeaders = new Headers()
-    mergedHeaders.set('Cache-Control', 'no-store')
-
-    for (const result of results) {
-      if (result.status !== 402) continue
-      const response = result.challenge as Response
-      const wwwAuth = response.headers.get('WWW-Authenticate')
-      if (wwwAuth) mergedHeaders.append('WWW-Authenticate', wwwAuth)
-    }
-
-    // Collect html-enabled handlers and their challenges
-    const htmlEntries = (() => {
+    const challengeEntries = (() => {
       const entries: {
         handler: ConfiguredHandler
         challenge: Challenge.Challenge
+        result: Extract<MethodFn.Response<Transport.Http>, { status: 402 }>
       }[] = []
+
       for (let i = 0; i < handlers.length; i++) {
-        const meta = (handlers[i] as ConfiguredHandler)._internal
-        if (!meta?.html) continue
         const result = results[i]
         if (result?.status !== 402) continue
-        const wwwAuth = result.challenge.headers.get('WWW-Authenticate')
+
+        const response = result.challenge as Response
+        const wwwAuth = response.headers.get('WWW-Authenticate')
         if (!wwwAuth) continue
+
         entries.push({
           handler: handlers[i] as ConfiguredHandler,
           challenge: Challenge.deserialize(wwwAuth),
+          result,
         })
       }
-      return entries
+
+      const acceptPayment = input.headers.get('Accept-Payment')
+      if (!acceptPayment) return entries
+
+      try {
+        const ranked = AcceptPayment.rank(
+          entries.map((entry) => entry.challenge),
+          AcceptPayment.parse(acceptPayment),
+        )
+        if (ranked.length === 0) return entries
+
+        const entriesById = new Map(entries.map((entry) => [entry.challenge.id, entry] as const))
+        return ranked.map((challenge) => entriesById.get(challenge.id)!)
+      } catch {
+        return entries
+      }
     })()
 
+    // Merge WWW-Authenticate headers from all 402 responses.
+    const mergedHeaders = new Headers()
+    mergedHeaders.set('Cache-Control', 'no-store')
+
+    for (const entry of challengeEntries) {
+      const response = entry.result.challenge as Response
+      const wwwAuth = response.headers.get('WWW-Authenticate')
+      if (wwwAuth) mergedHeaders.append('WWW-Authenticate', wwwAuth)
+    }
+
+    // Collect html-enabled handlers and their challenges
+    const htmlEntries = challengeEntries.filter((entry) => entry.handler._internal?.html)
+
     const wantsHtml = input.headers.get('Accept')?.includes('text/html')
     if (wantsHtml && htmlEntries.length > 0) {
       const { theme, text } = Html.resolveOptions(
@@ -962,10 +983,9 @@ export function compose(
 
     // Non-HTML fallback: use first handler's body
     let body: string | null = null
-    for (const result of results) {
-      if (result.status !== 402) continue
+    for (const entry of challengeEntries) {
       if (!body) {
-        const response = result.challenge as Response
+        const response = entry.result.challenge as Response
         const contentType = response.headers.get('Content-Type')
         if (contentType) mergedHeaders.set('Content-Type', contentType)
         body = await response.text()

package/src/stripe/internal/constants.ts

@@ -0,0 +1,7 @@
+/**
+ * Stripe API version with `.preview` suffix.
+ *
+ * Required for `shared_payment_granted_token` (SPTs are in private preview).
+ * Bump this when upgrading to a newer Stripe API version.
+ */
+export const stripePreviewVersion = '2026-02-25.preview'

package/src/stripe/server/Charge.ts

@@ -5,6 +5,7 @@ import type { LooseOmit, OneOf } from '../../internal/types.js'
 import * as Method from '../../Method.js'
 import type * as Html from '../../server/internal/html/config.ts'
 import type * as z from '../../zod.js'
+import { stripePreviewVersion } from '../internal/constants.js'
 import type {
   StripeClient,
   CreatePaymentMethodFromElements,
@@ -202,13 +203,16 @@ async function createWithClient(parameters: {
         // `shared_payment_granted_token` is not yet in the Stripe SDK types (SPTs are in private preview).
         shared_payment_granted_token: spt,
       } as any,
-      { idempotencyKey: `mppx_${challenge.id}_${spt}` },
+      { idempotencyKey: `mppx_${challenge.id}_${spt}`, apiVersion: stripePreviewVersion },
     )
     // https://docs.stripe.com/error-low-level#idempotency
     const replayed = result.lastResponse?.headers?.['idempotent-replayed'] === 'true'
     return { id: result.id, status: result.status, replayed }
-  } catch {
-    throw new VerificationFailedError({ reason: 'Stripe PaymentIntent failed' })
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error)
+    throw new VerificationFailedError({
+      reason: `Stripe PaymentIntent failed: ${detail}`,
+    })
   }
 }
 
@@ -240,11 +244,25 @@ async function createWithSecretKey(parameters: {
       Authorization: `Basic ${btoa(`${secretKey}:`)}`,
       'Content-Type': 'application/x-www-form-urlencoded',
       'Idempotency-Key': `mppx_${challenge.id}_${spt}`,
+      'Stripe-Version': stripePreviewVersion,
     },
     body,
   })
 
-  if (!response.ok) throw new VerificationFailedError({ reason: 'Stripe PaymentIntent failed' })
+  if (!response.ok) {
+    const body = await response.text().catch(() => '')
+    const detail = (() => {
+      try {
+        const parsed = JSON.parse(body) as { error?: { message?: string } }
+        return parsed.error?.message ?? body
+      } catch {
+        return body
+      }
+    })()
+    throw new VerificationFailedError({
+      reason: `Stripe PaymentIntent failed: ${detail}`,
+    })
+  }
   // https://docs.stripe.com/error-low-level#idempotency
   const replayed = response.headers.get('idempotent-replayed') === 'true'
   const result = (await response.json()) as { id: string; status: string }

package/src/tempo/Proof.test-d.ts

@@ -0,0 +1,13 @@
+import { expectTypeOf, test } from 'vp/test'
+
+import { Proof } from './index.js'
+
+test('Proof exports public proof source helpers', () => {
+  expectTypeOf(Proof.proofSource).toEqualTypeOf<
+    (parameters: { address: string; chainId: number }) => string
+  >()
+
+  expectTypeOf(Proof.parseProofSource).toEqualTypeOf<
+    (source: string) => { address: `0x${string}`; chainId: number } | null
+  >()
+})

package/src/tempo/Proof.test.ts

@@ -0,0 +1,31 @@
+import { describe, expect, test } from 'vp/test'
+
+import * as tempo from './index.js'
+
+describe('tempo.Proof', () => {
+  test('proofSource constructs a did:pkh:eip155 source', () => {
+    expect(
+      tempo.Proof.proofSource({
+        address: '0xAbCdEf1234567890AbCdEf1234567890AbCdEf12',
+        chainId: 42431,
+      }),
+    ).toBe('did:pkh:eip155:42431:0xAbCdEf1234567890AbCdEf1234567890AbCdEf12')
+  })
+
+  test('parseProofSource parses a valid did:pkh:eip155 source', () => {
+    expect(
+      tempo.Proof.parseProofSource(
+        'did:pkh:eip155:42431:0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141',
+      ),
+    ).toEqual({
+      address: '0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141',
+      chainId: 42431,
+    })
+  })
+
+  test('parseProofSource rejects invalid source values', () => {
+    expect(
+      tempo.Proof.parseProofSource('did:pkh:eip155:01:0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141'),
+    ).toBe(null)
+  })
+})

package/src/tempo/Proof.ts

@@ -0,0 +1,13 @@
+import type { Address } from 'viem'
+
+import * as Proof_internal from './internal/proof.js'
+
+/** Constructs the canonical `did:pkh:eip155` source DID for Tempo proof credentials. */
+export function proofSource(parameters: { address: string; chainId: number }): string {
+  return Proof_internal.proofSource(parameters)
+}
+
+/** Parses a Tempo proof credential source DID into its chain ID and wallet address. */
+export function parseProofSource(source: string): { address: Address; chainId: number } | null {
+  return Proof_internal.parseProofSource(source)
+}

package/src/tempo/client/SessionManager.test.ts

@@ -225,13 +225,10 @@ describe('Session', () => {
         // drain
       }
 
-      const calledHeaders = (mockFetch.mock.calls[0]![1] as RequestInit).headers as Record<
-        string,
-        string
-      >
-      expect(calledHeaders['content-type']).toBe('application/json')
-      expect(calledHeaders['x-custom']).toBe('value')
-      expect(calledHeaders.Accept).toBe('text/event-stream')
+      const calledHeaders = new Headers((mockFetch.mock.calls[0]![1] as RequestInit).headers)
+      expect(calledHeaders.get('content-type')).toBe('application/json')
+      expect(calledHeaders.get('x-custom')).toBe('value')
+      expect(calledHeaders.get('accept')).toBe('text/event-stream')
     })
   })
 

package/src/tempo/index.ts

@@ -1,2 +1,3 @@
+export * as Proof from './Proof.js'
 export * as Methods from './Methods.js'
 export * as Session from './session/index.js'

package/src/tempo/internal/fee-payer.test.ts

@@ -322,7 +322,7 @@ describe('prepareSponsoredTransaction', () => {
         transaction: {
           ...baseTransaction,
           gas: 1_500_000n,
-          maxFeePerGas: 10_000_000_000n,
+          maxFeePerGas: 50_000_000_000n,
         } as any,
       }),
     ).toThrow('total fee budget exceeds sponsor policy')

package/src/tempo/internal/fee-payer.ts

@@ -26,11 +26,15 @@ export const callScopes = [
   [Selectors.approve, Selectors.swapExactAmountOut, Selectors.transferWithMemo],
 ]
 
+/**
+ * maxTotalFee must be high enough to cover `transferWithMemo` and
+ * swap transactions at peak gas prices. Bumped from 0.01 ETH in #327.
+ */
 const policy = {
   maxGas: 2_000_000n,
   maxFeePerGas: 100_000_000_000n,
   maxPriorityFeePerGas: 10_000_000_000n,
-  maxTotalFee: 10_000_000_000_000_000n,
+  maxTotalFee: 50_000_000_000_000_000n,
   maxValidityWindowSeconds: 15 * 60,
 } as const
 

package/src/tempo/server/Charge.test.ts

@@ -25,6 +25,11 @@ import { signVoucher } from '../session/Voucher.js'
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
 
+type ProofAccessKeyContext = {
+  accessKey: ReturnType<typeof Account.fromSecp256k1>
+  rootAccount: (typeof accounts)[number]
+}
+
 const server = Mppx_server.create({
   methods: [
     tempo_server.charge({
@@ -2114,6 +2119,124 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    for (const testCase of [
+      {
+        name: 'accepts proof signed by an authorized access key for the root source',
+        expectedStatus: 200,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an unauthorized access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+      },
+      {
+        name: 'rejects proof signed by a revoked access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+          await fundAccount({ address: rootAccount.address, token: asset })
+          await Actions.accessKey.revokeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an expired access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            expiry: Math.floor(Date.now() / 1000) + 10,
+            feeToken: asset,
+          })
+
+          const metadata = await Actions.accessKey.getMetadata(client, {
+            account: rootAccount.address,
+            accessKey,
+          })
+          const originalNow = Date.now
+          Date.now = () => (Number(metadata.expiry) + 5) * 1000
+
+          return () => {
+            Date.now = originalNow
+          }
+        },
+      },
+    ] as const) {
+      test(`behavior: ${testCase.name}`, async () => {
+        const rootAccount = accounts[1]
+        const accessKey = Account.fromSecp256k1(Secp256k1.randomPrivateKey(), {
+          access: rootAccount,
+        })
+
+        let cleanup: (() => void) | undefined
+        let httpServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
+
+        try {
+          const maybeCleanup = await testCase.prepare?.({ accessKey, rootAccount })
+          cleanup = typeof maybeCleanup === 'function' ? maybeCleanup : undefined
+
+          httpServer = await Http.createServer(async (req, res) => {
+            const result = await Mppx_server.toNodeListener(
+              server.charge({ amount: '0', decimals: 6 }),
+            )(req, res)
+            if (result.status === 402) return
+            res.end('OK')
+          })
+
+          const response1 = await fetch(httpServer.url)
+          expect(response1.status).toBe(402)
+
+          const challenge = Challenge.fromResponse(response1, {
+            methods: [tempo_client.charge()],
+          })
+
+          const signature = await signTypedData(client, {
+            account: accessKey,
+            domain: Proof.domain(chain.id),
+            types: Proof.types,
+            primaryType: 'Proof',
+            message: Proof.message(challenge.id),
+          })
+
+          const credential = Credential.from({
+            challenge,
+            payload: { signature, type: 'proof' as const },
+            source: `did:pkh:eip155:${chain.id}:${rootAccount.address}`,
+          })
+
+          const response2 = await fetch(httpServer.url, {
+            headers: { Authorization: Credential.serialize(credential) },
+          })
+          expect(response2.status).toBe(testCase.expectedStatus)
+
+          if (testCase.expectedDetail) {
+            const body = (await response2.json()) as { detail: string }
+            expect(body.detail).toContain(testCase.expectedDetail)
+          }
+        } finally {
+          cleanup?.()
+          httpServer?.close()
+        }
+      })
+    }
+
     test('behavior: rejects replayed proof credential when store is configured', async () => {
       const replayStore = Store.memory()
       const server_ = Mppx_server.create({