mppx 0.5.11 → 0.5.13

package/src/tempo/client/SessionManager.test.ts

@@ -225,13 +225,10 @@ describe('Session', () => {
         // drain
       }
 
-      const calledHeaders = (mockFetch.mock.calls[0]![1] as RequestInit).headers as Record<
-        string,
-        string
-      >
-      expect(calledHeaders['content-type']).toBe('application/json')
-      expect(calledHeaders['x-custom']).toBe('value')
-      expect(calledHeaders.Accept).toBe('text/event-stream')
+      const calledHeaders = new Headers((mockFetch.mock.calls[0]![1] as RequestInit).headers)
+      expect(calledHeaders.get('content-type')).toBe('application/json')
+      expect(calledHeaders.get('x-custom')).toBe('value')
+      expect(calledHeaders.get('accept')).toBe('text/event-stream')
     })
   })
 

package/src/tempo/index.ts

@@ -1,2 +1,3 @@
+export * as Proof from './Proof.js'
 export * as Methods from './Methods.js'
 export * as Session from './session/index.js'

package/src/tempo/internal/fee-payer.test.ts

@@ -285,6 +285,80 @@ describe('prepareSponsoredTransaction', () => {
     ).not.toThrow()
   })
 
+  test('accepts higher Moderato priority fees by default', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          gas: 626_497n,
+          maxFeePerGas: 24_000_000_000n,
+          maxPriorityFeePerGas: 24_000_000_000n,
+        } as any,
+      }),
+    ).not.toThrow()
+  })
+
+  test('accepts fee-payer policy overrides', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 4217,
+        details,
+        expectedFeeToken: bogus,
+        policy: { maxPriorityFeePerGas: 50_000_000_000n },
+        transaction: {
+          ...baseTransaction,
+          chainId: 4217,
+          gas: 626_497n,
+          maxFeePerGas: 24_000_000_000n,
+          maxPriorityFeePerGas: 24_000_000_000n,
+        } as any,
+      }),
+    ).not.toThrow()
+  })
+
+  test('error: rejects excessive priority fee under a custom policy override', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 4217,
+        details,
+        expectedFeeToken: bogus,
+        policy: { maxPriorityFeePerGas: 20_000_000_000n },
+        transaction: {
+          ...baseTransaction,
+          chainId: 4217,
+          gas: 626_497n,
+          maxFeePerGas: 24_000_000_000n,
+          maxPriorityFeePerGas: 24_000_000_000n,
+        } as any,
+      }),
+    ).toThrow('maxPriorityFeePerGas exceeds sponsor policy')
+  })
+
+  test('ignores undefined policy override values', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 4217,
+        details,
+        expectedFeeToken: bogus,
+        policy: { maxPriorityFeePerGas: undefined } as any,
+        transaction: {
+          ...baseTransaction,
+          chainId: 4217,
+          gas: 626_497n,
+          maxFeePerGas: 24_000_000_000n,
+          maxPriorityFeePerGas: 24_000_000_000n,
+        } as any,
+      }),
+    ).toThrow('maxPriorityFeePerGas exceeds sponsor policy')
+  })
+
   test('drops unknown top-level fields from the sponsored transaction', () => {
     const sponsored = prepareSponsoredTransaction({
       account: sponsor,
@@ -322,7 +396,7 @@ describe('prepareSponsoredTransaction', () => {
         transaction: {
           ...baseTransaction,
           gas: 1_500_000n,
-          maxFeePerGas: 10_000_000_000n,
+          maxFeePerGas: 50_000_000_000n,
         } as any,
       }),
     ).toThrow('total fee budget exceeds sponsor policy')

package/src/tempo/internal/fee-payer.ts

@@ -5,6 +5,7 @@ import { decodeFunctionData } from 'viem'
 import { Abis, Addresses, Transaction } from 'viem/tempo'
 
 import * as TempoAddress_internal from './address.js'
+import * as defaults from './defaults.js'
 import * as Selectors from './selectors.js'
 
 /** Returns true if the serialized transaction has a Tempo envelope prefix. */
@@ -26,13 +27,47 @@ export const callScopes = [
   [Selectors.approve, Selectors.swapExactAmountOut, Selectors.transferWithMemo],
 ]
 
-const policy = {
+export type Policy = {
+  maxGas: bigint
+  maxFeePerGas: bigint
+  maxPriorityFeePerGas: bigint
+  maxTotalFee: bigint
+  maxValidityWindowSeconds: number
+}
+
+/**
+ * maxTotalFee must be high enough to cover `transferWithMemo` and
+ * swap transactions at peak gas prices. Bumped from 0.01 ETH in #327.
+ */
+const defaultPolicy: Policy = {
   maxGas: 2_000_000n,
   maxFeePerGas: 100_000_000_000n,
   maxPriorityFeePerGas: 10_000_000_000n,
-  maxTotalFee: 10_000_000_000_000_000n,
+  maxTotalFee: 50_000_000_000_000_000n,
   maxValidityWindowSeconds: 15 * 60,
-} as const
+}
+
+const policyByChainId = {
+  [defaults.chainId.mainnet]: defaultPolicy,
+  // Moderato regularly needs a higher priority fee than mainnet.
+  [defaults.chainId.testnet]: {
+    ...defaultPolicy,
+    maxPriorityFeePerGas: 50_000_000_000n,
+  },
+} as const satisfies Record<defaults.ChainId, Policy>
+
+function getPolicy(chainId: number, overrides: Partial<Policy> | undefined): Policy {
+  const base = policyByChainId[chainId as defaults.ChainId] ?? defaultPolicy
+  if (!overrides) return base
+
+  return {
+    maxGas: overrides.maxGas ?? base.maxGas,
+    maxFeePerGas: overrides.maxFeePerGas ?? base.maxFeePerGas,
+    maxPriorityFeePerGas: overrides.maxPriorityFeePerGas ?? base.maxPriorityFeePerGas,
+    maxTotalFee: overrides.maxTotalFee ?? base.maxTotalFee,
+    maxValidityWindowSeconds: overrides.maxValidityWindowSeconds ?? base.maxValidityWindowSeconds,
+  }
+}
 
 /** Validates that a set of transaction calls matches an allowed fee-payer pattern. */
 export function validateCalls(
@@ -85,6 +120,7 @@ export function prepareSponsoredTransaction(parameters: {
   details: Record<string, string>
   expectedFeeToken?: TempoAddress.Address | undefined
   now?: Date | undefined
+  policy?: Partial<Policy> | undefined
   transaction: ReturnType<(typeof Transaction)['deserialize']>
 }) {
   const {
@@ -94,8 +130,10 @@ export function prepareSponsoredTransaction(parameters: {
     details,
     expectedFeeToken,
     now = new Date(),
+    policy: policyOverrides,
     transaction,
   } = parameters
+  const policy = getPolicy(chainId, policyOverrides)
 
   const {
     accessList,

package/src/tempo/server/Charge.test.ts

@@ -15,7 +15,7 @@ import { Abis, Account, Actions, Addresses, Secp256k1, Tick, Transaction } from
 import { beforeAll, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 import { closeChannelOnChain, deployEscrow, openChannel } from '~test/tempo/session.js'
-import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
+import { accounts, asset, chain, client, fundAccount, http } from '~test/tempo/viem.js'
 
 import * as Store from '../../Store.js'
 import * as Attribution from '../Attribution.js'
@@ -25,6 +25,11 @@ import { signVoucher } from '../session/Voucher.js'
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
 
+type ProofAccessKeyContext = {
+  accessKey: ReturnType<typeof Account.fromSecp256k1>
+  rootAccount: (typeof accounts)[number]
+}
+
 const server = Mppx_server.create({
   methods: [
     tempo_server.charge({
@@ -119,6 +124,166 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: client rejects unsupported explicit push mode', async () => {
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'push',
+            getClient: () => client,
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6, supportedModes: ['pull'] }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      await expect(mppx.createCredential(response)).rejects.toThrow(
+        'Challenge does not support push mode.',
+      )
+
+      httpServer.close()
+    })
+
+    test('behavior: falls back to pull when push is not advertised', async () => {
+      const jsonRpcClient = createClient({
+        account: accounts[0].address,
+        chain,
+        transport: http(),
+      })
+
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            getClient: () => jsonRpcClient,
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            amount: '1',
+            decimals: 6,
+            recipient: accounts[2].address,
+            supportedModes: ['pull'],
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const credential = Credential.deserialize<{ type: 'hash' | 'proof' | 'transaction' }>(
+        await mppx.createCredential(response),
+      )
+      expect(credential.payload.type).toBe('transaction')
+
+      const authResponse = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(credential) },
+      })
+      expect(authResponse.status).toBe(200)
+
+      httpServer.close()
+    })
+
+    test('behavior: rejects hash credential when challenge supports only pull', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6, supportedModes: ['pull'] }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+
+      const rejected = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(credential) },
+      })
+      expect(rejected.status).toBe(402)
+
+      const body = (await rejected.json()) as { detail: string }
+      expect(body.detail).toContain('Hash credentials are not supported for this challenge.')
+
+      httpServer.close()
+    })
+
+    test('behavior: rejects transaction credential when challenge supports only push', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6, supportedModes: ['push'] }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+
+      const prepared = await prepareTransactionRequest(client, {
+        account: accounts[1]!,
+        calls: [
+          Actions.token.transfer.call({
+            amount: BigInt(challenge.request.amount),
+            to: challenge.request.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+        ],
+        nonceKey: 'expiring',
+      } as never)
+      prepared.gas = prepared.gas! + 5_000n
+      const signature = await signTransaction(client, prepared as never)
+
+      const credential = Credential.from({
+        challenge,
+        payload: { signature, type: 'transaction' as const },
+      })
+
+      const rejected = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(credential) },
+      })
+      expect(rejected.status).toBe(402)
+
+      const body = (await rejected.json()) as { detail: string }
+      expect(body.detail).toContain('Transaction credentials are not supported for this challenge.')
+
+      httpServer.close()
+    })
+
     test('behavior: rejects replayed transaction hash', async () => {
       const dedupServer = Mppx_server.create({
         methods: [
@@ -2114,6 +2279,124 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    for (const testCase of [
+      {
+        name: 'accepts proof signed by an authorized access key for the root source',
+        expectedStatus: 200,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an unauthorized access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+      },
+      {
+        name: 'rejects proof signed by a revoked access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+          await fundAccount({ address: rootAccount.address, token: asset })
+          await Actions.accessKey.revokeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an expired access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            expiry: Math.floor(Date.now() / 1000) + 10,
+            feeToken: asset,
+          })
+
+          const metadata = await Actions.accessKey.getMetadata(client, {
+            account: rootAccount.address,
+            accessKey,
+          })
+          const originalNow = Date.now
+          Date.now = () => (Number(metadata.expiry) + 5) * 1000
+
+          return () => {
+            Date.now = originalNow
+          }
+        },
+      },
+    ] as const) {
+      test(`behavior: ${testCase.name}`, async () => {
+        const rootAccount = accounts[1]
+        const accessKey = Account.fromSecp256k1(Secp256k1.randomPrivateKey(), {
+          access: rootAccount,
+        })
+
+        let cleanup: (() => void) | undefined
+        let httpServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
+
+        try {
+          const maybeCleanup = await testCase.prepare?.({ accessKey, rootAccount })
+          cleanup = typeof maybeCleanup === 'function' ? maybeCleanup : undefined
+
+          httpServer = await Http.createServer(async (req, res) => {
+            const result = await Mppx_server.toNodeListener(
+              server.charge({ amount: '0', decimals: 6 }),
+            )(req, res)
+            if (result.status === 402) return
+            res.end('OK')
+          })
+
+          const response1 = await fetch(httpServer.url)
+          expect(response1.status).toBe(402)
+
+          const challenge = Challenge.fromResponse(response1, {
+            methods: [tempo_client.charge()],
+          })
+
+          const signature = await signTypedData(client, {
+            account: accessKey,
+            domain: Proof.domain(chain.id),
+            types: Proof.types,
+            primaryType: 'Proof',
+            message: Proof.message(challenge.id),
+          })
+
+          const credential = Credential.from({
+            challenge,
+            payload: { signature, type: 'proof' as const },
+            source: `did:pkh:eip155:${chain.id}:${rootAccount.address}`,
+          })
+
+          const response2 = await fetch(httpServer.url, {
+            headers: { Authorization: Credential.serialize(credential) },
+          })
+          expect(response2.status).toBe(testCase.expectedStatus)
+
+          if (testCase.expectedDetail) {
+            const body = (await response2.json()) as { detail: string }
+            expect(body.detail).toContain(testCase.expectedDetail)
+          }
+        } finally {
+          cleanup?.()
+          httpServer?.close()
+        }
+      })
+    }
+
     test('behavior: rejects replayed proof credential when store is configured', async () => {
       const replayStore = Store.memory()
       const server_ = Mppx_server.create({
@@ -2993,6 +3276,31 @@ describe('tempo', () => {
       })
       expect(challenge.request.currency).toBe(asset)
     })
+
+    test('challenge contains supportedModes when configured', async () => {
+      const handler = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient: () => client,
+            account: accounts[0].address,
+            currency: asset,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const result = await handler.charge({ amount: '1', supportedModes: ['pull'] })(
+        new Request('https://example.com'),
+      )
+      expect(result.status).toBe(402)
+      if (result.status !== 402) throw new Error()
+
+      const challenge = Challenge.fromResponse(result.challenge, {
+        methods: [tempo_client.charge()],
+      })
+      expect(challenge.request.methodDetails?.supportedModes).toEqual(['pull'])
+    })
   })
 
   describe('attribution memo', () => {

package/src/tempo/server/Charge.ts

@@ -1,6 +1,8 @@
+import * as SignatureEnvelope from 'ox/tempo/SignatureEnvelope'
 import {
   decodeFunctionData,
   formatUnits,
+  hashTypedData,
   keccak256,
   parseEventLogs,
   type TransactionReceipt,
@@ -58,6 +60,7 @@ export function charge<const parameters extends charge.Parameters>(
     decimals = defaults.decimals,
     description,
     externalId,
+    feePayerPolicy,
     html,
     memo,
     waitForConfirmation = true,
@@ -160,6 +163,9 @@ export function charge<const parameters extends charge.Parameters>(
 
       const { amount, methodDetails } = resolvedRequest
       const expires = challenge.expires
+      const supportedModes = methodDetails?.supportedModes as
+        | readonly Methods.ChargeMode[]
+        | undefined
 
       const currency = resolvedRequest.currency as `0x${string}`
       const recipient = resolvedRequest.recipient as `0x${string}`
@@ -176,6 +182,9 @@ export function charge<const parameters extends charge.Parameters>(
 
       switch (payload.type) {
         case 'hash': {
+          if (supportedModes && !supportedModes.includes('push'))
+            throw new MismatchError('Hash credentials are not supported for this challenge.', {})
+
           const hash = payload.hash as `0x${string}`
           if (!(await markHashUsed(store, hash))) {
             throw new VerificationFailedError({ reason: 'Transaction hash has already been used' })
@@ -227,7 +236,21 @@ export function charge<const parameters extends charge.Parameters>(
             message: Proof.message(challenge.id),
             signature: payload.signature as `0x${string}`,
           })
-          if (!valid) throw new MismatchError('Proof signature does not match source.', {})
+          if (!valid) {
+            const proofSigner = recoverAuthorizedProofSigner({
+              chainId: resolvedChainId,
+              challengeId: challenge.id,
+              signature: payload.signature as `0x${string}`,
+              sourceAddress: source.address,
+            })
+            const authorized = proofSigner
+              ? await isActiveAccessKey(client, {
+                  accessKey: proofSigner,
+                  account: source.address,
+                })
+              : false
+            if (!authorized) throw new MismatchError('Proof signature does not match source.', {})
+          }
 
           if (proofStore && !(await markProofUsed(proofStore, challenge.id))) {
             throw new VerificationFailedError({ reason: 'Proof credential has already been used' })
@@ -242,6 +265,12 @@ export function charge<const parameters extends charge.Parameters>(
         }
 
         case 'transaction': {
+          if (supportedModes && !supportedModes.includes('pull'))
+            throw new MismatchError(
+              'Transaction credentials are not supported for this challenge.',
+              {},
+            )
+
           const serializedTransaction = payload.signature as Transaction.TransactionSerializedTempo
 
           // Pre-broadcast dedup: catch exact byte-for-byte replays early.
@@ -285,6 +314,7 @@ export function charge<const parameters extends charge.Parameters>(
                   chainId: chainId ?? client.chain!.id,
                   details: { amount, currency, recipient },
                   expectedFeeToken,
+                  policy: feePayerPolicy,
                   transaction: {
                     ...transaction,
                     ...(resolvedFeeToken ? { feeToken: resolvedFeeToken } : {}),
@@ -369,6 +399,15 @@ export declare namespace charge {
   type Parameters = {
     /** Render payment page when Accept header is text/html (e.g. in browsers) */
     html?: boolean | Html.Config | undefined
+    /**
+     * Override the fee-sponsor policy used when co-signing Tempo charge
+     * transactions. Defaults resolve per chain, including a higher
+     * priority-fee ceiling on Moderato.
+     *
+     * If you increase `maxGas` or `maxFeePerGas`, you may also need to raise
+     * `maxTotalFee` so the combined fee budget remains valid.
+     */
+    feePayerPolicy?: FeePayerPolicy | undefined
     /** Testnet mode. */
     testnet?: boolean | undefined
     /**
@@ -408,6 +447,8 @@ export declare namespace charge {
   > & {
     decimals: number
   }
+
+  type FeePayerPolicy = Partial<FeePayer.Policy>
 }
 
 type ExpectedTransfer = {
@@ -651,6 +692,63 @@ async function markProofUsed(
   })
 }
 
+function recoverAuthorizedProofSigner(parameters: {
+  chainId: number
+  challengeId: string
+  signature: `0x${string}`
+  sourceAddress: `0x${string}`
+}): `0x${string}` | null {
+  const { chainId, challengeId, signature, sourceAddress } = parameters
+
+  try {
+    const envelope = SignatureEnvelope.from(signature)
+    const proofHash = hashTypedData({
+      domain: Proof.domain(chainId),
+      types: Proof.types,
+      primaryType: 'Proof',
+      message: Proof.message(challengeId),
+    })
+
+    if (envelope.type === 'keychain') {
+      if (!TempoAddress.isEqual(envelope.userAddress, sourceAddress)) return null
+
+      const keychainPayload =
+        envelope.version === 'v2'
+          ? keccak256(`0x04${proofHash.slice(2)}${sourceAddress.slice(2)}` as `0x${string}`)
+          : proofHash
+
+      const signer = SignatureEnvelope.extractAddress({
+        payload: keychainPayload,
+        signature: envelope.inner,
+      })
+      const valid = SignatureEnvelope.verify(envelope.inner, {
+        address: signer,
+        payload: keychainPayload,
+      })
+      if (!valid) return null
+
+      return signer
+    }
+
+    return SignatureEnvelope.extractAddress({ payload: proofHash, signature: envelope })
+  } catch {
+    return null
+  }
+}
+
+async function isActiveAccessKey(
+  client: Awaited<ReturnType<ReturnType<typeof Client.getResolver>>>,
+  parameters: { account: `0x${string}`; accessKey: `0x${string}` },
+): Promise<boolean> {
+  try {
+    const metadata = await Actions.accessKey.getMetadata(client, parameters)
+    const nowSeconds = BigInt(Math.floor(Date.now() / 1000))
+    return !metadata.isRevoked && metadata.expiry > nowSeconds
+  } catch {
+    return false
+  }
+}
+
 /** @internal */
 function toReceipt(receipt: TransactionReceipt) {
   const { status, transactionHash } = receipt