mppx 0.5.13 → 0.5.16

package/src/proxy/Proxy.test.ts

@@ -1,16 +1,22 @@
 import { Challenge, Credential, Method, Receipt, z } from 'mppx'
 import { Mppx as Mppx_client, tempo as tempo_client } from 'mppx/client'
 import { Mppx as Mppx_server, tempo as tempo_server } from 'mppx/server'
-import { afterEach, describe, expect, test } from 'vp/test'
+import type { Address } from 'viem'
+import { afterEach, beforeAll, describe, expect, test } from 'vp/test'
+import { nodeEnv } from '~test/config.js'
 import * as Http from '~test/Http.js'
+import { deployEscrow } from '~test/tempo/session.js'
 import { accounts, asset, client } from '~test/tempo/viem.js'
 
+import { sessionManager } from '../tempo/client/SessionManager.js'
+import { deserializeSessionReceipt } from '../tempo/session/Receipt.js'
 import * as ApiProxy from './Proxy.js'
 import * as Service from './Service.js'
 import { anthropic } from './services/anthropic.js'
 import { openai } from './services/openai.js'
 
 const secretKey = 'test-secret-key'
+const isLocalnet = nodeEnv === 'localnet'
 
 const mppx_server = Mppx_server.create({
   methods: [
@@ -36,6 +42,12 @@ const mppx_client = Mppx_client.create({
 
 let upstream: Awaited<ReturnType<typeof Http.createServer>> | undefined
 let proxyServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
+let sessionEscrow: Address
+
+beforeAll(async () => {
+  if (!isLocalnet) return
+  sessionEscrow = await deployEscrow()
+})
 
 afterEach(() => {
   upstream?.close()
@@ -696,3 +708,139 @@ describe('create', () => {
     expect(await res.json()).toEqual({ search: '?q=hello&limit=10' })
   })
 })
+
+describe.runIf(isLocalnet)('plain HTTP session proxy', () => {
+  test('charges proxied content requests and keeps management POSTs off the upstream', async () => {
+    let upstreamRequests = 0
+    upstream = await createUpstream((req) => {
+      upstreamRequests += 1
+      return Response.json({
+        method: req.method,
+        path: new URL(req.url).pathname,
+      })
+    })
+
+    const sessionHandler = Mppx_server.create({
+      methods: [
+        tempo_server.session({
+          account: accounts[0],
+          currency: asset,
+          escrowContract: sessionEscrow,
+          getClient: () => client,
+          chainId: client.chain!.id,
+        }),
+      ],
+      secretKey,
+    })
+
+    const proxy = ApiProxy.create({
+      services: [
+        Service.from('api', {
+          baseUrl: upstream.url,
+          routes: {
+            'GET /v1/scrape': sessionHandler.session({
+              amount: '1',
+              decimals: 6,
+              unitType: 'page',
+            }),
+          },
+        }),
+      ],
+    })
+    proxyServer = await Http.createServer(proxy.listener)
+
+    const manager = sessionManager({
+      account: accounts[1],
+      client,
+      escrowContract: sessionEscrow,
+      fetch: globalThis.fetch,
+      maxDeposit: '3',
+    })
+
+    const first = await manager.fetch(`${proxyServer.url}/api/v1/scrape`)
+    expect(first.status).toBe(200)
+    expect(await first.json()).toEqual({ method: 'GET', path: '/v1/scrape' })
+    expect(first.receipt?.spent).toBe('1000000')
+    expect(first.receipt?.units).toBe(1)
+
+    const second = await manager.fetch(`${proxyServer.url}/api/v1/scrape`)
+    expect(second.status).toBe(200)
+    expect(await second.json()).toEqual({ method: 'GET', path: '/v1/scrape' })
+    expect(second.receipt?.spent).toBe('2000000')
+    expect(second.receipt?.units).toBe(2)
+
+    const closeReceipt = await manager.close()
+    expect(closeReceipt?.status).toBe('success')
+    expect(closeReceipt?.spent).toBe('2000000')
+    expect(upstreamRequests).toBe(2)
+  })
+
+  test('attaches receipts to proxied error responses and rejects same-voucher replay', async () => {
+    upstream = await createUpstream(() =>
+      Response.json({ error: 'upstream failed' }, { status: 500 }),
+    )
+
+    const sessionHandler = Mppx_server.create({
+      methods: [
+        tempo_server.session({
+          account: accounts[0],
+          currency: asset,
+          escrowContract: sessionEscrow,
+          getClient: () => client,
+          chainId: client.chain!.id,
+        }),
+      ],
+      secretKey,
+    })
+
+    const proxy = ApiProxy.create({
+      services: [
+        Service.from('api', {
+          baseUrl: upstream.url,
+          routes: {
+            'GET /v1/scrape': sessionHandler.session({
+              amount: '1',
+              decimals: 6,
+              unitType: 'page',
+            }),
+          },
+        }),
+      ],
+    })
+    proxyServer = await Http.createServer(proxy.listener)
+
+    const sessionClient = Mppx_client.create({
+      polyfill: false,
+      methods: [
+        tempo_client({
+          account: accounts[1],
+          getClient: () => client,
+          maxDeposit: '2',
+        }),
+      ],
+    })
+
+    const challengeResponse = await fetch(`${proxyServer.url}/api/v1/scrape`)
+    expect(challengeResponse.status).toBe(402)
+
+    const authorization = await sessionClient.createCredential(challengeResponse)
+
+    const first = await fetch(`${proxyServer.url}/api/v1/scrape`, {
+      headers: { Authorization: authorization },
+    })
+    expect(first.status).toBe(500)
+    expect(await first.json()).toEqual({ error: 'upstream failed' })
+
+    const receiptHeader = first.headers.get('Payment-Receipt')
+    expect(receiptHeader).toBeTruthy()
+    const receipt = deserializeSessionReceipt(receiptHeader!)
+    expect(receipt.spent).toBe('1000000')
+    expect(receipt.units).toBe(1)
+
+    const replay = await fetch(`${proxyServer.url}/api/v1/scrape`, {
+      headers: { Authorization: authorization },
+    })
+    expect(replay.status).toBe(402)
+    expect(replay.headers.get('Payment-Receipt')).toBeNull()
+  })
+})

package/src/server/Mppx.test.ts

@@ -198,6 +198,7 @@ describe('request handler', () => {
         captureCount++
         return (
           baseTransport.captureRequest?.(request) ?? {
+            hasBody: request.body !== null,
             headers: new Headers(request.headers),
             method: request.method,
             url: new URL(request.url),
@@ -1389,6 +1390,38 @@ describe('compose', () => {
     expect(result.status).toBe(200)
   })
 
+  test('dispatches correctly with same name/intent and same economics but different meta', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod], realm, secretKey })
+
+    const handle = mppx.compose(
+      [alphaMethod, { ...challengeOpts, meta: { route: 'a' } }],
+      [alphaMethod, { ...challengeOpts, meta: { route: 'b' } }],
+    )
+
+    const firstResult = await handle(new Request('https://example.com/resource'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(firstResult.challenge)
+    expect(challenges).toHaveLength(2)
+    expect(challenges[0]?.opaque).toEqual({ route: 'a' })
+    expect(challenges[1]?.opaque).toEqual({ route: 'b' })
+
+    const secondChallenge = challenges[1]!
+    const credential = Credential.from({
+      challenge: secondChallenge,
+      payload: { token: 'valid' },
+    })
+
+    const result = await handle(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    expect(result.status).toBe(200)
+  })
+
   describe('html', () => {
     const htmlOptionsA = {
       config: { providerA: true },
@@ -1979,6 +2012,93 @@ describe('cross-route credential replay via scope binding flaw', () => {
     expect(result.status).toBe(402)
   })
 
+  test('rejects same-economics credential replayed across sibling routes with different meta', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    const routeA = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+      meta: { route: 'a' },
+    })
+    const routeB = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+      meta: { route: 'b' },
+    })
+
+    const routeAChallengeResult = await routeA(new Request('https://example.com/a'))
+    expect(routeAChallengeResult.status).toBe(402)
+    if (routeAChallengeResult.status !== 402) throw new Error()
+
+    const routeBChallengeResult = await routeB(new Request('https://example.com/b'))
+    expect(routeBChallengeResult.status).toBe(402)
+    if (routeBChallengeResult.status !== 402) throw new Error()
+
+    const routeAChallenge = Challenge.fromResponse(routeAChallengeResult.challenge)
+    const routeBChallenge = Challenge.fromResponse(routeBChallengeResult.challenge)
+
+    expect(routeAChallenge.opaque).toEqual({ route: 'a' })
+    expect(routeBChallenge.opaque).toEqual({ route: 'b' })
+
+    const credential = Credential.from({
+      challenge: routeAChallenge,
+      payload: { token: 'valid' },
+    })
+
+    const result = await routeB(
+      new Request('https://example.com/b', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+  })
+
+  test('rejects same-economics credential replayed across sibling routes when meta differs only by case', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    const routeA = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+      meta: { route: '0xAbC123' },
+    })
+    const routeB = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+      meta: { route: '0xabc123' },
+    })
+
+    const routeAChallengeResult = await routeA(new Request('https://example.com/a'))
+    expect(routeAChallengeResult.status).toBe(402)
+    if (routeAChallengeResult.status !== 402) throw new Error()
+
+    const routeAChallenge = Challenge.fromResponse(routeAChallengeResult.challenge)
+    const credential = Credential.from({
+      challenge: routeAChallenge,
+      payload: { token: 'valid' },
+    })
+
+    const result = await routeB(
+      new Request('https://example.com/b', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+  })
+
   test('rejects credential with mismatched method field', async () => {
     const otherMethod = Method.from({
       name: 'other',

package/src/server/Mppx.ts

@@ -366,12 +366,12 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
         // matches *this route's current configuration* when the request
         // hook transforms fields between calls.
         //
-        // This check compares only the economically significant "pinned"
-        // fields (method, intent, realm, amount, currency, recipient, etc.)
-        // that MUST be stable across both calls. Fields like `opaque`,
-        // `digest`, and `expires` don't need explicit pinning here because
-        // they are set by server config (not derived from the request hook)
-        // and are already fully covered by the HMAC binding in Tier 1.
+        // This check compares the fields that MUST be stable across both
+        // calls. That includes the economically significant request fields
+        // plus `opaque`, which can carry route-scoping metadata (for example,
+        // sibling route identity) that must not be replayable across handlers.
+        // `expires` still is not pinned here because its default is generated
+        // per invocation, and `digest` is already bound by the echoed HMAC.
         {
           const mismatch = getPinnedChallengeMismatch(challenge, credential.challenge)
           if (mismatch) {
@@ -561,12 +561,14 @@ async function captureRequest(
 
 function captureRequestFromInput(input: unknown): Method.CapturedRequest {
   const source = input as {
+    body?: unknown
     headers?: HeadersInit | undefined
     method?: string | undefined
     url?: string | URL | undefined
   }
 
   return {
+    hasBody: source.body !== undefined && source.body !== null,
     headers: new Headers(source.headers),
     method: source.method ?? 'POST',
     url: Transport.safeUrl(source.url),
@@ -580,7 +582,7 @@ const pinnedRequestBindingFields = [...coreBindingFields, ...methodBindingFields
 type CoreBindingField = (typeof coreBindingFields)[number]
 type MethodBindingField = (typeof methodBindingFields)[number]
 type PinnedRequestBindingField = (typeof pinnedRequestBindingFields)[number]
-type PinnedChallengeField = 'method' | 'intent' | 'realm' | PinnedRequestBindingField
+type PinnedChallengeField = 'method' | 'intent' | 'realm' | 'opaque' | PinnedRequestBindingField
 
 /**
  * Compares only the fields that MUST be stable across request-hook transforms.
@@ -601,6 +603,8 @@ function getPinnedChallengeMismatch(
     if (actualChallenge[field] !== expectedChallenge[field]) return field
   }
 
+  if (!opaqueValuesMatch(expectedChallenge.opaque, actualChallenge.opaque)) return 'opaque'
+
   return getPinnedRequestBindingMismatch(
     expectedChallenge.request as Record<string, unknown>,
     actualChallenge.request as Record<string, unknown>,
@@ -683,6 +687,13 @@ function normalizeComparable(value: unknown): unknown {
   return typeof value === 'string' ? normalizeHex(value) : value
 }
 
+function opaqueValuesMatch(
+  expected: Record<string, string> | undefined,
+  actual: Record<string, string> | undefined,
+): boolean {
+  return isDeepStrictEqual(expected, actual)
+}
+
 type CoreBinding = {
   [field in CoreBindingField]?: string
 }
@@ -739,6 +750,7 @@ type ConfiguredHandler = ((input: Request) => Promise<MethodFn.Response<Transpor
     name: string
     intent: string
     html: Html.Options | undefined
+    meta?: Record<string, string> | undefined
     _canonicalRequest: Record<string, unknown>
   }
 }
@@ -860,11 +872,15 @@ export function compose(
         // transformed fields (e.g. amount with decimals) match correctly.
         // Also checks inside methodDetails for fields moved there by transforms.
         const candidates = handlers.filter((h) => {
-          const meta = (h as ConfiguredHandler)._internal
-          if (!meta || meta.name !== credMethod || meta.intent !== credIntent) return false
-          const canonical = meta._canonicalRequest
+          const internal = (h as ConfiguredHandler)._internal
+          if (!internal || internal.name !== credMethod || internal.intent !== credIntent)
+            return false
+          const canonical = internal._canonicalRequest
           if (!canonical) return true
-          return !getPinnedRequestBindingMismatch(canonical, credReq)
+          return (
+            !getPinnedRequestBindingMismatch(canonical, credReq) &&
+            opaqueValuesMatch(internal.meta, credential.challenge.opaque)
+          )
         })
 
         const match =

package/src/server/Request.test.ts

@@ -112,7 +112,14 @@ describe('fromNodeListener', () => {
   test('streams body for POST requests', async () => {
     const [req, res] = createMockRequest({
       method: 'POST',
-      rawHeaders: ['Host', 'example.com', 'Content-Type', 'application/json'],
+      rawHeaders: [
+        'Host',
+        'example.com',
+        'Content-Length',
+        '17',
+        'Content-Type',
+        'application/json',
+      ],
     })
 
     const request = Request.fromNodeListener(req, res)
@@ -126,4 +133,42 @@ describe('fromNodeListener', () => {
     const body = await request.text()
     expect(body).toBe('{"hello":"world"}')
   })
+
+  test('does not attach a body stream for empty POST requests', () => {
+    const [req, res] = createMockRequest({
+      method: 'POST',
+      rawHeaders: ['Host', 'example.com'],
+    })
+
+    const request = Request.fromNodeListener(req, res)
+
+    expect(request.body).toBeNull()
+  })
+
+  test('does not attach a body stream for content-length: 0', () => {
+    const [req, res] = createMockRequest({
+      method: 'POST',
+      rawHeaders: ['Host', 'example.com', 'Content-Length', '0'],
+    })
+
+    const request = Request.fromNodeListener(req, res)
+
+    expect(request.body).toBeNull()
+  })
+
+  test('attaches a body stream for chunked POST requests', async () => {
+    const [req, res] = createMockRequest({
+      method: 'POST',
+      rawHeaders: ['Host', 'example.com', 'Transfer-Encoding', 'chunked'],
+    })
+
+    const request = Request.fromNodeListener(req, res)
+
+    setImmediate(() => {
+      req.emit('data', Buffer.from('hello'))
+      req.emit('end')
+    })
+
+    expect(await request.text()).toBe('hello')
+  })
 })

package/src/server/Request.ts

@@ -94,7 +94,7 @@ export function fromNodeListener(
     signal: controller.signal,
   }
 
-  if (method !== 'GET' && method !== 'HEAD') {
+  if (method !== 'GET' && method !== 'HEAD' && hasBody(headers)) {
     init.body = new ReadableStream({
       start(c) {
         req.on('data', (chunk: Buffer) => {
@@ -111,6 +111,11 @@ export function fromNodeListener(
   return new Request(url, init)
 }
 
+function hasBody(headers: Headers): boolean {
+  const contentLength = headers.get('content-length')
+  return (contentLength !== null && contentLength !== '0') || headers.has('transfer-encoding')
+}
+
 function normalizeRequestTarget(url: string | undefined): string {
   if (!url) return '/'
 

package/src/server/Transport.test.ts

@@ -43,6 +43,7 @@ describe('http', () => {
 
       const captured = await transport.captureRequest?.(request)
       expect(captured).toEqual({
+        hasBody: false,
         headers: new Headers(request.headers),
         method: 'POST',
         url: new URL('https://example.com/resource?foo=bar'),
@@ -431,6 +432,7 @@ describe('mcp', () => {
       const transport = Transport.mcp()
 
       expect(await transport.captureRequest?.(mcpRequest)).toEqual({
+        hasBody: true,
         headers: new Headers(),
         method: 'POST',
         url: new URL('mcp://request/tools%2Fcall'),

package/src/server/Transport.ts

@@ -125,6 +125,7 @@ export function http(): Http {
 
     captureRequest(request) {
       return {
+        hasBody: request.body !== null,
         headers: new Headers(request.headers),
         method: request.method,
         url: safeUrl(request.url),
@@ -221,6 +222,9 @@ export function mcp() {
 
     captureRequest(request) {
       return {
+        // MCP tool invocations are application content requests even though
+        // they do not carry HTTP body headers on the transport boundary.
+        hasBody: true,
         headers: new Headers(),
         method: 'POST',
         url: new URL(`mcp://request/${encodeURIComponent(request.method ?? 'unknown')}`),