mppx 0.6.10 → 0.6.12

package/dist/tempo/server/internal/html.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"html.gen.js","sourceRoot":"","sources":["../../../../src/tempo/server/internal/html.gen.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,MAAM,CAAC,MAAM,IAAI,GAAG,6wtcAA6wtc,CAAA"}
+{"version":3,"file":"html.gen.js","sourceRoot":"","sources":["../../../../src/tempo/server/internal/html.gen.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,MAAM,CAAC,MAAM,IAAI,GAAG,ixtcAAixtc,CAAA"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mppx",
   "type": "module",
-  "version": "0.6.10",
+  "version": "0.6.12",
   "main": "./dist/index.js",
   "license": "MIT",
   "files": [

package/src/cli/cli.test.ts

@@ -4,13 +4,13 @@ import * as os from 'node:os'
 import * as path from 'node:path'
 import { pathToFileURL } from 'node:url'
 
-import { parseUnits } from 'viem'
+import { decodeFunctionData, erc20Abi, parseUnits, type Address } from 'viem'
 import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts'
-import { Addresses } from 'viem/tempo'
+import { Addresses, Transaction } from 'viem/tempo'
 import { afterAll, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 import { rpcUrl } from '~test/tempo/prool.js'
-import { deployEscrow } from '~test/tempo/session.js'
+import { deployEscrow, escrowAbi } from '~test/tempo/session.js'
 import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
 
 import * as Challenge from '../Challenge.js'
@@ -29,6 +29,10 @@ import cli from './cli.js'
 const testPrivateKey = generatePrivateKey()
 const testAccount = privateKeyToAccount(testPrivateKey)
 const cliTestXdgDataHome = fs.mkdtempSync(path.join(os.tmpdir(), 'mppx-cli-xdg-'))
+const cliSessionFeePayerPolicy = {
+  maxGas: 2_250_000n,
+  maxTotalFee: 60_000_000_000_000_000n,
+}
 
 afterAll(() => {
   fs.rmSync(cliTestXdgDataHome, { recursive: true, force: true })
@@ -698,6 +702,7 @@ describe('session multi-fetch (examples/session/multi-fetch)', () => {
           escrowContract: escrow,
           chainId: client.chain.id,
           feePayer: true,
+          feePayerPolicy: cliSessionFeePayerPolicy,
         }),
       ],
       realm: 'cli-test-multifetch',
@@ -727,6 +732,89 @@ describe('session multi-fetch (examples/session/multi-fetch)', () => {
     }
   })
 
+  test('prefers CLI deposit over server suggestedDeposit', { timeout: 120_000 }, async () => {
+    await fundAccount({ address: testAccount.address, token: Addresses.pathUsd })
+    await fundAccount({ address: testAccount.address, token: asset })
+
+    const escrow = await deployEscrow()
+    let openCredential: SessionCredentialPayload | undefined
+
+    const httpServer = await Http.createServer(async (req, res) => {
+      const authHeader = req.headers.authorization
+      if (!authHeader) {
+        res.writeHead(402, {
+          'WWW-Authenticate': Challenge.serialize(
+            Challenge.from({
+              id: 'cli-deposit-override',
+              realm: 'cli-test-deposit-override',
+              method: 'tempo',
+              intent: 'session',
+              request: {
+                amount: '1000000',
+                currency: asset,
+                decimals: 6,
+                recipient: accounts[0].address,
+                suggestedDeposit: '7000000',
+                unitType: 'token',
+                methodDetails: {
+                  chainId: chain.id,
+                  escrowContract: escrow,
+                },
+              },
+            }),
+          ),
+        })
+        res.end()
+        return
+      }
+
+      try {
+        const cred = Credential.deserialize<SessionCredentialPayload>(authHeader)
+        if (cred.payload.action === 'open') openCredential = cred.payload
+      } catch {}
+
+      res.writeHead(200)
+      res.end('scraped-content')
+    })
+
+    try {
+      await serve([httpServer.url, '--rpc-url', rpcUrl, '-s', '-M', 'deposit=10'], {
+        env: { MPPX_PRIVATE_KEY: testPrivateKey },
+      })
+
+      expect(openCredential).toBeDefined()
+      expect(openCredential?.action).toBe('open')
+      if (!openCredential || openCredential.action !== 'open')
+        throw new Error('missing open credential')
+
+      const transaction = Transaction.deserialize(openCredential.transaction)
+      if (!('calls' in transaction)) throw new Error('unexpected transaction type')
+      const [approveCall, openCall] = transaction.calls as readonly [
+        { to?: Address; data?: `0x${string}` },
+        { to?: Address; data?: `0x${string}` },
+      ]
+      const approve = decodeFunctionData({ abi: erc20Abi, data: approveCall.data ?? '0x' })
+      const open = decodeFunctionData({ abi: escrowAbi, data: openCall.data ?? '0x' })
+      const approveArgs = approve.args as readonly [Address, bigint]
+      const openArgs = open.args as readonly [Address, Address, bigint, string, Address]
+
+      expect(approveCall.to).toBe(asset)
+      expect(approve.functionName).toBe('approve')
+      expect(approveArgs[0].toLowerCase()).toBe(escrow.toLowerCase())
+      expect(approveArgs[1]).toBe(10_000_000n)
+
+      expect(openCall.to?.toLowerCase()).toBe(escrow.toLowerCase())
+      expect(open.functionName).toBe('open')
+      expect(openArgs[0].toLowerCase()).toBe(accounts[0].address.toLowerCase())
+      expect(openArgs[1].toLowerCase()).toBe(asset.toLowerCase())
+      expect(openArgs[2]).toBe(10_000_000n)
+      expect(openArgs[3]).toEqual(expect.any(String))
+      expect(openArgs[4].toLowerCase()).toBe(testAccount.address.toLowerCase())
+    } finally {
+      httpServer.close()
+    }
+  })
+
   test('bug: non-SSE open should not double-charge tick amount', { timeout: 120_000 }, async () => {
     await fundAccount({ address: testAccount.address, token: Addresses.pathUsd })
     await fundAccount({ address: testAccount.address, token: asset })
@@ -744,6 +832,7 @@ describe('session multi-fetch (examples/session/multi-fetch)', () => {
           escrowContract: escrow,
           chainId: client.chain.id,
           feePayer: true,
+          feePayerPolicy: cliSessionFeePayerPolicy,
         }),
       ],
       realm: 'cli-test-double-charge',
@@ -806,6 +895,7 @@ describe('session multi-fetch (examples/session/multi-fetch)', () => {
           escrowContract: escrow,
           chainId: client.chain.id,
           feePayer: true,
+          feePayerPolicy: cliSessionFeePayerPolicy,
         }),
       ],
       realm: 'cli-test-close-action',
@@ -883,6 +973,7 @@ describe('session sse (examples/session/sse)', () => {
           escrowContract: escrow,
           chainId: client.chain.id,
           feePayer: true,
+          feePayerPolicy: cliSessionFeePayerPolicy,
         }),
       ],
       realm: 'cli-test-sse',

package/src/cli/plugins/tempo.ts

@@ -164,7 +164,7 @@ export function tempo() {
             .suggestedDeposit as string | undefined
           const cliDeposit = tempoOpts.deposit !== undefined ? String(tempoOpts.deposit) : undefined
           const resolved =
-            suggestedDeposit ?? cliDeposit ?? (isTestnet(client!.chain!) ? '10' : undefined)
+            cliDeposit ?? suggestedDeposit ?? (isTestnet(client!.chain!) ? '10' : undefined)
           if (!resolved) {
             throw new Errors.IncurError({
               code: 'MISSING_DEPOSIT',

package/src/tempo/client/ChannelOps.test.ts

@@ -51,12 +51,12 @@ function makeChallenge(overrides?: Partial<Challenge>): Challenge {
 }
 
 describe('resolveEscrow', () => {
-  test('prefers challenge.request.methodDetails.escrowContract', () => {
+  test('prefers escrowContractOverride over challenge.request.methodDetails.escrowContract', () => {
     const challenge = {
       request: { methodDetails: { escrowContract: '0xChallengeEscrow' } },
     }
     const result = resolveEscrow(challenge, 42431, '0xOverride' as Address)
-    expect(result).toBe('0xChallengeEscrow')
+    expect(result).toBe('0xOverride')
   })
 
   test('falls back to escrowContractOverride', () => {

package/src/tempo/client/ChannelOps.ts

@@ -46,8 +46,8 @@ export function resolveEscrow(
   const challengeEscrow = (challenge.request.methodDetails as { escrowContract?: string })
     ?.escrowContract as Address | undefined
   const escrow =
-    challengeEscrow ??
     escrowContractOverride ??
+    challengeEscrow ??
     defaults.escrowContract[chainId as keyof typeof defaults.escrowContract]
   if (!escrow)
     throw new Error(

package/src/tempo/client/Session.test.ts

@@ -1,6 +1,6 @@
-import { type Address, createClient, type Hex, http } from 'viem'
+import { type Address, createClient, decodeFunctionData, erc20Abi, type Hex, http } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
-import { Addresses } from 'viem/tempo'
+import { Addresses, Transaction } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vp/test'
 import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
@@ -11,6 +11,7 @@ const isLocalnet = nodeEnv === 'localnet'
 import * as Challenge from '../../Challenge.js'
 import * as Credential from '../../Credential.js'
 import { chainId, escrowContract as escrowContractDefaults } from '../internal/defaults.js'
+import { escrowAbi } from '../session/Chain.js'
 import type { SessionCredentialPayload } from '../session/Types.js'
 import { session } from './Session.js'
 
@@ -287,11 +288,11 @@ describe.runIf(isLocalnet)('session (on-chain)', () => {
       expect(cred.source).toContain(`did:pkh:eip155:${chain.id}:`)
     })
 
-    test('suggestedDeposit alone', async () => {
+    test('suggestedDeposit used when below maxDeposit', async () => {
       const method = session({
         getClient: () => client,
         account: payer,
-        deposit: '99',
+        maxDeposit: '10',
         escrowContract,
       })
 
@@ -306,6 +307,61 @@ describe.runIf(isLocalnet)('session (on-chain)', () => {
       }
     })
 
+    test('prefers local escrowContract and deposit over server challenge overrides', async () => {
+      const maliciousEscrow = '0x4444444444444444444444444444444444444444' as Address
+      const method = session({
+        getClient: () => client,
+        account: payer,
+        deposit: '10',
+        escrowContract,
+      })
+
+      const result = await method.createCredential({
+        challenge: makeLiveChallenge({
+          suggestedDeposit: '7000000',
+          methodDetails: {
+            chainId: chain.id,
+            escrowContract: maliciousEscrow,
+          },
+        }),
+        context: {},
+      })
+
+      const cred = deserializePayload(result)
+      expect(cred.payload.action).toBe('open')
+      if (cred.payload.action !== 'open') throw new Error('unexpected action')
+
+      const transaction = Transaction.deserialize(cred.payload.transaction)
+      if (!('calls' in transaction)) throw new Error('unexpected transaction type')
+      const [approveCall, openCall] = transaction.calls as readonly [
+        { to?: Address; data?: Hex },
+        { to?: Address; data?: Hex },
+      ]
+      const approve = decodeFunctionData({
+        abi: erc20Abi,
+        data: approveCall.data ?? '0x',
+      })
+      const open = decodeFunctionData({
+        abi: escrowAbi,
+        data: openCall.data ?? '0x',
+      })
+      const approveArgs = approve.args as readonly [Address, bigint]
+      const openArgs = open.args as readonly [Address, Address, bigint, string, Address]
+
+      expect(approveCall.to).toBe(asset)
+      expect(approve.functionName).toBe('approve')
+      expect(approveArgs[0].toLowerCase()).toBe(escrowContract.toLowerCase())
+      expect(approveArgs[1]).toBe(10_000_000n)
+
+      expect(openCall.to?.toLowerCase()).toBe(escrowContract.toLowerCase())
+      expect(open.functionName).toBe('open')
+      expect(openArgs[0].toLowerCase()).toBe(payee.toLowerCase())
+      expect(openArgs[1].toLowerCase()).toBe(asset.toLowerCase())
+      expect(openArgs[2]).toBe(10_000_000n)
+      expect(openArgs[3]).toEqual(expect.any(String))
+      expect(openArgs[4].toLowerCase()).toBe(payer.address.toLowerCase())
+    })
+
     test('maxDeposit alone', async () => {
       const method = session({
         getClient: () => client,

package/src/tempo/client/Session.ts

@@ -131,11 +131,11 @@ export function session(parameters: session.Parameters = {}) {
 
     const deposit = (() => {
       if (context?.depositRaw) return BigInt(context.depositRaw)
+      if (parameters.deposit !== undefined) return parseUnits(parameters.deposit, decimals)
       if (suggestedDeposit !== undefined && maxDeposit !== undefined)
         return suggestedDeposit < maxDeposit ? suggestedDeposit : maxDeposit
-      if (suggestedDeposit !== undefined) return suggestedDeposit
       if (maxDeposit !== undefined) return maxDeposit
-      if (parameters.deposit !== undefined) return parseUnits(parameters.deposit, decimals)
+      if (suggestedDeposit !== undefined) return suggestedDeposit
       throw new Error(
         'No deposit amount available. Set `deposit`, `maxDeposit`, or ensure the server challenge includes `suggestedDeposit`.',
       )

package/src/tempo/server/Charge.test.ts

@@ -890,6 +890,7 @@ describe('tempo', () => {
       const splits = challenge.request.methodDetails?.splits ?? []
       const primaryAmount =
         BigInt(challenge.request.amount) - BigInt(splits[0]!.amount) - BigInt(splits[1]!.amount)
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
 
       const prepared = await prepareTransactionRequest(client, {
         account: accounts[1]!,
@@ -901,6 +902,7 @@ describe('tempo', () => {
           }),
           Actions.token.transfer.call({
             amount: primaryAmount,
+            memo: memo as Hex.Hex,
             to: challenge.request.recipient as Hex.Hex,
             token: challenge.request.currency as Hex.Hex,
           }),
@@ -2139,6 +2141,7 @@ describe('tempo', () => {
       const splits = challenge.request.methodDetails?.splits ?? []
       const primaryAmount =
         BigInt(challenge.request.amount) - BigInt(splits[0]!.amount) - BigInt(splits[1]!.amount)
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
 
       const prepared = await prepareTransactionRequest(client, {
         account: accounts[1]!,
@@ -2150,6 +2153,7 @@ describe('tempo', () => {
           }),
           Actions.token.transfer.call({
             amount: primaryAmount,
+            memo: memo as Hex.Hex,
             to: challenge.request.recipient as Hex.Hex,
             token: challenge.request.currency as Hex.Hex,
           }),
@@ -3640,6 +3644,147 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('server rejects transaction with wrong challenge nonce (stolen signed tx)', async () => {
+      const chargeServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'pull',
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          chargeServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+
+      const credential1 = await mppx.createCredential(challengeResponse1)
+      const decoded1 = Credential.deserialize<{
+        signature: string
+        type: 'transaction'
+      }>(credential1)
+      const challenge2 = Challenge.fromResponse(challengeResponse2, {
+        methods: [tempo_client.charge()],
+      })
+
+      const replayCredential = Credential.serialize(
+        Credential.from({
+          challenge: challenge2,
+          payload: decoded1.payload,
+        }),
+      )
+
+      const replayResponse = await fetch(httpServer.url, {
+        headers: { Authorization: replayCredential },
+      })
+      expect(replayResponse.status).toBe(402)
+      const body = (await replayResponse.json()) as { detail: string }
+      expect(body.detail).toContain('memo is not bound to this challenge')
+
+      httpServer.close()
+    })
+
+    test('server rejects optimistic transaction with wrong challenge nonce', async () => {
+      const chargeServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+            waitForConfirmation: false,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'pull',
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          chargeServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+
+      const credential1 = await mppx.createCredential(challengeResponse1)
+      const decoded1 = Credential.deserialize<{
+        signature: string
+        type: 'transaction'
+      }>(credential1)
+      const challenge2 = Challenge.fromResponse(challengeResponse2, {
+        methods: [tempo_client.charge()],
+      })
+
+      const replayCredential = Credential.serialize(
+        Credential.from({
+          challenge: challenge2,
+          payload: decoded1.payload,
+        }),
+      )
+
+      const replayResponse = await fetch(httpServer.url, {
+        headers: { Authorization: replayCredential },
+      })
+      expect(replayResponse.status).toBe(402)
+      const body = (await replayResponse.json()) as { detail: string }
+      expect(body.detail).toContain('memo is not bound to this challenge')
+
+      httpServer.close()
+    })
+
     test('server rejects plain transfer without challenge-bound memo', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(

package/src/tempo/server/Charge.ts

@@ -310,7 +310,16 @@ export function charge<const parameters extends charge.Parameters>(
             }[]
             const transfers = getExpectedTransfers({ amount, memo, methodDetails, recipient })
             const isFeePayerTx = !!(feePayer || feePayerUrl) && methodDetails?.feePayer !== false
-            assertTransferCalls(calls, { currency, exactCount: isFeePayerTx, transfers })
+            const matchedCalls = assertTransferCalls(calls, {
+              currency,
+              exactCount: isFeePayerTx,
+              transfers,
+            })
+            if (!memo)
+              assertChallengeBoundCallMemo(matchedCalls, {
+                challengeId: challenge.id,
+                realm: challenge.realm,
+              })
 
             if (isFeePayerTx)
               FeePayer.validateCalls(transaction.calls, { amount, currency, recipient })
@@ -347,11 +356,16 @@ export function charge<const parameters extends charge.Parameters>(
               const receipt = await sendRawTransactionSync(client, {
                 serializedTransaction: serializedTransaction_final,
               })
-              assertTransferLogs(receipt, {
+              const matchedLogs = assertTransferLogs(receipt, {
                 currency,
                 sender: transaction.from! as `0x${string}`,
                 transfers,
               })
+              if (!memo)
+                assertChallengeBoundMemo(matchedLogs, {
+                  challengeId: challenge.id,
+                  realm: challenge.realm,
+                })
               // Post-broadcast dedup: catch malleable input variants
               // (different serialized bytes, same underlying tx) that
               // bypass the pre-broadcast check. Skip if the broadcast
@@ -511,8 +525,6 @@ function assertTransferCalls(
       actualCalls: String(transferCalls.length),
     })
 
-  const used = new Set<number>()
-
   // Match memo-specific transfers before wildcards to avoid greedy
   // consumption of memo-bearing calls by allowAnyMemo entries.
   const sorted = [...parameters.transfers].sort((a, b) => {
@@ -521,6 +533,8 @@ function assertTransferCalls(
     return 0
   })
 
+  const used = new Set<number>()
+  const matched: Charge_internal.Transfer[] = []
   for (const expected of sorted) {
     const matchIndex = transferCalls.findIndex((call, index) => {
       if (used.has(index)) return false
@@ -545,7 +559,10 @@ function assertTransferCalls(
     }
 
     used.add(matchIndex)
+    matched.push(decodeTransferCall(transferCalls[matchIndex]!, parameters.currency)!)
   }
+
+  return matched
 }
 
 function getTransferCalls(
@@ -814,6 +831,21 @@ function assertChallengeBoundMemo(
     throw new MismatchError('Payment verification failed: memo is not bound to this challenge.', {})
 }
 
+function assertChallengeBoundCallMemo(
+  matchedCalls: readonly Charge_internal.Transfer[],
+  parameters: { challengeId: string; realm: string },
+) {
+  const bound = matchedCalls.some((call) => {
+    if (!call.memo) return false
+    const memo = call.memo as `0x${string}`
+    if (!Attribution.verifyServer(memo, parameters.realm)) return false
+    return Attribution.verifyChallengeBinding(memo, parameters.challengeId)
+  })
+
+  if (!bound)
+    throw new MismatchError('Payment verification failed: memo is not bound to this challenge.', {})
+}
+
 /** @internal */
 class MismatchError extends PaymentError {
   override readonly name = 'MismatchError'