mppx 0.6.12 → 0.6.14

package/src/cli/plugins/tempo.ts

@@ -247,6 +247,7 @@ export function tempo() {
       const channelId = parsed.payload.channelId
       const escrowContract = sessionMd?.escrowContract as Address | undefined
       const chainId = sessionMd?.chainId ?? 0
+      const tickCost = BigInt(challengeRequest.amount as string)
       let cumulativeAmount =
         'cumulativeAmount' in parsed.payload && parsed.payload.cumulativeAmount
           ? BigInt(parsed.payload.cumulativeAmount)
@@ -287,11 +288,11 @@ export function tempo() {
       if (receiptHeader) {
         try {
           const receiptJson = JSON.parse(Base64.toString(receiptHeader)) as Record<string, unknown>
+          assertReceiptWithinCliState(receiptJson, cumulativeAmount)
           if (
             typeof receiptJson.acceptedCumulative === 'string' &&
             receiptJson.acceptedCumulative
           ) {
-            cumulativeAmount = BigInt(receiptJson.acceptedCumulative)
             writeChannelCumulative(channelId, cumulativeAmount)
           }
           if (verbose >= 1)
@@ -315,6 +316,7 @@ export function tempo() {
           escrowContract,
           chainId,
           cumulativeAmount,
+          tickCost,
           fetchUrl,
           fetchInit,
           session: _session,
@@ -415,6 +417,24 @@ function printReceipt(
   if (opts.prefix) opts.info('\n')
 }
 
+function assertReceiptWithinCliState(
+  receiptJson: Record<string, unknown>,
+  cumulativeAmount: bigint,
+) {
+  if (typeof receiptJson.acceptedCumulative !== 'string') return
+  const acceptedCumulative = BigInt(receiptJson.acceptedCumulative)
+  const spent = typeof receiptJson.spent === 'string' ? BigInt(receiptJson.spent) : 0n
+  if (spent > acceptedCumulative) {
+    throw new Error('receipt spent exceeds accepted cumulative voucher amount')
+  }
+  if (acceptedCumulative > cumulativeAmount) {
+    throw new Error('receipt accepted cumulative exceeds locally signed voucher amount')
+  }
+  if (spent > cumulativeAmount) {
+    throw new Error('receipt spent exceeds locally signed voucher amount')
+  }
+}
+
 async function handleSseStream(
   response: Response,
   opts: {
@@ -423,6 +443,7 @@ async function handleSseStream(
     escrowContract: Address | undefined
     chainId: number
     cumulativeAmount: bigint
+    tickCost: bigint
     fetchUrl: string
     fetchInit: RequestInit
     session: {
@@ -500,7 +521,13 @@ async function handleSseStream(
             channelId: string
             requiredCumulative: string
           }
+          if (event.channelId !== opts.channelId) {
+            throw new Error('payment-need-voucher channelId does not match current session')
+          }
           const required = BigInt(event.requiredCumulative)
+          if (required > cumulativeAmount + opts.tickCost) {
+            throw new Error('payment-need-voucher exceeds next locally billable amount')
+          }
           cumulativeAmount = cumulativeAmount > required ? cumulativeAmount : required
 
           const voucherCred = await opts.session.signVoucher({

package/src/middlewares/express.test.ts

@@ -253,6 +253,33 @@ describe('session', () => {
 })
 
 describe('payment', () => {
+  test('short-circuits management responses', async () => {
+    let handlerRan = false
+    const managementResponse = new Response(null, {
+      status: 204,
+      headers: { 'Payment-Receipt': 'management-receipt' },
+    })
+    const intent = () => async () => ({
+      status: 200 as const,
+      withReceipt: () => managementResponse,
+    })
+
+    const app = express()
+    app.get('/', payment(intent as any, {} as any), (_req, res) => {
+      handlerRan = true
+      res.json({ data: 'content' })
+    })
+
+    const server = await createServer(app)
+    const response = await globalThis.fetch(server.url)
+    expect(response.status).toBe(204)
+    expect(response.headers.get('Payment-Receipt')).toBe('management-receipt')
+    expect(await response.text()).toBe('')
+    expect(handlerRan).toBe(false)
+
+    server.close()
+  })
+
   test('returns 402 when no credential', async () => {
     const { mppx } = createCoreChargeHarness(false)
 

package/src/middlewares/express.ts

@@ -76,6 +76,30 @@ export function payment<const intent extends Mppx_internal.AnyMethodFn>(
       return
     }
 
+    const managementResponse = (() => {
+      try {
+        return (result.withReceipt as () => Response)()
+      } catch (error) {
+        if (
+          error instanceof Error &&
+          error.message === 'withReceipt() requires a response argument'
+        )
+          return null
+        throw error
+      }
+    })()
+
+    if (managementResponse) {
+      res.status(managementResponse.status)
+      for (const [key, value] of managementResponse.headers) res.setHeader(key, value)
+      if (managementResponse.body === null) {
+        res.end()
+        return
+      }
+      res.send(Buffer.from(await managementResponse.arrayBuffer()))
+      return
+    }
+
     const originalJson = res.json.bind(res)
     res.json = (body: any) => {
       const wrapped = result.withReceipt(Response.json(body))

package/src/tempo/client/SessionManager.ts

@@ -138,10 +138,28 @@ export function sessionManager(parameters: sessionManager.Parameters): SessionMa
 
   function updateSpentFromReceipt(receipt: SessionReceipt | null | undefined) {
     if (!receipt || receipt.channelId !== channel?.channelId) return
+    assertReceiptWithinLocalState(receipt)
     const next = BigInt(receipt.spent)
     spent = spent > next ? spent : next
   }
 
+  function assertReceiptWithinLocalState(receipt: SessionReceipt) {
+    if (!channel || receipt.channelId !== channel.channelId) return
+    const acceptedCumulative = BigInt(receipt.acceptedCumulative)
+    const receiptSpent = BigInt(receipt.spent)
+    if (receiptSpent > acceptedCumulative) {
+      throw new Error('receipt spent exceeds accepted cumulative voucher amount')
+    }
+    if (acceptedCumulative > channel.cumulativeAmount) {
+      throw new Error('receipt accepted cumulative exceeds local voucher state')
+    }
+    if (receiptSpent > channel.cumulativeAmount) {
+      throw new Error('receipt spent exceeds local voucher state')
+    }
+    assertVoucherWithinLocalLimit(acceptedCumulative)
+    assertVoucherWithinLocalLimit(receiptSpent)
+  }
+
   function waitForReceipt(predicate: (receipt: SessionReceipt) => boolean = () => true) {
     if (receiptWaiter) throw new Error('receipt wait already in progress')
     return new Promise<SessionReceipt>((resolve, reject) => {
@@ -762,7 +780,14 @@ export function sessionManager(parameters: sessionManager.Parameters): SessionMa
         context: {
           action: 'close',
           channelId: closeChannelId,
-          cumulativeAmountRaw: getFallbackCloseAmount(closeChallenge, closeChannelId),
+          cumulativeAmountRaw: (() => {
+            const closeAmount = BigInt(getFallbackCloseAmount(closeChallenge, closeChannelId))
+            if (closeAmount > channel.cumulativeAmount) {
+              throw new Error('fallback close amount exceeds local voucher state')
+            }
+            assertVoucherWithinLocalLimit(closeAmount)
+            return closeAmount.toString()
+          })(),
         },
       })
 

package/src/tempo/internal/fee-payer.test.ts

@@ -123,6 +123,145 @@ describe('validateCalls', () => {
     ).not.toThrow()
   })
 
+  test('accepts approve + buy + exact expected split transfers', () => {
+    expect(() =>
+      validateCalls(
+        [
+          {
+            to: swapTokenIn,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'approve',
+              args: [Addresses.stablecoinDex, 100n],
+            }),
+          },
+          {
+            to: Addresses.stablecoinDex,
+            data: swapData,
+          },
+          {
+            to: swapTokenOut,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: [bogus, 90n],
+            }),
+          },
+          {
+            to: swapTokenOut,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transferWithMemo',
+              args: [
+                '0x0000000000000000000000000000000000000002',
+                10n,
+                '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+              ],
+            }),
+          },
+        ],
+        details,
+        {
+          currency: swapTokenOut,
+          expectedTransfers: [
+            { amount: '90', recipient: bogus },
+            {
+              amount: '10',
+              memo: '0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+              recipient: '0x0000000000000000000000000000000000000002',
+            },
+          ],
+        },
+      ),
+    ).not.toThrow()
+  })
+
+  test('error: rejects extra transfers when expected payments are supplied', () => {
+    expect(() =>
+      validateCalls(
+        [
+          {
+            to: swapTokenOut,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: [bogus, 100n],
+            }),
+          },
+          {
+            to: swapTokenOut,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: ['0x0000000000000000000000000000000000000002', 1n],
+            }),
+          },
+        ],
+        details,
+        {
+          currency: swapTokenOut,
+          expectedTransfers: [{ amount: '100', recipient: bogus }],
+        },
+      ),
+    ).toThrow('disallowed call pattern')
+  })
+
+  test('error: rejects expected transfers to the wrong token', () => {
+    expect(() =>
+      validateCalls(
+        [
+          {
+            to: swapTokenIn,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: [bogus, 100n],
+            }),
+          },
+        ],
+        details,
+        {
+          currency: swapTokenOut,
+          expectedTransfers: [{ amount: '100', recipient: bogus }],
+        },
+      ),
+    ).toThrow('payment transfer does not match challenge')
+  })
+
+  test('error: rejects swaps whose output token does not fund the payment', () => {
+    expect(() =>
+      validateCalls(
+        [
+          {
+            to: swapTokenIn,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'approve',
+              args: [Addresses.stablecoinDex, 100n],
+            }),
+          },
+          {
+            to: Addresses.stablecoinDex,
+            data: swapData,
+          },
+          {
+            to: bogus,
+            data: encodeFunctionData({
+              abi: Abis.tip20,
+              functionName: 'transfer',
+              args: [bogus, 100n],
+            }),
+          },
+        ],
+        details,
+        {
+          currency: bogus,
+          expectedTransfers: [{ amount: '100', recipient: bogus }],
+        },
+      ),
+    ).toThrow('swap tokenOut does not match payment currency')
+  })
+
   test('error: rejects empty calls', () => {
     expect(() => validateCalls([], details)).toThrow(FeePayerValidationError)
   })

package/src/tempo/internal/fee-payer.ts

@@ -1,5 +1,6 @@
 import type { TempoAddress } from 'ox/tempo'
 import { TxEnvelopeTempo } from 'ox/tempo'
+import type { Hex } from 'viem'
 import type { Account } from 'viem'
 import { decodeFunctionData } from 'viem'
 import { Abis, Addresses, Transaction } from 'viem/tempo'
@@ -42,6 +43,13 @@ export type Policy = {
 // Tempo transaction fields.
 type SponsoredTransaction = ReturnType<(typeof Transaction)['deserialize']>
 
+type ExpectedTransfer = {
+  amount: string
+  allowAnyMemo?: boolean | undefined
+  memo?: Hex | undefined
+  recipient: TempoAddress.Address
+}
+
 const preservedTransactionKeys = [
   'accessList',
   'calls',
@@ -122,6 +130,10 @@ function getPolicy(chainId: number, overrides: Partial<Policy> | undefined): Pol
 export function validateCalls(
   calls: readonly { data?: `0x${string}` | undefined; to?: TempoAddress.Address | undefined }[],
   details: Record<string, string>,
+  options?: {
+    currency?: TempoAddress.Address | undefined
+    expectedTransfers?: readonly ExpectedTransfer[] | undefined
+  },
 ) {
   if (calls.length === 0)
     throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
@@ -137,15 +149,19 @@ export function validateCalls(
   }
 
   const transferSelectors = callSelectors.slice(hasSwapPrefix ? 2 : 0)
+  if (transferSelectors.length === 0)
+    throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
+
+  const expectedTransfers = options?.expectedTransfers
+  const transferLimit = expectedTransfers?.length ?? 11
   if (
-    transferSelectors.length === 0 ||
-    transferSelectors.length > 11 ||
+    transferSelectors.length > transferLimit ||
     transferSelectors.some(
       (selector) => selector !== Selectors.transfer && selector !== Selectors.transferWithMemo,
-    )
-  ) {
+    ) ||
+    (expectedTransfers && transferSelectors.length !== expectedTransfers.length)
+  )
     throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
-  }
 
   // Bind the swap approval to the token the DEX call will actually spend.
   const buyCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.swapExactAmountOut)
@@ -161,16 +177,79 @@ export function validateCalls(
   const approveCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.approve)
   if (approveCall) {
     const { args } = decodeFunctionData({ abi: Abis.tip20, data: approveCall.data! })
+    const [spender, amount] = args as [`0x${string}`, bigint]
     if (!approveCall.to || (buyArgs && !TempoAddress_internal.isEqual(approveCall.to, buyArgs[0])))
       throw new FeePayerValidationError('approve target does not match swap tokenIn', details)
-    if (!TempoAddress_internal.isEqual((args as [`0x${string}`])[0]!, Addresses.stablecoinDex))
+    if (!TempoAddress_internal.isEqual(spender, Addresses.stablecoinDex))
       throw new FeePayerValidationError('approve spender is not the DEX', details)
+    if (buyArgs && amount !== buyArgs[3])
+      throw new FeePayerValidationError('approve amount does not match swap max input', details)
   }
   if (
     buyCall &&
     (!buyCall.to || !TempoAddress_internal.isEqual(buyCall.to, Addresses.stablecoinDex))
   )
     throw new FeePayerValidationError('buy target is not the DEX', details)
+
+  if (!expectedTransfers) return
+
+  const currency = options?.currency ?? (details.currency as TempoAddress.Address | undefined)
+  if (!currency) throw new FeePayerValidationError('missing payment currency', details)
+
+  if (buyArgs) {
+    const [, tokenOut, amountOut] = buyArgs
+    const expectedAmountOut = expectedTransfers.reduce(
+      (sum, transfer) => sum + BigInt(transfer.amount),
+      0n,
+    )
+    if (!TempoAddress_internal.isEqual(tokenOut, currency))
+      throw new FeePayerValidationError('swap tokenOut does not match payment currency', details)
+    if (amountOut !== expectedAmountOut)
+      throw new FeePayerValidationError('swap output does not match payment amount', details)
+  }
+
+  const transferCalls = calls.slice(hasSwapPrefix ? 2 : 0)
+  const sorted = [...expectedTransfers].sort((a, b) => {
+    if (a.memo && !b.memo) return -1
+    if (!a.memo && b.memo) return 1
+    return 0
+  })
+
+  const used = new Set<number>()
+  for (const expected of sorted) {
+    const matchIndex = transferCalls.findIndex((call, index) => {
+      if (used.has(index)) return false
+      if (!call.to || !TempoAddress_internal.isEqual(call.to, currency) || !call.data) return false
+
+      try {
+        const selector = call.data.slice(0, 10)
+        const { args } = decodeFunctionData({ abi: Abis.tip20, data: call.data })
+        if (selector === Selectors.transfer) {
+          const [recipient, amount] = args as [`0x${string}`, bigint]
+          if (!TempoAddress_internal.isEqual(recipient, expected.recipient)) return false
+          if (amount.toString() !== expected.amount) return false
+          return expected.memo === undefined
+        }
+
+        if (selector === Selectors.transferWithMemo) {
+          const [recipient, amount, memo] = args as [`0x${string}`, bigint, Hex]
+          if (!TempoAddress_internal.isEqual(recipient, expected.recipient)) return false
+          if (amount.toString() !== expected.amount) return false
+          if (expected.memo) return memo.toLowerCase() === expected.memo.toLowerCase()
+          return expected.allowAnyMemo === true
+        }
+      } catch {
+        return false
+      }
+
+      return false
+    })
+
+    if (matchIndex === -1)
+      throw new FeePayerValidationError('payment transfer does not match challenge', details)
+
+    used.add(matchIndex)
+  }
 }
 
 export function prepareSponsoredTransaction(parameters: {

package/src/tempo/server/Charge.test.ts

@@ -1579,6 +1579,104 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: fee payer rejects concurrent in-flight transactions from one sender', async () => {
+      let releaseSimulation!: () => void
+      let resolveSimulationStarted!: () => void
+      const simulationStarted = new Promise<void>((resolve) => {
+        resolveSimulationStarted = resolve
+      })
+      const releaseSimulationPromise = new Promise<void>((resolve) => {
+        releaseSimulation = resolve
+      })
+      let heldFirstSimulation = false
+
+      const interceptingClient = createClient({
+        account: accounts[0],
+        chain: client.chain,
+        transport: custom({
+          async request(args: any) {
+            if (args.method === 'eth_call' && !heldFirstSimulation) {
+              heldFirstSimulation = true
+              resolveSimulationStarted()
+              await releaseSimulationPromise
+            }
+            return client.transport.request(args)
+          },
+        }),
+      })
+
+      const sponsoredStore = Store.memory()
+      const serverWithSlowSimulation = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return interceptingClient
+            },
+            currency: asset,
+            account: accounts[0],
+            store: sponsoredStore,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          serverWithSlowSimulation.charge({
+            feePayer: accounts[0],
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+
+      const [credential1, credential2] = await Promise.all([
+        mppx.createCredential(challengeResponse1),
+        mppx.createCredential(challengeResponse2),
+      ])
+
+      const first = fetch(httpServer.url, { headers: { Authorization: credential1 } })
+      await simulationStarted
+      const second = fetch(httpServer.url, { headers: { Authorization: credential2 } })
+
+      try {
+        const secondResponse = await second
+        expect(secondResponse.status).toBe(402)
+        const body = (await secondResponse.json()) as { detail: string }
+        expect(body.detail).toContain('Sponsored transaction from this sender is already in flight')
+      } finally {
+        releaseSimulation()
+      }
+
+      const firstResponse = await first
+      expect(firstResponse.status).toBe(200)
+
+      httpServer.close()
+    })
+
     test('behavior: fee payer with splits', async () => {
       const mppx = Mppx_client.create({
         polyfill: false,
@@ -3338,6 +3436,27 @@ describe('tempo', () => {
       })
       expect(method.defaults?.recipient).toBe(accounts[0].address)
     })
+
+    test('request keeps explicit feePayer false disabled during verification', async () => {
+      const method = tempo_server.charge({
+        getClient: () => client,
+        account: accounts[0],
+        currency: asset,
+        feePayer: accounts[0],
+      })
+
+      const normalized = await method.request!({
+        credential: { challenge: {}, payload: {} } as never,
+        request: {
+          amount: '1',
+          currency: asset,
+          decimals: 6,
+          feePayer: false,
+        },
+      } as never)
+
+      expect(normalized.feePayer).toBe(false)
+    })
   })
 
   describe('default currency resolution', () => {