mppx 0.6.15 → 0.6.17

package/src/tempo/server/Charge.test.ts

@@ -8,6 +8,7 @@ import { createClient, custom, encodeFunctionData, parseUnits } from 'viem'
 import {
   getTransactionReceipt,
   prepareTransactionRequest,
+  sendRawTransactionSync,
   signTypedData,
   signTransaction,
 } from 'viem/actions'
@@ -3687,6 +3688,481 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('server verifies hash transfers from credential source', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:${chain.id}:${accounts[1].address}`,
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      httpServer.close()
+    })
+
+    test('server verifies hash transfers from receipt sender when source is omitted', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      httpServer.close()
+    })
+
+    test('server verifies hash transfers from source when receipt sender differs', async () => {
+      let useRelayerReceiptFrom = false
+      const smartAccountClient = createClient({
+        chain: client.chain,
+        transport: custom({
+          async request(args: any) {
+            const result = await client.transport.request(args)
+            if (useRelayerReceiptFrom && args?.method === 'eth_getTransactionReceipt') {
+              return { ...(result as any), from: accounts[2].address }
+            }
+            return result
+          },
+        }),
+      })
+      const smartAccountServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return smartAccountClient
+            },
+            currency: asset,
+            account: accounts[0],
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          smartAccountServer.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      useRelayerReceiptFrom = true
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:${chain.id}:${accounts[1].address}`,
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash transfers from a different source', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:${chain.id}:${accounts[2].address}`,
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('no matching transfer found')
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash credentials with malformed source', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        source: 'not-a-valid-did',
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Hash credential source is invalid')
+      }
+
+      httpServer.close()
+    })
+
+    test('server does not consume a hash when credential source is malformed', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      {
+        const credential = Credential.from({
+          challenge,
+          payload: { hash: receipt.transactionHash, type: 'hash' as const },
+          source: 'not-a-valid-did',
+        })
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Hash credential source is invalid')
+      }
+
+      {
+        const credential = Credential.from({
+          challenge,
+          payload: { hash: receipt.transactionHash, type: 'hash' as const },
+          source: `did:pkh:eip155:${chain.id}:${accounts[1].address}`,
+        })
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      httpServer.close()
+    })
+
+    test('server rejects hash credentials with source from a different chain', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({ amount: '1', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        memo: memo as Hex.Hex,
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:1:${accounts[1].address}`,
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Hash credential source is invalid')
+      }
+
+      httpServer.close()
+    })
+
+    test('server verifies split hash transfers from credential source', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+            splits: [
+              { amount: '0.2', recipient: accounts[2].address },
+              { amount: '0.1', recipient: accounts[3].address },
+            ],
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const splits = challenge.request.methodDetails?.splits ?? []
+      const primaryAmount =
+        BigInt(challenge.request.amount) - BigInt(splits[0]!.amount) - BigInt(splits[1]!.amount)
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const prepared = await prepareTransactionRequest(client, {
+        account: accounts[1]!,
+        calls: [
+          Actions.token.transfer.call({
+            amount: BigInt(splits[0]!.amount),
+            to: splits[0]!.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+          Actions.token.transfer.call({
+            amount: primaryAmount,
+            memo: memo as Hex.Hex,
+            to: challenge.request.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+          Actions.token.transfer.call({
+            amount: BigInt(splits[1]!.amount),
+            to: splits[1]!.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+        ],
+        nonceKey: 'expiring',
+      } as never)
+      prepared.gas = prepared.gas! + 5_000n
+      const signature = await signTransaction(client, prepared as never)
+      const { transactionHash } = await sendRawTransactionSync(client, {
+        serializedTransaction: signature,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:${chain.id}:${accounts[1].address}`,
+      })
+
+      const authResponse = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(credential) },
+      })
+      expect(authResponse.status).toBe(200)
+
+      httpServer.close()
+    })
+
+    test('server rejects split hash transfers from a different source', async () => {
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server.charge({
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+            splits: [
+              { amount: '0.2', recipient: accounts[2].address },
+              { amount: '0.1', recipient: accounts[3].address },
+            ],
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+      const splits = challenge.request.methodDetails?.splits ?? []
+      const primaryAmount =
+        BigInt(challenge.request.amount) - BigInt(splits[0]!.amount) - BigInt(splits[1]!.amount)
+      const memo = Attribution.encode({ challengeId: challenge.id, serverId: challenge.realm })
+
+      const prepared = await prepareTransactionRequest(client, {
+        account: accounts[1]!,
+        calls: [
+          Actions.token.transfer.call({
+            amount: BigInt(splits[0]!.amount),
+            to: splits[0]!.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+          Actions.token.transfer.call({
+            amount: primaryAmount,
+            memo: memo as Hex.Hex,
+            to: challenge.request.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+          Actions.token.transfer.call({
+            amount: BigInt(splits[1]!.amount),
+            to: splits[1]!.recipient as Hex.Hex,
+            token: challenge.request.currency as Hex.Hex,
+          }),
+        ],
+        nonceKey: 'expiring',
+      } as never)
+      prepared.gas = prepared.gas! + 5_000n
+      const signature = await signTransaction(client, prepared as never)
+      const { transactionHash } = await sendRawTransactionSync(client, {
+        serializedTransaction: signature,
+      })
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: transactionHash, type: 'hash' as const },
+        source: `did:pkh:eip155:${chain.id}:${accounts[4].address}`,
+      })
+
+      const authResponse = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(credential) },
+      })
+      expect(authResponse.status).toBe(402)
+      const body = (await authResponse.json()) as { detail: string }
+      expect(body.detail).toContain('no matching transfer found')
+
+      httpServer.close()
+    })
+
     test('anonymous client (no clientId) generates valid attribution memo', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
@@ -3792,9 +4268,17 @@ describe('tempo', () => {
         ],
       })
 
+      let challengeNonce = 0
       const httpServer = await Http.createServer(async (req, res) => {
+        // This replay check requires distinct challenge IDs. Default expires can collide
+        // when the paired 402s are issued in the same millisecond.
         const result = await Mppx_server.toNodeListener(
-          chargeServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+          chargeServer.charge({
+            amount: '1',
+            currency: asset,
+            expires: new Date(Date.now() + 300_000 + challengeNonce++).toISOString(),
+            recipient: accounts[0].address,
+          }),
         )(req, res)
         if (result.status === 402) return
         res.end('OK')
@@ -3863,9 +4347,17 @@ describe('tempo', () => {
         ],
       })
 
+      let challengeNonce = 0
       const httpServer = await Http.createServer(async (req, res) => {
+        // This replay check requires distinct challenge IDs. Default expires can collide
+        // when the paired 402s are issued in the same millisecond.
         const result = await Mppx_server.toNodeListener(
-          chargeServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+          chargeServer.charge({
+            amount: '1',
+            currency: asset,
+            expires: new Date(Date.now() + 300_000 + challengeNonce++).toISOString(),
+            recipient: accounts[0].address,
+          }),
         )(req, res)
         if (result.status === 402) return
         res.end('OK')

package/src/tempo/server/Charge.ts

@@ -203,28 +203,57 @@ export function charge<const parameters extends charge.Parameters>(
             throw new MismatchError('Hash credentials are not supported for this challenge.', {})
 
           const hash = payload.hash as `0x${string}`
+          // Validate client-supplied identity before reserving the hash so a
+          // malformed source cannot burn an otherwise valid payment attempt.
+          const source = parseHashCredentialSource({
+            chainId: chainId ?? client.chain?.id,
+            source: credential.source,
+          })
+          // Reserve the hash while we verify it. This blocks concurrent
+          // requests from racing to reuse the same on-chain payment.
           if (!(await markHashUsed(store, hash))) {
             throw new VerificationFailedError({ reason: 'Transaction hash has already been used' })
           }
 
-          const expectedTransfers = getExpectedTransfers({ amount, memo, methodDetails, recipient })
-          const receipt = await getTransactionReceipt(client, { hash })
-          const matchedLogs = assertTransferLogs(receipt, {
-            currency,
-            sender: receipt.from,
-            transfers: expectedTransfers,
-          })
-          // Only verify challenge binding when using auto-generated attribution memos.
-          // Explicit memos (set by the server) are strictly matched by assertTransferLogs
-          // but are NOT challenge-bound — callers that set explicit memos are responsible
-          // for ensuring memo uniqueness per challenge to prevent cross-challenge hash reuse.
-          if (!memo)
-            assertChallengeBoundMemo(matchedLogs, {
-              challengeId: challenge.id,
-              realm: challenge.realm,
+          // If verification fails after reservation, release it so transient
+          // RPC/log-validation errors do not force the payer to pay again.
+          // Once we have proven the receipt is a successful matching payment,
+          // keep the marker to enforce single-use semantics.
+          let releaseReservation = true
+
+          try {
+            const expectedTransfers = getExpectedTransfers({
+              amount,
+              memo,
+              methodDetails,
+              recipient,
+            })
+            const receipt = await getTransactionReceipt(client, { hash })
+            const sender = source?.address ?? receipt.from
+            const matchedLogs = assertTransferLogs(receipt, {
+              currency,
+              sender,
+              transfers: expectedTransfers,
             })
+            // Only verify challenge binding when using auto-generated attribution memos.
+            // Explicit memos (set by the server) are strictly matched by assertTransferLogs
+            // but are NOT challenge-bound — callers that set explicit memos are responsible
+            // for ensuring memo uniqueness per challenge to prevent cross-challenge hash reuse.
+            if (!memo)
+              assertChallengeBoundMemo(matchedLogs, {
+                challengeId: challenge.id,
+                realm: challenge.realm,
+              })
 
-          return toReceipt(receipt)
+            const paymentReceipt = toReceipt(receipt)
+            // `toReceipt` can throw for reverted transactions. Only keep the
+            // reservation after it confirms the referenced transaction settled.
+            releaseReservation = false
+            return paymentReceipt
+          } catch (error) {
+            if (releaseReservation) await releaseHashUse(store, hash)
+            throw error
+          }
         }
 
         case 'proof': {
@@ -239,7 +268,7 @@ export function charge<const parameters extends charge.Parameters>(
             throw new MismatchError('Proof credential must include a source.', {})
 
           const resolvedChainId = challenge.request.methodDetails?.chainId ?? chainId!
-          const source = Proof.parseProofSource(expectedSource)
+          const source = Proof.parsePkhSource(expectedSource)
 
           if (!source || source.chainId !== resolvedChainId) {
             throw new MismatchError('Proof credential source is invalid.', {})
@@ -757,6 +786,21 @@ async function releaseHashUse(
   await store.delete(getHashStoreKey(hash))
 }
 
+function parseHashCredentialSource(parameters: {
+  chainId: number | undefined
+  source: string | undefined
+}): { address: `0x${string}`; chainId: number } | undefined {
+  const { chainId, source } = parameters
+  if (!source) return undefined
+
+  const parsed = Proof.parsePkhSource(source)
+  if (!parsed || (chainId !== undefined && parsed.chainId !== chainId)) {
+    throw new MismatchError('Hash credential source is invalid.', {})
+  }
+
+  return parsed
+}
+
 /** @internal */
 async function markSponsoredSenderInFlight(
   store: Store.AtomicStore<charge.StoreItemMap>,

package/src/tempo/server/Session.ts

@@ -432,6 +432,7 @@ export async function settle(
     ...(options?.feePayer && options?.account
       ? { feePayer: options.feePayer, account: options.account }
       : { account: options?.account }),
+    candidateFeeTokens: [channel.token],
   })
 
   await store.updateChannel(channelId, (current) => {
@@ -965,6 +966,7 @@ async function handleClose(
 
     txHash = await closeOnChain(client, methodDetails.escrowContract, voucher, {
       ...(feePayer && account ? { feePayer, account } : { account }),
+      candidateFeeTokens: [channel.token],
     })
   } catch (error) {
     if (pendingCloseMarked) {

package/src/tempo/server/internal/html/node_modules/.bin/mppx

@@ -0,0 +1,22 @@
+#!/bin/sh
+basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
+
+case `uname` in
+    *CYGWIN*|*MINGW*|*MSYS*)
+        if command -v cygpath > /dev/null 2>&1; then
+            basedir=`cygpath -w "$basedir"`
+        fi
+    ;;
+esac
+
+if [ -z "$NODE_PATH" ]; then
+  export NODE_PATH="/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules"
+else
+  export NODE_PATH="/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules:$NODE_PATH"
+fi
+if [ -x "$basedir/node" ]; then
+  exec "$basedir/node"  "$basedir/../mppx/dist/bin.js" "$@"
+else
+  exec node  "$basedir/../mppx/dist/bin.js" "$@"
+fi
+# cmd-shim-target=/home/runner/work/mppx/mppx/src/tempo/server/internal/html/node_modules/mppx/dist/bin.js

package/src/tempo/server/internal/html/node_modules/.bin/mppx.src

@@ -10,12 +10,13 @@ case `uname` in
 esac
 
 if [ -z "$NODE_PATH" ]; then
-  export NODE_PATH="/home/runner/work/mppx/mppx/src/node_modules:/home/runner/work/mppx/mppx/node_modules:/home/runner/work/mppx/node_modules:/home/runner/work/node_modules:/home/runner/node_modules:/home/node_modules:/node_modules:/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules"
+  export NODE_PATH="/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules"
 else
-  export NODE_PATH="/home/runner/work/mppx/mppx/src/node_modules:/home/runner/work/mppx/mppx/node_modules:/home/runner/work/mppx/node_modules:/home/runner/work/node_modules:/home/runner/node_modules:/home/node_modules:/node_modules:/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules:$NODE_PATH"
+  export NODE_PATH="/home/runner/work/mppx/mppx/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
   exec "$basedir/node"  "$basedir/../mppx/src/bin.ts" "$@"
 else
   exec node  "$basedir/../mppx/src/bin.ts" "$@"
 fi
+# cmd-shim-target=/home/runner/work/mppx/mppx/src/tempo/server/internal/html/node_modules/mppx/src/bin.ts