npm - mppx - Versions diffs - 0.6.18 → 0.6.20 - Mend

mppx 0.6.18 → 0.6.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/CHANGELOG.md +13 -0
package/dist/Challenge.d.ts +2 -2
package/dist/Challenge.d.ts.map +1 -1
package/dist/Challenge.js +1 -1
package/dist/Challenge.js.map +1 -1
package/dist/Method.d.ts +34 -0
package/dist/Method.d.ts.map +1 -1
package/dist/Method.js +3 -1
package/dist/Method.js.map +1 -1
package/dist/Receipt.d.ts +1 -0
package/dist/Receipt.d.ts.map +1 -1
package/dist/Receipt.js +2 -0
package/dist/Receipt.js.map +1 -1
package/dist/client/Methods.d.ts +1 -0
package/dist/client/Methods.d.ts.map +1 -1
package/dist/client/Methods.js +1 -0
package/dist/client/Methods.js.map +1 -1
package/dist/middlewares/elysia.d.ts.map +1 -1
package/dist/middlewares/elysia.js +14 -0
package/dist/middlewares/elysia.js.map +1 -1
package/dist/middlewares/express.d.ts.map +1 -1
package/dist/middlewares/express.js +1 -2
package/dist/middlewares/express.js.map +1 -1
package/dist/middlewares/hono.d.ts.map +1 -1
package/dist/middlewares/hono.js +14 -0
package/dist/middlewares/hono.js.map +1 -1
package/dist/middlewares/nextjs.d.ts.map +1 -1
package/dist/middlewares/nextjs.js +14 -0
package/dist/middlewares/nextjs.js.map +1 -1
package/dist/proxy/Proxy.d.ts.map +1 -1
package/dist/proxy/Proxy.js +2 -2
package/dist/proxy/Proxy.js.map +1 -1
package/dist/proxy/Service.d.ts.map +1 -1
package/dist/proxy/Service.js +1 -1
package/dist/proxy/Service.js.map +1 -1
package/dist/server/Mppx.d.ts +15 -3
package/dist/server/Mppx.d.ts.map +1 -1
package/dist/server/Mppx.js +190 -40
package/dist/server/Mppx.js.map +1 -1
package/dist/stripe/server/internal/html.gen.d.ts +1 -1
package/dist/stripe/server/internal/html.gen.d.ts.map +1 -1
package/dist/stripe/server/internal/html.gen.js +1 -1
package/dist/stripe/server/internal/html.gen.js.map +1 -1
package/dist/tempo/Methods.d.ts +96 -0
package/dist/tempo/Methods.d.ts.map +1 -1
package/dist/tempo/Methods.js +97 -0
package/dist/tempo/Methods.js.map +1 -1
package/dist/tempo/client/Methods.d.ts +3 -0
package/dist/tempo/client/Methods.d.ts.map +1 -1
package/dist/tempo/client/Methods.js +3 -0
package/dist/tempo/client/Methods.js.map +1 -1
package/dist/tempo/client/Subscription.d.ts +114 -0
package/dist/tempo/client/Subscription.d.ts.map +1 -0
package/dist/tempo/client/Subscription.js +100 -0
package/dist/tempo/client/Subscription.js.map +1 -0
package/dist/tempo/client/index.d.ts +1 -0
package/dist/tempo/client/index.d.ts.map +1 -1
package/dist/tempo/client/index.js +1 -0
package/dist/tempo/client/index.js.map +1 -1
package/dist/tempo/index.d.ts +1 -0
package/dist/tempo/index.d.ts.map +1 -1
package/dist/tempo/index.js +1 -0
package/dist/tempo/index.js.map +1 -1
package/dist/tempo/server/Charge.js +2 -2
package/dist/tempo/server/Charge.js.map +1 -1
package/dist/tempo/server/Methods.d.ts +5 -0
package/dist/tempo/server/Methods.d.ts.map +1 -1
package/dist/tempo/server/Methods.js +5 -0
package/dist/tempo/server/Methods.js.map +1 -1
package/dist/tempo/server/Subscription.d.ts +221 -0
package/dist/tempo/server/Subscription.d.ts.map +1 -0
package/dist/tempo/server/Subscription.js +637 -0
package/dist/tempo/server/Subscription.js.map +1 -0
package/dist/tempo/server/index.d.ts +1 -0
package/dist/tempo/server/index.d.ts.map +1 -1
package/dist/tempo/server/index.js +1 -0
package/dist/tempo/server/index.js.map +1 -1
package/dist/tempo/server/internal/html.gen.d.ts +1 -1
package/dist/tempo/server/internal/html.gen.d.ts.map +1 -1
package/dist/tempo/server/internal/html.gen.js +1 -1
package/dist/tempo/server/internal/html.gen.js.map +1 -1
package/dist/tempo/session/Chain.d.ts.map +1 -1
package/dist/tempo/session/Chain.js +3 -4
package/dist/tempo/session/Chain.js.map +1 -1
package/dist/tempo/subscription/KeyAuthorization.d.ts +282 -0
package/dist/tempo/subscription/KeyAuthorization.d.ts.map +1 -0
package/dist/tempo/subscription/KeyAuthorization.js +297 -0
package/dist/tempo/subscription/KeyAuthorization.js.map +1 -0
package/dist/tempo/subscription/Receipt.d.ts +10 -0
package/dist/tempo/subscription/Receipt.d.ts.map +1 -0
package/dist/tempo/subscription/Receipt.js +16 -0
package/dist/tempo/subscription/Receipt.js.map +1 -0
package/dist/tempo/subscription/Store.d.ts +99 -0
package/dist/tempo/subscription/Store.d.ts.map +1 -0
package/dist/tempo/subscription/Store.js +292 -0
package/dist/tempo/subscription/Store.js.map +1 -0
package/dist/tempo/subscription/Types.d.ts +65 -0
package/dist/tempo/subscription/Types.d.ts.map +1 -0
package/dist/tempo/subscription/Types.js +2 -0
package/dist/tempo/subscription/Types.js.map +1 -0
package/dist/tempo/subscription/index.d.ts +6 -0
package/dist/tempo/subscription/index.d.ts.map +1 -0
package/dist/tempo/subscription/index.js +4 -0
package/dist/tempo/subscription/index.js.map +1 -0
package/dist/zod.d.ts +7 -0
package/dist/zod.d.ts.map +1 -1
package/dist/zod.js +18 -0
package/dist/zod.js.map +1 -1
package/package.json +3 -3
package/src/Challenge.test.ts +13 -0
package/src/Challenge.ts +3 -3
package/src/Method.ts +46 -1
package/src/Receipt.ts +2 -0
package/src/client/Methods.ts +1 -0
package/src/middlewares/elysia.test.ts +31 -1
package/src/middlewares/elysia.ts +13 -0
package/src/middlewares/express.ts +1 -5
package/src/middlewares/hono.test.ts +30 -1
package/src/middlewares/hono.ts +13 -0
package/src/middlewares/nextjs.test.ts +28 -1
package/src/middlewares/nextjs.ts +13 -0
package/src/proxy/Proxy.ts +2 -5
package/src/proxy/Service.test.ts +34 -0
package/src/proxy/Service.ts +7 -0
package/src/server/Mppx.authorize.test.ts +210 -0
package/src/server/Mppx.test-d.ts +23 -1
package/src/server/Mppx.test.ts +73 -3
package/src/server/Mppx.ts +291 -58
package/src/stripe/server/internal/html/package.json +1 -1
package/src/stripe/server/internal/html.gen.ts +1 -1
package/src/tempo/Methods.test.ts +131 -0
package/src/tempo/Methods.ts +136 -0
package/src/tempo/Subscription.integration.test.ts +591 -0
package/src/tempo/client/Methods.ts +3 -0
package/src/tempo/client/Subscription.test.ts +131 -0
package/src/tempo/client/Subscription.ts +155 -0
package/src/tempo/client/index.ts +1 -0
package/src/tempo/index.ts +1 -0
package/src/tempo/server/Charge.ts +2 -2
package/src/tempo/server/Methods.ts +5 -0
package/src/tempo/server/Subscription.test.ts +1410 -0
package/src/tempo/server/Subscription.ts +1014 -0
package/src/tempo/server/index.ts +1 -0
package/src/tempo/server/internal/html/package.json +1 -1
package/src/tempo/server/internal/html.gen.ts +1 -1
package/src/tempo/session/Chain.ts +3 -5
package/src/tempo/subscription/KeyAuthorization.test.ts +204 -0
package/src/tempo/subscription/KeyAuthorization.ts +394 -0
package/src/tempo/subscription/Receipt.ts +28 -0
package/src/tempo/subscription/Store.test.ts +554 -0
package/src/tempo/subscription/Store.ts +431 -0
package/src/tempo/subscription/Types.ts +68 -0
package/src/tempo/subscription/index.ts +23 -0
package/src/zod.test.ts +23 -1
package/src/zod.ts +24 -0

package/src/tempo/server/Subscription.test.ts ADDED Viewed

@@ -0,0 +1,1410 @@
+import { Challenge, Credential, Receipt } from 'mppx'
+import { Mppx } from 'mppx/server'
+import { KeyAuthorization } from 'ox/tempo'
+import { createClient, custom } from 'viem'
+import { privateKeyToAccount } from 'viem/accounts'
+import { tempo as tempo_chain } from 'viem/chains'
+import { describe, expect, test } from 'vp/test'
+import * as Store from '../../Store.js'
+import * as Methods from '../Methods.js'
+import { signSubscriptionKeyAuthorization } from '../subscription/KeyAuthorization.js'
+import * as SubscriptionStore from '../subscription/Store.js'
+import type { SubscriptionAccessKey } from '../subscription/Types.js'
+import type { SubscriptionRecord } from '../subscription/Types.js'
+import { renew, subscription } from './Subscription.js'
+const realm = 'api.example.com'
+const secretKey = 'test-secret-key'
+const activeBillingAnchor = new Date(Math.floor(Date.now() / 1_000) * 1_000).toISOString()
+const activeSubscriptionExpires = new Date(
+  Math.ceil((Date.now() + 365 * 24 * 60 * 60 * 1_000) / 1_000) * 1_000,
+).toISOString()
+const chainId = 4217
+const subscriptionDefaultChainId = 42431
+const subscriptionAmount = '10'
+const subscriptionCurrency = '0x20c0000000000000000000000000000000000001'
+const subscriptionKey = 'user-1:plan:pro'
+const subscriptionPeriodCount = '1'
+const subscriptionPeriodUnit = 'day'
+const subscriptionPeriodMilliseconds = 86_400_000
+const subscriptionRecipient = '0x1234567890abcdef1234567890abcdef12345678'
+const rootAccount = privateKeyToAccount(
+  '0x0000000000000000000000000000000000000000000000000000000000000001',
+)
+const accessAccount = privateKeyToAccount(
+  '0x0000000000000000000000000000000000000000000000000000000000000002',
+)
+const otherAccessAccount = privateKeyToAccount(
+  '0x0000000000000000000000000000000000000000000000000000000000000003',
+)
+const accessKey = {
+  accessKeyAddress: accessAccount.address,
+  keyType: 'secp256k1',
+} as const satisfies SubscriptionAccessKey
+const hashActivate = `0x${'a'.repeat(64)}`
+const hashRenewed = `0x${'b'.repeat(64)}`
+const hashStale = `0x${'c'.repeat(64)}`
+const hashBackground = `0x${'d'.repeat(64)}`
+const hashOld = `0x${'e'.repeat(64)}`
+function createReceipt(subscriptionId: string, reference = hashActivate) {
+  return {
+    method: 'tempo',
+    reference,
+    status: 'success',
+    subscriptionId,
+    timestamp: '2025-01-01T00:00:00.000Z',
+  } as const
+}
+function createRecord(overrides: Partial<SubscriptionRecord> = {}): SubscriptionRecord {
+  return {
+    amount: '10000000',
+    billingAnchor: activeBillingAnchor,
+    chainId,
+    currency: subscriptionCurrency,
+    lastChargedPeriod: 0,
+    lookupKey: subscriptionKey,
+    periodCount: subscriptionPeriodCount,
+    periodUnit: subscriptionPeriodUnit,
+    recipient: subscriptionRecipient,
+    reference: hashActivate,
+    subscriptionExpires: activeSubscriptionExpires,
+    subscriptionId: 'sub_123',
+    timestamp: '2025-01-01T00:00:00.000Z',
+    ...overrides,
+  }
+}
+async function createCredential(
+  challenge: Challenge.Challenge,
+  source = rootAccount.address,
+  key: SubscriptionAccessKey = accessKey,
+) {
+  const keyAuthorization = await signSubscriptionKeyAuthorization({
+    accessKey: key,
+    account: rootAccount,
+    chainId,
+    request: challenge.request as ReturnType<typeof Methods.subscription.schema.request.parse>,
+  })
+  if (!keyAuthorization) throw new Error('expected key authorization')
+  return Credential.from({
+    challenge,
+    payload: {
+      signature: KeyAuthorization.serialize(keyAuthorization),
+      type: 'keyAuthorization',
+    },
+    source: `did:pkh:eip155:${chainId}:${source.toLowerCase()}`,
+  })
+}
+function createBillingClient(hashes: readonly string[]) {
+  const rpcMethods: string[] = []
+  let nextHash = 0
+  const client = createClient({
+    chain: { ...tempo_chain, id: chainId },
+    transport: custom({
+      async request({ method }) {
+        rpcMethods.push(method)
+        if (method === 'eth_chainId') return `0x${chainId.toString(16)}`
+        if (method === 'eth_call') return '0x'
+        if (method === 'eth_sendRawTransaction') return hashes[nextHash++] ?? hashActivate
+        throw new Error(`unexpected rpc method: ${method}`)
+      },
+    }),
+  })
+  return { client, rpcMethods }
+}
+describe('tempo.subscription', () => {
+  test('stores an activated subscription and reuses it on later requests', async () => {
+    const store = Store.memory()
+    let activationCount = 0
+    const method = subscription({
+      activate: async ({ request, resolved }) => {
+        activationCount += 1
+        return {
+          receipt: createReceipt('sub_123', hashActivate),
+          subscription: createRecord({
+            amount: request.amount,
+            chainId: request.methodDetails?.chainId,
+            currency: request.currency,
+            lookupKey: resolved.key,
+            periodCount: request.periodCount,
+            periodUnit: request.periodUnit,
+            recipient: request.recipient,
+            reference: hashActivate,
+            subscriptionExpires: request.subscriptionExpires,
+          }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async ({ input }) => {
+        const key = input.headers.get('X-Subscription-Key')
+        return key ? { accessKey, key } : null
+      },
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { 'X-Subscription-Key': subscriptionKey },
+      }),
+    )
+    expect(challengeResult.status).toBe(402)
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const challengeRequest = challenge.request as ReturnType<
+      typeof Methods.subscription.schema.request.parse
+    >
+    expect(challengeRequest.methodDetails?.accessKey).toEqual({
+      ...accessKey,
+      accessKeyAddress: accessKey.accessKeyAddress.toLowerCase(),
+    })
+    const credential = await createCredential(challenge)
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: {
+          Authorization: Credential.serialize(credential),
+          'X-Subscription-Key': subscriptionKey,
+        },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    expect(activationCount).toBe(1)
+    const replayed = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: {
+          Authorization: Credential.serialize(credential),
+          'X-Subscription-Key': subscriptionKey,
+        },
+      }),
+    )
+    expect(replayed.status).toBe(402)
+    expect(activationCount).toBe(1)
+    const reused = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: {
+          'X-Subscription-Key': subscriptionKey,
+        },
+      }),
+    )
+    expect(reused.status).toBe(200)
+    if (reused.status !== 200) throw new Error('expected authorize reuse')
+    const response = reused.withReceipt(new Response('OK'))
+    const receipt = response.headers.get('Payment-Receipt')
+    expect(receipt).toBeTruthy()
+  })
+  test('automatically creates an access key and submits the activation payment', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const { client, rpcMethods } = createBillingClient([hashActivate])
+    const method = subscription({
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      getClient: async () => client,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+      waitForConfirmation: false,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    expect(challengeResult.status).toBe(402)
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const challengeRequest = challenge.request as ReturnType<
+      typeof Methods.subscription.schema.request.parse
+    >
+    const generatedAccessKey = challengeRequest.methodDetails?.accessKey
+    expect(generatedAccessKey?.keyType).toBe('secp256k1')
+    if (!generatedAccessKey) throw new Error('expected generated access key')
+    const credential = await createCredential(challenge, rootAccount.address, generatedAccessKey)
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    if (activated.status !== 200) throw new Error('expected activation')
+    const receipt = Receipt.fromResponse(activated.withReceipt(new Response('OK')))
+    expect(receipt.reference).toBe(hashActivate)
+    expect(receipt.subscriptionId).toMatch(/^[A-Za-z0-9_-]+$/)
+    expect(rpcMethods.filter((method) => method === 'eth_sendRawTransaction')).toHaveLength(1)
+    const record = await subscriptions.getByKey(subscriptionKey)
+    expect(record?.accessKey).toEqual(generatedAccessKey)
+    expect(record?.keyAuthorization).toBe(credential.payload.signature)
+    expect(record?.payer?.address.toLowerCase()).toBe(rootAccount.address.toLowerCase())
+    expect(record?.lastChargedPeriod).toBe(0)
+    const reused = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(reused.status).toBe(200)
+    expect(rpcMethods.filter((method) => method === 'eth_sendRawTransaction')).toHaveLength(1)
+  })
+  test('verifyCredential activates a subscription credential with a canonical challenge request', async () => {
+    const store = Store.memory()
+    const { client } = createBillingClient([hashActivate])
+    const method = subscription({
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      getClient: async () => client,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+      waitForConfirmation: false,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challenge = await mppx.challenge.tempo.subscription({})
+    const generatedAccessKey = (
+      challenge.request as ReturnType<typeof Methods.subscription.schema.request.parse>
+    ).methodDetails?.accessKey
+    if (!generatedAccessKey) throw new Error('expected generated access key')
+    const credential = await createCredential(challenge, rootAccount.address, generatedAccessKey)
+    const receipt = await mppx.verifyCredential(credential)
+    expect(receipt.status).toBe('success')
+    expect(receipt.reference).toBe(hashActivate)
+  })
+  test('automatically renews overdue subscriptions on the request path', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const { client, rpcMethods } = createBillingClient([hashActivate, hashRenewed])
+    const method = subscription({
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      getClient: async () => client,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+      waitForConfirmation: false,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const accessKey = (
+      challenge.request as ReturnType<typeof Methods.subscription.schema.request.parse>
+    ).methodDetails?.accessKey
+    if (!accessKey) throw new Error('expected generated access key')
+    const credential = await createCredential(challenge, rootAccount.address, accessKey)
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    const record = await subscriptions.getByKey(subscriptionKey)
+    if (!record) throw new Error('expected subscription record')
+    await subscriptions.put({
+      ...record,
+      billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+      keyAuthorization: undefined,
+      lastChargedPeriod: 0,
+      reference: hashStale,
+    })
+    const renewed = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(renewed.status).toBe(200)
+    if (renewed.status !== 200) throw new Error('expected renewal')
+    const receipt = Receipt.fromResponse(renewed.withReceipt(new Response('OK')))
+    expect(receipt.reference).toBe(hashRenewed)
+    expect(rpcMethods.filter((method) => method === 'eth_sendRawTransaction')).toHaveLength(2)
+    expect((await subscriptions.get(record.subscriptionId))?.lastChargedPeriod).toBeGreaterThan(0)
+  })
+  test('returns a management response while renewal is already in flight', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      renew: async () => {
+        throw new Error('renew should not run')
+      },
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        inFlightPeriod: 1,
+        inFlightStartedAt: new Date().toISOString(),
+        lastChargedPeriod: 0,
+        subscriptionId: 'sub_due',
+      }),
+    )
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const result = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(result.status).toBe(200)
+    if (result.status !== 200) throw new Error('expected management response')
+    const response = (result.withReceipt as () => Response)()
+    expect(response.status).toBe(409)
+    expect(response.headers.get('Retry-After')).toBe('1')
+  })
+  test('does not authorize an active subscription whose request binding differs', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    await subscriptions.put(
+      createRecord({
+        accessKey,
+        amount: '1000000',
+        lookupKey: subscriptionKey,
+        subscriptionId: 'sub_basic',
+      }),
+    )
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => ({
+        receipt: createReceipt('sub_unused'),
+        subscription: createRecord({ subscriptionId: 'sub_unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const result = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(result.status).toBe(402)
+  })
+  test('requires an access key before issuing a subscription challenge', async () => {
+    const method = subscription({
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store: Store.memory(),
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const result = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error('expected challenge')
+    const body = (await result.challenge.json()) as { detail?: string }
+    expect(body.detail).toBe('Payment verification failed: subscription accessKey is missing.')
+  })
+  test('defaults omitted subscription chainId to Tempo testnet', async () => {
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store: Store.memory(),
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const challengeRequest = challenge.request as ReturnType<
+      typeof Methods.subscription.schema.request.parse
+    >
+    expect(challengeRequest.methodDetails?.chainId).toBe(subscriptionDefaultChainId)
+  })
+  test('reuses a stored active subscription access key without a resolver callback', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    await subscriptions.put(createRecord({ accessKey, lookupKey: subscriptionKey }))
+    const method = subscription({
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const reused = await mppx.tempo.subscription({})(new Request('https://example.com/resource'))
+    expect(reused.status).toBe(200)
+  })
+  test('serializes concurrent fresh activations for the same lookup key', async () => {
+    const store = Store.memory()
+    let activationCount = 0
+    let releaseActivation!: () => void
+    let markActivationStarted!: () => void
+    const activationStarted = new Promise<void>((resolve) => {
+      markActivationStarted = resolve
+    })
+    const activationReleased = new Promise<void>((resolve) => {
+      releaseActivation = resolve
+    })
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => {
+        activationCount += 1
+        markActivationStarted()
+        await activationReleased
+        return {
+          receipt: createReceipt('sub_123', hashActivate),
+          subscription: createRecord({
+            amount: request.amount,
+            chainId: request.methodDetails?.chainId,
+            currency: request.currency,
+            lookupKey: resolved.key,
+            periodCount: request.periodCount,
+            periodUnit: request.periodUnit,
+            recipient: request.recipient,
+            reference: hashActivate,
+            subscriptionExpires: request.subscriptionExpires,
+          }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const firstChallengeResult = await mppx.tempo.subscription({
+      expires: '2027-01-01T00:01:00.000Z',
+    })(new Request('https://example.com/resource'))
+    const secondChallengeResult = await mppx.tempo.subscription({
+      expires: '2027-01-01T00:02:00.000Z',
+    })(new Request('https://example.com/resource'))
+    if (firstChallengeResult.status !== 402 || secondChallengeResult.status !== 402) {
+      throw new Error('expected activation challenges')
+    }
+    const firstChallenge = Challenge.fromResponse(firstChallengeResult.challenge)
+    const secondChallenge = Challenge.fromResponse(secondChallengeResult.challenge)
+    expect(firstChallenge.id).not.toBe(secondChallenge.id)
+    const firstCredential = await createCredential(firstChallenge)
+    const secondCredential = await createCredential(secondChallenge)
+    const firstActivation = mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(firstCredential) },
+      }),
+    )
+    await activationStarted
+    const secondActivation = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(secondCredential) },
+      }),
+    )
+    releaseActivation()
+    const activated = await firstActivation
+    expect(activated.status).toBe(200)
+    expect(secondActivation.status).toBe(402)
+    expect(activationCount).toBe(1)
+  })
+  test('allows retry after a stale failed activation attempt', async () => {
+    const store = Store.memory()
+    let activationCount = 0
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activationTimeoutMs: 0,
+      activate: async ({ request, resolved }) => {
+        activationCount += 1
+        if (activationCount === 1) throw new Error('activation failed before charge')
+        return {
+          receipt: createReceipt('sub_123', hashActivate),
+          subscription: createRecord({
+            amount: request.amount,
+            chainId: request.methodDetails?.chainId,
+            currency: request.currency,
+            lookupKey: resolved.key,
+            periodCount: request.periodCount,
+            periodUnit: request.periodUnit,
+            recipient: request.recipient,
+            reference: hashActivate,
+            subscriptionExpires: request.subscriptionExpires,
+          }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const firstChallengeResult = await mppx.tempo.subscription({
+      expires: '2027-01-01T00:03:00.000Z',
+    })(new Request('https://example.com/resource'))
+    const secondChallengeResult = await mppx.tempo.subscription({
+      expires: '2027-01-01T00:04:00.000Z',
+    })(new Request('https://example.com/resource'))
+    if (firstChallengeResult.status !== 402 || secondChallengeResult.status !== 402) {
+      throw new Error('expected activation challenges')
+    }
+    const firstCredential = await createCredential(
+      Challenge.fromResponse(firstChallengeResult.challenge),
+    )
+    const firstRejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(firstCredential) },
+      }),
+    )
+    expect(firstRejected.status).toBe(402)
+    const secondCredential = await createCredential(
+      Challenge.fromResponse(secondChallengeResult.challenge),
+    )
+    const retried = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(secondCredential) },
+      }),
+    )
+    expect(retried.status).toBe(200)
+    expect(activationCount).toBe(2)
+  })
+  test('new activation replaces the previous subscription for the same lookup key', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    // Seed an expired subscription so authorize() falls through to a new challenge.
+    const expiredDate = new Date(Date.now() - 1_000).toISOString()
+    await subscriptions.put(
+      createRecord({
+        lookupKey: subscriptionKey,
+        subscriptionId: 'sub_old',
+        reference: hashOld,
+        subscriptionExpires: expiredDate,
+      }),
+    )
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => ({
+        receipt: createReceipt('sub_new', hashActivate),
+        subscription: createRecord({
+          amount: request.amount,
+          chainId: request.methodDetails?.chainId,
+          currency: request.currency,
+          lookupKey: resolved.key,
+          periodCount: request.periodCount,
+          periodUnit: request.periodUnit,
+          recipient: request.recipient,
+          reference: hashActivate,
+          subscriptionExpires: request.subscriptionExpires,
+          subscriptionId: 'sub_new',
+        }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    expect(challengeResult.status).toBe(402)
+    if (challengeResult.status !== 402) throw new Error('expected challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge)
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: {
+          Authorization: Credential.serialize(credential),
+          'X-Subscription-Key': subscriptionKey,
+        },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    if (activated.status !== 200) throw new Error('expected activation')
+    const receipt = Receipt.fromResponse(activated.withReceipt(new Response('OK')))
+    expect(receipt.subscriptionId).toBe('sub_new')
+    const current = await subscriptions.getByKey(subscriptionKey)
+    expect(current?.subscriptionId).toBe('sub_new')
+  })
+  test('does not reuse an active subscription whose request binding differs during verify', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    let activationCount = 0
+    await subscriptions.put(
+      createRecord({
+        accessKey,
+        amount: '1000000',
+        lookupKey: subscriptionKey,
+        subscriptionId: 'sub_basic',
+      }),
+    )
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => {
+        activationCount += 1
+        return {
+          receipt: createReceipt('sub_premium'),
+          subscription: createRecord({
+            amount: request.amount,
+            chainId: request.methodDetails?.chainId,
+            currency: request.currency,
+            lookupKey: resolved.key,
+            periodCount: request.periodCount,
+            periodUnit: request.periodUnit,
+            recipient: request.recipient,
+            subscriptionExpires: request.subscriptionExpires,
+            subscriptionId: 'sub_premium',
+          }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const credential = await createCredential(Challenge.fromResponse(challengeResult.challenge))
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    expect(activationCount).toBe(1)
+    if (activated.status !== 200) throw new Error('expected activation')
+    const receipt = Receipt.fromResponse(activated.withReceipt(new Response('OK')))
+    expect(receipt.subscriptionId).toBe('sub_premium')
+  })
+  test('does not reuse an overdue subscription during verify', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    let activationCount = 0
+    await subscriptions.put(
+      createRecord({
+        accessKey,
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        lookupKey: subscriptionKey,
+        reference: hashStale,
+        subscriptionId: 'sub_due',
+      }),
+    )
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => {
+        activationCount += 1
+        throw new Error('overdue subscription must renew')
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const credential = await createCredential(Challenge.fromResponse(challengeResult.challenge))
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(activationCount).toBe(1)
+  })
+  test('rejects activation when the dynamic access key does not match the credential', async () => {
+    const store = Store.memory()
+    const activateCalls: unknown[] = []
+    const method = subscription({
+      accessKey: async () => ({
+        accessKeyAddress: accessAccount.address,
+        keyType: 'p256',
+      }),
+      activate: async (parameters) => {
+        activateCalls.push(parameters)
+        return {
+          receipt: createReceipt('sub_unused'),
+          subscription: createRecord({ subscriptionId: 'sub_unused' }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge)
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(activateCalls.length).toBe(0)
+  })
+  test('rejects activation settlements that do not match the challenged request', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => ({
+        receipt: createReceipt('sub_bad', hashActivate),
+        subscription: createRecord({
+          amount: String(BigInt(request.amount) + 1n),
+          chainId: request.methodDetails?.chainId,
+          currency: request.currency,
+          lookupKey: resolved.key,
+          periodCount: request.periodCount,
+          periodUnit: request.periodUnit,
+          recipient: request.recipient,
+          reference: hashActivate,
+          subscriptionExpires: request.subscriptionExpires,
+          subscriptionId: 'sub_bad',
+        }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge)
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(await subscriptions.getByKey(subscriptionKey)).toBe(null)
+  })
+  test('rejects activation settlements with a mismatched chainId', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => ({
+        receipt: createReceipt('sub_bad', hashActivate),
+        subscription: createRecord({
+          amount: request.amount,
+          chainId: chainId + 1,
+          currency: request.currency,
+          lookupKey: resolved.key,
+          periodCount: request.periodCount,
+          periodUnit: request.periodUnit,
+          recipient: request.recipient,
+          reference: hashActivate,
+          subscriptionExpires: request.subscriptionExpires,
+          subscriptionId: 'sub_bad',
+        }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge)
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(await subscriptions.getByKey(subscriptionKey)).toBe(null)
+  })
+  test('rejects activation settlements with a mismatched externalId', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => ({
+        receipt: createReceipt('sub_bad', hashActivate),
+        subscription: createRecord({
+          amount: request.amount,
+          chainId: request.methodDetails?.chainId,
+          currency: request.currency,
+          externalId: 'external_2',
+          lookupKey: resolved.key,
+          periodCount: request.periodCount,
+          periodUnit: request.periodUnit,
+          recipient: request.recipient,
+          reference: hashActivate,
+          subscriptionExpires: request.subscriptionExpires,
+          subscriptionId: 'sub_bad',
+        }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      externalId: 'external_1',
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge)
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(await subscriptions.getByKey(subscriptionKey)).toBe(null)
+  })
+  test('rejects credentials when the current request externalId differs from the challenge', async () => {
+    const store = Store.memory()
+    let activationCount = 0
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async ({ request, resolved }) => {
+        activationCount += 1
+        return {
+          receipt: createReceipt('sub_unused'),
+          subscription: createRecord({
+            amount: request.amount,
+            chainId: request.methodDetails?.chainId,
+            currency: request.currency,
+            externalId: request.externalId,
+            lookupKey: resolved.key,
+            periodCount: request.periodCount,
+            periodUnit: request.periodUnit,
+            recipient: request.recipient,
+            subscriptionExpires: request.subscriptionExpires,
+            subscriptionId: 'sub_unused',
+          }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({ externalId: 'external_1' })(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const credential = await createCredential(Challenge.fromResponse(challengeResult.challenge))
+    const rejected = await mppx.tempo.subscription({ externalId: 'external_2' })(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(activationCount).toBe(0)
+  })
+  test('rejects credentials whose declared source does not match the key authorization signer', async () => {
+    const store = Store.memory()
+    const activateCalls: unknown[] = []
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async (parameters) => {
+        activateCalls.push(parameters)
+        return {
+          receipt: createReceipt('sub_unused'),
+          subscription: createRecord({ subscriptionId: 'sub_unused' }),
+        }
+      },
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const credential = await createCredential(challenge, otherAccessAccount.address)
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect(activateCalls.length).toBe(0)
+  })
+  test('renews an overdue matching subscription before falling back to 402', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const renewCalls: number[] = []
+    const renewalReferences: string[] = []
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      renew: async ({ inFlightReference, periodIndex, subscription }) => {
+        renewCalls.push(periodIndex)
+        renewalReferences.push(inFlightReference)
+        expect(subscription.inFlightReference).toBe(inFlightReference)
+        return {
+          receipt: createReceipt(subscription.subscriptionId, hashRenewed),
+          subscription: {
+            ...subscription,
+            lastChargedPeriod: periodIndex,
+            reference: hashRenewed,
+          },
+        }
+      },
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        lookupKey: subscriptionKey,
+        reference: hashStale,
+        subscriptionId: 'sub_due',
+      }),
+    )
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const result = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { 'X-Subscription-Key': subscriptionKey },
+      }),
+    )
+    expect(result.status).toBe(200)
+    expect(renewCalls.length).toBe(1)
+    expect(renewCalls[0]).toBeGreaterThan(0)
+    expect(renewalReferences[0]).toBe(`renewal:sub_due:${renewCalls[0]}`)
+    if (result.status !== 200) throw new Error('expected renewal success')
+    const receipt = Receipt.fromResponse(result.withReceipt(new Response('OK')))
+    expect(receipt.reference).toBe(hashRenewed)
+    expect(receipt.subscriptionId).toBe('sub_due')
+    expect((await subscriptions.get('sub_due'))?.inFlightReference).toBe(undefined)
+  })
+  test('rejects renewals that change the active subscriptionId', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const method = subscription({
+      accessKey: async () => accessKey,
+      activate: async () => ({
+        receipt: createReceipt('unused'),
+        subscription: createRecord({ subscriptionId: 'unused' }),
+      }),
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      renew: async ({ periodIndex, subscription }) => {
+        const record = {
+          ...subscription,
+          lastChargedPeriod: periodIndex,
+          reference: hashRenewed,
+          subscriptionId: 'sub_other',
+        }
+        return {
+          receipt: createReceipt(record.subscriptionId, hashRenewed),
+          subscription: record,
+        }
+      },
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+    })
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        lookupKey: subscriptionKey,
+        reference: hashStale,
+        subscriptionId: 'sub_due',
+      }),
+    )
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const rejected = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { 'X-Subscription-Key': subscriptionKey },
+      }),
+    )
+    expect(rejected.status).toBe(402)
+    expect((await subscriptions.getByKey(subscriptionKey))?.subscriptionId).toBe('sub_due')
+    expect((await subscriptions.get('sub_due'))?.lastChargedPeriod).toBe(0)
+  })
+  test('charges an overdue subscription outside the request path', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const renewCalls: number[] = []
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        lookupKey: subscriptionKey,
+        amount: subscriptionAmount,
+        reference: hashStale,
+        subscriptionId: 'sub_background',
+      }),
+    )
+    const result = await renew({
+      renew: async ({ periodIndex, subscription }) => {
+        renewCalls.push(periodIndex)
+        return {
+          receipt: createReceipt(subscription.subscriptionId, hashBackground),
+          subscription: {
+            ...subscription,
+            lastChargedPeriod: periodIndex,
+            reference: hashBackground,
+          },
+        }
+      },
+      store,
+      subscriptionId: 'sub_background',
+    })
+    expect(result?.receipt.reference).toBe(hashBackground)
+    expect(renewCalls.length).toBe(1)
+    expect((await subscriptions.get('sub_background'))?.reference).toBe(hashBackground)
+  })
+  test('rejects background renewals that mutate economic fields', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        lookupKey: subscriptionKey,
+        amount: subscriptionAmount,
+        reference: hashStale,
+        subscriptionId: 'sub_background',
+      }),
+    )
+    await expect(
+      renew({
+        renew: async ({ periodIndex, subscription }) => {
+          const mutated = {
+            ...subscription,
+            amount: '999',
+            lastChargedPeriod: periodIndex,
+            reference: hashBackground,
+          }
+          return {
+            receipt: createReceipt(subscription.subscriptionId, hashBackground),
+            subscription: mutated,
+          }
+        },
+        store,
+        subscriptionId: 'sub_background',
+      }),
+    ).rejects.toThrow('subscription record does not match request')
+    expect((await subscriptions.get('sub_background'))?.inFlightReference).toBe(undefined)
+    expect((await subscriptions.get('sub_background'))?.amount).toBe(subscriptionAmount)
+  })
+  test('does not charge a superseded subscription outside the request path', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    let renewCalls = 0
+    await subscriptions.put(
+      createRecord({
+        billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+        lastChargedPeriod: 0,
+        reference: hashStale,
+        subscriptionId: 'sub_old',
+      }),
+    )
+    await subscriptions.put(
+      createRecord({
+        reference: hashBackground,
+        subscriptionId: 'sub_new',
+      }),
+    )
+    const result = await renew({
+      renew: async ({ subscription }) => {
+        renewCalls += 1
+        return {
+          receipt: createReceipt(subscription.subscriptionId, hashBackground),
+          subscription,
+        }
+      },
+      store,
+      subscriptionId: 'sub_old',
+    })
+    expect(result).toBe(null)
+    expect(renewCalls).toBe(0)
+    expect((await subscriptions.getByKey(subscriptionKey))?.subscriptionId).toBe('sub_new')
+  })
+  test('automatically renews an overdue subscription outside the request path', async () => {
+    const store = Store.memory()
+    const subscriptions = SubscriptionStore.fromStore(store)
+    const { client, rpcMethods } = createBillingClient([hashActivate, hashBackground])
+    const method = subscription({
+      amount: subscriptionAmount,
+      chainId,
+      currency: subscriptionCurrency,
+      getClient: async () => client,
+      periodCount: subscriptionPeriodCount,
+      periodUnit: subscriptionPeriodUnit,
+      recipient: subscriptionRecipient,
+      resolve: async () => ({ key: subscriptionKey }),
+      store,
+      subscriptionExpires: activeSubscriptionExpires,
+      waitForConfirmation: false,
+    })
+    const mppx = Mppx.create({ methods: [method], realm, secretKey })
+    const challengeResult = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource'),
+    )
+    if (challengeResult.status !== 402) throw new Error('expected activation challenge')
+    const challenge = Challenge.fromResponse(challengeResult.challenge)
+    const accessKey = (
+      challenge.request as ReturnType<typeof Methods.subscription.schema.request.parse>
+    ).methodDetails?.accessKey
+    if (!accessKey) throw new Error('expected generated access key')
+    const credential = await createCredential(challenge, rootAccount.address, accessKey)
+    const activated = await mppx.tempo.subscription({})(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+    expect(activated.status).toBe(200)
+    const record = await subscriptions.getByKey(subscriptionKey)
+    if (!record) throw new Error('expected subscription record')
+    await subscriptions.put({
+      ...record,
+      billingAnchor: new Date(Date.now() - 3 * subscriptionPeriodMilliseconds).toISOString(),
+      lastChargedPeriod: 0,
+      reference: hashStale,
+    })
+    const result = await renew({
+      getClient: async () => client,
+      store,
+      subscriptionId: record.subscriptionId,
+      waitForConfirmation: false,
+    })
+    expect(result?.receipt.reference).toBe(hashBackground)
+    expect(rpcMethods.filter((method) => method === 'eth_sendRawTransaction')).toHaveLength(2)
+    const renewed = await subscriptions.get(record.subscriptionId)
+    expect(renewed?.reference).toBe(hashBackground)
+  })
+})