mppx 0.6.27 → 0.6.29

package/src/tempo/client/ChannelOps.test.ts

@@ -1,7 +1,8 @@
 import { Hex } from 'ox'
-import { type Address, createClient } from 'viem'
+import { SignatureEnvelope } from 'ox/tempo'
+import { type Address, createClient, decodeFunctionData } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
-import { Addresses } from 'viem/tempo'
+import { Account as TempoAccount, Addresses, Transaction } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vp/test'
 import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
@@ -15,6 +16,7 @@ import {
   chainId as chainIdDefaults,
   escrowContract as escrowContractDefaults,
 } from '../internal/defaults.js'
+import { escrowAbi } from '../session/Chain.js'
 import { verifyVoucher } from '../session/Voucher.js'
 import {
   createClosePayload,
@@ -140,6 +142,40 @@ describe('createVoucherPayload', () => {
     )
     expect(valid).toBe(true)
   })
+
+  test('uses raw access-key signatures when no voucherSigner is provided', async () => {
+    const accessKey = TempoAccount.fromSecp256k1(
+      '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d',
+      { access: localAccount },
+    )
+    const accessKeyClient = createClient({
+      account: accessKey,
+      transport: http('http://127.0.0.1'),
+    })
+
+    const result = await createVoucherPayload(
+      accessKeyClient,
+      accessKey,
+      channelId,
+      5_000_000n,
+      escrowContract,
+      chainId,
+    )
+
+    expect(result.action).toBe('voucher')
+    if (result.action !== 'voucher') throw new Error('unexpected action')
+
+    const envelope = SignatureEnvelope.from(result.signature as SignatureEnvelope.Serialized)
+    expect(envelope.type).toBe('secp256k1')
+
+    const valid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount: 5_000_000n, signature: result.signature },
+      accessKey.accessKeyAddress,
+    )
+    expect(valid).toBe(true)
+  })
 })
 
 describe('createClosePayload', () => {
@@ -228,11 +264,13 @@ describe.runIf(isLocalnet)('createOpenPayload', () => {
       chainId: chain.id,
     })
 
-    expect((result.payload as any).authorizedSigner).toBe(payer.address)
+    expect(result.payload.action).toBe('open')
+    if (result.payload.action !== 'open') throw new Error('unexpected action')
+    expect(result.payload.authorizedSigner).toBe(payer.address)
   })
 
-  test('uses custom authorizedSigner when provided', async () => {
-    const customSigner = accounts[5].address
+  test('derives authorizedSigner from voucherSigner when provided', async () => {
+    const voucherSigner = accounts[5]
     const payerClient = createClient({
       account: payer,
       chain,
@@ -240,7 +278,7 @@ describe.runIf(isLocalnet)('createOpenPayload', () => {
     })
 
     const result = await createOpenPayload(payerClient, payer, {
-      authorizedSigner: customSigner,
+      voucherSigner,
       escrowContract: escrow,
       payee,
       currency,
@@ -249,7 +287,23 @@ describe.runIf(isLocalnet)('createOpenPayload', () => {
       chainId: chain.id,
     })
 
-    expect((result.payload as any).authorizedSigner).toBe(customSigner)
+    expect(result.payload.action).toBe('open')
+    if (result.payload.action !== 'open') throw new Error('unexpected action')
+    expect(result.payload.authorizedSigner).toBe(voucherSigner.address)
+
+    const transaction = Transaction.deserialize(result.payload.transaction)
+    if (!('calls' in transaction)) throw new Error('unexpected transaction type')
+    const calls = transaction.calls as readonly [
+      { to?: Address; data?: Hex.Hex },
+      { to?: Address; data?: Hex.Hex },
+    ]
+    const openCall = calls[1]
+    const open = decodeFunctionData({
+      abi: escrowAbi,
+      data: openCall?.data ?? '0x',
+    })
+    const openArgs = open.args as readonly [Address, Address, bigint, string, Address]
+    expect(openArgs[4].toLowerCase()).toBe(voucherSigner.address.toLowerCase())
   })
 })
 

package/src/tempo/client/ChannelOps.ts

@@ -18,6 +18,7 @@ import { Abis } from 'viem/tempo'
 
 import type { Challenge } from '../../Challenge.js'
 import * as Credential from '../../Credential.js'
+import { getAccountSignerAddress } from '../internal/account.js'
 import * as defaults from '../internal/defaults.js'
 import { escrowAbi, getOnChainChannel } from '../session/Chain.js'
 import * as Channel from '../session/Channel.js'
@@ -33,6 +34,13 @@ export type ChannelEntry = {
   opened: boolean
 }
 
+function resolveVoucherSigner(
+  account: viem_Account,
+  voucherSigner?: viem_Account | undefined,
+): viem_Account {
+  return voucherSigner ?? account
+}
+
 export function resolveChainId(challenge: Challenge): number {
   const md = challenge.request.methodDetails as { chainId?: number } | undefined
   return md?.chainId ?? 0
@@ -76,15 +84,16 @@ export async function createVoucherPayload(
   cumulativeAmount: bigint,
   escrowContract: Address,
   chainId: number,
-  authorizedSigner?: Address | undefined,
+  voucherSigner?: viem_Account | undefined,
 ): Promise<SessionCredentialPayload> {
+  const signer = resolveVoucherSigner(account, voucherSigner)
   const signature = await signVoucher(
     client,
     account,
     { channelId, cumulativeAmount },
     escrowContract,
     chainId,
-    authorizedSigner,
+    signer,
   )
   return {
     action: 'voucher',
@@ -101,15 +110,16 @@ export async function createClosePayload(
   cumulativeAmount: bigint,
   escrowContract: Address,
   chainId: number,
-  authorizedSigner?: Address | undefined,
+  voucherSigner?: viem_Account | undefined,
 ): Promise<SessionCredentialPayload> {
+  const signer = resolveVoucherSigner(account, voucherSigner)
   const signature = await signVoucher(
     client,
     account,
     { channelId, cumulativeAmount },
     escrowContract,
     chainId,
-    authorizedSigner,
+    signer,
   )
   return {
     action: 'close',
@@ -123,7 +133,7 @@ export async function createOpenPayload(
   client: viem_Client,
   account: viem_Account,
   options: {
-    authorizedSigner?: Address | undefined
+    voucherSigner?: viem_Account | undefined
     escrowContract: Address
     payee: Address
     currency: Address
@@ -134,7 +144,8 @@ export async function createOpenPayload(
   },
 ): Promise<{ entry: ChannelEntry; payload: SessionCredentialPayload }> {
   const { escrowContract, payee, currency, deposit, initialAmount, chainId, feePayer } = options
-  const authorizedSigner = options.authorizedSigner ?? account.address
+  const voucherSigner = resolveVoucherSigner(account, options.voucherSigner)
+  const authorizedSigner = getAccountSignerAddress(voucherSigner)
 
   const salt = Hex.random(32)
   const channelId = Channel.computeId({
@@ -180,7 +191,7 @@ export async function createOpenPayload(
     { channelId, cumulativeAmount: initialAmount },
     escrowContract,
     chainId,
-    options.authorizedSigner,
+    voucherSigner,
   )
 
   return {

package/src/tempo/client/Charge.test.ts

@@ -0,0 +1,126 @@
+import { Challenge, Credential } from 'mppx'
+import { createClient, http } from 'viem'
+import { privateKeyToAccount } from 'viem/accounts'
+import { tempoLocalnet } from 'viem/chains'
+import { describe, expect, test, vi } from 'vp/test'
+
+import * as Methods from '../Methods.js'
+import { charge } from './Charge.js'
+
+const account = privateKeyToAccount(
+  '0x0000000000000000000000000000000000000000000000000000000000000001',
+)
+const currency = '0x3333333333333333333333333333333333333333'
+const recipient = '0x2222222222222222222222222222222222222222'
+
+type ChargeRequest = ReturnType<typeof Methods.charge.schema.request.parse>
+
+function createChallenge(
+  overrides: Partial<Parameters<typeof Methods.charge.schema.request.parse>[0]> = {},
+): Challenge.Challenge<ChargeRequest, 'charge', 'tempo'> {
+  const request = Methods.charge.schema.request.parse({
+    amount: '0',
+    currency,
+    decimals: 6,
+    recipient,
+    ...overrides,
+  })
+  return Challenge.from({
+    id: 'test-challenge-id',
+    intent: 'charge',
+    method: 'tempo',
+    realm: 'api.example.com',
+    request,
+  }) as Challenge.Challenge<ChargeRequest, 'charge', 'tempo'>
+}
+
+describe('tempo.charge client', () => {
+  test('uses client chain ID when the challenge omits chainId', async () => {
+    const client = createClient({
+      account,
+      chain: tempoLocalnet,
+      transport: http('http://127.0.0.1'),
+    })
+    const method = charge({
+      account,
+      getClient: () => client,
+    })
+
+    const credential = Credential.deserialize(
+      await method.createCredential({
+        challenge: createChallenge(),
+        context: {},
+      }),
+    )
+
+    expect(credential.source).toBe(`did:pkh:eip155:${tempoLocalnet.id}:${account.address}`)
+  })
+
+  test('uses challenge chainId for client resolution and proof source', async () => {
+    let requestedChainId: number | undefined
+    const chainId = 42431
+    const client = createClient({
+      account,
+      chain: tempoLocalnet,
+      transport: http('http://127.0.0.1'),
+    })
+    const method = charge({
+      account,
+      getClient: (parameters) => {
+        requestedChainId = parameters.chainId
+        return client
+      },
+    })
+
+    const credential = Credential.deserialize(
+      await method.createCredential({
+        challenge: createChallenge({ chainId }),
+        context: {},
+      }),
+    )
+
+    expect(requestedChainId).toBe(chainId)
+    expect(credential.source).toBe(`did:pkh:eip155:${chainId}:${account.address}`)
+  })
+
+  test('uses challenge chainId for non-zero transaction source', async () => {
+    vi.resetModules()
+    const prepareTransactionRequest = vi.fn(async () => ({}))
+    const signTransaction = vi.fn(async () => '0xdeadbeef')
+    vi.doMock('viem/actions', () => ({
+      prepareTransactionRequest,
+      sendCallsSync: vi.fn(),
+      signTransaction,
+      signTypedData: vi.fn(),
+    }))
+
+    try {
+      const { charge: chargeWithMockedActions } = await import('./Charge.js')
+      const chainId = 42431
+      const client = createClient({
+        account,
+        chain: tempoLocalnet,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = chargeWithMockedActions({
+        account,
+        getClient: () => client,
+      })
+
+      const credential = Credential.deserialize(
+        await method.createCredential({
+          challenge: createChallenge({ amount: '1', chainId, supportedModes: ['pull'] }),
+          context: {},
+        }),
+      )
+
+      expect(prepareTransactionRequest).toHaveBeenCalledOnce()
+      expect(signTransaction).toHaveBeenCalledOnce()
+      expect(credential.payload).toEqual({ signature: '0xdeadbeef', type: 'transaction' })
+      expect(credential.source).toBe(`did:pkh:eip155:${chainId}:${account.address}`)
+    } finally {
+      vi.doUnmock('viem/actions')
+      vi.resetModules()
+    }
+  })
+})

package/src/tempo/client/Charge.ts

@@ -51,8 +51,12 @@ export function charge(parameters: charge.Parameters = {}) {
     }),
 
     async createCredential({ challenge, context }) {
-      const chainId = challenge.request.methodDetails?.chainId
-      const client = await getClient({ chainId })
+      const challengeChainId = challenge.request.methodDetails?.chainId
+      const client = await getClient({ chainId: challengeChainId })
+      const chainId = challengeChainId ?? client.chain?.id
+      if (chainId === undefined)
+        throw new Error('No `chainId` provided. Pass a chain ID in the challenge or client.')
+
       const account = getAccount(client, context)
 
       const { request } = challenge
@@ -62,7 +66,7 @@ export function charge(parameters: charge.Parameters = {}) {
       if (BigInt(amount) === 0n) {
         const signature = await signTypedData(client, {
           account,
-          domain: Proof.domain(chainId!),
+          domain: Proof.domain(chainId),
           types: Proof.types,
           primaryType: 'Proof',
           message: Proof.message(challenge.id, challenge.realm),
@@ -70,7 +74,7 @@ export function charge(parameters: charge.Parameters = {}) {
         return Credential.serialize({
           challenge,
           payload: { signature, type: 'proof' },
-          source: Proof.proofSource({ address: account.address, chainId: chainId! }),
+          source: Proof.proofSource({ address: account.address, chainId }),
         })
       }
 
@@ -156,7 +160,7 @@ export function charge(parameters: charge.Parameters = {}) {
         return Credential.serialize({
           challenge,
           payload: { hash, type: 'hash' },
-          source: `did:pkh:eip155:${chainId}:${account.address}`,
+          source: Proof.proofSource({ address: account.address, chainId }),
         })
       }
 
@@ -175,7 +179,7 @@ export function charge(parameters: charge.Parameters = {}) {
       return Credential.serialize({
         challenge,
         payload: { signature, type: 'transaction' },
-        source: `did:pkh:eip155:${chainId}:${account.address}`,
+        source: Proof.proofSource({ address: account.address, chainId }),
       })
     },
   })

package/src/tempo/client/Session.test.ts

@@ -1,6 +1,7 @@
+import { SignatureEnvelope } from 'ox/tempo'
 import { type Address, createClient, decodeFunctionData, erc20Abi, type Hex, http } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
-import { Addresses, Transaction } from 'viem/tempo'
+import { Account as TempoAccount, Addresses, Transaction, WebCryptoP256 } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vp/test'
 import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
@@ -13,6 +14,7 @@ import * as Credential from '../../Credential.js'
 import { chainId, escrowContract as escrowContractDefaults } from '../internal/defaults.js'
 import { escrowAbi } from '../session/Chain.js'
 import type { SessionCredentialPayload } from '../session/Types.js'
+import { verifyVoucher } from '../session/Voucher.js'
 import { session } from './Session.js'
 
 function deserializePayload(result: string) {
@@ -184,6 +186,133 @@ describe('session (pure)', () => {
       expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
     })
 
+    test('manual open rejects P256 voucher signer while TIP-1020 verification is disabled', async () => {
+      const keyPair = await WebCryptoP256.createKeyPair()
+      const voucherSigner = TempoAccount.fromWebCryptoP256(keyPair)
+      const method = session({
+        getClient: () => pureClient,
+        account: pureAccount,
+        voucherSigner,
+      })
+
+      await expect(
+        method.createCredential({
+          challenge: makeChallenge(),
+          context: {
+            action: 'open',
+            channelId,
+            cumulativeAmount: '5',
+            transaction: '0xdeadbeef',
+          },
+        }),
+      ).rejects.toThrow('Session vouchers only support secp256k1 signatures')
+    })
+
+    test('manual open signs access-key vouchers with raw signatures', async () => {
+      const accessKey = TempoAccount.fromSecp256k1(
+        '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d',
+        { access: pureAccount },
+      )
+      const accessKeyClient = createClient({
+        account: accessKey,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = session({
+        getClient: () => accessKeyClient,
+        account: accessKey,
+      })
+
+      const result = await method.createCredential({
+        challenge: makeChallenge(),
+        context: {
+          action: 'open',
+          channelId,
+          cumulativeAmount: '5',
+          transaction: '0xdeadbeef',
+        },
+      })
+
+      const cred = deserializePayload(result)
+      expect(cred.payload.action).toBe('open')
+      if (cred.payload.action !== 'open') throw new Error('unexpected action')
+      expect(cred.payload.authorizedSigner).toBeDefined()
+      if (!cred.payload.authorizedSigner) throw new Error('missing authorizedSigner')
+      expect(cred.payload.authorizedSigner.toLowerCase()).toBe(
+        accessKey.accessKeyAddress.toLowerCase(),
+      )
+
+      const envelope = SignatureEnvelope.from(
+        cred.payload.signature as SignatureEnvelope.Serialized,
+      )
+      expect(envelope.type).toBe('secp256k1')
+
+      const isValid = await verifyVoucher(
+        escrowAddress,
+        42431,
+        {
+          channelId,
+          cumulativeAmount: 5_000_000n,
+          signature: cred.payload.signature,
+        },
+        accessKey.accessKeyAddress,
+      )
+      expect(isValid).toBe(true)
+      expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
+    })
+
+    test('manual open signs access-key vouchers with direct voucher signer', async () => {
+      const privateKey = '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d'
+      const accessKey = TempoAccount.fromSecp256k1(privateKey, { access: pureAccount })
+      const voucherSigner = TempoAccount.fromSecp256k1(privateKey)
+      const accessKeyClient = createClient({
+        account: accessKey,
+        transport: http('http://127.0.0.1'),
+      })
+      const method = session({
+        getClient: () => accessKeyClient,
+        account: accessKey,
+        voucherSigner,
+      })
+
+      const result = await method.createCredential({
+        challenge: makeChallenge(),
+        context: {
+          action: 'open',
+          channelId,
+          cumulativeAmount: '5',
+          transaction: '0xdeadbeef',
+        },
+      })
+
+      const cred = deserializePayload(result)
+      expect(cred.payload.action).toBe('open')
+      if (cred.payload.action !== 'open') throw new Error('unexpected action')
+      expect(cred.payload.authorizedSigner).toBeDefined()
+      if (!cred.payload.authorizedSigner) throw new Error('missing authorizedSigner')
+      expect(cred.payload.authorizedSigner.toLowerCase()).toBe(
+        accessKey.accessKeyAddress.toLowerCase(),
+      )
+
+      const envelope = SignatureEnvelope.from(
+        cred.payload.signature as SignatureEnvelope.Serialized,
+      )
+      expect(envelope.type).toBe('secp256k1')
+      expect(cred.payload.signature.length).toBe(132)
+
+      const isValid = await verifyVoucher(
+        escrowAddress,
+        42431,
+        {
+          channelId,
+          cumulativeAmount: 5_000_000n,
+          signature: cred.payload.signature,
+        },
+        accessKey.accessKeyAddress,
+      )
+      expect(isValid).toBe(true)
+      expect(cred.source).toBe(`did:pkh:eip155:42431:${pureAccount.address}`)
+    })
+
     test('manual close produces valid credential', async () => {
       const method = session({ getClient: () => pureClient, account: pureAccount })
 

package/src/tempo/client/Session.ts

@@ -7,6 +7,7 @@ import * as Method from '../../Method.js'
 import * as Account from '../../viem/Account.js'
 import * as Client from '../../viem/Client.js'
 import * as z from '../../zod.js'
+import { getAccountSignerAddress } from '../internal/account.js'
 import * as defaults from '../internal/defaults.js'
 import * as Methods from '../Methods.js'
 import type { SessionCredentialPayload } from '../session/Types.js'
@@ -27,7 +28,6 @@ export const sessionContextSchema = z.object({
   cumulativeAmount: z.optional(z.amount()),
   cumulativeAmountRaw: z.optional(z.string()),
   transaction: z.optional(z.string()),
-  authorizedSigner: z.optional(z.string()),
   additionalDeposit: z.optional(z.amount()),
   additionalDepositRaw: z.optional(z.string()),
   depositRaw: z.optional(z.string()),
@@ -79,9 +79,6 @@ export function session(parameters: session.Parameters = {}) {
     rpcUrl: defaults.rpcUrl,
   })
   const getAccount = Account.getResolver({ account: parameters.account })
-  const getAuthorizedSigner = (account: viem_Account) =>
-    parameters.authorizedSigner ??
-    (account as unknown as { accessKeyAddress?: Address }).accessKeyAddress
 
   const maxDeposit =
     parameters.maxDeposit !== undefined ? parseUnits(parameters.maxDeposit, decimals) : undefined
@@ -141,7 +138,7 @@ export function session(parameters: session.Parameters = {}) {
       )
     })()
 
-    const authorizedSigner = getAuthorizedSigner(account)
+    const voucherSigner = parameters.voucherSigner ?? account
 
     const key = channelKey(payee, currency, escrowContract)
     let entry = channels.get(key)
@@ -186,12 +183,12 @@ export function session(parameters: session.Parameters = {}) {
         entry.cumulativeAmount,
         escrowContract,
         chainId,
-        authorizedSigner,
+        voucherSigner,
       )
       notifyUpdate(entry)
     } else {
       const result = await createOpenPayload(client, account, {
-        authorizedSigner,
+        voucherSigner,
         escrowContract,
         payee,
         currency,
@@ -222,12 +219,8 @@ export function session(parameters: session.Parameters = {}) {
     const client = await getClient({ chainId })
 
     const action = context.action!
-    const {
-      channelId: channelIdRaw,
-      transaction,
-      authorizedSigner: contextAuthorizedSigner,
-    } = context
-    const authorizedSigner = (contextAuthorizedSigner as Address) ?? getAuthorizedSigner(account)
+    const { channelId: channelIdRaw, transaction } = context
+    const voucherSigner = parameters.voucherSigner ?? account
     const channelId = channelIdRaw as Hex.Hex
     const cumulativeAmount = context.cumulativeAmountRaw
       ? BigInt(context.cumulativeAmountRaw)
@@ -256,14 +249,14 @@ export function session(parameters: session.Parameters = {}) {
           { channelId, cumulativeAmount },
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         payload = {
           action: 'open',
           type: 'transaction',
           channelId,
           transaction: transaction as Hex.Hex,
-          authorizedSigner: authorizedSigner ?? account.address,
+          authorizedSigner: getAccountSignerAddress(voucherSigner),
           cumulativeAmount: cumulativeAmount.toString(),
           signature,
         }
@@ -293,7 +286,7 @@ export function session(parameters: session.Parameters = {}) {
           cumulativeAmount,
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         const key = channelIdToKey.get(channelId)
         if (key) {
@@ -316,7 +309,7 @@ export function session(parameters: session.Parameters = {}) {
           { channelId, cumulativeAmount },
           escrowContract,
           chainId,
-          authorizedSigner,
+          voucherSigner,
         )
         payload = {
           action: 'close',
@@ -364,8 +357,8 @@ export function session(parameters: session.Parameters = {}) {
 export declare namespace session {
   type Parameters = Account.getResolver.Parameters &
     Client.getResolver.Parameters & {
-      /** Address authorized to sign vouchers. Defaults to the account address. Use when a separate access key (e.g. secp256k1) signs vouchers while the root account funds the channel. */
-      authorizedSigner?: Address | undefined
+      /** Account that signs voucher digests. Defaults to `account`; access-key accounts sign raw vouchers as their access-key address. */
+      voucherSigner?: viem_Account | undefined
       /** Token decimals for parsing human-readable amounts (default: 6). */
       decimals?: number | undefined
       /** Initial deposit amount in human-readable units (e.g. "10" for 10 tokens). When set, the method handles the full channel lifecycle (open, voucher, cumulative tracking) automatically. */