mppx 0.6.28 → 0.6.29

package/src/client/internal/Fetch.test.ts

@@ -665,8 +665,37 @@ describe('Fetch.from: 402 retry path', () => {
     await fetch('https://example.com/api')
 
     const retryInit = calls[1]!.init as Record<string, unknown>
-    const headers = retryInit.headers as Record<string, string>
-    expect(headers.Authorization).toBe('credential')
+    const headers = new Headers(retryInit.headers as HeadersInit)
+    expect(headers.get('Authorization')).toBe('credential')
+  })
+
+  test('sends credential retry to the final 402 response URL', async () => {
+    let callCount = 0
+    const calls: { input: RequestInfo | URL; init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (input, init) => {
+      calls.push({ input, init })
+      callCount++
+      if (callCount === 1) {
+        const response = make402()
+        Object.defineProperty(response, 'url', {
+          value: 'https://payments.example.com/protected',
+        })
+        return response
+      }
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const response = await fetch('https://api.example.com/protected')
+
+    expect(response.status).toBe(200)
+    expect(calls[0]!.input).toBe('https://api.example.com/protected')
+    expect(calls[1]!.input).toBe('https://payments.example.com/protected')
+    expect(new Headers(calls[1]!.init?.headers).get('Authorization')).toBe('credential')
   })
 
   test('emits client events and allows challenge handler to provide credential', async () => {

package/src/client/internal/Fetch.ts

@@ -4,6 +4,7 @@ import * as AcceptPayment from '../../internal/AcceptPayment.js'
 import type { MaybePromise } from '../../internal/types.js'
 import type * as Method from '../../Method.js'
 import type * as z from '../../zod.js'
+import * as Transport from '../Transport.js'
 
 // We tag wrappers with a global symbol so we can recognize wrappers created by mppx,
 // even across multiple module instances/bundles. This lets restore() avoid clobbering
@@ -162,6 +163,7 @@ export function from<const methods extends readonly Method.AnyClient[]>(
     methods,
     onChallenge,
     orderChallenges,
+    transport = Transport.http(),
   } = config
   const events = config.eventDispatcher ?? createEventDispatcher()
   const resolvedAcceptPayment = acceptPayment ?? AcceptPayment.resolve(methods)
@@ -183,7 +185,7 @@ export function from<const methods extends readonly Method.AnyClient[]>(
     )
     const response = await baseFetch(initialRequest.input, initialRequest.init)
 
-    if (response.status !== 402) return response
+    if (!transport.isPaymentRequired(response)) return response
 
     // Only extract context for payment handling after confirming 402.
     const context = (init as Record<string, unknown> | undefined)?.context
@@ -198,8 +200,9 @@ export function from<const methods extends readonly Method.AnyClient[]>(
     let mi: methods[number] | undefined
 
     try {
-      // Parse all challenges from the response (supports merged WWW-Authenticate headers).
-      challenges = Challenge.fromResponseList(response)
+      challenges = transport.getChallenges
+        ? transport.getChallenges(response)
+        : [transport.getChallenge(response)]
 
       const candidates = AcceptPayment.selectChallengeCandidates(
         challenges,
@@ -258,10 +261,17 @@ export function from<const methods extends readonly Method.AnyClient[]>(
         }),
       )
 
-      const paymentResponse = await baseFetch(initialRequest.input, {
-        ...fetchInit,
-        headers: withAuthorizationHeader(initialRequest.headers, credential),
-      })
+      const paymentResponse = await baseFetch(
+        resolvePaymentRetryInput(response, initialRequest.input),
+        transport.setCredential(
+          {
+            ...fetchInit,
+            headers: initialRequest.headers,
+          },
+          credential,
+          { challenge: selectedChallenge },
+        ),
+      )
       if (paymentResponse.ok)
         await events.emit(
           'payment.response',
@@ -335,6 +345,8 @@ export declare namespace from {
       | undefined
     /** Filters and sorts supported challenges before credential creation. */
     orderChallenges?: AcceptPayment.OrderChallenges<methods> | undefined
+    /** Transport to use for challenge extraction and credential attachment. */
+    transport?: Transport.AnyTransport | undefined
   }
 
   type Fetch<methods extends readonly Method.AnyClient[] = readonly Method.AnyClient[]> = (
@@ -688,18 +700,6 @@ function freezeSnapshot<value>(value: value): value {
   return value
 }
 
-/** @internal */
-function withAuthorizationHeader(headers: unknown, credential: string): Record<string, string> {
-  const normalized = normalizeHeaders(headers)
-  // Remove any existing Authorization header regardless of casing to avoid
-  // duplicate/conflicting credentials on retry.
-  for (const key of Object.keys(normalized)) {
-    if (key.toLowerCase() === 'authorization') delete normalized[key]
-  }
-  normalized.Authorization = credential
-  return normalized
-}
-
 /** @internal */
 function prepareInitialRequest<methods extends readonly Method.AnyClient[]>(
   input: RequestInfo | URL,
@@ -843,3 +843,10 @@ function resolveRequestUrl(input: RequestInfo | URL): URL {
   if (input instanceof Request) return new URL(input.url)
   return new URL(input, isBrowser() ? globalThis.location.href : undefined)
 }
+
+function resolvePaymentRetryInput(
+  response: Response,
+  fallback: RequestInfo | URL,
+): RequestInfo | URL {
+  return response.url ? response.url : fallback
+}

package/src/evm/Assets.ts

@@ -0,0 +1 @@
+export * from '../x402/Assets.js'

package/src/evm/Chains.ts

@@ -0,0 +1,5 @@
+/** Base mainnet EVM chain ID. */
+export const base = 8453
+
+/** Base Sepolia testnet EVM chain ID. */
+export const baseSepolia = 84532

package/src/evm/Methods.ts

@@ -0,0 +1,44 @@
+import { getAddress, parseUnits } from 'viem'
+
+import * as Method from '../Method.js'
+import * as z from '../zod.js'
+import * as Types from './Types.js'
+
+/** Native Payment-auth EVM charge method. */
+export const charge = Method.from({
+  name: Types.paymentMethod,
+  intent: Types.chargeIntent,
+  schema: {
+    credential: {
+      payload: Types.ChargePayloadSchema,
+    },
+    request: z.pipe(
+      Types.ChargeRequestInputSchema,
+      z.transform(
+        ({
+          amount,
+          chainId,
+          credentialTypes = ['authorization'],
+          currency,
+          decimals,
+          permit2Address,
+          recipient,
+          splits,
+          ...request
+        }) => ({
+          ...request,
+          amount: parseUnits(amount, decimals).toString(),
+          currency: getAddress(currency),
+          methodDetails: {
+            chainId,
+            credentialTypes,
+            decimals,
+            ...(permit2Address ? { permit2Address: getAddress(permit2Address) } : {}),
+            ...(splits ? { splits } : {}),
+          },
+          recipient: getAddress(recipient),
+        }),
+      ),
+    ),
+  },
+})

package/src/evm/PublicInterface.test-d.ts

@@ -0,0 +1,109 @@
+import * as evmRoot from 'mppx/evm'
+import {
+  assets as clientAssets,
+  chains as clientChains,
+  charge as clientCharge,
+  evm as clientEvm,
+} from 'mppx/evm/client'
+import { assets as serverAssets, charge as serverCharge, evm as serverEvm } from 'mppx/evm/server'
+import type { Account } from 'viem'
+import { describe, expectTypeOf, test } from 'vp/test'
+
+import { Mppx as ClientMppx } from '../client/index.js'
+import { Mppx as ServerMppx } from '../server/index.js'
+
+const account = {} as Account
+const recipient = '0x209693Bc6afc0C5328bA36FaF03C514EF312287C'
+const secretKey = 'test-secret'
+const settle = async () => ({
+  reference: `0x${'1'.repeat(64)}` as `0x${string}`,
+})
+const facilitator = {
+  settle: async () => ({
+    network: 'eip155:8453',
+    success: true,
+    transaction: `0x${'1'.repeat(64)}` as `0x${string}`,
+  }),
+  verify: async () => ({ isValid: true }),
+}
+
+describe('evm public interface', () => {
+  test('exports EVM asset metadata from root and subpaths', () => {
+    expectTypeOf(evmRoot.assets.base.USDC).toMatchTypeOf<typeof serverAssets.base.USDC>()
+    expectTypeOf(clientAssets.baseSepolia.USDC).toMatchTypeOf<
+      typeof serverAssets.baseSepolia.USDC
+    >()
+    expectTypeOf(evmRoot.chains.base).toMatchTypeOf<number>()
+    expectTypeOf(clientChains.baseSepolia).toMatchTypeOf<number>()
+  })
+
+  test('server charge works through subpath exports and tuple helper', () => {
+    const direct = serverCharge({
+      currency: serverAssets.base.USDC,
+      recipient,
+      x402: { facilitator },
+    })
+    expectTypeOf(direct.name).toEqualTypeOf<'evm'>()
+    expectTypeOf(direct.intent).toEqualTypeOf<'charge'>()
+
+    const mppx = ServerMppx.create({
+      methods: [
+        serverEvm({
+          currency: serverAssets.base.USDC,
+          recipient,
+          x402: { facilitator },
+        }),
+      ],
+      secretKey,
+    })
+
+    expectTypeOf(mppx.evm.charge).toBeFunction()
+    expectTypeOf(mppx.evm.charge({ amount: '0.01' })).toBeFunction()
+  })
+
+  test('server charge accepts a custom settlement override', () => {
+    const direct = serverCharge({
+      currency: serverAssets.base.USDC,
+      recipient,
+      settle,
+    })
+    expectTypeOf(direct.name).toEqualTypeOf<'evm'>()
+    expectTypeOf(direct.intent).toEqualTypeOf<'charge'>()
+  })
+
+  test('client charge works through subpath exports and tuple helper', () => {
+    const direct = clientCharge({
+      account,
+      currencies: [clientAssets.baseSepolia.USDC],
+      maxAmount: '0.01',
+      networks: [clientChains.baseSepolia],
+    })
+    expectTypeOf(direct.name).toEqualTypeOf<'evm'>()
+    expectTypeOf(direct.intent).toEqualTypeOf<'charge'>()
+
+    const mppx = ClientMppx.create({
+      methods: [
+        clientEvm({
+          account,
+          currencies: [clientAssets.baseSepolia.USDC],
+          maxAmount: '0.01',
+          networks: [clientEvm.chains.baseSepolia],
+        }),
+      ],
+      polyfill: false,
+    })
+
+    expectTypeOf(mppx.createCredential).toBeFunction()
+  })
+
+  test('server charge rejects x402 exact config shape', () => {
+    serverCharge({
+      // @ts-expect-error evm.charge takes shared charge config, not x402 exact config.
+      config: {
+        currency: serverAssets.base.USDC,
+        recipient,
+        x402: { facilitator },
+      },
+    })
+  })
+})

package/src/evm/Types.ts

@@ -0,0 +1,140 @@
+import { Bytes, Hash } from 'ox'
+
+import * as z from '../zod.js'
+
+/** Payment method name for Payment-auth EVM challenges. */
+export const paymentMethod = 'evm' as const
+
+/** Payment intent name for one-time EVM charges. */
+export const chargeIntent = 'charge' as const
+
+/** CAIP-2 namespace prefix for EVM networks. */
+export const evmNetworkPrefix = 'eip155:' as const
+
+/** EIP-3009 transfer authorization method identifier. */
+export const eip3009 = 'eip3009' as const
+
+/** EVM charge credential types supported by this package. */
+export const credentialTypes = ['authorization'] as const
+
+const atomicAmount = z.string().check(z.regex(/^\d+$/, 'Invalid atomic amount'))
+
+/** EIP-3009 domain metadata for `transferWithAuthorization` signatures. */
+export const AuthorizationConfigSchema = z.object({
+  name: z.string().check(z.minLength(1)),
+  version: z.string().check(z.minLength(1)),
+})
+export type AuthorizationConfig = z.infer<typeof AuthorizationConfigSchema>
+
+/** CAIP-2 EVM network identifier. */
+export type EvmNetwork = `${typeof evmNetworkPrefix}${number}`
+
+/** EVM-specific charge method details. */
+export const MethodDetailsSchema = z.object({
+  chainId: z.number(),
+  credentialTypes: z.optional(z.array(z.enum(credentialTypes)).check(z.minLength(1))),
+  decimals: z.optional(z.number()),
+  permit2Address: z.optional(z.address()),
+  splits: z.optional(
+    z.array(
+      z.object({
+        amount: atomicAmount,
+        recipient: z.address(),
+      }),
+    ),
+  ),
+})
+export type MethodDetails = z.infer<typeof MethodDetailsSchema>
+
+/** Canonical Payment-auth EVM charge request. */
+export const ChargeRequestSchema = z.object({
+  amount: atomicAmount,
+  currency: z.address(),
+  description: z.optional(z.string()),
+  externalId: z.optional(z.string()),
+  methodDetails: MethodDetailsSchema,
+  recipient: z.address(),
+})
+export type ChargeRequest = z.infer<typeof ChargeRequestSchema>
+
+/** Public route input before display-unit amounts are converted to atomic units. */
+export const ChargeRequestInputSchema = z.object({
+  amount: z.amount(),
+  chainId: z.number(),
+  currency: z.address(),
+  credentialTypes: z.optional(z.array(z.enum(credentialTypes)).check(z.minLength(1))),
+  decimals: z.number(),
+  description: z.optional(z.string()),
+  externalId: z.optional(z.string()),
+  permit2Address: z.optional(z.address()),
+  recipient: z.address(),
+  splits: z.optional(
+    z.array(
+      z.object({
+        amount: atomicAmount,
+        recipient: z.address(),
+      }),
+    ),
+  ),
+})
+export type ChargeRequestInput = z.infer<typeof ChargeRequestInputSchema>
+
+/** Payment-auth EVM authorization credential payload. */
+export const AuthorizationPayloadSchema = z.object({
+  from: z.address(),
+  nonce: z.hash(),
+  signature: z.signature(),
+  to: z.address(),
+  type: z.literal('authorization'),
+  validAfter: atomicAmount,
+  validBefore: atomicAmount,
+  value: atomicAmount,
+})
+export type AuthorizationPayload = z.infer<typeof AuthorizationPayloadSchema>
+
+/** Payment-auth EVM charge credential payload. */
+export const ChargePayloadSchema = AuthorizationPayloadSchema
+export type ChargePayload = z.infer<typeof ChargePayloadSchema>
+
+/** EIP-712 type definition for EIP-3009 `transferWithAuthorization`. */
+export const authorizationTypes = {
+  TransferWithAuthorization: [
+    { name: 'from', type: 'address' },
+    { name: 'to', type: 'address' },
+    { name: 'value', type: 'uint256' },
+    { name: 'validAfter', type: 'uint256' },
+    { name: 'validBefore', type: 'uint256' },
+    { name: 'nonce', type: 'bytes32' },
+  ],
+} as const
+
+/** Returns the EIP-712 domain for an EIP-3009 authorization signature. */
+export function authorizationDomain(parameters: {
+  authorization: AuthorizationConfig
+  chainId: number
+  currency: `0x${string}`
+}) {
+  return {
+    chainId: parameters.chainId,
+    name: parameters.authorization.name,
+    verifyingContract: parameters.currency,
+    version: parameters.authorization.version,
+  } as const
+}
+
+/** Computes the Payment-auth EVM challenge hash used as the EIP-3009 nonce. */
+export function challengeHash(challenge: { id: string; realm: string }): `0x${string}` {
+  return Hash.keccak256(Bytes.fromString(`${challenge.id}${challenge.realm}`), {
+    as: 'Hex',
+  }) as `0x${string}`
+}
+
+/** Converts a chain ID to the CAIP-2 EVM network identifier. */
+export function networkOf(chainId: number): EvmNetwork {
+  return `${evmNetworkPrefix}${chainId}`
+}
+
+/** Formats an EVM address as a did:pkh source identifier. */
+export function toSource(parameters: { address: `0x${string}`; chainId: number }) {
+  return `did:pkh:eip155:${parameters.chainId}:${parameters.address}` as const
+}

package/src/evm/client/Charge.test.ts

@@ -0,0 +1,99 @@
+import { Challenge } from 'mppx'
+import type { Account } from 'viem'
+import { describe, expect, test, vi } from 'vp/test'
+
+import * as Assets from '../Assets.js'
+import * as Chains from '../Chains.js'
+import { charge } from './Charge.js'
+
+const account = {
+  address: '0x1111111111111111111111111111111111111111',
+  signTypedData: vi.fn(async () => '0x1234'),
+} as unknown as Account
+
+describe('evm charge client', () => {
+  test('does not sign x402 payloads from unbranded Payment-auth challenges', async () => {
+    const signTypedData = vi.fn(async () => '0x1234')
+    const client = charge({
+      account: {
+        ...account,
+        signTypedData,
+      } as unknown as Account,
+      currencies: [Assets.baseSepolia.USDC],
+      maxAmount: '0.01',
+      networks: [Chains.baseSepolia],
+    })
+    const challenge = Challenge.from({
+      id: 'attacker-controlled',
+      intent: 'charge',
+      method: 'evm',
+      realm: 'api.example.com',
+      request: {
+        amount: '10000',
+        asset: Assets.baseSepolia.USDC.address,
+        maxTimeoutSeconds: 60,
+        network: 'eip155:84532',
+        payTo: '0x2222222222222222222222222222222222222222',
+        scheme: 'exact',
+      },
+    })
+
+    await expect(client.createCredential({ challenge } as never)).rejects.toThrow()
+    expect(signTypedData).not.toHaveBeenCalled()
+  })
+
+  test('does not use server-supplied decimals for maxAmount policy', async () => {
+    const client = charge({
+      account,
+      maxAmount: '1',
+    })
+    const challenge = Challenge.from({
+      id: 'native',
+      intent: 'charge',
+      method: 'evm',
+      realm: 'api.example.com',
+      request: {
+        amount: '1000000000000000000',
+        currency: Assets.baseSepolia.USDC.address,
+        methodDetails: {
+          chainId: 84532,
+          credentialTypes: ['authorization'],
+          decimals: 18,
+        },
+        recipient: '0x2222222222222222222222222222222222222222',
+      },
+    })
+
+    await expect(client.createCredential({ challenge } as never)).rejects.toThrow(
+      'EVM charge maxAmount requires currency decimals.',
+    )
+  })
+
+  test('requires network policy for raw hex currencies', async () => {
+    const client = charge({
+      account,
+      currencies: [Assets.baseSepolia.USDC.address],
+      maxAmount: '1',
+    })
+    const challenge = Challenge.from({
+      id: 'native',
+      intent: 'charge',
+      method: 'evm',
+      realm: 'api.example.com',
+      request: {
+        amount: '1000000',
+        currency: Assets.baseSepolia.USDC.address,
+        methodDetails: {
+          chainId: 84532,
+          credentialTypes: ['authorization'],
+          decimals: 6,
+        },
+        recipient: '0x2222222222222222222222222222222222222222',
+      },
+    })
+
+    await expect(client.createCredential({ challenge } as never)).rejects.toThrow(
+      'EVM raw currency allowlists require networks.',
+    )
+  })
+})