mppx 0.7.0 → 0.8.0

package/src/tempo/server/Subscription.ts

@@ -1,6 +1,13 @@
 import { Base64 } from 'ox'
 import { KeyAuthorization } from 'ox/tempo'
-import { encodeFunctionData, isAddressEqual, type Address, type Client as ViemClient } from 'viem'
+import {
+  encodeFunctionData,
+  isAddressEqual,
+  parseEventLogs,
+  type Address,
+  type Client as ViemClient,
+  type TransactionReceipt,
+} from 'viem'
 import {
   call as viem_call,
   prepareTransactionRequest,
@@ -113,6 +120,8 @@ export function subscription<const parameters extends subscription.Parameters>(
     },
 
     async authorize({ input, request }) {
+      if (parameters.requireCredential) return undefined
+
       const resolved = await parameters.resolve({ input, request })
       if (!resolved) return undefined
 
@@ -182,8 +191,8 @@ export function subscription<const parameters extends subscription.Parameters>(
       const input = requestFromCaptured(capturedRequest)
       const resolved = await parameters.resolve({ input, request: parsedRequest })
       const existing = resolved ? await store.getByKey(resolved.key) : null
-      const accessKey =
-        resolved && !credential
+      const accessKey = !credential
+        ? resolved
           ? await resolveChallengeAccessKey({
               existing,
               input,
@@ -192,7 +201,10 @@ export function subscription<const parameters extends subscription.Parameters>(
               resolved,
               store,
             })
-          : (credentialRequest?.methodDetails?.accessKey ?? parsedRequest.methodDetails?.accessKey)
+          : parameters.requireCredential && !parameters.activate
+            ? await createUnboundChallengeAccessKey({ store })
+            : undefined
+        : (credentialRequest?.methodDetails?.accessKey ?? parsedRequest.methodDetails?.accessKey)
       if (!accessKey) {
         throw new VerificationFailedError({ reason: 'subscription accessKey is missing' })
       }
@@ -218,16 +230,17 @@ export function subscription<const parameters extends subscription.Parameters>(
         challengeExpires: credential.challenge.expires,
         request: parsedRequest,
       })
-      const resolved = await parameters.resolve({ input, request: parsedRequest })
-
-      if (!resolved) {
-        throw new VerificationFailedError({ reason: 'subscription could not be resolved' })
-      }
       const challengeRequest = credential.challenge.request as SubscriptionRequest
-      const accessKey =
-        challengeRequest.methodDetails?.accessKey ??
-        parsedRequest.methodDetails?.accessKey ??
-        (await resolveAccessKey({ input, parameters, request: parsedRequest, resolved }))
+      let resolved: subscription.ResolvedSubscription | null = null
+      let accessKey =
+        challengeRequest.methodDetails?.accessKey ?? parsedRequest.methodDetails?.accessKey
+      if (!accessKey) {
+        resolved = await parameters.resolve({ input, request: parsedRequest })
+        if (!resolved) {
+          throw new VerificationFailedError({ reason: 'subscription could not be resolved' })
+        }
+        accessKey = await resolveAccessKey({ input, parameters, request: parsedRequest, resolved })
+      }
       if (!accessKey) {
         throw new VerificationFailedError({ reason: 'subscription accessKey is missing' })
       }
@@ -247,10 +260,20 @@ export function subscription<const parameters extends subscription.Parameters>(
           reason: 'credential source does not match signature',
         })
       }
+      resolved =
+        (await parameters.resolve({ input, request: parsedRequest, source: verified.source })) ??
+        resolved
+
+      if (!resolved) {
+        throw new VerificationFailedError({ reason: 'subscription could not be resolved' })
+      }
 
       const activation = await store.activate({
         challengeId: credential.challenge.id,
-        isReusable: (subscription) => isReusableSubscription(subscription, parsedRequest),
+        isReusable: (subscription) =>
+          parameters.requireCredential
+            ? isActiveSubscriptionForRequest(subscription, parsedRequest)
+            : isReusableSubscription(subscription, parsedRequest),
         lookupKey: resolved.key,
         async create() {
           const activation = withSubscriptionAccessKey(
@@ -299,7 +322,50 @@ export function subscription<const parameters extends subscription.Parameters>(
         throw new VerificationFailedError({ reason: 'subscription activation claim mismatch' })
       }
       if (activation.status === 'existing') {
-        return SubscriptionReceipt.fromRecord(activation.subscription)
+        const subscription = activation.subscription
+        assertSubscriptionPayer(subscription, verified.source, {
+          required: parameters.requireCredential,
+        })
+
+        const periodIndex = getPeriodIndex(subscription)
+        if (periodIndex > subscription.lastChargedPeriod) {
+          const renew = resolveRenewalHandler({
+            feePayer,
+            feePayerPolicy,
+            getClient,
+            parameters,
+            store,
+            subscription,
+            waitForConfirmation,
+          })
+          if (!renew) {
+            throw new VerificationFailedError({ reason: 'subscription renewal is required' })
+          }
+
+          const renewal = await settleRenewal({
+            expectedLookupKey: resolved.key,
+            periodIndex,
+            renew,
+            request: parsedRequest,
+            store,
+            subscription,
+          })
+          if (!renewal) {
+            throw new VerificationFailedError({ reason: 'subscription renewal failed' })
+          }
+          if (renewal.status === 'charged' || renewal.status === 'inFlight') {
+            return renewal.receipt
+          }
+
+          await parameters.hooks?.renewed?.({
+            periodIndex,
+            receipt: renewal.result.receipt,
+            subscription: renewal.result.subscription,
+          })
+          return renewal.result.receipt
+        }
+
+        return SubscriptionReceipt.fromRecord(subscription)
       }
 
       await parameters.hooks?.activated?.({
@@ -380,6 +446,18 @@ async function resolveChallengeAccessKey(parameters: {
   )
 }
 
+async function createUnboundChallengeAccessKey(parameters: {
+  store: SubscriptionStore.SubscriptionStore
+}) {
+  const accessKey = await parameters.store.getOrCreateAccessKey(
+    `challenge:${createSubscriptionId()}`,
+  )
+  return {
+    accessKeyAddress: accessKey.accessKeyAddress,
+    keyType: accessKey.keyType,
+  } satisfies SubscriptionAccessKey
+}
+
 async function activateSubscription(parameters: {
   accessKey: SubscriptionAccessKey
   auto: {
@@ -567,14 +645,20 @@ function isActive(subscription: SubscriptionRecord): boolean {
   return new Date(subscription.subscriptionExpires).getTime() > Date.now()
 }
 
+function isActiveSubscriptionForRequest(
+  subscription: SubscriptionRecord,
+  request: SubscriptionRequest,
+): boolean {
+  return isActive(subscription) && subscriptionMatchesRequest(subscription, request)
+}
+
 function isReusableSubscription(
   subscription: SubscriptionRecord,
   request: SubscriptionRequest,
 ): boolean {
   return (
-    isActive(subscription) &&
-    getPeriodIndex(subscription) <= subscription.lastChargedPeriod &&
-    subscriptionMatchesRequest(subscription, request)
+    isActiveSubscriptionForRequest(subscription, request) &&
+    getPeriodIndex(subscription) <= subscription.lastChargedPeriod
   )
 }
 
@@ -589,6 +673,25 @@ function subscriptionMatchesRequest(
   )
 }
 
+function assertSubscriptionPayer(
+  subscription: SubscriptionRecord,
+  source: { address: Address; chainId: number },
+  options?: { required?: boolean | undefined },
+) {
+  if (!subscription.payer) {
+    if (options?.required) {
+      throw new VerificationFailedError({ reason: 'subscription payer is missing' })
+    }
+    return
+  }
+  if (
+    subscription.payer.chainId !== source.chainId ||
+    !isAddressEqual(subscription.payer.address, source.address)
+  ) {
+    throw new VerificationFailedError({ reason: 'subscription payer mismatch' })
+  }
+}
+
 function comparableSubscriptionBinding(value: SubscriptionRecord | SubscriptionRequest) {
   const chainId =
     'chainId' in value ? value.chainId : (value as SubscriptionRequest).methodDetails?.chainId
@@ -804,7 +907,9 @@ async function submitSubscriptionPayment(parameters: {
     store,
     waitForConfirmation,
   } = parameters
-  const stored = await store.getAccessKey(lookupKey)
+  const stored =
+    (await store.getAccessKey(lookupKey)) ??
+    (await store.getAccessKeyByAddress(accessKey.accessKeyAddress))
   if (!stored) {
     throw new VerificationFailedError({ reason: 'subscription access key is missing' })
   }
@@ -884,6 +989,8 @@ async function submitSubscriptionPayment(parameters: {
   } as never)
 
   if (!waitForConfirmation) {
+    // Optimistic mode has no receipt to inspect, so it cannot detect a T6
+    // (TIP-1028) held transfer. Use `waitForConfirmation: true` for T6-safe proof.
     return sendRawTransaction(client, {
       serializedTransaction: serializedTransaction as Transaction.TransactionSerializedTempo,
     })
@@ -897,9 +1004,50 @@ async function submitSubscriptionPayment(parameters: {
       reason: `subscription transaction reverted: ${receipt.transactionHash}`,
     })
   }
+  assertSubscriptionTransfer(receipt, {
+    amount: BigInt(request.amount),
+    currency: request.currency as Address,
+    memo,
+    recipient: request.recipient as Address,
+  })
   return receipt.transactionHash
 }
 
+/**
+ * Asserts a confirmed subscription payment credited the recipient.
+ *
+ * Transaction success alone is not proof: under Tempo T6 (TIP-1028) a recipient
+ * receive policy can hold the funds in `ReceivePolicyGuard` while the tx still
+ * succeeds. Settlement always emits one `transferWithMemo(recipient, amount,
+ * memo)`, so this requires a matching `TransferWithMemo` log on the expected
+ * token. A held transfer fails because its `to` is the guard, and the memo
+ * binding excludes unrelated transfer effects in the same receipt.
+ */
+function assertSubscriptionTransfer(
+  receipt: TransactionReceipt,
+  parameters: { amount: bigint; currency: Address; memo: `0x${string}`; recipient: Address },
+): void {
+  const { amount, currency, memo, recipient } = parameters
+  const credited = parseEventLogs({
+    abi: Abis.tip20,
+    eventName: 'TransferWithMemo',
+    logs: receipt.logs,
+  }).some(
+    (log) =>
+      isAddressEqual(log.address, currency) &&
+      isAddressEqual(log.args.to, recipient) &&
+      log.args.amount === amount &&
+      log.args.memo.toLowerCase() === memo.toLowerCase(),
+  )
+  if (!credited) {
+    throw new VerificationFailedError({
+      reason:
+        `subscription transfer was not credited to the recipient ` +
+        `(funds may have been held by a receive policy): ${receipt.transactionHash}`,
+    })
+  }
+}
+
 function createSubscriptionId() {
   const bytes = new Uint8Array(18)
   globalThis.crypto.getRandomValues(bytes)
@@ -1054,6 +1202,11 @@ export declare namespace subscription {
        * Keeps concurrent renewal safe while allowing recovery from abandoned attempts.
        */
       renewalTimeoutMs?: number | undefined
+      /**
+       * Requires a fresh subscription Credential even when a subscription is active.
+       * This binds access reuse to the stored payer instead of trusting request metadata alone.
+       */
+      requireCredential?: boolean | undefined
       /**
        * Override the fee-payer policy for sponsored subscription payments.
        * Useful when the access key + key authorization tx requires more gas
@@ -1101,6 +1254,8 @@ export declare namespace subscription {
       resolve: (parameters: {
         input: Request
         request: SubscriptionRequest
+        /** Verified payer identity recovered from a signed subscription credential. */
+        source?: { address: Address; chainId: number } | undefined
       }) => MaybePromise<ResolvedSubscription | null>
       renew?: (parameters: {
         /** Stable idempotency/reconciliation reference persisted before the renewal hook runs. */

package/src/tempo/server/internal/html/package.json

@@ -3,8 +3,8 @@
   "private": true,
   "type": "module",
   "dependencies": {
-    "accounts": "0.14.6",
+    "accounts": "0.14.9",
     "mppx": "workspace:*",
-    "viem": "2.50.4"
+    "viem": "2.52.2"
   }
 }