Skip to content

Releases: wevm/mppx

mppx@0.5.1

31 Mar 21:07
@github-actions github-actions
mppx@0.5.1
54d6279
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.5.1 Latest
Latest

Patch Changes

  • dd27cb1: Validate the did:pkh:eip155 source DID on zero-dollar Tempo proof credentials. Servers now reject malformed proof source DIDs and chain ID mismatches between the source DID and the challenge signing domain.
Assets 2
Loading

mppx@0.5.0

31 Mar 04:05
@github-actions github-actions
mppx@0.5.0
6f2682a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.5.0

Minor Changes

  • 5e7750b: Added a proof credential type for zero-amount Tempo charge requests. Clients now sign an EIP-712 proof over the challenge ID instead of creating a broadcastable transaction, and servers verify the proof against the credential source DID before accepting the request. This prevents zero-dollar auth flows from burning gas when the payer would otherwise have been the fee payer.
Loading

mppx@0.4.12

30 Mar 05:26
@github-actions github-actions
mppx@0.4.12
a623877
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.12

Patch Changes

  • 5684b94: Fixed settleOnChain and closeOnChain to use the payee account as
    msg.sender instead of the fee payer when submitting fee-sponsored
    transactions. Previously, sendFeePayerTx used the fee payer as both
    sender and gas sponsor, causing the escrow contract to revert with
    NotPayee(). Added account option to tempo.settle() so callers can
    specify the signing account separately from the fee payer.
  • 3bc8657: Added compile-time guard to tempo.session() and tempo.charge(). Unknown properties (e.g. stream instead of sse) now cause a type error instead of being silently accepted.
  • 0531edd: Added split-payment support to Tempo charge requests, including client transaction construction and stricter server verification for split transfers.
  • 6188184: Added realm auto-detection from the request Host header when not explicitly configured. Resolution order: explicit value → env vars (MPP_REALM, FLY_APP_NAME, VERCEL_URL, etc.) → request URL hostname → "MPP Payment" fallback with a one-time warning. Removed the hard-coded "MPP Payment" default and deprioritized HOST/HOSTNAME env vars in favor of platform-specific alternatives.
  • ba79504: Return 410 ChannelClosedError instead of 402 AmountExceedsDepositError when a channel's on-chain deposit is zero but the channel still exists (payer is non-zero). This handles a race window during settlement where the escrow contract zeros the deposit before setting the finalized flag.
Loading

mppx@0.4.11

26 Mar 21:19
@github-actions github-actions
mppx@0.4.11
8ce9f56
This commit was signed with the committer’s verified signature.
tmm tmm
SSH Key Fingerprint: zYbKencWTU5A/hSVaVV5IBB4LFegtgi8pqDQs2J+Fv8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.11

Patch Changes

  • Fixed close voucher validation to reject vouchers equal to the on-chain settled amount. (GHSA-mv9j-8jvg-j8mr)
  • Added Stripe credential replay protection via the Idempotent-Replayed header. (GHSA-8mhj-rffc-rcvw)
Loading

mppx@0.4.10

26 Mar 15:57
@github-actions github-actions
mppx@0.4.10
7055bd1
This commit was signed with the committer’s verified signature.
tmm tmm
SSH Key Fingerprint: zYbKencWTU5A/hSVaVV5IBB4LFegtgi8pqDQs2J+Fv8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.10

Patch Changes

  • b4e1a3d: Add OpenAPI-first discovery tooling via mppx/discovery, framework discovery() helpers, and mppx discover validate.

    This also changes mppx/proxy discovery routes:

    • GET /openapi.json is now the canonical machine-readable discovery document.
    • GET /llms.txt remains available as the text-friendly discovery view.
    • Legacy /discover* routes now return 410 Gone.

  • 70f6595: Fix two production session/SSE robustness issues.

    1. Accept exact voucher replays (cumulativeAmount == highestVoucherAmount) as idempotent success after signature verification, while still rejecting lower cumulative amounts and preserving monotonic state advancement rules.
    2. Prevent invalid null-body response wrapping in SSE receipt transport by returning 101/204/205/304 responses directly instead of stream-wrapping them.

  • 3c713c9: tempo.session() now throws immediately at initialization if no viem Account is provided, instead of failing later with an opaque error during channel close. The error message includes an example fix.

Loading

mppx@0.4.9

23 Mar 18:58
@github-actions github-actions
mppx@0.4.9
5339356
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.9

Patch Changes

  • d9b651d: Added Store.redis() adapter for standard Redis clients (ioredis, node-redis, Valkey) with BigInt-safe serialization.
  • b69bbee: Fixed Express middleware hanging by constructing a Fetch Request directly from Express's req API.
  • 7da6cfd: Fixed SSE header normalization.
  • a2c6cc9: Skipped route amount/currency/recipient validation for topUp and voucher credentials. These POSTs carry no application body so the route's request hook may produce a different amount than the challenge echoed from the original request. The on-chain voucher signature is the real validation.
Loading

mppx@0.4.8

20 Mar 21:41
@github-actions github-actions
mppx@0.4.8
1092d43
This commit was signed with the committer’s verified signature.
tmm tmm
SSH Key Fingerprint: zYbKencWTU5A/hSVaVV5IBB4LFegtgi8pqDQs2J+Fv8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.8

Patch Changes

  • 99920d0: Updated validation.
Loading

mppx@0.4.7

18 Mar 13:54
@github-actions github-actions
mppx@0.4.7
0742b76
This commit was signed with the committer’s verified signature.
tmm tmm
SSH Key Fingerprint: zYbKencWTU5A/hSVaVV5IBB4LFegtgi8pqDQs2J+Fv8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.7

Patch Changes

  • 2a0b88e: Fixed cooperative close to sign the server-reported spent amount instead of the high-water mark (cumulativeAmount), preventing overcharging when actual usage was below the pre-authorized voucher amount.
Loading

mppx@0.4.6

18 Mar 01:28
@github-actions github-actions
mppx@0.4.6
351be54
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.6

Patch Changes

  • 281005c: Added support for feePayer as a URL string on tempo method.
Loading

mppx@0.4.5

17 Mar 18:43
@github-actions github-actions
mppx@0.4.5
af5f30b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
mppx@0.4.5

Patch Changes

  • bbd4b3f: Updated Moderato (testnet) escrow contract address to 0xe1c4d3dce17bc111181ddf716f75bae49e61a336.
Loading