Releases: wevm/mppx
Releases · wevm/mppx
mppx@0.6.31
Patch Changes
- 1c286cd: Fixed host confusion in the Node adapter (
Request.fromNodeListener/toNodeListener). Protocol-relative (//evil.com/x), triple-slash (///evil.com/x), backslash (/\evil.com/x), and embedded-authority (//a//evil.com/x) request targets could previously override the request host derived from theHostheader, which in turn poisoned the auto-detected challengerealm. The adapter now copies only the parsed path and query onto a trusted origin, so the request target's authority can never influence the resulting URL host. - e03f5c5: Fixed
tempo.sessionvoucher verification to treat lower-amount voucher replays idempotently. Per the session spec's idempotency requirement, a non-advancing voucher (with acumulativeAmountat or below the highest accepted amount, but above the on-chain settled amount) now returns a 200 OK receipt with the current highest amount instead of being rejected as an error. Forged or at-or-below-settled vouchers are still rejected, and the at-or-below-settled rejection reason was clarified to match the inclusive (<=) bound. - f7bf20c: Fixed SSE session voucher updates being charged as content requests.
mppx@0.6.30
Patch Changes
- 77eac81: Added the root EVM charge method export for direct
mppx/evmhelper access.
mppx@0.6.29
Patch Changes
- aca0e4a: Fixed challenge header serialization type checking for ES2020 TypeScript targets.
- 1edd30e: Fixed WWW-Authenticate challenge serialization to escape quoted-string values and reject CRLF.
- 5aed74b: Replaced Tempo session
authorizedSigneroptions withvoucherSigneraccounts and added raw access-key voucher signing. - d337c11: Preserved charge supported modes and split payment defaults in challenges.
- c95f4e2: Applied strict session fee-payer call validation to relay-sponsored transactions.
- 2f5b92a: Bound session voucher verification to stored channel chain metadata.
- 165bc9c: Required expiring nonce keys for fee-sponsored transactions.
- a171438: Blocked WebSocket session metering after channel close requests.
- ae76fb4: Retried payment credentials against the final challenge response URL.
- 6715802: Stripped caller-supplied OpenAI tenant headers before proxying requests.
- fbb7057: Added EVM charge support with x402 exact compatibility and resource-bound payment payload verification.
- bf72175: Added an x402 and mpp example server/client, fixed HTTP clients to parse x402 offers when Payment-auth challenges were also present, and fixed repeated x402 EIP-3009 payments for live facilitators.
mppx@0.6.28
Patch Changes
- 6c789fa: Added store key prefix options for Store constructors and Tempo charge, session, and subscription stores.
- b051e6c: Stripped
Set-Cookiefrom upstream responses inProxy.scrubResponseso an upstream service cannot set cookies under the proxy's origin. - 1ee47a2: Added server-side Stripe Connect settlement options for Stripe charges.
mppx@0.6.27
mppx@0.6.26
Patch Changes
- 3d9a9cf: Added
dev_secondsubscription periods.
Addedmppx.tempo.subscription.renew.
Raised default sponsor limits for subscription payments.
mppx@0.6.25
mppx@0.6.24
mppx@0.6.23
Patch Changes
- c370c93: Added fee payer support and an optional
feePayerPolicyparameter totempo.subscriptionso activation and renewal payments can be sponsored without consuming the access key's spending limit.
mppx@0.6.22
Patch Changes
- 281fc16: Fixed Tempo subscription
wallet_authorizeAccessKeyRPC payload to sendscopes(the spec-compliant field) instead ofallowedCalls, and to hex-encodelimits[].limitso the parameters match the encoded variant of thewallet_authorizeAccessKeyschema.