feat: settle MCP payments in the payment-aware fetch #567

Open: parvahuja wants to merge 1 commit into wevm:main from parvahuja:parv/payment-aware-fetch

@parvahuja parvahuja commented Jun 18, 2026

Contributor

Summary

  • Compose Transport.http() from protocol handlers for MPP, x402, and MCP-over-HTTP challenges behind the payment-aware fetch.
  • Collect all payment offers from HTTP responses and route retry credentials through the protocol that produced the selected challenge.
  • Detect MCP JSON-RPC -32042 responses at the fetch boundary, including the first SSE event, and retry with credentials in MCP _meta while preserving Request-carried bodies.
  • Harden MCP-over-HTTP message parsing for invalid JSON-RPC response shapes and case-insensitive content types.

Validation

  • pnpm check:ci
  • VITE_TEMPO_NETWORK=none pnpm check:types
  • VITE_TEMPO_NETWORK=none pnpm vp test --project node src/client/internal/protocols/Mcp.test.ts src/client/Transport.test.ts
  • VITE_TEMPO_NETWORK=none pnpm vp test --project node src/client/internal/Fetch.test.ts -t "combined MPP|MCP-over-HTTP|Request input|native HTTP 402|JSON-RPC payment|PAYMENT-REQUIRED"
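
The detection and parsing hardening listed in the summary can be sketched as follows. This is an added example, not code from this PR or from mppx: `isMcpPaymentRequired`, its helpers and the sample inputs are hypothetical names and constructed data, and matching the response `id` against the id of the request that was sent is this example's own assumption about what a caller should check.

```typescript
// Added example (not code from the PR). -32042 is the code named in the PR summary.
const PAYMENT_REQUIRED = -32042;

// Media type without parameters, lower-cased, so "Text/Event-Stream; charset=utf-8" matches.
function mediaType(contentType: string | null): string {
  const [type = ""] = (contentType ?? "").split(";");
  return type.trim().toLowerCase();
}

// Joined data: lines of the first SSE event that carries data; ":" comment lines are skipped.
function firstSseData(body: string): string | null {
  for (const block of body.split(/(?:\r\n|\r|\n){2,}/)) {
    const data = block
      .split(/\r\n|\r|\n/)
      .filter((line) => line.startsWith("data:"))
      .map((line) => line.slice(5).replace(/^ /, ""));
    if (data.length > 0) return data.join("\n");
  }
  return null;
}

function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// True only for a well-formed JSON-RPC 2.0 error response with code -32042.
// Assumption of this example: the caller passes the id of the request it sent.
function isMcpPaymentRequired(contentType: string | null, body: string, requestId: string | number): boolean {
  const type = mediaType(contentType);
  if (type !== "application/json" && type !== "text/event-stream") return false;
  const text = type === "application/json" ? body : firstSseData(body);
  if (text === null) return false;
  let message: unknown;
  try {
    message = JSON.parse(text);
  } catch {
    return false; // truncated or non-JSON payload is never a payment offer
  }
  if (!isRecord(message) || message.jsonrpc !== "2.0") return false;
  if ("result" in message || "method" in message) return false; // not a pure error response
  if (message.id !== requestId) return false; // answers some other request
  const error = message.error;
  return isRecord(error) && error.code === PAYMENT_REQUIRED && typeof error.message === "string";
}

// Constructed sample inputs.
const SAMPLE_ERROR = '{"jsonrpc":"2.0","id":7,"error":{"code":-32042,"message":"Payment Required"}}';
const SAMPLE_SSE = `: keep-alive\n\nevent: message\ndata: ${SAMPLE_ERROR}\n\n`;
```

Batch arrays, responses that carry both `result` and `error`, string-typed codes and mismatched ids all return `false`, so none of them would reach a payment retry.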

@pkg-pr-new

pkg-pr-new Bot commented Jun 18, 2026


npm i https://pkg.pr.new/mppx@567

commit: ac52a12

@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch from 6423f4a to bd3001d Compare June 18, 2026 06:17
Comment thread src/client/internal/McpChallengeBrand.ts Outdated
Comment thread src/client/Transport.ts Outdated
@parvahuja parvahuja marked this pull request as ready for review June 18, 2026 06:27
@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch 2 times, most recently from 141429a to e28e494 Compare June 18, 2026 22:42
@parvahuja parvahuja marked this pull request as draft June 18, 2026 22:42
@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch from e28e494 to 0337a82 Compare June 18, 2026 22:59
Comment thread src/client/internal/adapters/Mcp.ts Outdated
Comment thread src/client/internal/adapters/Mpp.ts Outdated
@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch 10 times, most recently from bfcd9c1 to e8df79b Compare June 19, 2026 23:35
@parvahuja parvahuja marked this pull request as ready for review June 20, 2026 00:30

@brendanjryan brendanjryan left a comment

Collaborator


One comment, but otherwise LGTM

Comment thread src/client/internal/protocols/Mcp.ts
Comment thread src/client/internal/protocols/Mcp.ts
@tempoxyz-bot

tempoxyz-bot commented Jun 20, 2026


👁️ Cyclops Security Review

e8df79b

🧭 Audit failed · mode=normal · workers 0/2 done (0 left, 2 failed) · verify pending 0

| Worker | Engine | Latest Status | Status |
| --- | --- | --- | --- |
| pr-567-w1 | claude-opus-4-8 | 🚨 Iteration 3 · Verify | Failed |
| pr-567-w2 | gpt-5.5 | ⏰ Iteration 3 · Audit | Timed out |

Findings

| # | Finding | Severity | Status |
| --- | --- | --- | --- |
| 1 | MCP payment-aware fetch pays JSON-RPC responses the MCP SDK would ignore | Medium | Iteration 1 · Verify |
| 2 | Fetch-level MCP settlement bypasses McpClient approval hooks | Medium | Iteration 2 · Verify |
| 3 | MCP-over-HTTP body pre-read in isPaymentRequired deadlocks the upstream MCP SDK's streaming SSE consumer (client hang + unbounded memory) | Medium | Iteration 2 · Verify |
| 4 | Over-broad MCP JSON-RPC detection drags non-MCP RPC traffic (viem/Ethereum RPC) into the auto-pay flow via the global fetch polyfill | Medium | Iteration 3 · Verify |

⚙️ Controls
  • 🚀 Keep only 1 remaining iteration per worker after the current work finishes.
  • 👀 Keep only 2 remaining iterations per worker after the current work finishes.
  • ❤️ Let only worker 1 continue; other workers skip queued iterations.
  • 😄 Let only worker 2 continue; other workers skip queued iterations.
  • 🎉 End faster by skipping queued iterations and moving toward consolidation.
  • 😕 Stop active workers/verifiers now and start consolidation immediately.

📜 26 events

🔍 pr-567-w1 iter 1/3 [audit-general.md]
🔍 pr-567-w2 iter 1/3 [audit-ripple.md]
🚨 pr-567-w2 iter 1 — finding
🚨 Finding: MCP payment-aware fetch pays JSON-RPC responses the MCP SDK would ignore (Medium)
🔍 pr-567-w2 iter 2/3 [audit-ripple.md]
🔬 Verifying: MCP payment-aware fetch pays JSON-RPC responses the MCP SDK would ignore
📋 Verify: MCP payment-aware fetch pays JSON-RPC responses the MCP SDK would ignore → ✅ Verified
🚨 pr-567-w2 iter 2 — finding
🚨 Finding: Fetch-level MCP settlement bypasses McpClient approval hooks (Medium)
🔍 pr-567-w2 iter 3/3 [audit-invariants.md]
🔬 Verifying: Fetch-level MCP settlement bypasses McpClient approval hooks
📋 Verify: Fetch-level MCP settlement bypasses McpClient approval hooks → ✅ Verified
pr-567-w1 iter 1 — timeout
🔍 pr-567-w1 iter 2/3 [audit-ripple.md]
🚨 pr-567-w1 iter 2 — finding
🚨 Finding: MCP-over-HTTP body pre-read in isPaymentRequired deadlocks the upstream MCP SDK's streaming SSE consumer (client hang + unbounded memory) (Medium)
🔍 pr-567-w1 iter 3/3 [audit-ripple.md]
🔬 Verifying: MCP-over-HTTP body pre-read in isPaymentRequired deadlocks the upstream MCP SDK's streaming SSE consumer (client hang + unbounded memory)
📋 Verify: MCP-over-HTTP body pre-read in isPaymentRequired deadlocks the upstream MCP SDK's streaming SSE consumer (client hang + unbounded memory) → ✅ Verified
🚨 pr-567-w1 iter 3 — finding
🚨 Finding: Over-broad MCP JSON-RPC detection drags non-MCP RPC traffic (viem/Ethereum RPC) into the auto-pay flow via the global fetch polyfill (Medium)
🔬 Verifying: Over-broad MCP JSON-RPC detection drags non-MCP RPC traffic (viem/Ethereum RPC) into the auto-pay flow via the global fetch polyfill
📋 Verify: Over-broad MCP JSON-RPC detection drags non-MCP RPC traffic (viem/Ethereum RPC) into the auto-pay flow via the global fetch polyfill → ✅ Verified
pr-567-w1 failed — one or more audit iterations failed
pr-567-w2 iter 3 — timeout
pr-567-w2 failed — one or more audit iterations failed

@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch 2 times, most recently from 6465097 to abc576f Compare June 22, 2026 18:05
@parvahuja parvahuja marked this pull request as draft June 22, 2026 18:50
@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch from 1ab6eac to 402e170 Compare June 22, 2026 19:29
@parvahuja parvahuja marked this pull request as ready for review June 22, 2026 19:29
Comment thread src/client/internal/protocols/Mcp.ts
Compose the HTTP transport from MPP, x402, and MCP-over-HTTP protocol handlers.

Collect every payment offer from HTTP responses and route retry credentials through the protocol that produced the selected challenge.

Detect MCP JSON-RPC -32042 responses at the fetch boundary, including first SSE events, and preserve Request-carried bodies for retries.
@parvahuja parvahuja force-pushed the parv/payment-aware-fetch branch from 402e170 to ac52a12 Compare June 22, 2026 20:27
3 participants