Skip to content

feat: add Stripe payment method (SPT charge intent)#97

Open
brendanjryan wants to merge 11 commits intomainfrom
feat/stripe-payment-method
Open

feat: add Stripe payment method (SPT charge intent)#97
brendanjryan wants to merge 11 commits intomainfrom
feat/stripe-payment-method

Conversation

@brendanjryan
Copy link
Copy Markdown
Collaborator

@brendanjryan brendanjryan commented Mar 23, 2026
edited
Loading

Summary

Adds Stripe payment method support to pympp, mirroring the mppx TypeScript implementation.

Key design decisions

  • SPT flow: Uses Stripe's Shared Payment Token (private preview), matching mppx exactly
  • Duck-typed client: Supports both client.v1.payment_intents (stripe-python v8+) and client.payment_intents (legacy) via _resolve_payment_intents()
  • Two verification paths: Stripe SDK client or raw httpx POST to api.stripe.com
  • Idempotency key: mppx_{challenge_id}_{spt} — matches TypeScript SDK for cross-SDK consistency
  • Analytics metadata: Injects mpp_version, mpp_is_mpp, mpp_intent, etc. on every PaymentIntent
  • transform_request hook: Injects networkId and paymentMethodTypes into challenge methodDetails
  • Error classes: Uses VerificationFailedError (RFC 9457 Problem Details) instead of plain VerificationError
  • Shared DEFAULT_TIMEOUT: Extracted to mpp._defaults — used by both Stripe and Tempo methods

Usage

# Server
from mpp.server import Mpp
from mpp.methods.stripe import stripe, ChargeIntent

server = Mpp.create(
    method=stripe(
        network_id="bn_...",
        payment_method_types=["card"],
        currency="usd",
        decimals=2,
        intents={"charge": ChargeIntent(secret_key="sk_...")},
    ),
)

# Client
from mpp.methods.stripe import stripe

method = stripe(
    create_token=my_spt_proxy,
    payment_method="pm_card_visa",
    intents={},
)

Files

File Purpose
src/mpp/_defaults.py Shared DEFAULT_TIMEOUT constant
src/mpp/methods/stripe/__init__.py Package exports
src/mpp/methods/stripe/_defaults.py Stripe API base URL
src/mpp/methods/stripe/client.py Client-side credential creation (SPT flow)
src/mpp/methods/stripe/intents.py Server-side verification (PaymentIntent)
src/mpp/methods/stripe/schemas.py Pydantic schemas
tests/test_stripe.py 44 tests covering all paths
examples/stripe/ Working example (server + headless client)

mppx parity guards

  • Rejects metadata.externalId in challenge (reserved for credential payload)
  • Requires networkId in challenge.methodDetails
  • Surfaces Stripe error details (message/code) in raw HTTP path exceptions

Test coverage (44 tests)

  • Schema validation (payload, request, method details)
  • Client credential creation (happy path, external ID, missing fields)
  • Server verification (SDK client, modern v1 client, expiry, action required, failed status)
  • Raw HTTP path (success, Stripe error parsing, non-JSON errors, metadata form encoding)
  • Analytics metadata and idempotency key format
  • Async context manager lifecycle (owned vs injected client)
  • Factory defaults and parameter validation

Example (verified working)

examples/stripe/ contains a pay-per-fortune server + headless client using pm_card_visa. Tested end-to-end against Stripe test mode:

Client → GET /api/fortune → 402
Client → POST /api/create-spt → spt_... created
Client → GET /api/fortune + credential → pi_... succeeded → 🥠 fortune

brendanjryan and others added 8 commits March 23, 2026 13:02
@brendanjryan
feat: add Stripe payment method (SPT charge intent)
bb5977c 
Adds Stripe payment method support to pympp, mirroring the TypeScript
mppx implementation:

- StripeMethod client with create_token callback for SPT creation
- ChargeIntent server with Stripe SDK client or raw secret_key paths
- Pydantic schemas for ChargeRequest and StripeCredentialPayload
- transform_request hook for injecting networkId/paymentMethodTypes
- MPP analytics metadata on every PaymentIntent (mpp_version, etc.)
- Idempotency key format matching mppx: mppx_{challengeId}_{spt}
- 29 tests covering schemas, client, server, and factory
@github-actions
chore: add changelog
72e7e94
@brendanjryan
fix: address code review findings for Stripe payment method
45366e7 
- Fix Stripe SDK client shape: support both client.v1.payment_intents
  (stripe-python v8+) and client.payment_intents (legacy/custom)
- Add metadata.externalId rejection in create_credential (mppx parity)
- Require networkId in challenge.methodDetails (mppx parity)
- Use VerificationFailedError instead of VerificationError for proper
  RFC 9457 Problem Details support
- Surface Stripe error details in raw HTTP path instead of generic msg
- Remove unused secret_key param from stripe() factory
- Fix docstring examples: clients don't need secret keys
- Convert OnChallengeParameters to frozen dataclass for consistency
- Remove fragile hasattr(__await__) sync/async detection
- Pass request body as first positional arg (Stripe SDK convention)
- Add tests: raw HTTP path, modern v1 client, async lifecycle,
  networkId guard, metadata.externalId rejection, factory param removal
  (44 tests, up from 29)
@brendanjryan
fix: resolve lint errors (import sorting, unused imports, blind excep…
3acfde5 
…tions)
@brendanjryan
fix: use Any for client param to satisfy pyright type checks
058b959 
The StripeClient protocol was too strict for pyright's invariance
checking on mutable attributes. Since _resolve_payment_intents()
handles duck-type dispatch at runtime, the type annotation can
safely be Any.
@brendanjryan
refactor: extract DEFAULT_TIMEOUT to shared mpp._defaults
2e156a8 
Consolidates the 3 duplicate DEFAULT_TIMEOUT = 30.0 constants from
tempo/intents.py, tempo/_rpc.py, and stripe/intents.py into a single
shared mpp._defaults module.
@brendanjryan
feat: add Stripe example (server + headless client)
a868d28 
Pay-per-fortune example demonstrating the full SPT flow:
- FastAPI server with /api/create-spt proxy and /api/fortune gated endpoint
- Headless CLI client using pm_card_visa test card
- Mirrors the mppx examples/stripe/ structure
@brendanjryan
fix: stripe example - remove seller_details param, add error handling
2e713e9 
seller_details[network_id] is only for Stripe Business Network accounts.
Skip it for standard accounts so the SPT endpoint works universally.
@brendanjryan brendanjryan mentioned this pull request Mar 24, 2026
Merged
@decofe decofe mentioned this pull request Mar 24, 2026
Merged
@brendanjryan brendanjryan added the cyclops Trigger Cyclops PR audit label Mar 25, 2026
@brendanjryan
fix: reject replayed Stripe credentials via Idempotent-Replayed header
68f418a 
Mirrors the safeguard from wevm/mppx-private#25. Both the SDK client
path and raw HTTP path now check Stripe's 'idempotent-replayed' header
and raise VerificationFailedError when a credential is replayed.

Ref: https://docs.stripe.com/error-low-level#idempotency
@brendanjryan brendanjryan added cyclops Trigger Cyclops PR audit and removed cyclops Trigger Cyclops PR audit labels Mar 26, 2026
@brendanjryan brendanjryan added cyclops Trigger Cyclops PR audit and removed cyclops Trigger Cyclops PR audit labels Mar 27, 2026
@tempoxyz-bot
Copy link
Copy Markdown

tempoxyz-bot commented Mar 27, 2026
edited
Loading

👁️ Cyclops Security Review

68f8a60

🧭 Auditing · mode=normal · workers 2/3 done (1 left) · verify pending 1

Worker Engine Progress Status
pr-97-w1 gemini-3.1-pro-preview 🚨 thread-1 🚨 thread-2 ✅ thread-3 Done
pr-97-w2 amp/deep 🚨 thread-1 🚨 thread-2 🚨 thread-3 Done
pr-97-w3 gpt-5.4 🚨 thread-1 🔍 thread-2 · Running

Findings

# Finding Severity Verification Threads
1 Untrusted Client Payload Bypasses HMAC for Receipt external_id (Order Spoofing) & Misuse of Stripe Idempotency Breaks Network Retries Critical ✅ Verified audit · verify
2 paymentMethodTypes is challenge-bound but never enforced Medium ✅ Verified audit · verify
3 Stripe Payment Method Silently Ignores recipient and paymentMethodTypes, Breaking Marketplace Fund Routing and Risk Policies High ⚠️ Partial audit · verify
4 Stripe recipient is HMAC-bound but never mapped to Stripe settlement Medium ⏩ Dup audit · verify
5 Replay protection is bypassed for documented custom Stripe clients with case-sensitive response headers High ✅ Verified audit · verify
6 Stripe networkId is challenge-bound but never enforced Medium ⏳ Pending audit
⚙️ Controls
  • 🚀 Keep only 1 remaining iteration per worker after the current work finishes.
  • 👀 Keep only 2 remaining iterations per worker after the current work finishes.
  • ❤️ Let only worker 1 continue; other workers skip queued iterations.
  • 😄 Let only worker 2 continue; other workers skip queued iterations.
  • 🎉 End faster by skipping queued iterations and moving toward consolidation.
  • 😕 Stop active workers/verifiers now and start consolidation immediately.
📜 34 events

🔍 pr-97-w1 iter 1/3 [audit-ripple.md]
🔍 pr-97-w2 iter 1/3 [audit-focused.md]
🔍 pr-97-w3 iter 1/3 [audit-deep-focus.md]
🚨 pr-97-w1 iter 1 — finding | Thread
🚨 Finding: Untrusted Client Payload Bypasses HMAC for Receipt external_id (Order Spoofing) & Misuse of Stripe Idempotency Breaks Network Retries (Critical) | Thread
🔍 pr-97-w1 iter 2/3 [audit-historical.md]
🔬 Verifying: Untrusted Client Payload Bypasses HMAC for Receipt external_id (Order Spoofing) & Misuse of Stripe Idempotency Breaks Network Retries | Thread
📋 Verify: Untrusted Client Payload Bypasses HMAC for Receipt external_id (Order Spoofing) & Misuse of Stripe Idempotency Breaks Network Retries → ✅ Verified | Thread
🚨 pr-97-w2 iter 1 — finding | Thread
🚨 Finding: paymentMethodTypes is challenge-bound but never enforced (Medium) | Thread
🔍 pr-97-w2 iter 2/3 [audit-ripple.md]
🔬 Verifying: paymentMethodTypes is challenge-bound but never enforced | Thread
🚨 pr-97-w1 iter 2 — finding | Thread
🚨 Finding: Stripe Payment Method Silently Ignores recipient and paymentMethodTypes, Breaking Marketplace Fund Routing and Risk Policies (High) | Thread
🔍 pr-97-w1 iter 3/3 [audit-focused.md]
🔬 Verifying: Stripe Payment Method Silently Ignores recipient and paymentMethodTypes, Breaking Marketplace Fund Routing and Risk Policies | Thread
📋 Verify: paymentMethodTypes is challenge-bound but never enforced → ✅ Verified | Thread
📋 Verify: Stripe Payment Method Silently Ignores recipient and paymentMethodTypes, Breaking Marketplace Fund Routing and Risk Policies⚠️ Partial | Thread
pr-97-w1 iter 3 — clear | Thread
🏁 pr-97-w1 done
🚨 pr-97-w2 iter 2 — finding | Thread
🚨 Finding: Stripe recipient is HMAC-bound but never mapped to Stripe settlement (Medium) | Thread
🔍 pr-97-w2 iter 3/3 [audit-historical.md]
🔬 Verifying: Stripe recipient is HMAC-bound but never mapped to Stripe settlement | Thread
📋 Verify: Stripe recipient is HMAC-bound but never mapped to Stripe settlement → ⏩ Dup | Thread
🚨 pr-97-w3 iter 1 — finding | Thread
🚨 Finding: Replay protection is bypassed for documented custom Stripe clients with case-sensitive response headers (High) | Thread
🔍 pr-97-w3 iter 2/3 [audit-focused.md]
🔬 Verifying: Replay protection is bypassed for documented custom Stripe clients with case-sensitive response headers | Thread
🚨 pr-97-w2 iter 3 — finding | Thread
🚨 Finding: Stripe networkId is challenge-bound but never enforced (Medium) | Thread
🏁 pr-97-w2 done
🔬 Verifying: Stripe networkId is challenge-bound but never enforced | Thread
📋 Verify: Replay protection is bypassed for documented custom Stripe clients with case-sensitive response headers → ✅ Verified | Thread

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cyclops Trigger Cyclops PR audit

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brendanjryan @tempoxyz-bot