- Make the Tempo skill credits flow easier to discover by surfacing credit usage and first-time funding guidance more prominently. (by @alexrisch, #501)
- Update the credits funding handoff URL to use the fund action with a credits intent. (by @alexrisch, #499)
- Added TIP-1034 Tempo session client support, including descriptor-backed channel persistence, session reuse, top-ups, SSE voucher updates, and cooperative close handling while preserving legacy session compatibility. (by @alexrisch, #494)
- Exposed service credit support in wallet service discovery output, allowed filtering for credit-capable services, fixed credits transfer dry runs to avoid redeem submission, and documented the MPP Credits workflow. (by @alexrisch, #495, #496)
- Add wallet CLI support for checking and spending Coinflow credits, and update shared signer handling so wallet flows can emit the expected Tempo signature format for these transactions. (by @alexrisch, #471)
- Fix v0.4.3 wallet regressions by sending auth
chainIdin the backend-compatible hex/camelCase shape and by preventing transient key spending-limit preflight failures from forcing an already-provisioned access key through registration again. (by @Kartik, #485) - Pin the
mppSDK to tempoxyz/mpp-rs@8ba7631 while the 0.10.5 publish is pending.
- Add the standalone
tempo-cardsextension for wallet-backed card configuration, customer management, approvals, and provider-backed card workflows. (by @letstokenize, #480) - Preserve both halves of an oversized session channel log scan when an RPC requires a smaller
eth_getLogsrange, avoiding skipped upper-half ranges during wallet session recovery. (by @EfeBaranDurmaz, #462) - Pass the selected login network through wallet authentication requests so testnet CLI logins stay on testnet instead of falling back to mainnet browser state. (by @BrendanRyan, #456)
- Fixed
tempo requestfailing on 402 responses that offer multipletempo-method payment challenges (e.g. moderato + mainnet on the same endpoint). The CLI now decodes every offered challenge and picks the first one the wallet can actually satisfy — matching--network(when set) and the keystore's(chain_id, currency). When no challenge matches, a newNoCompatibleChallengeerror lists the offered and held options and suggeststempo wallet fund/tempo wallet logininstead of failing later with a cryptic "No key configured" message. (by @BrendanRyan, #477) - Redact query parameters from paid-success analytics events so payment flows do not report URL secrets after a 402 challenge succeeds. (by @DimitryFiuse, #458)
- Bump posthog-rs 0.5.0 → 0.5.3 (drops reqwest 0.11/rustls 0.21 chain), remove stale advisory ignores, add dependabot update grouping.
- Surface access-key spending limit reverts returned by Tempo RPC as a specific wallet error with guidance to refresh or re-authorize the spending limit.
- Preserve both the MPP client attribution ID and the configured signing mode when handling zero-amount charge payments.
- Pin all GitHub Actions to commit SHAs, fix template injection in CI workflows, scope permissions per-job, replace curl|sh with checksum-verified binary download, add Dependabot cooldown, and suppress unfixable transitive advisories in deny.toml.
- Pass
signing_modetoTempoProviderin the zero-amount charge path, matching the paid charge path. Without this, the provider defaults to Direct mode and ignores keychain configuration.
- Added zero-amount proof credential support for identity flows. When a server issues a charge challenge with
amount="0", the wallet now signs an EIP-712 proof credential instead of building an on-chain transaction, enabling authentication without moving funds. UpgradedmppSDK to v0.9.0.
- Fix gas estimation failure when
feePayer: trueby using the real fee token address foreth_estimateGasinstead of the zero address. The final signed transaction still usesAddress::ZEROfor server-side sponsor co-signing.
- Upgraded
mppSDK to v0.8.3, adding support for split payments. Charges withsplitsin the 402 challenge are now handled transparently via multi-transfer AA transactions.
- Add a remote-host-friendly
--no-browserpath fortempo wallet loginandtempo wallet fund, including CLI guidance that agents can relay to a user approving wallet actions from another device.
- Bump to the latest
mpp-rsmain, including upstream security fixes for payment bypass, replay, fee-payer manipulation, and session/channel griefing vulnerabilities across Tempo and Stripe flows. The update also refreshes the Tempo client dependency graph and switches Tempo gas estimation to a request-based API while preserving existing wallet/request behavior. - Stabilize voucher HEAD fallback tests by serializing cases that share a process-global unsupported-origin cache.
- Preserve non-2xx response bodies when fetching the service directory so CLI errors include upstream details instead of only the HTTP status.
- Add
chain_idtotempo wallet transferoutput and render submitted transaction hashes as explorer hyperlinks, with a plain URL fallback when terminal hyperlinks are unsupported.
- Add
tempo wallet refreshto refresh passkey/access-key authorization without a full relogin, including improved login/refresh command flow and validation messaging for expired or stale authorizations. - Enforce strict session
Payment-Receipthandling across all session flows, including reused persisted sessions that were previously permissive: reject successful paid responses that omit or malformedly encode receipts, require validspentsemantics for response/header/event receipts, preserve conservative local channel state when strict top-up receipt validation fails after a paid response, and extend integration coverage for strict open/top-up/streaming receipt failure paths.
- Add
--max-spend/TEMPO_MAX_SPENDhard cap for cumulative session spend, enforced at challenge time, on session reuse, at channel open, and during streaming top-ups. Also reconcile on-chain channel state after cooperative-close 5xx failures before falling back to payer-side close, and fix session reuse to reject candidates from a different origin. - Track server-reported
Payment-Receipt.spentfor session state and use it as the close target instead of the payer-signed cumulative ceiling. This adds persistedserver_spentsupport and updates request/session close flows so cooperative close settles the amount the server actually reports as spent. - Fix session top-up which was completely broken due to five compounding bugs: ABI mismatch (topUp used uint128 instead of uint256 producing wrong function selector), voucher cumulative amount was incorrectly clamped to available balance preventing top-up from ever triggering, AmountExceedsDeposit problem type was not handled alongside InsufficientBalance, stale challenge echo was used for top-up requests causing server rejection, and missing requiredTopUp field in server response caused a hard failure instead of computing the value from local state. Also signals ChannelInvalidated when on-chain top-up fails so the caller can re-open a new channel.
- Added
help_heading = "Network"to the--networkCLI argument for improved help output organization. - Only purge local credentials/session state for inactive access-key errors after confirming key state on-chain. This prevents destructive cleanup on transient or misclassified failures and improves error classification for charge/session payment paths.
- Fix hyperlink sanitization tests to correctly extract and validate only the display text portion of OSC 8 hyperlink sequences, preventing false failures in OSC 8-capable terminals.
- Harden paid session SSE handling for real-world providers by improving retry/stream behavior and session state synchronization across open, voucher, and streaming flows. This reduces false failures and makes strict payment processing more resilient to provider response quirks.
- Improve
tempo wallet sessions closeoutput by printing a blank line before per-channel progress logs for better readability during multi-session close operations. - Slim the service list schema to replace full endpoint details with an
endpoint_countfield, reducing payload size. Adds a test to enforce the summary-only structure.
- Remove hardcoded credentials and tokens from default RPC URLs, auth URLs, and services API URL. Unhide the
--networkCLI flag and update its help text. Improve changelog generation by embedding full format instructions in the AI prompt. - Adds an
accepted_cumulativefield toChannelRecordto track the server-confirmed accepted amount separately from the payer-signed ceiling (cumulative_amount). Cooperative close now uses the accepted amount instead of the signing ceiling to avoid overcharging the payer, with a DB migration and monotonic update logic throughout the storage and request layers. - Fix cooperative session close by selecting the correct WWW-Authenticate challenge when the proxy returns multiple headers (charge and session intents). Parse problem+json error details from close failures to surface actionable messages instead of generic errors.
- Improve close command progress output: add status messages when closing local sessions, sessions by URL, and orphaned channels, and refactor
finalize_closed_channelsto use iterator filtering with a count message before finalizing.
- Improve open-source readiness across docs and metadata: fix contributor setup instructions, replace dead example links, add a security policy document, and refresh the root README structure.
- Remove embedded routing/rate-limit tokens from built-in Tempo default RPC and wallet auth URLs, using token-free base endpoints instead.
- Tighten charge payment provisioning retry to only fire on auth/payment (401–403) and server error (5xx) status codes, avoiding wasteful retries on unrelated API errors like 400 body validation. Show full server response body in payment rejection errors instead of extracting a single JSON field. Ensure all retry paths surface the original error on retry failure.
- Fix charge payment failing with "access key does not exist" when the signing key is not yet provisioned on-chain. The server-side rejection retry only triggered on HTTP 401-403, but the server returns other status codes for keychain errors.
- Fix charge payment failing with "access key does not exist" when the signing key is not yet provisioned on-chain. The server-side rejection retry only triggered on HTTP 401-403, but the server returns other status codes for keychain errors.
- Persist channel state when channel open fails to prevent orphaned on-chain funds.
- When the open transaction is sent to the server but the server returns an error, the channel may already exist on-chain. Previously the channel state was lost, making the deposited funds unrecoverable. Now the channel record is persisted before returning the error, so future runs can discover and close it.
- Fix session deposit and key-auth retry error handling.
- Preserve original error when key-authorization retry also fails, instead of showing misleading retry errors (e.g.
KeyAlreadyExists). - Ensure session deposit covers at least the per-request cost, preventing channels from opening with insufficient funds.
- Fail early before opening a channel if wallet balance is too low to cover the request cost.
- Removed the "all" amount option from the transfer command, along with the associated
query_balancehelper andbalanceOfinterface method. Theresolve_amountfunction is now synchronous. - Migrated the
fundcommand to a browser-based flow, replacing the previous faucet/bridge implementations with a simple browser-open + balance polling approach. Added network name aliases (mainnet,testnet,moderato) forNetworkIdparsing, removed theqrcodedependency, updated install paths from~/.local/binto~/.tempo/bin, and removed--no-waitand--dry-runflags from the fund command.
- Simplified optimistic key provisioning by removing the
query_key_statusandprepare_provisioning_retryfunctions, instead retrying directly withwith_key_authorization()on any error. Added support for mergedWWW-Authenticatechallenges (RFC 9110 §11.6.1) by splitting and selecting the first supported payment method. Fixedlist_channelsto exclude localhost origins and removed the realm-vs-origin validation check.