solana-foundation · lgalabru · Jun 15, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/harness/src/intents/charge.ts b/harness/src/intents/charge.ts
@@ -324,6 +324,12 @@ export const chargeScenarios: readonly HarnessScenario[] = [
     // can drive a 9-split request through the env-only path, so this
     // is typescript-client only. Splits are intentionally tiny so the
     // sum stays well under amount.
+    //
+    // Rust audit #21 promoted this from a runtime-reject to a
+    // refuse-to-boot at server startup. The harness has no notion of
+    // "expected startup failure" yet, so rust is excluded from this
+    // scenario via serverIds — re-include it when the harness gains a
+    // way to assert on adapter-exit-before-readiness.
     id: "charge-splits-too-many",
     intent: "charge",
     network: "localnet",
@@ -333,6 +339,7 @@ export const chargeScenarios: readonly HarnessScenario[] = [
     resourcePath: "/protected/splits-too-many",
     settlementHeader: "x-fixture-settlement",
     clientIds: ["typescript"],
+    serverIds: ["typescript", "php", "ruby", "go", "python", "lua"],
     splits: [
       { recipientKey: "platform", amount: "1" },
       { recipientKey: "platform", amount: "1" },

diff --git a/harness/test/e2e.test.ts b/harness/test/e2e.test.ts
@@ -281,7 +281,10 @@ beforeAll(async () => {
     MPP_HARNESS_NETWORK: baseScenario.network,
     MPP_HARNESS_MINT: baseScenario.asset,
     MPP_HARNESS_PRICE: baseScenario.price,
-    MPP_HARNESS_SECRET_KEY: "mpp-harness-secret-key",
+    // Rust audit #24 requires ≥32-byte HMAC secrets (NIST SP 800-107 for
+    // HMAC-SHA256). Padded with `-pad` to clear the threshold without
+    // changing the test's intent.
+    MPP_HARNESS_SECRET_KEY: "mpp-harness-secret-key-with-32b-pad",
     MPP_HARNESS_PAY_TO: payTo.publicKey,
     MPP_HARNESS_CLIENT_SECRET_KEY: JSON.stringify(Array.from(client.secretKey)),
     MPP_HARNESS_FEE_PAYER_SECRET_KEY: JSON.stringify(
@@ -593,7 +596,8 @@ describe("mpp harness", () => {
             const envA = environmentForScenario(harnessEnv, scenario);
             const envB = {
               ...environmentForScenario(harnessEnv, scenario),
-              MPP_HARNESS_SECRET_KEY: "mpp-harness-secret-key-server-b",
+              // Rust audit #24: 32-byte minimum.
+              MPP_HARNESS_SECRET_KEY: "mpp-harness-secret-key-server-b-pad",
             };
             const a = await startServer(serverA, envA);
             runningServers.push(a);

diff --git a/rust/AUDIT-ASSESSMENT.md b/rust/AUDIT-ASSESSMENT.md
diff --git a/rust/crates/mpp/examples/payment_link_server.rs b/rust/crates/mpp/examples/payment_link_server.rs
@@ -17,15 +17,27 @@ use std::collections::HashMap;
 use std::sync::Arc;
 
 const ROUTE_PRICE: &str = "0.01";
+const ROUTE_DESCRIPTION: &str = "Open a fortune cookie";
 
 /// Build the route's expected charge request. Threading this into
 /// `verify_credential_with_expected` is what protects against cross-route
 /// credential replay — without it, a credential issued for a cheaper route
 /// (or different recipient/currency) on the same server would be accepted.
+///
+/// Important: the options here MUST match the options used when the route
+/// issues its user-facing challenge. Audit #1 compares every
+/// payment-constraining field (including description), so a mismatch here
+/// would reject every honest credential.
 fn expected_request_for_route(mpp: &Mpp) -> Option<ChargeRequest> {
-    mpp.charge(ROUTE_PRICE)
-        .ok()
-        .and_then(|challenge| challenge.request.decode().ok())
+    mpp.charge_with_options(
+        ROUTE_PRICE,
+        solana_mpp::server::ChargeOptions {
+            description: Some(ROUTE_DESCRIPTION),
+            ..Default::default()
+        },
+    )
+    .ok()
+    .and_then(|challenge| challenge.request.decode().ok())
 }
 
 const CSP: &str = "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src *; worker-src 'self'";
@@ -85,12 +97,13 @@ async fn fortune(
             .into_response();
     }
 
-    // Generate challenge.
+    // Generate challenge. Options here must match `expected_request_for_route`
+    // exactly — audit #1 compares every payment-constraining field.
     let challenge = mpp
         .charge_with_options(
             ROUTE_PRICE,
             solana_mpp::server::ChargeOptions {
-                description: Some("Open a fortune cookie"),
+                description: Some(ROUTE_DESCRIPTION),
                 ..Default::default()
             },
         )

diff --git a/rust/crates/mpp/src/bin/harness_server.rs b/rust/crates/mpp/src/bin/harness_server.rs
@@ -56,7 +56,9 @@ use solana_mpp::{
 const DEFAULT_RESOURCE_PATH: &str = "/protected";
 const HEALTH_PATH: &str = "/health";
 const DEFAULT_PRICE: &str = "0.001";
-const DEFAULT_SECRET_KEY: &str = "mpp-harness-secret-key";
+// Audit #24: ≥32 bytes for HMAC-SHA256 keys. Pad to keep the harness
+// default usable when no MPP_HARNESS_SECRET_KEY is set in the env.
+const DEFAULT_SECRET_KEY: &str = "mpp-harness-secret-key-with-32b-pad";
 const DEFAULT_SETTLEMENT_HEADER: &str = "x-fixture-settlement";
 const DEFAULT_TOKEN_DECIMALS: u8 = 6;
 
@@ -144,6 +146,11 @@ fn read_state() -> Result<HarnessState, Box<dyn std::error::Error + Send + Sync>
         _ => DEFAULT_TOKEN_DECIMALS,
     };
     let splits = read_splits()?;
+    // Refuse to boot with invalid splits (audit #21). The harness
+    // misconfig scenario depends on this — every server SDK should
+    // reject the misconfig consistently, and refusing to start is the
+    // earliest possible signal.
+    solana_mpp::protocol::solana::validate_splits(&splits)?;
 
     Ok(HarnessState {
         mpp: Mpp::new(Config {
@@ -158,6 +165,9 @@ fn read_state() -> Result<HarnessState, Box<dyn std::error::Error + Send + Sync>
             fee_payer_signer: if push_mode { None } else { Some(fee_payer) },
             store: None,
             html: false,
+            // Interop tests exercise push mode end-to-end; the gate is
+            // opt-in (audit #5) so we set it explicitly here.
+            accept_push_mode: push_mode,
         })?,
         price,
         push_mode,

diff --git a/rust/crates/mpp/src/client/authenticate.rs b/rust/crates/mpp/src/client/authenticate.rs
@@ -193,13 +193,15 @@ mod tests {
             currency: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v".into(),
             decimals: 6,
             network: "mainnet".into(),
-            challenge_binding_secret: Some("test-secret".into()),
+            // ≥32 bytes to satisfy the audit #24 secret-length check at Mpp::new.
+            challenge_binding_secret: Some("test-secret-key-for-authenticate-32b-pad".into()),
             ..Default::default()
         })
         .expect("mpp")
         .charge_challenge(&crate::ChargeRequest {
             amount: "1000".into(),
             currency: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v".into(),
+            recipient: Some(signer.pubkey().to_string()),
             ..Default::default()
         })
         .expect("charge challenge");