feat(go): mpp/session client and server + playground-api example

[EfeDurmaz16]

feat(go): mpp/session client and server

Comprehensive mpp/session support for the Go SDK, rebased onto main after #165 and aligned with the rewritten skills/pay-sdk-implementation/references/intents/mpp-session.md. The Rust crate (rust/crates/mpp/src) is the wire truth throughout; the TypeScript implementation merged in #165 is the second reference. This PR ships both halves of the intent: the client surface and the full server-side session method, plus a Go port of the playground API example.

What this adds

Wire and program layer:

• Session wire types (SessionRequest, the tagged SessionAction union, OpenPayload, VoucherData/SignedVoucher, CommitPayload/CommitReceipt, TopUpPayload, ClosePayload, MeteringDirective, MeteringUsage) in go/protocols/mpp/intents/session.go, mirroring rust/crates/mpp/src/protocol/intents/session.rs field for field: salt as a u64 string accepting string or number on decode (with a raw-bytes re-parse to avoid float precision loss past 2^53), the cumulative decode alias with cumulativeAmount the only serialized name, SessionID() keyed channelId first with tokenAccount fallback, topUp.newDeposit as the new total, and DefaultSessionExpiresAt = 4_102_444_800.
• A codama-go generated payment-channels client under go/protocols/programs/paymentchannels/ (recipe in skills/pay-sdk-implementation/codegen/, reproducible via generate-payment-channels-client-go.ts), covering every instruction (open, topUp, settle, settleAndFinalize, distribute, finalize, requestClose, withdrawPayer, emitEvent) plus account and type decoders, with the production program id overriding the IDL placeholder and the single-byte discriminators (open = 1, topUp = 3). A frozen-hex parity suite (go/protocols/programs/paymentchannels_parity_test/) pins the borsh byte layouts against the Rust spine.
• The 48-byte voucher preimage (channel_id || cumulative u64 LE || expires_at i64 LE) has a single packer that VoucherData.MessageBytes delegates to, and is pinned by cross-SDK conformance vectors (harness/vectors/session-voucher.json, including a near-u64-max cumulative case) implemented in go/cmd/conformance.

Client layer, keyed to the skill's component inventory:

• Challenge parsing and mode selection: ParseSessionChallenge plus challenge selection with mode gating in client/challenge_selection.go, encoding modes empty or omitted as push-only (TS sessionRequestModes semantics, Rust membership checks).
• Challenge-driven open layer in client/payment_channels.go, ported line by line from rust/crates/mpp/src/client/payment_channels.rs: open derivation (mint from the challenge currency with the localnet to mainnet fallback, deposit defaulting to the cap, grace defaulting to 900 seconds, token program resolved from the currency so Token-2022 currencies open correctly, splits, random u64 salt), transaction assembly with fee payer = challenge operator and payer partial-signing only its own slot, the challenge recentBlockhash, the PENDING_SERVER_SIGNATURE placeholder (64 ones), and standard base64 with padding for the wire transaction. A per-call program id can be threaded through for non-mainnet clusters.
• Session state with the prepare/record split: ActiveSession signs vouchers without advancing the watermark and records them only after server acceptance, with channel-match checks, strict monotonicity, u64 overflow guards, and the Rust nonce rule.
• Metered consumer: SessionConsumer validates the directive session, prepares the voucher for watermark + amount, and commits with the directive's deliveryId. On a replayed receipt it reconciles the watermark to min(settled, prepared) instead of recording blindly, matching the hardened semantics proposed for the Rust client in fix(rust): do not advance session watermark on a replayed commit #162; the clamp treats the server as untrusted.
• Streaming consumption in client/http_stream.go, porting rust/crates/mpp/src/client/http_stream.rs: incremental SSE decoding, metered event classification (mpp.metering/metering, mpp.usage/usage, done, [DONE]), enforcement that a usage event's deliveryId matches the live directive and that usage overrides only the amount, and a net/http-backed commit transport.

Server layer, mirroring the TS server that landed in #165 (typescript/packages/mpp/src/server/Session.ts and server/session/*) and rust/crates/mpp/src/server/session.rs:

• go/protocols/mpp/server/session_store.go: per-channel state store with an atomic UpdateChannel read-modify-write mutator (per-channel mutex; a failing mutator leaves state unchanged), pluggable like the existing replay stores.
• session_voucher.go: the ordered voucher verifier as a pure function with the exact reference check sequence (parse, finalized, close pending, idempotent replay on same cumulative and same re-verified signature, strictly above watermark, within deposit, minVoucherDelta, Ed25519 against the stored authorizedSigner, expiry), preflighted outside the store lock and re-checked inside.
• session.go: the off-chain SessionServer core (challenge request building with cap clamping, open/voucher/commit/topUp/close handlers, reservation accounting cumulative + pendingTotal + amount <= deposit, sequence assignment with the default <sessionId>:<sequence> delivery id, replay returning the cached receipt).
• session_onchain.go: open-transaction verification (decode, fee-payer signature binding, deposit and recipient checks) and settle/finalize composition (settleAndFinalize with the ed25519 precompile instruction immediately preceding it, distribute bundled in the same transaction), gated behind an injectable verifier seam so the no-RPC trust model matches Rust rpc_url = None. Server-broadcast open submission completes the fee-payer signature and broadcasts, recording the settled signature on channel state.
• session_method.go and session_routes.go: the HTTP-facing session method (HMAC-bound 402 challenges, credential verification dispatching across the five actions) and the reserve/commit metering side channel (POST /__402/session/deliveries, POST /__402/session/commit), flagged as the TypeScript-server extension it is.
• session_lifecycle.go: the idle-close watchdog (single-shot timer per channel, reset on voucher/commit/topUp, close-and-settle on fire), mirroring the TS-only lifecycle extension.
• session_stream.go: a server-side metered SSE stream writer emitting the directive/usage/done event shapes the client consumer parses.

Example:

• go/examples/playground-api: a Go port of typescript/examples/playground-api with endpoint parity for the playground web app. Charges (stock quote, marketplace splits, fortune payment link, faucet), sessions (/sessions/stream pay-per-chunk SSE and /sessions/compute pay-per-call with real opens, side-channel metering, and idle-close on-chain settlement), the x402 exact demo routes with the embedded facilitator, and the config catalog endpoint. Setting PAYKIT_PLAYGROUND_API_URL points the playground's pnpm dev at this server instead of launching the TypeScript one.

Encoding boundaries follow the repo rule: canonical JSON (RFC 8785) to base64url without padding for the credential envelope and request field, standard base64 with padding for transactions, base58 for signatures, pubkeys, and blockhashes.

Notes for review

• The replayed-receipt reconcile in SessionConsumer intentionally tracks the fix(rust): do not advance session watermark on a replayed commit #162 Rust semantics rather than the current TS client, which still records the prepared voucher unconditionally. If fix(rust): do not advance session watermark on a replayed commit #162 lands first this is exact parity; if not, this is the same divergence flagged there.
• The generated client under go/protocols/programs/paymentchannels/ is codegen output and is carved out of the coverage gate alongside the examples; the curated layer in go/paycore/paymentchannels is fully covered.
• The README scheme matrix now marks mpp/session shipped on both client and server, with the scope notes inline.

Testing

• go test ./...: all packages pass, including the session intent serde suite, client session/consumer/stream suites, the server method, store, voucher, on-chain, concurrency, and lifecycle suites, and the playground example smoke tests.
• Surfpool-gated e2e: session_e2e_test.go and playground_e2e_test.go drive the full lifecycle (real open completed and broadcast by the server, metered SSE with per-chunk vouchers, side-channel reserve/commit, on-chain settle at idle close) against the hosted Solana Payment Sandbox; they skip explicitly when the sandbox is unreachable or under -short, never silently pass.
• Frozen-hex borsh parity tests pin the generated instruction encodings against the Rust spine; harness/vectors/session-voucher.json pins the voucher preimage cross-SDK.
• CI: the Go workflow gains a playground job that builds and boots go/examples/playground-api and runs the payment-link Playwright suite against it; the harness matrix job honors PAY_KIT_HARNESS_PROTOCOL in the Go client adapter.
• gofmt clean; lint configured to skip the generated client only.

[greptile-apps]

Greptile Summary

This PR adds the MPP session intent to the Go SDK, client-side only. A client can now open a payment channel, sign cumulative Ed25519 vouchers off-chain, top up, close, and drive metered delivery via a SessionConsumer, all byte-identical with the Rust spine. The codama-generated payment-channels program client is committed under protocols/programs/paymentchannels/, with a thin hand-written glue layer for PDA derivation, the voucher preimage, and the open/topUp instruction builders.

• protocols/mpp/intents/session.go implements the full wire-type tagged union (SessionAction, OpenPayload, VoucherData, CommitPayload, MeteringDirective, MeteredEnvelope[T]) with custom JSON marshaling for the cumulativeAmount/cumulative alias and the salt decimal-string encoding.
• protocols/mpp/client/session.go and session_consumer.go implement ActiveSession (monotonic watermark guard, voucher signing, action builders) and SessionConsumer/MeteredDelivery[T] with a correct replay-reconciliation path that clamps the server-reported cumulative to the client's prepared voucher.
• paycore/paymentchannels/paymentchannels.go provides PDA derivation, VoucherMessageBytes (the canonical 48-byte preimage), and the BuildOpenInstruction/BuildTopUpInstruction helpers; the duplicate preimage previously in VoucherData.MessageBytes now delegates to this single source.

Confidence Score: 5/5

Safe to merge. All three issues from the previous review round are addressed: replay watermark double-counting replaced by clamped ReconcileSettled, duplicate voucher preimage eliminated by delegation, and missing cumulative field now errors at deserialization.

The session consumer replay logic is correct and covered by six targeted tests (lost-response reconcile, stale-replay no-regression, malicious-server clamp, unknown status rejection). Borsh discriminators and account ordering are pinned by frozen cross-language parity vectors. No logic defects were found.

No files require special attention. Generated files under protocols/programs/paymentchannels/ are byte-reproducible from the IDL and correctly excluded from lint gates.

Important Files Changed

Filename	Overview
go/protocols/mpp/client/session_consumer.go	Correct replay-reconciliation logic: clamps settled to the prepared voucher; ReconcileSettled never regresses the watermark; unknown receipt status rejected before advancing state.
go/protocols/mpp/client/session.go	ActiveSession voucher signing and watermark management is well-implemented; PrepareVoucher/RecordVoucher separation is consistent with the ack/commit retry contract.
go/protocols/mpp/intents/session.go	Wire types, custom marshal/unmarshal (salt, cumulative alias, action tag union) all correct; missing cumulative now returns an error; VoucherData.MessageBytes delegates to the canonical packer.
go/paycore/paymentchannels/paymentchannels.go	PDA derivation, VoucherMessageBytes, BuildOpenInstruction/BuildTopUpInstruction all correct; init() pins the production program ID; SetProgramID follows the same global-var pattern as the generated package.
go/protocols/programs/paymentchannels_parity_test/parity_test.go	Frozen Borsh vectors for OpenArgs, TopUpArgs, VoucherArgs, and the single-byte discriminator guard against silent IDL-layout drift.
go/protocols/mpp/client/session_consumer_test.go	Comprehensive replay-handling tests now assert the watermark after replay, closing the gap identified in the previous review round.
harness/src/conformance/runners.ts	Intent-capability opt-in for runners (DEFAULT_INTENTS fallback) lets the session intent land without breaking existing language runners that haven't implemented it yet.

Sequence Diagram

sequenceDiagram
    participant C as Client (ActiveSession)
    participant SC as SessionConsumer
    participant T as CommitTransport
    participant S as Server

    C->>C: NewActiveSession(channelID, signer)
    C->>C: OpenAction(deposit, txSig)
    C->>S: POST Authorization: Payment open action
    S-->>C: 200 OK (session established)

    loop Metered deliveries
        S-->>SC: "MeteredEnvelope{payload, MeteringDirective}"
        SC->>SC: "Accept(envelope) -> MeteredDelivery"
        Note over SC: Application processes payload
        SC->>C: "PrepareIncrement(amount) -> SignedVoucher"
        Note over C: Watermark NOT yet advanced
        SC->>T: "Commit(directive, CommitPayload{voucher})"
        T->>S: POST commit endpoint
        alt CommitStatusCommitted
            S-->>T: "CommitReceipt{status:committed, cumulative}"
            T-->>SC: receipt
            SC->>C: RecordVoucher(voucher)
            Note over C: Watermark advanced to cumulative
        else CommitStatusReplayed
            S-->>T: "CommitReceipt{status:replayed, cumulative=settled}"
            T-->>SC: receipt
            SC->>C: ReconcileSettled(min(settled, prepared))
            Note over C: Watermark reconciled, never regresses
        else Transport error
            T-->>SC: error
            Note over C: Watermark unchanged - safe to retry
        end
    end

    C->>C: CloseAction(finalIncrement)
    C->>S: POST Authorization: Payment close action

Loading

_{Reviews (8): Last reviewed commit: "refactor(go): delegate VoucherData.Messa..." | Re-trigger Greptile}

[greptile-apps]

Replayed receipt still advances the local cumulative watermark

RecordVoucher(voucher) is called unconditionally on any successful transport response, including CommitStatusReplayed. In the intended retry-after-failure path the watermark is still at 0, so advancing it is correct. But if the first call already succeeded (watermark at amount) and the caller commits the same directive again, PrepareIncrement(amount) creates a voucher at 2×amount. The server returns Replayed with the original cumulative=amount, and RecordVoucher then advances the local watermark to 2×amount — the client has now signed and locally recorded a voucher the server never accepted as a new settlement. A subsequent channel close or settlement instruction could use that 2×amount voucher to claim more funds than were authorized.

TestConsumerDuplicateDeliveryReplayedNotDoubleCounted checks only that the server records one commit; it never asserts consumer.Session().Cumulative() after the replay, so this drift is not caught. The fix is to skip RecordVoucher when receipt.Status == CommitStatusReplayed and the current cumulative already equals or exceeds the replayed amount.

[greptile-apps]

Duplicate voucher-preimage implementation risks silent divergence

VoucherData.MessageBytes() re-implements the same 48-byte layout (channelId || cumulative LE u64 || expiresAt LE i64) as paymentchannels.VoucherMessageBytes(). The signing path in client/session.go's PrepareVoucher already calls paymentchannels.VoucherMessageBytes, while VoucherData.MessageBytes is a separate reimplementation. Both currently agree, but any future change to one that misses the other would silently produce mismatched signatures that only surface at on-chain settlement. Consider having VoucherData.MessageBytes decode the channel ID and delegate directly to paymentchannels.VoucherMessageBytes rather than carrying a parallel implementation.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

ValidateAndBuild() result discarded; materialize encodes the builder directly

ValidateAndBuild() is called only for its error-checking side-effect; the returned *Instruction is discarded, and materialize(builder, builder.GetAccounts()) then Borsh-encodes the builder directly. The comment explains why (the generated Instruction stores the impl by value, causing a pointer-receiver panic on Accounts()). This workaround is correct today, but if the codegen ever changes how ValidateAndBuild() mutates builder state (e.g., setting default accounts or computing derived fields), the discarded result may diverge from what materialize encodes. A code comment at the call site calling this out explicitly would make the coupling clearer for future maintainers regenerating the client.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Missing cumulative field accepted silently

UnmarshalJSON returns nil when neither cumulativeAmount nor cumulative appears in the JSON, leaving VoucherData.Cumulative as "". Any subsequent call — RecordVoucher, MessageBytes, parseCumulative — then fails with the cryptic message "invalid voucher cumulative \"\"" instead of a deserialization error pointing to the missing field. The Rust VoucherData treats cumulative_amount as a required field (non-Option), so the Go implementation is more permissive than the spec allows. A missing default case that returns an error would align Go with Rust and fail fast at the protocol boundary rather than deep inside the watermark logic.

Suggested change

	// UnmarshalJSON decodes VoucherData, accepting "cumulative" as an alias for
	// "cumulativeAmount", mirroring rust's serde(alias="cumulative").
	func (v *VoucherData) UnmarshalJSON(data []byte) error {
	var wire voucherDataJSON
	if err := json.Unmarshal(data, &wire); err != nil {
	return fmt.Errorf("decode voucher data: %w", err)
	}
	*v = VoucherData{
	ChannelID: wire.ChannelID,
	ExpiresAt: wire.ExpiresAt,
	Nonce: wire.Nonce,
	}
	switch {
	case wire.CumulativeAmount != nil:
	v.Cumulative = *wire.CumulativeAmount
	case wire.CumulativeAlias != nil:
	v.Cumulative = *wire.CumulativeAlias
	}
	return nil
	}
	switch {
	case wire.CumulativeAmount != nil:
	v.Cumulative = *wire.CumulativeAmount
	case wire.CumulativeAlias != nil:
	v.Cumulative = *wire.CumulativeAlias
	default:
	return fmt.Errorf("voucher data: missing required cumulativeAmount field")
	}
	return nil
	}

[lgalabru]

Let's implement the exact same endpoints we have in typescript/examples/playground-api

[lgalabru]

This constants are very likely already available in paykit

[lgalabru]

There should already be a helper in paykit

[lgalabru]

Let's clean up this example as much as possible - if we find ourselves writing code that could be helpful for others, we consolidate in pay-kit

[lgalabru]

should we be working with enums here?

[lgalabru]

Can we remove these comments?

[lgalabru]

Remove all these Mirrors comments.

[lgalabru]

Generally speaking, can we do a pass and get every single field of every single structure being commented?