feat(python): MPP sessions (client + server + playground)

[EfeDurmaz16]

What this adds

The MPP session intent for the Python SDK, now both halves plus the example app, bringing Python to parity with the Go port (#160). Rebased onto main (which carries #160), so the diff is the Python session surface only.

• Wire types protocols/mpp/intents/session.py — SessionRequest, the SessionAction tagged union (open / voucher / commit / topUp / close), signed vouchers, metering types.
• Client protocols/mpp/client/session.py + session_consumer.py — ActiveSession (voucher signing, monotonic watermark, action builders) and SessionConsumer (metered ack/commit).
• Server protocols/mpp/server/session_*.py — the full server method ported from go/protocols/mpp/server against the Rust spine (rust/crates/mpp/src/server/session.rs) as wire truth: session_store (channel store with per-channel-locked read-modify-write and Go-faithful nil-slice serialization), session_voucher (offline voucher verifier), session_lifecycle, session_onchain (open/top-up verification with an optional RPC liveness seam), session_method (new_session + open/voucher/commit/topUp/close handlers, re-drivable close, pull-mode guard), session_stream (metered SSE), session_routes + session (HTTP routes with strict typed decode, public SessionServer).
• Generated client protocols/programs/paymentchannels/ — codama-py output (Go uses @codama/renderers-go); regenerate with just payment-channels-generate-py.
• Playground examples/playground_api/ — FastAPI port of go/examples/playground-api: charges (stocks/marketplace/weather with fee splits), the metered session stream/compute/receipt, x402, faucet, docs, health/config catalog.

Reviewing it

Suggested read order (the generated client and the playground example can be skimmed):

1. protocols/mpp/intents/session.py (wire types)
2. protocols/mpp/client/session.py, session_consumer.py
3. protocols/mpp/server/session_store.py, session_voucher.py, session_method.py (the fund-safety surface)
4. protocols/mpp/server/session_routes.py (HTTP + strict decode)
5. examples/playground_api/ (runnable example)

Deferred (documented)

Server-side on-chain settlement broadcast (SubmitOpenTx / SettlementInstructions in the Go server) is not ported: it needs a Python transaction-broadcast layer (signer send + confirm) that does not exist in the SDK yet. The offline verification core, lifecycle, routes, store, and the optional-RPC liveness seam are complete. The playground uses the client submitter with rpc=None (offline) accordingly, and the receipt poll reports settledSignature=null until that path lands. This mirrors how the Go port treats the RPC client as optional.

Verification

ruff check, ruff format, pyright (0 errors), pytest --cov=pay_kit --cov-fail-under=90 (1141 passing, cov 94.6%). The server modules mirror Go's test behaviors test-first. Manual check: the playground returns real 402 Payment challenges on the session stream, charge, and x402 routes; the app boots with all 30 routes registered. The 48-byte voucher preimage and single-byte discriminators (open=1, topUp=3) match the Rust/Go frozen vectors.

---

Reviewer note (Claude Fable 5)

Claude Fable 5 reviewed this PR. Scope grew from client-only to full parity with Go #160 (client + server + playground), so the surface worth your attention:

• Fund safety lives in session_voucher.py and session_method.py. The voucher verifier runs the Go checks in the same order (monotonicity, deposit bound, min-delta, signature, expiry, finalized/close-pending). The close handler mirrors Go's re-drivable close: a closing channel with no recorded settlement signature re-drives rather than hard-rejecting, while a settled channel still rejects a second close. No fund-safety check was relaxed to make this work.
• Decode strictness matches Go. session_routes.py rejects type-mismatched JSON fields up front with 400 invalid request body (float/numeric-string into an int64 field, JSON number into a string field), before any store access, matching Go's typed json.Decode. Regression tests cover each case.
• Durable-record parity. session_store serializes empty delivery lists as null (Go nil-slice behavior) and decodes null/missing/[] all to empty, so durable channel records are byte-compatible across the Go and Python servers; the Rust spine's #[serde(default)] absorbs it on read.
• The deferred settlement-broadcast path is the one intentional gap (see above), stubbed to raise rather than fake-implemented.

[greptile-apps]

Greptile Summary

This PR ports the MPP session intent to Python — wire types, client (ActiveSession + SessionConsumer), full server (store, voucher verifier, lifecycle, onchain seams, method, routes), generated payment-channels client, and a FastAPI playground — bringing Python to parity with the Go port (#160). The deferred gap (server-broadcast settlement) is clearly stubbed and documented.

• Wire types & client (intents/session.py, client/session.py, session_consumer.py): VoucherData.from_dict now coerces JSON-number cumulative to str; CommitReceipt.from_dict rejects missing/unknown status; the prepare/record split in SessionConsumer makes failed commits safe to retry.
• Server fund-safety surface (session_voucher.py, session_method.py, session_store.py): voucher check order (monotonicity → deposit cap → min-delta → Ed25519 → expiry) matches Go/Rust; close re-drivability is correctly scoped to channels with no settled signature; per-channel locking serializes concurrent watermark advances.
• Strict decode (session_routes.py): typed field helpers reject JSON type mismatches before any store access, matching Go's json.Decode behaviour; _parse_session_u64 in session_method.py is missing the same isinstance(value, str) guard, causing an uncaught AttributeError on a non-string newDeposit from a topUp action.

Confidence Score: 4/5

Safe to merge with one fix: a topUp credential carrying newDeposit as a JSON integer escapes the ValueError handler and surfaces as an unhandled exception.

The fund-safety core (voucher verifier, watermark atomicity, close re-drivability) is thorough and matches the Go/Rust reference. One input-validation gap in session_method.py — _parse_session_u64 missing the isinstance guard present in session_routes.py — means a non-string newDeposit raises AttributeError instead of ValueError, escaping the handler and reaching the framework as a 500 on the topUp path.

python/src/pay_kit/protocols/mpp/server/session_method.py — the _parse_session_u64 guard fix. The rest of the server and client surface looks solid.

Important Files Changed

Filename	Overview
python/src/pay_kit/protocols/mpp/server/session_method.py	HTTP-facing session handler; _parse_session_u64 is missing the isinstance(value, str) guard present in the routes module, causing an uncaught AttributeError on non-string newDeposit payloads from the topUp path.
python/src/pay_kit/protocols/mpp/server/session_voucher.py	Pure voucher verifier; check order (monotonicity → deposit → min-delta → Ed25519 → expiry) faithfully mirrors the Go and Rust reference; idempotent replay is correctly gated on matching signature and re-verified.
python/src/pay_kit/protocols/mpp/server/session_store.py	In-memory store with per-channel locking for update_channel; delete_channel acquires only _mu (race with concurrent update_channel noted in a prior review thread); nil-slice serialization preserves wire parity with Go.
python/src/pay_kit/protocols/mpp/server/session_routes.py	Metering side-channel handlers; strict typed decode is thorough for integer/string field mismatches but the voucher field in commit is not type-checked before SignedVoucher.from_dict (non-dict value raises AttributeError as a 500 — noted in a prior thread).
python/src/pay_kit/protocols/mpp/intents/session.py	Wire types for the session intent; VoucherData now coerces JSON-number cumulative to str; CommitReceipt.from_dict raises on missing/unknown status; _parse_base_units normalizes via str() before digit-check, handling int inputs from deserialization safely.
python/src/pay_kit/protocols/mpp/client/session_consumer.py	SessionConsumer prepare/record split ensures a failed commit does not advance the local watermark; idempotent replay is handled for both committed and replayed receipts; transport interface is clean.
python/src/pay_kit/protocols/mpp/server/session.py	Core SessionServer: process_open idempotency, verify_voucher atomic watermark advance, begin_delivery/process_commit metering flows are faithfully ported from Go with correct u64 overflow guards.
python/examples/playground_api/sessions.py	FastAPI playground for session endpoints; session_routes are only wired to stream_session.core() but both sessions share the same MemoryChannelStore; receipt endpoint reads shared_store correctly.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant C as Client
    participant M as Session (method)
    participant S as SessionServer (core)
    participant ST as ChannelStore
    participant V as VoucherVerifier

    C->>M: GET /resource (no auth)
    M-->>C: 402 WWW-Authenticate: SessionRequest challenge

    C->>M: POST /resource (Authorization: open action)
    M->>M: verify HMAC + pinned fields
    M->>S: process_open(payload)
    S->>ST: update_channel (insert fresh state)
    ST-->>S: ChannelState
    S-->>M: ChannelState
    M-->>C: 200 X-Payment-Receipt

    loop Per request
        C->>M: POST /resource (Authorization: voucher action)
        M->>S: verify_voucher(payload)
        S->>ST: update_channel (verify + advance watermark)
        ST->>V: verify_voucher_for_channel(args)
        V-->>ST: VoucherVerifyResult (ACCEPTED)
        ST-->>S: ChannelState (new cumulative)
        S-->>M: cumulative
        M-->>C: 200 X-Payment-Receipt
    end

    C->>M: POST /__402/session/deliveries (reserve)
    M->>S: begin_delivery(DeliveryRequest)
    S->>ST: update_channel (add PendingDelivery)
    ST-->>S: MeteringDirective
    S-->>M: MeteringDirective
    M-->>C: 200 deliveryId+amount

    C->>M: POST /__402/session/commit (voucher)
    M->>S: process_commit(CommitPayload)
    S->>ST: update_channel (verify voucher + commit delivery)
    ST-->>S: CommitReceipt
    S-->>M: CommitReceipt
    M-->>C: 200 CommitReceipt

    C->>M: POST /resource (Authorization: close action)
    M->>ST: update_channel (set close_requested_at)
    ST-->>M: ChannelState (close-pending)
    M-->>C: 200 X-Payment-Receipt

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant C as Client
    participant M as Session (method)
    participant S as SessionServer (core)
    participant ST as ChannelStore
    participant V as VoucherVerifier

    C->>M: GET /resource (no auth)
    M-->>C: 402 WWW-Authenticate: SessionRequest challenge

    C->>M: POST /resource (Authorization: open action)
    M->>M: verify HMAC + pinned fields
    M->>S: process_open(payload)
    S->>ST: update_channel (insert fresh state)
    ST-->>S: ChannelState
    S-->>M: ChannelState
    M-->>C: 200 X-Payment-Receipt

    loop Per request
        C->>M: POST /resource (Authorization: voucher action)
        M->>S: verify_voucher(payload)
        S->>ST: update_channel (verify + advance watermark)
        ST->>V: verify_voucher_for_channel(args)
        V-->>ST: VoucherVerifyResult (ACCEPTED)
        ST-->>S: ChannelState (new cumulative)
        S-->>M: cumulative
        M-->>C: 200 X-Payment-Receipt
    end

    C->>M: POST /__402/session/deliveries (reserve)
    M->>S: begin_delivery(DeliveryRequest)
    S->>ST: update_channel (add PendingDelivery)
    ST-->>S: MeteringDirective
    S-->>M: MeteringDirective
    M-->>C: 200 deliveryId+amount

    C->>M: POST /__402/session/commit (voucher)
    M->>S: process_commit(CommitPayload)
    S->>ST: update_channel (verify voucher + commit delivery)
    ST-->>S: CommitReceipt
    S-->>M: CommitReceipt
    M-->>C: 200 CommitReceipt

    C->>M: POST /resource (Authorization: close action)
    M->>ST: update_channel (set close_requested_at)
    ST-->>M: ChannelState (close-pending)
    M-->>C: 200 X-Payment-Receipt

Loading

_{Reviews (15): Last reviewed commit: "test(python/playground): add playground-..." | Re-trigger Greptile}

[greptile-apps]

When VoucherData.from_dict receives a cumulativeAmount that is a JSON number rather than a string (a non-conforming but plausible server response), self.cumulative ends up as an int. Both message_bytes() (int(self.cumulative, 10)) and record_voucher (int(voucher.data.cumulative, 10)) then raise TypeError: int() can't convert non-string with explicit base instead of the expected ValueError, breaking the caller's error-handling path. Coercing to str in from_dict is the safe fix.

Suggested change

	if "cumulativeAmount" in data:
	cumulative = data["cumulativeAmount"]
	elif "cumulative" in data:
	cumulative = data["cumulative"]
	else:
	cumulative = ""
	if "cumulativeAmount" in data:
	cumulative = str(data["cumulativeAmount"])
	elif "cumulative" in data:
	cumulative = str(data["cumulative"])
	else:
	cumulative = ""

[greptile-apps]

struct.pack("<I", params.grace_period) silently raises struct.error when grace_period exceeds 2**32 - 1 rather than a descriptive ValueError. Since grace_period is typed as int (unbounded in Python) and callers may compute it from seconds, a clear range guard here prevents a confusing low-level exception. The same gap exists for bps (<H, max 65 535) in the recipients loop.

Suggested change

	data = bytearray()
	data.append(_OPEN_DISCRIMINATOR)
	data += struct.pack("<Q", params.salt)
	data += struct.pack("<Q", params.deposit)
	data += struct.pack("<I", params.grace_period)
	if not (0 <= params.grace_period <= 0xFFFF_FFFF):
	raise ValueError(f"grace_period {params.grace_period} exceeds u32 range")
	data = bytearray()
	data.append(_OPEN_DISCRIMINATOR)
	data += struct.pack("<Q", params.salt)
	data += struct.pack("<Q", params.deposit)
	data += struct.pack("<I", params.grace_period)

[greptile-apps]

CommitTransport is listed in session_consumer.__all__ and is the protocol users must implement to drive SessionConsumer, but it is not re-exported here. Any caller who imports only from the top-level client package will need to discover the sub-module path by reading source, which is at odds with the re-export pattern the rest of this __init__ establishes.

Suggested change

	from pay_kit.protocols.mpp.client.session_consumer import (
	MeteredDelivery,
	SessionConsumer,
	)
	from pay_kit.protocols.mpp.client.session_consumer import (
	CommitTransport,
	MeteredDelivery,
	SessionConsumer,
	)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

The __all__ list omits CommitTransport after the import above is added, so from pay_kit.protocols.mpp.client import * still would not expose it to downstream consumers.

Suggested change

	__all__ = [
	"PaymentTransport",
	"ActiveSession",
	"SessionConsumer",
	"MeteredDelivery",
	"serialize_session_credential",
	"parse_session_challenge",
	]
	__all__ = [
	"PaymentTransport",
	"ActiveSession",
	"CommitTransport",
	"SessionConsumer",
	"MeteredDelivery",
	"serialize_session_credential",
	"parse_session_challenge",
	]

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

MeteringDirective.from_dict stores amount as whatever JSON hands it — typically an int when the server does not quote the field. commit_directive then calls directive.amount_base_units(), which passes self.amount directly to int(self.amount, 10). Python's int() with an explicit base rejects a plain int argument with TypeError: int() can't convert non-string with explicit base, rather than the ValueError the call-site catch-all expects. The fix is the same coercion already recommended for VoucherData.cumulative: normalize to str at deserialization time.

Suggested change

	@classmethod
	def from_dict(cls, data: dict[str, Any]) -> MeteringDirective:
	return cls(
	delivery_id=data.get("deliveryId", ""),
	session_id=data.get("sessionId", ""),
	amount=data.get("amount", ""),
	currency=data.get("currency", ""),
	sequence=int(data.get("sequence", 0)),
	expires_at=int(data.get("expiresAt", 0)),
	commit_url=data.get("commitUrl"),
	proof=data.get("proof"),
	)
	@classmethod
	def from_dict(cls, data: dict[str, Any]) -> MeteringDirective:
	return cls(
	delivery_id=data.get("deliveryId", ""),
	session_id=data.get("sessionId", ""),
	amount=str(data.get("amount", "")),
	currency=data.get("currency", ""),
	sequence=int(data.get("sequence", 0)),
	expires_at=int(data.get("expiresAt", 0)),
	commit_url=data.get("commitUrl"),
	proof=data.get("proof"),
	)

[greptile-apps]

amount coercion gap in MeteringUsage and CommitReceipt

MeteringUsage.from_dict stores amount as-is from the parsed JSON dictionary — a conforming but number-typed server response sets it to an int. amount_base_units() then calls int(self.amount, 10), which raises TypeError: int() can't convert non-string with explicit base instead of the expected ValueError. The same gap exists in CommitReceipt.from_dict for both amount (line 878) and cumulative (line 879): both amount_base_units() and cumulative_base_units() fail with TypeError when the field arrives as a JSON number. The coercion fix applied to VoucherData.cumulative (lines 1518–1519) should be replicated here.

[lgalabru]

Not a huge fan of this approach. can we have endpoints declared in-line instead of this json?

[lgalabru]

I don't think the RPC url should be exposed.

[lgalabru]

Is this endpoint actually needed by playground?

[lgalabru]

I'm surprised by the amount of code required to setup a simple python server exposing 5 endpoints.
Any reusable helpers that can / should be pushed to PayKit?

[lgalabru]

Why so many endpoints?

[lgalabru]

Same feedback - too much code

[lgalabru]

Same feedback - Feels like a lot of code here belongs to PayKit

[lgalabru]

Is there a python lib we can use instead of all this yahoo code?

[lgalabru]

"The wire format mirrors"
Can we get rid of these statements? If we're citing a source of truth, it's the spec

[lgalabru]

Remove all these "Mirrors etc"

[lgalabru]

Can we make sure we'll get high quality docs for all these classes, fields, etc.

[greptile-apps]

Unguarded from_dict call raises 500 on non-dict voucher

voucher_raw is checked for None but not for its JSON type. When a client sends {"deliveryId": "x", "voucher": "a-string"} or {"deliveryId": "x", "voucher": [1,2]}, SignedVoucher.from_dict(voucher_raw) calls voucher_raw.get("data", {}), which raises AttributeError on any non-dict value. This exception is not caught by the except (ValueError, json.JSONDecodeError) block below (covering only the body decode) nor by the except ValueError on the process_commit call, so it propagates to the ASGI framework as a 500. Go's json.Decode into a typed struct rejects a non-object voucher field with a 400 "invalid request body" — this path is untested in the strict-decode parity suite while deliveries has full coverage.

Add if not isinstance(voucher_raw, dict): return _error(400, "invalid request body") before the from_dict call to match Go's behaviour.

Suggested change

	voucher_raw = body.get("voucher")
	if voucher_raw is None:
	return _error(400, "voucher required")
	voucher = SignedVoucher.from_dict(voucher_raw)
	voucher_raw = body.get("voucher")
	if voucher_raw is None:
	return _error(400, "voucher required")
	if not isinstance(voucher_raw, dict):
	return _error(400, "invalid request body")
	voucher = SignedVoucher.from_dict(voucher_raw)

[greptile-apps]

delete_channel races with concurrent update_channel for the same channel

delete_channel removes the entry from _data while holding only _mu, not the per-channel lock. A concurrent update_channel that has already read the snapshot and released _mu (but is still inside its mutator) will then re-acquire _mu and write the channel back — silently undoing the delete. In a scenario where a settled channel is deleted while a stale in-flight voucher verification is mid-execution, the channel reappears in the store after the delete returns. update_channel should acquire the per-channel lock before removing the entry (or delete_channel should acquire the channel-level lock via _channel_lock) to serialize with concurrent updates.

[lgalabru]

I think we also have some codama commands in the main justfile, can we consolidate?

[lgalabru]

Could we get rid of this function?

[lgalabru]

Is this function used?

[lgalabru]

What are these products?

[lgalabru]

Arem't we supporting server?