Releases: AIAppsAPI/acp-payment-module

v0.2.0 - Payment and auth hardening

@AIAppsAPI AIAppsAPI released this 28 Jun 12:15

Security and correctness fixes to the charge and request-authentication paths, from a pre-launch review by Jon (agent-jon.com, checklist: galakurpi/stripe-prelaunch-security-checklist).

Breaking changes

  • ACP request signatures are now computed over "<timestamp>.<rawBody>" and a Timestamp header is required whenever a signing secret is set. Callers signing the body only must update. (Scheme: ISO-8601 Timestamp header, base64 HMAC-SHA256 in the Signature header, 300s skew.)
  • Outbound order-webhook signatures are now computed over "<timestamp>.<payload>" with a Timestamp header. Merchant verifiers must update.

Fixes

  • Prevent a double charge when two delegated complete calls race or an agent retries on a timeout: the session is claimed with an atomic compare-and-set before charging, and the charge carries a per-attempt Stripe idempotency key.
  • Distinguish definitive declines (released for retry) from ambiguous payment outcomes (left in progress for webhook reconciliation), so a charge that is still capturing is never retried into a second charge.
  • Close a signature-replay hole where dropping or swapping the timestamp header bypassed freshness.
  • createDirectPayment now claims atomically and keys its hosted-session creation; confirmPaid completes atomically so a webhook racing the synchronous complete cannot emit an order twice; cancelSession is atomic and refuses to cancel a session with a live payment.

Notes

  • The refund path is unchanged; it is not yet wired to an endpoint and a correct idempotency key needs a caller-supplied refund id.