Releases: AIAppsAPI/acp-payment-module
v0.2.0 - Payment and auth hardening
Security and correctness fixes to the charge and request-authentication paths, from a pre-launch review by Jon (agent-jon.com, checklist: galakurpi/stripe-prelaunch-security-checklist).
Breaking changes
- ACP request signatures are now computed over `"<timestamp>.<rawBody>"`, and a `Timestamp` header is required whenever a signing secret is set. Callers signing the body only must update. (Scheme: ISO-8601 `Timestamp` header, base64 HMAC-SHA256 in the `Signature` header, 300 s skew.)
- Outbound order-webhook signatures are now computed over `"<timestamp>.<payload>"` with a `Timestamp` header. Merchant verifiers must update.
Fixes
- Prevent a double charge when two delegated `complete` calls race or an agent retries on a timeout: the session is claimed with an atomic compare-and-set before charging, and the charge carries a per-attempt Stripe idempotency key.
- Distinguish definitive declines (released for retry) from ambiguous payment outcomes (left in progress for webhook reconciliation), so a charge that is still capturing is never retried into a second charge.
- Close a signature-replay hole where dropping or swapping the timestamp header bypassed freshness.
- `createDirectPayment` now claims atomically and keys its hosted-session creation; `confirmPaid` completes atomically so a webhook racing the synchronous complete cannot emit an order twice; `cancelSession` is atomic and refuses to cancel a session with a live payment.
Notes
- The refund path is unchanged; it is not yet wired to an endpoint and a correct idempotency key needs a caller-supplied refund id.