grant/recap-relay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Persist payment-webhook dedup; declare BTCPay required; scope CORS

Browse Source 
Replace the in-memory dedup Sets in the BTCPay and Zaprite webhook
handlers (and the BTCPay rescan path) with a persistent JSON-backed
store (server/webhook-dedup.js). The in-memory sets were cleared on
restart, so a duplicate webhook delivery straddling a relay restart
could double-credit (BTCPay) or double-extend a subscription (Zaprite).
The store atomically writes /data/processed-webhooks.json, namespaces
keys per rail (storeId|invoiceId vs zaprite:orderId), and prunes
entries older than 180 days (safely beyond any retry window).

Also:
- BTCPay is a required running dependency (operator decision). Config
  was already optional:false/kind:'running'; corrected the contradictory
  "optional" comment in the manifest to match.
- Scope cors() to /relay/* only — off /admin/* and the same-origin
  dashboard, which don't need permissive CORS.
- Add money-path unit tests (commitCredit/refundCredit/applyTierPromotion)
  and webhook-dedup tests (incl. the survives-a-restart guarantee).
- Fix two AGENTS.md auth-doc drifts; refresh Current state.

Version 0.2.125 -> 0.2.126.
This commit is contained in:
Keysat
2026-06-15 18:15:00 -05:00
parent 798a698132
commit 238689ddcc
10 changed files with 345 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
startos/manifest/index.ts
+9 -9
View File
@@ -31,15 +31,15 @@ export const manifest = setupManifest({
start: null,
stop: null,
},
// Relay has no REQUIRED dependencies — Gemini is internet-fronted
// and the optional Parakeet/Gemma backends are at user-configured
// URLs (typically a separate machine on the operator's LAN).
//
// BTCPay Server is declared optional so the dashboard's "Connect
// BTCPay" flow can auto-discover its URL via
// sdk.serviceInterface.getAll() when both are installed on the
// same Start9 box. When BTCPay is not installed, the relay still
// runs fine — only the credit-purchase flow is disabled.
// BTCPay Server is a REQUIRED running dependency (optional: false
// here, kind: 'running' in dependencies.ts). It's the only payment
// rail through which the operator actually gets paid, so the relay
// shouldn't run without it. The dependency also wires up the internal
// docker hostname (btcpayserver.startos:23000) the relay-to-BTCPay API
// calls rely on, and lets the dashboard's "Connect BTCPay" flow
// auto-discover the URL via sdk.serviceInterface.getAll(). (Gemini is
// internet-fronted and the Parakeet/Gemma backends are at
// user-configured LAN URLs, so neither is a StartOS dependency.)
dependencies: {
btcpayserver: {
description: {