Replace the in-memory dedup Sets in the BTCPay and Zaprite webhook
handlers (and the BTCPay rescan path) with a persistent JSON-backed
store (server/webhook-dedup.js). The in-memory sets were cleared on
restart, so a duplicate webhook delivery straddling a relay restart
could double-credit (BTCPay) or double-extend a subscription (Zaprite).
The store atomically writes /data/processed-webhooks.json, namespaces
keys per rail (storeId|invoiceId vs zaprite:orderId), and prunes
entries older than 180 days (safely beyond any retry window).
Also:
- BTCPay is a required running dependency (operator decision). Config
was already optional:false/kind:'running'; corrected the contradictory
"optional" comment in the manifest to match.
- Scope cors() to /relay/* only — off /admin/* and the same-origin
dashboard, which don't need permissive CORS.
- Add money-path unit tests (commitCredit/refundCredit/applyTierPromotion)
and webhook-dedup tests (incl. the survives-a-restart guarantee).
- Fix two AGENTS.md auth-doc drifts; refresh Current state.
Version 0.2.125 -> 0.2.126.
New cookie-gated "Users" tab on the operator dashboard: a sortable view
of every credit-ledger row (typed cloud/license/install) with computed
remaining/total balances, key filter, and a per-row "grant free credits"
action.
Endpoints (routes/admin.js):
- GET /admin/credits — snapshotAll() enriched with a type derived from
the credit-key prefix and a computed balance (computeRemaining against
live tier quotas), since the ledger stores consumed counters only.
- POST /admin/credits/grant {credit_key, amount} — adds free top-up via
addPurchasedCredits. Grants land in the never-expires purchased bucket
(spent after the tier allowance). Guards: positive integer, <=1,000,000,
and the row must already exist (a typo can't spawn a ghost row).
Admin-only; no /relay/* client contract change. Tests added in
server/test/admin-credits.test.js (mount the real router over HTTP).
Version bumped 0.2.124 -> 0.2.125.
Cross-repo git-hygiene audit remediation: surface ~/Projects/standards/INBOX.md items at session start, and switch .gitignore to the deny-by-default .claude/* block (shared wiring allow-listed) plus the canonical secrets/env lines — per standards/portability.md.
AGENTS.md: append four real /admin routes the list omitted (job-output/:id, output-store-ids, settings/promote-prompt, test-run-suite); replace the stale HEAD hash with 'last code commit is v0.2.11, docs-only commits on top'. ROADMAP.md: fix the untracked count + HEAD wording; drop the two now-resolved doc-precision follow-ups.
- AGENTS.md: add Endpoints section — auth model (cloud operator-key path,
license/install-id path, admin session cookie, BTCPay HMAC) plus full
/relay/* surface (public + operator-key-only control plane), the
/admin/* dashboard, and the /admin/internal-meetings/* API.
- AGENTS.md: rewrite Current state with verified git facts — HEAD is the
prior docs commit, HEAD~1 is v0.2.11, working tree at v_0_2_124, file
counts pulled live from git status.
- ROADMAP.md: log two doc-precision follow-ups caught in review (the
working-tree counts drift fast; the admin-route shortlist silently
omits three real routes).
Keysat