Replace the in-memory dedup Sets in the BTCPay and Zaprite webhook
handlers (and the BTCPay rescan path) with a persistent JSON-backed
store (server/webhook-dedup.js). The in-memory sets were cleared on
restart, so a duplicate webhook delivery straddling a relay restart
could double-credit (BTCPay) or double-extend a subscription (Zaprite).
The store atomically writes /data/processed-webhooks.json, namespaces
keys per rail (storeId|invoiceId vs zaprite:orderId), and prunes
entries older than 180 days (safely beyond any retry window).
Also:
- BTCPay is a required running dependency (operator decision). Config
was already optional:false/kind:'running'; corrected the contradictory
"optional" comment in the manifest to match.
- Scope cors() to /relay/* only — off /admin/* and the same-origin
dashboard, which don't need permissive CORS.
- Add money-path unit tests (commitCredit/refundCredit/applyTierPromotion)
and webhook-dedup tests (incl. the survives-a-restart guarantee).
- Fix two AGENTS.md auth-doc drifts; refresh Current state.
Version 0.2.125 -> 0.2.126.
Malformed JSON request bodies fell through to Express's default error
handler, which renders an HTML page including the local-filesystem stack
trace (info leak). Add a final error-handling middleware: JSON 400 for
entity.parse.failed, 413 for entity.too.large, generic 500 otherwise —
closing the stack-trace leak on every propagated error, not just JSON.
Keysat