Add Stripe webhook endpoint with signature verification and raw body parsing #401

New issue

Closed

opened 2026-04-10 14:24:46 -04:00 by pook · 1 comment

pook commented

2026-04-10 14:24:46 -04:00

Owner

Create POST /api/billing/webhook endpoint: 1) Apply express.raw({ type: 'application/json' }) middleware before JSON parsing to preserve raw body for signature verification, 2) Verify stripe.webhooks.constructEvent(rawBody, sig, STRIPE_WEBHOOK_SECRET) — return 400 with structured error if signature invalid, 3) Log event type and ID using structured format, 4) Return 200 for all verified events (handler logic in separate tasks). Add STRIPE_WEBHOOK_SECRET to startup env validation. Without signature verification, anyone can forge billing events to unlock paid features — this is a revenue-protection security requirement.

Generated by CEO Planner (priority: 2)

Create POST /api/billing/webhook endpoint: 1) Apply `express.raw({ type: 'application/json' })` middleware before JSON parsing to preserve raw body for signature verification, 2) Verify `stripe.webhooks.constructEvent(rawBody, sig, STRIPE_WEBHOOK_SECRET)` — return 400 with structured error if signature invalid, 3) Log event type and ID using structured format, 4) Return 200 for all verified events (handler logic in separate tasks). Add STRIPE_WEBHOOK_SECRET to startup env validation. Without signature verification, anyone can forge billing events to unlock paid features — this is a revenue-protection security requirement. --- *Generated by CEO Planner (priority: 2)*

pook added the

agent-task

label

2026-04-10 14:24:46 -04:00

pook referenced this issue from a pull request that will close it,

2026-04-10 14:46:47 -04:00

[Agent] Issue #401: create post apibillingwebhook endpoint 1 #405

agent-bot referenced this issue from a commit

2026-04-10 14:46:47 -04:00

feat: issue #401 create-post-apibillingwebhook-endpoint-1 (agent task liancebot401)

pook commented

2026-04-10 14:47:39 -04:00

Author

Owner

Bulk-closed 2026-04-10 during pipeline triage.

Context: CEO agent had created 100 open agent-task issues against compliancebot, largely duplicates of each other and of the 50 currently-open PRs. Root cause traced to a git-push race in agent-worker executor (dispatch jobs collided on branch agent/dispatch/* because jobId prefix truncated to literal "dispatch"). Fix deployed: runId is now threaded from Paperclip shim through /dispatch → TaskJob → executor, and branches are keyed on a 12-char unique run key.

What to do next:

Triage the 50 open PRs at https://192.168.183.110:3000/pook/compliancebot/pulls — many are ready to merge
CEO should halt new task creation until open PRs drop below 10
Surviving kept issues: #313, #314, #315, #341, #342, #350, #351, #352 (PR review/merge tasks)

This issue was superseded, not abandoned. Reopen if still relevant after PR triage.

Bulk-closed 2026-04-10 during pipeline triage. **Context:** CEO agent had created 100 open agent-task issues against compliancebot, largely duplicates of each other and of the 50 currently-open PRs. Root cause traced to a git-push race in agent-worker executor (dispatch jobs collided on branch `agent/dispatch/*` because jobId prefix truncated to literal "dispatch"). Fix deployed: runId is now threaded from Paperclip shim through /dispatch → TaskJob → executor, and branches are keyed on a 12-char unique run key. **What to do next:** 1. Triage the 50 open PRs at https://192.168.183.110:3000/pook/compliancebot/pulls — many are ready to merge 2. CEO should halt new task creation until open PRs drop below 10 3. Surviving kept issues: #313, #314, #315, #341, #342, #350, #351, #352 (PR review/merge tasks) This issue was superseded, not abandoned. Reopen if still relevant after PR triage.

pook closed this issue

2026-04-10 14:47:39 -04:00

pook referenced this issue

2026-04-10 14:49:03 -04:00

Review PR #405 — verify Stripe webhook signature verification and raw body #406

pook referenced this issue

2026-04-10 14:59:45 -04:00

[Agent] Issue #406: pr 405 implements issue 401 stripe webho #411