v0.7.0 — Signed Wallet Transactions
released this 2026-03-25 01:14:08 +00:00 | 45 commits to development since this release
What is new
- Signed spend intents — client signs {action}\n{amount}\n{product_id}\n{timestamp} with ed25519 key
- POST /api/wallet/transact — verify signature, check balance, deduct credits, return receipt
- Checkout integration — Place Order → sign spend intent → deduct wallet → create order → show confirmation
- Balance update — wallet balance display updates after purchase
- Insufficient funds handling — returns shortfall amount if balance too low
Flow
User clicks Place Order
→ Vault signs spend intent (ed25519)
→ POST /api/wallet/transact { action, amount, product_id, public_key, timestamp, signature }
→ Backend verifies signature against registered pubkey
→ Backend checks balance >= amount
→ Backend deducts credits via WalletManager.debit()
→ Returns { receipt_id, new_balance }
→ Frontend creates order via POST /api/orders
→ User sees confirmation + updated balance
Test results
- 26/26 API smoke tests PASS
- Both repos compile clean
- Deployed to dev
- Wallet balance tracking works (demo starts at 1250 MC)
Signed-off-by: mik-tf
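The signing and verification steps of the v0.7.0 flow above, written out in Node.js as an added example; it is not code from this project. Integer credit amounts, Unix-second timestamps, base64 signatures, the 300-second freshness window, the replay cache and all function names are assumptions that the release notes do not state.

```javascript
// Added example, not the project's code. Assumed: integer credit amounts,
// Unix-second timestamps, base64 signatures, a 300 s window and a replay cache.
const nodeCrypto = require('node:crypto');
const MAX_SKEW_SECS = 300;

// Signed message from the release notes: {action}\n{amount}\n{product_id}\n{timestamp}
function canonicalIntent({ action, amount, product_id, timestamp }) {
  if (!Number.isSafeInteger(amount) || amount <= 0) throw new Error('bad amount');
  if (!Number.isSafeInteger(timestamp)) throw new Error('bad timestamp');
  for (const field of [action, product_id]) {
    // A newline inside a field would let two different intents share one message.
    if (typeof field !== 'string' || field.includes('\n')) throw new Error('bad field');
  }
  return Buffer.from(`${action}\n${amount}\n${product_id}\n${timestamp}`, 'utf8');
}

// Client side: the vault signs the intent with its ed25519 private key.
function signIntent(intent, privateKey) {
  return nodeCrypto.sign(null, canonicalIntent(intent), privateKey).toString('base64');
}

// Server side: verify against the registered key, then freshness, replay, balance.
function transact(req, wallet, now, seen) {
  let msg;
  try { msg = canonicalIntent(req); } catch (e) { return { ok: false, error: e.message }; }
  const sig = Buffer.from(String(req.signature), 'base64');
  if (!nodeCrypto.verify(null, msg, wallet.publicKey, sig)) return { ok: false, error: 'bad signature' };
  if (Math.abs(now - req.timestamp) > MAX_SKEW_SECS) return { ok: false, error: 'stale timestamp' };
  if (seen.has(msg.toString())) return { ok: false, error: 'replayed intent' };
  if (wallet.balance < req.amount) {
    return { ok: false, error: 'insufficient funds', shortfall: req.amount - wallet.balance };
  }
  seen.add(msg.toString());
  wallet.balance -= req.amount;
  return { ok: true, receipt_id: nodeCrypto.randomUUID(), new_balance: wallet.balance };
}

// Constructed sample: fresh keypair, 1250-credit wallet, one purchase, then abuse cases.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const wallet = { publicKey, balance: 1250 }, seen = new Set(), now = 1774400000;
  const intent = { action: 'purchase', amount: 1000, product_id: 'node-42', timestamp: now };
  const req = { ...intent, signature: signIntent(intent, privateKey) };
  return [
    transact(req, wallet, now, seen),                   // accepted, balance 250
    transact(req, wallet, now + 1, seen),               // same intent submitted again
    transact({ ...req, amount: 1 }, wallet, now, seen), // amount changed after signing
    transact(req, wallet, now + 3600, seen),            // resubmitted an hour later
  ];
}
```

The signature covers only the four listed fields, so the server has to take the verification key from its own registration record rather than trusting the public_key value sent in the request body.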
v0.6.0 — Payment Integration (Stripe, Clickpesa, Bank Transfer)
released this 2026-03-25 00:55:17 +00:00 | 46 commits to development since this release
What is new
- PaymentProvider trait — abstract interface with 4 implementations (Demo, Stripe, Clickpesa, Bank)
- Stripe provider — Checkout Sessions API, HMAC-SHA256 webhook signature verification
- ClickPesa provider — JWT auth, checkout link generation, webhook HMAC verification
- Bank Transfer provider — displays bank details, min $1000, manual admin confirmation
- Demo provider — instant confirmation with fake URLs (DEMO_PAYMENT=true, default)
- Webhook endpoints — POST /api/webhooks/stripe, POST /api/webhooks/clickpesa
- Payment API — POST /api/payments/initiate (returns checkout URL), GET /api/payments/status
- Buy Credits UI — wallet page modal with amount + gateway selection → redirects to payment URL
- Provider registry — auto-selects provider from PAYMENT_PROVIDER env var
Environment variables
PAYMENT_PROVIDER=demo|stripe|clickpesa|bank
DEMO_PAYMENT=true|false
STRIPE_SECRET_KEY=sk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
CLICKPESA_CLIENT_ID=...
CLICKPESA_API_SECRET=...
CLICKPESA_WEBHOOK_SECRET=...
Test results
- 26/26 API smoke tests PASS
- Payment initiation returns checkout URL (demo mode)
- Webhook endpoint accepts and processes events
- Buy Credits modal wired to payment API
Signed-off-by: mik-tf
v0.5.0 — Ed25519 Keypair Identity + Signature Auth
released this 2026-03-24 22:38:12 +00:00 | 47 commits to development since this release
What is new
- Ed25519 keypair vault — generate, encrypt (AES-256-GCM + PBKDF2 100k iterations), store in localStorage
- Signature-based auth — every API request signed with X-Public-Key / X-Timestamp / X-Signature headers
- Session persistence — sessionStorage auto-unlock on page refresh, 30 min idle timeout
- User-friendly UX — Sign In, Passphrase, Create Account, Sign Out, Your ID (no technical jargon)
- Stateless HMAC challenges — server signs challenge with HMAC, no in-memory store, horizontally scalable
- Full body hash verification — middleware buffers body, computes SHA-256, verifies signature integrity
- Base-path proxy support — strips APP_BASE_PATH for correct signature verification behind nginx
- Fixture user persistence — in-memory store for dev/test mode
Test results (live dev)
- 26/26 API smoke tests (SSR domain)
- 24/24 API smoke tests (SPA domain)
- 19/19 SPA endpoint checks
- Full browser E2E: register → dashboard → refresh (session persists) → sign out → login
Design
Complete FOSS-sovereign design document at docs/DESIGN.md (17 sections, 1000+ lines)
Signed-off-by: mik-tf