Skip to content

PAY-002B2C4B: persist attempt-2 pre-send evidence#240

Merged
daliu merged 1 commit into
mainfrom
codex/issue-238-attempt2-presend
Jul 14, 2026
Merged

PAY-002B2C4B: persist attempt-2 pre-send evidence#240
daliu merged 1 commit into
mainfrom
codex/issue-238-attempt2-presend

Conversation

@daliu

@daliu daliu commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Outcome

Adds one unused server-only attempt-2 Checkout Session pre-send boundary. It atomically records an immutable marker and audit only after the complete B1-through-C4A chain and current lease pass validation. It never calls Stripe or changes business state.

Closes #238

Safety boundary

  • Keeps the existing version-1 provider-plan commitment byte contract unchanged.
  • Adds a separate version-2 complete authorized-plan commitment including nanosecond binding time and both authorization-provenance copies; fixed golden bytes protect the domain, schema, and field order.
  • Creates exactly the attempt-2 marker and deterministic audit, or neither.
  • Reuses one trusted transaction time and one deadline exactly 23 hours later; retries never extend it.
  • Requires a fresh post-transaction clock check strictly before the captured lease expiry and stored deadline.
  • Converts thrown, malformed, or hostile post-transaction clock evidence to the fixed reconciliation-required result; strict pre-transaction clock failure remains unavailable.
  • Returns only fixed non-identifying permitted or reconciliation-required results.
  • Remains limited to checkout_session_create at POST /v1/checkout/sessions.
  • Adds no runtime/index import, provider/network/logger edge, attempt 3, business write, credential, or production-data path.

Exact final evidence

Final candidate: dd9596ad5dd4a2e847565e26057d2c61993e20a2, rebased on #239 main 4dc69d4e96c00afe3f9f20855b05b35d880c7416.

  • Hosted exact-head CI run 29312475633: all five required jobs passed, including the real commerce emulator.
  • Node 20 Functions lint: passed.
  • Node 20 Functions: 25 suites passed, 2 emulator suites skipped by default; 1,539 tests passed and 64 skipped.
  • Focused journal unit suite: 266/266 passed.
  • Java 17 demo-only commerce Firestore emulator: 63/63 passed, including 11 new C4B cases.
  • Java 17 full Firestore Rules: 378/378 passed.
  • Frontend Jest: 240/240 passed; final exact-head hosted frontend/build job passed.
  • SPA navigation: 11/11 passed.
  • Workflow/release/artifact safety: 42/42 passed.
  • Non-mutating lint ledger after CI-001B4B — Retire one stale AdminMembers lint directive #239: 106 files, 123 reviewed legacy errors, 7 reviewed legacy warnings.
  • Diagnostic production build: passed locally and at final exact head in hosted CI.
  • git diff --check, secret-pattern check, Markdown link/fence checks, and exact 11-path scope check: passed.
  • Independent final exact-hash security, concurrency/test, and documentation/dependency reviews: all approved with no findings.
  • Netlify exact-head PR preview: passed. This is preview evidence only, not production publication.

Review corrections

Independent review found and this PR fixed two material proof gaps before merge: unknown post-transaction time now reconciles instead of surfacing a retryable infrastructure error, and the version-2 commitment oracle now includes a hard-coded golden digest. A Mermaid node collision was also corrected. The controlled #239 refresh preserves both CI-001B4A/B entries and the 106/123/7 ledger while retaining the commerce-suite list through #238.

Compatibility and residual work

The new API is deliberately unused. C4B does not make a checkout runtime ready. PAY-002C still waits for PAY-001B2 and RACE-001B; PAY-002D also needs PAY-001C, MERCH-001B, and separate Product/Price safety boundaries. Attempt-2 result/reconciliation and protected deployment remain separate issues. Journal retention or deletion remains blocked on #110.

Officer impact: None. This is unused server-only source and synthetic tests; no current page, checkout, payment, refund, or officer task changes.

Officer documentation: None — no officer procedure becomes available or changes.

Deployment evidence: Website not published and runmprc.com not verified; Firebase not deployed; Stripe/provider not called or configured; production data untouched; live behavior not verified. Source, tests, merge, website publication, Firebase deployment, provider state, data changes, and live proof remain separate states.

@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for luminous-fox-7c393f ready!

Name Link
🔨 Latest commit dd9596a
🔍 Latest deploy log https://app.netlify.com/projects/luminous-fox-7c393f/deploys/6a55dbb3ec45580009f5eb1d
😎 Deploy Preview https://deploy-preview-240--luminous-fox-7c393f.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@daliu daliu force-pushed the codex/issue-238-attempt2-presend branch from e6e0333 to dd9596a Compare July 14, 2026 06:48
@daliu daliu marked this pull request as ready for review July 14, 2026 06:51
@daliu daliu merged commit 5dd3ba6 into main Jul 14, 2026
9 checks passed
@daliu daliu deleted the codex/issue-238-attempt2-presend branch July 14, 2026 06:51
@daliu

daliu commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

COMPLETE / CLAIM RELEASED — 2026-07-14T06:54:06Z

PR #240 admin-squash merged reviewed source head dd9596a as exact main 5dd3ba6.

Evidence:

  • Final PR CI 29312475633 passed all five jobs, including the real commerce emulator.
  • Post-merge CI 29312630936 passed all five jobs.
  • Focused journal unit suite: 266/266.
  • Demo-only Firestore journal emulator: 63/63.
  • Full Firestore Rules: 378/378.
  • Functions full unit suite: 1,539 passed with 64 emulator-only skips.
  • Frontend 240/240, SPA 11/11, workflow/release/artifact 42/42, lint ledger 106 files / 123 errors / 7 warnings, and diagnostic build passed.
  • Three independent exact-final-hash reviews approved security, concurrency/tests, and documentation/dependencies with no findings.
  • Review findings fixed before merge: unknown/hostile post-transaction time now returns fixed reconciliation-required; v2 commitment bytes are pinned by a hard-coded golden digest; Mermaid gates use distinct node identities.

Deployment evidence:

  • GitHub reports zero deployment records for merge 5dd3ba6.
  • Only the CI workflow ran for the merge; no protected release workflow ran.
  • The Netlify PR preview was preview-only.
  • Website not published and runmprc.com not verified by this work.
  • Firebase not deployed.
  • Stripe/provider not called or configured.
  • Production data untouched; live behavior not verified.

This is deliberately unused source with no runtime/index edge, so there is no safe or authorized runtime deployment target in this child. Attempt-2 provider result/reconciliation and later checkout runtime adoption remain separate work.

Officer impact: None. No current page, payment, refund, or officer task changed.

Officer documentation: None — no officer procedure became available or changed.

Released exact claim: the 11 paths and named C4B hunks listed in the issue body. Preserve #239 106/123/7 wording and #238 C4B behavior in future work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

PAY-002B2C4B — Persist attempt-2 Checkout Session pre-send evidence

1 participant