fix(ack-pay): validate receipt payment option

[EfeDurmaz16]

Summary

• validate that a PaymentReceipt paymentOptionId exists in the verified Payment Request token
• add a dedicated InvalidPaymentReceiptError for receipt-level semantic failures
• cover mismatched receipt payment options with a regression test
• add a patch changeset for @agentcommercekit/ack-pay

Why

A receipt currently proves a paymentRequestToken and selected paymentOptionId, but verification did not bind that selected option back to the verified request. This keeps receipt proof semantics aligned with the payment options actually offered by the request.

Verification

• corepack pnpm install --frozen-lockfile
• corepack pnpm --filter @agentcommercekit/ack-pay... build
• corepack pnpm --filter @agentcommercekit/ack-pay test -- --run
• corepack pnpm --filter @agentcommercekit/ack-pay check:types
• corepack pnpm check:format
• git diff --check

Notes

Initial targeted tests/typecheck failed before building workspace dependencies because local package exports resolve to dist. Building the ack-pay dependency graph fixed that, and the rerun passed. pnpm install reported an ignored better-sqlite3 build script, but this ACK-Pay path does not use it.

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Enhanced payment receipt verification to validate that selected payment options exist in the original payment request.

• Tests

  • Expanded test coverage for payment option validation during receipt verification.

[coderabbitai]

Walkthrough

This PR adds payment option ID validation to the receipt verification flow. A new InvalidPaymentReceiptError type is introduced, validation logic checks that the receipt's paymentOptionId exists in the verified payment request's options, test coverage confirms the validation behavior, and a changeset documents the patch release.

Changes

Payment Option Validation

Layer / File(s)	Summary
InvalidPaymentReceiptError type definition packages/ack-pay/src/errors.ts	New exported error class with default message "Invalid payment receipt" and explicit name property.
Payment option ID validation implementation packages/ack-pay/src/verify-payment-receipt.ts	Import of InvalidPaymentReceiptError and runtime check that credentialSubject.paymentOptionId exists in paymentRequest.paymentOptions; throws InvalidPaymentReceiptError when no match is found.
Test coverage for payment option ID mismatch packages/ack-pay/src/verify-payment-receipt.test.ts	Test setup refactored to use scoped issuer keypair variables; import of InvalidPaymentReceiptError; new test case constructing a receipt with unmatched paymentOptionId and asserting rejection with InvalidPaymentReceiptError.
Release documentation .changeset/validate-receipt-payment-option.md	Changeset entry specifying patch release for @agentcommercekit/ack-pay documenting the validation requirement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(ack-pay): validate receipt payment option' directly and specifically describes the main change: adding validation that a PaymentReceipt's paymentOptionId matches an option from the verified Payment Request token.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.changeset/validate-receipt-payment-option.md (1)

5-5: ⚡ Quick win

Consider mentioning the new error type.

The changeset describes the validation behavior but doesn't mention that a new InvalidPaymentReceiptError is exported. Users reading the changelog may want to know about new error types they can catch.

📝 Suggested enhancement

-Validate that a PaymentReceipt paymentOptionId matches an option from the verified Payment Request token.
+Validate that a PaymentReceipt paymentOptionId matches an option from the verified Payment Request token. Introduces `InvalidPaymentReceiptError` for receipt validation failures.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.changeset/validate-receipt-payment-option.md at line 5, Update the
changeset text to explicitly mention the newly exported error type so consumers
know to catch it: add a line stating that the validation will throw/export
InvalidPaymentReceiptError when a PaymentReceipt paymentOptionId does not match
the verified Payment Request token; reference the exported symbol
InvalidPaymentReceiptError and briefly note that it can be imported and used for
error handling in client code.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.changeset/validate-receipt-payment-option.md:
- Line 5: Update the changeset text to explicitly mention the newly exported
error type so consumers know to catch it: add a line stating that the validation
will throw/export InvalidPaymentReceiptError when a PaymentReceipt
paymentOptionId does not match the verified Payment Request token; reference the
exported symbol InvalidPaymentReceiptError and briefly note that it can be
imported and used for error handling in client code.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 099e3e98-0b72-400c-bc66-1a1df2aa2922

📥 Commits

Reviewing files that changed from the base of the PR and between 6f65936 and c28c1e3.

📒 Files selected for processing (4)

• .changeset/validate-receipt-payment-option.md
• packages/ack-pay/src/errors.ts
• packages/ack-pay/src/verify-payment-receipt.test.ts
• packages/ack-pay/src/verify-payment-receipt.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c28c1e307d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Derive receipt option from the signed proof

For parsed-credential inputs, this new binding check reads credentialSubject.paymentOptionId from the caller-supplied object, but verifyParsedCredential() only validates proof.jwt and then runs claim checks against the current object. If a service accepts a parsed VC, an attacker can supply a valid receipt proof whose signed payload names one option, mutate this field to an offered option before verification, and this check passes even though the signed receipt did not bind that option. Reparse or derive the receipt fields from proof.jwt (or otherwise reject mutated parsed credentials) before enforcing the payment-option match.

Useful? React with 👍 / 👎.