--- taskmaster_id: "4.6" status: "done" priority: "high" depends_on: ["3"] parent_id: "4" source: "taskmaster" generated_at: "2026-05-24T07:26:29.052Z" --- # 4.6 - Specify webhook security and provider adapter contracts - [x] 4.6 - Specify webhook security and provider adapter contracts #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-6 ⛔ tm-3 ## Metadata | Field | Value | | --- | --- | | Taskmaster ID | 4.6 | | Status | done | | Priority | high | | Dependencies | 3 | | Parent | 4 - Define backend security and refactor strategy from latest audit | ## Description Define provider-neutral payment interface and signed webhook processing rules. ## Details Completed. Produced `09 - Audits/Webhook Security Spec.md` and `09 - Audits/Payment Provider Adapter Spec.md`. Document createPayInIntent, getPayInStatus, handleProviderWebhook, createHostedPaymentLink, createReleaseInstruction, createRefundInstruction, getPayoutStatus, searchProviderPayments, raw-body signature verification, replay prevention, delivery ID idempotency, duplicate/unknown event behavior, retry semantics, dead-letter/replay storage, and alert thresholds. ## Verification Contracts cover SHKeeper legacy, Request Network, manual/admin wallet, invalid signatures, duplicate deliveries, and missed webhook reconciliation.