Follow-up from PR #177 (phase 1) review.
Problem: settlePaymentSession settles once at response close, best-effort. On a transient auth-server failure (5xx/timeout) the request has already been served (200 buffered, or body already streamed for SSE) and there is no retry — settled=true is set and the charge is lost. It's logged (settle_failed_at_close protocol=… amount=…) but not recoverable. Under auth-server flakiness this is direct unbilled traffic.
Phase 1 status: intentionally out of scope — Phase 1 is fixed-amount settle-at-close; the no-debt/reservation hardening is a later phase. PR #177 added the greppable log marker + a test locking the served-200-on-failure behavior, but no recovery.
Proposed: a durable outbox / retry for failed close-time settlements — persist {credential, protocol, context, spent} on settle failure and retry out-of-band (idempotent on the auth side via alreadySettled). Consider an alert/metric on settle_failed_at_close.
Relates to the broader reservation/no-debt work in the streaming-payment-sessions plan.
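A sketch of the proposed outbox, added here as an illustration; it is not code from PR #177 or from the project. The JSONL file store, the names `enqueueFailedSettlement` and `drainOutbox`, and the shape of the injected `settle` client are assumptions; only the persisted fields and `alreadySettled` come from the issue.

```javascript
const fs = require('fs');
const crypto = require('crypto');

// Append records and fsync; mode 0600 because each record holds a credential.
function appendRecords(path, records) {
  const fd = fs.openSync(path, 'a', 0o600);
  try {
    fs.writeSync(fd, records.map((r) => JSON.stringify(r) + '\n').join(''));
    fs.fsyncSync(fd);
  } finally {
    fs.closeSync(fd);
  }
}

// Called from the close handler when settlement fails, instead of only logging.
function enqueueFailedSettlement(outboxPath, { credential, protocol, context, spent }) {
  const record = { id: crypto.randomUUID(), credential, protocol, context, spent, attempts: 0 };
  appendRecords(outboxPath, [record]);
  return record.id;
}

// One out-of-band retry pass. `settle` is a hypothetical async client assumed to
// resolve to { ok: true } or { alreadySettled: true } and to throw on 5xx/timeout.
async function drainOutbox(outboxPath, settle, maxAttempts = 5) {
  const claimed = outboxPath + '.draining';
  // Claim the batch by rename so enqueues during the awaits below land in a fresh file.
  // A claim left by a crashed pass is replayed first; alreadySettled makes that safe.
  if (!fs.existsSync(claimed)) {
    if (!fs.existsSync(outboxPath)) return { settled: 0, pending: 0, dead: 0 };
    fs.renameSync(outboxPath, claimed);
  }
  const lines = fs.readFileSync(claimed, 'utf8').split('\n').filter(Boolean);
  const stats = { settled: 0, pending: 0, dead: 0 };
  const keep = [];
  for (const rec of lines.map((l) => JSON.parse(l))) {
    if (rec.attempts < maxAttempts) {
      let res = {};
      try { res = await settle(rec); } catch (err) { /* transient failure: keep it */ }
      if (res.ok || res.alreadySettled) { stats.settled++; continue; }
      rec.attempts++;
    }
    // Dead records stay on disk for alerting and manual reconciliation.
    if (rec.attempts >= maxAttempts) stats.dead++; else stats.pending++;
    keep.push(rec);
  }
  if (keep.length) appendRecords(outboxPath, keep);
  fs.unlinkSync(claimed);
  return stats;
}
```

The `dead` count is a natural source for the alert/metric the issue suggests alongside `settle_failed_at_close`.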