chore(paddle-webhooks): trim SKILL.md + bump SDKs (review-mode test output) #58
Merged
… versions

- Trim SKILL.md Express/FastAPI snippets to verification-core only, matching the stripe-webhooks convention (drops route wiring, event dispatch, response handling)
- Fix SDK version claims in references/verification.md (@paddle/paddle-node-sdk v1.4.0+; paddle-python-sdk v1.14.0+)
- Remove dead Verifier branch in examples/fastapi/main.py (SDK targets Flask/Django request objects, FastAPI verifies manually)
- Bump fastapi/requirements.txt to current stable floors
- Remove orphan "# Or via NPM" comment from Local Development section

https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
…y-protection doc

- Bump @paddle/paddle-node-sdk to ^3.8.0 in express and nextjs examples
- Bump nextjs typescript to ^6.0.3, next to ^16.2.6
- Tighten paddle-python-sdk to >=1.14.1 to match documented Verifier/Secret API
- Remove replay-protection gotcha from verification.md so docs match handlers (strict 5s window would reject Paddle's legitimate retries)

Produced by re-running `./scripts/generate-skills.sh review paddle` after the per-provider SDK version-tracking feature (PR #59) was applied. The review iteration's prompt now sees @paddle/paddle-node-sdk@3.8.0 and paddle-python-sdk@1.14.1 in {{VERSIONS_TABLE}}, applies the existing severity rubric (2 majors behind → major), and proposes the bumps.

https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
Summary
End-to-end demonstration of two generator-prompt features applied to `paddle-webhooks` via `./scripts/generate-skills.sh review paddle`. The review iteration ran twice — once with each feature merged into main — and produced clean, focused fix commits both times.

- SKILL.md. Trimmed to verification core (~30 lines each) + canonical pointer block; `SKILL.md` shrank from 178 → 139 lines.
- `sdks` field. `@paddle/paddle-node-sdk ^1.4.0` was 2 majors behind `^3.8.0` (Express + Next.js). `paddle-python-sdk>=1.0.0` was too loose to guarantee the `Verifier`/`Secret` API the docs reference. Plus a `verification.md` "gotcha" describing replay protection the handlers don't implement.

What changed

Commit 1 (909e72a) — SKILL.md trim:

- `SKILL.md` — "Essential Code (USE THIS)" → "Verification (core)". Removed the full Express + FastAPI route wiring, raw-body middleware, event-type switches, response sending. Kept the byte-identical HMAC verification helpers in Node + Python. Added context about `@paddle/paddle-node-sdk`'s `unmarshal()` SDK helper. Inserted the canonical pointer block.
- `references/verification.md` — minor wording adjustment.
- `examples/fastapi/main.py` — removed dead code path that pretended to use `paddle_billing.Notifications.Verifier` but always fell back to manual verification.

Commit 2 (cacdf4a) — SDK + tooling bumps:

- `examples/express/package.json`: `@paddle/paddle-node-sdk ^1.4.0 → ^3.8.0`
- `examples/nextjs/package.json`: same SDK bump, plus `next ^16.1.6 → ^16.2.6` and `typescript ^5.9.3 → ^6.0.3`
- `examples/fastapi/requirements.txt`: `paddle-python-sdk>=1.0.0 → >=1.14.1`
- `references/verification.md`: removed a replay-protection "gotcha" — the strict 5-second tolerance described would reject Paddle's legitimate retries, and none of the handlers actually enforced it.

Combined: `+47 / −181` lines net across the trim + bump.

Dependencies
This PR's content is a downstream side-effect of two upstream prompt-engineering PRs:

- `review-skill.md` — produced commit 1.
- `sdks` field #59 (open) adds the per-provider SDK version-tracking — produced commit 2.

Best merged after PR #59 so the SDK-bump commit's pedigree (machine-generated by the reviewer) ties cleanly to the merged spec change.
Test plan
- `cd skills/paddle-webhooks/examples/express && npm install && npm test`
- `cd skills/paddle-webhooks/examples/nextjs && npm install && npm test`
- `cd skills/paddle-webhooks/examples/fastapi && python3 -m venv venv && source venv/bin/activate && pip install -r requirements.txt && pytest test_webhook.py -v`
- `paddle.webhooks.unmarshal()` signature is documented as stable across v2/v3 but worth a manual spot-check.)
- `SKILL.md` still answers "how do I verify a Paddle webhook?" cold without loading the examples
- `SKILL.md` still match `examples/<framework>/`

Reviewer suggestions (informational, not addressed)

From the original review output:

- verification.md. Adding actual replay protection (with a documented-wide-enough window) is a separate concern.
- `verification.md` previously recommended a 5-second tolerance which matched Paddle's documented value but is tight in production due to clock skew. The recommendation is gone for now; if it's added back, note the production caveat.

https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
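
The trade-off behind the removed replay-protection "gotcha", as an added example (not code from this PR, its examples, or Paddle's SDKs): an HMAC-SHA256 webhook check with an optional timestamp tolerance, run against one delivery that arrives promptly and one that arrives 30 seconds late. It assumes a `ts=<unix>;h1=<hex>` signature header with `ts:body` as the signed payload; `parse_header`, `verify`, `demo`, the secret, the event body and the 300-second window are all constructed for illustration.

```python
import hashlib
import hmac
def parse_header(header):
    """Split 'ts=<unix>;h1=<hex>' into (ts_string, [h1, ...])."""
    ts, sigs = None, []
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if key == "ts" and sep:
            ts = value
        elif key == "h1" and sep:
            sigs.append(value)
    if ts is None or not (ts.isascii() and ts.isdigit()) or not sigs:
        raise ValueError("missing or malformed ts/h1")
    return ts, sigs

def verify(raw_body, header, secret, now, tolerance_s=None):
    """Return (ok, reason); tolerance_s=None skips the freshness check."""
    try:
        ts, sigs = parse_header(header)
    except ValueError:
        return False, "bad_header"
    # Sign the exact bytes received; re-serialised JSON will not match.
    signed = ts.encode() + b":" + raw_body
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time compare against every h1 value in the header.
    if not any(hmac.compare_digest(expected.encode(), s.encode()) for s in sigs):
        return False, "bad_signature"
    # Freshness is checked only after the signature proves ts is authentic.
    if tolerance_s is not None and abs(now - int(ts)) > tolerance_s:
        return False, "stale_timestamp"
    return True, "ok"

# Constructed sample data (not a real secret, event or timestamp).
SECRET = "constructed-example-secret"
BODY = b'{"event_id":"evt_constructed","event_type":"transaction.completed"}'
TS = 1700000000
HEADER = "ts=%d;h1=%s" % (
    TS, hmac.new(SECRET.encode(), b"%d:%s" % (TS, BODY), hashlib.sha256).hexdigest())

def demo():
    return {
        "prompt_5s": verify(BODY, HEADER, SECRET, now=TS + 2, tolerance_s=5),
        "delayed_5s": verify(BODY, HEADER, SECRET, now=TS + 30, tolerance_s=5),
        "delayed_300s": verify(BODY, HEADER, SECRET, now=TS + 30, tolerance_s=300),
        "delayed_sig_only": verify(BODY, HEADER, SECRET, now=TS + 30),
        "tampered": verify(BODY + b" ", HEADER, SECRET, now=TS + 2, tolerance_s=300),
    }

print(demo())
```

With `tolerance_s=None` a validly signed delivery verifies at any later time, which is the signature-only behaviour the PR describes for the current handlers.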