Changelog

New public documentation page for new merchants: an end-to-end guide for testing the MonCash integration in sandbox mode, then going live with no code change.

• New

  New Sandbox Quickstart (`/docs/sandbox`) — step-by-step guide that walks a new merchant from account creation to first live payment in under 30 minutes. Covers project creation, the four keys (live + test, one-time secrets), the three API endpoints, the sandbox simulator (3 buttons: success / fail / cancel), the Test toggle on `/transactions`, and the live switch (swap two env-var values, no code change). Includes common errors table and FAQ.

• Improved

  Quickstart section of `/docs` enriched with a top callout pointing new merchants to `/docs/sandbox`. Sandbox promoted to first position in the "Specialized guides" sidebar.

Live chat support shipped (visitors and merchants ↔ Claude AI + human operator), new operator console at /admin/chat, role management, and a fix for a critical regression in webhook secret encryption.

• New

  Tidio-style live chat on moncashconnect.com — floating bubble on every page, AI assistant (Claude Haiku 4.5 grounded in the docs via Voyage AI RAG), explicit handoff to a human via the "Talk to a human" button, automatic tripwires on sensitive topics (fraud / disputes / Digicel issues), session-only history for anonymous visitors.

• New

  Operator console `/admin/chat` — three-pane inbox (list / thread / meta), Claim (mutes the AI) / Release / Mark resolved actions, AI signals shown inline (route, confidence, RAG retrieval similarity) on every assistant message.

• New

  Role management at `/admin/roles` — find a user by email, grant or revoke `admin` and `support` roles. Last-admin lockout protection: cannot revoke the only remaining admin.

• Fixed

  Critical fix: `webhook_secret_encrypted` was stored as JSON-of-Buffer (`{"type":"Buffer","data":[...]}`) instead of base64 of the AES-256-GCM blob, due to a no-op TypeScript cast (`as unknown as string`) on a Node Buffer. Net effect: the webhook tester and the real delivery path (`bazik-webhook`) both returned "Authentication failed" and failed silently. Migration applied: column converted to `text`, existing secrets invalidated. Action required: rotate each project's webhook secret (Projects → Rotate keys) and update `MCC_WEBHOOK_SECRET` on the receiver side.

• Security

  Branded `EncryptedBlob` type (string & brand) on `crypto.server.ts` — the compiler now rejects assigning a `Buffer` to an encrypted-column field. The previous regression is impossible to reintroduce without an explicit double-cast that stands out in code review.

• Improved

  Auto-redirect on session expiry: `SessionExpiryWatcher` detects silent `SIGNED_OUT` events (JWT refresh failed) and redirects to `/auth` with a "Session expired" toast. No more hours of opaque error loops in a stale tab.

• Improved

  Verbose error reporting on the webhook tester — instead of a vague "Error" toast, the name, message, HTTP status, and raw JSON are surfaced so auth failures, decrypt failures, receiver 401s, and network errors can be told apart at a glance.

Major documentation update: new partner Connect guide, AI-integration guide (Lovable/Claude), wire-contract v5, and cleanup of the existing API documentation.

• New

  New AI-integration guide (`/docs/ai-integration`) for Lovable, Claude, and other no-code tool users. Includes copy-paste prompts, dashboard navigation, and security rules so you NEVER expose your keys to the AI.

• New

  New partner Connect guide (`/docs/partners`) — public reference distilling the wire-contract for developers pushing payouts via OAuth.

• Improved

  Wire-contract v5 (`docs/wire-contract-v5.md`) — documents the Bazik operational reality (no outbound status GET), the `admin_manual` confirmation source, the `failure_reason` vocabulary, and the idempotency asymmetry between `/pay-create` (409) and `external-payout-create` (200 + replay).

• Fixed

  Removed the “Sandbox mode” section from `/docs` (the `sk_test_…` keys and `test_success_…` prefixes never existed in the API).

• Security

  Explicit warning in the Next.js SDK guide: read the raw body (`await req.text()`) before any JSON deserialization to preserve HMAC integrity on Edge runtime / middleware.

• Improved

  Structured error codes (machine-stable `code` field) added to the documentation alongside HTTP codes: `invalid_request`, `insufficient_scope`, `partner_daily_cap_exceeded`, and more.

Complete redesign of the user-to-user HTG transfer experience between MonCashConnect users — activity feed, smart search, printable receipt view, emoji reactions, and weekly summaries.

• New

  User-to-user HTG transfer (KYC-tiered, atomic). Per-transfer / daily / per-pair limits based on verification level. SECURITY DEFINER RPC with self-transfer guards and client-side idempotency.

• New

  Activity feed (`/transfer`) — “Sent / Received” filters, time-window chips (7d / 30d / 60d / 365d), pagination, search by counterparty. CSV export (Tier 3).

• New

  Printable receipt view (`/transfer/$txId`) — MonCashConnect header, centered amount, From → To section with avatars, breakdown, timeline, compact references, Print / Share (Web Share API) / Resend buttons.

• Improved

  Per-counterparty view (`/transfer/with/$counterpartyId`) — sent / received / net summary + transfer count + chronological list.

• Improved

  Real-time updates: `notifications` and `transactions` added to the `supabase_realtime` publication (which was empty). New transfers appear instantly in the recipient's feed.

• New

  Emoji reactions (Tier 3) — each party can stamp their side of the transfer (🎉 🙏 🤝 ❤️ 👍 🔥 😂 💯). Visible to both sides.

• New

  Weekly recap notification sent every Monday at 09:00 UTC via pg_cron for users with transfer activity. Idempotent per ISO week.

Phase B of the EPR (External Payout Request) pipeline — automatic reconciliation of stuck payouts, safety patch against false Bazik failures, and manual confirmation handling for MonCash deliveries that arrive without a webhook.

• New

  Phase B auto-submit: pg_cron reconciler that detects EPRs stuck at `agent_approved` and submits them to Bazik automatically. Covers the case where the application crontab hasn't taken over.

• Security

  Poll safety patch: Bazik returns 404 on the status GET for outbound `online` payouts. The poller no longer triggers false “late failure” — instead it flags `external_payout_stuck_confirmation` after a grace window and waits for the Bazik webhook or a manual confirmation.

• Fixed

  `admin_manual` confirmation source — MCC operators can manually confirm a payout's delivery after independent verification (Bazik dashboard, recipient confirmation) without triggering a refund.

• Fixed

  Historical reconciliation (admin/finance): audit of ledger entries with per-user drift attribution. Reset pipeline + compensating-entry compliant with the “never edit an existing entry” principle.

• Security

  Phase 1A/1B security: enforcement of authentication proofs on sensitive RPCs, `security_events` trail, closure of rollback-surviving gaps via http + edge function audit.

• Improved

  Auto-sweep every 2 minutes of stuck `pending` transactions to limit degraded UX returns.

First public launch of MonCashConnect — the independent API platform to integrate MonCash payments in Haiti.

• New

  REST API v1 with endpoints `POST /pay-create`, `GET /pay-status`, and `GET /pay-balance`.

• Security

  Authentication via project secret key (`sk_proj_…`) with server-side bcrypt validation.

• New

  HMAC-SHA256-signed webhooks (`X-MCC-Signature` + `X-MCC-Timestamp`) with 5-minute anti-replay protection. Events: `payment.completed` and `payment.failed`.

• SDK

  Python SDK `moncashconnect` (PyPI) — zero dependencies, Python 3.9+. Includes `MonCashClient`, `construct_event`, `verify_signature`.

• SDK

  Node.js SDK `@moncashconnect/sdk` (npm) — native TypeScript, dual CJS/ESM, Node 18+.

• SDK

  PHP SDK `moncashconnect/php-sdk` (Packagist) — PSR-4, PHP 8.1+, zero dependencies.

• New

  WordPress / WooCommerce plugin — native MonCash gateway integration with secure webhook verification.

• New

  Merchant dashboard — revenue stats, project + API key management, transaction history.

• New

  Complete documentation with cURL, Python, Node.js, and PHP examples for every endpoint.