P1-040: Verified rate limiting already integrated in checkout flow P1-041: Integrated FraudService into checkout and webhook handlers P1-042: Added coupon code sanitisation in CouponService Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Idempotency (replay attack protection): - Add WebhookEvent model for tracking processed events - Add webhook_events migration with unique constraint - Add isAlreadyProcessed() to BTCPay and Stripe controllers - Reject duplicate events with 200 response Payment amount verification (BTCPay): - Add verifyPaymentAmount() method - Reject underpayments (mark order failed, create audit record) - Reject currency mismatches - Log overpayments for manual review - Add 0.01 tolerance for floating point precision Add comprehensive tests for both features. Update TODO.md to mark P1 issues as fixed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
