Architecture review finding F-20.
Both Registry::Service::Stripe and Registry::Client::Stripe exist, and webhook-signature verification is implemented twice (each with its own _secure_compare). Maintaining two copies of security-critical crypto invites drift. Pick one Stripe layer and a single signature-verification implementation.
Evidence: lib/Registry/Client/Stripe.pm vs lib/Registry/Service/Stripe.pm:201-230 vs lib/Registry/Controller/Webhooks.pm:120-159.
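
One shape the single verification implementation could take, as an added sketch that is not the project's own code. The module name `Registry::Stripe::WebhookSignature`, the function names, the argument names and the 300-second tolerance are assumptions; the header format (`t=...,v1=...`) and the signed string (`timestamp.payload`, HMAC-SHA256) follow Stripe's documented webhook scheme.

```perl
package Registry::Stripe::WebhookSignature;   # hypothetical module name
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Compare two strings without returning early at the first differing byte.
sub secure_compare {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Verify a Stripe-Signature header against the raw request body.
# Named args: payload, header, secret, tolerance (seconds), now (for testing).
# Returns 1 when any v1 signature matches and the timestamp is fresh, else 0.
sub verify {
    my (%arg) = @_;
    my ($payload, $header, $secret) = @arg{qw(payload header secret)};
    return 0 unless defined $payload && defined $header && length($secret // '');
    my $tolerance = $arg{tolerance} // 300;   # assumed default
    my $now       = $arg{now} // time;

    my ($ts, @v1);
    for my $part (split /,/, $header) {
        my ($k, $v) = split /=/, $part, 2;
        next unless defined $v;
        $ts = $v if $k eq 't';
        push @v1, $v if $k eq 'v1';           # several v1 values appear during secret rotation
    }
    return 0 unless defined $ts && $ts =~ /\A[0-9]+\z/ && @v1;
    return 0 if abs($now - $ts) > $tolerance; # reject stale or replayed events

    my $expected = hmac_sha256_hex("$ts.$payload", $secret);
    my $ok = 0;
    $ok |= secure_compare($expected, lc $_) for @v1;
    return $ok;
}

# Constructed sample (not real Stripe data): good body, tampered body, stale timestamp.
unless (caller) {
    my ($secret, $body, $t) = ('whsec_constructed_example', '{"id":"evt_example"}', 1700000000);
    my $hdr = "t=$t,v1=" . hmac_sha256_hex("$t.$body", $secret);
    for my $case ([$body, $t + 10], ["$body ", $t + 10], [$body, $t + 3600]) {
        my $ok = verify(payload => $case->[0], header => $hdr, secret => $secret, now => $case->[1]);
        print $ok ? "valid\n" : "invalid\n";
    }
}
1;
```

With one module like this, the controller and whichever Stripe layer is kept would both call `verify` rather than carrying their own `_secure_compare`.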