Skip to main content

Release Notes

API

v1.1.0 — Security Audit & Quality Hardening (February 2026)

Comprehensive security audit and code quality pass across the entire API surface. Added 244 new tests, bringing total coverage from 407 to 651 tests.

Security Hardening (7 Critical + 13 High Priority)

Critical fixes:

  • SSRF protection on webhook callback URLs and proxy target URLs — block internal/private network ranges
  • Webhook signature verification — constant-time HMAC comparison to prevent timing attacks
  • L402 amount binding — macaroon caveats now bind to the invoiced amount, preventing underpayment exploits
  • Subscription enforcement — active Stripe subscription required for all authenticated API operations
  • Error sanitization — internal exception details, stack traces, and infrastructure information no longer leak in API responses
  • API key hashing — merchant API keys stored as one-way hashes for improved credential security
  • Webhook replay protection — timestamp validation rejects stale webhook deliveries

High priority fixes:

  • Rate limiting on authentication, invoice creation, and webhook endpoints
  • Idempotency keys on all OpenNode charge creation calls to prevent duplicate invoices
  • Request size limits on all endpoints accepting request bodies
  • Input validation on all merchant-supplied URLs (scheme, length, format)
  • Correlation ID propagation via X-Correlation-Id header for end-to-end request tracing
  • Webhook delivery queue hardening with dead-letter handling and bounded retries
  • L402 macaroon expiry enforcement and nonce replay protection
  • Proxy target URL allowlist validation against merchant-registered domains
  • Merchant-scoped database query enforcement across all repository methods
  • Stripe webhook signature verification on all subscription lifecycle events
  • OpenNode API key validation on merchant registration
  • Secure cache headers on all API responses
  • Admin endpoint authentication audit and header validation

API Improvements (12 Medium Priority)

  • OpenAPI annotations on all endpoints with response type documentation
  • Cancellation token propagation through all async controller actions and service methods
  • DTO validation attributes on all request models (required fields, range constraints, URL format)
  • Structured logging with Serilog semantic properties across all services
  • Consistent error response format using ProblemDetails (RFC 9457)
  • Pagination support on list endpoints with cursor-based navigation
  • Health check endpoint expanded with dependency status (database, OpenNode, Stripe)
  • Webhook delivery status tracking with queryable history per merchant
  • Retry-After headers on rate-limited responses
  • Request/response logging middleware with PII redaction
  • ETag support on cacheable GET endpoints
  • Graceful shutdown handling for in-flight webhook deliveries and background jobs

Code Quality (5 Low Priority)

  • Dead code removal across controllers, services, and middleware
  • Consistent async/await patterns — eliminated fire-and-forget calls
  • Nullable reference type annotations on all public API surfaces
  • Standardized exception hierarchy with domain-specific exception types
  • Code style enforcement via .editorconfig and analyzer rules

Test Coverage

  • 244 new tests added (407 to 651 total)
  • Security-focused tests: SSRF blocking, signature verification, replay protection, rate limiting
  • Integration tests for full webhook delivery pipeline
  • L402 protocol tests covering challenge, payment, and verification flows
  • Subscription enforcement tests across all plan tiers
  • Edge case coverage for concurrent requests, timeout handling, and malformed input

MCP Server

v1.5.2 — Version Display Fix (February 2026)

  • Assembly version now matches package version for accurate startup display
  • Includes all v1.5.1 fixes below

v1.5.1 — Critical Bug Fix (February 2026)

Severity: Critical — affects all payment confirmations

Problem: The confirm_payment tool was consuming the payment nonce before pay_invoice could use it. This caused every confirmed payment to fail with:

Invalid, expired, or already-used confirmation nonce

Root Cause: Both confirm_payment and pay_invoice called ValidateAndConsumeConfirmation(), which removes the nonce from memory. Since confirm_payment runs first (to get user approval), it consumed the nonce, leaving nothing for pay_invoice to validate against.

Fix: confirm_payment now uses a read-only ValidateConfirmation() method that checks the nonce without consuming it. Only pay_invoice consumes the nonce.

Update immediately:

# .NET global tool
dotnet tool update -g LightningEnable.Mcp

Affected versions: v1.5.0

v1.5.0 — Multi-Wallet Support

  • Added Strike wallet backend with preimage support
  • Added LND REST wallet backend
  • Added Nostr Wallet Connect (NWC) wallet backend
  • Configurable wallet priority via WALLET_PRIORITY env var or config file
  • Config file support at ~/.lightning-enable/config.json
  • L402 license purchase via Lightning payment (6,000 sats, valid forever)
  • Budget controls with dual USD/sats limits

v1.4.0 — L402 Auto-Pay

  • access_l402_resource tool for automatic L402 payment
  • pay_l402_challenge tool for manual L402 payment
  • Budget enforcement with per-request and per-session limits
  • Payment history tracking

v1.3.0 — Initial Release

  • pay_invoice — Pay any Lightning invoice
  • check_wallet_balance — Check wallet balance
  • get_payment_history — View payment history
  • get_budget_status — View budget limits
  • OpenNode wallet backend