ChannelWeave Website Connector Verification Checklist

1) Authentication
- [ ] API key generated in ChannelWeave
- [ ] Key scoped to website connector only
- [ ] Rotation process tested with grace period

2) Signature Validation
- [ ] HMAC computed from raw request body bytes
- [ ] Secret loaded from secure store
- [ ] Signature mismatch logs include request id only (no payload leakage)

3) Replay Protection
- [ ] Timestamp header required
- [ ] Requests outside 5-minute skew rejected
- [ ] Duplicate request ids handled idempotently

4) Caching Controls
- [ ] Stock responses served with no-store
- [ ] CDN rules bypass dynamic stock endpoints
- [ ] Retries fetch fresh stock state

5) Operational Readiness
- [ ] £0 test order ingested end-to-end
- [ ] Cancelled order webhook processed correctly
- [ ] Monitoring alerts wired for queue failures