fix(payments): strip wallet-auth: prefix from StripePrivy private key

aidandaly24 · aidandaly24 · commit 7bdd4b6791ca · 2026-05-20T17:56:24.000Z
AWS docs (https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/payments-prerequisites.html) ship the StripePrivy authorization-private-key with a 'wallet-auth:' prefix. The CLI's base64 validator rejected this with a misleading error message. Strip the prefix transparently in both CLI and TUI so users can paste the key straight from the docs.
diff --git a/src/cli/primitives/PaymentConnectorPrimitive.ts b/src/cli/primitives/PaymentConnectorPrimitive.ts
@@ -415,7 +415,12 @@ export class PaymentConnectorPrimitive extends BasePrimitive<AddPaymentConnector
 
               // Validate StripePrivy authorizationPrivateKey format (base64-encoded EC P-256 key)
               if (provider === 'StripePrivy') {
-                const trimmedKey = cliOptions.authorizationPrivateKey!.trim();
+                // AWS docs ship the key with a `wallet-auth:` prefix — strip it transparently.
+                let trimmedKey = cliOptions.authorizationPrivateKey!.trim();
+                if (trimmedKey.startsWith('wallet-auth:')) {
+                  trimmedKey = trimmedKey.slice('wallet-auth:'.length);
+                  cliOptions.authorizationPrivateKey = trimmedKey;
+                }
                 const BASE64_REGEX = /^[A-Za-z0-9+/]+=*$/;
                 if (!BASE64_REGEX.test(trimmedKey)) {
                   const error = 'authorizationPrivateKey must be base64-encoded';
diff --git a/src/cli/tui/screens/payment/useAddPaymentWizard.ts b/src/cli/tui/screens/payment/useAddPaymentWizard.ts
@@ -296,7 +296,11 @@ export function useAddPaymentConnectorWizard(preSelectedManager?: string) {
 
   const setAuthorizationPrivateKey = useCallback(
     (authorizationPrivateKey: string) => {
-      setConfig(c => ({ ...c, authorizationPrivateKey }));
+      // AWS docs ship the key with a `wallet-auth:` prefix — strip it transparently.
+      const cleaned = authorizationPrivateKey.startsWith('wallet-auth:')
+        ? authorizationPrivateKey.slice('wallet-auth:'.length)
+        : authorizationPrivateKey;
+      setConfig(c => ({ ...c, authorizationPrivateKey: cleaned }));
       advanceFrom('authorization-private-key');
     },
     [advanceFrom]
