Ruby SDK changelog

Release history for `easy-sdk (Ruby gem)`.

Synced from CHANGELOG.md on the latest publish. This is the canonical release history for easy-sdk (Ruby gem).

All notable changes to easy-sdk are documented in this file. The format follows Keep a Changelog and the project adheres to Semantic Versioning.

0.1.0 — Unreleased

Initial release of the Ruby SDK. Mirrors @easylabs/node 0.1.0 feature surface with idiomatic Ruby APIs.

Added

  • EasyLabs::Client.new(api_key:) factory that validates the API key on construction and exposes resource namespaces (client.customers, client.subscriptions, etc.).
  • Full resource coverage: customers, payment instruments, transfers (incl. refunds), disputes, settlements, products, product prices, orders, subscriptions (full lifecycle: pause/resume, items, discounts, one-time charges, metered usage, proration preview), checkout, payment links, embedded checkout (incl. validate/confirm/config), webhook management, invoices, coupons, promotion codes, authorizations, analytics, compliance forms, dunning config, revenue-recovery automations.
  • EasyLabs::Webhooks.construct_event HMAC-SHA256 verifier with the full EVENT_TYPES catalog.
  • Typed exception hierarchy under EasyLabs::Error (AuthenticationError, PermissionError, NotFoundError, ConflictError, RateLimitError, InvalidRequestError, ServerError) with status, code, details, retry_after_seconds, and raw accessors.
  • Sandbox auto-routing — sk_test_* keys hit sandbox-api.itseasy.co automatically.

Security

  • Path-segment encoding: caller-supplied ids are now percent-encoded before interpolation into URL paths and rejected if nil, empty, or containing control characters. Stops ?, #, /, etc. in an id from rewriting the request URL.
  • internal_api_url is validated: https:// is required for non-local hosts; http:// is only accepted when the host is localhost, 127.0.0.1, ::1, 0.0.0.0, or *.localhost. Prevents accidental exfiltration of the API key over an unencrypted channel.
  • EASY_DEV_API_URL env var overrides the default dev URL so internal hostnames don't have to live in shipped source.
  • Webhook query encoding rejects array elements that contain a comma rather than silently splitting them — comma-joining was ambiguous.
  • EasyLabs::Webhooks.construct_event accepts an optional replay_window: (seconds) that rejects events whose created_at falls outside the window. The HMAC binds the body, so the timestamp is trustworthy and the check provides genuine replay protection.
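
The first two Security items above (path-segment encoding and internal_api_url validation), sketched as an added example that is not the gem's source. UrlSafety, encode_segment and validate_base_url are hypothetical names, the dot-segment check is an extra assumption beyond the changelog's list, and the sample ids and hosts are constructed.

```ruby
require "uri"
require "erb"

# Hypothetical module and method names; this is not the gem's source.
module UrlSafety
  LOCAL_HOSTS = %w[localhost 127.0.0.1 ::1 0.0.0.0].freeze

  # Encode one caller-supplied id for use as a single URL path segment.
  def self.encode_segment(id)
    raise ArgumentError, "id must not be nil" if id.nil?
    s = id.to_s
    raise ArgumentError, "id must not be empty" if s.empty?
    raise ArgumentError, "id contains control characters" if s.match?(/[[:cntrl:]]/)
    # Extra check, not listed in the changelog: "." and ".." consist only of
    # unreserved characters, so percent-encoding leaves them as dot segments.
    raise ArgumentError, "id must not be a dot segment" if %w[. ..].include?(s)
    ERB::Util.url_encode(s) # encodes everything outside A-Z a-z 0-9 - _ . ~
  end

  # Require https:// unless the parsed host is local.
  def self.validate_base_url(internal_api_url)
    uri = URI.parse(internal_api_url.to_s)
    host = uri.hostname.to_s.downcase # hostname strips the [] around IPv6
    raise ArgumentError, "URL has no host" if host.empty?
    local = LOCAL_HOSTS.include?(host) || host.end_with?(".localhost")
    scheme = uri.scheme.to_s.downcase
    return uri if scheme == "https" || (scheme == "http" && local)
    raise ArgumentError, "#{scheme}:// not allowed for host #{host}"
  rescue URI::InvalidURIError => e
    raise ArgumentError, "unparseable URL: #{e.message}"
  end
end

# Constructed sample inputs.
if __FILE__ == $PROGRAM_NAME
  puts "/customers/#{UrlSafety.encode_segment('cus_1/../orders?x=1#f')}"
  ["https://api.example.test", "http://[::1]:4567", "http://localhost@evil.example.test"].each do |u|
    verdict = begin
      UrlSafety.validate_base_url(u) && "accepted"
    rescue ArgumentError => e
      "rejected (#{e.message})"
    end
    puts "#{u}: #{verdict}"
  end
end
```

The host comparison runs on the parsed hostname rather than on the raw string, so a URL that merely contains "localhost" in its userinfo or as a subdomain label of another domain is still held to the https:// requirement.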

Supply chain

  • script/check-release-age.rb: CI gate that refuses gems in the lockfile that were published within the last 7 days (configurable via MIN_RELEASE_AGE_DAYS, with a per-gem ALLOWLIST). Provides the equivalent of npm's min-release-age / bun's minimumReleaseAge for Bundler, which lacks the feature natively.
  • Sinatra example: direct dependencies pinned to exact versions and Gemfile.lock committed for reproducible installs.
  • bundler-audit runs on every CI build and blocks PRs with known CVEs in the dependency tree.
  • .github/dependabot.yml opens weekly PRs for bundler (gem root and example) and github-actions updates, so version bumps go through review and pass the cooldown gate.
  • notify-public-docs.yml got an explicit permissions: contents: read block instead of inheriting the repo default.
