From 0f579a4c708c2461131875c090536826a640a592 Mon Sep 17 00:00:00 2001
From: JEAN REGIS <240509606@firat.edu.tr>
Date: Fri, 3 Apr 2026 20:53:30 +0300
Subject: [PATCH] fix(finstripe): validate vendor_account against registered bank account before transfer

Root cause: vendor_account was a free-form caller-supplied string never compared to vendor.bank_account_number, allowing funds to be routed to arbitrary accounts.

Solution: Fetch vendor record inside db_session and assert vendor_account equality before create_transaction is called. Return error dict on mismatch or missing vendor; no transaction is written.

Impact: Write path is guarded pre-commit. Valid callers unaffected. No schema, dependency, or API contract changes.

Signed-off-by: JEAN REGIS <240509606@firat.edu.tr>
---
 finbot/mcp/servers/finstripe/server.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/finbot/mcp/servers/finstripe/server.py b/finbot/mcp/servers/finstripe/server.py
index 4b17a228..19cae348 100644
--- a/finbot/mcp/servers/finstripe/server.py
+++ b/finbot/mcp/servers/finstripe/server.py
@@ -63,6 +63,11 @@ def create_transfer(
 with db_session() as db:
 repo = PaymentTransactionRepository(db, session_context)
+ vendor = repo.get_vendor_by_id(vendor_id)
+ if vendor is None:
+ return {"error": f"Vendor {vendor_id} not found"}
+ if vendor.bank_account_number != vendor_account:
+ return {"error": "vendor_account does not match registered bank account"}
 txn = repo.create_transaction(
 invoice_id=invoice_id,
 vendor_id=vendor_id,
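Review bot: A mismatch on the new `if vendor.bank_account_number != vendor_account:` line is the exact event this fix exists to catch, yet it is answered with a bare error dict and no log entry, so an attempted redirect of funds leaves no trace for detection; before the `return` add something like `logger.warning("vendor_account mismatch for vendor %s", vendor_id)` (using whatever logger the module already has, and without echoing the account numbers themselves). The guard also validates the caller's string but, as far as the hunk shows, still lets that caller-supplied `vendor_account` flow into `repo.create_transaction(...)`; if the call takes the account as an argument (its remaining keyword lines are outside the hunk), pass `vendor.bank_account_number` there so the registered value is the only one ever written. The comparison is exact string equality, so if `bank_account_number` is stored normalized (stripped or formatted) while callers send raw input, apply the same normalization to both sides or valid transfers will be rejected — worth confirming against the repository. The body of `create_transfer` continues past the end of this hunk.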