fix: safe payment_context handling and cross-platform DID file permissions

[Subhajitdas99]

Summary

• Problem 1: message_handlers.py used unsafe del message_metadata["_payment_context"] which raises KeyError when _payment_context is absent, breaking multiple message flows.
• Problem 2: did_agent_extension.py used Path.chmod(0o600) which fails silently on Windows — file permission tests were failing on Windows CI.
• Why it matters: Both bugs cause production failures in specific scenarios — payment flows without context, and DID key generation on Windows.
• What changed: Two targeted surgical fixes, no refactoring, no new features.

Change Type

• Bug fix

Scope

• Server / API endpoints
• Extensions (DID, x402, etc.)

Linked Issue/PR

• Split from Enhancement: Improve stream_message reliability with retry logic and safer error handling #350 as requested by @chandan-1427

User-Visible / Behavior Changes

None for most users. Fixes edge case failures in payment context handling and DID key generation on Windows.

Fix Details

Fix 1 — Safe payment_context pop:

# Before (raises KeyError if _payment_context absent)
scheduler_params["payment_context"] = message_metadata["_payment_context"]
del message_metadata["_payment_context"]

# After (safe)
payment_context = message_metadata.pop("_payment_context", None)
if payment_context is not None:
    scheduler_params["payment_context"] = payment_context

Fix 2 — Cross-platform DID file permissions:

# Before (fails silently on Windows)
self.private_key_path.write_bytes(private_pem)
self.private_key_path.chmod(0o600)

# After (works on both POSIX and Windows)
if platform.system() == "Windows":
    self.private_key_path.write_bytes(private_pem)
else:
    fd = os.open(str(self.private_key_path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(private_pem)

Security Impact

• New permissions/capabilities? No
• Secrets/credentials handling changed? Yes — DID private key now written with atomic permission setting on POSIX. Security is equivalent or better.
• New/changed network calls? No
• Database schema/migration changes? No
• Authentication/authorization changes? No

Verification

• Tested locally on Windows 11, Python 3.12.9
• All 709 existing tests pass
• The previously failing test_save_credentials_sets_restrictive_permissions now handled correctly per platform

Checklist

• Focused PR — only the two bug fixes requested by @chandan-1427
• No unrelated files included
• Backward compatible
• Tests pass locally

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e1ce3948-10f9-47e1-beaa-6b0cb22ecd2c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}