ignore unknown messages

[kiftio]

What changes are you making?

PR 1 -> parity with web r.e. an allowlist of events

Previously, the SDK responded to certain unsupported ECP methods (e.g. ec.auth, ec.payment.credential_request) with an explicit JSON-RPC -32601 "method not supported" error, and forwarded any unknown methods to the consumer CheckoutCommunicationClient. This approach exposed internal protocol details and allowed arbitrary unrecognized methods to reach the client.

This PR replaces that behavior with an explicit allow-list of supported protocol methods on both Android and iOS:

• Android: Replaces UNSUPPORTED_METHODS (which sent explicit error responses) with SUPPORTED_CLIENT_METHODS, an allow-list aligned with the web component's CHECKOUT_PROTOCOL_MESSAGES. Methods outside this list — including ep.*, ec.auth, and any unknown methods — are now silently ignored rather than forwarded or rejected with an error.
• iOS: Adds a supportedProtocolMethods allow-list in CheckoutWebView. Incoming messages are parsed and their method checked against this list before any further processing or client delegation occurs. Messages with unsupported methods are dropped silently.
• The CheckoutCommunicationClient documentation is updated on both platforms to clarify that only supported ECP messages are forwarded to the client.

How to test

1. Send an ECP message with an unsupported method (e.g. ec.auth, ec.payment.credential_request, ep.cart.ready, or a custom unknown method) to the bridge on both Android and iOS.
2. Verify no JSON-RPC error response is sent back to the web page.
3. Verify the consumer CheckoutCommunicationClient does not receive the message.
4. Send a supported ECP message (e.g. ec.window.open_request, ec.messages.change) and verify it is still correctly delegated to the client and any response is forwarded back to the web page.
5. Run the updated unit tests on both platforms to confirm all cases pass.

---

Before you merge

Important

• I've added tests to support my implementation
• I have read and agree with the Contribution Guidelines
• I have read and agree with the Code of Conduct
• I've updated the relevant platform README (platforms/swift/README.md and/or platforms/android/README.md)

---

Releasing a new Swift version?

• I have bumped the version in ShopifyCheckoutKit.podspec
• I have bumped the version in platforms/swift/Sources/ShopifyCheckoutKit/ShopifyCheckoutKit.swift
• I have updated platforms/swift/CHANGELOG.md
• I have updated the SwiftPM/CocoaPods version snippets in platforms/swift/README.md (major version only)

Releasing a new Android version?

• I have bumped the versionName in platforms/android/lib/build.gradle
• I have updated platforms/android/CHANGELOG.md
• I have updated the Gradle/Maven version snippets in platforms/android/README.md

Tip

See the Contributing documentation for the full release process per platform.

[kiftio]

• hide communication client #288
• remove buyer change in web #290
• Use typed Android JSON-RPC params #300
• Use typed Swift JSON-RPC envelopes #299
• respond to unknown requests with error #289
• ignore unknown messages #287 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[kiftio]

bringing this back in PR 3, but across all platforms

[github-actions]

React Native — Coverage Report

Lines	Statements	Branches	Functions
	91.66% (319/348)	87.86% (181/206)	100% (82/82)

[kieran-osgood-shopify]

CheckoutProtocol is an enum of the events we support
Should we add CaseIterable to it so we can get all supported cases with CheckoutProtocol.allCases

[kieran-osgood-shopify]

feels like this would make sense to exist in the protocol side too

[markmur]

On the protocol side, we're already only binding to a limited set of events →

checkout-kit/protocol/languages/swift/Sources/ShopifyCheckoutProtocol/CheckoutProtocol.swift

Lines 1 to 17 in 7625978

	public enum CheckoutProtocol {
	public static let specVersion = "2026-04-08"
	public static let defaultDelegations: [String] = ["window.open"]
	static let buyerChange = NotificationDescriptor<Checkout>(method: "ec.buyer.change")
	public static let complete = NotificationDescriptor<Checkout>(method: "ec.complete")
	public static let error = NotificationDescriptor<ErrorResponse>(method: "ec.error")
	public static let lineItemsChange = NotificationDescriptor<Checkout>(
	method: "ec.line_items.change"
	)
	public static let messagesChange = NotificationDescriptor<Checkout>(
	method: "ec.messages.change"
	)
	public static let start = NotificationDescriptor<Checkout>(method: "ec.start")
	public static let totalsChange = NotificationDescriptor<Checkout>(method: "ec.totals.change")
	}

So this feels duplicative, but, saying that, if we were to extend the protocol to expose it as separate package we would need to bind the relevant ones here.

What do you think about keeping this logic in the protocol until this is needed?