keysat

grant/keysat

Fork 0

Commit Graph

Author	SHA1	Message	Date
Grant	7c4dfbacd2	WIP — port purchase/subscriptions/reconcile/upgrade/tipping to merchant-profile resolution (part 2) Threads the merchant-profile + payment-provider snapshot semantics through every call site that used to call state.payment_provider() (the legacy "active provider" singleton). New invoices now record which provider settled them; subscriptions snapshot both merchant_profile_id and payment_provider_id at creation so mid-cycle product re-routing doesn't redirect existing buyers; the reconciler picks the right provider per invoice; tipping draws from the same Bitcoin balance that received the purchase; tier-change invoices stick with the buyer's existing merchant identity. migrations/0021_invoice_provider_link.sql (new) Adds invoices.payment_provider_id (nullable FK), backfills existing pending/settled rows to the earliest-connected provider on the default profile. Additive — no drops, no removals. Companion to 0020 from the foundation commit. models.rs Invoice gains payment_provider_id: Option<String>. db/repo.rs row_to_invoice reads the new column. All three invoice SELECTs include it. create_invoice + create_invoice_with_currency take a new optional payment_provider_id parameter and persist it on INSERT. subscriptions.rs Subscription struct gains merchant_profile_id + payment_provider_id (snapshotted on create). SUB_COLS + row_to_subscription + the manual SELECT in find_lapsing_subscriptions all updated. create_subscription accepts both new fields and writes them on the INSERT row. renew_one — reads the sub's payment_provider_id snapshot and resolves the provider via state.payment_provider_by_id(). Falls back to the legacy state.payment_provider() for any subs created pre-:52 that the migration backfill missed. capture_zaprite_payment_profile — uses the INVOICE's provider, not "the active one." Saved-profile ids are scoped per Zaprite org; using the wrong provider would fail the lookup. try_auto_charge_zaprite — uses the sub's snapshotted provider (same rationale). reconcile.rs Per-invoice provider lookup. Each pending invoice is reconciled against state.payment_provider_by_id(inv.payment_provider_id), with graceful fallback for NULL provider ids. No more single-global- provider assumption. tipping.rs Tip pay-out uses the provider that settled the license's purchase invoice (joined via licenses.invoice_id). Same rationale as the capture hook — the tip needs to draw from the right LN node. api/upgrade.rs (both buyer-driven and admin-driven tier-change sites) Tier-change invoices ride on existing licenses. The right provider is whichever the license's subscription is snapshotted to (so the proration charge settles to the same merchant identity that collects renewal fees). Falls back to the invoice's recorded provider, then the legacy default, for licenses with no subscription or pre- snapshot rows. api/purchase.rs StartPurchaseReq gains an optional `rail` field ("lightning"/"onchain"/"card") for the future buy-page multi-rail picker. When omitted (today's behavior), the daemon picks the first rail the product's merchant profile exposes — which is correct for single-provider operators AND back-compat for any pre-:52 client not yet sending the field. Provider resolution: product → merchant_profile → rail → resolve_provider_for_profile_rail. The redirect_url defaults to the profile's post_purchase_redirect_url (with {invoice_id} substitution) if set, else Keysat's own /thank-you. New invoices carry their provider's id via the new create_invoice_with_currency parameter. api/webhook.rs issue_license_for_invoice now passes snapshot fields when calling subscriptions::create_subscription — both merchant_profile_id (from product lookup) and payment_provider_id (from the invoice row). main.rs Replaces the legacy "active provider preference" boot loader with a default-profile-first-provider warm-up. The legacy state.payment singleton stays populated for back-compat with call sites that haven't yet migrated to the on-demand resolution path. Pre-migration fallback to the old singleton-config loaders preserved so the daemon still boots cleanly on a DB that hasn't run 0020 yet. Remaining for part 3: - BTCPay + Zaprite connect flows take merchant_profile_id and INSERT into payment_providers (currently still write to the dropped singleton tables, broken post-migration). - api/payment_provider.rs activate endpoint becomes irrelevant in the new model — repurpose as list-providers, or delete. - Thank-you page (api/mod.rs) provider-kind lookup ports to the invoice's recorded provider. - Webhook routes refactor to /v1/{kind}/webhook/{provider_id}. - Admin UI for Merchant Profiles + product picker + buy-page brand block + rail picker. - Tier-cap wire-up for unlimited_merchant_profiles entitlement. - Version bump to :52 + release notes. Build: cargo check passes. Deprecation warnings remaining flag exactly the call sites listed above as the part 3 todo list. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-03 22:26:22 -05:00
Grant	5ec9a6e8c0	Migrate reconcile + tipping onto PaymentProvider trait; add worker tests Two compat-path holdovers migrated: - src/reconcile.rs: was state.btcpay_client().get_invoice() with manual JSON parsing of BTCPay-specific status strings ("Settled", "Complete", "Expired", "Invalid"). Now state.payment_provider() .get_invoice_status() returning the typed ProviderInvoiceStatus enum. The string normalization moves into BtcpayProvider's impl where it belongs. - src/tipping.rs: was state.btcpay_client().pay_lightning_invoice() returning raw JSON, then manual paymentHash extraction. Now provider.pay_lightning_invoice() returning a typed PaymentReceipt { payment_hash, raw }. The audit message now records the active provider's kind() rather than hardcoding "BTCPay LN node". Combined with v0.1.0:43's purchase migration, the daemon's non-test code now contains zero calls to state.btcpay_client() or .btcpay_webhook_secret(). Those compat accessors stay on AppState for v0.2 (no need to break things gratuitously) but they're dead code in the production path. Zaprite's drop-in only needs to implement the trait. Worker integration tests (tests/worker.rs): - worker_marks_failure_and_schedules_retry_on_500: spins up a tiny axum receiver that 500s, calls webhooks::tick(), verifies attempt count and next-attempt scheduling. - worker_dead_letters_after_max_attempts: seeds a row at attempt count 9, ticks once, verifies attempt_count → 10 and next_attempt_at → NULL. Confirms the row also satisfies the admin DLQ predicate (the contract :43's webhook_deliveries.rs depends on). - worker_marks_success_on_2xx: pins the happy path. webhooks::tick is now `pub` so integration tests can drive it synchronously. Test count: 26 (9 unit + 4 migration + 10 API + 3 worker).	2026-05-08 10:40:11 -05:00
Grant	6ac118ae70	v0.1.0:24 — Keysat licensing service end-to-end Daemon, StartOS wrapper, admin SPA, public buy/thank-you pages, discount codes, free-license redemption, Apply-discount UX, self-licensing, and v0.1.0 release notes.	2026-05-07 10:33:39 -05:00

Author

SHA1

Message

Date

Grant

7c4dfbacd2

WIP — port purchase/subscriptions/reconcile/upgrade/tipping to merchant-profile resolution (part 2)

Threads the merchant-profile + payment-provider snapshot semantics through
every call site that used to call state.payment_provider() (the legacy
"active provider" singleton). New invoices now record which provider
settled them; subscriptions snapshot both merchant_profile_id and
payment_provider_id at creation so mid-cycle product re-routing doesn't
redirect existing buyers; the reconciler picks the right provider per
invoice; tipping draws from the same Bitcoin balance that received the
purchase; tier-change invoices stick with the buyer's existing merchant
identity.

migrations/0021_invoice_provider_link.sql (new)
  Adds invoices.payment_provider_id (nullable FK), backfills existing
  pending/settled rows to the earliest-connected provider on the default
  profile. Additive — no drops, no removals. Companion to 0020 from the
  foundation commit.

models.rs
  Invoice gains payment_provider_id: Option<String>.

db/repo.rs
  row_to_invoice reads the new column. All three invoice SELECTs include
  it. create_invoice + create_invoice_with_currency take a new optional
  payment_provider_id parameter and persist it on INSERT.

subscriptions.rs
  Subscription struct gains merchant_profile_id + payment_provider_id
  (snapshotted on create). SUB_COLS + row_to_subscription + the manual
  SELECT in find_lapsing_subscriptions all updated. create_subscription
  accepts both new fields and writes them on the INSERT row.

  renew_one — reads the sub's payment_provider_id snapshot and resolves
  the provider via state.payment_provider_by_id(). Falls back to the
  legacy state.payment_provider() for any subs created pre-:52 that
  the migration backfill missed.

  capture_zaprite_payment_profile — uses the INVOICE's provider, not
  "the active one." Saved-profile ids are scoped per Zaprite org; using
  the wrong provider would fail the lookup.

  try_auto_charge_zaprite — uses the sub's snapshotted provider (same
  rationale).

reconcile.rs
  Per-invoice provider lookup. Each pending invoice is reconciled
  against state.payment_provider_by_id(inv.payment_provider_id), with
  graceful fallback for NULL provider ids. No more single-global-
  provider assumption.

tipping.rs
  Tip pay-out uses the provider that settled the license's purchase
  invoice (joined via licenses.invoice_id). Same rationale as the
  capture hook — the tip needs to draw from the right LN node.

api/upgrade.rs (both buyer-driven and admin-driven tier-change sites)
  Tier-change invoices ride on existing licenses. The right provider
  is whichever the license's subscription is snapshotted to (so the
  proration charge settles to the same merchant identity that collects
  renewal fees). Falls back to the invoice's recorded provider, then
  the legacy default, for licenses with no subscription or pre-
  snapshot rows.

api/purchase.rs
  StartPurchaseReq gains an optional `rail` field
  ("lightning"/"onchain"/"card") for the future buy-page multi-rail
  picker. When omitted (today's behavior), the daemon picks the first
  rail the product's merchant profile exposes — which is correct for
  single-provider operators AND back-compat for any pre-:52 client
  not yet sending the field.

  Provider resolution: product → merchant_profile → rail →
  resolve_provider_for_profile_rail. The redirect_url defaults to the
  profile's post_purchase_redirect_url (with {invoice_id} substitution)
  if set, else Keysat's own /thank-you. New invoices carry their
  provider's id via the new create_invoice_with_currency parameter.

api/webhook.rs
  issue_license_for_invoice now passes snapshot fields when calling
  subscriptions::create_subscription — both merchant_profile_id (from
  product lookup) and payment_provider_id (from the invoice row).

main.rs
  Replaces the legacy "active provider preference" boot loader with a
  default-profile-first-provider warm-up. The legacy state.payment
  singleton stays populated for back-compat with call sites that
  haven't yet migrated to the on-demand resolution path. Pre-migration
  fallback to the old singleton-config loaders preserved so the
  daemon still boots cleanly on a DB that hasn't run 0020 yet.

Remaining for part 3:
  - BTCPay + Zaprite connect flows take merchant_profile_id and
    INSERT into payment_providers (currently still write to the
    dropped singleton tables, broken post-migration).
  - api/payment_provider.rs activate endpoint becomes irrelevant in
    the new model — repurpose as list-providers, or delete.
  - Thank-you page (api/mod.rs) provider-kind lookup ports to the
    invoice's recorded provider.
  - Webhook routes refactor to /v1/{kind}/webhook/{provider_id}.
  - Admin UI for Merchant Profiles + product picker + buy-page brand
    block + rail picker.
  - Tier-cap wire-up for unlimited_merchant_profiles entitlement.
  - Version bump to :52 + release notes.

Build: cargo check passes. Deprecation warnings remaining flag exactly
the call sites listed above as the part 3 todo list.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-03 22:26:22 -05:00

Grant

5ec9a6e8c0

Migrate reconcile + tipping onto PaymentProvider trait; add worker tests

Two compat-path holdovers migrated:

- src/reconcile.rs: was state.btcpay_client().get_invoice() with
  manual JSON parsing of BTCPay-specific status strings ("Settled",
  "Complete", "Expired", "Invalid"). Now state.payment_provider()
  .get_invoice_status() returning the typed ProviderInvoiceStatus
  enum. The string normalization moves into BtcpayProvider's impl
  where it belongs.

- src/tipping.rs: was state.btcpay_client().pay_lightning_invoice()
  returning raw JSON, then manual paymentHash extraction. Now
  provider.pay_lightning_invoice() returning a typed PaymentReceipt
  { payment_hash, raw }. The audit message now records the active
  provider's kind() rather than hardcoding "BTCPay LN node".

Combined with v0.1.0:43's purchase migration, the daemon's
non-test code now contains zero calls to state.btcpay_client() or
.btcpay_webhook_secret(). Those compat accessors stay on AppState
for v0.2 (no need to break things gratuitously) but they're dead
code in the production path. Zaprite's drop-in only needs to
implement the trait.

Worker integration tests (tests/worker.rs):

- worker_marks_failure_and_schedules_retry_on_500: spins up a tiny
  axum receiver that 500s, calls webhooks::tick(), verifies attempt
  count and next-attempt scheduling.
- worker_dead_letters_after_max_attempts: seeds a row at attempt
  count 9, ticks once, verifies attempt_count → 10 and
  next_attempt_at → NULL. Confirms the row also satisfies the admin
  DLQ predicate (the contract :43's webhook_deliveries.rs depends
  on).
- worker_marks_success_on_2xx: pins the happy path.

webhooks::tick is now `pub` so integration tests can drive it
synchronously.

Test count: 26 (9 unit + 4 migration + 10 API + 3 worker).

2026-05-08 10:40:11 -05:00

Grant

6ac118ae70

v0.1.0:24 — Keysat licensing service end-to-end

Daemon, StartOS wrapper, admin SPA, public buy/thank-you pages,
discount codes, free-license redemption, Apply-discount UX,
self-licensing, and v0.1.0 release notes.

2026-05-07 10:33:39 -05:00

3 Commits