keysat

grant/keysat

Fork 0

Commit Graph

Author	SHA1	Message	Date
Grant	54f7ea08b5	P1 — change-tier UX, Zaprite webhook copy, self-tier guard, Lightning copy Bundle of bugfixes from the P1 testing batch. None individually huge; together they close several "tested it, hit a sharp edge" items. 1. Change-tier modal — kill the paid path from UI The Apply-as-comp toggle is gone. Admin tier changes always apply as comp now. The reasoning (per Grant's testing): admin tier changes are operator-driven, payment has either already happened off-rails or it's a comp; the "admin generates invoice and forwards URL" flow is a tiny niche that just produces orphan invoices when the modal gets dismissed. Buyers who want to pay use the SDK's /v1/upgrade. The API path is unchanged for back-compat with scripted operators (skip_payment defaults to true here). 2. Change-tier modal — downgrade detection + warning banner Detects target.tier_rank < current.tier_rank (or price-diff when ranks aren't set), renders a yellow warning card listing the entitlements the buyer is about to lose, and confirms via browser dialog before submit. Operator sees what they're doing. 3. Self-tier guard on admin change-tier POST /v1/admin/licenses/<id>/change-tier rejects when <id> is the daemon's own self_license. Avoids the recursion Grant hit when trying to downgrade himself: the on-disk signed key is the source-of-truth at boot, so the DB tier_change just produces a half-applied state. Error message points at the right paths (re-mint via master Keysat OR rename /data/keysat-license.txt for testing). With the P0 self-tier live-refresh in place the recursion is now fully resolved anyway, but the guard is good belt-and-suspenders for operator clarity. 4. Zaprite webhook — full URL in copy + persistent action - The Connect Zaprite action now shows the EXACT https://your-keysat-url/v1/zaprite/webhook URL to paste into Zaprite's dashboard. Previous copy showed a placeholder "<your Keysat public URL>/...", which Zaprite's form rejects (it requires full https://). Daemon's /v1/admin/zaprite/connect now returns webhook_url; the action displays it. - New "Show Zaprite webhook setup" StartOS Action — operators who skipped the step on first connect, or who lost the output, can run this any time and get the URL again. - Full explainer of what webhooks unlock vs polling-only: "without webhooks, Keysat polls /v1/orders every 60s, so license issuance lags settle by up to a minute; with webhooks, ~1s." Lives on /v1/admin/zaprite/status response as `webhook_explainer` + in the action's display text. 5. Connect-while-connected short-circuit POST /v1/admin/zaprite/connect now returns 409 Conflict with a clear "already connected — disconnect first" message instead of silently overwriting an existing config. (BTCPay's start_connect already had this guard since the durable provider switch work.) 6. Lightning vs on-chain copy on the wait page /thank-you was hard-coded to "next block confirms" — wrong for Lightning payments (instant) and confusing in the common case where buyers paid via Lightning and saw a "waiting for block confirmation" message. Updated to: "Lightning settles in seconds; on-chain typically settles in 10-20 minutes (one block confirmation)." Method-aware copy (parsed from the provider's invoice payload) is a deeper fix but out of scope here — this gets the operator-facing accuracy right today. Test count unchanged; all 77 still passing.	2026-05-09 13:58:03 -05:00
Grant	c5d716a6d4	Tier upgrades Phase 4 — admin force-change + renewal-worker hook Closes the operator side of TIER_UPGRADES_DESIGN.md. With this in, operators can force-change any license to any policy under the same product (sideways, cross-NULL-rank, perpetual downgrades all allowed) — and scheduled tier changes (e.g. recurring downgrades recorded with future effective_at) actually fire at cycle boundaries. New endpoint: - POST /v1/admin/licenses/:id/change-tier Body: { to_policy_slug, skip_payment: bool, reason?: string } skip_payment=true (comp upgrade / support fix-up): apply immediately, write a tier_changes row with proration=0 and invoice_id=NULL, fire the license.tier_changed webhook, audit-log with actor=admin_api_key. skip_payment=false: same as buyer's /v1/upgrade — create a provider invoice for the prorated charge, persist the local invoice + a tier_changes row tied to it, return the checkout URL. Operator forwards it to the buyer through whatever channel they use. Webhook applies on settle. Bypasses ladder rules entirely (sideways, perpetual downgrade, recurring → perpetual all OK). Same-product / different-policy / active-target checks still apply. QuoteMode refactor (src/upgrades.rs): - compute_upgrade_quote now takes QuoteMode::{Buyer, Admin}. - Buyer mode = strict ladder rules (per Phase 2). - Admin mode = bypass ladder + downgrade gates; infer direction from rank-diff if both ranked, else from price-diff. - Buyer endpoint passes Buyer; admin endpoint passes Admin. Renewal-worker hook (src/subscriptions.rs): - Before pricing each renewal cycle, the worker calls apply_pending_tier_changes(state, sub). This finds tier_changes rows for the sub's license where effective_at <= now AND invoice_id IS NULL AND license.policy_id != to_policy_id (i.e. scheduled comp/admin changes that haven't been applied yet). Each pending change is applied via apply_tier_change (which also rewrites the sub's policy_id / listed_value / period_days). After applying, the worker re-fetches the sub and prices the next invoice at the NEW tier's listed_value. - This is what makes recurring downgrades actually take effect at the cycle boundary (admin records "Pro → Standard at next renewal", the worker applies it, the new invoice bills at Standard's price). - Idempotent: re-running the hook on a license already on the target tier finds zero pending rows (the policy_id != check filters them out). Tests (+5, total now 77): - admin_change_tier_skip_payment_applies_immediately — comp path flips license + writes tier_change row with no invoice - admin_change_tier_allows_perpetual_downgrade — the case the buyer endpoint rejects with 400 "admin-only" - admin_change_tier_rejects_zero_charge_paid_path — sideways attempt with skip_payment=false hints at switching to true - admin_change_tier_requires_admin_token — 401 without auth - renewal_worker_applies_pending_tier_change_before_billing — the headline behavior: a pending downgrade tier_change with effective_at=now causes the next renewal to bill at the new (lower) tier's price, NOT the old one. Uses a CapturingProvider mock that stashes the last sat amount it saw so the assertion is on what the worker actually billed.	2026-05-08 20:12:44 -05:00
Grant	b7fa6c7dae	Tier upgrades Phase 3 — buyer-facing HTTP endpoints Closes the buyer self-service tier-upgrade loop. With this in, SDKs can wire an "Upgrade to Pro" button inside the operator's app and the daemon handles quote → invoice → settle → apply without operator involvement. New endpoints (auth via signed license_key in body, same model as /v1/recover and /v1/subscriptions/cancel — no admin token, no cookie): - POST /v1/upgrade-quote — read-only quote. "If I upgraded to <tier>, what would I owe right now, when do entitlements take effect, what will the next renewal charge?" - POST /v1/upgrade — buyer commits. Daemon recomputes the quote (don't trust client shaping), rejects 0-charge upgrades (admin path only), creates a provider invoice for the prorated charge in the listed currency converted to sats, persists the local invoice + a tier_changes row tying them together, returns the checkout URL. Webhook handler change (src/api/webhook.rs): - On invoice settle, BEFORE the subscription / license-issuance branches, look up the invoice in tier_changes via upgrades::get_tier_change_by_invoice. If present, run the apply path: mutate the existing license's policy_id + entitlements + max_machines + grace + expires_at, mutate any tied subscription's policy_id + listed_value + period_days (so future renewals charge the new tier), audit, fire the new `license.tier_changed` webhook event, ack 200. - Idempotent: re-delivered webhook on an already-applied tier change is a no-op (license.policy_id == target.id check). - Critically: the existing license_id is preserved. Buyers keep the same signed key; on next online validation their app sees the new entitlements. No new license is issued. Phase 3 scope deliberately excludes: - Buyer-initiated DOWNGRADES. compute_upgrade_quote already returns 0-charge quotes for recurring downgrades (effective at next_renewal_at), but applying that at the cycle boundary needs renewal-worker integration. Phase 4 lands the admin endpoint AND the worker hook in one go. For v0.2.x the buyer endpoint rejects with 400 "admin-only". - Admin force-change (POST /v1/admin/licenses/:id/change-tier). Phase 4. Tests (+6, total now 72): - upgrade_quote_returns_perpetual_difference (Standard $25 → Pro $75 = $50 = 5000 cents quote, "immediate" effective) - upgrade_quote_rejects_garbage_key (401, doesn't leak whether the target slug exists) - upgrade_quote_rejects_unknown_target_policy (404) - upgrade_start_creates_invoice_and_tier_change_row (verifies the tier_changes row is written tied to the new invoice; the license is NOT yet on Pro until settle) - webhook_settle_on_tier_change_applies_instead_of_issuing (full end-to-end: settle webhook fires → license flips to Pro + Pro entitlements appear; license count stays at 1, NO new license issued; re-delivery idempotent) - upgrade_endpoint_rejects_buyer_downgrade (400 "admin-only" — the clear-message path the quote function intercepts with; Phase 4 will introduce a separate buyer-downgrade path)	2026-05-08 20:06:13 -05:00

Author

SHA1

Message

Date

Grant

54f7ea08b5

P1 — change-tier UX, Zaprite webhook copy, self-tier guard, Lightning copy

Bundle of bugfixes from the P1 testing batch. None individually
huge; together they close several "tested it, hit a sharp edge"
items.

1. Change-tier modal — kill the paid path from UI
   The Apply-as-comp toggle is gone. Admin tier changes always
   apply as comp now. The reasoning (per Grant's testing): admin
   tier changes are operator-driven, payment has either already
   happened off-rails or it's a comp; the "admin generates
   invoice and forwards URL" flow is a tiny niche that just
   produces orphan invoices when the modal gets dismissed.
   Buyers who want to pay use the SDK's /v1/upgrade.
   The API path is unchanged for back-compat with scripted
   operators (skip_payment defaults to true here).

2. Change-tier modal — downgrade detection + warning banner
   Detects target.tier_rank < current.tier_rank (or price-diff
   when ranks aren't set), renders a yellow warning card listing
   the entitlements the buyer is about to lose, and confirms via
   browser dialog before submit. Operator sees what they're
   doing.

3. Self-tier guard on admin change-tier
   POST /v1/admin/licenses/<id>/change-tier rejects when <id>
   is the daemon's own self_license. Avoids the recursion Grant
   hit when trying to downgrade himself: the on-disk signed key
   is the source-of-truth at boot, so the DB tier_change just
   produces a half-applied state. Error message points at the
   right paths (re-mint via master Keysat OR rename
   /data/keysat-license.txt for testing). With the P0 self-tier
   live-refresh in place the recursion is now fully resolved
   anyway, but the guard is good belt-and-suspenders for
   operator clarity.

4. Zaprite webhook — full URL in copy + persistent action
   - The Connect Zaprite action now shows the EXACT
     https://your-keysat-url/v1/zaprite/webhook URL to paste
     into Zaprite's dashboard. Previous copy showed a
     placeholder "<your Keysat public URL>/...", which Zaprite's
     form rejects (it requires full https://). Daemon's
     /v1/admin/zaprite/connect now returns webhook_url; the
     action displays it.
   - New "Show Zaprite webhook setup" StartOS Action — operators
     who skipped the step on first connect, or who lost the
     output, can run this any time and get the URL again.
   - Full explainer of what webhooks unlock vs polling-only:
     "without webhooks, Keysat polls /v1/orders every 60s, so
     license issuance lags settle by up to a minute; with
     webhooks, ~1s." Lives on /v1/admin/zaprite/status response
     as `webhook_explainer` + in the action's display text.

5. Connect-while-connected short-circuit
   POST /v1/admin/zaprite/connect now returns 409 Conflict with a
   clear "already connected — disconnect first" message instead
   of silently overwriting an existing config. (BTCPay's
   start_connect already had this guard since the durable
   provider switch work.)

6. Lightning vs on-chain copy on the wait page
   /thank-you was hard-coded to "next block confirms" — wrong
   for Lightning payments (instant) and confusing in the common
   case where buyers paid via Lightning and saw a "waiting for
   block confirmation" message. Updated to: "Lightning settles
   in seconds; on-chain typically settles in 10-20 minutes (one
   block confirmation)." Method-aware copy (parsed from the
   provider's invoice payload) is a deeper fix but out of scope
   here — this gets the operator-facing accuracy right today.

Test count unchanged; all 77 still passing.

2026-05-09 13:58:03 -05:00

Grant

c5d716a6d4

Tier upgrades Phase 4 — admin force-change + renewal-worker hook

Closes the operator side of TIER_UPGRADES_DESIGN.md. With this in,
operators can force-change any license to any policy under the same
product (sideways, cross-NULL-rank, perpetual downgrades all
allowed) — and scheduled tier changes (e.g. recurring downgrades
recorded with future effective_at) actually fire at cycle boundaries.

New endpoint:
- POST /v1/admin/licenses/:id/change-tier
  Body: { to_policy_slug, skip_payment: bool, reason?: string }

  skip_payment=true (comp upgrade / support fix-up): apply
  immediately, write a tier_changes row with proration=0 and
  invoice_id=NULL, fire the license.tier_changed webhook, audit-log
  with actor=admin_api_key.

  skip_payment=false: same as buyer's /v1/upgrade — create a
  provider invoice for the prorated charge, persist the local
  invoice + a tier_changes row tied to it, return the checkout URL.
  Operator forwards it to the buyer through whatever channel they
  use. Webhook applies on settle.

  Bypasses ladder rules entirely (sideways, perpetual downgrade,
  recurring → perpetual all OK). Same-product / different-policy /
  active-target checks still apply.

QuoteMode refactor (src/upgrades.rs):
- compute_upgrade_quote now takes QuoteMode::{Buyer, Admin}.
- Buyer mode = strict ladder rules (per Phase 2).
- Admin mode = bypass ladder + downgrade gates; infer direction
  from rank-diff if both ranked, else from price-diff.
- Buyer endpoint passes Buyer; admin endpoint passes Admin.

Renewal-worker hook (src/subscriptions.rs):
- Before pricing each renewal cycle, the worker calls
  apply_pending_tier_changes(state, sub). This finds tier_changes
  rows for the sub's license where effective_at <= now AND
  invoice_id IS NULL AND license.policy_id != to_policy_id (i.e.
  scheduled comp/admin changes that haven't been applied yet).
  Each pending change is applied via apply_tier_change (which
  also rewrites the sub's policy_id / listed_value / period_days).
  After applying, the worker re-fetches the sub and prices the
  next invoice at the NEW tier's listed_value.
- This is what makes recurring downgrades actually take effect at
  the cycle boundary (admin records "Pro → Standard at next
  renewal", the worker applies it, the new invoice bills at
  Standard's price).
- Idempotent: re-running the hook on a license already on the
  target tier finds zero pending rows (the policy_id != check
  filters them out).

Tests (+5, total now 77):
- admin_change_tier_skip_payment_applies_immediately — comp path
  flips license + writes tier_change row with no invoice
- admin_change_tier_allows_perpetual_downgrade — the case the
  buyer endpoint rejects with 400 "admin-only"
- admin_change_tier_rejects_zero_charge_paid_path — sideways
  attempt with skip_payment=false hints at switching to true
- admin_change_tier_requires_admin_token — 401 without auth
- renewal_worker_applies_pending_tier_change_before_billing —
  the headline behavior: a pending downgrade tier_change with
  effective_at=now causes the next renewal to bill at the new
  (lower) tier's price, NOT the old one. Uses a CapturingProvider
  mock that stashes the last sat amount it saw so the assertion
  is on what the worker actually billed.

2026-05-08 20:12:44 -05:00

Grant

b7fa6c7dae

Tier upgrades Phase 3 — buyer-facing HTTP endpoints

Closes the buyer self-service tier-upgrade loop. With this in,
SDKs can wire an "Upgrade to Pro" button inside the operator's
app and the daemon handles quote → invoice → settle → apply
without operator involvement.

New endpoints (auth via signed license_key in body, same model
as /v1/recover and /v1/subscriptions/cancel — no admin token,
no cookie):

- POST /v1/upgrade-quote   — read-only quote. "If I upgraded to
                             <tier>, what would I owe right now,
                             when do entitlements take effect,
                             what will the next renewal charge?"
- POST /v1/upgrade         — buyer commits. Daemon recomputes the
                             quote (don't trust client shaping),
                             rejects 0-charge upgrades (admin path
                             only), creates a provider invoice for
                             the prorated charge in the listed
                             currency converted to sats, persists
                             the local invoice + a tier_changes
                             row tying them together, returns the
                             checkout URL.

Webhook handler change (src/api/webhook.rs):
- On invoice settle, BEFORE the subscription / license-issuance
  branches, look up the invoice in tier_changes via
  upgrades::get_tier_change_by_invoice. If present, run the
  apply path: mutate the existing license's policy_id +
  entitlements + max_machines + grace + expires_at, mutate any
  tied subscription's policy_id + listed_value + period_days
  (so future renewals charge the new tier), audit, fire the new
  `license.tier_changed` webhook event, ack 200.
- Idempotent: re-delivered webhook on an already-applied
  tier change is a no-op (license.policy_id == target.id check).
- Critically: the existing license_id is preserved. Buyers
  keep the same signed key; on next online validation their
  app sees the new entitlements. No new license is issued.

Phase 3 scope deliberately excludes:
- Buyer-initiated DOWNGRADES. compute_upgrade_quote already
  returns 0-charge quotes for recurring downgrades (effective at
  next_renewal_at), but applying that at the cycle boundary
  needs renewal-worker integration. Phase 4 lands the admin
  endpoint AND the worker hook in one go. For v0.2.x the buyer
  endpoint rejects with 400 "admin-only".
- Admin force-change (POST /v1/admin/licenses/:id/change-tier).
  Phase 4.

Tests (+6, total now 72):
- upgrade_quote_returns_perpetual_difference (Standard $25 →
  Pro $75 = $50 = 5000 cents quote, "immediate" effective)
- upgrade_quote_rejects_garbage_key (401, doesn't leak whether
  the target slug exists)
- upgrade_quote_rejects_unknown_target_policy (404)
- upgrade_start_creates_invoice_and_tier_change_row (verifies
  the tier_changes row is written tied to the new invoice; the
  license is NOT yet on Pro until settle)
- webhook_settle_on_tier_change_applies_instead_of_issuing
  (full end-to-end: settle webhook fires → license flips to Pro
  + Pro entitlements appear; license count stays at 1, NO new
  license issued; re-delivery idempotent)
- upgrade_endpoint_rejects_buyer_downgrade (400 "admin-only" —
  the clear-message path the quote function intercepts with;
  Phase 4 will introduce a separate buyer-downgrade path)

2026-05-08 20:06:13 -05:00

3 Commits