keysat

grant/keysat

Fork 0

Commit Graph

Author	SHA1	Message	Date
Keysat	0508690d5a	Wire scoped API keys and add advisory settle-amount tripwire Scoped API keys (P1): migrate 58 admin endpoints from require_admin to require_scope so ks_ keys with Read-only/License-issuer/Support/Full-admin roles work as intended. 12 sensitive endpoints stay master-key-only (issuer key, provider connect/disconnect, web password, api-key CRUD, db-info, operator-name, per-license tier change). require_scope is re-exported from api::admin so both auth gates import from one place. Adds role-boundary tests. Settle-amount tripwire (P1): get_invoice_status now returns ProviderInvoiceSnapshot { status, amount }. On a confirmed settle, audit_settle_amount (shared by the webhook and reconcile issue paths) compares the provider-reported sat amount against the invoice's amount_sats and, on drift, logs a warning + writes an invoice.amount_mismatch audit row, then issues anyway. Advisory by design: a hard gate would fight an operator's BTCPay payment tolerance, and Settled already implies paid-in-full. SAT-only — skips non-SAT settles (fiat subscription renewals) and unparseable amounts.	2026-06-13 00:10:45 -05:00
Grant	783372c03b	Confirm settle with provider API before issuing; add test-injection seam The settle-webhook honored payment on the webhook body's claim alone. Zaprite webhooks carry no signature, so a forged order.change/status=PAID POST with a buyer-visible order id minted a signed license without payment. handle_inner now re-fetches provider.get_invoice_status and requires Settled before persisting "settled" or taking any settle-derived action (issuance, tier-change, subscription renewal — the guard precedes all of them). On a provider-API error it acks 200 without issuing, so a transient outage can't trigger a webhook retry storm; the reconcile loop re-confirms and issues later. Adds the always-compiled AppState::provider_override seam (None in prod), honored by provider_from_row at every resolution site, so integration tests drive the real resolver with a MockPaymentProvider. Greens the two paid_purchase_* tests, deletes the dead payment_provider_preference_round_trip, and adds forged-settle + provider-unreachable regression tests. api 47/47. Not addressed: a literal paid-amount/currency check (needs a trait change).	2026-06-12 22:36:42 -05:00
Grant	7007bf8204	Recurring subs Phase 2 — renewal worker (committed, not published) Implements the renewal lifecycle from RECURRING_SUBSCRIPTIONS_DESIGN.md phase 2. Operators don't see this yet (no admin UI); the worker only acts on subscriptions that exist in the schema, and creating subscription rows still requires direct DB insert. Phase 4 (admin UI) wires the buyer-facing surface that creates them. src/subscriptions.rs (new module, ~450 LOC): - find_due_renewals: subs with status active\|past_due whose next_renewal_at has passed and consecutive_failures < cap - find_lapsing_subscriptions: past_due subs whose (next_renewal_at + grace_period_days) is in the past - mark_lapsed / mark_active_after_settle / mark_renewal_failed: state-transition helpers - create_subscription: atomic create-sub + first-cycle invoice (called by purchase flow when policy.is_recurring; not yet wired — that's a separate phase) - on_invoice_settled: helper for webhook handler to flip a sub from past_due back to active and dispatch subscription.renewed - find_subscription_for_invoice: lookup helper - tick: 60s sweep, picks up to 25 due renewals + lapse sweep - spawn: long-lived background task, mirrors webhooks::spawn_delivery_worker Renewal flow per due sub: 1. Convert listed_value to sats via rates::convert_to_sats (identity for SAT subs; live rate fetcher for USD/EUR — per MULTI_CURRENCY_DESIGN.md "USD-stable / re-quote each cycle" decision). 2. Get the active payment provider, call create_invoice with the same trait surface used by one-shot purchases. Works against BTCPay or Zaprite or any future provider. 3. Persist the local invoice row carrying the rate audit (listed_currency / listed_value / exchange_rate_centibps / exchange_rate_source). For SAT subs, rate fields are NULL (identity conversion isn't worth recording). 4. Insert subscription_invoices linking the invoice to the sub with monotonic cycle_number. 5. Update sub: status → past_due, next_renewal_at → end of new cycle, last_renewal_attempt_at → now. 6. Dispatch subscription.renewal_pending webhook to the operator. On settle (webhook handler): if the invoice is linked via subscription_invoices, flip sub → active, reset consecutive_failures to 0, dispatch subscription.renewed. Failure path: increment consecutive_failures, push next_renewal_at out by exponential backoff (5min → 30min → 2h → 6h → 12h, capped at 5 failures ≈ 24h of retries before the worker stops trying). Operator can see stuck subs via the upcoming admin UI; for now they show up in the audit log via webhook deliveries. Lapse path: separate sweep finds past_due subs whose (next_renewal_at + policy.grace_period_days) is past now, flips to lapsed, dispatches subscription.lapsed. Wired into: - src/lib.rs: pub mod subscriptions - src/main.rs: subscriptions::spawn(state.clone()) alongside reconcile + webhooks + analytics - src/api/webhook.rs: settle path now calls subscriptions::on_invoice_settled before license issuance — ordering matters because first-cycle subs create both a sub row AND a license; we want the sub state correct on the way to the license-issuance branch Test: 7 integration tests in tests/subscriptions.rs. Drives the worker against a MockProvider with fail-on-demand semantics: - renewal_worker_creates_invoice_for_sat_priced_due_sub: SAT sub charges listed_value sats verbatim, no rate audit, sub goes active → past_due, subscription_invoices gets a new cycle row - renewal_worker_requotes_rate_for_fiat_priced_sub: $25 USD at pinned $50k/BTC = exactly 50,000 sats; rate audit pinned on invoice; centibps encoded correctly - renewal_worker_backs_off_on_failure: failed create_invoice → consecutive_failures = 1, no invoice created, sub → past_due - renewal_worker_stops_retrying_at_max_failures: pre-set failures = MAX, tick is a no-op for that sub - lapse_sweep_flips_past_due_after_grace: 15-day-old past_due with grace=7 → lapsed - settle_webhook_flips_sub_back_to_active: tick creates renewal, simulate settle, on_invoice_settled flips sub back to active - tick_is_no_op_when_nothing_due: empty fixture, tick is safe Test count: 49 (was 42; +7). NOT bumping version. The recurring-subs feature isn't operator- visible until phases 4+5 (admin UI for creating recurring policies + buy page rendering for "$25/month"). Schema is in, worker runs, but nothing creates subs yet — so this commit ships dormant.	2026-05-08 17:26:10 -05:00

Author

SHA1

Message

Date

Keysat

0508690d5a

Wire scoped API keys and add advisory settle-amount tripwire

Scoped API keys (P1): migrate 58 admin endpoints from require_admin to
require_scope so ks_ keys with Read-only/License-issuer/Support/Full-admin roles
work as intended. 12 sensitive endpoints stay master-key-only (issuer key,
provider connect/disconnect, web password, api-key CRUD, db-info, operator-name,
per-license tier change). require_scope is re-exported from api::admin so both
auth gates import from one place. Adds role-boundary tests.

Settle-amount tripwire (P1): get_invoice_status now returns
ProviderInvoiceSnapshot { status, amount }. On a confirmed settle,
audit_settle_amount (shared by the webhook and reconcile issue paths) compares
the provider-reported sat amount against the invoice's amount_sats and, on drift,
logs a warning + writes an invoice.amount_mismatch audit row, then issues anyway.
Advisory by design: a hard gate would fight an operator's BTCPay payment
tolerance, and Settled already implies paid-in-full. SAT-only — skips non-SAT
settles (fiat subscription renewals) and unparseable amounts.

2026-06-13 00:10:45 -05:00

Grant

783372c03b

Confirm settle with provider API before issuing; add test-injection seam

The settle-webhook honored payment on the webhook body's claim alone.
Zaprite webhooks carry no signature, so a forged order.change/status=PAID
POST with a buyer-visible order id minted a signed license without payment.

handle_inner now re-fetches provider.get_invoice_status and requires Settled
before persisting "settled" or taking any settle-derived action (issuance,
tier-change, subscription renewal — the guard precedes all of them). On a
provider-API error it acks 200 without issuing, so a transient outage can't
trigger a webhook retry storm; the reconcile loop re-confirms and issues later.

Adds the always-compiled AppState::provider_override seam (None in prod),
honored by provider_from_row at every resolution site, so integration tests
drive the real resolver with a MockPaymentProvider. Greens the two
paid_purchase_* tests, deletes the dead payment_provider_preference_round_trip,
and adds forged-settle + provider-unreachable regression tests. api 47/47.

Not addressed: a literal paid-amount/currency check (needs a trait change).

2026-06-12 22:36:42 -05:00

Grant

7007bf8204

Recurring subs Phase 2 — renewal worker (committed, not published)

Implements the renewal lifecycle from RECURRING_SUBSCRIPTIONS_DESIGN.md
phase 2. Operators don't see this yet (no admin UI); the worker
only acts on subscriptions that exist in the schema, and creating
subscription rows still requires direct DB insert. Phase 4 (admin
UI) wires the buyer-facing surface that creates them.

src/subscriptions.rs (new module, ~450 LOC):
- find_due_renewals: subs with status active|past_due whose
  next_renewal_at has passed and consecutive_failures < cap
- find_lapsing_subscriptions: past_due subs whose
  (next_renewal_at + grace_period_days) is in the past
- mark_lapsed / mark_active_after_settle / mark_renewal_failed:
  state-transition helpers
- create_subscription: atomic create-sub + first-cycle invoice
  (called by purchase flow when policy.is_recurring; not yet
  wired — that's a separate phase)
- on_invoice_settled: helper for webhook handler to flip a sub
  from past_due back to active and dispatch subscription.renewed
- find_subscription_for_invoice: lookup helper
- tick: 60s sweep, picks up to 25 due renewals + lapse sweep
- spawn: long-lived background task, mirrors webhooks::spawn_delivery_worker

Renewal flow per due sub:
  1. Convert listed_value to sats via rates::convert_to_sats
     (identity for SAT subs; live rate fetcher for USD/EUR — per
     MULTI_CURRENCY_DESIGN.md "USD-stable / re-quote each cycle"
     decision).
  2. Get the active payment provider, call create_invoice with
     the same trait surface used by one-shot purchases. Works
     against BTCPay or Zaprite or any future provider.
  3. Persist the local invoice row carrying the rate audit
     (listed_currency / listed_value / exchange_rate_centibps /
     exchange_rate_source). For SAT subs, rate fields are NULL
     (identity conversion isn't worth recording).
  4. Insert subscription_invoices linking the invoice to the sub
     with monotonic cycle_number.
  5. Update sub: status → past_due, next_renewal_at → end of new
     cycle, last_renewal_attempt_at → now.
  6. Dispatch subscription.renewal_pending webhook to the operator.

On settle (webhook handler): if the invoice is linked via
subscription_invoices, flip sub → active, reset
consecutive_failures to 0, dispatch subscription.renewed.

Failure path: increment consecutive_failures, push next_renewal_at
out by exponential backoff (5min → 30min → 2h → 6h → 12h, capped
at 5 failures ≈ 24h of retries before the worker stops trying).
Operator can see stuck subs via the upcoming admin UI; for now
they show up in the audit log via webhook deliveries.

Lapse path: separate sweep finds past_due subs whose
(next_renewal_at + policy.grace_period_days) is past now, flips
to lapsed, dispatches subscription.lapsed.

Wired into:
- src/lib.rs: pub mod subscriptions
- src/main.rs: subscriptions::spawn(state.clone()) alongside
  reconcile + webhooks + analytics
- src/api/webhook.rs: settle path now calls
  subscriptions::on_invoice_settled before license issuance —
  ordering matters because first-cycle subs create both a sub
  row AND a license; we want the sub state correct on the way
  to the license-issuance branch

Test: 7 integration tests in tests/subscriptions.rs. Drives the
worker against a MockProvider with fail-on-demand semantics:
- renewal_worker_creates_invoice_for_sat_priced_due_sub: SAT sub
  charges listed_value sats verbatim, no rate audit, sub goes
  active → past_due, subscription_invoices gets a new cycle row
- renewal_worker_requotes_rate_for_fiat_priced_sub: $25 USD at
  pinned $50k/BTC = exactly 50,000 sats; rate audit pinned on
  invoice; centibps encoded correctly
- renewal_worker_backs_off_on_failure: failed create_invoice →
  consecutive_failures = 1, no invoice created, sub → past_due
- renewal_worker_stops_retrying_at_max_failures: pre-set failures
  = MAX, tick is a no-op for that sub
- lapse_sweep_flips_past_due_after_grace: 15-day-old past_due
  with grace=7 → lapsed
- settle_webhook_flips_sub_back_to_active: tick creates renewal,
  simulate settle, on_invoice_settled flips sub back to active
- tick_is_no_op_when_nothing_due: empty fixture, tick is safe

Test count: 49 (was 42; +7).

NOT bumping version. The recurring-subs feature isn't operator-
visible until phases 4+5 (admin UI for creating recurring
policies + buy page rendering for "$25/month"). Schema is in,
worker runs, but nothing creates subs yet — so this commit
ships dormant.

2026-05-08 17:26:10 -05:00

3 Commits