@vibecodiq/cli 0.5.0 → 0.6.0

package/dist/foundation/payments_basic/shared/resolver.ts

@@ -0,0 +1,61 @@
+import { createAdminClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Entitlement resolver — syncs entitlements from plan_features when subscription changes.
+// Called from Stripe webhook handler on plan change events.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+/**
+ * Sync entitlements for user based on their current plan.
+ *
+ * Flow:
+ * 1. Read plan_features for planKey
+ * 2. Delete old plan-sourced entitlements (keep overrides)
+ * 3. Insert new entitlements from plan
+ *
+ * Called from:
+ * - Stripe webhook handler (plan change)
+ * - User registration (set free plan defaults)
+ */
+export async function syncEntitlements(
+  userId: string,
+  planKey: string,
+): Promise<void> {
+  const supabase = createAdminClient();
+
+  // 1. Get plan features
+  const { data: planFeatures } = await supabase
+    .from('plan_features')
+    .select('*')
+    .eq('plan_key', planKey);
+
+  if (!planFeatures || planFeatures.length === 0) {
+    console.warn(`[ASA Entitlements] No plan_features found for plan: ${planKey}`);
+    return;
+  }
+
+  // 2. Delete old plan-sourced entitlements (keep overrides)
+  await supabase
+    .from('entitlements')
+    .delete()
+    .eq('user_id', userId)
+    .eq('source', 'plan');
+
+  // 3. Insert new entitlements from plan
+  const rows = planFeatures.map((pf: { feature_key: string; feature_type: string; value: string }) => ({
+    user_id: userId,
+    feature_key: pf.feature_key,
+    feature_type: pf.feature_type,
+    value: pf.value,
+    source: 'plan',
+  }));
+
+  const { error } = await supabase.from('entitlements').insert(rows);
+  if (error) {
+    console.error(`[ASA Entitlements] Failed to sync entitlements for user ${userId}:`, error);
+  }
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/shared/stripe-client.ts

@@ -0,0 +1,15 @@
+import Stripe from 'stripe';
+
+// --- ASA GENERATED START ---
+// Stripe client for server-side operations.
+// NEVER import in browser-capable files.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
+  apiVersion: '2024-12-18.acacia',
+  typescript: true,
+});
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/shared/types.ts

@@ -0,0 +1,84 @@
+// --- ASA GENERATED START ---
+// Billing types for payments-basic module.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+/**
+ * Subscription State Machine (research-validated)
+ *
+ * States and their access implications:
+ * - active:     ✅ Full access
+ * - past_due:   ✅ Still has access (Stripe retrying payment)
+ * - trialing:   ✅ Full access (trial period)
+ * - incomplete: ⚠️  Limited access (initial payment pending)
+ * - canceled:   ❌ Access revoked
+ * - unpaid:     ❌ Access revoked (all retries failed)
+ *
+ * IMPORTANT: past_due = "still has access". Most apps incorrectly
+ * check only for 'active' and lock out paying users during dunning.
+ */
+export type SubscriptionStatus =
+  | 'active'
+  | 'past_due'
+  | 'trialing'
+  | 'incomplete'
+  | 'canceled'
+  | 'unpaid';
+
+export const ACCESS_GRANTED_STATUSES: SubscriptionStatus[] = [
+  'active',
+  'past_due',
+  'trialing',
+];
+
+export const ACCESS_REVOKED_STATUSES: SubscriptionStatus[] = [
+  'canceled',
+  'unpaid',
+];
+
+export function hasActiveAccess(status: SubscriptionStatus): boolean {
+  return ACCESS_GRANTED_STATUSES.includes(status);
+}
+
+export interface Subscription {
+  id: string;
+  user_id: string;
+  stripe_customer_id: string | null;
+  stripe_subscription_id: string | null;
+  plan: string;
+  status: SubscriptionStatus;
+  current_period_end: string | null;
+  cancel_at_period_end: boolean;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface PlanLimitCheck {
+  allowed: boolean;
+  currentUsage: number;
+  limit: number;
+  plan: string;
+}
+
+/**
+ * Stripe webhook event types handled by payments-basic.
+ */
+export type HandledStripeEvent =
+  | 'checkout.session.completed'
+  | 'customer.subscription.created'
+  | 'customer.subscription.updated'
+  | 'customer.subscription.deleted'
+  | 'invoice.paid'
+  | 'invoice.payment_failed';
+
+/**
+ * Processed webhook event record for idempotency.
+ */
+export interface WebhookEventRecord {
+  event_id: string;
+  event_type: string;
+  processed_at: string;
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/shared/webhook-handler.ts

@@ -0,0 +1,198 @@
+import Stripe from 'stripe';
+import { stripe } from './stripe-client';
+import { createAdminClient } from '@/shared/db/supabase-client';
+import type { HandledStripeEvent, SubscriptionStatus } from './types';
+import { syncEntitlements } from '@/shared/entitlements/resolver';
+
+// --- ASA GENERATED START ---
+// Idempotent Stripe webhook handler for payments-basic module.
+//
+// Research-validated patterns:
+// 1. Raw body for signature verification (await request.text())
+// 2. Idempotent processing (event ID dedup via webhook_events table)
+// 3. Eager state sync (always fetch current state from Stripe API, don't trust payload)
+// 4. Return 200 for unrecognized events (prevent Stripe retry loops)
+// 5. Correct dunning: past_due = still has access
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+const HANDLED_EVENTS: HandledStripeEvent[] = [
+  'checkout.session.completed',
+  'customer.subscription.created',
+  'customer.subscription.updated',
+  'customer.subscription.deleted',
+  'invoice.paid',
+  'invoice.payment_failed',
+];
+
+/**
+ * Process incoming Stripe webhook event.
+ *
+ * IMPORTANT implementation notes:
+ * - Uses raw body (string) for signature verification
+ * - Checks idempotency before processing (event ID in webhook_events table)
+ * - Always fetches current state from Stripe API (never trusts webhook payload alone)
+ * - Returns 200 for all events (including unhandled) to prevent Stripe retries
+ */
+export async function handleWebhook(
+  rawBody: string,
+  signature: string,
+): Promise<{ status: number; message: string }> {
+  const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!;
+
+  // 1. Verify signature using RAW body (not parsed JSON)
+  let event: Stripe.Event;
+  try {
+    event = stripe.webhooks.constructEvent(rawBody, signature, webhookSecret);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'Unknown error';
+    return { status: 400, message: `Webhook signature verification failed: ${message}` };
+  }
+
+  // 2. Idempotency check — skip if already processed
+  const supabase = createAdminClient();
+  const { data: existing } = await supabase
+    .from('webhook_events')
+    .select('event_id')
+    .eq('event_id', event.id)
+    .single();
+
+  if (existing) {
+    return { status: 200, message: `Event ${event.id} already processed` };
+  }
+
+  // 3. Record event as processing (before handling)
+  await supabase.from('webhook_events').insert({
+    event_id: event.id,
+    event_type: event.type,
+    processed_at: new Date().toISOString(),
+  });
+
+  // 4. Handle known events (fetch current state from Stripe, don't trust payload)
+  if (HANDLED_EVENTS.includes(event.type as HandledStripeEvent)) {
+    try {
+      await processEvent(event, supabase);
+    } catch (err) {
+      console.error(`[ASA Webhook] Error processing ${event.type}:`, err);
+      // Still return 200 — retrying won't help if our logic failed
+    }
+  }
+
+  // 5. Return 200 for ALL events (including unrecognized)
+  // Returning 400 for unrecognized events causes Stripe retry loops
+  return { status: 200, message: `Event ${event.id} processed` };
+}
+
+/**
+ * Process a specific Stripe event by fetching current state from Stripe API.
+ *
+ * PATTERN: Webhooks are SIGNALS, not source of truth.
+ * Always fetch the latest canonical state from Stripe before updating DB.
+ */
+async function processEvent(event: Stripe.Event, supabase: any): Promise<void> {
+  switch (event.type) {
+    case 'checkout.session.completed': {
+      const session = event.data.object as Stripe.Checkout.Session;
+      if (session.subscription && session.customer) {
+        // Fetch current subscription state from Stripe (not from webhook payload)
+        const subscription = await stripe.subscriptions.retrieve(
+          session.subscription as string,
+        );
+        await upsertSubscription(supabase, subscription, session.customer as string);
+      }
+      break;
+    }
+
+    case 'customer.subscription.created':
+    case 'customer.subscription.updated':
+    case 'customer.subscription.deleted': {
+      const subEvent = event.data.object as Stripe.Subscription;
+      // Fetch current state from Stripe API (eager sync)
+      const subscription = await stripe.subscriptions.retrieve(subEvent.id);
+      await upsertSubscription(
+        supabase,
+        subscription,
+        subscription.customer as string,
+      );
+      break;
+    }
+
+    case 'invoice.paid':
+    case 'invoice.payment_failed': {
+      const invoice = event.data.object as Stripe.Invoice;
+      if (invoice.subscription) {
+        const subscription = await stripe.subscriptions.retrieve(
+          invoice.subscription as string,
+        );
+        await upsertSubscription(
+          supabase,
+          subscription,
+          subscription.customer as string,
+        );
+      }
+      break;
+    }
+  }
+}
+
+/**
+ * Upsert subscription state in database.
+ *
+ * Maps Stripe subscription status to our state machine:
+ * - active, past_due, trialing → access granted
+ * - canceled, unpaid, incomplete_expired → access revoked
+ */
+async function upsertSubscription(
+  supabase: any,
+  subscription: Stripe.Subscription,
+  stripeCustomerId: string,
+): Promise<void> {
+  // Find user by stripe_customer_id
+  const { data: existingSub } = await supabase
+    .from('subscriptions')
+    .select('id, user_id')
+    .eq('stripe_customer_id', stripeCustomerId)
+    .single();
+
+  const status = mapStripeStatus(subscription.status);
+  const plan = subscription.status === 'canceled' ? 'free' : 'pro';
+
+  const subscriptionData = {
+    stripe_customer_id: stripeCustomerId,
+    stripe_subscription_id: subscription.id,
+    plan,
+    status,
+    current_period_end: subscription.current_period_end
+      ? new Date(subscription.current_period_end * 1000).toISOString()
+      : null,
+    cancel_at_period_end: subscription.cancel_at_period_end ?? false,
+    updated_at: new Date().toISOString(),
+  };
+
+  if (existingSub) {
+    await supabase
+      .from('subscriptions')
+      .update(subscriptionData)
+      .eq('id', existingSub.id);
+
+    // Sync entitlements based on new plan
+    await syncEntitlements(existingSub.user_id, plan);
+  }
+  // If no existing subscription found, the checkout handler should have created it
+}
+
+function mapStripeStatus(stripeStatus: string): SubscriptionStatus {
+  const statusMap: Record<string, SubscriptionStatus> = {
+    active: 'active',
+    past_due: 'past_due',
+    trialing: 'trialing',
+    incomplete: 'incomplete',
+    canceled: 'canceled',
+    unpaid: 'unpaid',
+    incomplete_expired: 'canceled',
+  };
+  return statusMap[stripeStatus] ?? 'canceled';
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/shared/webhook-processor.ts

@@ -0,0 +1,174 @@
+import { createAdminClient } from '@/shared/db/supabase-client';
+import { stripe } from '@/shared/billing/stripe-client';
+import type Stripe from 'stripe';
+
+// --- ASA GENERATED START ---
+// Webhook event processor — processes pending events from webhook_events table.
+// Called by scheduled processor (Supabase Cron or Vercel Cron).
+// Implements: idempotency, locking, retry tracking, always-fetch-current-state.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+const BATCH_SIZE = 10;
+const LOCK_TIMEOUT_MINUTES = 5;
+
+/**
+ * Process pending webhook events from the inbox table.
+ * Call this from a cron job / scheduled function.
+ */
+export async function processWebhookEvents(): Promise<{ processed: number; failed: number }> {
+  const supabase = createAdminClient();
+  let processed = 0;
+  let failed = 0;
+
+  // Lock and fetch pending events (skip already locked)
+  const cutoff = new Date(Date.now() - LOCK_TIMEOUT_MINUTES * 60 * 1000).toISOString();
+
+  const { data: events } = await supabase
+    .from('webhook_events')
+    .select('*')
+    .eq('status', 'pending')
+    .or(`locked_at.is.null,locked_at.lt.${cutoff}`)
+    .order('received_at', { ascending: true })
+    .limit(BATCH_SIZE);
+
+  if (!events || events.length === 0) return { processed, failed };
+
+  for (const event of events) {
+    // Lock the event
+    await supabase
+      .from('webhook_events')
+      .update({ locked_at: new Date().toISOString(), status: 'processing' })
+      .eq('id', event.id)
+      .eq('status', 'pending');
+
+    try {
+      await handleStripeEvent(event.type, event.payload);
+
+      // Mark as processed
+      await supabase
+        .from('webhook_events')
+        .update({
+          status: 'processed',
+          processed_at: new Date().toISOString(),
+          attempt_count: event.attempt_count + 1,
+          locked_at: null,
+        })
+        .eq('id', event.id);
+
+      processed++;
+    } catch (err) {
+      // Mark as failed with error
+      await supabase
+        .from('webhook_events')
+        .update({
+          status: event.attempt_count >= 2 ? 'failed' : 'pending',
+          last_error: err instanceof Error ? err.message : String(err),
+          attempt_count: event.attempt_count + 1,
+          locked_at: null,
+        })
+        .eq('id', event.id);
+
+      failed++;
+    }
+  }
+
+  return { processed, failed };
+}
+
+/**
+ * Handle a single Stripe event.
+ * Always fetches current state from Stripe — never trusts webhook payload alone.
+ */
+async function handleStripeEvent(type: string, payload: Record<string, unknown>): Promise<void> {
+  const supabase = createAdminClient();
+  const object = payload.object as Record<string, unknown>;
+
+  switch (type) {
+    case 'customer.subscription.created':
+    case 'customer.subscription.updated': {
+      // Always fetch current subscription from Stripe
+      const sub = await stripe.subscriptions.retrieve(object.id as string);
+      await syncSubscription(supabase, sub);
+      break;
+    }
+
+    case 'customer.subscription.deleted': {
+      const sub = payload.object as unknown as Stripe.Subscription;
+      const customerId = typeof sub.customer === 'string' ? sub.customer : sub.customer?.id;
+
+      await supabase
+        .from('subscriptions')
+        .update({ plan: 'free', status: 'canceled', stripe_subscription_id: null })
+        .eq('stripe_customer_id', customerId);
+      break;
+    }
+
+    case 'invoice.payment_failed': {
+      const invoice = payload.object as unknown as Stripe.Invoice;
+      const customerId = typeof invoice.customer === 'string' ? invoice.customer : invoice.customer?.id;
+
+      await supabase
+        .from('subscriptions')
+        .update({ status: 'past_due' })
+        .eq('stripe_customer_id', customerId);
+      break;
+    }
+
+    case 'invoice.paid': {
+      const invoice = payload.object as unknown as Stripe.Invoice;
+      const customerId = typeof invoice.customer === 'string' ? invoice.customer : invoice.customer?.id;
+
+      // Re-activate if was past_due
+      await supabase
+        .from('subscriptions')
+        .update({ status: 'active' })
+        .eq('stripe_customer_id', customerId)
+        .eq('status', 'past_due');
+      break;
+    }
+
+    default:
+      // Unhandled event type — log but don't fail
+      console.log(`[webhook-processor] Unhandled event type: ${type}`);
+  }
+}
+
+/**
+ * Sync subscription state from Stripe to local DB.
+ * Implements "always fetch current state" pattern.
+ */
+async function syncSubscription(
+  supabase: ReturnType<typeof createAdminClient>,
+  sub: Stripe.Subscription,
+): Promise<void> {
+  const customerId = typeof sub.customer === 'string' ? sub.customer : sub.customer.id;
+  const priceId = sub.items.data[0]?.price?.id;
+
+  // Map Stripe status to our billing state machine
+  let status: string;
+  switch (sub.status) {
+    case 'active': status = 'active'; break;
+    case 'trialing': status = 'trialing'; break;
+    case 'past_due': status = 'past_due'; break;
+    case 'canceled': status = 'canceled'; break;
+    case 'unpaid': status = 'past_due'; break;
+    default: status = sub.status;
+  }
+
+  // Determine plan from price ID
+  const { PLANS } = await import('@/shared/billing/plans');
+  const plan = PLANS.find((p: { stripe_price_id?: string }) => p.stripe_price_id === priceId)?.id ?? 'pro';
+
+  await supabase
+    .from('subscriptions')
+    .update({
+      plan,
+      status,
+      stripe_subscription_id: sub.id,
+    })
+    .eq('stripe_customer_id', customerId);
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/slices/cancel/handler.ts

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requireAuth } from '@/shared/auth/guards';
+import { stripe } from '@/shared/billing/stripe-client';
+import { createAdminClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Route handler for billing/cancel slice.
+// Cancels subscription at period end (not immediately).
+// Security: requires authenticated user, validates subscription ownership.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  try {
+    const { user, response } = await requireAuth(request);
+    if (response) return response;
+
+    const supabase = createAdminClient();
+
+    const { data: subscription } = await supabase
+      .from('subscriptions')
+      .select('stripe_subscription_id, status')
+      .eq('user_id', user!.id)
+      .single();
+
+    if (!subscription?.stripe_subscription_id) {
+      return NextResponse.json(
+        { success: false, error: 'No active subscription found' },
+        { status: 404 },
+      );
+    }
+
+    // Cancel at period end — user keeps access until billing period ends
+    await stripe.subscriptions.update(subscription.stripe_subscription_id, {
+      cancel_at_period_end: true,
+    });
+
+    // Update local status
+    await supabase
+      .from('subscriptions')
+      .update({ status: 'canceling' })
+      .eq('user_id', user!.id);
+
+    return NextResponse.json({ success: true, error: null });
+  } catch (err) {
+    console.error('[billing/cancel] Error:', err);
+    return NextResponse.json(
+      { success: false, error: 'Failed to cancel subscription' },
+      { status: 500 },
+    );
+  }
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/slices/cancel/slice.contract.json

@@ -0,0 +1,17 @@
+{
+  "domain": "billing",
+  "slice": "cancel",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Cancel active subscription via Stripe. Cancels at period end (not immediately).",
+  "input": {},
+  "output": {
+    "success": "boolean",
+    "error": "string | null"
+  },
+  "side_effects": [
+    "Sets Stripe subscription to cancel_at_period_end",
+    "Updates local subscription status"
+  ]
+}

package/dist/foundation/payments_basic/slices/cancel/ui/hook.ts

@@ -0,0 +1,45 @@
+import { useState } from 'react';
+
+// --- ASA GENERATED START ---
+// React hook for billing/cancel slice.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export function useCancel() {
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [success, setSuccess] = useState(false);
+
+  async function cancel(): Promise<boolean> {
+    setLoading(true);
+    setError(null);
+    setSuccess(false);
+
+    try {
+      const res = await fetch('/api/billing/cancel', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+      });
+
+      const data = await res.json();
+
+      if (!data.success) {
+        setError(data.error);
+        return false;
+      }
+
+      setSuccess(true);
+      return true;
+    } catch {
+      setError('Failed to cancel subscription. Please try again.');
+      return false;
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  return { cancel, loading, error, success };
+}
+
+// --- USER CODE END ---

package/dist/foundation/payments_basic/slices/check_limits/handler.ts

@@ -0,0 +1,33 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requireAuth } from '@/shared/auth/guards';
+import { checkEntitlement } from '@/shared/billing/entitlements';
+
+// --- ASA GENERATED START ---
+// Route handler for billing/check-limits slice.
+// Returns current plan entitlements and whether user can access a specific feature.
+// Security: requires authenticated user.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  try {
+    const { user, response } = await requireAuth(request);
+    if (response) return response;
+
+    const url = new URL(request.url);
+    const feature = url.searchParams.get('feature');
+
+    const result = await checkEntitlement(user!.id, feature ?? undefined);
+
+    return NextResponse.json(result);
+  } catch (err) {
+    console.error('[billing/check-limits] Error:', err);
+    return NextResponse.json(
+      { plan: 'free', entitlements: {}, can_access: false },
+      { status: 500 },
+    );
+  }
+}
+
+// --- USER CODE END ---