@wopr-network/platform-core 1.46.0 → 1.47.0

package/dist/trpc/index.d.ts

@@ -2,3 +2,4 @@ export { createAdminFleetUpdateRouter } from "./admin-fleet-update-router.js";
 export { createFleetUpdateConfigRouter } from "./fleet-update-config-router.js";
 export { adminProcedure, createCallerFactory, orgAdminProcedure, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, type TRPCContext, tenantProcedure, } from "./init.js";
 export { createNotificationTemplateRouter } from "./notification-template-router.js";
+export { createOrgRemovePaymentMethodRouter, type OrgRemovePaymentMethodDeps, } from "./org-remove-payment-method-router.js";

package/dist/trpc/index.js

@@ -2,3 +2,4 @@ export { createAdminFleetUpdateRouter } from "./admin-fleet-update-router.js";
 export { createFleetUpdateConfigRouter } from "./fleet-update-config-router.js";
 export { adminProcedure, createCallerFactory, orgAdminProcedure, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, tenantProcedure, } from "./init.js";
 export { createNotificationTemplateRouter } from "./notification-template-router.js";
+export { createOrgRemovePaymentMethodRouter, } from "./org-remove-payment-method-router.js";

package/dist/trpc/org-remove-payment-method-router.d.ts

@@ -0,0 +1,23 @@
+import type { IPaymentProcessor } from "../billing/payment-processor.js";
+import type { IAutoTopupSettingsRepository } from "../credits/auto-topup-settings-repository.js";
+export interface OrgRemovePaymentMethodDeps {
+    processor: IPaymentProcessor;
+    autoTopupSettingsStore?: IAutoTopupSettingsRepository;
+}
+export declare function createOrgRemovePaymentMethodRouter(getDeps: () => OrgRemovePaymentMethodDeps): import("@trpc/server").TRPCBuiltRouter<{
+    ctx: import("./init.js").TRPCContext;
+    meta: object;
+    errorShape: import("@trpc/server").TRPCDefaultErrorShape;
+    transformer: false;
+}, import("@trpc/server").TRPCDecorateCreateRouterOptions<{
+    orgRemovePaymentMethod: import("@trpc/server").TRPCMutationProcedure<{
+        input: {
+            orgId: string;
+            paymentMethodId: string;
+        };
+        output: {
+            removed: boolean;
+        };
+        meta: object;
+    }>;
+}>>;

package/dist/trpc/org-remove-payment-method-router.js

@@ -0,0 +1,61 @@
+import { TRPCError } from "@trpc/server";
+import { z } from "zod";
+import { PaymentMethodOwnershipError } from "../billing/payment-processor.js";
+import { orgAdminProcedure, router } from "./init.js";
+export function createOrgRemovePaymentMethodRouter(getDeps) {
+    return router({
+        orgRemovePaymentMethod: orgAdminProcedure
+            .input(z.object({
+            orgId: z.string().min(1),
+            paymentMethodId: z.string().min(1),
+        }))
+            .mutation(async ({ input }) => {
+            const { processor, autoTopupSettingsStore } = getDeps();
+            if (!autoTopupSettingsStore) {
+                console.warn("orgRemovePaymentMethod: autoTopupSettingsStore not provided — last-payment-method guard is inactive");
+            }
+            // Guard: prevent removing the last payment method when auto-topup is enabled
+            if (autoTopupSettingsStore) {
+                const methods = await processor.listPaymentMethods(input.orgId);
+                if (methods.length <= 1) {
+                    const settings = await autoTopupSettingsStore.getByTenant(input.orgId);
+                    if (settings && (settings.usageEnabled || settings.scheduleEnabled)) {
+                        throw new TRPCError({
+                            code: "FORBIDDEN",
+                            message: "Cannot remove last payment method while auto-topup is enabled. Disable auto-topup first.",
+                        });
+                    }
+                }
+            }
+            try {
+                await processor.detachPaymentMethod(input.orgId, input.paymentMethodId);
+            }
+            catch (err) {
+                if (err instanceof PaymentMethodOwnershipError) {
+                    throw new TRPCError({
+                        code: "FORBIDDEN",
+                        message: "Payment method does not belong to this organization",
+                    });
+                }
+                throw new TRPCError({
+                    code: "INTERNAL_SERVER_ERROR",
+                    message: "Failed to remove payment method. Please try again.",
+                });
+            }
+            // TOCTOU guard: re-check count after detach. A concurrent request
+            // may have already removed another payment method between our pre-check
+            // and this detach, leaving the org with 0 methods while auto-topup is
+            // still enabled. Warn operators — the method is already gone.
+            if (autoTopupSettingsStore) {
+                const remaining = await processor.listPaymentMethods(input.orgId);
+                if (remaining.length === 0) {
+                    const settings = await autoTopupSettingsStore.getByTenant(input.orgId);
+                    if (settings && (settings.usageEnabled || settings.scheduleEnabled)) {
+                        console.warn("orgRemovePaymentMethod: TOCTOU — org %s now has 0 payment methods with auto-topup enabled. Operator must add a payment method or disable auto-topup.", input.orgId);
+                    }
+                }
+            }
+            return { removed: true };
+        }),
+    });
+}

package/dist/trpc/org-remove-payment-method-router.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/trpc/org-remove-payment-method-router.test.js

@@ -0,0 +1,166 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { createCallerFactory, router, setTrpcOrgMemberRepo } from "./init.js";
+import { createOrgRemovePaymentMethodRouter } from "./org-remove-payment-method-router.js";
+// ---------------------------------------------------------------------------
+// Mock helpers
+// ---------------------------------------------------------------------------
+function makeMockOrgMemberRepo(overrides) {
+    return {
+        listMembers: vi.fn().mockResolvedValue([]),
+        addMember: vi.fn().mockResolvedValue(undefined),
+        updateMemberRole: vi.fn().mockResolvedValue(undefined),
+        removeMember: vi.fn().mockResolvedValue(undefined),
+        findMember: vi.fn().mockResolvedValue({ userId: "u1", role: "owner" }),
+        countAdminsAndOwners: vi.fn().mockResolvedValue(1),
+        listInvites: vi.fn().mockResolvedValue([]),
+        createInvite: vi.fn().mockResolvedValue(undefined),
+        findInviteById: vi.fn().mockResolvedValue(null),
+        findInviteByToken: vi.fn().mockResolvedValue(null),
+        deleteInvite: vi.fn().mockResolvedValue(undefined),
+        deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+        deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        listOrgsByUser: vi.fn().mockResolvedValue([]),
+        markInviteAccepted: vi.fn().mockResolvedValue(undefined),
+        ...overrides,
+    };
+}
+function makeMockProcessor(methods) {
+    return {
+        name: "mock",
+        createCheckoutSession: vi.fn(),
+        handleWebhook: vi.fn(),
+        supportsPortal: vi.fn().mockReturnValue(false),
+        createPortalSession: vi.fn(),
+        setupPaymentMethod: vi.fn(),
+        listPaymentMethods: vi.fn().mockResolvedValue(methods),
+        charge: vi.fn(),
+        detachPaymentMethod: vi.fn().mockResolvedValue(undefined),
+        getCustomerEmail: vi.fn().mockResolvedValue(""),
+        updateCustomerEmail: vi.fn(),
+        listInvoices: vi.fn().mockResolvedValue([]),
+    };
+}
+function makeMockAutoTopupSettings(overrides) {
+    const settings = overrides
+        ? {
+            tenantId: "org-1",
+            usageEnabled: false,
+            usageThreshold: { toCentsRounded: () => 0 },
+            usageTopup: { toCentsRounded: () => 0 },
+            usageConsecutiveFailures: 0,
+            usageChargeInFlight: false,
+            scheduleEnabled: false,
+            scheduleAmount: { toCentsRounded: () => 0 },
+            scheduleIntervalHours: 0,
+            scheduleNextAt: null,
+            scheduleConsecutiveFailures: 0,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+            ...overrides,
+        }
+        : null;
+    return {
+        getByTenant: vi.fn().mockResolvedValue(settings),
+        upsert: vi.fn(),
+        setUsageChargeInFlight: vi.fn(),
+        tryAcquireUsageInFlight: vi.fn(),
+        incrementUsageFailures: vi.fn(),
+        resetUsageFailures: vi.fn(),
+        disableUsage: vi.fn(),
+        incrementScheduleFailures: vi.fn(),
+        resetScheduleFailures: vi.fn(),
+        disableSchedule: vi.fn(),
+        advanceScheduleNextAt: vi.fn(),
+        listDueScheduled: vi.fn().mockResolvedValue([]),
+        getMaxConsecutiveFailures: vi.fn().mockResolvedValue(0),
+    };
+}
+function authedContext() {
+    return { user: { id: "u1", roles: ["user"] }, tenantId: "org-1" };
+}
+function unauthedContext() {
+    return { user: undefined, tenantId: undefined };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("orgRemovePaymentMethod router", () => {
+    let processor;
+    let autoTopupStore;
+    beforeEach(() => {
+        processor = makeMockProcessor([{ id: "pm_1", label: "Visa ending 4242", isDefault: true }]);
+        autoTopupStore = makeMockAutoTopupSettings();
+        setTrpcOrgMemberRepo(makeMockOrgMemberRepo());
+    });
+    function buildCaller(deps) {
+        const subRouter = createOrgRemovePaymentMethodRouter(() => ({
+            processor: deps.processor,
+            autoTopupSettingsStore: deps.autoTopupSettingsStore,
+        }));
+        const appRouter = router({ org: subRouter });
+        return createCallerFactory(appRouter);
+    }
+    it("successfully removes a payment method", async () => {
+        const caller = buildCaller({ processor, autoTopupSettingsStore: autoTopupStore })(authedContext());
+        const result = await caller.org.orgRemovePaymentMethod({
+            orgId: "org-1",
+            paymentMethodId: "pm_1",
+        });
+        expect(result).toEqual({ removed: true });
+        expect(processor.detachPaymentMethod).toHaveBeenCalledWith("org-1", "pm_1");
+    });
+    it("rejects unauthenticated users", async () => {
+        const caller = buildCaller({ processor, autoTopupSettingsStore: autoTopupStore })(unauthedContext());
+        await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+            code: "UNAUTHORIZED",
+        });
+    });
+    it("rejects when removing last PM with auto-topup usage enabled", async () => {
+        const usageStore = makeMockAutoTopupSettings({ usageEnabled: true });
+        const caller = buildCaller({
+            processor,
+            autoTopupSettingsStore: usageStore,
+        })(authedContext());
+        await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+            code: "FORBIDDEN",
+        });
+    });
+    it("rejects when removing last PM with auto-topup schedule enabled", async () => {
+        const scheduleStore = makeMockAutoTopupSettings({ scheduleEnabled: true });
+        const caller = buildCaller({
+            processor,
+            autoTopupSettingsStore: scheduleStore,
+        })(authedContext());
+        await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+            code: "FORBIDDEN",
+        });
+    });
+    it("allows removing non-last PM even with auto-topup enabled", async () => {
+        const multiProcessor = makeMockProcessor([
+            { id: "pm_1", label: "Visa ending 4242", isDefault: true },
+            { id: "pm_2", label: "Mastercard ending 5555", isDefault: false },
+        ]);
+        const usageStore = makeMockAutoTopupSettings({ usageEnabled: true });
+        const caller = buildCaller({
+            processor: multiProcessor,
+            autoTopupSettingsStore: usageStore,
+        })(authedContext());
+        const result = await caller.org.orgRemovePaymentMethod({
+            orgId: "org-1",
+            paymentMethodId: "pm_1",
+        });
+        expect(result).toEqual({ removed: true });
+    });
+    it("returns FORBIDDEN when detachPaymentMethod throws PaymentMethodOwnershipError", async () => {
+        const { PaymentMethodOwnershipError } = await import("../billing/payment-processor.js");
+        const ownershipErrorProcessor = makeMockProcessor([]);
+        ownershipErrorProcessor.detachPaymentMethod.mockRejectedValue(new PaymentMethodOwnershipError());
+        const caller = buildCaller({
+            processor: ownershipErrorProcessor,
+            autoTopupSettingsStore: autoTopupStore,
+        })(authedContext());
+        await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+            code: "FORBIDDEN",
+        });
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-core",
-  "version": "1.46.0",
+  "version": "1.47.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/trpc/index.ts

@@ -13,3 +13,7 @@ export {
   tenantProcedure,
 } from "./init.js";
 export { createNotificationTemplateRouter } from "./notification-template-router.js";
+export {
+  createOrgRemovePaymentMethodRouter,
+  type OrgRemovePaymentMethodDeps,
+} from "./org-remove-payment-method-router.js";

package/src/trpc/org-remove-payment-method-router.test.ts

@@ -0,0 +1,188 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { IPaymentProcessor, SavedPaymentMethod } from "../billing/payment-processor.js";
+import type { AutoTopupSettings, IAutoTopupSettingsRepository } from "../credits/auto-topup-settings-repository.js";
+import type { IOrgMemberRepository } from "../tenancy/org-member-repository.js";
+import { createCallerFactory, router, setTrpcOrgMemberRepo } from "./init.js";
+import { createOrgRemovePaymentMethodRouter } from "./org-remove-payment-method-router.js";
+
+// ---------------------------------------------------------------------------
+// Mock helpers
+// ---------------------------------------------------------------------------
+
+function makeMockOrgMemberRepo(overrides?: Partial<IOrgMemberRepository>): IOrgMemberRepository {
+  return {
+    listMembers: vi.fn().mockResolvedValue([]),
+    addMember: vi.fn().mockResolvedValue(undefined),
+    updateMemberRole: vi.fn().mockResolvedValue(undefined),
+    removeMember: vi.fn().mockResolvedValue(undefined),
+    findMember: vi.fn().mockResolvedValue({ userId: "u1", role: "owner" }),
+    countAdminsAndOwners: vi.fn().mockResolvedValue(1),
+    listInvites: vi.fn().mockResolvedValue([]),
+    createInvite: vi.fn().mockResolvedValue(undefined),
+    findInviteById: vi.fn().mockResolvedValue(null),
+    findInviteByToken: vi.fn().mockResolvedValue(null),
+    deleteInvite: vi.fn().mockResolvedValue(undefined),
+    deleteAllMembers: vi.fn().mockResolvedValue(undefined),
+    deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+    listOrgsByUser: vi.fn().mockResolvedValue([]),
+    markInviteAccepted: vi.fn().mockResolvedValue(undefined),
+    ...overrides,
+  };
+}
+
+function makeMockProcessor(methods: SavedPaymentMethod[]): IPaymentProcessor {
+  return {
+    name: "mock",
+    createCheckoutSession: vi.fn(),
+    handleWebhook: vi.fn(),
+    supportsPortal: vi.fn().mockReturnValue(false),
+    createPortalSession: vi.fn(),
+    setupPaymentMethod: vi.fn(),
+    listPaymentMethods: vi.fn().mockResolvedValue(methods),
+    charge: vi.fn(),
+    detachPaymentMethod: vi.fn().mockResolvedValue(undefined),
+    getCustomerEmail: vi.fn().mockResolvedValue(""),
+    updateCustomerEmail: vi.fn(),
+    listInvoices: vi.fn().mockResolvedValue([]),
+  };
+}
+
+function makeMockAutoTopupSettings(overrides?: Partial<AutoTopupSettings>): IAutoTopupSettingsRepository {
+  const settings: AutoTopupSettings | null = overrides
+    ? ({
+        tenantId: "org-1",
+        usageEnabled: false,
+        usageThreshold: { toCentsRounded: () => 0 },
+        usageTopup: { toCentsRounded: () => 0 },
+        usageConsecutiveFailures: 0,
+        usageChargeInFlight: false,
+        scheduleEnabled: false,
+        scheduleAmount: { toCentsRounded: () => 0 },
+        scheduleIntervalHours: 0,
+        scheduleNextAt: null,
+        scheduleConsecutiveFailures: 0,
+        createdAt: new Date().toISOString(),
+        updatedAt: new Date().toISOString(),
+        ...overrides,
+      } as AutoTopupSettings)
+    : null;
+
+  return {
+    getByTenant: vi.fn().mockResolvedValue(settings),
+    upsert: vi.fn(),
+    setUsageChargeInFlight: vi.fn(),
+    tryAcquireUsageInFlight: vi.fn(),
+    incrementUsageFailures: vi.fn(),
+    resetUsageFailures: vi.fn(),
+    disableUsage: vi.fn(),
+    incrementScheduleFailures: vi.fn(),
+    resetScheduleFailures: vi.fn(),
+    disableSchedule: vi.fn(),
+    advanceScheduleNextAt: vi.fn(),
+    listDueScheduled: vi.fn().mockResolvedValue([]),
+    getMaxConsecutiveFailures: vi.fn().mockResolvedValue(0),
+  };
+}
+
+function authedContext() {
+  return { user: { id: "u1", roles: ["user"] }, tenantId: "org-1" };
+}
+
+function unauthedContext() {
+  return { user: undefined, tenantId: undefined };
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("orgRemovePaymentMethod router", () => {
+  let processor: IPaymentProcessor;
+  let autoTopupStore: IAutoTopupSettingsRepository;
+
+  beforeEach(() => {
+    processor = makeMockProcessor([{ id: "pm_1", label: "Visa ending 4242", isDefault: true }]);
+    autoTopupStore = makeMockAutoTopupSettings();
+    setTrpcOrgMemberRepo(makeMockOrgMemberRepo());
+  });
+
+  function buildCaller(deps: { processor: IPaymentProcessor; autoTopupSettingsStore?: IAutoTopupSettingsRepository }) {
+    const subRouter = createOrgRemovePaymentMethodRouter(() => ({
+      processor: deps.processor,
+      autoTopupSettingsStore: deps.autoTopupSettingsStore,
+    }));
+    const appRouter = router({ org: subRouter });
+    return createCallerFactory(appRouter);
+  }
+
+  it("successfully removes a payment method", async () => {
+    const caller = buildCaller({ processor, autoTopupSettingsStore: autoTopupStore })(authedContext());
+    const result = await caller.org.orgRemovePaymentMethod({
+      orgId: "org-1",
+      paymentMethodId: "pm_1",
+    });
+    expect(result).toEqual({ removed: true });
+    expect(processor.detachPaymentMethod).toHaveBeenCalledWith("org-1", "pm_1");
+  });
+
+  it("rejects unauthenticated users", async () => {
+    const caller = buildCaller({ processor, autoTopupSettingsStore: autoTopupStore })(unauthedContext());
+    await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+      code: "UNAUTHORIZED",
+    });
+  });
+
+  it("rejects when removing last PM with auto-topup usage enabled", async () => {
+    const usageStore = makeMockAutoTopupSettings({ usageEnabled: true });
+    const caller = buildCaller({
+      processor,
+      autoTopupSettingsStore: usageStore,
+    })(authedContext());
+    await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+    });
+  });
+
+  it("rejects when removing last PM with auto-topup schedule enabled", async () => {
+    const scheduleStore = makeMockAutoTopupSettings({ scheduleEnabled: true });
+    const caller = buildCaller({
+      processor,
+      autoTopupSettingsStore: scheduleStore,
+    })(authedContext());
+    await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+    });
+  });
+
+  it("allows removing non-last PM even with auto-topup enabled", async () => {
+    const multiProcessor = makeMockProcessor([
+      { id: "pm_1", label: "Visa ending 4242", isDefault: true },
+      { id: "pm_2", label: "Mastercard ending 5555", isDefault: false },
+    ]);
+    const usageStore = makeMockAutoTopupSettings({ usageEnabled: true });
+    const caller = buildCaller({
+      processor: multiProcessor,
+      autoTopupSettingsStore: usageStore,
+    })(authedContext());
+    const result = await caller.org.orgRemovePaymentMethod({
+      orgId: "org-1",
+      paymentMethodId: "pm_1",
+    });
+    expect(result).toEqual({ removed: true });
+  });
+
+  it("returns FORBIDDEN when detachPaymentMethod throws PaymentMethodOwnershipError", async () => {
+    const { PaymentMethodOwnershipError } = await import("../billing/payment-processor.js");
+    const ownershipErrorProcessor = makeMockProcessor([]);
+    (ownershipErrorProcessor.detachPaymentMethod as ReturnType<typeof vi.fn>).mockRejectedValue(
+      new PaymentMethodOwnershipError(),
+    );
+    const caller = buildCaller({
+      processor: ownershipErrorProcessor,
+      autoTopupSettingsStore: autoTopupStore,
+    })(authedContext());
+    await expect(caller.org.orgRemovePaymentMethod({ orgId: "org-1", paymentMethodId: "pm_1" })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+    });
+  });
+});

package/src/trpc/org-remove-payment-method-router.ts

@@ -0,0 +1,80 @@
+import { TRPCError } from "@trpc/server";
+import { z } from "zod";
+import type { IPaymentProcessor } from "../billing/payment-processor.js";
+import { PaymentMethodOwnershipError } from "../billing/payment-processor.js";
+import type { IAutoTopupSettingsRepository } from "../credits/auto-topup-settings-repository.js";
+import { orgAdminProcedure, router } from "./init.js";
+
+export interface OrgRemovePaymentMethodDeps {
+  processor: IPaymentProcessor;
+  autoTopupSettingsStore?: IAutoTopupSettingsRepository;
+}
+
+export function createOrgRemovePaymentMethodRouter(getDeps: () => OrgRemovePaymentMethodDeps) {
+  return router({
+    orgRemovePaymentMethod: orgAdminProcedure
+      .input(
+        z.object({
+          orgId: z.string().min(1),
+          paymentMethodId: z.string().min(1),
+        }),
+      )
+      .mutation(async ({ input }) => {
+        const { processor, autoTopupSettingsStore } = getDeps();
+
+        if (!autoTopupSettingsStore) {
+          console.warn(
+            "orgRemovePaymentMethod: autoTopupSettingsStore not provided — last-payment-method guard is inactive",
+          );
+        }
+
+        // Guard: prevent removing the last payment method when auto-topup is enabled
+        if (autoTopupSettingsStore) {
+          const methods = await processor.listPaymentMethods(input.orgId);
+          if (methods.length <= 1) {
+            const settings = await autoTopupSettingsStore.getByTenant(input.orgId);
+            if (settings && (settings.usageEnabled || settings.scheduleEnabled)) {
+              throw new TRPCError({
+                code: "FORBIDDEN",
+                message: "Cannot remove last payment method while auto-topup is enabled. Disable auto-topup first.",
+              });
+            }
+          }
+        }
+
+        try {
+          await processor.detachPaymentMethod(input.orgId, input.paymentMethodId);
+        } catch (err) {
+          if (err instanceof PaymentMethodOwnershipError) {
+            throw new TRPCError({
+              code: "FORBIDDEN",
+              message: "Payment method does not belong to this organization",
+            });
+          }
+          throw new TRPCError({
+            code: "INTERNAL_SERVER_ERROR",
+            message: "Failed to remove payment method. Please try again.",
+          });
+        }
+
+        // TOCTOU guard: re-check count after detach. A concurrent request
+        // may have already removed another payment method between our pre-check
+        // and this detach, leaving the org with 0 methods while auto-topup is
+        // still enabled. Warn operators — the method is already gone.
+        if (autoTopupSettingsStore) {
+          const remaining = await processor.listPaymentMethods(input.orgId);
+          if (remaining.length === 0) {
+            const settings = await autoTopupSettingsStore.getByTenant(input.orgId);
+            if (settings && (settings.usageEnabled || settings.scheduleEnabled)) {
+              console.warn(
+                "orgRemovePaymentMethod: TOCTOU — org %s now has 0 payment methods with auto-topup enabled. Operator must add a payment method or disable auto-topup.",
+                input.orgId,
+              );
+            }
+          }
+        }
+
+        return { removed: true };
+      }),
+  });
+}