backend-manager 5.0.194 → 5.0.196

package/CHANGELOG.md

@@ -14,6 +14,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+# [5.0.196] - 2026-04-10
+### Changed
+- Moved disposable domain fetch from `prepublishOnly` lifecycle hook to `prepare-package`'s new `hooks.before` config. The fetch now runs on every `npm run prepare` / `npm install` / `npm publish`, so fresh domains land in both the git working tree and the published tarball — no more drift between git and npm.
+- Bumped `prepare-package` devDep to ^2.1.0 (required for hooks support)
+
+# [5.0.195] - 2026-04-10
+### Fixed
+- 24-hour cancellation guard in `payments/cancel` was comparing `Date.now()` (milliseconds) against `startDateUNIX` (seconds), producing an "age" of ~56 years for every subscription — guard never fired and users could cancel brand-new subscriptions. Now multiplies `startDateUNIX` by 1000 before subtraction.
+### Changed
+- Standardized CLI examples in `CLAUDE.md` and `README.md` to use `npx mgr` instead of the deprecated `npx bm` alias
+
 # [5.0.194] - 2026-04-08
 ### Fixed
 - Fix email template data merge: caller's `settings.data` is now deep-merged at root of template data tree, removing the broken `data.` prefix indirection that caused empty order confirmation emails since 5.0.185

package/CLAUDE.md

@@ -600,30 +600,30 @@ The `POST /admin/post` route creates blog posts via GitHub's API. It handles ima
 ### Running Tests
 ```bash
 # Option 1: Two terminals
-npx bm emulator  # Terminal 1 - keeps emulator running
-npx bm test      # Terminal 2 - runs tests
+npx mgr emulator  # Terminal 1 - keeps emulator running
+npx mgr test      # Terminal 2 - runs tests
 
 # Option 2: Single command (auto-starts emulator)
-npx bm test
+npx mgr test
 ```
 
 ### Log Files
 BEM CLI commands automatically save all output to log files in `functions/` while still streaming to the console:
-- **`functions/serve.log`** — Output from `npx bm serve` (Firebase serve)
+- **`functions/serve.log`** — Output from `npx mgr serve` (Firebase serve)
 - **`functions/emulator.log`** — Full emulator output (Firebase emulator + Cloud Functions logs)
 - **`functions/test.log`** — Test runner output (when running against an existing emulator)
-- **`functions/logs.log`** — Cloud Function logs from `npx bm logs:read` or `npx bm logs:tail` (raw JSON for `read`, streaming text for `tail`)
+- **`functions/logs.log`** — Cloud Function logs from `npx mgr logs:read` or `npx mgr logs:tail` (raw JSON for `read`, streaming text for `tail`)
 
-When `npx bm test` starts its own emulator, logs go to `emulator.log` (since it delegates to the emulator command). When running against an already-running emulator, logs go to `test.log`.
+When `npx mgr test` starts its own emulator, logs go to `emulator.log` (since it delegates to the emulator command). When running against an already-running emulator, logs go to `test.log`.
 
 These files are overwritten on each run and are gitignored (`*.log`). Use them to search for errors, debug webhook pipelines, or review full function output after a test run.
 
 ### Filtering Tests
 ```bash
-npx bm test rules/             # Run rules tests (both BEM and project)
-npx bm test bem:rules/         # Only BEM's rules tests
-npx bm test project:rules/     # Only project's rules tests
-npx bm test user/ admin/       # Multiple paths
+npx mgr test rules/             # Run rules tests (both BEM and project)
+npx mgr test bem:rules/         # Only BEM's rules tests
+npx mgr test project:rules/     # Only project's rules tests
+npx mgr test user/ admin/       # Multiple paths
 ```
 
 ### Test Locations
@@ -716,7 +716,7 @@ assert.fail(message)                           // Explicit fail
 
 ## Stripe Webhook Forwarding
 
-BEM auto-starts Stripe CLI webhook forwarding when running `npx bm serve` or `npx bm emulator`. This forwards Stripe test webhooks to the local server so the full payment pipeline works end-to-end during development.
+BEM auto-starts Stripe CLI webhook forwarding when running `npx mgr serve` or `npx mgr emulator`. This forwards Stripe test webhooks to the local server so the full payment pipeline works end-to-end during development.
 
 **Requirements:**
 - `STRIPE_SECRET_KEY` set in `functions/.env`
@@ -725,7 +725,7 @@ BEM auto-starts Stripe CLI webhook forwarding when running `npx bm serve` or `np
 
 **Standalone usage:**
 ```bash
-npx bm stripe
+npx mgr stripe
 ```
 
 If any prerequisite is missing, webhook forwarding is silently skipped with an info message.
@@ -736,28 +736,28 @@ The forwarding URL is: `http://localhost:{hostingPort}/backend-manager/payments/
 
 Quick commands for reading/writing Firestore and managing Auth users directly from the terminal. Works in any BEM consumer project (requires `functions/service-account.json` for production, or `--emulator` for local).
 
-**IMPORTANT: All CLI commands (`npx mgr ...` / `npx bm ...`) MUST be run from the consumer project's `functions/` subdirectory** (e.g., `cd /path/to/my-project/functions && npx mgr ...`). The `mgr` binary lives in `functions/node_modules/.bin/` — running from the project root or any other directory will fail.
+**IMPORTANT: All CLI commands (`npx mgr ...`) MUST be run from the consumer project's `functions/` subdirectory** (e.g., `cd /path/to/my-project/functions && npx mgr ...`). The `mgr` binary lives in `functions/node_modules/.bin/` — running from the project root or any other directory will fail.
 
 ### Firestore Commands
 
 ```bash
-npx bm firestore:get <path>                          # Read a document
-npx bm firestore:set <path> '<json>'                 # Write/merge a document
-npx bm firestore:set <path> '<json>' --no-merge      # Overwrite a document entirely
-npx bm firestore:query <collection>                  # Query a collection (default limit 25)
+npx mgr firestore:get <path>                          # Read a document
+npx mgr firestore:set <path> '<json>'                 # Write/merge a document
+npx mgr firestore:set <path> '<json>' --no-merge      # Overwrite a document entirely
+npx mgr firestore:query <collection>                  # Query a collection (default limit 25)
   --where "field==value"                              #   Filter (repeatable for AND)
   --orderBy "field:desc"                              #   Sort
   --limit N                                           #   Limit results
-npx bm firestore:delete <path>                       # Delete a document (prompts for confirmation)
+npx mgr firestore:delete <path>                       # Delete a document (prompts for confirmation)
 ```
 
 ### Auth Commands
 
 ```bash
-npx bm auth:get <uid-or-email>                       # Get user by UID or email (auto-detected via @)
-npx bm auth:list [--limit N] [--page-token T]        # List users (default 100)
-npx bm auth:delete <uid-or-email>                    # Delete user (prompts for confirmation)
-npx bm auth:set-claims <uid-or-email> '<json>'       # Set custom claims
+npx mgr auth:get <uid-or-email>                       # Get user by UID or email (auto-detected via @)
+npx mgr auth:list [--limit N] [--page-token T]        # List users (default 100)
+npx mgr auth:delete <uid-or-email>                    # Delete user (prompts for confirmation)
+npx mgr auth:set-claims <uid-or-email> '<json>'       # Set custom claims
 ```
 
 ### Logs Commands
@@ -765,21 +765,21 @@ npx bm auth:set-claims <uid-or-email> '<json>'       # Set custom claims
 Fetch or stream Cloud Function logs from Google Cloud Logging. Requires `gcloud` CLI installed and authenticated. Auto-resolves the project ID from `service-account.json`, `.firebaserc`, or `GCLOUD_PROJECT`.
 
 ```bash
-npx bm logs:read                                     # Read last 1h of logs (default: 300 entries, newest first)
-npx bm logs:read --fn bm_api                         # Filter by function name
-npx bm logs:read --fn bm_api --severity ERROR        # Filter by severity (DEBUG, INFO, WARNING, ERROR, CRITICAL)
-npx bm logs:read --since 2d --limit 100              # Custom time range and limit
-npx bm logs:read --search "72.134.242.25"            # Search textPayload for a string (IP, email, error, etc.)
-npx bm logs:read --fn bm_authBeforeCreate --search "ian@example.com" --since 7d  # Combined filters
-npx bm logs:read --order asc                         # Oldest first (default: desc/newest first)
-npx bm logs:read --filter 'jsonPayload.level="error"'  # Raw gcloud filter passthrough
-npx bm logs:tail                                     # Stream live logs
-npx bm logs:tail --fn bm_paymentsWebhookOnWrite      # Stream filtered live logs
+npx mgr logs:read                                     # Read last 1h of logs (default: 300 entries, newest first)
+npx mgr logs:read --fn bm_api                         # Filter by function name
+npx mgr logs:read --fn bm_api --severity ERROR        # Filter by severity (DEBUG, INFO, WARNING, ERROR, CRITICAL)
+npx mgr logs:read --since 2d --limit 100              # Custom time range and limit
+npx mgr logs:read --search "72.134.242.25"            # Search textPayload for a string (IP, email, error, etc.)
+npx mgr logs:read --fn bm_authBeforeCreate --search "ian@example.com" --since 7d  # Combined filters
+npx mgr logs:read --order asc                         # Oldest first (default: desc/newest first)
+npx mgr logs:read --filter 'jsonPayload.level="error"'  # Raw gcloud filter passthrough
+npx mgr logs:tail                                     # Stream live logs
+npx mgr logs:tail --fn bm_paymentsWebhookOnWrite      # Stream filtered live logs
 ```
 
 Both commands save output to `functions/logs.log` (overwritten on each run). `logs:read` saves raw JSON; `logs:tail` streams text.
 
-**Cloud Logs vs Local Logs:** These commands query **production** Google Cloud Logging. For **local/dev** logs, read `functions/serve.log` (from `npx bm serve`) or `functions/emulator.log` (from `npx bm test`) directly — they are plain text files, not gcloud.
+**Cloud Logs vs Local Logs:** These commands query **production** Google Cloud Logging. For **local/dev** logs, read `functions/serve.log` (from `npx mgr serve`) or `functions/emulator.log` (from `npx mgr test`) directly — they are plain text files, not gcloud.
 
 | Flag | Description | Default | Commands |
 |------|-------------|---------|----------|
@@ -834,22 +834,22 @@ The `--fn` flag uses the **deployed Cloud Function name**, not the route path.
 
 ```bash
 # Read a user document from production
-npx bm firestore:get users/abc123
+npx mgr firestore:get users/abc123
 
 # Write to emulator
-npx bm firestore:set users/test123 '{"name":"Test User"}' --emulator
+npx mgr firestore:set users/test123 '{"name":"Test User"}' --emulator
 
 # Query with filters
-npx bm firestore:query users --where "subscription.status==active" --limit 10
+npx mgr firestore:query users --where "subscription.status==active" --limit 10
 
 # Look up auth user by email
-npx bm auth:get user@example.com
+npx mgr auth:get user@example.com
 
 # Set admin claims
-npx bm auth:set-claims user@example.com '{"admin":true}'
+npx mgr auth:set-claims user@example.com '{"admin":true}'
 
 # Delete from emulator (no confirmation needed)
-npx bm firestore:delete users/test123 --emulator
+npx mgr firestore:delete users/test123 --emulator
 ```
 
 ## Usage & Rate Limiting
@@ -1366,7 +1366,7 @@ Campaigns reference segments by SSOT key: `segments: ['subscription_free']`. Aut
 
 ### Seed Campaigns
 
-Created by `npx bm setup` (idempotent, enforced fields checked every run):
+Created by `npx mgr setup` (idempotent, enforced fields checked every run):
 
 | ID | Type | Description |
 |----|------|-------------|
@@ -1419,7 +1419,7 @@ marketing: {
 
 8. **Increment usage before update** - Call `usage.increment()` then `usage.update()`
 
-9. **Add Firestore composite indexes for new compound queries** - Any new Firestore query using multiple `.where()` clauses or `.where()` + `.orderBy()` requires a composite index. Add it to `src/cli/commands/setup-tests/helpers/required-indexes.js` (the SSOT). Consumer projects pick these up via `npx bm setup`, which syncs them into `firestore.indexes.json`. Without the index, the query will crash with `FAILED_PRECONDITION` in production.
+9. **Add Firestore composite indexes for new compound queries** - Any new Firestore query using multiple `.where()` clauses or `.where()` + `.orderBy()` requires a composite index. Add it to `src/cli/commands/setup-tests/helpers/required-indexes.js` (the SSOT). Consumer projects pick these up via `npx mgr setup`, which syncs them into `firestore.indexes.json`. Without the index, the query will crash with `FAILED_PRECONDITION` in production.
 
 ## Key Files Reference
 
@@ -1463,7 +1463,7 @@ marketing: {
 ```javascript
 assistant.isDevelopment()  // true when ENVIRONMENT !== 'production' or in emulator
 assistant.isProduction()   // true when ENVIRONMENT === 'production'
-assistant.isTesting()      // true when running tests (via npx bm test)
+assistant.isTesting()      // true when running tests (via npx mgr test)
 ```
 
 ## Model Context Protocol (MCP)
@@ -1473,7 +1473,7 @@ BEM includes a built-in MCP server that exposes BEM routes as tools for Claude C
 ### Architecture
 
 Two transport modes:
-- **Stdio** (local): `npx bm mcp` — for Claude Code / Claude Desktop
+- **Stdio** (local): `npx mgr mcp` — for Claude Code / Claude Desktop
 - **Streamable HTTP** (remote): `POST /backend-manager/mcp` — for Claude Chat (stateless, Firebase Functions compatible)
 
 ### Available Tools (19)
@@ -1507,7 +1507,7 @@ Two transport modes:
 
 ### Hosting Rewrites
 
-The `npx bm setup` command automatically adds required Firebase Hosting rewrites for MCP OAuth:
+The `npx mgr setup` command automatically adds required Firebase Hosting rewrites for MCP OAuth:
 ```json
 {
   "source": "{/backend-manager,/backend-manager/**,/.well-known/oauth-protected-resource,/.well-known/oauth-authorization-server,/authorize,/token}",
@@ -1518,7 +1518,7 @@ The `npx bm setup` command automatically adds required Firebase Hosting rewrites
 ### CLI Usage
 
 ```bash
-npx bm mcp                    # Start stdio MCP server (for Claude Code)
+npx mgr mcp                    # Start stdio MCP server (for Claude Code)
 ```
 
 ### Claude Code Configuration

package/README.md

@@ -89,7 +89,7 @@ module.exports = function (assistant) {
 Run the setup command:
 
 ```bash
-npx bm setup
+npx mgr setup
 ```
 
 ## Initialization Options
@@ -802,28 +802,28 @@ BEM includes an integration test framework that runs against the Firebase emulat
 
 ```bash
 # Option 1: Two terminals (recommended for development)
-npx bm emulator  # Terminal 1 - keeps emulator running
-npx bm test      # Terminal 2 - runs tests
+npx mgr emulator  # Terminal 1 - keeps emulator running
+npx mgr test      # Terminal 2 - runs tests
 
 # Option 2: Single command (auto-starts emulator, shuts down after)
-npx bm test
+npx mgr test
 ```
 
 ### Filtering Tests
 
 ```bash
-npx bm test rules/             # Run rules tests (both BEM and project)
-npx bm test bem:rules/         # Only BEM's rules tests
-npx bm test project:rules/     # Only project's rules tests
-npx bm test user/ admin/       # Multiple paths
+npx mgr test rules/             # Run rules tests (both BEM and project)
+npx mgr test bem:rules/         # Only BEM's rules tests
+npx mgr test project:rules/     # Only project's rules tests
+npx mgr test user/ admin/       # Multiple paths
 ```
 
 ### Log Files
 
 BEM CLI commands automatically save output to log files in the project directory:
-- **`emulator.log`** — Full emulator + Cloud Functions output (`npx bm emulator`)
-- **`test.log`** — Test runner output (`npx bm test`, when running against an existing emulator)
-- **`logs.log`** — Cloud Function logs (`npx bm logs:read` or `npx bm logs:tail`)
+- **`emulator.log`** — Full emulator + Cloud Functions output (`npx mgr emulator`)
+- **`test.log`** — Test runner output (`npx mgr test`, when running against an existing emulator)
+- **`logs.log`** — Cloud Function logs (`npx mgr logs:read` or `npx mgr logs:tail`)
 
 Logs are overwritten on each run. Use them to debug failing tests or review function output.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.194",
+  "version": "5.0.196",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {
@@ -11,7 +11,6 @@
   },
   "scripts": {
     "start": "node src/manager/index.js",
-    "prepublishOnly": "node scripts/update-disposable-domains.js",
     "prepare": "node -e \"require('prepare-package')()\"",
     "prepare:watch": "node -e \"require('prepare-package/watch')()\""
   },
@@ -44,7 +43,10 @@
     "input": "./src_",
     "output": "./dist_",
     "replace": {},
-    "type": "copy"
+    "type": "copy",
+    "hooks": {
+      "before": "node scripts/update-disposable-domains.js"
+    }
   },
   "dependencies": {
     "@firebase/rules-unit-testing": "^5.0.0",
@@ -54,7 +56,7 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@octokit/rest": "^22.0.1",
     "@sendgrid/mail": "^8.1.6",
-    "@sentry/node": "^10.47.0",
+    "@sentry/node": "^10.48.0",
     "body-parser": "^2.2.2",
     "busboy": "^1.6.0",
     "chalk": "^5.6.2",
@@ -78,7 +80,7 @@
     "npm-api": "^1.0.1",
     "pushid": "^1.0.0",
     "sanitize-html": "^2.17.2",
-    "stripe": "^22.0.0",
+    "stripe": "^22.0.1",
     "uid-generator": "^2.0.0",
     "uuid": "^13.0.0",
     "wonderful-fetch": "^2.0.5",
@@ -88,10 +90,10 @@
     "yargs": "^18.0.0"
   },
   "devDependencies": {
-    "prepare-package": "^2.0.8"
+    "prepare-package": "^2.1.0"
   },
   "peerDependencies": {
-    "firebase-admin": "^13.7.0",
-    "firebase-functions": "^7.2.3"
+    "firebase-admin": "^13.8.0",
+    "firebase-functions": "^7.2.5"
   }
 }

package/src/manager/libraries/disposable-domains.json

@@ -3152,6 +3152,7 @@
   "moneypipe.net",
   "mongrec.top",
   "monmail.fr.nf",
+  "monomoho.site",
   "monumentmail.com",
   "moolee.net",
   "moonapps.org",

package/src/manager/routes/payments/cancel/post.js

@@ -35,7 +35,7 @@ module.exports = async ({ assistant, user, settings }) => {
   // Guard: subscription younger than 24 hours
   const startDateUNIX = subscription.payment?.startDate?.timestampUNIX;
   if (startDateUNIX) {
-    const ageMs = Date.now() - startDateUNIX;
+    const ageMs = Date.now() - (startDateUNIX * 1000);
     const twentyFourHoursMs = 24 * 60 * 60 * 1000;
     if (ageMs < twentyFourHoursMs) {
       assistant.log(`Cancel rejected: uid=${uid}, subscription is only ${Math.round(ageMs / 1000 / 60)} minutes old`);

package/_zombie-sub-guard-wip/GAP.md

@@ -1,25 +0,0 @@
-## BEM Gap: Webhook overwrites user doc with stale subscription data
-
-### Problem
-When a non-current subscription is cancelled on the provider (e.g. cancelling a zombie/duplicate PayPal sub), the provider fires a cancellation webhook. BEM processes it, finds the user by UID, and overwrites `subscription.*` on the user doc with the cancelled sub's data — even though the user has a different, active subscription.
-
-### Example
-- User has active Chargebee sub (current) + old suspended PayPal sub (zombie)
-- We cancel the PayPal sub → PayPal fires `BILLING.SUBSCRIPTION.CANCELLED`
-- BEM finds user by UID → sets `subscription.status = 'cancelled'`, `subscription.payment.resourceId = <old PayPal sub>`
-- User is now broken — their active Chargebee sub is invisible
-
-### Fix needed in `on-write.js`
-Before writing the unified subscription data to the user doc, check:
-```
-if (user.subscription.payment.resourceId !== webhook.resourceId) {
-  // This webhook is for a DIFFERENT subscription than the user's current one.
-  // Update the payments-orders doc only. Do NOT touch the user doc.
-}
-```
-
-### Affected file
-`backend-manager/src/manager/events/firestore/payments-webhooks/on-write.js` — the section that writes to `users/{uid}`
-
-### Impact
-Without this fix, any cancellation/suspension of a non-current subscription (duplicate cleanup, provider-side cancellation of old subs) will corrupt the user doc. Currently requires manual restoration after each occurrence.

package/_zombie-sub-guard-wip/journey-payments-zombie-sub.js

@@ -1,159 +0,0 @@
-/**
- * Test: Payment Journey - Zombie/Stale Subscription Guard
- * Simulates: user has active sub A → webhook arrives for old sub B (cancellation)
- *
- * Verifies that on-write.js does NOT overwrite the user doc when a webhook
- * arrives for a subscription that doesn't match the user's current resourceId.
- * The order doc should still be updated, but user.subscription must remain unchanged.
- */
-module.exports = {
-  description: 'Payment journey: zombie subscription webhook does not overwrite current subscription',
-  type: 'suite',
-  timeout: 30000,
-
-  tests: [
-    {
-      name: 'setup-active-subscription',
-      async run({ accounts, firestore, assert, state, config, http, waitFor }) {
-        const uid = accounts['journey-payments-zombie-sub'].uid;
-
-        // Resolve first paid product from config
-        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
-        assert.ok(paidProduct, 'Config should have at least one paid product');
-
-        state.uid = uid;
-        state.paidProductId = paidProduct.id;
-        state.paidProductName = paidProduct.name;
-        state.paidStripeProductId = paidProduct.stripe?.productId;
-
-        // Create subscription via test intent
-        const response = await http.as('journey-payments-zombie-sub').post('payments/intent', {
-          processor: 'test',
-          productId: paidProduct.id,
-          frequency: 'monthly',
-        });
-        assert.isSuccess(response, 'Intent should succeed');
-        state.orderId = response.data.orderId;
-
-        // Wait for subscription to activate
-        await waitFor(async () => {
-          const userDoc = await firestore.get(`users/${uid}`);
-          return userDoc?.subscription?.product?.id === paidProduct.id;
-        }, 15000, 500);
-
-        const userDoc = await firestore.get(`users/${uid}`);
-        assert.equal(userDoc.subscription?.product?.id, paidProduct.id, `Should be ${paidProduct.id}`);
-        assert.equal(userDoc.subscription?.status, 'active', 'Should be active');
-
-        // Save the current (real) subscription resourceId
-        state.currentResourceId = userDoc.subscription.payment.resourceId;
-        assert.ok(state.currentResourceId, 'Should have a resourceId');
-      },
-    },
-
-    {
-      name: 'send-zombie-cancellation-webhook',
-      async run({ http, assert, state, config }) {
-        // Send a cancellation webhook for a DIFFERENT subscription (the "zombie")
-        state.zombieResourceId = 'sub_zombie_old_dead_' + Date.now();
-        state.zombieEventId = `_test-evt-zombie-cancel-${Date.now()}`;
-
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
-          id: state.zombieEventId,
-          type: 'customer.subscription.deleted',
-          data: {
-            object: {
-              id: state.zombieResourceId,
-              object: 'subscription',
-              status: 'canceled',
-              metadata: { uid: state.uid },
-              cancel_at_period_end: false,
-              canceled_at: Math.floor(Date.now() / 1000),
-              current_period_end: Math.floor(Date.now() / 1000),
-              current_period_start: Math.floor(Date.now() / 1000) - 86400 * 30,
-              start_date: Math.floor(Date.now() / 1000) - 86400 * 60,
-              trial_start: null,
-              trial_end: null,
-              plan: { product: state.paidStripeProductId, interval: 'month' },
-            },
-          },
-        });
-
-        assert.isSuccess(response, 'Webhook should be accepted');
-      },
-    },
-
-    {
-      name: 'user-doc-unchanged',
-      async run({ firestore, assert, state, waitFor }) {
-        // Wait for the zombie webhook to complete processing
-        await waitFor(async () => {
-          const doc = await firestore.get(`payments-webhooks/${state.zombieEventId}`);
-          return doc?.status === 'completed';
-        }, 15000, 500);
-
-        // Verify the webhook completed but did NOT trigger a transition
-        const webhookDoc = await firestore.get(`payments-webhooks/${state.zombieEventId}`);
-        assert.equal(webhookDoc.status, 'completed', 'Webhook should complete successfully');
-        assert.equal(webhookDoc.transition, null, 'Transition should be null (suppressed for zombie sub)');
-
-        // Verify user doc was NOT overwritten — subscription should still be active with original resourceId
-        const userDoc = await firestore.get(`users/${state.uid}`);
-        assert.equal(userDoc.subscription.status, 'active', 'User subscription should still be active');
-        assert.equal(userDoc.subscription.product.id, state.paidProductId, `Product should still be ${state.paidProductId}`);
-        assert.equal(userDoc.subscription.payment.resourceId, state.currentResourceId, 'ResourceId should still be the current subscription, not the zombie');
-        assert.notEqual(userDoc.subscription.payment.resourceId, state.zombieResourceId, 'ResourceId should NOT be the zombie subscription');
-      },
-    },
-
-    {
-      name: 'send-zombie-suspension-webhook',
-      async run({ http, assert, state, config }) {
-        // Also test that a payment failure for a zombie sub doesn't suspend the user
-        state.zombieSuspendEventId = `_test-evt-zombie-suspend-${Date.now()}`;
-
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
-          id: state.zombieSuspendEventId,
-          type: 'invoice.payment_failed',
-          data: {
-            object: {
-              id: state.zombieResourceId,
-              object: 'subscription',
-              status: 'active',
-              metadata: { uid: state.uid },
-              cancel_at_period_end: false,
-              canceled_at: null,
-              current_period_end: Math.floor(Date.now() / 1000) + 86400 * 30,
-              current_period_start: Math.floor(Date.now() / 1000),
-              start_date: Math.floor(Date.now() / 1000) - 86400 * 60,
-              trial_start: null,
-              trial_end: null,
-              plan: { product: state.paidStripeProductId, interval: 'month' },
-            },
-          },
-        });
-
-        assert.isSuccess(response, 'Webhook should be accepted');
-      },
-    },
-
-    {
-      name: 'user-still-active-after-zombie-suspension',
-      async run({ firestore, assert, state, waitFor }) {
-        await waitFor(async () => {
-          const doc = await firestore.get(`payments-webhooks/${state.zombieSuspendEventId}`);
-          return doc?.status === 'completed';
-        }, 15000, 500);
-
-        const webhookDoc = await firestore.get(`payments-webhooks/${state.zombieSuspendEventId}`);
-        assert.equal(webhookDoc.status, 'completed', 'Webhook should complete');
-        assert.equal(webhookDoc.transition, null, 'Transition should be null (suppressed for zombie sub)');
-
-        // User should STILL be active — zombie payment failure must not suspend them
-        const userDoc = await firestore.get(`users/${state.uid}`);
-        assert.equal(userDoc.subscription.status, 'active', 'User should still be active after zombie payment failure');
-        assert.equal(userDoc.subscription.payment.resourceId, state.currentResourceId, 'ResourceId should still be the current subscription');
-      },
-    },
-  ],
-};

package/_zombie-sub-guard-wip/on-write.js

@@ -1,442 +0,0 @@
-const powertools = require('node-powertools');
-const transitions = require('./transitions/index.js');
-const { trackPayment } = require('./analytics.js');
-
-/**
- * Firestore trigger: payments-webhooks/{eventId} onWrite
- *
- * Processes pending webhook events:
- * 1. Loads the processor library
- * 2. Fetches the latest resource from the processor API (not the stale webhook payload)
- * 3. Branches on event.category to transform + write:
- *    - subscription → toUnifiedSubscription → users/{uid}.subscription + payments-orders/{orderId}
- *    - one-time    → toUnifiedOneTime → payments-orders/{orderId}
- * 4. Detects state transitions and dispatches handler files (non-blocking)
- * 5. Marks the webhook as completed
- */
-module.exports = async ({ assistant, change, context }) => {
-  const Manager = assistant.Manager;
-  const admin = Manager.libraries.admin;
-
-  const dataAfter = change.after.data();
-
-  // Short-circuit: deleted doc or non-pending status
-  if (!dataAfter || dataAfter.status !== 'pending') {
-    return;
-  }
-
-  const eventId = context.params.eventId;
-  const webhookRef = admin.firestore().doc(`payments-webhooks/${eventId}`);
-
-  // Set status to processing
-  await webhookRef.set({ status: 'processing' }, { merge: true });
-
-  // Hoisted so orderId is available in catch block for audit trail
-  let orderId = null;
-
-  try {
-    const processor = dataAfter.processor;
-    let uid = dataAfter.owner;
-    const raw = dataAfter.raw;
-    const eventType = dataAfter.event?.type;
-    const category = dataAfter.event?.category;
-    const resourceType = dataAfter.event?.resourceType;
-    const resourceId = dataAfter.event?.resourceId;
-
-    assistant.log(`Processing webhook ${eventId}: processor=${processor}, eventType=${eventType}, category=${category}, resourceType=${resourceType}, resourceId=${resourceId}, uid=${uid || 'null'}`);
-
-    // Validate category
-    if (!category) {
-      throw new Error(`Webhook event has no category — cannot process`);
-    }
-
-    // Load the shared library for this processor
-    let library;
-    try {
-      library = require(`../../../libraries/payment/processors/${processor}.js`);
-    } catch (e) {
-      throw new Error(`Unknown processor library: ${processor}`);
-    }
-
-    // Fetch the latest resource from the processor API
-    // This ensures we always work with the most current state, not stale webhook data
-    const rawFallback = raw.data?.object || {};
-    const resource = await library.fetchResource(resourceType, resourceId, rawFallback, { admin, eventType, config: Manager.config });
-
-    assistant.log(`Fetched resource: type=${resourceType}, id=${resourceId}, status=${resource.status || 'unknown'}`);
-
-    // Resolve UID from the fetched resource if not available from webhook parse
-    // This handles events like PAYMENT.SALE where the Sale object doesn't carry custom_id
-    // but the parent subscription (fetched via fetchResource) does
-    if (!uid && library.getUid) {
-      uid = library.getUid(resource);
-      assistant.log(`UID resolved from fetched resource: uid=${uid || 'null'}, processor=${processor}, resourceType=${resourceType}`);
-
-      // Update the webhook doc with the resolved UID so it's persisted for debugging
-      if (uid) {
-        await webhookRef.set({ owner: uid }, { merge: true });
-      }
-    }
-
-    // Fallback: resolve UID from the hosted page's pass_thru_content
-    // Chargebee hosted page checkouts don't forward subscription[meta_data] to the subscription,
-    // but pass_thru_content is stored on the hosted page and contains our UID + orderId
-    let resolvedFromPassThru = false;
-    let passThruOrderId = null;
-    if (!uid && library.resolveUidFromHostedPage) {
-      const passThruResult = await library.resolveUidFromHostedPage(resourceId, assistant);
-      if (passThruResult) {
-        uid = passThruResult.uid;
-        passThruOrderId = passThruResult.orderId || null;
-        resolvedFromPassThru = true;
-        assistant.log(`UID resolved from hosted page pass_thru_content: uid=${uid}, orderId=${passThruOrderId}, resourceId=${resourceId}`);
-
-        await webhookRef.set({ owner: uid }, { merge: true });
-      }
-    }
-
-    // Validate UID — must have one by now
-    if (!uid) {
-      throw new Error(`Webhook event has no UID — could not extract from webhook parse, fetched ${resourceType} resource, or hosted page pass_thru_content`);
-    }
-
-    // Backfill: if UID was resolved from pass_thru_content, set meta_data on the subscription
-    // so future webhooks (renewals, cancellations) can resolve the UID directly
-    if (resolvedFromPassThru && resourceType === 'subscription' && library.setMetaData) {
-      library.setMetaData(resource, { uid, orderId: passThruOrderId })
-        .then(() => assistant.log(`Backfilled meta_data on subscription ${resourceId} + customer: uid=${uid}, orderId=${passThruOrderId}`))
-        .catch((e) => assistant.error(`Failed to backfill meta_data on ${resourceType} ${resourceId}: ${e.message}`));
-    }
-
-    // Build timestamps
-    const now = powertools.timestamp(new Date(), { output: 'string' });
-    const nowUNIX = powertools.timestamp(now, { output: 'unix' });
-    const webhookReceivedUNIX = dataAfter.metadata?.created?.timestampUNIX || nowUNIX;
-
-    // Extract orderId from resource (processor-agnostic)
-    // Falls back to pass_thru_content orderId when meta_data wasn't available on the resource
-    orderId = library.getOrderId(resource) || passThruOrderId;
-
-    // Process the payment event (subscription or one-time)
-    if (category !== 'subscription' && category !== 'one-time') {
-      throw new Error(`Unknown event category: ${category}`);
-    }
-
-    const transitionName = await processPaymentEvent({ category, library, resource, resourceType, uid, processor, eventType, eventId, resourceId, orderId, now, nowUNIX, webhookReceivedUNIX, assistant, raw });
-
-    // Mark webhook as completed (include transition name for auditing/testing)
-    await webhookRef.set({
-      status: 'completed',
-      owner: uid,
-      orderId: orderId,
-      transition: transitionName,
-      metadata: {
-        completed: {
-          timestamp: now,
-          timestampUNIX: nowUNIX,
-        },
-      },
-    }, { merge: true });
-
-    assistant.log(`Webhook ${eventId} completed`);
-  } catch (e) {
-    assistant.error(`Webhook ${eventId} failed: ${e.message}`, e);
-
-    const now = powertools.timestamp(new Date(), { output: 'string' });
-    const nowUNIX = powertools.timestamp(now, { output: 'unix' });
-
-    // Mark as failed with error message
-    await webhookRef.set({
-      status: 'failed',
-      error: e.message || String(e),
-    }, { merge: true });
-
-    // Mark intent as failed if we resolved the orderId before the error
-    if (orderId) {
-      await admin.firestore().doc(`payments-intents/${orderId}`).set({
-        status: 'failed',
-        error: e.message || String(e),
-        metadata: {
-          completed: {
-            timestamp: now,
-            timestampUNIX: nowUNIX,
-          },
-        },
-      }, { merge: true });
-    }
-  }
-};
-
-/**
- * Process a payment event (subscription or one-time)
- * 1. Staleness check
- * 2. Read user doc (for transition detection)
- * 3. Transform raw resource → unified object
- * 4. Build order object
- * 5. Detect and dispatch transition handlers (non-blocking)
- * 6. Track analytics (non-blocking)
- * 7. Write to Firestore (user doc for subscriptions + payments-orders)
- */
-async function processPaymentEvent({ category, library, resource, resourceType, uid, processor, eventType, eventId, resourceId, orderId, now, nowUNIX, webhookReceivedUNIX, assistant, raw }) {
-  const Manager = assistant.Manager;
-  const admin = Manager.libraries.admin;
-  const isSubscription = category === 'subscription';
-
-  // Staleness check: skip if a newer webhook already wrote to this order
-  if (orderId) {
-    const existingDoc = await admin.firestore().doc(`payments-orders/${orderId}`).get();
-    if (existingDoc.exists) {
-      const existingUpdatedUNIX = existingDoc.data()?.metadata?.updated?.timestampUNIX || 0;
-      if (webhookReceivedUNIX < existingUpdatedUNIX) {
-        assistant.log(`Stale webhook ${eventId}: received=${webhookReceivedUNIX}, existing updated=${existingUpdatedUNIX}, skipping`);
-        return null;
-      }
-    }
-  }
-
-  // Read current user doc (needed for transition detection + handler context)
-  const userDoc = await admin.firestore().doc(`users/${uid}`).get();
-  const userData = userDoc.exists ? userDoc.data() : {};
-  const before = isSubscription ? (userData.subscription || null) : null;
-
-  assistant.log(`User doc for ${uid}: exists=${userDoc.exists}, email=${userData?.auth?.email || 'null'}, name=${userData?.personal?.name?.first || 'null'}, subscription=${userData?.subscription?.product?.id || 'null'}`);
-
-  // Auto-fill user name from payment processor if not already set
-  if (!userData?.personal?.name?.first) {
-    const customerName = extractCustomerName(resource, resourceType);
-    if (customerName?.first) {
-      await admin.firestore().doc(`users/${uid}`).set({
-        personal: { name: customerName },
-      }, { merge: true });
-      assistant.log(`Auto-filled user name from ${resourceType}: ${customerName.first} ${customerName.last || ''}`);
-    }
-  }
-
-  // Transform raw resource → unified object
-  const transformOptions = { config: Manager.config, eventName: eventType, eventId: eventId };
-  const unified = isSubscription
-    ? library.toUnifiedSubscription(resource, transformOptions)
-    : library.toUnifiedOneTime(resource, transformOptions);
-
-  // Override: immediately suspend on payment denial
-  // Processors keep the sub active while retrying, but we revoke access right away.
-  // If the retry succeeds (e.g. PAYMENT.SALE.COMPLETED), it will restore active status.
-  // PayPal: PAYMENT.SALE.DENIED, Stripe: invoice.payment_failed, Chargebee: payment_failed
-  const PAYMENT_DENIED_EVENTS = ['PAYMENT.SALE.DENIED', 'invoice.payment_failed', 'payment_failed'];
-  if (isSubscription && PAYMENT_DENIED_EVENTS.includes(eventType) && unified.status === 'active') {
-    assistant.log(`Overriding status to suspended: ${eventType} received but provider still says active`);
-    unified.status = 'suspended';
-  }
-
-  assistant.log(`Unified ${category}: product=${unified.product.id}, status=${unified.status}`, unified);
-
-  // Read checkout context from payments-intents (attribution, discount, supplemental)
-  let intentData = {};
-  if (orderId) {
-    const intentDoc = await admin.firestore().doc(`payments-intents/${orderId}`).get();
-    intentData = intentDoc.exists ? intentDoc.data() : {};
-  }
-
-  // Build the order object (single source of truth for handlers + Firestore)
-  const order = {
-    id: orderId,
-    type: category,
-    owner: uid,
-    productId: unified.product.id,
-    processor: processor,
-    resourceId: resourceId,
-    unified: unified,
-    attribution: intentData.attribution || {},
-    discount: intentData.discount || null,
-    supplemental: intentData.supplemental || {},
-    metadata: {
-      created: {
-        timestamp: now,
-        timestampUNIX: nowUNIX,
-      },
-      updated: {
-        timestamp: now,
-        timestampUNIX: nowUNIX,
-      },
-      updatedBy: {
-        event: {
-          name: eventType,
-          id: eventId,
-        },
-      },
-    },
-  };
-
-  // Guard: check if this webhook is for the user's current subscription
-  const currentResourceId = userData?.subscription?.payment?.resourceId;
-  const isCurrentSub = !currentResourceId || currentResourceId === resourceId;
-
-  // Detect and dispatch transition (non-blocking)
-  // Only run transitions for the user's current subscription — zombie webhooks should not trigger emails
-  const shouldRunHandlers = !assistant.isTesting() || process.env.TEST_EXTENDED_MODE;
-  const transitionName = isCurrentSub
-    ? transitions.detectTransition(category, before, unified, eventType)
-    : null;
-
-  if (!isCurrentSub && isSubscription) {
-    const wouldBeTransition = transitions.detectTransition(category, before, unified, eventType);
-    if (wouldBeTransition) {
-      assistant.log(`Transition suppressed for stale sub: ${category}/${wouldBeTransition} (webhook resourceId=${resourceId} != current resourceId=${currentResourceId})`);
-    }
-  }
-
-  if (transitionName) {
-    assistant.log(`Transition detected: ${category}/${transitionName} (before.status=${before?.status || 'null'}, after.status=${unified.status})`);
-
-    if (shouldRunHandlers) {
-      // Extract unified refund details from the processor library (keeps handlers processor-agnostic)
-      const refundDetails = (transitionName === 'payment-refunded' && library.getRefundDetails)
-        ? library.getRefundDetails(raw)
-        : null;
-
-      transitions.dispatch(transitionName, category, {
-        before, after: unified, order, uid, userDoc: userData, assistant, refundDetails,
-      });
-    } else {
-      assistant.log(`Transition handler skipped (testing mode): ${category}/${transitionName}`);
-    }
-  }
-
-  // Track payment analytics (non-blocking)
-  // Fires independently of transitions — renewals have no transition but still need tracking
-  if (shouldRunHandlers) {
-    trackPayment({ category, transitionName, eventType, unified, order, uid, processor, assistant });
-  }
-
-  // Write unified subscription to user doc (subscriptions only)
-  if (isSubscription) {
-    if (isCurrentSub) {
-      await admin.firestore().doc(`users/${uid}`).set({ subscription: unified }, { merge: true });
-      assistant.log(`Updated users/${uid}.subscription: status=${unified.status}, product=${unified.product.id}`);
-
-      // Sync marketing contact with updated subscription data (non-blocking)
-      if (shouldRunHandlers) {
-        const email = Manager.Email(assistant);
-        const updatedUserDoc = { ...userData, subscription: unified };
-        email.sync(updatedUserDoc)
-          .then((r) => assistant.log('Marketing sync after payment:', r))
-          .catch((e) => assistant.error('Marketing sync after payment failed:', e));
-      }
-    } else {
-      assistant.log(`Skipping user doc update: webhook resourceId=${resourceId} does not match current subscription resourceId=${currentResourceId}. This is a stale/zombie subscription webhook — only the order doc will be updated.`);
-    }
-  }
-
-  // Write to payments-orders/{orderId}
-  if (orderId) {
-    const orderRef = admin.firestore().doc(`payments-orders/${orderId}`);
-    const orderSnap = await orderRef.get();
-
-    if (!orderSnap.exists) {
-      // Initialize requests on first creation only (avoid overwriting cancel/refund data set by endpoints)
-      order.requests = {
-        cancellation: null,
-        refund: null,
-      };
-    } else {
-      // Preserve original created timestamp on subsequent webhook events
-      order.metadata.created = orderSnap.data().metadata?.created || order.metadata.created;
-    }
-
-    await orderRef.set(order, { merge: true });
-    assistant.log(`Updated payments-orders/${orderId}: type=${category}, uid=${uid}, eventType=${eventType}`);
-  }
-
-  // Update payments-intents/{orderId} status to match webhook outcome
-  if (orderId) {
-    await admin.firestore().doc(`payments-intents/${orderId}`).set({
-      status: 'completed',
-      metadata: {
-        completed: {
-          timestamp: now,
-          timestampUNIX: nowUNIX,
-        },
-      },
-    }, { merge: true });
-    assistant.log(`Updated payments-intents/${orderId}: status=completed`);
-  }
-
-  // Mark abandoned cart as completed (non-blocking, fire-and-forget)
-  const { COLLECTION } = require('../../../libraries/abandoned-cart-config.js');
-  admin.firestore().doc(`${COLLECTION}/${uid}`).set({
-    status: 'completed',
-    metadata: {
-      updated: {
-        timestamp: now,
-        timestampUNIX: nowUNIX,
-      },
-    },
-  }, { merge: true })
-    .then(() => assistant.log(`Updated ${COLLECTION}/${uid}: status=completed`))
-    .catch((e) => {
-      // Ignore not-found — cart may not exist for this user
-      if (e.code !== 5) {
-        assistant.error(`Failed to update ${COLLECTION}/${uid}: ${e.message}`);
-      }
-    });
-
-  return transitionName;
-}
-
-/**
- * Extract customer name from a raw payment processor resource
- *
- * @param {object} resource - Raw processor resource (Stripe subscription, session, invoice)
- * @param {string} resourceType - 'subscription' | 'session' | 'invoice'
- * @returns {{ first: string, last: string }|null}
- */
-function extractCustomerName(resource, resourceType) {
-  let fullName = null;
-
-  // Checkout sessions have customer_details.name
-  if (resourceType === 'session') {
-    fullName = resource.customer_details?.name;
-  }
-
-  // Invoices have customer_name
-  if (resourceType === 'invoice') {
-    fullName = resource.customer_name;
-  }
-
-  // PayPal orders have payer.name
-  if (resourceType === 'order') {
-    const givenName = resource.payer?.name?.given_name;
-    const surname = resource.payer?.name?.surname;
-
-    if (givenName) {
-      const { capitalize } = require('../../../libraries/infer-contact.js');
-      return {
-        first: capitalize(givenName) || null,
-        last: capitalize(surname) || null,
-      };
-    }
-  }
-
-  // Chargebee subscriptions carry shipping_address / billing_address with first_name + last_name
-  if (resourceType === 'subscription') {
-    const addr = resource.shipping_address || resource.billing_address;
-    if (addr?.first_name) {
-      const { capitalize } = require('../../../libraries/infer-contact.js');
-      return {
-        first: capitalize(addr.first_name) || null,
-        last: capitalize(addr.last_name) || null,
-      };
-    }
-  }
-
-  if (!fullName) {
-    return null;
-  }
-
-  const { capitalize } = require('../../../libraries/infer-contact.js');
-  const parts = fullName.trim().split(/\s+/);
-  return {
-    first: capitalize(parts[0]) || null,
-    last: capitalize(parts.slice(1).join(' ')) || null,
-  };
-}

package/_zombie-sub-guard-wip/test-accounts.diff

@@ -1,21 +0,0 @@
-diff --git a/src/test/test-accounts.js b/src/test/test-accounts.js
-index 796f4c3..5b5efc4 100644
---- a/src/test/test-accounts.js
-+++ b/src/test/test-accounts.js
-@@ -417,6 +417,16 @@ const JOURNEY_ACCOUNTS = {
-       subscription: { product: { id: 'basic' }, status: 'active' },
-     },
-   },
-+  // Journey: zombie/stale subscription guard (webhook for old sub should not overwrite current sub)
-+  'journey-payments-zombie-sub': {
-+    id: 'journey-payments-zombie-sub',
-+    uid: '_test-journey-payments-zombie-sub',
-+    email: '_test.journey-payments-zombie-sub@{domain}',
-+    properties: {
-+      roles: {},
-+      subscription: { product: { id: 'basic' }, status: 'active' },
-+    },
-+  },
-   // Journey: legacy product ID resolution (webhook with legacy product ID maps to correct product)
-   'journey-payments-legacy-product': {
-     id: 'journey-payments-legacy-product',