backend-manager 5.1.2 → 5.2.0

package/src/manager/routes/marketing/webhook/processors/sendgrid.js

@@ -0,0 +1,171 @@
+/**
+ * SendGrid webhook processor
+ *
+ * SendGrid sends an array of events per POST. This module parses the array,
+ * decides which events represent an unsubscribe (revocation of marketing consent),
+ * and exposes a per-event handler that:
+ *   1. Looks up the user by email in this brand's Firestore (silent skip if not found)
+ *   2. Writes consent.marketing.status = 'revoked' to the user doc, source: 'sendgrid'
+ *   3. Calls Beehiiv to remove the contact too (cross-provider sync — idempotent on 404)
+ *
+ * Supported event types (anything else is silently ignored):
+ *   - 'unsubscribe'         — user clicked the unified unsubscribe link
+ *   - 'group_unsubscribe'   — user unsubscribed from a specific ASM group
+ *   - 'spamreport'          — user marked email as spam
+ *   - 'bounce'              — hard bounce (treat as revoke to avoid future sends)
+ *   - 'dropped'             — SendGrid dropped the message (often due to suppression)
+ *
+ * Note: 'group_unsubscribe' is the most common one (matches our ASM-link flow), and since
+ * GROUPS.marketing (25928) is account-global across all brands, an unsub from group 25928
+ * legitimately removes the user from marketing across the entire SendGrid account.
+ *
+ * Idempotency is enforced by the dispatcher via marketing-webhooks/{eventId} doc.
+ */
+
+const REVOKE_EVENT_TYPES = new Set([
+  'unsubscribe',
+  'group_unsubscribe',
+  'spamreport',
+  'bounce',
+  'dropped',
+]);
+
+/**
+ * Parse the raw webhook request into a normalized array of events.
+ * SendGrid sends an array of events as the body. Some HTTP clients (including
+ * BEM's own test client) JSON-encode arrays as objects with numeric keys —
+ * we tolerate both shapes plus the rare single-event object form.
+ */
+function parseWebhook(req) {
+  const body = req.body;
+
+  if (!body) {
+    throw new Error('Empty webhook body');
+  }
+
+  let events;
+  if (Array.isArray(body)) {
+    // Real SendGrid: array body
+    events = body;
+  } else if (body && typeof body === 'object' && typeof body['0'] === 'object' && body['0'] !== null) {
+    // Array serialized as object-with-numeric-keys (test clients, some proxies)
+    events = [];
+    let i = 0;
+    while (body[String(i)]) {
+      events.push(body[String(i)]);
+      i += 1;
+    }
+  } else {
+    // Single event sent as a bare object
+    events = [body];
+  }
+
+  return events.map((event) => {
+    // sg_event_id is SendGrid's per-event unique ID, used for idempotency.
+    // smtp-id is another stable identifier we fall back to.
+    const eventId = event.sg_event_id || event['smtp-id'] || event.smtpId || null;
+    const eventType = event.event;
+    const email = typeof event.email === 'string' ? event.email.trim().toLowerCase() : null;
+    const timestamp = typeof event.timestamp === 'number' ? event.timestamp : null;
+    const asmGroupId = event.asm_group_id || null;
+
+    return {
+      eventId,
+      eventType,
+      email,
+      timestamp,
+      asmGroupId,
+      raw: event,
+    };
+  });
+}
+
+/**
+ * Returns true if this event type represents a revocation we should act on.
+ */
+function isSupported(eventType) {
+  return REVOKE_EVENT_TYPES.has(eventType);
+}
+
+/**
+ * Process a single parsed event. Called by the dispatcher AFTER idempotency check passes.
+ *
+ * Returns a result object summarizing what happened (for logging/response).
+ */
+async function handleEvent({ Manager, assistant, parsed }) {
+  const { admin } = Manager.libraries;
+  const { eventId, eventType, email, timestamp } = parsed;
+
+  if (!email) {
+    assistant.log(`sendgrid webhook: event ${eventId} (${eventType}) missing email, skipping`);
+    return { handled: false, reason: 'missing-email' };
+  }
+
+  // Convert SendGrid's UNIX timestamp to our canonical { timestamp, timestampUNIX } shape.
+  // Fall back to server time if missing.
+  const startTime = assistant.meta.startTime;
+  const eventUNIX = typeof timestamp === 'number' ? timestamp : startTime.timestampUNIX;
+  const eventISO = new Date(eventUNIX * 1000).toISOString();
+
+  // Look up the user by email
+  const snapshot = await admin.firestore().collection('users')
+    .where('auth.email', '==', email)
+    .limit(1)
+    .get()
+    .catch((e) => {
+      assistant.error(`sendgrid webhook: user lookup failed for ${email}:`, e);
+      return null;
+    });
+
+  if (!snapshot || snapshot.empty) {
+    // Silent skip — this email may not map to a customer of THIS brand (shared SendGrid account).
+    assistant.log(`sendgrid webhook: no user found for ${email}, skipping doc update`);
+    return { handled: false, reason: 'user-not-found', email };
+  }
+
+  const userDoc = snapshot.docs[0];
+  const uid = userDoc.id;
+
+  // Write consent.marketing.status = 'revoked' (preserve grantedAt — informational audit trail)
+  await admin.firestore().doc(`users/${uid}`).set({
+    consent: {
+      marketing: {
+        status: 'revoked',
+        revokedAt: {
+          timestamp: eventISO,
+          timestampUNIX: eventUNIX,
+          source: 'sendgrid',
+          ip: null,
+          text: null,
+        },
+      },
+    },
+    metadata: Manager.Metadata().set({ tag: 'marketing/webhook:sendgrid' }),
+  }, { merge: true });
+
+  assistant.log(`sendgrid webhook: revoked consent.marketing for ${uid} (${email}) — eventType=${eventType}`);
+
+  // Cross-provider sync: also remove from Beehiiv (best-effort, idempotent on 404)
+  const shouldCallExternalAPIs = !assistant.isTesting() || process.env.TEST_EXTENDED_MODE;
+
+  if (shouldCallExternalAPIs) {
+    try {
+      const mailer = Manager.Email(assistant);
+      await mailer.remove(email);
+      assistant.log(`sendgrid webhook: cross-provider sync complete for ${email}`);
+    } catch (e) {
+      // Best-effort — user doc is already updated. Log + continue.
+      assistant.error(`sendgrid webhook: cross-provider sync failed for ${email}:`, e);
+    }
+  } else {
+    assistant.log('sendgrid webhook: skipping cross-provider sync (BEM_TESTING=true)');
+  }
+
+  return { handled: true, uid, email, eventType };
+}
+
+module.exports = {
+  parseWebhook,
+  isSupported,
+  handleEvent,
+};

package/src/manager/routes/payments/cancel/post.js

@@ -32,9 +32,9 @@ module.exports = async ({ assistant, user, settings }) => {
     return assistant.respond('No active paid subscription found', { code: 400 });
   }
 
-  // Guard: subscription younger than 24 hours
+  // Guard: subscription younger than 24 hours (callers may bypass via skipGuards)
   const startDateUNIX = subscription.payment?.startDate?.timestampUNIX;
-  if (startDateUNIX) {
+  if (!settings.skipGuards && startDateUNIX) {
     const ageMs = Date.now() - (startDateUNIX * 1000);
     const twentyFourHoursMs = 24 * 60 * 60 * 1000;
     if (ageMs < twentyFourHoursMs) {

package/src/manager/routes/payments/cancel/processors/test.js

@@ -23,7 +23,8 @@ module.exports = {
     const now = Math.floor(timestamp / 1000);
     const periodEnd = now + (30 * 86400);
 
-    // Look up the Stripe product ID from the existing order so resolveProduct() can match
+    // Look up the Stripe product ID from the existing order so resolveProduct() can match.
+    // Falls back to the "_test_<id>" sentinel when no real Stripe product is configured.
     const orderId = subscription?.payment?.orderId;
     let stripeProductId = null;
 
@@ -34,7 +35,9 @@ module.exports = {
         const productId = orderData.unified?.product?.id;
         const products = assistant.Manager.config.payment?.products || [];
         const product = products.find(p => p.id === productId);
-        stripeProductId = product?.stripe?.productId || null;
+        if (product) {
+          stripeProductId = product.stripe?.productId || `_test_${product.id}`;
+        }
       }
     }
 

package/src/manager/routes/payments/intent/processors/test.js

@@ -57,14 +57,18 @@ async function createSubscriptionIntent({ uid, orderId, product, frequency, tria
   const now = Math.floor(timestamp / 1000);
   const periodEnd = now + (FREQUENCY_TO_PERIOD[frequency] || 30 * 86400);
 
-  // Build Stripe-shaped subscription object
-  // Uses product's Stripe product ID so resolveProduct() can match it
+  // Build Stripe-shaped subscription object.
+  // Prefer the real Stripe product ID if configured; otherwise use a sentinel of the
+  // form "_test_<id>" that the Stripe resolver recognizes and maps back to product.id.
+  // This lets the test processor work in brands that haven't wired up Stripe yet.
+  const planProductId = product.stripe?.productId || `_test_${product.id}`;
+
   const subscription = {
     id: subscriptionId,
     object: 'subscription',
     status: trial && product.trial?.days ? 'trialing' : 'active',
     metadata: { uid, orderId },
-    plan: { product: product.stripe?.productId || null, interval },
+    plan: { product: planProductId, interval },
     current_period_end: periodEnd,
     current_period_start: now,
     start_date: now,

package/src/manager/routes/payments/refund/processors/test.js

@@ -22,6 +22,7 @@ module.exports = {
 
     // Look up the Stripe product ID from the existing order so resolveProduct() can match
     const orderId = subscription?.payment?.orderId;
+    // Falls back to the "_test_<id>" sentinel when no real Stripe product is configured.
     let stripeProductId = null;
 
     if (orderId) {
@@ -31,7 +32,9 @@ module.exports = {
         const productId = orderData.unified?.product?.id;
         const products = assistant.Manager.config.payment?.products || [];
         const product = products.find(p => p.id === productId);
-        stripeProductId = product?.stripe?.productId || null;
+        if (product) {
+          stripeProductId = product.stripe?.productId || `_test_${product.id}`;
+        }
       }
     }
 

package/src/manager/routes/test/health/get.js

@@ -1,5 +1,22 @@
+const path = require('path');
+const { readTestMode, applyEnvFromFile } = require('../../../../test/utils/test-mode-file.js');
+
 module.exports = async ({ assistant, Manager }) => {
 
+  // Belt-and-suspenders freshness check: re-read the test-mode file before
+  // reporting `testExtendedMode`. fs.watch installed in Manager.init usually
+  // catches changes within ~50ms, but this handler hits the disk directly to
+  // guarantee the runner sees the actual current value even if the watcher
+  // missed an event. ~1ms cost on a debug endpoint.
+  try {
+    const projectDir = path.dirname(Manager.cwd);
+    const data = readTestMode(projectDir);
+    applyEnvFromFile(data);
+  } catch (e) {
+    // Non-fatal — if the file can't be read, fall through to whatever
+    // process.env already has.
+  }
+
   const response = {
     status: 'healthy',
     timestamp: new Date().toISOString(),

package/src/manager/routes/user/signup/post.js

@@ -76,7 +76,12 @@ module.exports = async ({ assistant, user, settings, libraries }) => {
   await processAffiliate(assistant, uid, email, settings);
 
   // 6. Send emails + marketing (non-blocking, fire-and-forget)
-  syncMarketingContact(assistant, uid, email);
+  // Gate marketing sync on explicit consent — never add a user to marketing lists without it
+  if (userRecord.consent?.marketing?.status === 'granted') {
+    syncMarketingContact(assistant, uid, email);
+  } else {
+    assistant.log(`signup(): Skipping marketing sync — consent.marketing.status is "${userRecord.consent?.marketing?.status}"`);
+  }
   sendWelcomeEmails(assistant, uid, inferred?.firstName);
 
   return assistant.respond({ signedUp: true });
@@ -137,6 +142,7 @@ function buildUserRecord(assistant, settings, inferred) {
       },
     },
     attribution: attribution || {},
+    consent: buildConsentRecord(assistant, settings.consent),
     metadata: Manager.Metadata().set({ tag: 'user/signup' }),
   };
 
@@ -156,6 +162,64 @@ function buildUserRecord(assistant, settings, inferred) {
   return record;
 }
 
+/**
+ * Translate the client's lightweight consent payload into the canonical user-doc shape.
+ *
+ * Client sends: { legal: { granted, text }, marketing: { granted, text } }
+ * Server writes: { legal: { status, grantedAt: {...} }, marketing: { status, grantedAt: {...}, revokedAt: {...} } }
+ *
+ * Server time (not client-supplied) is authoritative — defends against clock manipulation.
+ * IP is captured from request geolocation.
+ *
+ * Legal is REQUIRED — the client must send legal.granted=true. If missing/false we still
+ * record what the client sent, but the route will not have reached this point in practice
+ * (the signup-form HTML5-requires the legal checkbox).
+ */
+function buildConsentRecord(assistant, clientConsent) {
+  const consent = clientConsent || {};
+  const ip = assistant.request.geolocation?.ip || null;
+  const timestamp = assistant.meta.startTime.timestamp;
+  const timestampUNIX = assistant.meta.startTime.timestampUNIX;
+
+  // Build empty leaf shape — used wherever grantedAt or revokedAt is "not set"
+  const emptyMeta = { timestamp: null, timestampUNIX: null, source: null, ip: null, text: null };
+
+  // --- Legal ---
+  const legalGranted = consent.legal?.granted === true;
+  const legalText = typeof consent.legal?.text === 'string' ? consent.legal.text : null;
+
+  const legal = legalGranted
+    ? {
+      status: 'granted',
+      grantedAt: { timestamp, timestampUNIX, source: 'signup', ip, text: legalText },
+    }
+    : {
+      status: 'revoked',
+      grantedAt: { ...emptyMeta },
+    };
+
+  // --- Marketing ---
+  const marketingGranted = consent.marketing?.granted === true;
+  const marketingText = typeof consent.marketing?.text === 'string' ? consent.marketing.text : null;
+
+  const marketing = marketingGranted
+    ? {
+      status: 'granted',
+      grantedAt: { timestamp, timestampUNIX, source: 'signup', ip, text: marketingText },
+      revokedAt: { ...emptyMeta },
+    }
+    : {
+      status: 'revoked',
+      grantedAt: { ...emptyMeta },
+      // Record the decline with source=signup-form-declined. text=null (no message shown).
+      revokedAt: { timestamp, timestampUNIX, source: 'signup', ip, text: null },
+    };
+
+  assistant.log(`buildConsentRecord: legal=${legal.status}, marketing=${marketing.status} (raw input legal.granted=${consent.legal?.granted}, marketing.granted=${consent.marketing?.granted})`);
+
+  return { legal, marketing };
+}
+
 /**
  * Infer name/company from email using AI (or regex fallback)
  * Returns the inferred contact info, or null on failure

package/src/manager/schemas/marketing/email-preferences/post.js

@@ -1,9 +1,13 @@
 /**
  * Schema for POST /marketing/email-preferences
+ *
+ * Two supported modes (route decides based on user.authenticated):
+ * - Authenticated (account page toggle): action ('subscribe' | 'unsubscribe'). Other fields ignored.
+ * - Anonymous (HMAC link from email footer): email + asmId + sig + action ('subscribe' | 'unsubscribe').
  */
 module.exports = () => ({
-  email: { types: ['string'], default: undefined, required: true },
-  asmId: { types: ['string', 'number'], default: undefined, required: true },
-  action: { types: ['string'], default: 'unsubscribe' },
-  sig: { types: ['string'], default: undefined, required: true },
+  email: { types: ['string'], default: undefined, required: false },
+  asmId: { types: ['string', 'number'], default: undefined, required: false },
+  action: { types: ['string'], default: 'unsubscribe', required: true },
+  sig: { types: ['string'], default: undefined, required: false },
 });

package/src/manager/schemas/marketing/webhook/forward/post.js

@@ -0,0 +1,8 @@
+/**
+ * Schema: POST /marketing/webhook/forward
+ *
+ * Empty by design — the body is the raw provider webhook payload that gets
+ * forwarded to every child BEM unchanged. Validation happens in the dispatcher
+ * (provider + key query params) and at each child's receiver.
+ */
+module.exports = () => ({});

package/src/manager/schemas/marketing/webhook/post.js

@@ -0,0 +1,7 @@
+/**
+ * Schema: POST /marketing/webhook
+ *
+ * Empty by design — webhook payloads are provider-defined and validated inside
+ * each processor module. Auth + provider come from query params, not the body.
+ */
+module.exports = () => ({});

package/src/manager/schemas/payments/cancel/post.js

@@ -15,4 +15,9 @@ module.exports = () => ({
     types: ['boolean'],
     required: true,
   },
+  // Bypass route-level guards (e.g. 24-hour subscription age). Used by tests and internal callers.
+  skipGuards: {
+    types: ['boolean'],
+    default: false,
+  },
 });

package/src/manager/schemas/user/signup/post.js

@@ -19,4 +19,9 @@ module.exports = ({ user }) => ({
     default: {},
     required: false,
   },
+  consent: {
+    types: ['object'],
+    default: {},
+    required: false,
+  },
 });

package/src/test/run-tests.js

@@ -6,6 +6,13 @@
  * It reads configuration from BEM_TEST_CONFIG environment variable and runs the test suite
  */
 
+// Mark this process as the test runner BEFORE loading any BEM code. Manager.init()
+// auto-detects this and skips Firebase Functions / server / Sentry wiring (which
+// can't run outside a real Functions runtime). This is what lets tests receive a
+// fully-wired Manager + assistant in their context — no per-test stub.
+process.env.BEM_TEST_RUNNER = '1';
+
+const path = require('path');
 const TestRunner = require('./runner.js');
 
 async function main() {
@@ -33,10 +40,33 @@ async function main() {
     console.error('Warning: Could not initialize Firebase Admin:', error.message);
   }
 
+  // Boot a real Manager. With BEM_TEST_RUNNER set, init() loads libraries +
+  // resolves project config but skips the parts that need a Functions runtime
+  // (handler wiring, server boot, Sentry, admin.initializeApp re-init).
+  // The resulting Manager + assistant are passed into every test context, so
+  // tests can call Manager.AI(), Manager.Email(), Manager.User(), etc. exactly
+  // like production code does — no hand-rolled stubs.
+  let Manager = null;
+  let assistant = null;
+  try {
+    const projectDir = testConfig.projectDir || process.cwd();
+    const BackendManager = require('../manager/index.js');
+    Manager = new BackendManager();
+    Manager.init(null, {
+      cwd: path.join(projectDir, 'functions'),
+      log: false,
+    });
+    assistant = Manager.Assistant({}, { functionName: 'bem-test-runner', accept: 'json' });
+  } catch (error) {
+    console.error('Warning: Could not initialize BEM Manager for tests:', error.message);
+  }
+
   // Create and run the test runner
   const runner = new TestRunner({
     ...testConfig,
     admin,
+    Manager,
+    assistant,
   });
 
   const results = await runner.run();

package/src/test/runner.js

@@ -87,7 +87,7 @@ class TestRunner {
     // Health check (use basic http client without accounts)
     // Use hosting URL for all requests (rewrites to bm_api function)
     const healthHttp = new HttpClient({
-      hostingUrl: this.options.hostingUrl,
+      apiUrl: this.options.apiUrl,
       timeout: this.options.timeout,
     });
 
@@ -119,23 +119,30 @@ class TestRunner {
       await this.runTestsInDir(projectTestsDir, 'project');
     }
 
+    // Post-run cleanup: scrub test accounts from third-party marketing providers
+    // (SendGrid/Beehiiv) so each test run leaves the contact list in the same
+    // state it found it. Pairs with the pre-run cleanup as defense in depth —
+    // pre-run handles crashed previous runs, post-run handles the current run.
+    // Only fires in extended mode (normal mode never touches real providers).
+    if (process.env.TEST_EXTENDED_MODE) {
+      process.stdout.write(chalk.gray('\n  Cleaning up test accounts from marketing providers... '));
+      try {
+        const cleanupResult = await testAccounts.cleanupMarketingProviders(this.options.domain, {
+          apiUrl: this.options.apiUrl,
+          backendManagerKey: this.options.backendManagerKey,
+        });
+        console.log(chalk.green(`✓ (${cleanupResult.cleaned} cleaned)`));
+      } catch (e) {
+        // Post-run cleanup is best-effort — failures shouldn't change the test result
+        console.log(chalk.yellow(`⚠ cleanup error: ${e.message}`));
+      }
+    }
+
     // Cleanup rules context
     if (this.rulesContext) {
       await this.rulesContext.cleanup();
     }
 
-    // Clean up test accounts from marketing providers (SendGrid/Beehiiv)
-    // Run at end of tests so auth:on-create has time to complete
-    if (process.env.TEST_EXTENDED_MODE) {
-      console.log('');
-      process.stdout.write(chalk.gray('  Cleaning test accounts from marketing providers... '));
-      const cleanupResult = await testAccounts.cleanupMarketingProviders(this.options.domain, {
-        apiUrl: this.options.apiUrl,
-        backendManagerKey: this.options.backendManagerKey,
-      });
-      console.log(chalk.green(`✓ (${cleanupResult.cleaned} cleaned)`));
-    }
-
     // Report results
     this.reportResults();
 
@@ -147,9 +154,9 @@ class TestRunner {
    * Validate configuration
    */
   validateConfig() {
-    if (!this.options.hostingUrl) {
-      console.log(chalk.red('  ✗ Missing hostingUrl'));
-      console.log(chalk.gray('    Set BEM_HOSTING_URL environment variable or pass --url flag'));
+    if (!this.options.apiUrl) {
+      console.log(chalk.red('  ✗ Missing apiUrl'));
+      console.log(chalk.gray('    Set BEM_API_URL environment variable or pass --url flag'));
       return false;
     }
 
@@ -186,22 +193,20 @@ class TestRunner {
       if (response.success) {
         console.log(chalk.green('✓'));
 
-        // Warn if TEST_EXTENDED_MODE mismatch between test runner and emulator
-        const runnerExtended = !!process.env.TEST_EXTENDED_MODE;
+        // Report the live mode the emulator just confirmed. The test command
+        // writes `.temp/test-mode.json` before invoking us; the emulator's
+        // file-watcher mutates its `process.env.TEST_EXTENDED_MODE` to match;
+        // the health endpoint re-reads the file as a freshness guard. By
+        // construction these are equal — no mismatch warning needed.
         const emulatorExtended = !!response.data?.testExtendedMode;
-
-        if (runnerExtended !== emulatorExtended) {
-          console.log(chalk.red.bold(`\n  ⚠️⚠️⚠️  TEST_EXTENDED_MODE mismatch (runner=${runnerExtended}, emulator=${emulatorExtended})  ⚠️⚠️⚠️`));
-          console.log(chalk.red('  Both must match or tests will behave unexpectedly.'));
-          console.log(chalk.red(`  Restart with: ${runnerExtended ? '' : 'TEST_EXTENDED_MODE=true '}npx bm emulator\n`));
-        }
+        console.log(chalk.gray(`  Mode: ${emulatorExtended ? 'EXTENDED (real APIs)' : 'normal (mocked)'}`));
 
         return true;
       }
 
       console.log(chalk.red('✗'));
       console.log(chalk.red(`  Server not responding: ${response.error}`));
-      console.log(chalk.gray(`  Make sure your functions are deployed and running at ${this.options.hostingUrl}`));
+      console.log(chalk.gray(`  Make sure your functions are deployed and running at ${this.options.apiUrl}`));
       return false;
     } catch (error) {
       console.log(chalk.red('✗'));
@@ -224,6 +229,18 @@ class TestRunner {
     const deleteResult = await testAccounts.deleteTestUsers(this.options.admin);
     console.log(chalk.green(`✓ (${deleteResult.deleted} deleted, ${deleteResult.skipped} skipped)`));
 
+    // Clean any leftover test accounts from third-party marketing providers
+    // (SendGrid/Beehiiv). Runs BEFORE we create fresh users so a previously
+    // killed run doesn't leave the contact list polluted.
+    if (process.env.TEST_EXTENDED_MODE) {
+      process.stdout.write(chalk.gray('  Cleaning test accounts from marketing providers... '));
+      const cleanupResult = await testAccounts.cleanupMarketingProviders(this.options.domain, {
+        apiUrl: this.options.apiUrl,
+        backendManagerKey: this.options.backendManagerKey,
+      });
+      console.log(chalk.green(`✓ (${cleanupResult.cleaned} cleaned)`));
+    }
+
     process.stdout.write(chalk.gray('  Creating test accounts... '));
 
     // Create fresh test accounts
@@ -534,6 +551,20 @@ class TestRunner {
             duration,
             suite: suiteDescription,
           });
+
+          // For suites (sequential, state-dependent tests), a skip on any step means
+          // subsequent steps can't run cleanly — propagate skip to the rest of the suite.
+          // Groups (independent tests) continue normally.
+          const shouldStopOnSkip = suite.type !== 'group' && suite.stopOnFailure !== false;
+          if (shouldStopOnSkip) {
+            const remaining = tests.length - i - 1;
+            if (remaining > 0) {
+              console.log(chalk.yellow(`        Skipping ${remaining} remaining test(s) in suite (suite-level skip)`));
+              this.results.skipped += remaining;
+            }
+            break;
+          }
+
           continue;
         }
 
@@ -657,7 +688,7 @@ class TestRunner {
     // Create HTTP client with accounts for as() method
     // Use hosting URL for all requests (rewrites to bm_api function)
     const http = new HttpClient({
-      hostingUrl: this.options.hostingUrl,
+      apiUrl: this.options.apiUrl,
       timeout: this.options.timeout,
       accounts: this.accounts,
       backendManagerKey: this.options.backendManagerKey,
@@ -696,6 +727,15 @@ class TestRunner {
       throw new SkipError(reason);
     };
 
+    // Precomputed map of BEM product id → Stripe-compatible product ID for tests.
+    // Falls back to the "_test_<id>" sentinel when no real Stripe product is configured,
+    // letting the Stripe resolver match it back to the BEM product. SSOT for tests that
+    // need to construct Stripe-shaped webhook payloads (cancel, refund, plan-change, etc.).
+    const products = this.config.payment?.products || [];
+    const stripeProductIds = Object.fromEntries(
+      products.map((p) => [p.id, p.stripe?.productId || `_test_${p.id}`])
+    );
+
     return {
       http,
       accounts: this.accounts,
@@ -706,8 +746,14 @@ class TestRunner {
       pubsub,
       skip,
       admin: this.config.admin,
+      // Real BEM Manager + assistant, booted by run-tests.js with BEM_TEST_RUNNER=1.
+      // Tests can call Manager.AI(), Manager.Email(), Manager.User(), etc. exactly
+      // like production code — no stubs.
+      Manager: this.config.Manager,
+      assistant: this.config.assistant,
       rules: this.rulesContext,
       config: this.config,
+      payments: { stripeProductIds },
     };
   }