backend-manager 5.1.4 → 5.2.0

package/test/routes/marketing/webhook.js

@@ -0,0 +1,582 @@
+/**
+ * Test: POST /marketing/webhook
+ *
+ * Cross-provider unsubscribe webhook receiver. Phase E covers SendGrid;
+ * Beehiiv will be added in a separate file.
+ *
+ * Dispatcher tests:
+ *   - Auth via ?key= query param
+ *   - Provider validation
+ *   - Brand filter (ignore mismatched brand)
+ *   - Idempotency via marketing-webhooks/{eventId} doc
+ *
+ * SendGrid processor tests:
+ *   - Various event types (group_unsubscribe, unsubscribe, spamreport, bounce, dropped)
+ *   - Email lookup → user doc mutation with source='sendgrid'
+ *   - Silent skip when email doesn't map to a user (shared SendGrid account scenario)
+ *   - Batched events processed independently
+ *   - Unsupported event types ignored
+ */
+const { TEST_ACCOUNTS } = require('../../../src/test/test-accounts.js');
+
+// Helper — generate a unique sg_event_id per test
+function sgEventId(name) {
+  return `_test-sg-${name}-${Date.now()}`;
+}
+
+// Helper — build a SendGrid event payload
+function sgEvent({ id, type, email, timestamp, asmGroupId }) {
+  return {
+    sg_event_id: id,
+    event: type,
+    email,
+    timestamp: timestamp || Math.floor(Date.now() / 1000),
+    ...(asmGroupId !== undefined ? { asm_group_id: asmGroupId } : {}),
+  };
+}
+
+module.exports = {
+  description: 'Marketing webhook endpoint (SendGrid)',
+  type: 'group',
+  timeout: 30000,
+
+  tests: [
+    // ─── Dispatcher auth + validation ───
+
+    {
+      name: 'rejects-missing-provider',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('marketing/webhook', []);
+        assert.isError(response, 400, 'Should reject missing provider');
+      },
+    },
+
+    {
+      name: 'rejects-missing-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('marketing/webhook?provider=sendgrid', []);
+        assert.isError(response, 401, 'Should reject missing key');
+      },
+    },
+
+    {
+      name: 'rejects-invalid-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('marketing/webhook?provider=sendgrid&key=wrong-key', []);
+        assert.isError(response, 401, 'Should reject invalid key');
+      },
+    },
+
+    {
+      name: 'rejects-unknown-provider',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=unknown&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          []
+        );
+        assert.isError(response, 400, 'Should reject unknown provider');
+      },
+    },
+
+    {
+      name: 'ignores-mismatched-brand',
+      auth: 'none',
+      async run({ http, assert }) {
+        // Brand filter should silently ignore (200 with ignored: true), not error
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}&brand=some-other-brand-that-does-not-exist`,
+          []
+        );
+        assert.isSuccess(response, 'Should silently ignore mismatched brand (200 OK)');
+        assert.propertyEquals(response, 'data.ignored', true, 'Response should indicate ignored');
+      },
+    },
+
+    // ─── SendGrid processor — supported events ───
+
+    {
+      name: 'sendgrid-group-unsubscribe-writes-consent',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = sgEventId('group-unsub');
+        const eventTimestamp = Math.floor(Date.now() / 1000);
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'group_unsubscribe', email, timestamp: eventTimestamp, asmGroupId: 25928 })]
+        );
+
+        assert.isSuccess(response, `Webhook should accept group_unsubscribe: ${JSON.stringify(response, null, 2)}`);
+        assert.propertyEquals(response, 'data.processed', 1, 'Should report 1 event processed');
+
+        // User doc should now show revoked marketing with source=sendgrid
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'marketing.status should be revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'sendgrid', 'revokedAt.source should be sendgrid');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.timestampUNIX, eventTimestamp, 'revokedAt.timestampUNIX should match event timestamp');
+
+        // Idempotency doc should exist with status=completed
+        const webhookDoc = await firestore.get(`marketing-webhooks/${eventId}`);
+        assert.ok(webhookDoc, 'Idempotency doc should exist');
+        assert.equal(webhookDoc?.status, 'completed', 'Idempotency doc should be marked completed');
+        assert.equal(webhookDoc?.provider, 'sendgrid', 'Idempotency doc should record provider');
+      },
+    },
+
+    {
+      name: 'sendgrid-unsubscribe-event-handled',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = sgEventId('unsub');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'unsubscribe', email })]
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 1, 'Should process the unsubscribe event');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'marketing.status should be revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'sendgrid', 'source should be sendgrid');
+      },
+    },
+
+    {
+      name: 'sendgrid-spamreport-event-handled',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = sgEventId('spamreport');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'spamreport', email })]
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 1, 'Spamreport should be treated as a revoke');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked');
+      },
+    },
+
+    {
+      name: 'sendgrid-bounce-event-handled',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = sgEventId('bounce');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'bounce', email })]
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 1, 'Bounce should be treated as a revoke');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked');
+      },
+    },
+
+    // ─── SendGrid processor — events we ignore ───
+
+    {
+      name: 'sendgrid-delivered-event-ignored',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const email = accounts.basic.email;
+        const eventId = sgEventId('delivered');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'delivered', email })]
+        );
+
+        assert.isSuccess(response, 'Should accept the request (not error) but ignore the event');
+        assert.propertyEquals(response, 'data.processed', 0, 'No events should be processed');
+        assert.propertyEquals(response, 'data.skipped', 1, '1 event should be skipped');
+      },
+    },
+
+    {
+      name: 'sendgrid-open-event-ignored',
+      auth: 'none',
+      async run({ http, assert, accounts }) {
+        const email = accounts.basic.email;
+        const eventId = sgEventId('open');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'open', email })]
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 0, 'Open events should be ignored');
+      },
+    },
+
+    // ─── Email not mapped to a user ───
+
+    {
+      name: 'sendgrid-unknown-email-silent-skip',
+      auth: 'none',
+      async run({ http, assert }) {
+        // Email that doesn't match any user in this brand's Firestore — shared SendGrid scenario
+        const eventId = sgEventId('unknown-email');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'group_unsubscribe', email: '_test.never-existed@example.com' })]
+        );
+
+        // Dispatcher still processes the event (idempotency doc written, handler runs and returns
+        // handled:false). From the dispatcher's POV this counts as 'processed=1' since the handler
+        // didn't throw. The handler's internal "user-not-found" branch is silent by design.
+        assert.isSuccess(response, 'Should accept unknown-email gracefully');
+        assert.propertyEquals(response, 'data.failed', 0, 'No failures for unknown email');
+      },
+    },
+
+    // ─── Batched events ───
+
+    {
+      name: 'sendgrid-batched-events-processed-independently',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const e1 = sgEventId('batch-1');
+        const e2 = sgEventId('batch-2');
+        const e3 = sgEventId('batch-3');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [
+            sgEvent({ id: e1, type: 'group_unsubscribe', email }),
+            sgEvent({ id: e2, type: 'open', email }), // ignored — unsupported type
+            sgEvent({ id: e3, type: 'spamreport', email }),
+          ]
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 2, '2 supported events should be processed');
+        assert.propertyEquals(response, 'data.skipped', 1, '1 unsupported event should be skipped');
+
+        // Each processed event gets its own idempotency doc
+        const doc1 = await firestore.get(`marketing-webhooks/${e1}`);
+        const doc3 = await firestore.get(`marketing-webhooks/${e3}`);
+        assert.ok(doc1 && doc1.status === 'completed', 'First event idempotency doc completed');
+        assert.ok(doc3 && doc3.status === 'completed', 'Third event idempotency doc completed');
+
+        // The skipped event should NOT have an idempotency doc (we filter by isSupported before writing)
+        const doc2 = await firestore.get(`marketing-webhooks/${e2}`);
+        assert.ok(!doc2, 'Unsupported event should NOT have an idempotency doc');
+
+        // User doc should be revoked
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked');
+      },
+    },
+
+    // ─── Idempotency ───
+
+    {
+      name: 'sendgrid-duplicate-event-skipped',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        const email = accounts.basic.email;
+        const eventId = sgEventId('duplicate');
+
+        // First delivery
+        const response1 = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'group_unsubscribe', email })]
+        );
+        assert.isSuccess(response1);
+        assert.propertyEquals(response1, 'data.processed', 1, 'First delivery should process');
+
+        // Second delivery — same eventId
+        const response2 = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [sgEvent({ id: eventId, type: 'group_unsubscribe', email })]
+        );
+        assert.isSuccess(response2);
+        assert.propertyEquals(response2, 'data.processed', 0, 'Duplicate should NOT reprocess');
+        assert.propertyEquals(response2, 'data.skipped', 1, 'Duplicate should be skipped');
+
+        // Idempotency doc should still be there and completed
+        const webhookDoc = await firestore.get(`marketing-webhooks/${eventId}`);
+        assert.equal(webhookDoc?.status, 'completed');
+      },
+    },
+
+    // ─── Missing event ID ───
+
+    {
+      name: 'sendgrid-event-without-eventId-skipped',
+      auth: 'none',
+      async run({ http, assert, accounts }) {
+        const email = accounts.basic.email;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [{ event: 'group_unsubscribe', email, timestamp: Math.floor(Date.now() / 1000) }] // NO sg_event_id
+        );
+
+        assert.isSuccess(response, 'Should accept the request');
+        assert.propertyEquals(response, 'data.processed', 0, 'Event without eventId cannot be deduped, so it is skipped');
+        assert.propertyEquals(response, 'data.skipped', 1, 'Event should be skipped');
+      },
+    },
+
+    // ──────────────────────────────────────────────────────────────────────
+    // Beehiiv processor tests
+    // ──────────────────────────────────────────────────────────────────────
+
+    {
+      name: 'beehiiv-subscription-unsubscribed-writes-consent',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts, config }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = `_test-bh-unsub-${Date.now()}`;
+        const eventISO = new Date().toISOString();
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+
+        assert.ok(publicationId, 'Test brand must have a Beehiiv publication ID configured');
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.unsubscribed',
+            email,
+            publication_id: publicationId,
+            created_at: eventISO,
+          }
+        );
+
+        assert.isSuccess(response, `Beehiiv unsub should succeed: ${JSON.stringify(response, null, 2)}`);
+        assert.propertyEquals(response, 'data.processed', 1, 'Should process 1 event');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'marketing.status should be revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'beehiiv', 'revokedAt.source should be beehiiv');
+        assert.ok(userDoc?.consent?.marketing?.revokedAt?.timestamp, 'revokedAt.timestamp should be set');
+
+        // Idempotency doc should exist
+        const webhookDoc = await firestore.get(`marketing-webhooks/${eventId}`);
+        assert.ok(webhookDoc, 'Idempotency doc should exist');
+        assert.equal(webhookDoc?.status, 'completed');
+        assert.equal(webhookDoc?.provider, 'beehiiv');
+      },
+    },
+
+    {
+      name: 'beehiiv-subscription-deleted-handled',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts, config }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = `_test-bh-deleted-${Date.now()}`;
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.deleted',
+            email,
+            publication_id: publicationId,
+            created_at: new Date().toISOString(),
+          }
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 1, 'subscription.deleted should be processed as a revoke');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'beehiiv');
+      },
+    },
+
+    {
+      name: 'beehiiv-subscription-paused-handled',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts, config }) {
+        const uid = accounts.basic.uid;
+        const email = accounts.basic.email;
+        const eventId = `_test-bh-paused-${Date.now()}`;
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.paused',
+            email,
+            publication_id: publicationId,
+            created_at: new Date().toISOString(),
+          }
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 1, 'subscription.paused should be processed as a revoke');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked');
+      },
+    },
+
+    {
+      name: 'beehiiv-publication-mismatch-silent-skip',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts }) {
+        // Send an event with a publication_id that does NOT match this brand's pub.
+        // Simulates the shared-devbeans scenario where the parent forwarder fans
+        // an event to brands that don't share the publication — they silent-skip.
+        const email = accounts.basic.email;
+        const eventId = `_test-bh-pubmismatch-${Date.now()}`;
+
+        // Snapshot revokedAt BEFORE the request so we can prove the pub-mismatch
+        // handler didn't write anything new. (The basic account may already have
+        // a beehiiv-sourced revoke from a prior test that legitimately fired.)
+        const beforeDoc = await firestore.get(`users/${accounts.basic.uid}`);
+        const beforeRevokedAt = beforeDoc?.consent?.marketing?.revokedAt || null;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.unsubscribed',
+            email,
+            publication_id: 'pub_does-not-belong-to-this-brand-xxxxxxxxxxxxxx',
+            created_at: new Date().toISOString(),
+          }
+        );
+
+        // The dispatcher counts this as 'processed' from its POV (the handler
+        // ran without error and the idempotency doc was written), but the
+        // handler returned { handled: false, reason: 'publication-mismatch' }.
+        // What matters: the user doc should NOT have been mutated.
+        assert.isSuccess(response, 'Pub-mismatch event should be accepted gracefully');
+
+        // Reload the user doc and verify revokedAt is byte-equivalent to before —
+        // pub-mismatch must not write a new revoke entry.
+        const afterDoc = await firestore.get(`users/${accounts.basic.uid}`);
+        const afterRevokedAt = afterDoc?.consent?.marketing?.revokedAt || null;
+
+        assert.deepEqual(
+          afterRevokedAt,
+          beforeRevokedAt,
+          'consent.marketing.revokedAt must be UNCHANGED after a pub-mismatch event (handler should silent-skip)'
+        );
+      },
+    },
+
+    {
+      name: 'beehiiv-unknown-email-silent-skip',
+      auth: 'none',
+      async run({ http, assert, config }) {
+        // Email that doesn't map to any user — shared publication scenario where
+        // multiple brands receive the same event but only one has the user.
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+        const eventId = `_test-bh-unknown-${Date.now()}`;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.unsubscribed',
+            email: '_test.no-such-user@example.com',
+            publication_id: publicationId,
+            created_at: new Date().toISOString(),
+          }
+        );
+
+        assert.isSuccess(response, 'Unknown email should not error');
+        assert.propertyEquals(response, 'data.failed', 0, 'No failures for unknown email');
+      },
+    },
+
+    {
+      name: 'beehiiv-unsupported-event-ignored',
+      auth: 'none',
+      async run({ http, assert, accounts, config }) {
+        // 'subscription.created' (new signup) is NOT a revoke — should be ignored.
+        const email = accounts.basic.email;
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+        const eventId = `_test-bh-created-${Date.now()}`;
+
+        const response = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          {
+            id: eventId,
+            event: 'subscription.created',
+            email,
+            publication_id: publicationId,
+            created_at: new Date().toISOString(),
+          }
+        );
+
+        assert.isSuccess(response);
+        assert.propertyEquals(response, 'data.processed', 0, 'Unsupported events should not be processed');
+        assert.propertyEquals(response, 'data.skipped', 1, 'Unsupported events should be skipped');
+      },
+    },
+
+    {
+      name: 'beehiiv-duplicate-event-skipped',
+      auth: 'none',
+      async run({ http, firestore, assert, accounts, config }) {
+        const email = accounts.basic.email;
+        const publicationId = config.marketing?.beehiiv?.publicationId;
+        const eventId = `_test-bh-dup-${Date.now()}`;
+
+        const payload = {
+          id: eventId,
+          event: 'subscription.unsubscribed',
+          email,
+          publication_id: publicationId,
+          created_at: new Date().toISOString(),
+        };
+
+        // First delivery
+        const r1 = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          payload
+        );
+        assert.isSuccess(r1);
+        assert.propertyEquals(r1, 'data.processed', 1, 'First delivery should process');
+
+        // Second delivery — same id
+        const r2 = await http.as('none').post(
+          `marketing/webhook?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          payload
+        );
+        assert.isSuccess(r2);
+        assert.propertyEquals(r2, 'data.processed', 0, 'Duplicate should NOT reprocess');
+        assert.propertyEquals(r2, 'data.skipped', 1, 'Duplicate should be skipped');
+
+        const webhookDoc = await firestore.get(`marketing-webhooks/${eventId}`);
+        assert.equal(webhookDoc?.status, 'completed');
+      },
+    },
+  ],
+};

package/test/routes/payments/cancel.js

@@ -113,16 +113,11 @@ module.exports = {
             && userDoc?.subscription?.status === 'active';
         }, 15000, 500);
 
-        // Backdate startDate so the 24-hour guard doesn't block cancellation
-        const twoDaysAgo = new Date(Date.now() - 2 * 24 * 60 * 60 * 1000);
-        await firestore.set(`users/${uid}`, {
-          subscription: { payment: { startDate: { timestamp: twoDaysAgo.toISOString(), timestampUNIX: twoDaysAgo.getTime() } } },
-        }, { merge: true });
-
-        // Step 2: Call the cancel endpoint
+        // Step 2: Call the cancel endpoint (skipGuards bypasses the 24-hour age guard)
         const cancelResponse = await http.as('route-cancel-success').post('payments/cancel', {
           confirmed: true,
           reason: 'Too expensive',
+          skipGuards: true,
         });
 
         assert.isSuccess(cancelResponse, 'Cancel should succeed');