backend-manager 5.2.3 → 5.2.6

package/src/test/test-accounts.js

@@ -162,10 +162,14 @@ const STATIC_ACCOUNTS = {
       subscription: { product: { id: 'basic' }, status: 'active' },
     },
   },
+  // The two `consent-*` accounts use the `_test.allow_*` prefix so they bypass
+  // the `_test.*` marketing-block in blocked-local-patterns.js. They're the
+  // live-provider integration sentinels — they intentionally round-trip through
+  // SendGrid + Beehiiv to verify the consent gate works end-to-end.
   'consent-granted': {
     id: 'consent-granted',
-    uid: '_test-consent-granted',
-    email: '_test.consent-granted@{domain}',
+    uid: '_test-allow-consent-granted',
+    email: '_test.allow_consent-granted@{domain}',
     properties: {
       roles: {},
       subscription: { product: { id: 'basic' }, status: 'active' },
@@ -173,8 +177,8 @@ const STATIC_ACCOUNTS = {
   },
   'consent-declined': {
     id: 'consent-declined',
-    uid: '_test-consent-declined',
-    email: '_test.consent-declined@{domain}',
+    uid: '_test-allow-consent-declined',
+    email: '_test.allow_consent-declined@{domain}',
     properties: {
       roles: {},
       subscription: { product: { id: 'basic' }, status: 'active' },
@@ -805,64 +809,6 @@ const TEST_DATA = {
   defaultProjectId: 'demo-test',
 };
 
-/**
- * Clean up test accounts from marketing providers (SendGrid + Beehiiv)
- * Called after account setup when TEST_EXTENDED_MODE is set to remove
- * contacts added by auth:on-create
- * @param {string} domain - Domain for email addresses
- * @param {object} options - Options with apiUrl and backendManagerKey
- * @returns {Promise<object>} Result with cleaned count
- */
-async function cleanupMarketingProviders(domain, options = {}) {
-  const fetch = require('wonderful-fetch');
-  const results = { cleaned: 0, errors: [] };
-
-  const { apiUrl, backendManagerKey } = options;
-  if (!apiUrl || !backendManagerKey) {
-    console.error('cleanupMarketingProviders: Missing apiUrl or backendManagerKey');
-    return results;
-  }
-
-  // Get all test account emails (test contacts like rachel.greene+bem cleaned up by their own tests)
-  const definitions = getAccountDefinitions(domain);
-  const emails = Object.values(definitions).map(acc => acc.email);
-
-  // Clean up each email via the API endpoint (uses hosting port 5002)
-  await Promise.all(
-    emails.map(async (email) => {
-      try {
-        const response = await fetch(`${apiUrl}/backend-manager/marketing/contact`, {
-          method: 'DELETE',
-          response: 'json',
-          timeout: 30000,
-          body: {
-            backendManagerKey,
-            email,
-          },
-        });
-
-        // Log the result for debugging
-        if (response.providers?.beehiiv?.deleted) {
-          results.cleaned++;
-        } else if (response.providers?.beehiiv?.skipped) {
-          // Skipped means not found - that's fine
-          results.cleaned++;
-        } else if (response.providers?.beehiiv?.error) {
-          console.error(`Failed to delete ${email} from Beehiiv:`, response.providers.beehiiv.error);
-          results.errors.push({ email, error: response.providers.beehiiv.error });
-        } else {
-          results.cleaned++;
-        }
-      } catch (error) {
-        console.error(`Failed to cleanup ${email}:`, error.message);
-        results.errors.push({ email, error: error.message });
-      }
-    })
-  );
-
-  return results;
-}
-
 module.exports = {
   STATIC_ACCOUNTS,
   JOURNEY_ACCOUNTS,
@@ -873,5 +819,4 @@ module.exports = {
   fetchPrivateKeys,
   deleteTestUsers,
   createTestAccounts,
-  cleanupMarketingProviders,
 };

package/src/test/utils/http-client.js

@@ -22,6 +22,7 @@ class HttpClient {
     // Store accounts reference for as() method
     this.accounts = options.accounts || null;
     this.backendManagerKey = options.backendManagerKey || '';
+    this.backendManagerWebhookKey = options.backendManagerWebhookKey || '';
   }
 
   /**

package/test/events/payments/journey-payments-cancel.js

@@ -56,7 +56,7 @@ module.exports = {
 
         state.eventId1 = `_test-evt-journey-cancel-pending-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId1,
           type: 'customer.subscription.updated',
           data: {
@@ -64,7 +64,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'active',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: true,
               cancel_at: Math.floor(futureDate.getTime() / 1000),
               canceled_at: null,
@@ -105,7 +105,7 @@ module.exports = {
       async run({ http, assert, state, config, payments }) {
         state.eventId2 = `_test-evt-journey-cancel-final-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId2,
           type: 'customer.subscription.deleted',
           data: {
@@ -113,7 +113,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'canceled',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: false,
               canceled_at: Math.floor(Date.now() / 1000),
               current_period_end: Math.floor(Date.now() / 1000),

package/test/events/payments/journey-payments-failure.js

@@ -58,7 +58,7 @@ module.exports = {
 
         // Send invoice.payment_failed with subscription billing reason
         // This tests the new parseWebhook routing: billing_reason=subscription_cycle → subscription category
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId,
           type: 'invoice.payment_failed',
           data: {
@@ -72,7 +72,7 @@ module.exports = {
               parent: {
                 subscription_details: {
                   subscription: state.subscriptionId,
-                  metadata: { uid: state.uid },
+                  metadata: { uid: state.uid, orderId: state.orderId },
                 },
                 type: 'subscription_details',
               },

package/test/events/payments/journey-payments-legacy-product.js

@@ -66,7 +66,7 @@ module.exports = {
         // Send a subscription created webhook with the LEGACY product ID
         // This simulates an existing subscriber whose Stripe subscription still
         // references the old product ID from before migration
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.legacyEventId,
           type: 'customer.subscription.created',
           data: {

package/test/events/payments/journey-payments-one-time-failure.js

@@ -39,7 +39,7 @@ module.exports = {
 
         // Send invoice.payment_failed with a non-subscription billing reason
         // This routes to category: 'one-time' in the webhook parser
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId,
           type: 'invoice.payment_failed',
           data: {

package/test/events/payments/journey-payments-plan-change.js

@@ -59,7 +59,7 @@ module.exports = {
         state.eventId = `_test-evt-journey-plan-change-${Date.now()}`;
 
         // Send subscription.updated with product B's Stripe product ID (or test sentinel)
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId,
           type: 'customer.subscription.updated',
           data: {

package/test/events/payments/journey-payments-refund-webhook.js

@@ -59,7 +59,7 @@ module.exports = {
 
         state.cancelEventId = `_test-evt-journey-refund-cancel-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.cancelEventId,
           type: 'customer.subscription.updated',
           data: {
@@ -67,7 +67,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'active',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: true,
               cancel_at: Math.floor(futureDate.getTime() / 1000),
               canceled_at: null,
@@ -110,7 +110,7 @@ module.exports = {
         state.refundEventId = `_test-evt-journey-refund-charge-${Date.now()}`;
         state.refundAmountCents = 2800; // $28.00
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.refundEventId,
           type: 'charge.refunded',
           data: {
@@ -121,7 +121,7 @@ module.exports = {
               amount_refunded: state.refundAmountCents,
               currency: 'usd',
               subscription: state.subscriptionId,
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               refunds: {
                 data: [
                   {

package/test/events/payments/journey-payments-suspend.js

@@ -53,7 +53,7 @@ module.exports = {
       async run({ http, assert, state, config, payments }) {
         state.eventId1 = `_test-evt-journey-suspend-fail-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId1,
           type: 'customer.subscription.updated',
           data: {
@@ -61,7 +61,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'past_due',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: false,
               canceled_at: null,
               current_period_end: Math.floor(Date.now() / 1000) + 86400,
@@ -104,7 +104,7 @@ module.exports = {
 
         state.eventId2 = `_test-evt-journey-suspend-recover-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId2,
           type: 'customer.subscription.updated',
           data: {
@@ -112,7 +112,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'active',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: false,
               canceled_at: null,
               current_period_end: Math.floor(futureDate.getTime() / 1000),

package/test/events/payments/journey-payments-trial.js

@@ -115,7 +115,7 @@ module.exports = {
 
         state.eventId2 = `_test-evt-journey-trial-active-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.eventId2,
           type: 'customer.subscription.updated',
           data: {
@@ -123,7 +123,7 @@ module.exports = {
               id: state.subscriptionId,
               object: 'subscription',
               status: 'active',
-              metadata: { uid: state.uid },
+              metadata: { uid: state.uid, orderId: state.orderId },
               cancel_at_period_end: false,
               canceled_at: null,
               current_period_end: Math.floor(futureDate.getTime() / 1000),

package/test/events/payments/journey-payments-uid-resolution.js

@@ -65,7 +65,7 @@ module.exports = {
 
         state.noUidEventId = `_test-evt-journey-uid-resolve-${Date.now()}`;
 
-        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerKey}`, {
+        const response = await http.as('none').post(`payments/webhook?processor=test&key=${config.backendManagerWebhookKey}`, {
           id: state.noUidEventId,
           type: 'customer.subscription.updated',
           data: {

package/test/marketing/consent-lifecycle.js

@@ -0,0 +1,255 @@
+/**
+ * Test: Marketing Provider Lifecycle (end-to-end against live SendGrid + Beehiiv)
+ *
+ * Walks two long-lived test accounts through their full lifecycle and verifies
+ * provider state at every transition:
+ *
+ *   1. Pre-check    — both accounts should be absent from SendGrid + Beehiiv
+ *   2. Sync         — flip consent.marketing.status and call Marketing.sync()
+ *   3. Verify       — granted account present in both, declined account absent from both
+ *   4. Unsubscribe  — hit the email-preferences endpoint for the granted account
+ *   5. Verify       — granted account now absent from both
+ *
+ * The two accounts use the `_test.allow_*` prefix so they bypass the
+ * blocked-local-patterns gate (which blocks plain `_test.*` from reaching
+ * providers). They are the only accounts intentionally allowed to round-trip
+ * through SendGrid + Beehiiv.
+ *
+ * Run with TEST_EXTENDED_MODE=true (no-op otherwise). Requires SENDGRID_API_KEY
+ * and BEEHIIV_API_KEY in env. Total runtime is ~60-90s — most of it spent waiting
+ * for SendGrid's async upsert/delete background jobs to surface.
+ */
+const sendgridProvider = require('../../src/manager/libraries/email/providers/sendgrid.js');
+const beehiivProvider = require('../../src/manager/libraries/email/providers/beehiiv.js');
+
+const SETTLE_MS = 5000; // Beehiiv settles in 1-2s; SendGrid's background-job upsert can take 10-20s+
+const POLL_INTERVAL_MS = 2000;
+const POLL_MAX_MS = 90000; // SendGrid's delete-contact job can take 30-60s+ to surface
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+/**
+ * Poll a provider lookup until it matches the expected state (present/absent).
+ * Returns the resolved value (contact object or null) once condition is met, or
+ * the last value seen after timing out.
+ *
+ * @param {Function} fetchFn - async function that returns contact or null
+ * @param {boolean} expectPresent - true = wait until present, false = wait until absent
+ */
+async function pollProvider(fetchFn, expectPresent) {
+  const start = Date.now();
+  let lastValue = null;
+
+  while (Date.now() - start < POLL_MAX_MS) {
+    lastValue = await fetchFn();
+    const present = !!lastValue;
+    if (present === expectPresent) {
+      return lastValue;
+    }
+    await sleep(POLL_INTERVAL_MS);
+  }
+
+  return lastValue;
+}
+
+module.exports = {
+  description: 'Marketing provider lifecycle (live SendGrid + Beehiiv round-trip)',
+  type: 'group',
+  skip: !process.env.TEST_EXTENDED_MODE
+    ? 'TEST_EXTENDED_MODE not set (this test hits live SendGrid + Beehiiv APIs)'
+    : false,
+  tests: [
+    // ─────────────────────────────────────────────────────────────────────
+    // Phase 1 — Pre-check: both accounts should be absent from providers
+    // ─────────────────────────────────────────────────────────────────────
+    {
+      name: 'phase-1-pre-check-both-accounts-absent',
+      auth: 'admin',
+      timeout: 180000,
+
+      async run({ accounts, assert }) {
+        const granted = accounts['consent-granted'];
+        const declined = accounts['consent-declined'];
+
+        // Force-clean any leftovers from a prior run (e.g. the previous phase-2a
+        // left a contact in SendGrid that THIS run's phase-1 needs to start
+        // without). SendGrid's delete is an async job, so wait for absence.
+        await sendgridProvider.removeContact(granted.email);
+        await sendgridProvider.removeContact(declined.email);
+        await beehiivProvider.removeContact(granted.email);
+        await beehiivProvider.removeContact(declined.email);
+
+        const grantedSg = await pollProvider(() => sendgridProvider.findContact(granted.email), false);
+        const declinedSg = await pollProvider(() => sendgridProvider.findContact(declined.email), false);
+        const grantedBh = await pollProvider(() => beehiivProvider.findContact(granted.email), false);
+        const declinedBh = await pollProvider(() => beehiivProvider.findContact(declined.email), false);
+
+        assert.equal(grantedSg, null, 'granted account should be absent from SendGrid');
+        assert.equal(declinedSg, null, 'declined account should be absent from SendGrid');
+        assert.equal(grantedBh, null, 'granted account should be absent from Beehiiv');
+        assert.equal(declinedBh, null, 'declined account should be absent from Beehiiv');
+      },
+    },
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Phase 2 — Sync granted account → both providers
+    // ─────────────────────────────────────────────────────────────────────
+    {
+      name: 'phase-2a-granted-account-syncs-to-both-providers',
+      auth: 'admin',
+      timeout: 180000,
+
+      async run({ accounts, assert, Manager, assistant }) {
+        const granted = accounts['consent-granted'];
+        const admin = Manager.libraries.admin;
+
+        // Set consent.marketing.status = 'granted' on the user doc
+        await admin.firestore().doc(`users/${granted.uid}`).set({
+          consent: {
+            marketing: {
+              status: 'granted',
+              grantedAt: {
+                timestamp: new Date().toISOString(),
+                timestampUNIX: Math.floor(Date.now() / 1000),
+                source: 'test',
+                ip: null,
+                text: 'consent-lifecycle test',
+              },
+            },
+            legal: {
+              status: 'granted',
+              grantedAt: {
+                timestamp: new Date().toISOString(),
+                timestampUNIX: Math.floor(Date.now() / 1000),
+                source: 'test',
+                ip: null,
+                text: 'consent-lifecycle test',
+              },
+            },
+          },
+        }, { merge: true });
+
+        // Trigger marketing sync via the Email() surface
+        const result = await Manager.Email(assistant).sync(granted.uid);
+        assert.ok(result, 'sync should return a result');
+        assert.notEqual(result.blocked, 'validation', 'sync should not be blocked by validation (uses _test.allow_*)');
+
+        // Poll providers until they reflect the upsert. SendGrid's upsert is
+        // an async background job (returns a job_id, not the inserted contact)
+        // so a single check 5s later isn't enough — it can take 10-20s to
+        // surface. Beehiiv is usually instant but uses the same poll for symmetry.
+        const sgContact = await pollProvider(() => sendgridProvider.findContact(granted.email), true);
+        const bhContact = await pollProvider(() => beehiivProvider.findContact(granted.email), true);
+
+        assert.ok(sgContact, 'granted account should now exist in SendGrid');
+        assert.ok(bhContact, 'granted account should now exist in Beehiiv');
+      },
+    },
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Phase 2b — Declined account: verify it stays out of providers when we
+    // DON'T call sync (which is what the signup route does for declined
+    // marketing consent).
+    // ─────────────────────────────────────────────────────────────────────
+    {
+      name: 'phase-2b-declined-account-stays-out-of-providers',
+      auth: 'admin',
+      timeout: 180000,
+
+      async run({ accounts, assert, Manager, assistant }) {
+        const declined = accounts['consent-declined'];
+        const admin = Manager.libraries.admin;
+
+        // Set consent.marketing.status = 'revoked' on the user doc.
+        // We deliberately do NOT call sync — the production signup route gates
+        // on consent.marketing.status === 'granted' before calling sync, so a
+        // declined user simply never gets a sync call. We verify that contract
+        // by NOT calling sync and asserting the user stays absent.
+        await admin.firestore().doc(`users/${declined.uid}`).set({
+          consent: {
+            marketing: {
+              status: 'revoked',
+              grantedAt: { timestamp: null, timestampUNIX: null, source: null, ip: null, text: null },
+              revokedAt: {
+                timestamp: new Date().toISOString(),
+                timestampUNIX: Math.floor(Date.now() / 1000),
+                source: 'test',
+                ip: null,
+                text: null,
+              },
+            },
+            legal: {
+              status: 'granted',
+              grantedAt: {
+                timestamp: new Date().toISOString(),
+                timestampUNIX: Math.floor(Date.now() / 1000),
+                source: 'test',
+                ip: null,
+                text: 'consent-lifecycle test',
+              },
+            },
+          },
+        }, { merge: true });
+
+        await sleep(SETTLE_MS);
+
+        const sgContact = await sendgridProvider.findContact(declined.email);
+        const bhContact = await beehiivProvider.findContact(declined.email);
+
+        assert.equal(sgContact, null, 'declined account should remain absent from SendGrid');
+        assert.equal(bhContact, null, 'declined account should remain absent from Beehiiv');
+      },
+    },
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Phase 3 — Unsubscribe: granted account is removed via Manager.Email().remove
+    // ─────────────────────────────────────────────────────────────────────
+    {
+      name: 'phase-3-granted-account-unsubscribe-removes-from-both',
+      auth: 'admin',
+      timeout: 180000,
+
+      async run({ accounts, assert, Manager, assistant }) {
+        const granted = accounts['consent-granted'];
+
+        // Trigger removal — simulates the email-preferences opt-out flow
+        const result = await Manager.Email(assistant).remove(granted.email);
+        assert.ok(result, 'remove should return a result');
+
+        // Poll for absence — SendGrid's contact delete is also an async job.
+        const sgContact = await pollProvider(() => sendgridProvider.findContact(granted.email), false);
+        const bhContact = await pollProvider(() => beehiivProvider.findContact(granted.email), false);
+
+        assert.equal(sgContact, null, 'granted account should now be absent from SendGrid');
+        assert.equal(bhContact, null, 'granted account should now be absent from Beehiiv');
+      },
+    },
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Phase 4 — Validation gate: _test.* (non-allow) is blocked by validate()
+    // ─────────────────────────────────────────────────────────────────────
+    {
+      name: 'phase-4-non-allow-test-email-blocked-by-validation',
+      auth: 'admin',
+      timeout: 30000,
+
+      async run({ assert, Manager, assistant }) {
+        // _test.never-reaches-providers@... is NOT _test.allow_* → should be blocked
+        const blockedEmail = '_test.never-reaches-providers@somiibo.com';
+
+        const result = await Manager.Email(assistant).add({ email: blockedEmail });
+
+        assert.equal(result.blocked, 'validation', 'non-allow _test.* email should be blocked by validation');
+
+        // And the provider lookup should show nothing
+        const sgContact = await sendgridProvider.findContact(blockedEmail);
+        const bhContact = await beehiivProvider.findContact(blockedEmail);
+
+        assert.equal(sgContact, null, 'blocked email should never appear in SendGrid');
+        assert.equal(bhContact, null, 'blocked email should never appear in Beehiiv');
+      },
+    },
+  ],
+};

package/test/routes/payments/dispute-alert.js

@@ -32,7 +32,7 @@ module.exports = {
       name: 'rejects-unknown-provider',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?provider=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?provider=unknown&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: '_test-dispute-unknown-provider',
           card: '4242',
           amount: 9.99,
@@ -47,7 +47,7 @@ module.exports = {
       name: 'rejects-missing-id',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           card: '4242',
           amount: 9.99,
           transactionDate: '2026-01-15',
@@ -61,7 +61,7 @@ module.exports = {
       name: 'rejects-missing-card',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: '_test-dispute-no-card',
           amount: 9.99,
           transactionDate: '2026-01-15',
@@ -75,7 +75,7 @@ module.exports = {
       name: 'rejects-missing-amount',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: '_test-dispute-no-amount',
           card: '4242',
           transactionDate: '2026-01-15',
@@ -89,7 +89,7 @@ module.exports = {
       name: 'rejects-missing-transaction-date',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: '_test-dispute-no-date',
           card: '4242',
           amount: 9.99,
@@ -105,7 +105,7 @@ module.exports = {
       async run({ http, assert, firestore }) {
         const alertId = '_test-dispute-valid';
 
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '4242424242424242',
           cardBrand: 'Visa',
@@ -164,7 +164,7 @@ module.exports = {
         const alertId = '_test-dispute-alertid-field';
 
         // Chargeblast alert.created events use alertId instead of id
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           alertId: alertId,
           card: '546616******5805',
           cardBrand: 'Mastercard',
@@ -189,7 +189,7 @@ module.exports = {
         const alertId = '_test-dispute-minimal';
 
         // Send minimal alert (alert.created shape — no externalOrder, metadata, etc.)
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '9124',
           amount: 10,
@@ -218,7 +218,7 @@ module.exports = {
       async run({ http, assert, firestore }) {
         const alertId = '_test-dispute-last4';
 
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '1234',
           amount: 9.99,
@@ -240,7 +240,7 @@ module.exports = {
         const alertId = '_test-dispute-duplicate';
 
         // Send first alert
-        await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '4242',
           amount: 29.99,
@@ -248,7 +248,7 @@ module.exports = {
         });
 
         // Send duplicate
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '4242',
           amount: 29.99,
@@ -274,7 +274,7 @@ module.exports = {
         });
 
         // Send alert with same ID — should retry since previous status was 'failed'
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '4242',
           amount: 29.99,
@@ -300,7 +300,7 @@ module.exports = {
         const alertId = '_test-dispute-default-provider';
 
         // Send without provider query param
-        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`, {
           id: alertId,
           card: '4242',
           amount: 9.99,