backend-manager 5.9.4 → 5.9.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CLAUDE.md +6 -0
- package/package.json +8 -1
- package/src/cli/commands/install.js +4 -3
- package/src/cli/commands/setup-tests/backend-manager.js +2 -1
- package/src/cli/commands/setup-tests/firebase-admin.js +2 -1
- package/src/cli/commands/setup-tests/firebase-functions.js +2 -1
- package/src/cli/utils/safe-install.js +13 -0
- package/src/manager/routes/payments/cancel/post.js +22 -2
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
- package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
- package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
- package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
- package/src/test/fixtures/firebase-project/database-debug.log +12 -0
- package/src/test/fixtures/firebase-project/firestore-debug.log +136 -0
- package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
- package/src/test/test-accounts.js +9 -0
- package/.codeclimate.yml +0 -32
- package/.nvmrc +0 -1
- package/CHANGELOG.md +0 -1432
- package/PROGRESS.md +0 -86
- package/TODO-2.md +0 -121
- package/TODO-CHARGEBLAST.md +0 -32
- package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
- package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
- package/TODO-email-auth.md +0 -14
- package/TODO.md +0 -187
- package/plans/mcp2.md +0 -247
- package/scripts/test-helper-providers.js +0 -162
- package/scripts/update-disposable-domains.js +0 -44
- package/templates/_.env +0 -42
- package/templates/_.gitignore +0 -60
- package/templates/backend-manager-config.json +0 -249
- package/templates/database.rules.json +0 -83
- package/templates/firebase.json +0 -66
- package/templates/firestore.indexes.json +0 -4
- package/templates/firestore.rules +0 -112
- package/templates/public/404.html +0 -26
- package/templates/public/index.html +0 -24
- package/templates/remoteconfig.template.json +0 -1
- package/templates/storage-lifecycle-config-1-day.json +0 -9
- package/templates/storage-lifecycle-config-30-days.json +0 -9
- package/templates/storage.rules +0 -8
- package/test/_init/accounts-validation.js +0 -58
- package/test/_legacy/ai/index.js +0 -231
- package/test/_legacy/ai/test.jpg +0 -0
- package/test/_legacy/ai/test.pdf +0 -0
- package/test/_legacy/index.js +0 -31
- package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
- package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
- package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
- package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
- package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
- package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
- package/test/_legacy/payment-resolver/index.js +0 -1558
- package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
- package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
- package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
- package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
- package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
- package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
- package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
- package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
- package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
- package/test/_legacy/test-new +0 -1178
- package/test/_legacy/test.md +0 -89
- package/test/_legacy/usage.js +0 -175
- package/test/_legacy/user.js +0 -31
- package/test/ai/tools-live.js +0 -170
- package/test/boot/emulator-boots.js +0 -37
- package/test/content/blog-generate.js +0 -160
- package/test/email/campaign-send.js +0 -45
- package/test/email/consent-lifecycle.js +0 -257
- package/test/email/feedback-and-plain-send.js +0 -52
- package/test/email/fixtures/editorial.json +0 -30
- package/test/email/fixtures/field-report.json +0 -53
- package/test/email/marketing-lifecycle.js +0 -132
- package/test/email/newsletter-generate.js +0 -819
- package/test/email/newsletter-templates.js +0 -491
- package/test/email/templates.js +0 -207
- package/test/email/transactional-send.js +0 -34
- package/test/email/transactional.js +0 -560
- package/test/email/validation.js +0 -710
- package/test/events/auth-delete-race.js +0 -201
- package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
- package/test/events/payments/journey-payments-cancel.js +0 -182
- package/test/events/payments/journey-payments-discount.js +0 -89
- package/test/events/payments/journey-payments-failure.js +0 -146
- package/test/events/payments/journey-payments-legacy-product.js +0 -149
- package/test/events/payments/journey-payments-one-time-failure.js +0 -111
- package/test/events/payments/journey-payments-one-time.js +0 -136
- package/test/events/payments/journey-payments-plan-change.js +0 -144
- package/test/events/payments/journey-payments-refund-webhook.js +0 -180
- package/test/events/payments/journey-payments-suspend.js +0 -181
- package/test/events/payments/journey-payments-trial-cancel.js +0 -130
- package/test/events/payments/journey-payments-trial.js +0 -171
- package/test/events/payments/journey-payments-uid-resolution.js +0 -132
- package/test/events/payments/journey-payments-upgrade.js +0 -135
- package/test/fixtures/chargebee/invoice-one-time.json +0 -27
- package/test/fixtures/chargebee/subscription-active.json +0 -44
- package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
- package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
- package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
- package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
- package/test/fixtures/chargebee/subscription-paused.json +0 -42
- package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
- package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
- package/test/fixtures/paypal/order-approved.json +0 -62
- package/test/fixtures/paypal/order-completed.json +0 -110
- package/test/fixtures/paypal/subscription-active.json +0 -76
- package/test/fixtures/paypal/subscription-cancelled.json +0 -50
- package/test/fixtures/paypal/subscription-suspended.json +0 -65
- package/test/fixtures/stripe/checkout-session-completed.json +0 -130
- package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
- package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
- package/test/fixtures/stripe/subscription-active.json +0 -161
- package/test/fixtures/stripe/subscription-canceled.json +0 -161
- package/test/fixtures/stripe/subscription-trialing.json +0 -161
- package/test/functions/admin/database-read.js +0 -134
- package/test/functions/admin/database-write.js +0 -159
- package/test/functions/admin/edit-post.js +0 -366
- package/test/functions/admin/firestore-query.js +0 -207
- package/test/functions/admin/firestore-read.js +0 -129
- package/test/functions/admin/firestore-write.js +0 -105
- package/test/functions/admin/get-stats.js +0 -115
- package/test/functions/admin/send-email.js +0 -119
- package/test/functions/admin/send-notification.js +0 -208
- package/test/functions/admin/write-repo-content.js +0 -223
- package/test/functions/general/add-marketing-contact.js +0 -335
- package/test/functions/general/fetch-post.js +0 -54
- package/test/functions/general/generate-uuid.js +0 -114
- package/test/functions/test/authenticate.js +0 -64
- package/test/functions/user/create-custom-token.js +0 -73
- package/test/functions/user/delete.js +0 -135
- package/test/functions/user/get-active-sessions.js +0 -111
- package/test/functions/user/get-subscription-info.js +0 -99
- package/test/functions/user/regenerate-api-keys.js +0 -156
- package/test/functions/user/resolve.js +0 -52
- package/test/functions/user/sign-out-all-sessions.js +0 -94
- package/test/functions/user/sign-up.js +0 -252
- package/test/functions/user/submit-feedback.js +0 -104
- package/test/functions/user/validate-settings.js +0 -82
- package/test/helpers/ai-request-payload.js +0 -300
- package/test/helpers/ai-test-provider.js +0 -202
- package/test/helpers/ai-tools-format.js +0 -383
- package/test/helpers/content/blog-auto-publisher.js +0 -484
- package/test/helpers/content/feed-parser.js +0 -528
- package/test/helpers/content/ghostii-blocks.js +0 -134
- package/test/helpers/content/ghostii-feed-integration.js +0 -404
- package/test/helpers/content/ghostii-write-article.js +0 -243
- package/test/helpers/environment.js +0 -230
- package/test/helpers/infer-contact.js +0 -113
- package/test/helpers/merge-line-files.js +0 -271
- package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
- package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
- package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
- package/test/helpers/payment/paypal/parse-webhook.js +0 -539
- package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
- package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
- package/test/helpers/payment/stripe/parse-webhook.js +0 -447
- package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
- package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
- package/test/helpers/sanitize.js +0 -222
- package/test/helpers/slugify.js +0 -394
- package/test/helpers/storage.js +0 -194
- package/test/helpers/user.js +0 -755
- package/test/helpers/webhook-forward.js +0 -418
- package/test/mcp/discovery.js +0 -53
- package/test/mcp/oauth.js +0 -161
- package/test/mcp/protocol.js +0 -268
- package/test/mcp/roles.js +0 -188
- package/test/mcp/utils.js +0 -245
- package/test/routes/admin/create-post.js +0 -364
- package/test/routes/admin/database.js +0 -131
- package/test/routes/admin/deduplicate-image-alts.js +0 -190
- package/test/routes/admin/email.js +0 -114
- package/test/routes/admin/firestore-query.js +0 -204
- package/test/routes/admin/firestore.js +0 -127
- package/test/routes/admin/infer-contact.js +0 -218
- package/test/routes/admin/notification.js +0 -198
- package/test/routes/admin/post-resize-image.js +0 -184
- package/test/routes/admin/post.js +0 -368
- package/test/routes/admin/repo-content.js +0 -223
- package/test/routes/admin/stats.js +0 -112
- package/test/routes/content/post.js +0 -54
- package/test/routes/general/uuid.js +0 -115
- package/test/routes/marketing/campaign.js +0 -125
- package/test/routes/marketing/contact.js +0 -370
- package/test/routes/marketing/email-preferences.js +0 -292
- package/test/routes/marketing/push-send.js +0 -32
- package/test/routes/marketing/webhook-forward.js +0 -61
- package/test/routes/marketing/webhook.js +0 -639
- package/test/routes/payments/cancel.js +0 -140
- package/test/routes/payments/discount.js +0 -80
- package/test/routes/payments/dispute-alert.js +0 -320
- package/test/routes/payments/intent.js +0 -336
- package/test/routes/payments/portal.js +0 -92
- package/test/routes/payments/refund.js +0 -179
- package/test/routes/payments/trial-eligibility.js +0 -71
- package/test/routes/payments/webhook.js +0 -107
- package/test/routes/test/authenticate.js +0 -59
- package/test/routes/test/schema.js +0 -554
- package/test/routes/test/usage.js +0 -342
- package/test/routes/user/api-keys.js +0 -156
- package/test/routes/user/delete.js +0 -136
- package/test/routes/user/feedback.js +0 -104
- package/test/routes/user/sessions.js +0 -199
- package/test/routes/user/settings-validate.js +0 -82
- package/test/routes/user/signup.js +0 -542
- package/test/routes/user/subscription.js +0 -99
- package/test/routes/user/token.js +0 -73
- package/test/routes/user/user.js +0 -157
- package/test/rules/notifications.js +0 -410
- package/test/rules/payments-carts.js +0 -371
- package/test/rules/user.js +0 -396
package/PROGRESS.md
DELETED
|
@@ -1,86 +0,0 @@
|
|
|
1
|
-
# Project Progress Tracker
|
|
2
|
-
> Agents and maintainers should update this file regularly to reflect the current state of the project.
|
|
3
|
-
|
|
4
|
-
## 🎯 Current Focus
|
|
5
|
-
* **Goal:** Ghostii feed sources cleanup + Somiibo consumer config
|
|
6
|
-
* **Current Phase:** Fixes applied + tested, pending commit + publish
|
|
7
|
-
* **Priority:** High
|
|
8
|
-
* **Last Updated:** 2026-06-19 3:05 AM PDT
|
|
9
|
-
* **Notes:** Renamed Firestore collection `ghostii-feed-items` → `ghostii-sources`. Fixed `FieldValue.serverTimestamp()` → BEM metadata pattern. Added 5 marketing/social feeds to extended tests. All tests passing (20/20 standard, 9/9 extended). Somiibo consumer has feeds configured + `ghostii-sources.md` evaluation doc. Needs BEM publish + consumer deploy.
|
|
10
|
-
|
|
11
|
-
## 📌 Active Task List
|
|
12
|
-
* [ ] Phase 6: Setup scaffolds essential configs for fresh projects
|
|
13
|
-
* [x] Task 6.1: Add `templates/firebase.json` standard template
|
|
14
|
-
* [x] Task 6.2: Add `scaffoldConfigs()` + `resolveProjectId()` to setup.js (runs before config resolution)
|
|
15
|
-
* [x] Task 6.3: Auto-fix `engines.node` instead of throwing
|
|
16
|
-
* [x] Task 6.4: Fix `dependencies['backend-manager']` crash when BEM is in devDependencies
|
|
17
|
-
* [x] Task 6.5: Verify fix on truly bare project (dailyembers-backend — 13/14 pass, only service-account expected)
|
|
18
|
-
* [x] Task 6.6: Optimize — consolidate scattered scaffolding into one `[DEFAULTS]` pass with `loadFiles()` DRY extraction
|
|
19
|
-
* [x] Task 6.7: Regression test on existing project (ultimate-jekyll-backend — all pass)
|
|
20
|
-
* [x] Task 6.8: Update docs (CLAUDE.md, CHANGELOG.md)
|
|
21
|
-
* [ ] Task 6.9: Publish new BEM version
|
|
22
|
-
* [ ] Phase 5: Ghostii feed-based article system
|
|
23
|
-
* [x] Task 5.1: Create `feed-parser.js` (RSS 2.0, Atom 1.0, JSON Feed parser + article extractor)
|
|
24
|
-
* [x] Task 5.2: Add `fast-xml-parser` dependency to BEM
|
|
25
|
-
* [x] Task 5.3: Add `sourceContent` field to Ghostii backend schema (16KB)
|
|
26
|
-
* [x] Task 5.4: Update Ghostii outline prompt (Step 2 only) with sourceContent for efficient spinning
|
|
27
|
-
* [x] Task 5.5: Update `writeArticle()` to accept `sourceContent` and per-entry `overrides`
|
|
28
|
-
* [x] Task 5.6: Upgrade `ghostii-auto-publisher.js` — `$feed:` source type, feed processing, Firestore tracking, fallback
|
|
29
|
-
* [x] Task 5.7: Update config template with new source types and overrides
|
|
30
|
-
* [x] Task 5.8: Write extensive test suite (4 test files: unit, integration, extended E2E)
|
|
31
|
-
* [x] Task 5.9: Verify all tests pass (84 standard + 8 extended against real RSS feeds)
|
|
32
|
-
* [x] Task 5.10: Create `docs/ghostii.md` deep reference, update CLAUDE.md + CHANGELOG.md
|
|
33
|
-
* [x] Task 5.11: Verify all recommended feed URLs work (The Verge removed — CDN blocks programmatic access)
|
|
34
|
-
* [x] Task 5.12: Write ghostii-backend tests for sourceContent (4 schema + 1 extended generation)
|
|
35
|
-
* [x] Task 5.13: Ghostii sourceContent accepts URL (auto-fetches + extracts article text)
|
|
36
|
-
* [x] Task 5.14: Add fact paraphrasing to outline prompt + newsletter writer
|
|
37
|
-
* [x] Task 5.15: Fix Step 3 prompts — assertive link insertion + blockquote in every body section
|
|
38
|
-
* [x] Task 5.16: Fix humanizer stripping links — `injectBurstiness` was breaking `[text](url)` syntax; added protect-and-restore pattern + tests
|
|
39
|
-
* [x] Task 5.17: Fix 403 links treated as "working" in link verification step
|
|
40
|
-
* [x] Task 5.18: Add detective-level `[LINKS]` diagnostic logging to article pipeline
|
|
41
|
-
* [x] Task 5.19: Ship BEM v5.8.0 to npm
|
|
42
|
-
* [x] Task 5.20: Ship Ghostii-backend v1.0.5 + deploy to Firebase
|
|
43
|
-
* [ ] Task 5.17: Publish BEM with feed support
|
|
44
|
-
* [ ] Task 5.12: Publish BEM with feed support
|
|
45
|
-
* [ ] Task 5.13: Configure consumer project(s) with `$feed:` sources
|
|
46
|
-
* [ ] Phase 3: Post-audit bug fixes
|
|
47
|
-
* [x] Newsletter ReferenceError: `beehiivConfig` → `newsletterRoleConfig` (committed v5.7.1)
|
|
48
|
-
* [x] HTTPS proxy: `serve.js` returns boolean, caller uses `httpsReady` not `httpsEnabled`
|
|
49
|
-
* [x] AI normalizeOptions: array-content system messages now get rules injected
|
|
50
|
-
* [x] Setup warn handling: `warnCount` tracked separately, warns don't trigger retry
|
|
51
|
-
* [x] Copy-paste fix: `sender: 'electron-manager'` → `'backend-manager'`
|
|
52
|
-
* [x] Test: AI array-content-blocks test added + passing (20/20)
|
|
53
|
-
* [x] Fix: consent rules test — write `'forged'` instead of `'granted'` to avoid value collision with prior email-preferences tests
|
|
54
|
-
* [x] Fix: `cancel-too-young` account `timestampUNIX` uses seconds (was ms)
|
|
55
|
-
* [x] Fix: auth on-delete race condition — `deleteTestUsers` uses emulator bulk-clear REST API instead of individual `deleteUser()` calls (eliminates async on-delete triggers that clobbered freshly-created accounts)
|
|
56
|
-
* [x] Diagnostic: auth-delete-race test — proved the race condition (80-100% clobber rate without mitigation), removed after fix verified
|
|
57
|
-
* [x] Commit + publish framework fixes (v5.7.2)
|
|
58
|
-
* [ ] Deploy somiibo-backend + advance stuck sendAt
|
|
59
|
-
* [ ] Phase 4: Root package.json proxy scripts
|
|
60
|
-
* [x] Task 4.1: Create `root-package-json.js` setup test (proxies `projectScripts` with `cd functions &&` prefix + `preinstall` guard)
|
|
61
|
-
* [x] Task 4.2: Register in setup test index (after `npm-project-scripts`)
|
|
62
|
-
* [ ] Task 4.3: Test in consumer project (`npx mgr setup` from ultimate-jekyll-backend)
|
|
63
|
-
* [ ] Task 4.4: Verify `npm test` / `npm start` work from project root
|
|
64
|
-
|
|
65
|
-
## ✅ Completed Task List
|
|
66
|
-
* [x] Phase 1: MCP role-based tool scoping + consumer extensibility
|
|
67
|
-
* [x] Foundation utilities (`src/mcp/utils.js`)
|
|
68
|
-
* [x] Add `role` to all 19 tools (`src/mcp/tools.js`)
|
|
69
|
-
* [x] User token support in HTTP client (`src/mcp/client.js`)
|
|
70
|
-
* [x] Stdio server role filtering + consumer tools (`src/mcp/index.js`)
|
|
71
|
-
* [x] CLI `--token` flag + `cwd` passthrough (`src/cli/commands/mcp.js`)
|
|
72
|
-
* [x] HTTP handler — role filtering, OAuth user flow, consumer tool execution (`src/mcp/handler.js`)
|
|
73
|
-
* [x] Test suite — 44 tests across 5 files
|
|
74
|
-
* [x] Documentation — `docs/mcp.md`, `CLAUDE.md`
|
|
75
|
-
* [x] UJM `/token` page update (separate repo)
|
|
76
|
-
* [x] Phase 2: HTTPS local dev + Claude Desktop MCP testing
|
|
77
|
-
* [x] HTTPS proxy in `npx mgr serve` (mkcert certs, port 5002 → 5443)
|
|
78
|
-
* [x] `getApiUrl()` returns `https://` when `BEM_HTTPS_PORT` is set
|
|
79
|
-
* [x] Fix OAuth discovery (root-level issuer per RFC 8414)
|
|
80
|
-
* [x] Add dynamic client registration (`POST /mcp/register`)
|
|
81
|
-
* [x] Fix 401 trigger for OAuth flow
|
|
82
|
-
* [x] Tool annotations (title, readOnlyHint, destructiveHint, etc.)
|
|
83
|
-
* [x] Role reassignment (cancel/refund/uuid → admin, user = read-only)
|
|
84
|
-
* [x] Consumer tool override bug fix (listing/execution sync)
|
|
85
|
-
* [x] Test MCP connection in Claude Desktop — verified end-to-end
|
|
86
|
-
* [x] Update tests (44 passing) + docs
|
package/TODO-2.md
DELETED
|
@@ -1,121 +0,0 @@
|
|
|
1
|
-
TODO
|
|
2
|
-
* pdate deps LIKE WF, PP, ETC
|
|
3
|
-
|
|
4
|
-
TODO
|
|
5
|
-
* remove shim in
|
|
6
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/libraries/email/transactional/index.js:59-61 — legacy template name map
|
|
7
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/libraries/email/transactional/index.js:132-135 — data.body → data.content shim
|
|
8
|
-
ONly needed for about 10 days after Jue 6th 2026, then safe to remove (queued emails)
|
|
9
|
-
|
|
10
|
-
PAYMENT SYSTEM
|
|
11
|
-
* Ensure attribution is working (utm but also the AD ID shit like from adwords, tiktok ads, meta etc)
|
|
12
|
-
* ensure legacy plan RESOLVING is working
|
|
13
|
-
|
|
14
|
-
payments/reactivate
|
|
15
|
-
* takes a subscription id and reactivates a cancelled subscription. this can only be done if the subscription is still within its billing period, otherwise the user would have to create a new subscription.
|
|
16
|
-
payments/upgrade
|
|
17
|
-
* takes a subscription id and a new plan id and upgrades the user's subscription to the new plan. this can only be done if the user has an active subscription.
|
|
18
|
-
|
|
19
|
-
I'd call that cancellation-reversed — it pairs naturally with the existing cancellation-requested transition and clearly communicates the action (they reversed/undid the pending cancellation).
|
|
20
|
-
|
|
21
|
-
on the email we send, for payment recovered what is the category
|
|
22
|
-
Let me check the handler.
|
|
23
|
-
|
|
24
|
-
Read payment-recovered.js
|
|
25
|
-
The category is order/payment-recovered (line 13).
|
|
26
|
-
|
|
27
|
-
TODO-2.md
|
|
28
|
-
waht about when they request a cancel
|
|
29
|
-
Read cancellation-requested.js
|
|
30
|
-
The category is order/cancellation-requested (line 13).
|
|
31
|
-
|
|
32
|
-
----
|
|
33
|
-
add a dedicated BEM JSON field for usage to reset
|
|
34
|
-
* this way we can have clear LIMITS with their definitions like
|
|
35
|
-
* [
|
|
36
|
-
{
|
|
37
|
-
name: 'credits'
|
|
38
|
-
reset: true,
|
|
39
|
-
},
|
|
40
|
-
{
|
|
41
|
-
name: 'agents',
|
|
42
|
-
reset: false,
|
|
43
|
-
}
|
|
44
|
-
]
|
|
45
|
-
* mirrors: [
|
|
46
|
-
{
|
|
47
|
-
collection: 'agents',
|
|
48
|
-
fields: ['usage.credits.daily', 'runs.replies.daily],
|
|
49
|
-
}
|
|
50
|
-
]
|
|
51
|
-
|
|
52
|
-
---
|
|
53
|
-
MIRROR settigns in BEM JSON so that usage reset can properly get MIRRED DOCS liek slapform forms or chatsy agents DOCS
|
|
54
|
-
|
|
55
|
-
---
|
|
56
|
-
GHOSTII REVAMP
|
|
57
|
-
* better logic for generating posts. better model? claude?
|
|
58
|
-
|
|
59
|
-
---- MCP
|
|
60
|
-
* ability for consuming prjec to specify MCP functions
|
|
61
|
-
|
|
62
|
-
-------
|
|
63
|
-
UPSELL
|
|
64
|
-
* products in BEM can have an UPSELL where you link another product ID and it allows you to add it to your cart OR shows you after checkout?
|
|
65
|
-
|
|
66
|
-
-------
|
|
67
|
-
USER OBJECT UPDGRADE --> INSTANCE?
|
|
68
|
-
|
|
69
|
-
const User = require('backend-manager/src/manager/helpers/user');
|
|
70
|
-
+
|
|
71
|
-
User.resolveSubscription(self.request.user);
|
|
72
|
-
-->
|
|
73
|
-
one object that cna do resolveSubscription(), getAccount(), etc
|
|
74
|
-
|
|
75
|
-
since you changed some things, do all tests in all projects align still?
|
|
76
|
-
|
|
77
|
-
after that, udpate README, CLAUDE.md and ANY TOPLEVLE CLAUDE SKILLS so that we never make this mistake again
|
|
78
|
-
|
|
79
|
-
including
|
|
80
|
-
|
|
81
|
-
---------
|
|
82
|
-
|
|
83
|
-
TEST NEWSLETTER
|
|
84
|
-
POST /admin/cron { id: 'daily/marketing-newsletter-generate' }
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
SIGNUP HANDLER
|
|
88
|
-
Here are the instructions for BEM:
|
|
89
|
-
|
|
90
|
-
Update updateReferral() in sign-up.js to resolve all legacy affiliate code formats:
|
|
91
|
-
|
|
92
|
-
The affiliateCode value coming from the client could be in 3 formats:
|
|
93
|
-
|
|
94
|
-
Format Example How to resolve
|
|
95
|
-
Affiliate code (7-14 alphanumeric) rmUKlC4z1 Query users where affiliate.code == value (current behavior)
|
|
96
|
-
UID (28 chars) 6sNjQFxTsObA73D8lkF01gcWdP92 Direct doc lookup: users/{value}
|
|
97
|
-
Base64 email (e.g. cG9ldH...Lm_2) cG9ldHJ5aW5hY3Rpb24yMDE4QGdtYWlsLmNvbQ_2 Strip _\d+ suffix, base64-decode, query users where auth.email == decoded
|
|
98
|
-
Any other format → ignore (resolve with no referrer).
|
|
99
|
-
|
|
100
|
-
The resolution logic should go at the top of updateReferral(), before the current where('affiliate.code', '==', affiliateCode) query. Try each format in order:
|
|
101
|
-
|
|
102
|
-
If affiliateCode matches /^[0-9a-zA-Z_-]{7,14}$/ → query by affiliate.code (current path)
|
|
103
|
-
Else if affiliateCode.length === 28 → direct doc get users/{affiliateCode}, use that as the referrer
|
|
104
|
-
Else try base64 decode: strip trailing _\d+, decode, if result contains @ → query by auth.email
|
|
105
|
-
Else → log and return (unrecognized format)
|
|
106
|
-
Once the referrer doc is found (by any method), the rest stays the same: push to affiliate.referrals.
|
|
107
|
-
|
|
108
|
-
* if the usage was used and the user is actuall authenticated (uid, not just an admin or unauthed user),
|
|
109
|
-
* set the user's context (ip, location, etc)
|
|
110
|
-
|
|
111
|
-
Payment attribution
|
|
112
|
-
* can you ensure the the user's attribution (utm etc) is assocaited with the purchase
|
|
113
|
-
* mostly i am referring to the payent events sent to GA4, tiktok, meta
|
|
114
|
-
* i think we should make it so if the attribution was set less than 30 days ago (the date is in the attribution) then it counts
|
|
115
|
-
* it shouldbe attached to the payments-orders and then ALL FUTURE EVENTS should send that (thats a good idea right??)
|
|
116
|
-
|
|
117
|
-
Payment disputes
|
|
118
|
-
* automatic dispute handling
|
|
119
|
-
* during bm_cron daily, we should check for open disputes for pypal stripe etc... we should then FILL THEM WITH INFORMATION USEFUL FOR WINNING
|
|
120
|
-
* we should attach USAGE LOGS, IP logs, etc. you should take inspiration from my previous attmept at this (/Users/ian/Developer/Repositories/ITW-Creative-Works/subscription-profile-sync/main/disputes)
|
|
121
|
-
* HOWEVER, i know for a fact i got a lot of it wrong. so JUST USE AS INSPO, you should recreate it full
|
package/TODO-CHARGEBLAST.md
DELETED
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
As for the AMEX enrollment, AMEX alerts are not supported on Stripe/Shopify. To enable them, you’ll need a dedicated AMEX MID and a payment orchestrator to route all AMEX transactions through that dedicated MID. Using a dedicated AMEX MID allows for a dispute rate of up to 5%, so routing all AMEX traffic through it will significantly reduce your dispute rate on Stripe.
|
|
2
|
-
|
|
3
|
-
06:44 PM
|
|
4
|
-
For Discover,
|
|
5
|
-
|
|
6
|
-
In order to enroll in Discover coverage, you will need to do the following:
|
|
7
|
-
|
|
8
|
-
First, provide us with details about your business below:
|
|
9
|
-
- Merchant Legal Name:
|
|
10
|
-
- Merchant DBA Name:
|
|
11
|
-
- Merchant Registered Street Address:
|
|
12
|
-
- City:
|
|
13
|
-
- Country:
|
|
14
|
-
- State/Province:
|
|
15
|
-
- ZIP/Postal Code:
|
|
16
|
-
|
|
17
|
-
Second, you must request from your payment processor’s support for a few pieces of information. To do so, please follow the steps below and send them the email template below.
|
|
18
|
-
|
|
19
|
-
""I am enrolling for Discover Ethoca Alerts via my third-party vendor, Chargeblast. I need my 15-Digit Discover SE number. Can you please provide these pieces of information to me ASAP? Let me know if you need any additional info from me. Please feel free to provide me with these pieces of information piecemeal.”
|
|
20
|
-
|
|
21
|
-
06:44 PM
|
|
22
|
-
For AMEX If you’d like to proceed with obtaining a dedicated AMEX MID, we’d be happy to arrange an introduction for you.
|
|
23
|
-
|
|
24
|
-
06:45 PM
|
|
25
|
-
Avatar of Zander
|
|
26
|
-
Zander
|
|
27
|
-
Are we still connected?
|
|
28
|
-
|
|
29
|
-
06:56 PM
|
|
30
|
-
Avatar of Zander
|
|
31
|
-
Zander
|
|
32
|
-
Since this chat has been inactive, I’ll close it for now. If you have more questions, feel free to contact us at any time. Have a great day ahead!
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
# TODO: Remove legacy BACKEND_MANAGER_KEY acceptance from webhook routes
|
|
2
|
-
|
|
3
|
-
When v5.2.x shipped, the two payment-webhook routes were switched to prefer `BACKEND_MANAGER_WEBHOOK_KEY` but still accept `BACKEND_MANAGER_KEY` as a transitional fallback so existing provider URLs (registered with the old key) keep working until OMEGA re-registers them with the new key.
|
|
4
|
-
|
|
5
|
-
Once every brand's provider URLs (Stripe / PayPal / Chargebee / Chargeblast / Coinbase / etc.) have been re-registered via OMEGA to use `BACKEND_MANAGER_WEBHOOK_KEY`, drop the legacy fallback:
|
|
6
|
-
|
|
7
|
-
## Files to update
|
|
8
|
-
|
|
9
|
-
- `src/manager/routes/payments/webhook/post.js` — line ~28: remove the `|| key === process.env.BACKEND_MANAGER_KEY` half of the validation check.
|
|
10
|
-
- `src/manager/routes/payments/dispute-alert/post.js` — line ~20: same removal. Also update the docstring at line ~11 to drop the "BACKEND_MANAGER_KEY accepted as legacy fallback" note.
|
|
11
|
-
- `docs/stripe-webhook-forwarding.md` — drop the "BACKEND_MANAGER_KEY also accepted as a legacy fallback" parenthetical.
|
|
12
|
-
|
|
13
|
-
## How to verify it's safe
|
|
14
|
-
|
|
15
|
-
Grep production logs (`npx mgr logs:read --fn bm_api --grep "payments/webhook" --limit 1000`) and confirm zero `401 Invalid key` hits over a meaningful window. If there are any, those are providers still on the old URL — re-register them via OMEGA before dropping the fallback.
|
|
@@ -1,138 +0,0 @@
|
|
|
1
|
-
# TODO: Payment Webhook Key Upgrade — `BACKEND_MANAGER_KEY` → `BACKEND_MANAGER_WEBHOOK_KEY`
|
|
2
|
-
|
|
3
|
-
## Context
|
|
4
|
-
|
|
5
|
-
In BEM v5.2.0 we introduced `BACKEND_MANAGER_WEBHOOK_KEY` as a dedicated env var for third-party webhook authentication, scoped narrowly so it can be rotated independently of the admin key. The marketing routes (`/marketing/webhook`, `/marketing/webhook/forward`) use it correctly.
|
|
6
|
-
|
|
7
|
-
The **payment webhook** (`/payments/webhook`) and **dispute-alert webhook** (`/payments/dispute-alert`) still validate against `BACKEND_MANAGER_KEY` — the general-purpose admin key. This is a security misalignment: a leaked admin key could forge payment webhooks, and rotating the admin key forces every Stripe/PayPal/Chargebee webhook URL to be re-registered.
|
|
8
|
-
|
|
9
|
-
Plan: gradual rollout. Phase 1 (this BEM release) makes the payment routes accept **either** key so existing brand deploys (with only `BACKEND_MANAGER_KEY` set) keep working AND new brands can start using `BACKEND_MANAGER_WEBHOOK_KEY` immediately. Phase 2 (a later BEM release) drops the legacy fallback after every brand has been migrated.
|
|
10
|
-
|
|
11
|
-
## Files needing the dual-key check
|
|
12
|
-
|
|
13
|
-
| File | Line | Current |
|
|
14
|
-
|---|---|---|
|
|
15
|
-
| [src/manager/routes/payments/webhook/post.js](src/manager/routes/payments/webhook/post.js) | 28 | `if (!key \|\| key !== process.env.BACKEND_MANAGER_KEY)` |
|
|
16
|
-
| [src/manager/routes/payments/dispute-alert/post.js](src/manager/routes/payments/dispute-alert/post.js) | 20 | `if (!key \|\| key !== process.env.BACKEND_MANAGER_KEY)` |
|
|
17
|
-
| [src/manager/routes/payments/intent/processors/test.js](src/manager/routes/payments/intent/processors/test.js) | 158 | `key=${process.env.BACKEND_MANAGER_KEY}` |
|
|
18
|
-
|
|
19
|
-
## Phase 1 — Dual-key acceptance (this BEM release)
|
|
20
|
-
|
|
21
|
-
### Validation change (webhook + dispute-alert)
|
|
22
|
-
|
|
23
|
-
Replace the single-key check with a dual-key check. Accept the request if `key` matches EITHER `BACKEND_MANAGER_WEBHOOK_KEY` OR the legacy `BACKEND_MANAGER_KEY`.
|
|
24
|
-
|
|
25
|
-
```js
|
|
26
|
-
// Before
|
|
27
|
-
if (!key || key !== process.env.BACKEND_MANAGER_KEY) {
|
|
28
|
-
return assistant.respond('Invalid key', { code: 401 });
|
|
29
|
-
}
|
|
30
|
-
|
|
31
|
-
// After (Phase 1 — dual-key fallback)
|
|
32
|
-
const validKeys = [
|
|
33
|
-
process.env.BACKEND_MANAGER_WEBHOOK_KEY,
|
|
34
|
-
process.env.BACKEND_MANAGER_KEY, // legacy — remove in Phase 2
|
|
35
|
-
].filter(Boolean);
|
|
36
|
-
|
|
37
|
-
if (!key || !validKeys.includes(key)) {
|
|
38
|
-
return assistant.respond('Invalid key', { code: 401 });
|
|
39
|
-
}
|
|
40
|
-
```
|
|
41
|
-
|
|
42
|
-
Notes:
|
|
43
|
-
- `.filter(Boolean)` matters — if a brand hasn't set `BACKEND_MANAGER_WEBHOOK_KEY` yet, `validKeys` becomes `[BACKEND_MANAGER_KEY]` (single-element). If a brand HAS set it, both are accepted.
|
|
44
|
-
- If BOTH env vars are unset (misconfigured brand), `validKeys` is `[]` and every request 401s. That's the right behavior — explicit failure beats silent acceptance.
|
|
45
|
-
- Update the route header comments (lines 11 and 27 of dispute-alert, 27 of webhook) to mention both keys.
|
|
46
|
-
|
|
47
|
-
### Test processor self-fire URL
|
|
48
|
-
|
|
49
|
-
Switch [src/manager/routes/payments/intent/processors/test.js:158](src/manager/routes/payments/intent/processors/test.js#L158) to PREFER `BACKEND_MANAGER_WEBHOOK_KEY` and fall back to `BACKEND_MANAGER_KEY`:
|
|
50
|
-
|
|
51
|
-
```js
|
|
52
|
-
const webhookKey = process.env.BACKEND_MANAGER_WEBHOOK_KEY || process.env.BACKEND_MANAGER_KEY;
|
|
53
|
-
const webhookUrl = `${assistant.Manager.project.apiUrl}/backend-manager/payments/webhook?processor=test&key=${webhookKey}`;
|
|
54
|
-
```
|
|
55
|
-
|
|
56
|
-
This way the test processor exercises the new key when it's set, and falls back to the legacy key on brands that haven't migrated yet.
|
|
57
|
-
|
|
58
|
-
### Test infrastructure updates
|
|
59
|
-
|
|
60
|
-
**`src/test/utils/http-client.js`** — add `backendManagerWebhookKey` field alongside the existing `backendManagerKey`.
|
|
61
|
-
|
|
62
|
-
**`src/test/runner.js`** — thread `backendManagerWebhookKey` through the runner context the same way `backendManagerKey` is threaded today (3 sites).
|
|
63
|
-
|
|
64
|
-
**`src/cli/commands/test.js`** — read `BACKEND_MANAGER_WEBHOOK_KEY` from env (parallel to the existing `BACKEND_MANAGER_KEY` read), pass it through to the runner, fall back to the admin key if unset.
|
|
65
|
-
|
|
66
|
-
**Route + journey tests** — update test fixtures to prefer `BACKEND_MANAGER_WEBHOOK_KEY` when set:
|
|
67
|
-
- `test/routes/payments/webhook.js` — all `${config.backendManagerKey}` interpolations in `payments/webhook?...&key=` URLs
|
|
68
|
-
- `test/routes/payments/dispute-alert.js` — same (13 sites)
|
|
69
|
-
- `test/events/payments/journey-*.js` — only the `payments/webhook?...&key=` URLs (NOT the admin-auth uses elsewhere in journey tests)
|
|
70
|
-
|
|
71
|
-
Use `config.backendManagerWebhookKey || config.backendManagerKey` everywhere so both keys are exercised.
|
|
72
|
-
|
|
73
|
-
### Docs
|
|
74
|
-
|
|
75
|
-
- **`docs/stripe-webhook-forwarding.md`** — line 7 + 18 — note the dual-key acceptance, recommend `BACKEND_MANAGER_WEBHOOK_KEY` for new setups, note legacy `BACKEND_MANAGER_KEY` is still accepted for backwards compatibility.
|
|
76
|
-
- **`CHANGELOG.md`** — entry under the next version. Categorize under `Changed` (NOT `BREAKING` — that's reserved for Phase 2). Spell out: "Payment webhook + dispute-alert routes now accept either `BACKEND_MANAGER_WEBHOOK_KEY` (preferred) or `BACKEND_MANAGER_KEY` (legacy). Set `BACKEND_MANAGER_WEBHOOK_KEY` in every consumer brand's `.env` and run OMEGA payment ensure before Phase 2 ships."
|
|
77
|
-
- **`templates/_.env`** — already declares both keys, no change.
|
|
78
|
-
|
|
79
|
-
### Verification (manual)
|
|
80
|
-
|
|
81
|
-
1. **Local test (no `BACKEND_MANAGER_WEBHOOK_KEY` set)** — confirm legacy fallback still passes:
|
|
82
|
-
```bash
|
|
83
|
-
npx mgr test routes/payments/webhook routes/payments/dispute-alert events/payments
|
|
84
|
-
```
|
|
85
|
-
Expect green.
|
|
86
|
-
|
|
87
|
-
2. **Local test (`BACKEND_MANAGER_WEBHOOK_KEY` set to a different value)** — confirm the new key is accepted AND the legacy key still works:
|
|
88
|
-
```bash
|
|
89
|
-
BACKEND_MANAGER_WEBHOOK_KEY=test-webhook-key npx mgr test routes/payments/webhook routes/payments/dispute-alert events/payments
|
|
90
|
-
```
|
|
91
|
-
Expect green.
|
|
92
|
-
|
|
93
|
-
3. **Live spot-check on one brand (Somiibo)** — deploy this BEM release to Somiibo (whose `.env` currently only has `BACKEND_MANAGER_KEY` set OR has both), trigger a Stripe test event, confirm the webhook doc lands in Firestore.
|
|
94
|
-
|
|
95
|
-
## Phase 2 — Drop legacy fallback (future BEM release)
|
|
96
|
-
|
|
97
|
-
**Do NOT do this until every consumer brand has been migrated and verified.** Tracking checklist for migration readiness:
|
|
98
|
-
|
|
99
|
-
- [ ] Every consumer `.env` has `BACKEND_MANAGER_WEBHOOK_KEY` set (spot-check via OMEGA across all brands)
|
|
100
|
-
- [ ] OMEGA `payment/ensure/{stripe,paypal,chargebee}-webhook.js` updated to use `BACKEND_MANAGER_WEBHOOK_KEY` when constructing webhook URLs (see "OMEGA changes" below)
|
|
101
|
-
- [ ] OMEGA `--service payment` run across every brand to re-register webhook URLs at Stripe/PayPal/Chargebee with the new key
|
|
102
|
-
- [ ] Stale webhook URLs (the old ones with `key=BACKEND_MANAGER_KEY`) deleted from each provider — these will start 401-ing the moment Phase 2 ships
|
|
103
|
-
- [ ] At least one live billing cycle (Stripe charge, refund, dispute) observed working end-to-end on the new key for at least 3 brands
|
|
104
|
-
|
|
105
|
-
When all boxes are checked, Phase 2 ships as a **breaking change**:
|
|
106
|
-
|
|
107
|
-
```js
|
|
108
|
-
// Phase 2 — single-key (legacy removed)
|
|
109
|
-
if (!key || key !== process.env.BACKEND_MANAGER_WEBHOOK_KEY) {
|
|
110
|
-
return assistant.respond('Invalid key', { code: 401 });
|
|
111
|
-
}
|
|
112
|
-
```
|
|
113
|
-
|
|
114
|
-
Phase 2 CHANGELOG entry goes under `BREAKING`.
|
|
115
|
-
|
|
116
|
-
## OMEGA changes (separate repo, needed for Phase 2 prep)
|
|
117
|
-
|
|
118
|
-
Touched files (do NOT do these in Phase 1 — they're for Phase 2 prep):
|
|
119
|
-
|
|
120
|
-
| File | Change |
|
|
121
|
-
|---|---|
|
|
122
|
-
| `/Users/ian/Developer/Repositories/ITW-Creative-Works/omega-manager/src/services/payment/ensure/stripe-webhook.js` | Line 38: swap `BACKEND_MANAGER_KEY` → `BACKEND_MANAGER_WEBHOOK_KEY`. Line 76 check + line 77 message + line 64 doc comment: update env var name. |
|
|
123
|
-
| `/Users/ian/Developer/Repositories/ITW-Creative-Works/omega-manager/src/services/payment/ensure/paypal-webhook.js` | Same change at lines 40, 66, 77, 78, 79. |
|
|
124
|
-
| `/Users/ian/Developer/Repositories/ITW-Creative-Works/omega-manager/src/services/payment/ensure/chargebee-webhook.js` | Same change at lines 34, 45, 57, 58, 59. |
|
|
125
|
-
|
|
126
|
-
**Idempotent re-registration + stale cleanup:** Each ensure file looks up existing webhooks **by URL**. Since the URL will change (the `key=` query param differs), the existing webhook will NOT match and a new one will be created. The OLD webhook (with the admin key) needs to be cleaned up — otherwise the third party will deliver to both and the old one will start failing 401 once Phase 2 ships.
|
|
127
|
-
|
|
128
|
-
Cleanup approach in each ensure file: after creating the new webhook, scan for any other webhook whose URL points at `/payments/webhook?processor={name}` (regardless of key) and delete the stale ones. Match on path prefix, not full URL. Stripe + PayPal + Chargebee all support webhook deletion via the same API methods these files already use for listing.
|
|
129
|
-
|
|
130
|
-
Helper: extract a `pathMatchesOurProcessor(url, processor)` in each ensure file — strip query string, match the path-and-processor segment.
|
|
131
|
-
|
|
132
|
-
## Known constraints / gotchas
|
|
133
|
-
|
|
134
|
-
1. **Phase 1 is non-breaking.** Any consumer can deploy this BEM release without touching their `.env` — the legacy key still works.
|
|
135
|
-
2. **`BACKEND_MANAGER_KEY` continues to grant admin via `assistant.authenticate()`.** That hasn't changed; it's still the admin secret for internal API calls (newsletter, send-email, user/delete, ghostii cron, electron-client, oauth2 state encryption). This TODO is *only* about scoping webhook endpoints to a separate key.
|
|
136
|
-
3. **`UNSUBSCRIBE_HMAC_KEY` is unrelated** and stays separate.
|
|
137
|
-
4. **Admin grant is NOT triggered by the webhook routes.** Middleware auto-runs `assistant.authenticate()` via `Usage.init()`, which reads `data.backendManagerKey` from the request body. The three webhook routes get their key via `?key=` query string (NOT body), and their request bodies are third-party payloads (Stripe events, PayPal events, Chargeblast alerts) that can't contain the real admin secret. So switching the routes' validation does NOT remove any admin-grant the handlers depend on — they write to Firestore via `libraries.admin` (Admin SDK, always full access) anyway.
|
|
138
|
-
5. **Test processor self-fire** must use the same key the BEM endpoint accepts, which is why the test processor URL also gets updated in Phase 1.
|
package/TODO-email-auth.md
DELETED
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
https://github.com/disposable-email-domains/disposable-email-domains?tab=readme-ov-file
|
|
2
|
-
https://www.npmjs.com/package/disposable-domains
|
|
3
|
-
https://github.com/tompec/disposable-email-domains
|
|
4
|
-
|
|
5
|
-
Two repos:
|
|
6
|
-
|
|
7
|
-
Repo Domains Approach
|
|
8
|
-
disposable-email-domains/disposable-email-domains 5,359 Curated, conservative, high confidence
|
|
9
|
-
ivolo/disposable-email-domains 121,569 Aggressive, aggregated from many sources, more false positives
|
|
10
|
-
Our current list has 854 — so even the smaller curated list is 6x larger.
|
|
11
|
-
|
|
12
|
-
For our use case (currently only used to skip marketing sync, not blocking signups), I'd recommend the 5,359 curated list — it's comprehensive enough without being overly aggressive. And if we ever do use it for blocking signups, the false positive risk is much lower.
|
|
13
|
-
|
|
14
|
-
Want to swap to that one?
|
package/TODO.md
DELETED
|
@@ -1,187 +0,0 @@
|
|
|
1
|
-
????
|
|
2
|
-
// Attach assistant to req and res
|
|
3
|
-
if (ref.req && ref.res) {
|
|
4
|
-
ref.req.assistant = self;
|
|
5
|
-
ref.res.assistant = self;
|
|
6
|
-
}
|
|
7
|
-
|
|
8
|
-
console.log('*** err', err);
|
|
9
|
-
console.log('*** req.assistant', req.assistant);
|
|
10
|
-
console.log('*** res.assistant', res.assistant);
|
|
11
|
-
|
|
12
|
-
# OAUTH2 (INBOUND + OUTBOUND)
|
|
13
|
-
UJM + BEM CHANGE
|
|
14
|
-
* UJM /oauth2 = for conencting OTHER accounts to user account
|
|
15
|
-
* UJM /token = for connecting user account to OTHER accounts
|
|
16
|
-
* we should rename this (requires backend change too)
|
|
17
|
-
* /authorize (most common says claude) or /connect
|
|
18
|
-
|
|
19
|
-
# PAYMETNS
|
|
20
|
-
https://github.com/invertase/stripe-firebase-extensions/tree/next/firestore-stripe-payments
|
|
21
|
-
|
|
22
|
-
# Make new BEM API using middleware system
|
|
23
|
-
|
|
24
|
-
# BEM Test
|
|
25
|
-
* Create test accounts (admin, free user, user with paid plan)
|
|
26
|
-
* Run tests to ensure each account has correct access to features
|
|
27
|
-
|
|
28
|
-
BEM
|
|
29
|
-
* Teach it how to mock requests and use test user's SECRET API KEYS to authenticate requests
|
|
30
|
-
* BEM should create a few test accounts: basic, then one for each plan level
|
|
31
|
-
|
|
32
|
-
TODO
|
|
33
|
-
Update deps!!!! theres lots
|
|
34
|
-
* we culd have a test that TRIES EACH IMPORT ?? incase updating it fails due to ESM VULLSHIT?
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
TODO
|
|
38
|
-
PAYMENT
|
|
39
|
-
https://hookdeck.com/webhooks/platforms/guide-to-paypal-webhooks-features-and-best-practices
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
# TEST REWRRK
|
|
43
|
-
btw... the account.json needs to be removed. remove it from BEM and the consumong project. when we make our test system, we DO NOT NEED TO STORE THE ACCOUBT IN A JSON file. we just need a source of truth in BEM for what uid/emails to look for
|
|
44
|
-
|
|
45
|
-
need a "projectScripts" that creates the npm start, npm test, etc scripts in the consuming project.
|
|
46
|
-
|
|
47
|
-
during test run, we need to check that the test accounts exist. we also need to ALWAYS reset them at the begining of the run to ensure they are in the proper format, specifically by resetting their usage, roles, amd subscriptipn
|
|
48
|
-
|
|
49
|
-
needa new account type that we can change the subscription level of to test the sub events? maybe _test-upgrade that starts free and we test how it progresses from free to paid to canceled?
|
|
50
|
-
|
|
51
|
-
# Use gitignore from backend-manager-tempalte
|
|
52
|
-
|
|
53
|
-
# CLEAN
|
|
54
|
-
having different ID and UID is messy and annoying, just make it the same
|
|
55
|
-
admin: {
|
|
56
|
-
id: 'admin',
|
|
57
|
-
uid: '_test-admin',
|
|
58
|
-
email: '_test.admin@{domain}',
|
|
59
|
-
|
|
60
|
-
should be "admin" for ALL
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
# TODO
|
|
64
|
-
Update deps
|
|
65
|
-
Remove unused deps like
|
|
66
|
-
* node-fetch
|
|
67
|
-
|
|
68
|
-
# MOVE LEGACY BEM INDIVIDUAL FUNCTIONS TO AN _OLD FOLDER
|
|
69
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/functions/core/actions/create-post-handler.js
|
|
70
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/functions/core/actions/generate-uuid.js
|
|
71
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/functions/core/actions/sign-up-handler.js
|
|
72
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/functions/test
|
|
73
|
-
/Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/src/manager/functions/core/admin
|
|
74
|
-
|
|
75
|
-
# Things to deprecate
|
|
76
|
-
* api manager
|
|
77
|
-
|
|
78
|
-
# Email
|
|
79
|
-
Move the sendEmail function to HERE instead of calling ITW
|
|
80
|
-
|
|
81
|
-
# BEM TESTS
|
|
82
|
-
# User Auth rules
|
|
83
|
-
* User can only access their own user doc
|
|
84
|
-
* fails when trying to access another user's doc
|
|
85
|
-
* succeeds when accessing their own,
|
|
86
|
-
* fails when NOT authed
|
|
87
|
-
* fails when trying to perform an admin action (can create/use the test:admin http event to test this)
|
|
88
|
-
* fails when a user tries to write to a restricted field/key like roles, subscription, usage, etc (SEE RULES)
|
|
89
|
-
* Any other rules: /Users/ian/Developer/Repositories/ITW-Creative-Works/backend-manager/templates/firestore.rules
|
|
90
|
-
* User can delete their own user doc (can use _test-delete via user:delete http event)
|
|
91
|
-
* fails when trying to delete another user's doc
|
|
92
|
-
* succeeds when deleting their own,
|
|
93
|
-
* fails when NOT authed
|
|
94
|
-
|
|
95
|
-
# Signup Flow
|
|
96
|
-
* Create a referrer user and a referred user then use user:signup http event on the referred user to test that
|
|
97
|
-
* the referral code works and the bonus is applied to the referrer
|
|
98
|
-
* something is added to the account to denote it received the signup event??? not sure
|
|
99
|
-
* context data is added to the referred user's account
|
|
100
|
-
* a second signup event
|
|
101
|
-
|
|
102
|
-
# Test
|
|
103
|
-
* test:authenticate http event
|
|
104
|
-
* success when valid uid
|
|
105
|
-
* fail when invalid uid
|
|
106
|
-
* fail when no uid
|
|
107
|
-
* test admin
|
|
108
|
-
* all admin functions fail when not authed as admin
|
|
109
|
-
* test each admin function
|
|
110
|
-
|
|
111
|
-
# Usage
|
|
112
|
-
* Using an account with a specific plan, test that the usage limits are enforced
|
|
113
|
-
* success if user has access to the plan
|
|
114
|
-
* success if the user is within the usage limits
|
|
115
|
-
* fail if the user exceeds the usage limits
|
|
116
|
-
* fail if the user is on a plan that does not allow usage (free plan)
|
|
117
|
-
* successful usage should increment the usage count
|
|
118
|
-
|
|
119
|
-
# Events
|
|
120
|
-
* trigger cron daily
|
|
121
|
-
* it should reset temp usage for all users
|
|
122
|
-
* reset userdocs to current usage = 0
|
|
123
|
-
|
|
124
|
-
# Payment
|
|
125
|
-
* test subscription upgrade flow via http event
|
|
126
|
-
* start with free plan
|
|
127
|
-
* upgrade to paid plan
|
|
128
|
-
* verify plan is updated
|
|
129
|
-
* verify usage limits are updated
|
|
130
|
-
* downgrade back to free plan
|
|
131
|
-
* verify plan is updated
|
|
132
|
-
* verify usage limits are updated
|
|
133
|
-
|
|
134
|
-
# BEM API
|
|
135
|
-
# Admin
|
|
136
|
-
* All functions need to fail when not authed as admin
|
|
137
|
-
* then test each one
|
|
138
|
-
|
|
139
|
-
# Advanced
|
|
140
|
-
* test sub accounts
|
|
141
|
-
|
|
142
|
-
# payment system
|
|
143
|
-
* dont store a "resolved" status, but make a universal library that frontend and backend use to determine whther a user has access to a plan currently
|
|
144
|
-
|
|
145
|
-
# New bem api and test to make
|
|
146
|
-
# test:usage
|
|
147
|
-
* the fnction itself just utilizes the usage API to increment an arbitrary usage item
|
|
148
|
-
|
|
149
|
-
the test should check the usage storage and ensure that it was incremented successfully
|
|
150
|
-
|
|
151
|
-
# test for bm_cronDaily
|
|
152
|
-
then, we need to test the bm_cronDaily function to ensure that it does its things like clearing the usage storage properly
|
|
153
|
-
|
|
154
|
-
# test for schema
|
|
155
|
-
* a comprehesive schema with fields that test EVERY possible field type including required, default, min, max, "value" etc (both static and FUNCTIONS)
|
|
156
|
-
* test multiple plan levels including unathenticated, basic, & premium
|
|
157
|
-
|
|
158
|
-
# quetsion
|
|
159
|
-
* how does usage get reset? does it reset daily? or monthly?
|
|
160
|
-
* how do we set usage limits?
|
|
161
|
-
* per plan? or when users prmeium is updated do we set it inside their doc?
|
|
162
|
-
* if we store it per plan, where should we store the plan data? firestore or in code?
|
|
163
|
-
* if its firestore we will use lots of reads, if we store in code we have to push new code to update plan limits (not a huge issue)
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
change name from routes/content/post to maye routes/blog/post??? whatfdo you think??
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
# MIGRATIONS
|
|
170
|
-
## user
|
|
171
|
-
affiliate: {
|
|
172
|
-
referrer: affiliateCode,
|
|
173
|
-
},
|
|
174
|
-
-->
|
|
175
|
-
attribution.affiliate.code
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
## OLD TESTS
|
|
181
|
-
"_test": "npm run prepare && ./node_modules/mocha/bin/mocha test/ --recursive --timeout=10000",
|
|
182
|
-
"test": "./node_modules/mocha/bin/mocha test/ --recursive --timeout=10000",
|
|
183
|
-
"test:cli": "./node_modules/mocha/bin/mocha test/cli-commands.test.js --timeout=10000",
|
|
184
|
-
"test:usage": "./node_modules/mocha/bin/mocha test/usage.js --timeout=10000",
|
|
185
|
-
"test:payment-resolver": "./node_modules/mocha/bin/mocha test/payment-resolver/index.js --timeout=10000",
|
|
186
|
-
"test:user": "./node_modules/mocha/bin/mocha test/user.js --timeout=10000",
|
|
187
|
-
"test:ai": "./node_modules/mocha/bin/mocha test/ai/index.js --timeout=10000",
|