payment-kit 1.29.1 → 1.29.2

package/api/dev.ts

@@ -1,10 +1,49 @@
+// Dev shell — express→hono Phase 4. Dev-only (NOT bundled into production:
+// tsconfig.api excludes api/dev.ts; the production entry is ./src → index.ts).
+//
+// Hosts the Vite client + HMR on a `connect` app and routes backend paths to the
+// hono service. `vite-plugin-blocklet`'s setupClient only knows `app.use(vite
+// .middlewares)`, so the dev shell hosts Vite on connect (NOT express — core is
+// express-free). Backend paths are routed to service.fetch EXPLICITLY by prefix:
+// a Web-Fetch 404 cannot call connect next(), so hono must never be the trailing
+// catch-all (that would swallow client routes the SPA fallback should serve).
+import { createServer } from 'http';
+
+import { getRequestListener } from '@hono/node-server';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import connect from 'connect';
 // eslint-disable-next-line import/no-extraneous-dependencies
 import { setupClient } from 'vite-plugin-blocklet';
 
-import { app, server } from './src';
+import { buildService, onListening } from './src/bootstrap';
+
+const { service, port } = buildService();
+
+// Hand backend paths to the hono app; everything else falls through to the Vite
+// middleware setupClient() mounts after this router.
+const honoListener = getRequestListener(service.fetch);
+const isBackendPath = (url: string): boolean => {
+  const pathname = url.split('?')[0] || '';
+  return pathname === '/api' || pathname.startsWith('/api/') || pathname.startsWith('/.well-known/');
+};
 
+const app = connect();
+app.use((req, res, next) => {
+  if (isBackendPath(req.url || '')) {
+    honoListener(req, res);
+    return;
+  }
+  next();
+});
+
+const server = createServer(app);
+
+// setupClient appends the Vite connect middleware (client assets + HMR + SPA
+// fallback) AFTER our backend router, and wires the HMR ws upgrade onto `server`.
 setupClient(app, {
   server,
-  // @ts-ignore
+  // @ts-ignore — import.meta.hot is injected by tsx/vite-node at runtime
   importMetaHot: import.meta.hot,
 });
+
+server.listen(port, () => onListening(service, port));

package/api/hono.d.ts

@@ -0,0 +1,42 @@
+// ContextVariableMap skeleton (Phase 0, express→hono migration).
+//
+// Mirrors the express `Request` augmentation in api/third.d.ts so that
+// `c.set(...)` / `c.get(...)` are typed everywhere across the migration. This
+// file only declares the key→type contract; the actual injection lands later:
+//   - user / customer / doc / customer_id  → Phase 1 (libs/security.ts)
+//   - locale / t                           → Phase 1 (libs/middleware.ts)
+//   - sanitizedBody                        → Phase 1 (forked xss middleware)
+//   - livemode / baseCurrency              → Phase 3 (routes/index.ts middleware)
+//   - stripeEvent / stripeClient           → Phase 3e (stripe verifyWebhookSig)
+//
+// Two keys exist only on the hono side (no express equivalent), because hono's
+// Request is immutable and cannot be rewritten in place the way express was:
+//   - sanitizedBody : xss is the single body read-point; routes read this, never
+//                     c.req.json() (a re-read would return the UN-sanitized
+//                     original — see design §7 security note).
+//   - customer_id   : security "mine" mode injects the verified customer id here
+//                     (express wrote req.query.customer_id =, impossible on hono).
+import 'hono';
+
+declare module 'hono' {
+  interface ContextVariableMap {
+    user: {
+      did: string;
+      role: string;
+      provider: string;
+      fullName: string;
+      walletOS: string;
+      via?: string;
+    };
+    livemode: boolean;
+    locale: string;
+    t: (key: string, ...args: any[]) => string;
+    doc: any;
+    customer: any;
+    baseCurrency: any;
+    customer_id: string;
+    sanitizedBody: any;
+    stripeEvent: any;
+    stripeClient: any;
+  }
+}

package/api/node-sqlite.d.ts

@@ -0,0 +1,12 @@
+// Ambient declaration for node:sqlite (experimental, Node 22+). It exists at
+// runtime (the tests + schema-drift-guard run on a node that ships it) but
+// @types/node does not yet declare it, so tsc --noEmit fails to resolve the import.
+// Declared as a class so it works both as a value (`new DatabaseSync()`) and as a
+// type (`let db: DatabaseSync`). Typed loosely — test/tooling-only consumers.
+declare module 'node:sqlite' {
+  export class DatabaseSync {
+    constructor(path?: string, options?: any);
+
+    [key: string]: any;
+  }
+}

package/api/src/bootstrap.ts

@@ -0,0 +1,36 @@
+// Blocklet server service bootstrap — shared by the production entry
+// (./index.ts → api/dist/index.js) and the dev shell (../dev.ts).
+//
+// Phase 4 (express→hono): the listened surface is the hono app (service.fetch).
+// Production serves it directly via @hono/node-server. Dev hosts the Vite client
+// + HMR on a `connect` shell (../dev.ts) and routes backend paths to the same
+// service.fetch — so both entries build the service identically here and only
+// differ in HOW they put it behind a socket.
+
+import logger from './libs/logger';
+import { getDefaultInstanceDid, getTenantMode } from './libs/tenant';
+import { createEmbeddedPaymentService, type EmbeddedPaymentService } from './service';
+import { sequelize } from './store/sequelize';
+import { blockletPort } from './libs/env';
+
+export function buildService(): { service: EmbeddedPaymentService; port: number } {
+  const tenancy =
+    getTenantMode() === 'multi'
+      ? ({ mode: 'multi' } as const)
+      : ({ mode: 'single', instanceDid: getDefaultInstanceDid() } as const);
+
+  const service = createEmbeddedPaymentService({
+    config: { ...process.env }, // Phase 12 narrows this to an explicit schema
+    db: { sequelize },
+    tenancy,
+  });
+
+  const port = parseInt(blockletPort()!, 10);
+  return { service, port };
+}
+
+/** Start background services once the socket is bound (the listen callback). */
+export function onListening(service: EmbeddedPaymentService, port: number): void {
+  logger.info(`> payment-kit ready on ${port}`);
+  service.lifecycle.start().catch((startErr) => logger.error('failed to start background services', startErr));
+}

package/api/src/crons/base.ts

@@ -175,7 +175,7 @@ export abstract class BaseSubscriptionScheduleNotification<Options extends any>
     await pAll(
       deleteTasks.map((task) => () => task()),
       {
-        concurrency: notificationCronConcurrency,
+        concurrency: notificationCronConcurrency(),
         stopOnError: false,
       }
     );
@@ -192,7 +192,7 @@ export abstract class BaseSubscriptionScheduleNotification<Options extends any>
         };
       }),
       {
-        concurrency: notificationCronConcurrency,
+        concurrency: notificationCronConcurrency(),
         stopOnError: false,
       }
     );
@@ -231,7 +231,7 @@ export abstract class BaseSubscriptionScheduleNotification<Options extends any>
     );
 
     await pAll(deletePromises, {
-      concurrency: notificationCronConcurrency,
+      concurrency: notificationCronConcurrency(),
       stopOnError: false,
     });
   }

package/api/src/crons/currency.ts

@@ -1,5 +1,5 @@
 import { Op } from 'sequelize';
-import { getUrl } from '@blocklet/sdk';
+import { getUrl } from '@blocklet/sdk/lib/component';
 import { PaymentMethod, PaymentCurrency } from '../store/models';
 import logger from '../libs/logger';
 

package/api/src/crons/index.ts

@@ -1,4 +1,4 @@
-import Cron from '@abtnode/cron';
+import { getCronDriver } from '../libs/drivers/cron';
 
 import { checkStakeRevokeTx } from '../integrations/arcblock/stake';
 import { runIapReconcile } from '../integrations/iap-reconcile';
@@ -63,30 +63,33 @@ function init() {
           },
         ]
       : [];
-  Cron.init({
-    context: {},
-    jobs: [
+  // D2: register through the injected cron driver (no bare @abtnode/cron). On
+  // the node host the driver self-schedules via @abtnode/cron; on CF the host
+  // drives runDue() from scheduled(). register() is idempotent (clears + re-adds
+  // + restarts the scheduler), so a stop()/start() cycle never double-registers.
+  getCronDriver().register(
+    [
       {
         name: 'subscription.will.renew',
-        time: notificationCronTime,
+        time: notificationCronTime(),
         fn: () => new SubscriptionWillRenewSchedule().run(),
         options: { runOnInit: true },
       },
       {
         name: 'subscription.trial.will.end',
-        time: notificationCronTime,
+        time: notificationCronTime(),
         fn: () => new SubscriptionTrialWillEndSchedule().run(),
         options: { runOnInit: true },
       },
       {
         name: 'customer.subscription.will_canceled',
-        time: notificationCronTime,
+        time: notificationCronTime(),
         fn: () => new SubscriptionWillCanceledSchedule().run(),
         options: { runOnInit: true },
       },
       {
         name: 'subscription.schedule.retry',
-        time: subscriptionCronTime,
+        time: subscriptionCronTime(),
         fn: startSubscriptionQueue,
         options: { runOnInit: false },
       },
@@ -101,7 +104,7 @@ function init() {
       },
       {
         name: 'checkoutSession.cleanup.expired',
-        time: expiredSessionCleanupCronTime,
+        time: expiredSessionCleanupCronTime(),
         fn: async () => {
           const removedCount = await CheckoutSession.cleanupExpiredSessions();
           logger.info('CheckoutSession.cleanupExpiredSessions', { removedCount });
@@ -110,25 +113,25 @@ function init() {
       },
       {
         name: 'stripe.invoice.sync',
-        time: stripeInvoiceCronTime,
+        time: stripeInvoiceCronTime(),
         fn: batchHandleStripeInvoices,
         options: { runOnInit: false },
       },
       {
         name: 'stripe.payment.sync',
-        time: stripePaymentCronTime,
+        time: stripePaymentCronTime(),
         fn: batchHandleStripePayments,
         options: { runOnInit: false },
       },
       {
         name: 'stripe.subscription.sync',
-        time: stripeSubscriptionCronTime,
+        time: stripeSubscriptionCronTime(),
         fn: batchHandleStripeSubscriptions,
         options: { runOnInit: false },
       },
       {
         name: 'customer.stake.revoked',
-        time: revokeStakeCronTime,
+        time: revokeStakeCronTime(),
         fn: checkStakeRevokeTx,
         options: { runOnInit: false },
       },
@@ -137,7 +140,7 @@ function init() {
         // subscription state and patches local drift (refunds/renewals the
         // webhook missed). See blocklets/core/api/src/integrations/iap-reconcile.ts.
         name: 'iap.reconcile',
-        time: iapReconcileCronTime,
+        time: iapReconcileCronTime(),
         fn: () => runIapReconcile(),
         options: { runOnInit: false },
       },
@@ -146,52 +149,52 @@ function init() {
         // with pending_webhooks>0 older than 60s and re-invokes handleEvent.
         // See blocklets/core/api/src/crons/retry-pending-events.ts.
         name: 'event.retry',
-        time: eventRetryCronTime,
+        time: eventRetryCronTime(),
         fn: () => retryPendingEvents(),
         options: { runOnInit: false },
       },
       {
         name: 'payment.stat',
-        time: paymentStatCronTime,
+        time: paymentStatCronTime(),
         fn: () => createPaymentStat(),
         options: { runOnInit: false },
       },
       {
         name: 'payment.daily.report',
-        time: overdueDetectionCronTime,
+        time: overdueDetectionCronTime(),
         fn: () => createOverdueDetection(),
         options: { runOnInit: false },
       },
       {
         name: 'deposit.vault',
-        time: depositVaultCronTime,
+        time: depositVaultCronTime(),
         fn: () => startDepositVaultQueue(),
         options: { runOnInit: true },
       },
       {
         name: 'credit.consumption',
-        time: creditConsumptionCronTime,
+        time: creditConsumptionCronTime(),
         fn: () => startCreditConsumeQueue(),
         options: { runOnInit: true },
       },
       {
         name: 'vendor.status.check',
-        time: vendorStatusCheckCronTime,
+        time: vendorStatusCheckCronTime(),
         fn: () => startVendorStatusCheckSchedule(),
         options: { runOnInit: false },
       },
       {
         name: 'vendor.return.scan',
-        time: vendorReturnScanCronTime,
+        time: vendorReturnScanCronTime(),
         fn: () => scheduleVendorReturnScan(),
         options: { runOnInit: false },
       },
       ...archiveJobs,
     ],
-    onError: (error: Error, name: string) => {
+    (error: Error, name: string) => {
       logger.error('run job failed', { name, error });
-    },
-  });
+    }
+  );
 }
 
 export default {

package/api/src/crons/metering-subscription-detection.ts

@@ -1,4 +1,4 @@
-import { Notification } from '@blocklet/sdk';
+import Notification from '@blocklet/sdk/service/notification';
 import { Op } from 'sequelize';
 import { env } from '@blocklet/sdk/lib/config';
 import dayjs from '../libs/dayjs';

package/api/src/crons/overdue-detection.ts

@@ -1,4 +1,4 @@
-import { Notification } from '@blocklet/sdk';
+import Notification from '@blocklet/sdk/service/notification';
 import { getUrl } from '@blocklet/sdk/lib/component';
 import { env } from '@blocklet/sdk/lib/config';
 import { fromUnitToToken, BN } from '@ocap/util';
@@ -175,7 +175,7 @@ export class HealthReportTemplate implements BaseEmailTemplate<HealthReportConte
           currencyTotals.set(currencyId, currentTotal.add(group.total));
 
           // Check if this user's pending exceeds threshold for this currency
-          const thresholdInUnit = new BN(overdueThreshold.toString()).mul(new BN(10).pow(new BN(currency.decimal)));
+          const thresholdInUnit = new BN(overdueThreshold().toString()).mul(new BN(10).pow(new BN(currency.decimal)));
           if (group.total.gt(thresholdInUnit)) {
             exceedsThreshold = true;
           }

package/api/src/crons/retry-pending-events.ts

@@ -33,6 +33,12 @@ const REALTIME_GRACE_SECONDS = 60;
 // generous headroom and we still drain the backlog over a few minutes.
 const BATCH_LIMIT = 5;
 
+// Phase 4 (W1-3): this scan is deliberately tenant-agnostic — it only
+// re-enqueues event IDs. Tenant enforcement happens downstream in
+// handleEvent's fanout (endpoints filtered by the event's instance_did) and
+// handleWebhook's event/endpoint tenant invariant. Events whose creation was
+// tenant-rejected never produced a row, so this backstop cannot "rescue"
+// them — permanent loss of rejected events is the intended semantic.
 export async function retryPendingEvents(): Promise<void> {
   const threshold = new Date(Date.now() - REALTIME_GRACE_SECONDS * 1000);
   const docs = await Event.findAll({

package/api/src/index.ts

@@ -1,168 +1,29 @@
-import 'express-async-errors';
-
-import path from 'path';
-
-import { fallback } from '@blocklet/sdk/lib/middlewares/fallback';
-import cookieParser from 'cookie-parser';
-import cors from 'cors';
+// Blocklet server shell — Phase 7 (W2-0); express→hono Phase 4.
+//
+// Service assembly lives in ./bootstrap (shared with the dev shell ../dev.ts).
+// This file is the PRODUCTION entry (api/dist/index.js): build the service and
+// LISTEN the hono app via @hono/node-server `serve({ fetch })`, then start
+// background services in the listen callback. Other hosts import
+// @arcblock/payment-service and own listen/lifecycle themselves.
+//
+// Phase 4: the loopback bridge + express app shell are gone — the hono app
+// (service.fetch) serves every route natively (resource domains + DID-Connect +
+// production static/SPA fallback). The dev client + HMR are served by ../dev.ts
+// (a connect shell), never by this production entry.
 import dotenv from 'dotenv-flow';
-import express, { ErrorRequestHandler } from 'express';
-// eslint-disable-next-line import/no-extraneous-dependencies
-import { CustomError, formatError, getStatusFromError } from '@blocklet/error';
-import { csrf } from '@blocklet/sdk/lib/middlewares';
-import { cdn } from '@blocklet/sdk/lib/middlewares/cdn';
-import { xss } from '@blocklet/xss';
-
-import { syncCurrencyLogo } from './crons/currency';
-import crons from './crons/index';
-import { ensureStakedForGas } from './integrations/arcblock/stake';
-import { initResourceHandler } from './integrations/blocklet/resource';
-import { initUserHandler } from './integrations/blocklet/user';
-import { ensureWebhookRegistered } from './integrations/stripe/setup';
-import { handlers } from './libs/auth';
-import logger, { setupAccessLogger } from './libs/logger';
-import { contextMiddleware, ensureI18n } from './libs/middleware';
-import { ensureCreateOverdraftProtectionPrices } from './libs/overdraft-protection';
-import { initEventBroadcast } from './libs/ws';
-import { startCheckoutSessionQueue } from './queues/checkout-session';
-import { startCreditConsumeQueue } from './queues/credit-consume';
-import { startCreditGrantQueue } from './queues/credit-grant';
-import { startReconciliationQueue } from './queues/credit-reconciliation';
-import { startDiscountStatusQueue } from './queues/discount-status';
-import { startEventQueue } from './queues/event';
-import { startExchangeRateHealthQueue } from './queues/exchange-rate-health';
-import { startInvoiceQueue } from './queues/invoice';
-import { startNotificationQueue } from './queues/notification';
-import { startPaymentQueue } from './queues/payment';
-import { startPayoutQueue } from './queues/payout';
-import { startRefundQueue } from './queues/refund';
-import { startUploadBillingInfoListener } from './queues/space';
-import { startSubscriptionQueue } from './queues/subscription';
-import { startTokenTransferQueue } from './queues/token-transfer';
-import { startVendorCommissionQueue } from './queues/vendors/commission';
-import { startVendorFulfillmentQueue } from './queues/vendors/fulfillment';
-import { startCoordinatedFulfillmentQueue } from './queues/vendors/fulfillment-coordinator';
-import routes from './routes';
-import autoRechargeAuthorizationHandlers from './routes/connect/auto-recharge-auth';
-import changePaymentHandlers from './routes/connect/change-payment';
-import changePlanHandlers from './routes/connect/change-plan';
-import collectHandlers from './routes/connect/collect';
-import collectBatchHandlers from './routes/connect/collect-batch';
-import delegationHandlers from './routes/connect/delegation';
-import overdraftProtectionHandlers from './routes/connect/overdraft-protection';
-import payHandlers from './routes/connect/pay';
-import reStakeHandlers from './routes/connect/re-stake';
-import rechargeHandlers from './routes/connect/recharge';
-import rechargeAccountHandlers from './routes/connect/recharge-account';
-import setupHandlers from './routes/connect/setup';
-import subscribeHandlers from './routes/connect/subscribe';
-import changePayerHandlers from './routes/connect/change-payer';
-import { initialize } from './store/models';
-import { sequelize } from './store/sequelize';
+import { serve } from '@hono/node-server';
 
 dotenv.config();
 
-initialize(sequelize);
-
-export const app = express();
-setupAccessLogger(app);
-app.set('trust proxy', true);
-app.use(cookieParser());
-app.use((req, res, next) => {
-  if (req.originalUrl.startsWith('/api/integrations/stripe/webhook')) {
-    next();
-  } else {
-    express.json({ limit: '1 mb' })(req, res, next);
-  }
-});
-app.use(express.urlencoded({ extended: true, limit: '1 mb' }));
-app.use(cors());
-app.use(xss({ allowedKeys: [] }));
-app.use(csrf());
-app.use(ensureI18n());
-app.use(cdn());
-
-const router = express.Router();
-handlers.attach(Object.assign({ app: router }, collectHandlers));
-handlers.attach(Object.assign({ app: router }, collectBatchHandlers));
-handlers.attach(Object.assign({ app: router }, payHandlers));
-handlers.attach(Object.assign({ app: router }, setupHandlers));
-handlers.attach(Object.assign({ app: router }, subscribeHandlers));
-handlers.attach(Object.assign({ app: router }, changePaymentHandlers));
-handlers.attach(Object.assign({ app: router }, changePlanHandlers));
-handlers.attach(Object.assign({ app: router }, rechargeHandlers));
-handlers.attach(Object.assign({ app: router }, rechargeAccountHandlers));
-handlers.attach(Object.assign({ app: router }, delegationHandlers));
-handlers.attach(Object.assign({ app: router }, overdraftProtectionHandlers));
-handlers.attach(Object.assign({ app: router }, reStakeHandlers));
-handlers.attach(Object.assign({ app: router }, autoRechargeAuthorizationHandlers));
-handlers.attach(Object.assign({ app: router }, changePayerHandlers));
-router.use('/api', routes);
-
-const isProduction = process.env.BLOCKLET_MODE === 'production';
-
-app.use(contextMiddleware);
-app.use(router);
-
-if (isProduction) {
-  const staticDir = path.resolve(process.env.BLOCKLET_APP_DIR!, 'dist');
-  app.use(express.static(staticDir, { maxAge: '30d', index: false }));
-  app.use(fallback('index.html', { root: staticDir }));
-}
-
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
-app.use(<ErrorRequestHandler>((err, req, res, _next) => {
-  logger.error('handle router error', err);
-  if (err instanceof CustomError) {
-    res.status(getStatusFromError(err)).json({ error: formatError(err) });
-    return;
-  }
-  if (req.accepts('json')) {
-    res.status(500).send({ error: err.message });
-  } else {
-    res.status(500).send('Something broke!');
-  }
-}));
-
-const port = parseInt(process.env.BLOCKLET_PORT!, 10);
-
-export const server = app.listen(port, (err?: any) => {
-  if (err) throw err;
-  logger.info(`> payment-kit ready on ${port}`);
-
-  syncCurrencyLogo();
-  ensureCreateOverdraftProtectionPrices();
-  startPaymentQueue().then(() => logger.info('payment queue started'));
-  startInvoiceQueue().then(() => logger.info('invoice queue started'));
-  startSubscriptionQueue().then(() => logger.info('subscription queue started'));
-  startEventQueue().then(() => logger.info('event queue started'));
-  startPayoutQueue().then(() => logger.info('payout queue started'));
-  startVendorCommissionQueue().then(() => logger.info('vendor commission queue started'));
-  startVendorFulfillmentQueue().then(() => logger.info('vendor fulfillment queue started'));
-  startCoordinatedFulfillmentQueue().then(() => logger.info('coordinated fulfillment queue started'));
-  startCheckoutSessionQueue().then(() => logger.info('checkoutSession queue started'));
-  startNotificationQueue().then(() => logger.info('notification queue started'));
-  startRefundQueue().then(() => logger.info('refund queue started'));
-  startCreditConsumeQueue().then(() => logger.info('credit queue started'));
-  startCreditGrantQueue().then(() => logger.info('credit grant queue started'));
-  startTokenTransferQueue().then(() => logger.info('token transfer queue started'));
-  startReconciliationQueue().then(() => logger.info('credit reconciliation queue started'));
-  startDiscountStatusQueue().then(() => logger.info('discount status queue started'));
-  startExchangeRateHealthQueue();
-  logger.info('exchange rate health queue started');
-  startUploadBillingInfoListener();
-
-  if (process.env.BLOCKLET_MODE === 'production') {
-    ensureWebhookRegistered().catch(console.error);
-  }
-
-  ensureStakedForGas().catch(console.error);
-
-  crons.init();
+// eslint-disable-next-line import/first
+import { buildService, onListening } from './bootstrap';
 
-  initEventBroadcast();
+const { service, port } = buildService();
 
-  initResourceHandler();
+// @hono/node-server serve(): the listeningListener is the exact equivalent of the
+// old express app.listen(port, cb) — it fires once the socket is bound, which is
+// where background services start. serve() returns the underlying Node Server
+// (used by dev tooling for HMR upgrades and by lifecycle teardown).
+export const server = serve({ fetch: service.fetch, port }, (info) => onListening(service, info.port));
 
-  initUserHandler();
-});
+export { service };

package/api/src/integrations/app-store/client.ts

@@ -18,6 +18,7 @@
 // Tests replace this class via jest mocks.
 
 import { config as configApple, validate as validateAppleReceipt } from 'node-apple-receipt-verify';
+import { appStoreWriteEnabled } from '../../libs/env';
 
 import logger from '../../libs/logger';
 import {
@@ -112,8 +113,6 @@ export type AppStoreSettings = {
   private_key_pem?: string;
 };
 
-const WRITE_ENABLED = process.env.APP_STORE_WRITE_ENABLED === 'true';
-
 export class AppStoreClient {
   declare readonly bundleId: string;
 
@@ -348,7 +347,7 @@ export class AppStoreClient {
   /** Refund — Apple actually doesn't let third parties refund subscriptions; this is here for symmetry with GooglePlayClient. */
   // eslint-disable-next-line class-methods-use-this, require-await
   public async refundSubscription(originalTransactionId: string): Promise<void> {
-    if (!WRITE_ENABLED) {
+    if (!appStoreWriteEnabled()) {
       throw new Error(
         `refundSubscription(${originalTransactionId}) is gated behind APP_STORE_WRITE_ENABLED env. Note: Apple Server API has no third-party refund endpoint — refunds must be requested by the end user via reportProblem.apple.com or by Apple support.`
       );
@@ -359,7 +358,7 @@ export class AppStoreClient {
   /** Cancel — same caveat as refund: Apple expects the user to cancel via App Store > Subscriptions. */
   // eslint-disable-next-line class-methods-use-this, require-await
   public async cancelSubscription(originalTransactionId: string): Promise<void> {
-    if (!WRITE_ENABLED) {
+    if (!appStoreWriteEnabled()) {
       throw new Error(
         `cancelSubscription(${originalTransactionId}) is gated behind APP_STORE_WRITE_ENABLED env. Apple does not expose a server-initiated cancel — the user must cancel from their device.`
       );

package/api/src/integrations/app-store/handlers/subscription.ts

@@ -10,7 +10,7 @@
 // `transactionId` changes per charge. We store both in payment_details for
 // audit, but uniqueness/de-dup keys off originalTransactionId.
 
-import { createEvent } from '../../../libs/audit';
+import { createEvent, reportAuditFailure } from '../../../libs/audit';
 import logger from '../../../libs/logger';
 import { Customer, PaymentMethod, Price, Subscription, SubscriptionItem } from '../../../store/models';
 import {
@@ -156,7 +156,7 @@ export async function ingestVerifiedAppStorePurchase({
         }
       }
       await existing.update(updatePatch);
-      createEvent('Subscription', 'customer.subscription.started', existing).catch(console.error);
+      createEvent('Subscription', 'customer.subscription.started', existing).catch(reportAuditFailure);
       logger.info('app_store verify: reactivated lapsed subscription from fresh transaction', {
         subscriptionId: existing.id,
         originalTransactionId: transaction.originalTransactionId,
@@ -331,7 +331,7 @@ export async function ingestVerifiedAppStorePurchase({
     } as any);
   }
 
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('app_store verify: subscription created', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -545,7 +545,7 @@ async function handleAppStoreSubscribed({
     pending_invoice_item_interval: { interval: 'month', interval_count: 1 } as any,
   } as any);
 
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
   logger.info('app_store SUBSCRIBED — subscription created from webhook', {
     subscriptionId: subscription.id,
     customerId: customer.id,
@@ -574,13 +574,13 @@ async function handleAppStoreRenewed(
       },
     },
   });
-  createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
 }
 
 async function markAppStoreExpired(subscription: Subscription): Promise<void> {
   if (['canceled', 'incomplete_expired'].includes(subscription.status as string)) return;
   await subscription.update({ status: 'canceled', ended_at: Math.floor(Date.now() / 1000) });
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }
 
 async function markAppStorePastDue(subscription: Subscription): Promise<void> {
@@ -631,5 +631,5 @@ async function handleAppStoreRevoked(
     refunded: isRefund,
   });
 
-  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(console.error);
+  createEvent('Subscription', 'customer.subscription.deleted', subscription).catch(reportAuditFailure);
 }