payment-kit 1.29.1 → 1.29.2

package/api/src/routes/{credit-grants.ts → hono/credit-grants.ts}

@@ -1,12 +1,17 @@
-import { Router } from 'express';
+// Phase 3 (express→hono) — hono fork of routes/credit-grants.ts. Sub-app with
+// routes relative to /api/credit-grants (mounted via mountResourceGroup). The
+// business logic is unchanged; only the express plumbing becomes hono:
+//   req.body → c.get('sanitizedBody') ?? {}; res.status(n).json(x) → c.json(x, n).
+//   req.(c.get('customer_id') ?? query.customer_id) → (c.get('customer_id') ?? c.req.query('customer_id'))  [SECURITY]
+import { Hono } from 'hono';
 import Joi from 'joi';
 import { BN, fromTokenToUnit } from '@ocap/util';
 
 import { literal, OrderItem, fn, col, Op } from 'sequelize';
 import pick from 'lodash/pick';
-import { createListParamSchema, getOrder, getWhereFromKvQuery, MetadataSchema } from '../libs/api';
-import logger from '../libs/logger';
-import { authenticate } from '../libs/security';
+import { createListParamSchema, getOrder, getWhereFromKvQuery, MetadataSchema } from '../../libs/api';
+import logger from '../../libs/logger';
+import { authenticate } from '../../middlewares/hono/security';
 import {
   AutoRechargeConfig,
   ChainType,
@@ -19,22 +24,22 @@ import {
   Price,
   Product,
   Subscription,
-} from '../store/models';
-import { createCreditGrant, getCreditGrantStats } from '../libs/credit-grant';
-import { expireGrant } from '../queues/credit-grant';
-import { getMeterPriceIdsFromSubscription } from '../libs/subscription';
-import { blocklet } from '../libs/auth';
-import { formatMetadata } from '../libs/util';
-import { getPriceUintAmountByCurrency } from '../libs/price';
-import { checkTokenBalance } from '../libs/payment';
-import { measurePhase } from '../libs/timing';
-import { getExchangeRateService } from '../libs/exchange-rate/service';
-import { getExchangeRateSymbol, hasTokenAddress } from '../libs/exchange-rate/token-address-mapping';
-import { isRateBelowMinAcceptableRate } from '../libs/slippage';
-import { trimDecimals } from '../libs/math-utils';
-import { systemMaxPendingAmount } from '../libs/env';
-
-const router = Router();
+} from '../../store/models';
+import { createCreditGrant, getCreditGrantStats } from '../../libs/credit-grant';
+import { expireGrant } from '../../queues/credit-grant';
+import { getMeterPriceIdsFromSubscription } from '../../libs/subscription';
+import { blocklet } from '../../libs/auth';
+import { formatMetadata } from '../../libs/util';
+import { getPriceUintAmountByCurrency } from '../../libs/price';
+import { checkTokenBalance } from '../../libs/payment';
+import { measurePhase } from '../../libs/timing';
+import { getExchangeRateService } from '../../libs/exchange-rate/service';
+import { getExchangeRateSymbol, hasTokenAddress } from '../../libs/exchange-rate/token-address-mapping';
+import { isRateBelowMinAcceptableRate } from '../../libs/slippage';
+import { trimDecimals } from '../../libs/math-utils';
+import { systemMaxPendingAmount } from '../../libs/env';
+
+const app = new Hono();
 const auth = authenticate<CreditGrant>({ component: true, roles: ['owner', 'admin'] });
 const authMine = authenticate<CreditGrant>({ component: true, roles: ['owner', 'admin'], mine: true });
 const authPortal = authenticate<CreditGrant>({
@@ -92,14 +97,14 @@ async function expandScopePrices(creditGrant: CreditGrant) {
   return [];
 }
 
-router.get('/', authMine, async (req, res) => {
+app.get('/', authMine, async (c) => {
   try {
-    const { page, pageSize, ...query } = await listSchema.validateAsync(req.query, { stripUnknown: true });
+    const { page, pageSize, ...query } = await listSchema.validateAsync(c.req.query(), { stripUnknown: true });
     const where = getWhereFromKvQuery(query.q);
-    if (query.customer_id) {
-      const customer = await Customer.findByPkOrDid(query.customer_id);
+    if (c.get('customer_id') ?? query.customer_id) {
+      const customer = await Customer.findByPkOrDid(c.get('customer_id') ?? query.customer_id);
       if (!customer) {
-        throw new Error(`Customer ${query.customer_id} not found`);
+        throw new Error(`Customer ${c.get('customer_id') ?? query.customer_id} not found`);
       }
       where.customer_id = customer.id;
     }
@@ -128,7 +133,7 @@ router.get('/', authMine, async (req, res) => {
       where.livemode = query.livemode;
     }
 
-    const order: OrderItem[] = getOrder(req.query);
+    const order: OrderItem[] = getOrder(c.req.query());
     // 默认granted 、pending、depleted 排序
     order.unshift([literal("CASE status WHEN 'granted' THEN 1 WHEN 'pending' THEN 2 ELSE 3 END"), 'ASC']);
 
@@ -143,35 +148,36 @@ router.get('/', authMine, async (req, res) => {
       ],
     });
 
-    res.json({ count, list, paging: { page, pageSize } });
+    return c.json({ count, list, paging: { page, pageSize } });
   } catch (err) {
     logger.error('Error listing credit grants', err);
-    res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/summary', authMine, async (req, res) => {
+// Static path — registered before /:id so hono matches it first.
+app.get('/summary', authMine, async (c) => {
   try {
-    const customerId = req.query.customer_id;
+    const customerId = (c.get('customer_id') ?? c.req.query('customer_id')) as string | undefined;
     if (!customerId) {
-      return res.status(400).json({ error: 'customer_id is required' });
+      return c.json({ error: 'customer_id is required' }, 400);
     }
 
     const customer = await Customer.findByPkOrDid(customerId as string);
     if (!customer) {
-      return res.status(404).json({ error: `Customer ${customerId} not found` });
+      return c.json({ error: `Customer ${customerId} not found` }, 404);
     }
 
-    const { subscription_id: subscriptionId } = req.query;
+    const subscriptionId = c.req.query('subscription_id');
     if (subscriptionId && typeof subscriptionId !== 'string') {
-      return res.status(400).json({ error: 'subscription_id must be a string' });
+      return c.json({ error: 'subscription_id must be a string' }, 400);
     }
 
     let priceIds: string[] = [];
     if (subscriptionId) {
       const subscription = await Subscription.findByPk(subscriptionId);
       if (!subscription) {
-        return res.status(404).json({ error: 'Subscription not found' });
+        return c.json({ error: 'Subscription not found' }, 404);
       }
       priceIds = await getMeterPriceIdsFromSubscription(subscription);
     }
@@ -181,10 +187,10 @@ router.get('/summary', authMine, async (req, res) => {
       priceIds,
     });
 
-    return res.json(result);
+    return c.json(result);
   } catch (err: any) {
-    logger.error('get credit balance failed', { error: err.message, customerId: req.params.customer_id });
-    return res.status(400).json({ error: err.message });
+    logger.error('get credit balance failed', { error: err.message, customerId: c.req.param('customer_id') });
+    return c.json({ error: err.message }, 400);
   }
 });
 
@@ -196,22 +202,23 @@ const holdersSchema = Joi.object({
 });
 
 // Get all holders (customers with balance) for a specific credit currency
-router.get('/holders', auth, async (req, res) => {
+// Static path — registered before /:id so hono matches it first.
+app.get('/holders', auth, async (c) => {
   try {
-    const { error, value } = holdersSchema.validate(req.query, { stripUnknown: true });
+    const { error, value } = holdersSchema.validate(c.req.query(), { stripUnknown: true });
     if (error) {
-      return res.status(400).json({ error: error.message });
+      return c.json({ error: error.message }, 400);
     }
 
     const { currency_id: currencyId, page, pageSize, livemode } = value;
 
     const currency = await PaymentCurrency.findByPk(currencyId);
     if (!currency) {
-      return res.status(404).json({ error: `PaymentCurrency ${currencyId} not found` });
+      return c.json({ error: `PaymentCurrency ${currencyId} not found` }, 404);
     }
 
     if (currency.type !== 'credit') {
-      return res.status(400).json({ error: 'Currency must be of type credit' });
+      return c.json({ error: 'Currency must be of type credit' }, 400);
     }
 
     // Build where clause for credit grants
@@ -250,7 +257,7 @@ router.get('/holders', auth, async (req, res) => {
       grantCount: parseInt(item.grantCount || '0', 10),
     }));
 
-    return res.json({
+    return c.json({
       holders,
       currency: {
         id: currency.id,
@@ -267,7 +274,7 @@ router.get('/holders', auth, async (req, res) => {
     });
   } catch (err: any) {
     logger.error('Error getting credit holders', { error: err.message });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
@@ -281,11 +288,12 @@ const checkAutoRechargeSchema = Joi.object({
     .optional(),
 });
 
-router.get('/verify-availability', authMine, async (req, res) => {
+// Static path — registered before /:id so hono matches it first.
+app.get('/verify-availability', authMine, async (c) => {
   try {
-    const { error, value } = checkAutoRechargeSchema.validate(req.query, { stripUnknown: true });
+    const { error, value } = checkAutoRechargeSchema.validate(c.req.query(), { stripUnknown: true });
     if (error) {
-      return res.status(400).json({ error: error.message });
+      return c.json({ error: error.message }, 400);
     }
 
     const { customer_id: customerId, currency_id: currencyId } = value;
@@ -297,10 +305,10 @@ router.get('/verify-availability', authMine, async (req, res) => {
       PaymentCurrency.findByPk(currencyId),
     ]);
     if (!customer) {
-      return res.status(404).json({ error: `Customer ${customerId} not found` });
+      return c.json({ error: `Customer ${customerId} not found` }, 404);
     }
     if (!currency) {
-      return res.status(404).json({ error: `PaymentCurrency ${currencyId} not found` });
+      return c.json({ error: `PaymentCurrency ${currencyId} not found` }, 404);
     }
 
     // AutoRechargeConfig needs customer.id which we now have
@@ -324,7 +332,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       | null;
 
     if (!config) {
-      return res.json({
+      return c.json({
         can_continue: false,
         has_auto_recharge: false,
         reason: 'auto_recharge_config_not_found',
@@ -333,21 +341,21 @@ router.get('/verify-availability', authMine, async (req, res) => {
 
     // 1. Check config completeness
     if (!config.rechargeCurrency) {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'recharge_currency_not_found',
       });
     }
 
     if (!config.price) {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'price_not_found',
       });
     }
 
     if (!config.paymentMethod) {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'payment_method_not_found',
       });
@@ -355,7 +363,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
 
     // 2. Check if stripe (balance check not supported)
     if (config.paymentMethod.type === 'stripe') {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'balance_check_not_supported',
       });
@@ -364,7 +372,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
     // 3. Check price amount
     const priceAmount = await getPriceUintAmountByCurrency(config.price, config.rechargeCurrency.id);
     if (!priceAmount) {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'invalid_price_amount',
       });
@@ -378,7 +386,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       const [pendingSummary] = await MeterEvent.getPendingAmounts({
         customerId: customer.id,
         currencyId,
-        livemode: req.livemode,
+        livemode: c.get('livemode'),
       });
       pendingAmount = pendingSummary?.[currencyId] || '0';
     }
@@ -386,14 +394,14 @@ router.get('/verify-availability', authMine, async (req, res) => {
     const pendingAmountBN = new BN(pendingAmount);
 
     // 5. Check system-level maximum pending amount limit (highest priority, cannot be bypassed)
-    // systemMaxPendingAmount is configured via PAYMENT_KIT_MAX_PENDING_AMOUNT (in token format)
-    if (systemMaxPendingAmount > 0 && pendingAmountBN.gt(new BN(0))) {
+    // systemMaxPendingAmount() is configured via PAYMENT_KIT_MAX_PENDING_AMOUNT (in token format)
+    if (systemMaxPendingAmount() > 0 && pendingAmountBN.gt(new BN(0))) {
       const systemMaxPendingAmountBN = fromTokenToUnit(
-        trimDecimals(String(systemMaxPendingAmount), currency.decimal),
+        trimDecimals(String(systemMaxPendingAmount()), currency.decimal),
         currency.decimal
       );
       if (pendingAmountBN.gt(systemMaxPendingAmountBN)) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'system_pending_limit_exceeded',
           pending_amount: pendingAmount,
@@ -411,7 +419,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
         currency.decimal
       );
       if (pendingAmountBN.gt(maxPendingAmountBN)) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'pending_amount_exceeds_limit',
           pending_amount: pendingAmount,
@@ -428,7 +436,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       ]?.payer || customer.did;
 
     if (!payer) {
-      return res.json({
+      return c.json({
         can_continue: false,
         reason: 'payer_not_found',
       });
@@ -440,7 +448,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       // Get credit amount per recharge from price metadata
       const creditConfig = config.price.metadata?.credit_config;
       if (!creditConfig || !creditConfig.credit_amount) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'credit_config_not_found',
         });
@@ -461,7 +469,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       // Check if required recharge times exceeds limit
       const maxRechargeTimes = value.max_recharge_times;
       if (requiredRechargeTimesBN.gt(new BN(maxRechargeTimes))) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'too_many_recharges_required',
           pending_amount: pendingAmount,
@@ -489,7 +497,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
           const requiredRechargeTimes = requiredRechargeTimesBN.toNumber();
           const remainingAttempts = maxAttempts - Number(attemptCount);
           if (requiredRechargeTimes > remainingAttempts) {
-            return res.json({
+            return c.json({
               can_continue: false,
               reason: 'daily_limit_reached',
               detail: 'attempt_limit_exceeded',
@@ -502,7 +510,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
         if (maxAmount.gt(new BN(0))) {
           const remainingAmount = maxAmount.sub(new BN(totalAmountStats || '0'));
           if (requiredPaymentAmount.gt(remainingAmount)) {
-            return res.json({
+            return c.json({
               can_continue: false,
               reason: 'daily_limit_reached',
               detail: 'amount_limit_exceeded',
@@ -526,7 +534,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       );
 
       if (!balanceResult.sufficient) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'insufficient_balance',
           payment_account_balance: balanceResult.token?.balance || '0',
@@ -548,7 +556,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       );
 
       if (!balanceResult.sufficient) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'insufficient_balance',
           payment_account_balance: balanceResult.token?.balance || '0',
@@ -568,7 +576,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       // 7a. Check if exchange rate is available
       const methodType = config.paymentMethod.type as ChainType;
       if (!hasTokenAddress(config.rechargeCurrency.symbol, methodType)) {
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'exchange_rate_not_supported',
           is_dynamic_pricing: true,
@@ -590,7 +598,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
           error: err.message,
           symbol: config.rechargeCurrency.symbol,
         });
-        return res.json({
+        return c.json({
           can_continue: false,
           reason: 'exchange_rate_fetch_failed',
           is_dynamic_pricing: true,
@@ -610,7 +618,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
         };
 
         if (rateBelowMin) {
-          return res.json({
+          return c.json({
             can_continue: false,
             reason: 'slippage_exceeded',
             is_dynamic_pricing: true,
@@ -636,7 +644,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
         canCoverPending = creditAmount.gte(pendingAmountBN);
 
         if (!canCoverPending) {
-          return res.json({
+          return c.json({
             can_continue: false,
             reason: 'cannot_cover_pending_single_recharge',
             is_dynamic_pricing: true,
@@ -649,7 +657,7 @@ router.get('/verify-availability', authMine, async (req, res) => {
       }
     }
 
-    return res.json({
+    return c.json({
       can_continue: true,
       payment_account_sufficient: true,
       payment_account_balance: balanceResult?.token?.balance || '0',
@@ -662,10 +670,10 @@ router.get('/verify-availability', authMine, async (req, res) => {
   } catch (err: any) {
     logger.error('check auto recharge failed', {
       error: err.message,
-      customerId: req.query.customer_id,
-      currencyId: req.query.currency_id,
+      customerId: c.get('customer_id') ?? c.req.query('customer_id'),
+      currencyId: c.req.query('currency_id'),
     });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
@@ -686,11 +694,12 @@ const statsSchema = Joi.object({
 });
 
 // Get credit grant statistics with flexible filtering
-router.get('/stats', auth, async (req, res) => {
+// Static path — registered before /:id so hono matches it first.
+app.get('/stats', auth, async (c) => {
   try {
-    const { error, value } = statsSchema.validate(req.query, { stripUnknown: true });
+    const { error, value } = statsSchema.validate(c.req.query(), { stripUnknown: true });
     if (error) {
-      return res.status(400).json({ error: error.message });
+      return c.json({ error: error.message }, 400);
     }
 
     const {
@@ -703,7 +712,7 @@ router.get('/stats', auth, async (req, res) => {
     } = value;
 
     if (startDate > endDate) {
-      return res.status(400).json({ error: 'start_date must be less than or equal to end_date' });
+      return c.json({ error: 'start_date must be less than or equal to end_date' }, 400);
     }
 
     const result = await getCreditGrantStats({
@@ -715,22 +724,22 @@ router.get('/stats', auth, async (req, res) => {
       timezoneOffset,
     });
 
-    return res.json(result);
+    return c.json(result);
   } catch (err: any) {
-    logger.error('Error getting credit grant stats', { error: err.message, query: req.query });
-    return res.status(400).json({ error: err.message });
+    logger.error('Error getting credit grant stats', { error: err.message, query: c.req.query() });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/:id', authPortal, async (req, res) => {
-  const creditGrant = (await CreditGrant.findByPk(req.params.id, {
+app.get('/:id', authPortal, async (c) => {
+  const creditGrant = (await CreditGrant.findByPk(c.req.param('id'), {
     include: [
       { model: Customer, as: 'customer' },
       { model: PaymentCurrency, as: 'paymentCurrency' },
     ],
   })) as CreditGrant & { paymentCurrency?: PaymentCurrency };
   if (!creditGrant) {
-    return res.status(404).json({ error: `Credit grant ${req.params.id} not found` });
+    return c.json({ error: `Credit grant ${c.req.param('id')} not found` }, 404);
   }
 
   let paymentMethod = null;
@@ -738,40 +747,41 @@ router.get('/:id', authPortal, async (req, res) => {
     paymentMethod = await PaymentMethod.findByPk(creditGrant.paymentCurrency.payment_method_id);
   }
   const expandedPrices = await expandScopePrices(creditGrant);
-  return res.json({
+  return c.json({
     ...creditGrant.toJSON(),
     items: expandedPrices,
     paymentMethod,
   });
 });
 
-router.post('/', auth, async (req, res) => {
+app.post('/', auth, async (c) => {
   try {
-    const { error } = creditGrantSchema.validate(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const { error } = creditGrantSchema.validate(body);
     if (error) {
-      return res.status(400).json({ error: `Credit grant create request invalid: ${error.message}` });
+      return c.json({ error: `Credit grant create request invalid: ${error.message}` }, 400);
     }
 
     // 获取币种信息用于金额转换
-    const currencyId = req.body.currency_id;
+    const currencyId = body.currency_id;
     if (!currencyId) {
-      return res.status(400).json({ error: 'currency_id is required' });
+      return c.json({ error: 'currency_id is required' }, 400);
     }
 
     const paymentCurrency = await PaymentCurrency.findByPk(currencyId);
     if (!paymentCurrency) {
-      return res.status(404).json({ error: `PaymentCurrency ${currencyId} not found` });
+      return c.json({ error: `PaymentCurrency ${currencyId} not found` }, 404);
     }
 
-    let customer = await Customer.findByPkOrDid(req.body.customer_id);
+    let customer = await Customer.findByPkOrDid(body.customer_id);
     if (!customer) {
-      if (req.body.customer_id.startsWith('cus_')) {
-        return res.status(404).json({ error: `Customer ${req.body.customer_id} not found` });
+      if (body.customer_id.startsWith('cus_')) {
+        return c.json({ error: `Customer ${body.customer_id} not found` }, 404);
       }
-      const did = req.body.customer_id;
+      const did = body.customer_id;
       const { user: userInfo } = await blocklet.getUser(did);
       if (!userInfo) {
-        return res.status(404).json({ error: `User ${did} not found` });
+        return c.json({ error: `User ${did} not found` }, 404);
       }
       customer = await Customer.create({
         livemode: true,
@@ -793,9 +803,9 @@ router.post('/', auth, async (req, res) => {
       });
     }
 
-    const unitAmount = fromTokenToUnit(req.body.amount, paymentCurrency.decimal).toString();
-    let applicabilityConfig = req.body.applicability_config;
-    if (!req.body.applicability_config || !req.body.applicability_config.scope?.prices) {
+    const unitAmount = fromTokenToUnit(body.amount, paymentCurrency.decimal).toString();
+    let applicabilityConfig = body.applicability_config;
+    if (!body.applicability_config || !body.applicability_config.scope?.prices) {
       applicabilityConfig = {
         scope: {
           price_type: 'metered',
@@ -807,26 +817,26 @@ router.post('/', auth, async (req, res) => {
       amount: unitAmount,
       currency_id: currencyId,
       customer_id: customer.id,
-      name: req.body.name,
-      category: req.body.category,
-      priority: req.body.priority,
-      effective_at: req.body.effective_at,
-      expires_at: req.body.expires_at,
+      name: body.name,
+      category: body.category,
+      priority: body.priority,
+      effective_at: body.effective_at,
+      expires_at: body.expires_at,
       applicability_config: applicabilityConfig,
-      metadata: req.body.metadata,
-      livemode: req.livemode,
-      created_via: req.user?.via || 'api',
-      created_by: req.user?.did,
+      metadata: body.metadata,
+      livemode: c.get('livemode'),
+      created_via: c.get('user')?.via || 'api',
+      created_by: c.get('user')?.did,
     });
 
-    return res.json({
+    return c.json({
       ...creditGrant.toJSON(),
       customer,
       paymentCurrency,
     });
   } catch (err: any) {
-    logger.error('create credit grant failed', { error: err, request: req.body });
-    return res.status(400).json({ error: err.message });
+    logger.error('create credit grant failed', { error: err, request: c.get('sanitizedBody') ?? {} });
+    return c.json({ error: err.message }, 400);
   }
 });
 
@@ -835,15 +845,16 @@ const updateSchema = Joi.object({
   expired: Joi.boolean().optional(),
 });
 
-router.put('/:id', auth, async (req, res) => {
-  const creditGrant = await CreditGrant.findByPk(req.params.id);
+app.put('/:id', auth, async (c) => {
+  const body = c.get('sanitizedBody') ?? {};
+  const creditGrant = await CreditGrant.findByPk(c.req.param('id'));
   if (!creditGrant) {
-    return res.status(404).json({ error: `Credit grant ${req.params.id} not found` });
+    return c.json({ error: `Credit grant ${c.req.param('id')} not found` }, 404);
   }
 
-  const { error, value } = updateSchema.validate(pick(req.body, ['metadata', 'expired']), { stripUnknown: true });
+  const { error, value } = updateSchema.validate(pick(body, ['metadata', 'expired']), { stripUnknown: true });
   if (error) {
-    return res.status(400).json({ error: `Credit grant update request invalid: ${error.message}` });
+    return c.json({ error: `Credit grant update request invalid: ${error.message}` }, 400);
   }
 
   // Handle metadata update
@@ -855,21 +866,24 @@ router.put('/:id', auth, async (req, res) => {
   if (value.expired === true) {
     // Only pending or granted grants can be expired
     if (!['pending', 'granted'].includes(creditGrant.status)) {
-      return res.status(400).json({
-        error: `Cannot expire credit grant with status '${creditGrant.status}'. Only 'pending' or 'granted' grants can be expired.`,
-      });
+      return c.json(
+        {
+          error: `Cannot expire credit grant with status '${creditGrant.status}'. Only 'pending' or 'granted' grants can be expired.`,
+        },
+        400
+      );
     }
 
     await expireGrant(creditGrant);
 
     logger.info('Credit grant manually expired', {
-      creditGrantId: req.params.id,
+      creditGrantId: c.req.param('id'),
       previousStatus: creditGrant.status,
-      requestedBy: req.user?.did,
+      requestedBy: c.get('user')?.did,
     });
   }
 
-  return res.json({ success: true });
+  return c.json({ success: true });
 });
 
-export default router;
+export default app;