payment-kit 1.29.1 → 1.29.3

package/api/src/routes/{subscriptions.ts → hono/subscriptions.ts}

@@ -1,6 +1,7 @@
+// Phase 3 (express→hono) — hono fork of routes/subscriptions.ts
 /* eslint-disable no-await-in-loop */
+/* eslint-disable consistent-return */
 import { isValid } from '@arcblock/did';
-import { Router } from 'express';
 import Joi from 'joi';
 import isObject from 'lodash/isObject';
 import pick from 'lodash/pick';
@@ -8,22 +9,30 @@ import uniq from 'lodash/uniq';
 
 import { literal, Op, OrderItem } from 'sequelize';
 import { BN, fromTokenToUnit } from '@ocap/util';
-import { createEvent } from '../libs/audit';
-import { ensureStripeCustomer, ensureStripePrice, ensureStripeSubscription } from '../integrations/stripe/resource';
-import { createListParamSchema, getOrder, getWhereFromKvQuery, getWhereFromQuery, MetadataSchema } from '../libs/api';
-import dayjs from '../libs/dayjs';
-import logger from '../libs/logger';
-import { isDelegationSufficientForPayment } from '../libs/payment';
-import { authenticate } from '../libs/security';
+import { Hono } from 'hono';
+import { isProduction } from '../../libs/env';
+import { createEvent, reportAuditFailure } from '../../libs/audit';
+import { ensureStripeCustomer, ensureStripePrice, ensureStripeSubscription } from '../../integrations/stripe/resource';
+import {
+  createListParamSchema,
+  getOrder,
+  getWhereFromKvQuery,
+  getWhereFromQuery,
+  MetadataSchema,
+} from '../../libs/api';
+import dayjs from '../../libs/dayjs';
+import logger from '../../libs/logger';
+import { isDelegationSufficientForPayment } from '../../libs/payment';
+import { authenticate } from '../../middlewares/hono/security';
 import {
   expandLineItems,
   getFastCheckoutAmount,
   getSubscriptionCreateSetup,
   isLineItemAligned,
   SlippageOptions,
-} from '../libs/session';
-import { getExchangeRateService } from '../libs/exchange-rate/service';
-import { getExchangeRateSymbol } from '../libs/exchange-rate/token-address-mapping';
+} from '../../libs/session';
+import { getExchangeRateService } from '../../libs/exchange-rate/service';
+import { getExchangeRateSymbol } from '../../libs/exchange-rate/token-address-mapping';
 import {
   checkRemainingStake,
   createProration,
@@ -36,10 +45,10 @@ import {
   getSubscriptionUnpaidInvoicesCount,
   getUpcomingInvoiceAmount,
   isSubscriptionOverdraftProtectionEnabled,
-} from '../libs/subscription';
-import { MAX_SUBSCRIPTION_ITEM_COUNT, formatMetadata } from '../libs/util';
-import { trimDecimals, limitTokenPrecision } from '../libs/math-utils';
-import { invoiceQueue } from '../queues/invoice';
+} from '../../libs/subscription';
+import { MAX_SUBSCRIPTION_ITEM_COUNT, formatMetadata } from '../../libs/util';
+import { trimDecimals, limitTokenPrecision } from '../../libs/math-utils';
+import { invoiceQueue } from '../../queues/invoice';
 import {
   addSubscriptionJob,
   returnOverdraftProtectionQueue,
@@ -47,38 +56,36 @@ import {
   slashOverdraftProtectionQueue,
   slashStakeQueue,
   subscriptionQueue,
-} from '../queues/subscription';
-import type { TLineItemExpanded, ChainType } from '../store/models';
-import { Customer } from '../store/models/customer';
-import { Invoice } from '../store/models/invoice';
-import { InvoiceItem } from '../store/models/invoice-item';
-import { Lock } from '../store/models/lock';
-import { PaymentCurrency } from '../store/models/payment-currency';
-import { PaymentIntent } from '../store/models/payment-intent';
-import { PaymentMethod } from '../store/models/payment-method';
-import { Price } from '../store/models/price';
-import { PriceQuote } from '../store/models/price-quote';
-import { PricingTable } from '../store/models/pricing-table';
-import { Product } from '../store/models/product';
-import { SetupIntent } from '../store/models/setup-intent';
-import { Subscription, TSubscription } from '../store/models/subscription';
-import { SubscriptionItem } from '../store/models/subscription-item';
-import type { LineItem, ServiceAction, SubscriptionUpdateItem } from '../store/models/types';
-import { UsageRecord } from '../store/models/usage-record';
+} from '../../queues/subscription';
+import type { TLineItemExpanded, ChainType } from '../../store/models';
+import { Customer } from '../../store/models/customer';
+import { Invoice } from '../../store/models/invoice';
+import { InvoiceItem } from '../../store/models/invoice-item';
+import { Lock } from '../../store/models/lock';
+import { PaymentCurrency } from '../../store/models/payment-currency';
+import { PaymentIntent } from '../../store/models/payment-intent';
+import { PaymentMethod } from '../../store/models/payment-method';
+import { Price } from '../../store/models/price';
+import { PriceQuote } from '../../store/models/price-quote';
+import { PricingTable } from '../../store/models/pricing-table';
+import { Product } from '../../store/models/product';
+import { SetupIntent } from '../../store/models/setup-intent';
+import { Subscription, TSubscription } from '../../store/models/subscription';
+import { SubscriptionItem } from '../../store/models/subscription-item';
+import type { LineItem, ServiceAction, SubscriptionUpdateItem } from '../../store/models/types';
+import { UsageRecord } from '../../store/models/usage-record';
 import {
   cleanupInvoiceAndItems,
   ensureInvoiceAndItems,
   migrateSubscriptionPaymentMethodInvoice,
-} from '../libs/invoice';
-import { createUsageRecordQueryFn } from './usage-records';
-import { SubscriptionWillCanceledSchedule } from '../crons/subscription-will-canceled';
-import { getTokenByAddress } from '../integrations/arcblock/stake';
-import { ensureOverdraftProtectionPrice } from '../libs/overdraft-protection';
-import { CHARGE_SUPPORTED_CHAIN_TYPES } from '../libs/constants';
-import { getSubscriptionDiscountStats } from '../libs/discount/redemption';
-
-// S1 optimization: Load only the products/prices referenced by a set of subscriptions,
-// instead of Product.findAll() + Price.findAll() full table scans.
+} from '../../libs/invoice';
+import { SubscriptionWillCanceledSchedule } from '../../crons/subscription-will-canceled';
+import { getTokenByAddress } from '../../integrations/arcblock/stake';
+import { ensureOverdraftProtectionPrice } from '../../libs/overdraft-protection';
+import { CHARGE_SUPPORTED_CHAIN_TYPES } from '../../libs/constants';
+import { getSubscriptionDiscountStats } from '../../libs/discount/redemption';
+
+// S1 optimization: Load only the products/prices referenced by a set of subscriptions
 async function loadProductsAndPricesForSubscriptions(docs: any[]): Promise<{ products: any[]; prices: any[] }> {
   const priceIds = uniq(docs.flatMap((x) => (x.items || []).map((i: any) => i.price_id)).filter(Boolean));
   if (priceIds.length === 0) {
@@ -89,7 +96,6 @@ async function loadProductsAndPricesForSubscriptions(docs: any[]): Promise<{ pro
     include: [{ model: Product, as: 'product' }],
   });
   const pricesJson = prices.map((x) => x.toJSON());
-  // Derive products from the already-included price.product association
   const productMap = new Map<string, any>();
   pricesJson.forEach((p: any) => {
     if (p.product) {
@@ -99,7 +105,7 @@ async function loadProductsAndPricesForSubscriptions(docs: any[]): Promise<{ pro
   return { products: Array.from(productMap.values()), prices: pricesJson };
 }
 
-const router = Router();
+const app = new Hono();
 const auth = authenticate<Subscription>({ component: true, roles: ['owner', 'admin'] });
 const authMine = authenticate<Subscription>({ component: true, roles: ['owner', 'admin'], mine: true });
 const exchangeRateService = getExchangeRateService();
@@ -268,7 +274,6 @@ const createSchema = Joi.object({
     .min(1)
     .max(MAX_SUBSCRIPTION_ITEM_COUNT)
     .required(),
-  // Optional: if not provided, subscription won't have automatic billing (for prepaid/gifted subscriptions)
   default_payment_method_id: Joi.string().optional(),
   currency_id: Joi.string().optional(),
   trial_period_days: Joi.number().integer().min(0).optional(),
@@ -281,12 +286,13 @@ const createSchema = Joi.object({
   collection_method: Joi.string().valid('charge_automatically', 'send_invoice').default('charge_automatically'),
   proration_behavior: Joi.string().valid('always_invoice', 'create_prorations', 'none').default('none'),
   service_actions: Joi.array().items(Joi.object()).optional(),
-  livemode: Joi.boolean().optional(), // Required if no payment_method_id provided
+  livemode: Joi.boolean().optional(),
 });
 
-router.post('/', auth, async (req, res) => {
+app.post('/', auth, async (c) => {
   try {
-    const value = await createSchema.validateAsync(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const value = await createSchema.validateAsync(body);
     const {
       customer_id: customerId,
       items,
@@ -304,35 +310,30 @@ router.post('/', auth, async (req, res) => {
       livemode: livemodeInput,
     } = value;
 
-    // Validate customer exists
     const customer = await Customer.findByPk(customerId);
     if (!customer) {
-      return res.status(404).json({ error: `Customer ${customerId} not found` });
+      return c.json({ error: `Customer ${customerId} not found` }, 404);
     }
 
-    // Validate payment method if provided
     let paymentMethod: PaymentMethod | null = null;
     if (paymentMethodId) {
       paymentMethod = await PaymentMethod.findByPk(paymentMethodId);
       if (!paymentMethod) {
-        return res.status(404).json({ error: `Payment method ${paymentMethodId} not found` });
+        return c.json({ error: `Payment method ${paymentMethodId} not found` }, 404);
       }
     }
 
-    // If no payment method, automatic billing is disabled (for prepaid/gifted subscriptions)
     const hasAutomaticBilling = !!paymentMethod;
 
-    // Determine livemode
     let livemode = livemodeInput;
     if (livemode === undefined) {
       if (paymentMethod) {
         livemode = paymentMethod.livemode;
       } else {
-        livemode = true; // Default to livemode if not specified
+        livemode = true;
       }
     }
 
-    // Expand and validate line items
     const priceIds = items.map((item: any) => item.price_id);
     const prices = await Price.findAll({
       where: { id: priceIds },
@@ -342,33 +343,33 @@ router.post('/', auth, async (req, res) => {
     if (prices.length !== priceIds.length) {
       const foundIds = prices.map((p) => p.id);
       const missingIds = priceIds.filter((id: string) => !foundIds.includes(id));
-      return res.status(404).json({ error: `Prices not found: ${missingIds.join(', ')}` });
+      return c.json({ error: `Prices not found: ${missingIds.join(', ')}` }, 404);
     }
 
-    // Validate all items are recurring
     const nonRecurringPrices = prices.filter((p) => p.type !== 'recurring');
     if (nonRecurringPrices.length > 0) {
-      return res.status(400).json({
-        error: `Subscription only supports recurring prices. Non-recurring prices: ${nonRecurringPrices.map((p) => p.id).join(', ')}`,
-      });
+      return c.json(
+        {
+          error: `Subscription only supports recurring prices. Non-recurring prices: ${nonRecurringPrices.map((p) => p.id).join(', ')}`,
+        },
+        400
+      );
     }
 
-    // Determine currency from first price if not provided
     let currencyId = value.currency_id;
     const firstPrice = prices[0];
     if (!currencyId && firstPrice) {
       currencyId = firstPrice.currency_id;
     }
     if (!currencyId) {
-      return res.status(400).json({ error: 'currency_id is required' });
+      return c.json({ error: 'currency_id is required' }, 400);
     }
 
     const paymentCurrency = await PaymentCurrency.findByPk(currencyId);
     if (!paymentCurrency) {
-      return res.status(404).json({ error: `Payment currency ${currencyId} not found` });
+      return c.json({ error: `Payment currency ${currencyId} not found` }, 404);
     }
 
-    // Build line items
     const lineItems: TLineItemExpanded[] = items.map((item: any) => {
       const price = prices.find((p) => p.id === item.price_id);
       return {
@@ -379,15 +380,13 @@ router.post('/', auth, async (req, res) => {
       };
     });
 
-    // Calculate subscription setup (periods, trial, etc.)
     const setup = getSubscriptionCreateSetup(lineItems, currencyId, trialPeriodDays, trialEndInput);
 
-    // Create subscription
     const subscription = await Subscription.create({
       livemode,
       currency_id: currencyId,
       customer_id: customerId,
-      status: 'active', // Direct creation starts as active
+      status: 'active',
       current_period_start: setup.period.start,
       current_period_end: setup.period.end,
       billing_cycle_anchor: billingCycleAnchor || setup.cycle.anchor,
@@ -414,7 +413,6 @@ router.post('/', auth, async (req, res) => {
       service_actions: serviceActions || [],
     });
 
-    // Create subscription items
     await Promise.all(
       lineItems.map((item) =>
         SubscriptionItem.create({
@@ -427,15 +425,13 @@ router.post('/', auth, async (req, res) => {
       )
     );
 
-    // If has trial period, set status to trialing
     if (setup.trial.end && setup.trial.end > dayjs().unix()) {
       await subscription.update({ status: 'trialing' });
-      createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(console.error);
+      createEvent('Subscription', 'customer.subscription.trial_start', subscription).catch(reportAuditFailure);
     } else {
-      createEvent('Subscription', 'customer.subscription.started', subscription).catch(console.error);
+      createEvent('Subscription', 'customer.subscription.started', subscription).catch(reportAuditFailure);
     }
 
-    // Schedule subscription cycle job only if has automatic billing
     if (hasAutomaticBilling) {
       await addSubscriptionJob(subscription, 'cycle', false, setup.trial.end || setup.period.end);
     }
@@ -447,7 +443,6 @@ router.post('/', auth, async (req, res) => {
       hasAutomaticBilling,
     });
 
-    // Return expanded subscription
     const result = await Subscription.findOne({
       where: { id: subscription.id },
       include: [
@@ -463,14 +458,14 @@ router.post('/', auth, async (req, res) => {
     // @ts-ignore
     expandLineItems(doc.items, products, allPrices);
 
-    return res.json(doc);
+    return c.json(doc);
   } catch (err: any) {
     logger.error('Failed to create subscription', { error: err.message });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/', authMine, async (req, res) => {
+app.get('/', authMine, async (c) => {
   const {
     page,
     pageSize,
@@ -478,7 +473,7 @@ router.get('/', authMine, async (req, res) => {
     livemode,
     include_latest_invoice_quote: includeLatestInvoiceQuoteParam = false,
     ...query
-  } = await schema.validateAsync(req.query, {
+  } = await schema.validateAsync(c.req.query(), {
     stripUnknown: false,
     allowUnknown: true,
   });
@@ -488,19 +483,18 @@ router.get('/', authMine, async (req, res) => {
   if (status) {
     where.status = status
       .split(',')
-      .map((x) => x.trim())
+      .map((x: string) => x.trim())
       .filter(Boolean);
   }
-  if (query.customer_id) {
-    where.customer_id = query.customer_id;
+  if (c.get('customer_id') ?? query.customer_id) {
+    where.customer_id = c.get('customer_id') ?? query.customer_id;
   }
   if (query.customer_did && isValid(query.customer_did)) {
     const customer = await Customer.findOne({ where: { did: query.customer_did } });
     if (customer) {
       where.customer_id = customer.id;
     } else {
-      res.json({ count: 0, list: [], paging: { page, pageSize } });
-      return;
+      return c.json({ count: 0, list: [], paging: { page, pageSize } });
     }
   }
   where.livemode = typeof livemode === 'boolean' ? livemode : true;
@@ -512,7 +506,7 @@ router.get('/', authMine, async (req, res) => {
       where[key] = query[key];
     });
 
-  const order: OrderItem[] = getOrder(req.query, []);
+  const order: OrderItem[] = getOrder(c.req.query(), []);
 
   if (query.activeFirst) {
     order.unshift([
@@ -541,7 +535,6 @@ router.get('/', authMine, async (req, res) => {
         { model: SubscriptionItem, as: 'items' },
         { model: Customer, as: 'customer' },
       ],
-      // https://github.com/sequelize/sequelize/issues/9481
       distinct: true,
     });
     const docs = list.map((x) => x.toJSON());
@@ -560,13 +553,12 @@ router.get('/', authMine, async (req, res) => {
         },
         distinct: true,
       });
-      res.json({ count, list: docs, paging: { page, pageSize }, totalCount });
-    } else {
-      res.json({ count, list: docs, paging: { page, pageSize } });
+      return c.json({ count, list: docs, paging: { page, pageSize }, totalCount });
     }
+    return c.json({ count, list: docs, paging: { page, pageSize } });
   } catch (err) {
     logger.error(err);
-    res.json({ count: 0, list: [], paging: { page, pageSize } });
+    return c.json({ count: 0, list: [], paging: { page, pageSize } });
   }
 });
 
@@ -578,7 +570,8 @@ const searchSchema = createListParamSchema<{
   query: Joi.string(),
   include_latest_invoice_quote: Joi.boolean().optional(),
 });
-router.get('/search', auth, async (req, res) => {
+
+app.get('/search', auth, async (c) => {
   const {
     page,
     pageSize,
@@ -587,7 +580,7 @@ router.get('/search', auth, async (req, res) => {
     q,
     o,
     include_latest_invoice_quote: includeLatestInvoiceQuoteParam = false,
-  } = await searchSchema.validateAsync(req.query, {
+  } = await searchSchema.validateAsync(c.req.query(), {
     stripUnknown: false,
     allowUnknown: true,
   });
@@ -597,10 +590,9 @@ router.get('/search', auth, async (req, res) => {
   if (typeof livemode === 'boolean') {
     where.livemode = livemode;
   }
-  // fix here https://github.com/blocklet/payment-kit/issues/394
   const { rows: list, count } = await Subscription.findAndCountAll({
     where,
-    order: getOrder(req.query, [['created_at', o === 'asc' ? 'ASC' : 'DESC']]),
+    order: getOrder(c.req.query(), [['created_at', o === 'asc' ? 'ASC' : 'DESC']]),
     offset: (page - 1) * pageSize,
     limit: pageSize,
     distinct: true,
@@ -619,13 +611,13 @@ router.get('/search', auth, async (req, res) => {
   if (includeLatestInvoiceQuote) {
     await attachLatestInvoiceQuotes(docs);
   }
-  res.json({ count, list: docs, paging: { page, pageSize } });
+  return c.json({ count, list: docs, paging: { page, pageSize } });
 });
 
-router.get('/:id', authPortal, async (req, res) => {
+app.get('/:id', authPortal, async (c) => {
   try {
     const doc = (await Subscription.findOne({
-      where: { id: req.params.id },
+      where: { id: c.req.param('id') },
       include: [
         { model: PaymentCurrency, as: 'paymentCurrency' },
         { model: PaymentMethod, as: 'paymentMethod' },
@@ -649,7 +641,6 @@ router.get('/:id', authPortal, async (req, res) => {
       // @ts-ignore
       json.serviceType = serviceType;
 
-      // Get discount statistics if subscription has active discounts
       let discountStats = null;
       try {
         const stats = await getSubscriptionDiscountStats(json.id);
@@ -660,7 +651,6 @@ router.get('/:id', authPortal, async (req, res) => {
         logger.error('Failed to fetch subscription discount stats', { error, subscriptionId: json.id });
       }
 
-      // Get payment method details
       let paymentMethodDetails = null;
       try {
         const paymentMethod = (doc as any).paymentMethod as PaymentMethod | null;
@@ -720,47 +710,48 @@ router.get('/:id', authPortal, async (req, res) => {
         logger.error('Failed to fetch payment method details', { error, subscriptionId: json.id });
       }
 
-      res.json({
+      return c.json({
         ...json,
         discountStats,
         paymentMethodDetails,
       });
-    } else {
-      res.status(404).json(null);
     }
-  } catch (err) {
+    return c.json(null, 404);
+  } catch (err: any) {
     logger.error(err);
-    res.status(500).json({ error: `Failed to get subscription: ${err.message}` });
+    return c.json({ error: `Failed to get subscription: ${err.message}` }, 500);
   }
 });
 
 const CommentSchema = Joi.string().max(200).empty('').optional();
 const SlashStakeSchema = Joi.string().max(200).required();
 
-router.put('/:id/cancel', authPortal, async (req, res) => {
-  const { error: commentError } = CommentSchema.validate(req.body?.comment);
+app.put('/:id/cancel', authPortal, async (c) => {
+  const body = c.get('sanitizedBody') ?? {};
+  const { error: commentError } = CommentSchema.validate(body?.comment);
   if (commentError) {
-    return res.status(400).json({ error: `comment invalid: ${commentError.message}` });
+    return c.json({ error: `comment invalid: ${commentError.message}` }, 400);
   }
 
-  const requestByAdmin = ['owner', 'admin'].includes(req.user?.role as string);
-  const slashStake = requestByAdmin && req.body?.staking === 'slash';
+  const user = c.get('user');
+  const requestByAdmin = ['owner', 'admin'].includes(user?.role as string);
+  const slashStake = requestByAdmin && body?.staking === 'slash';
 
   if (slashStake) {
-    const { error: slashReasonError } = SlashStakeSchema.validate(req.body?.slashReason);
+    const { error: slashReasonError } = SlashStakeSchema.validate(body?.slashReason);
     if (slashReasonError) {
-      return res.status(400).json({ error: `slash reason invalid: ${slashReasonError.message}` });
+      return c.json({ error: `slash reason invalid: ${slashReasonError.message}` }, 400);
     }
   }
 
-  const subscription = await Subscription.findByPk(req.params.id);
-  logger.info('subscription cancel request', { ...req.params, ...req.body });
+  const subscription = await Subscription.findByPk(c.req.param('id'));
+  logger.info('subscription cancel request', { id: c.req.param('id'), ...body });
 
   if (!subscription) {
-    return res.status(404).json({ error: 'subscription not found' });
+    return c.json({ error: 'subscription not found' }, 404);
   }
   if (subscription.status === 'canceled') {
-    return res.status(400).json({ error: 'Subscription already canceled' });
+    return c.json({ error: 'Subscription already canceled' }, 400);
   }
 
   const {
@@ -772,20 +763,19 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
     reason = 'payment_disputed',
     staking = 'none',
     slashReason = 'admin slash',
-  } = req.body;
+  } = body;
   if (at === 'custom' && dayjs(time).unix() < dayjs().unix()) {
-    return res.status(400).json({ error: 'cancel at must be a future timestamp' });
+    return c.json({ error: 'cancel at must be a future timestamp' }, 400);
   }
 
   let canReturnStake = false;
-  if ((requestByAdmin && staking === 'proration') || req.body?.cancel_from === 'customer') {
+  if ((requestByAdmin && staking === 'proration') || body?.cancel_from === 'customer') {
     canReturnStake = true;
   }
   const haveStake = !!subscription.payment_details?.arcblock?.staking?.tx_hash;
-  // update cancel at
   const updates: Partial<Subscription> = {
     cancelation_details: {
-      comment: comment || `Requested by ${req.user?.role}:${req.user?.did}`,
+      comment: comment || `Requested by ${user?.role}:${user?.did}`,
       reason: reason || 'payment_disputed',
       feedback: feedback || 'other',
       return_stake: canReturnStake && haveStake,
@@ -794,7 +784,7 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
     },
   };
   const now = dayjs().unix() + 3;
-  if (req.user?.via === 'portal' || req.body?.cancel_from === 'customer') {
+  if (user?.via === 'portal' || body?.cancel_from === 'customer') {
     const inTrialing = subscription.status === 'trialing';
     updates.cancel_at_period_end = true;
     updates.cancel_at = subscription.current_period_end;
@@ -813,8 +803,8 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
     }
     await addSubscriptionJob(subscription, 'cancel', true, updates.cancel_at);
   } else {
-    if (['owner', 'admin'].includes(req.user?.role as string) === false) {
-      return res.status(403).json({ error: 'Not authorized to perform this action' });
+    if (['owner', 'admin'].includes(user?.role as string) === false) {
+      return c.json({ error: 'Not authorized to perform this action' }, 403);
     }
 
     if (at === 'now') {
@@ -842,7 +832,11 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
   if (subscription.payment_details?.stripe?.subscription_id) {
     const method = await PaymentMethod.findOne({ where: { type: 'stripe', livemode: subscription.livemode } });
     if (method) {
-      logger.info('subscription cancel attempt on stripe', { subscription: req.params.id, method: method.id, updates });
+      logger.info('subscription cancel attempt on stripe', {
+        subscription: c.req.param('id'),
+        method: method.id,
+        updates,
+      });
       const client = method.getStripeClient();
       try {
         if (updates.cancel_at_period_end) {
@@ -855,18 +849,20 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
             proration_behavior: 'none',
           });
         }
-        logger.info('subscription cancel done on stripe', { subscription: req.params.id, method: method.id, updates });
+        logger.info('subscription cancel done on stripe', {
+          subscription: c.req.param('id'),
+          method: method.id,
+          updates,
+        });
       } catch (err) {
-        // FIXME: how do we handle failure here?
-        logger.error('subscription cancel failed on stripe', { subscription: req.params.id, updates, error: err });
+        logger.error('subscription cancel failed on stripe', { subscription: c.req.param('id'), updates, error: err });
       }
     }
   }
 
-  // trigger refund
   if (updates.cancel_at < subscription.current_period_end && refund !== 'none') {
-    if (['owner', 'admin'].includes(req.user?.role as string) === false) {
-      return res.status(403).json({ error: 'Not authorized to refund' });
+    if (['owner', 'admin'].includes(user?.role as string) === false) {
+      return c.json({ error: 'Not authorized to refund' }, 403);
     }
     const result = await getSubscriptionRefundSetup(subscription, updates.cancel_at);
     if (result.remainingUnused !== '0') {
@@ -874,18 +870,18 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
       updates.cancelation_details = {
         ...(updates.cancelation_details || {}),
         refund,
-        requested_by: req.user?.did,
+        requested_by: user?.did,
       };
       logger.info('subscription cancel with refund', {
-        ...req.params,
-        ...req.body,
+        id: c.req.param('id'),
+        ...body,
         refund,
         ...pick(result, ['total', 'unused']),
       });
     } else {
       logger.info('subscription cancel no refund', {
-        ...req.params,
-        ...req.body,
+        id: c.req.param('id'),
+        ...body,
         ...pick(result, ['total', 'unused']),
       });
     }
@@ -895,19 +891,19 @@ router.put('/:id/cancel', authPortal, async (req, res) => {
   logger.info('Update subscription for cancel request successful', {
     subscriptionId: subscription.id,
     customerId: subscription.customer_id,
-    reason: req.body.reason,
+    reason: body.reason,
     cancelAt: subscription.cancel_at,
-    requestedBy: req.user?.did,
+    requestedBy: user?.did,
     updates,
   });
-  return res.json(subscription);
+  return c.json(subscription);
 });
 
-router.get('/:id/recover-info', authPortal, async (req, res) => {
-  const doc = await Subscription.findByPk(req.params.id);
+app.get('/:id/recover-info', authPortal, async (c) => {
+  const doc = await Subscription.findByPk(c.req.param('id'));
 
   if (!doc) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
 
   const paymentMethod = await PaymentMethod.findByPk(doc.default_payment_method_id);
@@ -932,39 +928,38 @@ router.get('/:id/recover-info', authPortal, async (req, res) => {
     }
   }
 
-  return res.json({
+  return c.json({
     subscription: doc,
     needStake,
     revokedStake,
   });
 });
 
-router.put('/:id/recover', authPortal, async (req, res) => {
-  const doc = await Subscription.findByPk(req.params.id);
+app.put('/:id/recover', authPortal, async (c) => {
+  const doc = await Subscription.findByPk(c.req.param('id'));
 
   if (!doc) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   if (!doc.cancel_at_period_end) {
-    return res.status(400).json({ error: 'Subscription not recoverable from cancellation config' });
+    return c.json({ error: 'Subscription not recoverable from cancellation config' }, 400);
   }
   if (doc.cancelation_details?.reason === 'payment_failed') {
-    return res.status(400).json({ error: 'Subscription not recoverable from payment failed' });
+    return c.json({ error: 'Subscription not recoverable from payment failed' }, 400);
   }
   if (doc.status === 'canceled') {
-    return res.status(400).json({ error: 'Subscription not recoverable from cancellation' });
+    return c.json({ error: 'Subscription not recoverable from cancellation' }, 400);
   }
 
   const paymentMethod = await PaymentMethod.findByPk(doc.default_payment_method_id);
   if (!paymentMethod) {
-    return res.status(400).json({ error: 'Payment method not found' });
+    return c.json({ error: 'Payment method not found' }, 400);
   }
   const paymentCurrency = await PaymentCurrency.findByPk(doc.currency_id);
   if (!paymentCurrency) {
-    return res.status(400).json({ error: 'Payment currency not found' });
+    return c.json({ error: 'Payment currency not found' }, 400);
   }
 
-  // check if need stake
   if (paymentMethod.type === 'arcblock') {
     const address = doc.payment_details?.arcblock?.staking?.address;
     if (address) {
@@ -972,7 +967,7 @@ router.put('/:id/recover', authPortal, async (req, res) => {
         const { revoked } = await checkRemainingStake(paymentMethod, paymentCurrency, address, '0');
         const cancelReason = doc.cancelation_details?.reason;
         if (revoked && revoked.value !== '0' && cancelReason === 'stake_revoked') {
-          return res.json({
+          return c.json({
             needStake: true,
             subscription: doc,
             revoked,
@@ -999,29 +994,29 @@ router.put('/:id/recover', authPortal, async (req, res) => {
     canceled_at: 0,
   });
   await new SubscriptionWillCanceledSchedule().deleteScheduleSubscriptionJobs([doc]);
-  // reschedule jobs
   subscriptionQueue
     .delete(`cancel-${doc.id}`)
     .then(() => logger.info('subscription cancel job is canceled'))
     .catch((err) => logger.error('subscription cancel job failed to cancel', { error: err }));
   await addSubscriptionJob(doc, 'cycle');
 
-  return res.json({ subscription: doc });
+  return c.json({ subscription: doc });
 });
 
-router.put('/:id/pause', auth, async (req, res) => {
-  const doc = await Subscription.findByPk(req.params.id);
+app.put('/:id/pause', auth, async (c) => {
+  const doc = await Subscription.findByPk(c.req.param('id'));
 
   if (!doc) {
-    return res.status(404).json({ error: 'subscription not found' });
+    return c.json({ error: 'subscription not found' }, 404);
   }
   if (doc.status === 'paused') {
-    return res.status(400).json({ error: 'Subscription already paused' });
+    return c.json({ error: 'Subscription already paused' }, 400);
   }
 
-  const { type, resumesAt, behavior } = req.body;
+  const body = c.get('sanitizedBody') ?? {};
+  const { type, resumesAt, behavior } = body;
   if (type === 'custom' && dayjs(resumesAt).unix() < dayjs().unix()) {
-    return res.status(400).json({ error: 'resumesAt must be a future timestamp' });
+    return c.json({ error: 'resumesAt must be a future timestamp' }, 400);
   }
 
   const timestamp = type === 'custom' ? dayjs(resumesAt).unix() : 0;
@@ -1045,17 +1040,17 @@ router.put('/:id/pause', auth, async (req, res) => {
     await addSubscriptionJob(doc, 'resume', false, timestamp);
   }
 
-  return res.json(doc);
+  return c.json(doc);
 });
 
-router.put('/:id/resume', auth, async (req, res) => {
-  const doc = await Subscription.findByPk(req.params.id);
+app.put('/:id/resume', auth, async (c) => {
+  const doc = await Subscription.findByPk(c.req.param('id'));
 
   if (!doc) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   if (doc.status !== 'paused' && doc.pause_collection === null) {
-    return res.status(400).json({ error: 'Subscription not paused' });
+    return c.json({ error: 'Subscription not paused' }, 400);
   }
 
   await updateStripeSubscription(doc, { pause_collection: null });
@@ -1066,27 +1061,27 @@ router.put('/:id/resume', auth, async (req, res) => {
     .then(() => logger.info('subscription resume job is canceled'))
     .catch((err) => logger.error('subscription resume job failed to cancel', { error: err }));
 
-  return res.json(doc);
+  return c.json(doc);
 });
 
-router.put('/:id/return-stake', authPortal, async (req, res) => {
-  const doc = await Subscription.findByPk(req.params.id);
+app.put('/:id/return-stake', authPortal, async (c) => {
+  const doc = await Subscription.findByPk(c.req.param('id'));
   if (!doc) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   if (doc.status !== 'canceled') {
-    return res.status(400).json({ error: 'Subscription is not canceled' });
+    return c.json({ error: 'Subscription is not canceled' }, 400);
   }
 
   if (!doc.payment_details?.arcblock?.staking?.tx_hash) {
-    return res.status(400).json({ error: 'No staking transaction found in subscription' });
+    return c.json({ error: 'No staking transaction found in subscription' }, 400);
   }
   returnStakeQueue.push({ id: `return-stake-${doc.id}`, job: { subscriptionId: doc.id } });
   logger.info('Subscription return stake job scheduled', {
     jobId: `return-stake-${doc.id}`,
     subscription: doc.id,
   });
-  return res.json({ success: true, subscriptionId: doc.id });
+  return c.json({ success: true, subscriptionId: doc.id });
 });
 
 const isValidSubscriptionItemChange = (item: SubscriptionUpdateItem) => {
@@ -1114,28 +1109,23 @@ const isValidSubscriptionItemChange = (item: SubscriptionUpdateItem) => {
 };
 
 const validateSubscriptionUpdateRequest = async (subscription: Subscription, items: SubscriptionUpdateItem[]) => {
-  // validate
   items.every(isValidSubscriptionItemChange);
 
-  // ensure no duplicate id
   const ids = items.filter((x: any) => x.id).map((x: any) => x.id);
   if (uniq(ids).length !== ids.length) {
     throw new Error('Subscription item should not have duplicate id');
   }
 
-  // ensure no duplicate price_id
   const priceIds = items.filter((x: any) => x.price_id).map((x: any) => x.price_id);
   if (uniq(priceIds).length !== priceIds.length) {
     throw new Error('Subscription item should not have duplicate price_id');
   }
 
-  // split items into added, deleted
   const existingItems = await SubscriptionItem.findAll({ where: { subscription_id: subscription.id } });
   const addedItems = items.filter((x: any) => x.price_id && !x.id);
   const deletedItems = items.filter((x: any) => x.deleted && x.id);
   const updatedItems = items.filter((x: any) => !x.deleted && x.id && existingItems.some((i) => i.id === x.id));
 
-  // try handle cross-sell with different interval, just replace with new price that have same interval
   let addedExpanded = await Price.expand(addedItems as LineItem[]);
   let existingExpanded = await Price.expand(
     existingItems.filter((x) => deletedItems.some((y) => y.id === x.id) === false).map((x) => x.toJSON())
@@ -1225,7 +1215,6 @@ const validateSubscriptionUpdateRequest = async (subscription: Subscription, ite
   };
 };
 
-// TODO: @wangshijun forward changes to stripe
 const updateSchema = Joi.object<{
   description?: string;
   metadata?: Record<string, any>;
@@ -1269,24 +1258,23 @@ const updateSchema = Joi.object<{
     )
     .optional(),
 });
-// eslint-disable-next-line consistent-return
-router.put('/:id', authPortal, async (req, res) => {
-  logger.debug('subscription update request', { subscription: req.params.id, body: req.body });
+
+app.put('/:id', authPortal, async (c) => {
+  const body = c.get('sanitizedBody') ?? {};
+  logger.debug('subscription update request', { subscription: c.req.param('id'), body });
   try {
-    const { error, value } = updateSchema.validate(req.body);
+    const { error, value } = updateSchema.validate(body);
     if (error) {
-      return res.status(400).json({ error: `Subscription update request invalid: ${error.message}` });
+      return c.json({ error: `Subscription update request invalid: ${error.message}` }, 400);
     }
 
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
-    // handle updates
     const updates: Partial<TSubscription> = {};
 
-    // only metadata + description can be updated when not active
     if (value.metadata) {
       updates.metadata = formatMetadata(value.metadata);
     }
@@ -1298,10 +1286,9 @@ router.put('/:id', authPortal, async (req, res) => {
     }
     if (subscription.isActive() === false) {
       await subscription.update(updates);
-      return res.json(subscription);
+      return c.json(subscription);
     }
 
-    // other updates are allowed
     if (value.payment_behavior) {
       updates.payment_behavior = value.payment_behavior;
     }
@@ -1323,7 +1310,6 @@ router.put('/:id', authPortal, async (req, res) => {
       throw new Error('Subscription should have customer');
     }
 
-    // handle subscription item changes
     let connectAction = '';
     if (Array.isArray(value.items) && value.items.length > 0) {
       const prorationBehavior = updates.proration_behavior || subscription.proration_behavior || 'none';
@@ -1340,7 +1326,6 @@ router.put('/:id', authPortal, async (req, res) => {
         throw new Error('Updating subscription item not allowed now until next billing cycle');
       }
 
-      // validate the request
       const { addedItems, updatedItems, deletedItems, newItems } = await validateSubscriptionUpdateRequest(
         subscription,
         value.items
@@ -1380,7 +1365,7 @@ router.put('/:id', authPortal, async (req, res) => {
 
         const stripeItems = [...addedStripeItems, ...updatedStripeItems, ...deletedStripeItems].filter(Boolean);
         logger.info('stripe subscription update attempt', {
-          subscription: req.params.id,
+          subscription: c.req.param('id'),
           stripeSubscriptionId,
           addedStripeItems,
           updatedStripeItems,
@@ -1389,7 +1374,7 @@ router.put('/:id', authPortal, async (req, res) => {
 
         await subscription.update({
           pending_update: {
-            expires_at: dayjs().unix() + 30 * 60, // after 30 minutes
+            expires_at: dayjs().unix() + 30 * 60,
             updates,
             addedItems,
             deletedItems,
@@ -1410,25 +1395,17 @@ router.put('/:id', authPortal, async (req, res) => {
           items: stripeItems,
         });
         logger.info('stripe subscription update done', {
-          subscription: req.params.id,
+          subscription: c.req.param('id'),
           stripeSubscriptionId,
           prorationBehavior,
           result,
         });
       } else {
-        // update subscription period settings
-        // HINT: if we are adding new items, we need to reset the anchor to now
-        // For change-plan (proration), we need exact amounts, not authorization amounts with slippage buffer.
-        // So we don't pass minAcceptableRate or slippage percent here.
-        // The custom_amount we set below will be used as-is.
         const slippageOptions: SlippageOptions = {
-          percent: 0, // No slippage multiplier for actual payment
-          // Don't include minAcceptableRate - it would override custom_amount calculation
+          percent: 0,
           currencyDecimal: paymentCurrency.decimal,
         };
 
-        // For dynamic pricing items, calculate custom_amount using current exchange rate
-        // This ensures the total is calculated with current rate, not the stale unit_amount
         const hasDynamicPricing = newItems.some((x) => (x.upsell_price || x.price).pricing_type === 'dynamic');
         if (hasDynamicPricing) {
           const currencyPaymentMethod =
@@ -1440,20 +1417,16 @@ router.put('/:id', authPortal, async (req, res) => {
             if (rateResult?.rate) {
               const USD_DECIMALS = 8;
               const currentRate = rateResult.rate;
-              // Set custom_amount for each dynamic pricing item
               newItems.forEach((item: any) => {
                 const price = item.upsell_price || item.price;
                 if (price.pricing_type === 'dynamic' && price.base_amount) {
-                  // Calculate: base_amount / rate * 10^decimal
-                  // Use trimDecimals to avoid "too many decimal places" error
                   const baseAmountBN = fromTokenToUnit(trimDecimals(price.base_amount, USD_DECIMALS), USD_DECIMALS);
                   const rateBN = fromTokenToUnit(trimDecimals(currentRate, USD_DECIMALS), USD_DECIMALS);
                   if (rateBN.gt(new BN(0))) {
                     const amountBN = baseAmountBN
                       .mul(new BN(10).pow(new BN(paymentCurrency.decimal)))
-                      .add(rateBN.sub(new BN(1))) // Round up
+                      .add(rateBN.sub(new BN(1)))
                       .div(rateBN);
-                    // Apply same precision limiting as quote service (10 significant decimal places)
                     const totalAmountBN = amountBN.mul(new BN(item.quantity));
                     item.custom_amount = limitTokenPrecision(totalAmountBN, paymentCurrency.decimal, 10).toString();
                     logger.info('Set custom_amount for dynamic pricing item in subscription update', {
@@ -1476,7 +1449,6 @@ router.put('/:id', authPortal, async (req, res) => {
         }
 
         const setup = getSubscriptionCreateSetup(newItems, paymentCurrency.id, 0, 0, slippageOptions);
-        // Check if the subscription is currently in trial
         const isInTrial =
           subscription.status === 'trialing' && subscription.trial_end && subscription.trial_end > dayjs().unix();
         if (newItems.some((x) => x.price.type === 'recurring' && addedItems.find((y) => y.price_id === x.price_id))) {
@@ -1486,19 +1458,16 @@ router.put('/:id', authPortal, async (req, res) => {
             updates.current_period_end = setup.period.end;
           }
           updates.billing_cycle_anchor = setup.cycle.anchor;
-          logger.info('subscription updates on reset anchor', { subscription: req.params.id, updates });
+          logger.info('subscription updates on reset anchor', { subscription: c.req.param('id'), updates });
         }
 
-        // handle proration
         if (prorationBehavior === 'create_prorations') {
-          // 0. cleanup open invoices
           if (subscription.pending_update?.updates?.latest_invoice_id) {
             await cleanupInvoiceAndItems(subscription.pending_update?.updates?.latest_invoice_id);
             // @ts-ignore
             await subscription.update({ pending_update: null });
           }
 
-          // 1. create proration
           const { lastInvoice, due, newCredit, appliedCredit, prorations, total } = await createProration(
             subscription,
             setup,
@@ -1506,7 +1475,6 @@ router.put('/:id', authPortal, async (req, res) => {
           );
 
           if ((total === '0' && isInTrial) || newCredit !== '0') {
-            // 0 amount or new credit means no need to create invoice
             await subscription.update(updates);
             await finalizeSubscriptionUpdate({
               subscription,
@@ -1520,11 +1488,10 @@ router.put('/:id', authPortal, async (req, res) => {
               updatedItems,
               updates,
             });
-            await createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(console.error);
-            return res.json({ ...subscription.toJSON(), connectAction });
+            await createEvent('Subscription', 'customer.subscription.upgraded', subscription).catch(reportAuditFailure);
+            return c.json({ ...subscription.toJSON(), connectAction });
           }
-          // 2. create new invoice: amount according to new subscription items
-          // 3. create new invoice items: amount according to new subscription items
+
           const result = await ensureInvoiceAndItems({
             customer,
             currency: paymentCurrency,
@@ -1551,9 +1518,8 @@ router.put('/:id', authPortal, async (req, res) => {
           });
           const { invoice } = result;
           updates.latest_invoice_id = invoice.id;
-          logger.info('subscription update invoice created', { subscription: req.params.id, invoice: invoice.id });
+          logger.info('subscription update invoice created', { subscription: c.req.param('id'), invoice: invoice.id });
 
-          // 4. create proration invoice items: amount according to proration amount
           const prorationInvoiceItems = await Promise.all(
             prorations.map((x: any) =>
               InvoiceItem.create({
@@ -1573,15 +1539,13 @@ router.put('/:id', authPortal, async (req, res) => {
             )
           );
           logger.info('subscription proration invoice items created', {
-            subscription: req.params.id,
+            subscription: c.req.param('id'),
             items: prorationInvoiceItems.map((x) => x.id),
           });
 
-          // 5. check do we need to connect
           let hasNext = true;
           let needsNewStake = false;
 
-          // Check if stake is required and if we need a new one
           const requiresStake = paymentMethod.type === 'arcblock' && !subscription.billing_thresholds?.no_stake;
           if (requiresStake) {
             const existingStakeAddress = subscription.payment_details?.arcblock?.staking?.address;
@@ -1603,8 +1567,6 @@ router.put('/:id', authPortal, async (req, res) => {
             hasNext = false;
           } else {
             const payer = getSubscriptionPaymentAddress(subscription, paymentMethod.type);
-            // For change-plan, we should check if delegation is sufficient for the due amount,
-            // not the full new plan price. The due amount is what user actually needs to pay.
             const delegation = await isDelegationSufficientForPayment({
               paymentMethod,
               paymentCurrency,
@@ -1622,30 +1584,26 @@ router.put('/:id', authPortal, async (req, res) => {
               needsNewStake,
             });
             if (delegation.sufficient && !needsNewStake) {
-              // Both delegation is sufficient and no new stake needed
               hasNext = false;
             } else if (['NO_DID_WALLET'].includes(delegation.reason as string)) {
               throw new Error('Subscription update can only be done when you do have connected DID Wallet');
             } else if (['NO_TOKEN', 'NO_ENOUGH_TOKEN'].includes(delegation.reason as string)) {
-              // FIXME: this is not supported at frontend
               connectAction = 'collect';
             } else {
               connectAction = 'change-plan';
             }
           }
 
-          // 6. adjust invoice total
           await invoice.update({
             status: 'open',
             amount_due: due,
             amount_remaining: due,
           });
 
-          // 7. wait for succeed
           if (hasNext) {
             await subscription.update({
               pending_update: {
-                expires_at: dayjs().unix() + 30 * 60, // after 30 minutes
+                expires_at: dayjs().unix() + 30 * 60,
                 updates,
                 appliedCredit,
                 newCredit,
@@ -1678,7 +1636,6 @@ router.put('/:id', authPortal, async (req, res) => {
               invoice: invoice.id,
             });
 
-            // check if we have succeeded
             await Promise.all([invoice.reload(), subscription.reload()]);
 
             if (invoice.status === 'paid') {
@@ -1703,9 +1660,9 @@ router.put('/:id', authPortal, async (req, res) => {
           }
         }
       }
-    } else if (req.body.billing_cycle_anchor === 'now') {
+    } else if (body.billing_cycle_anchor === 'now') {
       if (paymentMethod?.type === 'stripe') {
-        return res.status(400).json({ error: 'Update billing_cycle_anchor not supported for stripe subscriptions' });
+        return c.json({ error: 'Update billing_cycle_anchor not supported for stripe subscriptions' }, 400);
       }
 
       if (subscription.isActive() === false) {
@@ -1715,7 +1672,6 @@ router.put('/:id', authPortal, async (req, res) => {
         throw new Error('Updating billing_cycle_anchor not allowed for scheduled-to-cancel subscriptions');
       }
 
-      // FIXME: handle billing cycle anchor change without any item change
       await subscription.update(updates);
     } else {
       const now = dayjs().unix();
@@ -1787,15 +1743,14 @@ router.put('/:id', authPortal, async (req, res) => {
       updatedFields: Object.keys(updates),
       newStatus: subscription.status,
     });
-    return res.json({ ...subscription.toJSON(), connectAction });
-  } catch (err) {
+    return c.json({ ...subscription.toJSON(), connectAction });
+  } catch (err: any) {
     logger.error(err);
-    return res.status(500).json({ code: err.code, error: err.message });
+    return c.json({ code: err.code, error: err.message }, 500);
   }
 });
 
 const getUpdateTable = async (subscription: Subscription) => {
-  // If we are from a pricing table
   if (subscription.metadata.pricing_table_id) {
     const table = await PricingTable.findByPk(subscription.metadata.pricing_table_id);
     if (table) {
@@ -1804,7 +1759,6 @@ const getUpdateTable = async (subscription: Subscription) => {
     }
   }
 
-  // if we are from upsell
   const items = await SubscriptionItem.findAll({ where: { subscription_id: subscription.id } });
   if (items.length === 1) {
     const expanded = await Price!.expand(
@@ -1813,14 +1767,12 @@ const getUpdateTable = async (subscription: Subscription) => {
     );
     const exist = expanded.find((x) => x.price.type === 'recurring' && x.price.upsell?.upsells_to_id);
     if (exist && exist.price.upsell?.upsells_to) {
-      // Fake a pricing table here
       return {
         active: true,
         livemode: subscription.livemode,
         name: 'Fake Pricing Table',
         items: [
           {
-            // Current item should always be the first
             ...PricingTable.formatItem({
               price_id: exist.price.id,
               product_id: exist.price.product_id,
@@ -1829,7 +1781,6 @@ const getUpdateTable = async (subscription: Subscription) => {
             product: exist.price.product,
           },
           {
-            // Upsell item comes next
             ...PricingTable.formatItem({
               price_id: exist.price.upsell.upsells_to_id,
               product_id: exist.price.product_id,
@@ -1846,69 +1797,65 @@ const getUpdateTable = async (subscription: Subscription) => {
 };
 
 // Check that the subscription is upgradable
-router.get('/:id/change-plan', authPortal, async (req, res) => {
+app.get('/:id/change-plan', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
     if (subscription.isActive() === false) {
-      return res.status(400).json({ error: 'Subscription is not active' });
+      return c.json({ error: 'Subscription is not active' }, 400);
     }
     if (subscription.isScheduledToCancel()) {
-      return res.status(400).json({ error: 'Subscription is scheduled to cancel' });
+      return c.json({ error: 'Subscription is scheduled to cancel' }, 400);
     }
     const locked = await Lock.isLocked(`${subscription.id}-change-plan`);
     if (locked) {
-      return res.status(400).json({ error: 'Subscription plan change is not allowed until next billing cycle' });
+      return c.json({ error: 'Subscription plan change is not allowed until next billing cycle' }, 400);
     }
 
     const table = await getUpdateTable(subscription);
-    return res.json(table);
+    return c.json(table);
   } catch (err) {
     logger.error(err);
-    return res.json(null);
+    return c.json(null);
   }
 });
 
 // Simulate subscription plan change
-router.post('/:id/change-plan', authPortal, async (req, res) => {
+app.post('/:id/change-plan', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
     if (subscription.isActive() === false) {
-      return res.status(400).json({ error: 'Subscription is not active' });
+      return c.json({ error: 'Subscription is not active' }, 400);
     }
     if (subscription.isScheduledToCancel()) {
-      return res.status(400).json({ error: 'Subscription is scheduled to cancel' });
+      return c.json({ error: 'Subscription is scheduled to cancel' }, 400);
     }
     const locked = await Lock.isLocked(`${subscription.id}-change-plan`);
     if (locked) {
-      return res.status(400).json({ error: 'Subscription plan change is not allowed until next billing cycle' });
+      return c.json({ error: 'Subscription plan change is not allowed until next billing cycle' }, 400);
     }
 
-    const { error } = updateSchema.validate(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const { error } = updateSchema.validate(body);
     if (error) {
-      return res.status(400).json({ error: `Subscription update request invalid: ${error.message}` });
+      return c.json({ error: `Subscription update request invalid: ${error.message}` }, 400);
     }
 
-    // handle subscription item changes
-    if (!Array.isArray(req.body.items) || !req.body.items.length) {
-      return res.status(400).json({ error: 'Subscription update request invalid: items are empty' });
+    if (!Array.isArray(body.items) || !body.items.length) {
+      return c.json({ error: 'Subscription update request invalid: items are empty' }, 400);
     }
 
-    // validate the request
-    const { newItems } = await validateSubscriptionUpdateRequest(subscription, req.body.items);
+    const { newItems } = await validateSubscriptionUpdateRequest(subscription, body.items);
 
-    // do the simulation
-    // Note: For dynamic pricing, the actual amount is calculated by frontend using current exchange rate
-    // Backend only provides the base structure, frontend handles display with real-time rates
     const setup = getSubscriptionCreateSetup(newItems, subscription.currency_id, 0);
     const result = await createProration(subscription, setup, dayjs().unix());
 
-    return res.json({
+    return c.json({
       setup,
       total: result.total,
       newCredit: result.newCredit,
@@ -1918,21 +1865,21 @@ router.post('/:id/change-plan', authPortal, async (req, res) => {
       prorations: result.prorations,
       items: newItems,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // Simulate subscription cancel
-router.get('/:id/proration', authPortal, async (req, res) => {
+app.get('/:id/proration', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
     if (subscription.isActive() === false) {
-      return res.status(400).json({ error: 'Subscription is not active' });
+      return c.json({ error: 'Subscription is not active' }, 400);
     }
 
     const invoice = await Invoice.findOne({
@@ -1944,18 +1891,19 @@ router.get('/:id/proration', authPortal, async (req, res) => {
       order: [['created_at', 'DESC']],
     });
 
-    const anchor = req.query.time ? dayjs(req.query.time as any).unix() : dayjs().unix();
+    const timeQuery = c.req.query('time');
+    const anchor = timeQuery ? dayjs(timeQuery as any).unix() : dayjs().unix();
     const result = await getSubscriptionRefundSetup(subscription, anchor, invoice?.currency_id);
     if (result.remaining === '0') {
-      return res.json(null);
+      return c.json(null);
     }
     const paymentCurrency = await PaymentCurrency.findByPk(result.lastInvoice?.currency_id);
     const paymentMethod = await PaymentMethod.findByPk(paymentCurrency?.payment_method_id);
     if (paymentMethod?.type === 'stripe') {
-      return res.status(400).json({ error: 'Not supported for subscriptions paid with stripe' });
+      return c.json({ error: 'Not supported for subscriptions paid with stripe' }, 400);
     }
 
-    return res.json({
+    return c.json({
       total: result.remaining,
       latest: invoice?.total,
       unused: result.remainingUnused,
@@ -1963,67 +1911,68 @@ router.get('/:id/proration', authPortal, async (req, res) => {
       prorations: result.prorations,
       paymentCurrency,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // Simulate stake return when subscription is canceled
-router.get('/:id/staking', authPortal, async (req, res) => {
+app.get('/:id/staking', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
     const paymentMethod = await PaymentMethod.findByPk(subscription.default_payment_method_id);
     if (paymentMethod?.type !== 'arcblock') {
-      return res
-        .status(400)
-        .json({ error: `Stake return not supported for subscription with payment method ${paymentMethod?.type}` });
+      return c.json(
+        { error: `Stake return not supported for subscription with payment method ${paymentMethod?.type}` },
+        400
+      );
     }
     const address = subscription?.payment_details?.arcblock?.staking?.address ?? undefined;
     if (!address) {
-      return res.status(400).json({ error: 'Staking not found on subscription payment detail' });
+      return c.json({ error: 'Staking not found on subscription payment detail' }, 400);
     }
     const returnResult = await getSubscriptionStakeReturnSetup(subscription, address, paymentMethod);
     const slashResult = await getSubscriptionStakeSlashSetup(subscription, address, paymentMethod);
-    return res.json({
+    return c.json({
       return_amount: returnResult.return_amount,
       total: returnResult.total,
       slash_amount: slashResult.return_amount,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error('subscription staking simulation failed', { error: err });
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // Check payment change status
-router.get('/:id/change-payment', authPortal, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/change-payment', authPortal, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   const context = subscription.metadata.changePayment || {};
   if (!context.setup_intent_id) {
-    return res.status(404).json({ error: 'Subscription change payment context not found' });
+    return c.json({ error: 'Subscription change payment context not found' }, 404);
   }
 
   const setupIntent = await SetupIntent.findByPk(context.setup_intent_id);
-  return res.json({ subscription, setupIntent });
+  return c.json({ subscription, setupIntent });
 });
 
-router.get('/:id/exchange-rate', authPortal, async (req, res) => {
+app.get('/:id/exchange-rate', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
-    const currencyId = (req.query.currency_id as string) || subscription.currency_id;
+    const currencyId = c.req.query('currency_id') || subscription.currency_id;
     const paymentCurrency = (await PaymentCurrency.findByPk(currencyId, {
       include: [
         {
@@ -2034,24 +1983,24 @@ router.get('/:id/exchange-rate', authPortal, async (req, res) => {
     })) as PaymentCurrency & { payment_method: PaymentMethod };
 
     if (!paymentCurrency) {
-      return res.status(400).json({ error: 'Currency not found' });
+      return c.json({ error: 'Currency not found' }, 400);
     }
 
     const paymentMethod =
       paymentCurrency.payment_method || (await PaymentMethod.findByPk(paymentCurrency.payment_method_id));
     if (!paymentMethod) {
-      return res.status(400).json({ error: 'Payment method not found' });
+      return c.json({ error: 'Payment method not found' }, 400);
     }
 
     if (paymentMethod.type === 'stripe') {
-      return res.status(400).json({ error: 'Stripe currency does not require exchange rate.' });
+      return c.json({ error: 'Stripe currency does not require exchange rate.' }, 400);
     }
 
     const rateSymbol = getExchangeRateSymbol(paymentCurrency.symbol, paymentMethod.type as any);
     const rateResult = await exchangeRateService.getRate(rateSymbol);
     const serverNow = Date.now();
 
-    return res.json({
+    return c.json({
       server_now: serverNow,
       rate: rateResult.rate,
       timestamp_ms: rateResult.timestamp_ms,
@@ -2067,32 +2016,31 @@ router.get('/:id/exchange-rate', authPortal, async (req, res) => {
     });
   } catch (err: any) {
     logger.error('Failed to fetch exchange rate for subscription change payment', {
-      subscriptionId: req.params.id,
+      subscriptionId: c.req.param('id'),
       error: err.message,
     });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.put('/:id/slippage', authPortal, async (req, res) => {
+app.put('/:id/slippage', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
-    const { slippage_percent: slippagePercent } = req.body;
-    const rawConfig = req.body?.slippage_config || req.body?.slippage || null;
+    const body = c.get('sanitizedBody') ?? {};
+    const { slippage_percent: slippagePercent } = body;
+    const rawConfig = body?.slippage_config || body?.slippage || null;
     const normalizePercent = (value: any) => {
       const normalized = typeof value === 'string' ? Number(value) : value;
-      // Only validate that it's a non-negative finite number, no upper limit
       if (!Number.isFinite(normalized) || normalized < 0) {
         return null;
       }
       return normalized;
     };
 
-    // Helper: get current exchange rate for subscription currency
     const getCurrentRate = async (): Promise<{ rate: string; baseCurrency: string } | null> => {
       const currency = (await PaymentCurrency.findByPk(subscription.currency_id, {
         include: [{ model: PaymentMethod, as: 'payment_method' }],
@@ -2106,13 +2054,11 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
       return { rate: rateResult.rate, baseCurrency: 'USD' };
     };
 
-    // Helper: calculate min_acceptable_rate from percent
     const calcMinRateFromPercent = (percent: number, currentRate: string): string => {
       const rateNum = Number(currentRate);
       if (!Number.isFinite(rateNum) || rateNum <= 0) {
         return '0';
       }
-      // min_acceptable_rate = current_rate / (1 + percent/100)
       const minRate = rateNum / (1 + percent / 100);
       return minRate.toFixed(8);
     };
@@ -2122,12 +2068,10 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
       const mode = rawConfig.mode === 'rate' ? 'rate' : 'percent';
       const minRate = rawConfig.min_acceptable_rate ?? rawConfig.minAcceptableRate;
 
-      // For rate mode, min_acceptable_rate is required; percent is derived
       if (mode === 'rate') {
         if (minRate === undefined || minRate === null || minRate === '') {
-          return res.status(400).json({ error: 'min_acceptable_rate is required for rate mode' });
+          return c.json({ error: 'min_acceptable_rate is required for rate mode' }, 400);
         }
-        // Accept any non-negative percent value for rate mode (calculated from rate)
         const percent = normalizePercent(rawConfig.percent);
         const baseCurrency = rawConfig.base_currency ?? rawConfig.baseCurrency ?? 'USD';
         const rateInfo = await getCurrentRate();
@@ -2140,21 +2084,17 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
           updated_at_ms: Date.now(),
         };
       } else {
-        // Percent mode: validate percent
         const percent = normalizePercent(rawConfig.percent);
         if (percent === null) {
-          return res.status(400).json({ error: 'slippage_percent must be a non-negative number' });
+          return c.json({ error: 'slippage_percent must be a non-negative number' }, 400);
         }
         const baseCurrency = rawConfig.base_currency ?? rawConfig.baseCurrency ?? 'USD';
-        // Use min_acceptable_rate from frontend if provided, otherwise calculate it
         const frontendMinRate = rawConfig.min_acceptable_rate ?? rawConfig.minAcceptableRate;
         let minAcceptableRate: string | undefined;
         let rateAtConfigTime: string | undefined;
         if (frontendMinRate) {
-          // Frontend already calculated it - use directly
           minAcceptableRate = String(frontendMinRate);
         } else {
-          // Frontend didn't provide - calculate using same algorithm
           const rateInfo = await getCurrentRate();
           if (rateInfo) {
             minAcceptableRate = calcMinRateFromPercent(percent, rateInfo.rate);
@@ -2173,7 +2113,7 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
     } else if (slippagePercent !== undefined && slippagePercent !== null) {
       const value = normalizePercent(slippagePercent);
       if (value === null) {
-        return res.status(400).json({ error: 'slippage_percent must be a non-negative number' });
+        return c.json({ error: 'slippage_percent must be a non-negative number' }, 400);
       }
       const rateInfo = await getCurrentRate();
       const minAcceptableRate = rateInfo ? calcMinRateFromPercent(value, rateInfo.rate) : undefined;
@@ -2186,7 +2126,7 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
         updated_at_ms: Date.now(),
       };
     } else {
-      return res.status(400).json({ error: 'slippage config is required' });
+      return c.json({ error: 'slippage config is required' }, 400);
     }
 
     await subscription.update({ slippage_config: config });
@@ -2195,7 +2135,6 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
       slippageConfig: config,
     });
 
-    // Check if authorization is sufficient with the new slippage config
     let delegationWarning: {
       sufficient: boolean;
       reason?: string;
@@ -2208,18 +2147,15 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
         include: [{ model: PaymentMethod, as: 'payment_method' }],
       })) as PaymentCurrency & { payment_method: PaymentMethod };
 
-      // Only check delegation for non-Stripe payment methods
       if (paymentCurrency && paymentCurrency.payment_method?.type !== 'stripe') {
         const paymentMethod = paymentCurrency.payment_method;
         const payer = getSubscriptionPaymentAddress(subscription, paymentMethod.type);
 
-        // Get subscription items and expand them
         const subscriptionItems = await SubscriptionItem.findAll({
           where: { subscription_id: subscription.id },
         });
         const lineItems = await Price.expand(subscriptionItems.map((x) => x.toJSON()));
 
-        // Calculate the required amount with the new slippage
         const requiredAmount = await getFastCheckoutAmount({
           items: lineItems,
           mode: 'subscription',
@@ -2227,7 +2163,6 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
           trialing: subscription.status === 'trialing',
         });
 
-        // Check if delegation is sufficient
         const delegation = await isDelegationSufficientForPayment({
           paymentMethod,
           paymentCurrency,
@@ -2251,73 +2186,70 @@ router.put('/:id/slippage', authPortal, async (req, res) => {
         }
       }
     } catch (delegationError: any) {
-      // Don't fail the slippage update if delegation check fails
       logger.warn('Failed to check delegation after slippage update', {
         subscriptionId: subscription.id,
         error: delegationError.message,
       });
     }
 
-    return res.json({
+    return c.json({
       ...subscription.toJSON(),
       ...(delegationWarning ? { delegation_warning: delegationWarning } : {}),
     });
   } catch (err: any) {
     logger.error('Failed to update subscription slippage', {
-      subscriptionId: req.params.id,
+      subscriptionId: c.req.param('id'),
       error: err.message,
     });
-    return res.status(500).json({ error: err.message });
+    return c.json({ error: err.message }, 500);
   }
 });
 
 // Prepare setupIntent for payment change
-router.post('/:id/change-payment', authPortal, async (req, res) => {
+app.post('/:id/change-payment', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: `Subscription ${req.params.id} not found when change payment` });
+      return c.json({ error: `Subscription ${c.req.param('id')} not found when change payment` }, 404);
     }
     if (['active', 'trialing', 'past_due'].includes(subscription.status) === false) {
-      return res.status(400).json({ error: `Subscription ${req.params.id} not active when change payment` });
+      return c.json({ error: `Subscription ${c.req.param('id')} not active when change payment` }, 400);
     }
-    const paymentCurrency = await PaymentCurrency.findByPk(req.body.payment_currency);
+
+    const body = c.get('sanitizedBody') ?? {};
+    const paymentCurrency = await PaymentCurrency.findByPk(body.payment_currency);
     if (!paymentCurrency) {
-      return res
-        .status(400)
-        .json({ error: `Payment currency ${req.body.payment_currency} not found when change payment` });
+      return c.json({ error: `Payment currency ${body.payment_currency} not found when change payment` }, 400);
     }
     const paymentMethod = await PaymentMethod.findByPk(paymentCurrency.payment_method_id);
     if (!paymentMethod) {
-      return res
-        .status(400)
-        .json({ error: `Payment method ${paymentCurrency.payment_method_id} not found when change payment` });
+      return c.json(
+        { error: `Payment method ${paymentCurrency.payment_method_id} not found when change payment` },
+        400
+      );
     }
 
     const customer = await Customer.findByPk(subscription.customer_id);
     if (paymentMethod.type === 'stripe') {
-      await customer?.update({ address: Object.assign({}, customer.address, req.body.billing_address) });
+      await customer?.update({ address: Object.assign({}, customer.address, body.billing_address) });
     }
 
     if (subscription.currency_id === paymentCurrency.id) {
-      return res.status(400).json({ error: 'Payment currency not changed when change payment' });
+      return c.json({ error: 'Payment currency not changed when change payment' }, 400);
     }
 
     const previousPaymentMethod = await PaymentMethod.findByPk(subscription.default_payment_method_id);
     if (previousPaymentMethod?.type === 'stripe') {
       if (!subscription.payment_details?.stripe?.subscription_id) {
-        return res.status(400).json({ error: 'Can not change from stripe without stripe subscription id' });
+        return c.json({ error: 'Can not change from stripe without stripe subscription id' }, 400);
       }
     }
 
-    // ensure setupIntent
     const context = subscription.metadata.changePayment || {};
     let setupIntent: SetupIntent | null = null;
     if (context.setup_intent_id) {
-      // should be cleared after success
       setupIntent = await SetupIntent.findByPk(context.setup_intent_id);
     }
-    // Reuse existing setupIntent if not succeeded
     if (setupIntent && setupIntent.status !== 'succeeded') {
       await setupIntent.update({
         status: 'requires_capture',
@@ -2352,7 +2284,6 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
         },
       });
 
-      // persist setup intent id
       await subscription.update({
         metadata: { ...subscription.metadata, changePayment: { setup_intent_id: setupIntent.id } },
       });
@@ -2363,7 +2294,6 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
       });
     }
 
-    // if we can complete purchase without any wallet interaction
     const subscriptionItems = await SubscriptionItem.findAll({ where: { subscription_id: subscription.id } });
     const lineItems = await Price.expand(
       subscriptionItems.map((x) => ({ id: x.id, price_id: x.price_id, quantity: x.quantity }))
@@ -2393,7 +2323,7 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
             publishable_key: settings.stripe?.publishable_key,
             status: exist.status,
           };
-          return res.json({
+          return c.json({
             setupIntent,
             stripeContext,
             subscription,
@@ -2434,7 +2364,6 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
       } else {
         const settings = PaymentMethod.decryptSettings(paymentMethod.settings);
 
-        // changing from crypto to stripe: create/resume stripe subscription, pause crypto subscription
         const stripeSubscription = await ensureStripeSubscription(
           subscription,
           paymentMethod,
@@ -2477,10 +2406,8 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
         });
       }
     } else {
-      // changing from crypto to crypto: just update the subscription
       const payer = getSubscriptionPaymentAddress(subscription, paymentMethod.type);
 
-      // Calculate required amount considering slippage_config for dynamic pricing
       const slippageConfig = subscription?.slippage_config;
       let requiredAmount: string;
       if (slippageConfig?.min_acceptable_rate) {
@@ -2535,8 +2462,6 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
         });
       }
 
-      // NOTE: this should only happen when local subscription is updated
-      // changing from stripe to crypto: pause stripe subscription
       if (previousPaymentMethod!.type === 'stripe' && setupIntent.status === 'succeeded') {
         const client = await previousPaymentMethod?.getStripeClient();
         const stripeSubscriptionId = subscription.payment_details?.stripe?.subscription_id as string;
@@ -2553,25 +2478,25 @@ router.post('/:id/change-payment', authPortal, async (req, res) => {
       }
     }
 
-    return res.json({
+    return c.json({
       setupIntent,
       stripeContext,
       subscription,
       customer,
       delegation,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(500).json({ code: err.code, error: err.message });
+    return c.json({ code: err.code, error: err.message }, 500);
   }
 });
+
 // FIXME: this should be removed in future
 // Clean up subscriptions that have invalid invoices and payments
-router.delete('/cleanup', auth, async (req, res) => {
-  const status = String(req.query.status || 'uncollectible');
+app.delete('/cleanup', auth, async (c) => {
+  const status = String(c.req.query('status') || 'uncollectible');
   if (['open', 'uncollectible'].includes(status) === false) {
-    res.json({ error: 'status must be either open or uncollectible' });
-    return;
+    return c.json({ error: 'status must be either open or uncollectible' });
   }
 
   const subscriptions = await Subscription.findAll();
@@ -2609,19 +2534,19 @@ router.delete('/cleanup', auth, async (req, res) => {
     })
   );
 
-  res.json(canceled);
+  return c.json(canceled);
 });
 
 // Delete subscription and all related data
-router.delete('/:id', auth, async (req, res) => {
-  if (process.env.BLOCKLET_MODE === 'production') {
-    return res.status(404).json({ error: 'Subscription delete not allowed in production' });
+app.delete('/:id', auth, async (c) => {
+  if (isProduction()) {
+    return c.json({ error: 'Subscription delete not allowed in production' }, 404);
   }
 
-  const doc = await Subscription.findByPk(req.params.id);
+  const doc = await Subscription.findByPk(c.req.param('id'));
 
   if (!doc) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
 
   await InvoiceItem.destroy({ where: { subscription_id: doc.id } });
@@ -2631,29 +2556,68 @@ router.delete('/:id', auth, async (req, res) => {
   await SubscriptionItem.destroy({ where: { subscription_id: doc.id } });
   await doc.destroy();
   logger.info('Subscription deleted successfully', {
-    subscriptionId: req.params.id,
+    subscriptionId: c.req.param('id'),
     deletedRelatedRecords: {
       invoiceItems: await InvoiceItem.count({ where: { subscription_id: doc.id } }),
       invoices: await Invoice.count({ where: { subscription_id: doc.id } }),
       usageRecords: await UsageRecord.count({ where: { subscription_item_id: items.map((x) => x.id) } }),
       subscriptionItems: items.length,
     },
-    requestedBy: req.user?.did,
+    requestedBy: c.get('user')?.did,
   });
-  return res.json(doc);
+  return c.json(doc);
 });
 
-// Get usage records
-router.get('/:id/usage-records', authPortal, (req, res) => {
-  createUsageRecordQueryFn(req.doc)(req, res);
+// Get usage records — inline since usage-records.ts is not yet a hono module
+const UsageRecordScheme = Joi.object({
+  subscription_item_id: Joi.string().required(),
+  start: Joi.number().optional(),
+  end: Joi.number().optional(),
+  livemode: Joi.boolean().empty('').optional(),
+  q: Joi.string().empty('').optional(),
+  o: Joi.string().empty('').optional(),
+}).unknown(true);
+
+app.get('/:id/usage-records', authPortal, async (c) => {
+  const doc = c.get('doc') as Subscription | undefined;
+  const { error, value: query } = UsageRecordScheme.validate(c.req.query(), { stripUnknown: true });
+  if (error) {
+    return c.json({ error: `usage record request query invalid: ${error.message}` }, 400);
+  }
+  try {
+    const item = await SubscriptionItem.findByPk(query.subscription_item_id);
+    if (!item) {
+      return c.json({ error: `SubscriptionItem not found: ${query.subscription_item_id}` }, 400);
+    }
+    const subscription = doc || (await Subscription.findByPk(item.subscription_id));
+    if (!subscription) {
+      return c.json({ error: `Subscription not found: ${item.subscription_id}` }, 400);
+    }
+
+    const { rows: list, count } = await UsageRecord.findAndCountAll({
+      where: {
+        subscription_item_id: query.subscription_item_id,
+        timestamp: {
+          [Op.gt]: query.start || subscription.current_period_start,
+          [Op.lte]: query.end || subscription.current_period_end,
+        },
+      },
+      order: [['created_at', 'ASC']],
+    });
+
+    return c.json({ count, list });
+  } catch (err) {
+    logger.error(err);
+    return c.json({ count: 0, list: [] });
+  }
 });
 
 // Get invoice summary
-router.get('/:id/summary', authPortal, async (req, res) => {
+app.get('/:id/summary', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
     const [summary] = await Invoice.getUncollectibleAmount({
@@ -2661,96 +2625,95 @@ router.get('/:id/summary', authPortal, async (req, res) => {
       currencyId: subscription.currency_id,
       customerId: subscription.customer_id,
     });
-    return res.json(summary);
-  } catch (err) {
+    return c.json(summary);
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // Get upcoming invoice amount
-router.get('/:id/upcoming', authPortal, async (req, res) => {
+app.get('/:id/upcoming', authPortal, async (c) => {
   try {
-    const result = await getUpcomingInvoiceAmount(req.params.id as string);
-    return res.json(result);
-  } catch (err) {
+    const result = await getUpcomingInvoiceAmount(c.req.param('id') as string);
+    return c.json(result);
+  } catch (err: any) {
     logger.error(err);
-    return res.json({ error: err.message });
+    return c.json({ error: err.message });
   }
 });
 
-router.get('/:id/cycle-amount', authPortal, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/cycle-amount', authPortal, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   const currency = await PaymentCurrency.findByPk(subscription.currency_id);
   if (!currency) {
-    return res.status(404).json({ error: 'Currency not found' });
+    return c.json({ error: 'Currency not found' }, 404);
   }
   try {
-    // get upcoming invoice
     const result = await getUpcomingInvoiceAmount(subscription.id);
-    // get past invoices
     const pastMaxAmount = await getPastInvoicesAmount(subscription.id, 'max');
 
-    // return max amount
     const nextAmount = new BN(result.amount === '0' ? result.minExpectedAmount : result.amount).toString();
 
     const maxAmount = new BN(pastMaxAmount.amount).lte(new BN(nextAmount)) ? nextAmount : pastMaxAmount.amount;
 
-    if (req.query?.overdraftProtection) {
+    if (c.req.query('overdraftProtection')) {
       const { price } = await ensureOverdraftProtectionPrice(subscription.livemode);
       const invoicePrice = (price?.currency_options || []).find(
         (x: any) => x.currency_id === subscription?.currency_id
       );
       const gas = invoicePrice?.unit_amount;
-      return res.json({
+      return c.json({
         amount: new BN(maxAmount).add(new BN(gas)).toString(),
         gas,
         currency,
       });
     }
-    return res.json({
+    return c.json({
       amount: maxAmount,
       currency,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // slash stake
-router.put('/:id/slash-stake', auth, async (req, res) => {
-  const { error: slashReasonError } = SlashStakeSchema.validate(req.body?.slashReason);
+app.put('/:id/slash-stake', auth, async (c) => {
+  const body = c.get('sanitizedBody') ?? {};
+  const { error: slashReasonError } = SlashStakeSchema.validate(body?.slashReason);
   if (slashReasonError) {
-    return res.status(400).json({ error: `slash reason invalid: ${slashReasonError.message}` });
+    return c.json({ error: `slash reason invalid: ${slashReasonError.message}` }, 400);
   }
-  const subscription = await Subscription.findByPk(req.params.id);
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
 
   if (subscription.status !== 'canceled') {
-    return res.status(400).json({ error: `Subscription for ${subscription.id} not canceled` });
+    return c.json({ error: `Subscription for ${subscription.id} not canceled` }, 400);
   }
 
   const paymentMethod = await PaymentMethod.findByPk(subscription.default_payment_method_id);
   if (paymentMethod?.type !== 'arcblock') {
-    return res
-      .status(400)
-      .json({ error: `Stake slash not supported for subscription with payment method ${paymentMethod?.type}` });
+    return c.json(
+      { error: `Stake slash not supported for subscription with payment method ${paymentMethod?.type}` },
+      400
+    );
   }
   const address = subscription?.payment_details?.arcblock?.staking?.address ?? undefined;
   if (!address) {
-    return res.status(400).json({ error: 'Staking not found on subscription payment detail' });
+    return c.json({ error: 'Staking not found on subscription payment detail' }, 400);
   }
   try {
     logger.warn('Stake slash initiated', {
       subscriptionId: subscription.id,
-      slashReason: req.body.slashReason,
-      requestedBy: req.user?.did,
+      slashReason: body.slashReason,
+      requestedBy: c.get('user')?.did,
     });
 
     await subscription.update({
@@ -2758,7 +2721,7 @@ router.put('/:id/slash-stake', auth, async (req, res) => {
       cancelation_details: {
         ...subscription.cancelation_details,
         slash_stake: true,
-        slash_reason: req.body.slashReason,
+        slash_reason: body.slashReason,
       },
     });
     const result = await slashStakeQueue.pushAndWait({
@@ -2768,41 +2731,41 @@ router.put('/:id/slash-stake', auth, async (req, res) => {
     logger.info('Stake slash scheduled successfully', {
       subscriptionId: subscription.id,
       result,
-      slashReason: req.body.slashReason,
-      requestedBy: req.user?.did,
+      slashReason: body.slashReason,
+      requestedBy: c.get('user')?.did,
       stakingAddress: address,
     });
-    return res.json(result);
-  } catch (err) {
+    return c.json(result);
+  } catch (err: any) {
     logger.error('subscription slash stake failed', { subscription: subscription.id, error: err });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 // get payer token
-router.get('/:id/payer-token', authMine, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/payer-token', authMine, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(400).json({ error: `Subscription(${req.params.id}) not found` });
+    return c.json({ error: `Subscription(${c.req.param('id')}) not found` }, 400);
   }
   const paymentMethod = await PaymentMethod.findByPk(subscription.default_payment_method_id);
   if (!paymentMethod) {
-    return res.status(400).json({ error: `Payment method(${subscription.default_payment_method_id}) not found` });
+    return c.json({ error: `Payment method(${subscription.default_payment_method_id}) not found` }, 400);
   }
 
   const paymentCurrency = await PaymentCurrency.findByPk(subscription.currency_id);
   if (!paymentCurrency) {
-    return res.status(400).json({ error: `Payment currency(${subscription.currency_id}) not found` });
+    return c.json({ error: `Payment currency(${subscription.currency_id}) not found` }, 400);
   }
 
   // @ts-ignore
   const paymentAddress = getSubscriptionPaymentAddress(subscription, paymentMethod.type);
   if (!paymentAddress && CHARGE_SUPPORTED_CHAIN_TYPES.includes(paymentMethod.type)) {
-    return res.status(400).json({ error: `Payer not found on subscription payment detail: ${subscription.id}` });
+    return c.json({ error: `Payer not found on subscription payment detail: ${subscription.id}` }, 400);
   }
 
   const token = await getTokenByAddress(paymentAddress, paymentMethod, paymentCurrency);
-  return res.json({ token, paymentAddress });
+  return c.json({ token, paymentAddress });
 });
 
 const rechargeSchema = createListParamSchema<{
@@ -2814,12 +2777,13 @@ const rechargeSchema = createListParamSchema<{
   customer_did: Joi.string().empty(''),
   currency_id: Joi.string().empty(''),
 });
-router.get('/:id/recharge', authMine, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+
+app.get('/:id/recharge', authMine, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: `Subscription(${req.params.id}) not found` });
+    return c.json({ error: `Subscription(${c.req.param('id')}) not found` }, 404);
   }
-  const { page, pageSize, ...query } = await rechargeSchema.validateAsync(req.query, {
+  const { page, pageSize, ...query } = await rechargeSchema.validateAsync(c.req.query(), {
     stripUnknown: false,
     allowUnknown: true,
   });
@@ -2835,31 +2799,32 @@ router.get('/:id/recharge', authMine, async (req, res) => {
       },
       offset: (page - 1) * pageSize,
       limit: pageSize,
-      order: getOrder(req.query, [['created_at', 'DESC']]),
+      order: getOrder(c.req.query(), [['created_at', 'DESC']]),
       include: [
         { model: PaymentCurrency, as: 'paymentCurrency' },
         { model: PaymentMethod, as: 'paymentMethod' },
       ],
     });
 
-    return res.json({ count, list: invoices, subscription, paging: { page, pageSize } });
-  } catch (err) {
+    return c.json({ count, list: invoices, subscription, paging: { page, pageSize } });
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/:id/overdue/invoices', authPortal, async (req, res) => {
+app.get('/:id/overdue/invoices', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id, {
+    const subscription = await Subscription.findByPk(c.req.param('id'), {
       include: [{ model: Customer, as: 'customer' }],
     });
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
+    const user = c.get('user');
     // @ts-ignore
-    if (subscription.customer?.did !== req.user?.did && !['admin', 'owner'].includes(req.user?.role)) {
-      return res.status(403).json({ error: 'You are not allowed to access this subscription' });
+    if (subscription.customer?.did !== user?.did && !['admin', 'owner'].includes(user?.role)) {
+      return c.json({ error: 'You are not allowed to access this subscription' }, 403);
     }
     const { rows: invoices, count } = await Invoice.findAndCountAll({
       where: {
@@ -2873,7 +2838,7 @@ router.get('/:id/overdue/invoices', authPortal, async (req, res) => {
       ],
     });
     if (count === 0) {
-      return res.json({ subscription, invoices: [], summary: null });
+      return c.json({ subscription, invoices: [], summary: null });
     }
     const summary: Record<string, { amount: string; currency: PaymentCurrency; method: PaymentMethod }> = {};
     invoices.forEach((invoice) => {
@@ -2894,27 +2859,27 @@ router.get('/:id/overdue/invoices', authPortal, async (req, res) => {
           .toString();
       }
     });
-    return res.json({
+    return c.json({
       subscription,
       summary,
       invoices,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/:id/delegation', authPortal, async (req, res) => {
+app.get('/:id/delegation', authPortal, async (c) => {
   try {
-    const subscription = (await Subscription.findByPk(req.params.id, {
+    const subscription = (await Subscription.findByPk(c.req.param('id'), {
       include: [
         { model: PaymentCurrency, as: 'paymentCurrency' },
         { model: PaymentMethod, as: 'paymentMethod' },
       ],
     })) as (Subscription & { paymentMethod: PaymentMethod; paymentCurrency: PaymentCurrency }) | null;
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
     const payer = getSubscriptionPaymentAddress(subscription, subscription.paymentMethod?.type);
     const delegator = await isDelegationSufficientForPayment({
@@ -2935,28 +2900,28 @@ router.get('/:id/delegation', authPortal, async (req, res) => {
         'NO_ENOUGH_TOKEN',
       ].includes(delegator?.reason || '')
     ) {
-      return res.json(delegator);
+      return c.json(delegator);
     }
-    return res.json(null);
+    return c.json(null);
   } catch (err) {
     logger.error(err);
-    return res.json(null);
+    return c.json(null);
   }
 });
 
-router.get('/:id/overdraft-protection', authPortal, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/overdraft-protection', authPortal, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   try {
     const { enabled, remaining, unused, used, shouldPay } =
       await isSubscriptionOverdraftProtectionEnabled(subscription);
-    const upcoming = await getUpcomingInvoiceAmount(req.params.id as string);
+    const upcoming = await getUpcomingInvoiceAmount(c.req.param('id') as string);
     const { price } = await ensureOverdraftProtectionPrice(subscription.livemode);
     const invoicePrice = (price?.currency_options || []).find((x: any) => x.currency_id === subscription?.currency_id);
     const gas = invoicePrice?.unit_amount;
-    return res.json({
+    return c.json({
       enabled,
       remaining,
       unused,
@@ -2965,9 +2930,9 @@ router.get('/:id/overdraft-protection', authPortal, async (req, res) => {
       gas,
       shouldPay,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
@@ -2976,36 +2941,37 @@ const overdraftProtectionSchema = Joi.object({
   enabled: Joi.boolean().required(),
   return_stake: Joi.boolean().empty(false).optional(),
 }).unknown(true);
+
 // 订阅保护
-router.post('/:id/overdraft-protection', authPortal, async (req, res) => {
+app.post('/:id/overdraft-protection', authPortal, async (c) => {
   try {
+    const body = c.get('sanitizedBody') ?? {};
     const {
       error: overdraftProtectionError,
       value: { amount, return_stake: returnStake, enabled },
-    } = overdraftProtectionSchema.validate(req.body);
+    } = overdraftProtectionSchema.validate(body);
     if (overdraftProtectionError) {
-      return res.status(400).json({ error: `Overdraft protection invalid: ${overdraftProtectionError.message}` });
+      return c.json({ error: `Overdraft protection invalid: ${overdraftProtectionError.message}` }, 400);
     }
 
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
     const previousOverdraftProtection = {
       enabled: subscription.overdraft_protection?.enabled || false,
       payment_method_id: subscription.overdraft_protection?.payment_method_id || null,
       payment_details: subscription.overdraft_protection?.payment_details || null,
     };
-    const customer = await Customer.findByPkOrDid(req.user?.did as string);
+    const customer = await Customer.findByPkOrDid(c.get('user')?.did as string);
     if (!customer) {
-      return res.status(404).json({ error: 'Customer not found' });
+      return c.json({ error: 'Customer not found' }, 404);
     }
     const { remaining, used, unused } = await isSubscriptionOverdraftProtectionEnabled(subscription);
     if (unused === '0' && !amount && enabled) {
-      return res.status(400).json({ error: 'Please add stake to enable SubGuard™' });
+      return c.json({ error: 'Please add stake to enable SubGuard™' }, 400);
     }
     if (returnStake && remaining !== '0' && !enabled) {
-      // disable overdraft protection
       await subscription.update({
         // @ts-ignore
         overdraft_protection: {
@@ -3019,22 +2985,21 @@ router.post('/:id/overdraft-protection', authPortal, async (req, res) => {
       });
       logger.info('Return overdraft protection stake scheduled', {
         subscriptionId: subscription.id,
-        requestedBy: req.user?.did,
+        requestedBy: c.get('user')?.did,
       });
-      return res.json({
+      return c.json({
         open: false,
         overdraft_protection: subscription.overdraft_protection,
       });
     }
     if (remaining !== '0' && used !== '0' && !enabled) {
-      // slash stake
       slashOverdraftProtectionQueue.push({
         id: `slash-overdraft-protection-${subscription.id}`,
         job: { subscriptionId: subscription.id },
       });
       logger.info('Slash overdraft protection stake scheduled', {
         subscriptionId: subscription.id,
-        requestedBy: req.user?.did,
+        requestedBy: c.get('user')?.did,
       });
     }
     await subscription.update({
@@ -3045,47 +3010,46 @@ router.post('/:id/overdraft-protection', authPortal, async (req, res) => {
       },
     });
     if (enabled && Number(amount) > 0) {
-      return res.json({
+      return c.json({
         open: true,
         amount,
         overdraft_protection: subscription.overdraft_protection,
       });
     }
     if (enabled) {
-      // release the exhausted lock, so that the notification can be sent again if overdraft protection exhausted
       await Lock.release(`${subscription.id}-${subscription.currency_id}-overdraft-protection-exhausted`);
     }
-    return res.json({
+    return c.json({
       open: false,
       overdraft_protection: subscription.overdraft_protection,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error(err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-router.get('/:id/unpaid-invoices', authPortal, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/unpaid-invoices', authPortal, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   const count = await getSubscriptionUnpaidInvoicesCount(subscription);
-  return res.json({ count });
+  return c.json({ count });
 });
 
-router.get('/:id/change-payment/migrate-invoice', auth, async (req, res) => {
-  const subscription = await Subscription.findByPk(req.params.id);
+app.get('/:id/change-payment/migrate-invoice', auth, async (c) => {
+  const subscription = await Subscription.findByPk(c.req.param('id'));
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
   const context = subscription.metadata.changePayment || {};
   if (!context.setup_intent_id) {
-    return res.status(404).json({ error: 'Subscription change payment context not found' });
+    return c.json({ error: 'Subscription change payment context not found' }, 404);
   }
   const setupIntent = await SetupIntent.findByPk(context.setup_intent_id);
   if (!setupIntent) {
-    return res.status(404).json({ error: 'Setup intent not found' });
+    return c.json({ error: 'Setup intent not found' }, 404);
   }
   try {
     const migrationResult = await migrateSubscriptionPaymentMethodInvoice(
@@ -3093,37 +3057,37 @@ router.get('/:id/change-payment/migrate-invoice', auth, async (req, res) => {
       setupIntent.metadata?.from_currency,
       setupIntent.metadata?.to_currency
     );
-    return res.json(migrationResult);
-  } catch (error) {
+    return c.json(migrationResult);
+  } catch (error: any) {
     logger.error(error);
-    return res.status(400).json({ error: error.message });
+    return c.json({ error: error.message }, 400);
   }
 });
 
-router.post('/:id/update-stripe-payment-method', authPortal, async (req, res) => {
+app.post('/:id/update-stripe-payment-method', authPortal, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
     if (!['active', 'trialing', 'past_due'].includes(subscription.status)) {
-      return res.status(400).json({ error: 'Subscription is not active' });
+      return c.json({ error: 'Subscription is not active' }, 400);
     }
 
     const paymentMethod = await PaymentMethod.findByPk(subscription.default_payment_method_id);
     if (!paymentMethod || paymentMethod.type !== 'stripe') {
-      return res.status(400).json({ error: 'Subscription is not using Stripe payment method' });
+      return c.json({ error: 'Subscription is not using Stripe payment method' }, 400);
     }
 
     const stripeSubscriptionId = subscription.payment_details?.stripe?.subscription_id;
     if (!stripeSubscriptionId) {
-      return res.status(400).json({ error: 'Stripe subscription not found' });
+      return c.json({ error: 'Stripe subscription not found' }, 400);
     }
 
     const customer = await Customer.findByPk(subscription.customer_id);
     if (!customer) {
-      return res.status(404).json({ error: 'Customer not found' });
+      return c.json({ error: 'Customer not found' }, 404);
     }
 
     await ensureStripeCustomer(customer, paymentMethod);
@@ -3146,63 +3110,51 @@ router.post('/:id/update-stripe-payment-method', authPortal, async (req, res) =>
       setupIntent: setupIntent.id,
     });
 
-    return res.json({
+    return c.json({
       client_secret: setupIntent.client_secret,
       publishable_key: settings.stripe?.publishable_key,
       setup_intent_id: setupIntent.id,
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error('Failed to create setup intent for updating payment method', {
       error: err,
-      subscriptionId: req.params.id,
+      subscriptionId: c.req.param('id'),
     });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
 /**
  * Fix subscription after payment method migration from Stripe to non-Stripe
- * This API is used to fix legacy subscriptions that were migrated but the migration
- * was incomplete (missing payment_settings/payment_details updates)
- *
- * This API will:
- * 1. Pause the Stripe subscription (if not already paused)
- * 2. Update payment_settings to use arcblock
- * 3. Update payment_details to add arcblock info
- * 4. Recalculate cancel_at if needed
  */
-router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
+app.put('/:id/fix-stripe-migration', auth, async (c) => {
   try {
-    const subscription = await Subscription.findByPk(req.params.id);
+    const subscription = await Subscription.findByPk(c.req.param('id'));
     if (!subscription) {
-      return res.status(404).json({ error: 'Subscription not found' });
+      return c.json({ error: 'Subscription not found' }, 404);
     }
 
     const stripeSubscriptionId = subscription.payment_details?.stripe?.subscription_id;
     if (!stripeSubscriptionId) {
-      return res.status(400).json({ error: 'Subscription does not have Stripe subscription_id' });
+      return c.json({ error: 'Subscription does not have Stripe subscription_id' }, 400);
     }
 
-    // Get customer for payer DID
     const customer = await Customer.findByPk(subscription.customer_id);
     if (!customer) {
-      return res.status(404).json({ error: 'Customer not found' });
+      return c.json({ error: 'Customer not found' }, 404);
     }
 
-    // Find arcblock payment method
     const arcblockMethod = await PaymentMethod.findOne({
       where: { type: 'arcblock', livemode: subscription.livemode },
     });
     if (!arcblockMethod) {
-      return res.status(400).json({ error: 'ArcBlock payment method not found' });
+      return c.json({ error: 'ArcBlock payment method not found' }, 400);
     }
 
-    // Find Stripe payment method to pause subscription
     const stripeMethod = await PaymentMethod.findOne({
       where: { type: 'stripe', livemode: subscription.livemode },
     });
 
-    // 1. Pause Stripe subscription if not already paused
     let stripePaused = false;
     if (stripeMethod) {
       try {
@@ -3232,9 +3184,9 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
       }
     }
 
+    const body = c.get('sanitizedBody') ?? {};
     const updates: Partial<TSubscription> = {};
 
-    // 2. Update payment_settings to use arcblock (matching change-payment behavior)
     updates.payment_settings = {
       payment_method_types: ['arcblock'],
       payment_method_options: {
@@ -3242,7 +3194,6 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
       },
     };
 
-    // 3. Update payment_details.arcblock.payer if not already present
     if (!subscription.payment_details?.arcblock?.payer) {
       const existingArcblock = subscription.payment_details?.arcblock;
       updates.payment_details = {
@@ -3256,15 +3207,13 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
       };
     }
 
-    // 4. Update default_payment_method_id to arcblock
     updates.default_payment_method_id = arcblockMethod.id;
 
-    // 5. Recalculate cancel_at if subscription has cancelation_details but no cancel_at
-    if (req.body.recalculate_cancel_at !== false) {
+    if (body.recalculate_cancel_at !== false) {
       if (subscription.cancelation_details && !subscription.cancel_at) {
         const daysUntilCancel = subscription.days_until_cancel || 0;
         if (daysUntilCancel > 0) {
-          const dueUnit = 24 * 60 * 60; // 1 day in seconds
+          const dueUnit = 24 * 60 * 60;
           updates.cancel_at = subscription.current_period_start + daysUntilCancel * dueUnit;
         } else {
           updates.cancel_at_period_end = true;
@@ -3273,9 +3222,8 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
       }
     }
 
-    // Allow manual override of cancel_at
-    if (typeof req.body.cancel_at === 'number') {
-      updates.cancel_at = req.body.cancel_at;
+    if (typeof body.cancel_at === 'number') {
+      updates.cancel_at = body.cancel_at;
     }
 
     await subscription.update(updates);
@@ -3291,10 +3239,9 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
       stripeSubscriptionId,
     });
 
-    // Reload subscription to return updated data
     await subscription.reload();
 
-    return res.json({
+    return c.json({
       success: true,
       stripePaused,
       subscription: pick(subscription, [
@@ -3312,13 +3259,13 @@ router.put('/:id/fix-stripe-migration', auth, async (req, res) => {
         'current_period_end',
       ]),
     });
-  } catch (err) {
+  } catch (err: any) {
     logger.error('Failed to fix subscription stripe migration', {
       error: err,
-      subscriptionId: req.params.id,
+      subscriptionId: c.req.param('id'),
     });
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: err.message }, 400);
   }
 });
 
-export default router;
+export default app;