tenseleyflow/shithub / 0f243b6

+	"github.com/tenseleyFlow/shithub/internal/billing"

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+// profilePinLimit is the org-side cap; PRO01 keeps orgs at gh's

+// visible 6. User-side caps are resolved per-principal via

+// entitlements (Free=6, Pro=100).

+	repoIDs, err := selectedProfilePinIDs(r.PostForm["repo_id"], candidates, profilePinLimit)

+	maxPins, beyondFreeAllowed := h.userProfilePinCap(ctx, user.ID)

+	repoIDs, err := selectedProfilePinIDs(r.PostForm["repo_id"], candidates, maxPins)

+	if errors.Is(err, errTooManyPins) {

+		h.handleUserPinOverflow(w, r, user.ID, beyondFreeAllowed)

+		return

+	}

+// userProfilePinCap resolves the entitled pin cap for a user. Returns

+// (cap, beyondFreeAllowed). Falls back to the Free cap if entitlement

+// resolution errors so a degraded billing path can't silently raise

+// the limit. beyondFreeAllowed mirrors CanUse(FeatureProfilePinsBeyondFree)

+// — the caller uses it to flavor the upgrade-banner copy and tells

+// the report-only logger whether the deny would have triggered.

+func (h *Handlers) userProfilePinCap(ctx context.Context, userID int64) (int64, bool) {

+	set, err := entitlements.ForPrincipal(ctx, entitlements.Deps{Pool: h.d.Pool}, billing.PrincipalForUser(userID))

+	if err != nil {

+		h.d.Logger.WarnContext(ctx, "profile pins: load entitlements", "user_id", userID, "error", err)

+		return entitlements.FreeProfilePinsCap, false

+	}

+	decision := set.CanUse(entitlements.FeatureProfilePinsBeyondFree)

+	if decision.Allowed {

+		return entitlements.ProProfilePinsCap, true

+	}

+	return entitlements.FreeProfilePinsCap, false

+}

+

+// handleUserPinOverflow renders the over-cap response for a personal

+// profile pin submission. When the operator hasn't flipped the enforce

+// flag (PRO05 report-only default), logs the would-deny and falls back

+// to the pre-PRO07 400 response. With enforce on, returns 402 + an

+// upgrade banner pointing at /settings/billing.

+func (h *Handlers) handleUserPinOverflow(w http.ResponseWriter, r *http.Request, userID int64, beyondFreeAllowed bool) {

+	// Pro users that hit this branch are over the Pro cap (100) — that's

+	// a DB-sanity 400 regardless of enforcement.

+	if beyondFreeAllowed {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")

+		return

+	}

+	if !h.d.BillingEnforce.UserProfilePinsBeyondFree {

+		h.d.Logger.InfoContext(r.Context(), "entitlements.report_only_deny",

+			"principal", billing.PrincipalForUser(userID).String(),

+			"principal_kind", string(billing.SubjectKindUser),

+			"principal_id", userID,

+			"feature", string(entitlements.FeatureProfilePinsBeyondFree),

+			"reason", string(entitlements.ReasonUpgradeRequired),

+			"required_plan", "pro")

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")

+		return

+	}

+	decision := entitlements.Decision{

+		Feature:      entitlements.FeatureProfilePinsBeyondFree,

+		RequiredPlan: billing.Plan("pro"),

+		Reason:       entitlements.ReasonUpgradeRequired,

+	}

+	banner := decision.PrincipalUpgradeBanner("Pinned repositories", billing.PrincipalForUser(userID), "")

+	http.Error(w, banner.Message, banner.StatusCode)

+}

+

+func selectedProfilePinIDs(values []string, candidates []profilePinCandidate, maxPins int64) ([]int64, error) {

+	if int64(len(out)) > maxPins {

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package profile_test

+

+import (

+	"context"

+	"io"

+	"net/http"

+	"strconv"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	billingdb "github.com/tenseleyFlow/shithub/internal/billing/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+)

+

+// PRO07 — profile pin cap enforcement.

+//

+// The cap is resolved per-principal via entitlements (Free=6, Pro=100).

+// Operators flip BillingEnforce.UserProfilePinsBeyondFree to make a

+// Free user's 7th-pin attempt return 402 with an upgrade banner;

+// otherwise the gate is report-only (logs the deny + returns the

+// pre-PRO07 400 BadRequest).

+

+func TestProfilePins_FreeUserBlockedAtCapWithEnforce(t *testing.T) {

+	t.Parallel()

+	env := setupProfileEnvWithBillingEnforce(t, config.EnforceConfig{

+		UserProfilePinsBeyondFree: true,

+	})

+	alice := env.insertUser(t, "freealice", "Alice", "")

+	repos := makeUserPinCandidates(t, env, alice.ID, 7)

+

+	resp := env.postPins(t, "/freealice/pins", alice, repos...)

+	if resp.StatusCode != http.StatusPaymentRequired {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("Free user 7th pin: status=%d, want 402; body=%s", resp.StatusCode, body)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Pinned repositories") {

+		t.Errorf("upgrade banner missing feature label: %s", body)

+	}

+}

+

+func TestProfilePins_FreeUserReportOnlyWithoutEnforce(t *testing.T) {

+	t.Parallel()

+	env := setupProfileEnvWithBillingEnforce(t, config.EnforceConfig{

+		UserProfilePinsBeyondFree: false,

+	})

+	alice := env.insertUser(t, "softalice", "Alice", "")

+	repos := makeUserPinCandidates(t, env, alice.ID, 7)

+

+	resp := env.postPins(t, "/softalice/pins", alice, repos...)

+	// Report-only: the over-cap submission falls through to the same

+	// 400 the user got pre-PRO07. The would-deny lands in the logger.

+	if resp.StatusCode != http.StatusBadRequest {

+		t.Fatalf("report-only over-cap status=%d, want 400", resp.StatusCode)

+	}

+}

+

+func TestProfilePins_FreeUserUnderCapSavesWithEnforce(t *testing.T) {

+	t.Parallel()

+	env := setupProfileEnvWithBillingEnforce(t, config.EnforceConfig{

+		UserProfilePinsBeyondFree: true,

+	})

+	alice := env.insertUser(t, "fitalice", "Alice", "")

+	repos := makeUserPinCandidates(t, env, alice.ID, int(entitlements.FreeProfilePinsCap))

+

+	resp := env.postPins(t, "/fitalice/pins", alice, repos...)

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("Free user at-cap save: status=%d body=%s", resp.StatusCode, body)

+	}

+}

+

+func TestProfilePins_ProUserCanExceedFreeCap(t *testing.T) {

+	t.Parallel()

+	env := setupProfileEnvWithBillingEnforce(t, config.EnforceConfig{

+		UserProfilePinsBeyondFree: true,

+	})

+	alice := env.insertUser(t, "proalice", "Alice", "")

+	upgradeUserToProForTest(t, env, alice.ID)

+	repos := makeUserPinCandidates(t, env, alice.ID, int(entitlements.FreeProfilePinsCap)+3)

+

+	resp := env.postPins(t, "/proalice/pins", alice, repos...)

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("Pro user over-Free-cap save: status=%d body=%s", resp.StatusCode, body)

+	}

+}

+

+func TestProfilePins_ProUserBlockedAboveProCap(t *testing.T) {

+	t.Parallel()

+	env := setupProfileEnvWithBillingEnforce(t, config.EnforceConfig{

+		UserProfilePinsBeyondFree: true,

+	})

+	alice := env.insertUser(t, "manyalice", "Alice", "")

+	upgradeUserToProForTest(t, env, alice.ID)

+	repos := makeUserPinCandidates(t, env, alice.ID, int(entitlements.ProProfilePinsCap)+1)

+

+	resp := env.postPins(t, "/manyalice/pins", alice, repos...)

+	// Pro user over the Pro cap is a DB-sanity 400, NOT a 402 — the

+	// upgrade banner doesn't help here.

+	if resp.StatusCode != http.StatusBadRequest {

+		t.Fatalf("Pro user >100 pins: status=%d, want 400", resp.StatusCode)

+	}

+}

+

+// makeUserPinCandidates inserts `count` public user-owned repos and

+// returns their IDs. Names are r0, r1, ... so the test can keep them

+// distinct without colliding with any other fixture.

+func makeUserPinCandidates(t *testing.T, env *profileEnv, userID int64, count int) []int64 {

+	t.Helper()

+	out := make([]int64, 0, count)

+	for i := 0; i < count; i++ {

+		id := env.insertUserRepo(t, userID, "r"+strconv.Itoa(i), "pin", "public", "Go", 0, 0)

+		out = append(out, id)

+	}

+	return out

+}

+

+func upgradeUserToProForTest(t *testing.T, env *profileEnv, userID int64) {

+	t.Helper()

+	now := time.Now().UTC()

+	suffix := strconv.FormatInt(userID, 10)

+	_, err := billingdb.New().ApplyUserSubscriptionSnapshot(context.Background(), env.pool, billingdb.ApplyUserSubscriptionSnapshotParams{

+		UserID:               userID,

+		Plan:                 billingdb.UserPlanPro,

+		SubscriptionStatus:   billingdb.BillingSubscriptionStatusActive,

+		StripeSubscriptionID: pgtype.Text{String: "sub_pin_pro_" + suffix, Valid: true},

+		CurrentPeriodStart:   pgtype.Timestamptz{Time: now.Add(-time.Hour), Valid: true},

+		CurrentPeriodEnd:     pgtype.Timestamptz{Time: now.Add(30 * 24 * time.Hour), Valid: true},

+		LastWebhookEventID:   "evt_pin_pro_" + suffix,

+	})

+	if err != nil {

+		t.Fatalf("upgrade user to Pro: %v", err)

+	}

+}

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+	// BillingEnforce carries PRO07's per-feature enforcement flags.

+	// Zero value (all false) keeps profile-pin gating in report-only mode:

+	// Free users over the cap continue to hit a generic 400, the would-deny

+	// is logged for the soak. When UserProfilePinsBeyondFree flips true

+	// the same overflow returns 402 with an upgrade banner.

+	BillingEnforce config.EnforceConfig

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+// setupProfileEnvWithBillingEnforce is the PRO07 entry point: same

+// scaffold as setupProfileEnv but with operator-configured per-feature

+// enforce flags. Zero-value enforce (all false) matches the default

+// helper and keeps report-only behavior.

+func setupProfileEnvWithBillingEnforce(t *testing.T, enforce config.EnforceConfig) *profileEnv {

+	return setupProfileEnvWithDepsAndEnforce(t, nil, nil, enforce)

+}

+

+	return setupProfileEnvWithDepsAndEnforce(t, objectStore, repoFS, config.EnforceConfig{})

+}

+

+func setupProfileEnvWithDepsAndEnforce(t *testing.T, objectStore storage.ObjectStore, repoFS *storage.RepoFS, enforce config.EnforceConfig) *profileEnv {

+		RepoFS:         repoFS,

+		ObjectStore:    objectStore,

+		BillingEnforce: enforce,