tenseleyflow/shithub / 394c6e9

+	// MetadataOrgID and MetadataOrgSlug are the legacy SP03 keys.

+	// PRO04 introduces MetadataSubjectKind and MetadataSubjectID;

+	// new subscriptions stamp both for forward compatibility, the

+	// webhook resolver falls back to the legacy keys for org rows

+	// created before PRO04 deployed.

+	MetadataOrgID        = "shithub_org_id"

+	MetadataOrgSlug      = "shithub_org_slug"

+	MetadataSubjectKind  = "shithub_subject_kind"

+	MetadataSubjectID    = "shithub_subject_id"

+	MetadataSubjectLabel = "shithub_subject_label" // human-readable, e.g. org slug or username

+)

+

+// SubjectKind mirrors billing.SubjectKind without taking a hard

+// dependency on the billing package (avoid import cycle).

+// Conversions live in the webhook handler.

+type SubjectKind string

+

+const (

+	SubjectKindUser SubjectKind = "user"

+	SubjectKindOrg  SubjectKind = "org"

+	ErrProPriceRequired      = errors.New("stripe billing: pro price id is required")

+	ErrInvalidSubjectKind    = errors.New("stripe billing: invalid subject kind")

+	ProPriceID    string // PRO04: required once user-tier path is enabled

+	proPriceID    string

+// CustomerInput carries enough subject context to populate Stripe

+// metadata for new customer records. The legacy `OrgID`/`OrgSlug`

+// pair stays for backward compatibility with SP03 callers; PRO04

+// callers populate `Kind` + `SubjectID` + `Label`, and the

+// metadata stamps both old and new keys.

+

+	Kind      SubjectKind // PRO04: "user" | "org"

+	SubjectID int64       // PRO04: user id or org id

+	Label     string      // PRO04: human-readable (org slug or username)

+

+	Kind      SubjectKind // PRO04: routes to TeamPriceID (org) or ProPriceID (user)

+	SubjectID int64       // PRO04: user id or org id

+	Label     string      // PRO04: human-readable for metadata.shithub_subject_label

+	cfg.ProPriceID = strings.TrimSpace(cfg.ProPriceID)

+	// ProPriceID is optional at construction (operators on the

+	// SP-only path don't have it). Pro-path callers will get

+	// ErrProPriceRequired at CheckoutSession time if they try to

+	// route a user-kind checkout against a client that lacks the

+	// price id.

+		proPriceID:    cfg.ProPriceID,

+// SupportsPro reports whether the client was configured with a Pro

+// price. Wiring code uses this to decide whether to register the

+// user-tier checkout/portal routes; refusing the routes when Pro

+// isn't configured keeps the operator-disabled path consistent.

+func (c *Client) SupportsPro() bool { return c.proPriceID != "" }

+

+	// PRO04: subject-aware customer creation. When `in.Kind` is set

+	// the new metadata keys + idempotency-key prefix include the

+	// kind; legacy SP03 callers (no Kind set) keep the org-only

+	// behavior so existing org customers don't get duplicated.

+	kind, subjectID, label, err := normalizeSubject(in.Kind, in.SubjectID, in.Label, in.OrgID, in.OrgSlug)

+	if err != nil {

+		return Customer{}, err

+	}

+		name = label

+	descriptor := fmt.Sprintf("shithub %s %s", kind, label)

+		Description: stripeapi.String(descriptor),

+		Metadata:    subjectMetadata(kind, subjectID, label, in.OrgID, in.OrgSlug),

+	params.SetIdempotencyKey(idempotencyKey("customer", string(kind), subjectID, "v1"))

+	kind, subjectID, label, err := normalizeSubject(in.Kind, in.SubjectID, in.Label, in.OrgID, in.OrgSlug)

+	if err != nil {

+		return CheckoutSession{}, err

+	}

+	// Route price + quantity by kind. Pro is single-seat; Team

+	// quantity equals the caller-provided seat count.

+	var priceID string

+	var quantity int64

+	switch kind {

+	case SubjectKindOrg:

+		priceID = c.teamPriceID

+		quantity = in.SeatCount

+		if quantity < 1 {

+			quantity = 1

+		}

+	case SubjectKindUser:

+		if c.proPriceID == "" {

+			return CheckoutSession{}, ErrProPriceRequired

+		}

+		priceID = c.proPriceID

+		quantity = 1

+	default:

+		return CheckoutSession{}, fmt.Errorf("%w: %q", ErrInvalidSubjectKind, kind)

+	metadata := subjectMetadata(kind, subjectID, label, in.OrgID, in.OrgSlug)

+		ClientReferenceID:        stripeapi.String(strconv.FormatInt(subjectID, 10)),

+			Price:    stripeapi.String(priceID),

+			Quantity: stripeapi.Int64(quantity),

+	params.SetIdempotencyKey(idempotencyKey("checkout", string(kind), subjectID, planLabelForKind(kind), strconv.FormatInt(quantity, 10)))

+// normalizeSubject resolves the (kind, id, label) tuple from a

+// CheckoutInput / CustomerInput. Legacy SP03 callers populate only

+// OrgID/OrgSlug and zero Kind — those default to SubjectKindOrg

+// for backward compatibility. PRO04 callers populate Kind +

+// SubjectID + Label and may leave OrgID/OrgSlug zero (user kind).

+//

+// Cross-checks: if both legacy OrgID and explicit user-kind

+// SubjectID are set, the explicit Kind wins; the OrgID stays in

+// the metadata for audit but the routing key is Kind+SubjectID.

+func normalizeSubject(kind SubjectKind, subjectID int64, label string, orgID int64, orgSlug string) (SubjectKind, int64, string, error) {

+	if kind == "" {

+		// Legacy path: org-only.

+		if orgID <= 0 {

+			return "", 0, "", fmt.Errorf("%w: %q", ErrInvalidSubjectKind, kind)

+		}

+		return SubjectKindOrg, orgID, strings.TrimSpace(orgSlug), nil

+	}

+	if kind != SubjectKindOrg && kind != SubjectKindUser {

+		return "", 0, "", fmt.Errorf("%w: %q", ErrInvalidSubjectKind, kind)

+	}

+	if subjectID <= 0 {

+		// Fall back to OrgID for org kind when caller forgot to set

+		// SubjectID explicitly; tightens the API without breaking

+		// the SP03→PRO04 transition.

+		if kind == SubjectKindOrg && orgID > 0 {

+			subjectID = orgID

+		} else {

+			return "", 0, "", fmt.Errorf("%w: subject id required for kind %q", ErrInvalidSubjectKind, kind)

+		}

+	}

+	label = strings.TrimSpace(label)

+	if label == "" && kind == SubjectKindOrg {

+		label = strings.TrimSpace(orgSlug)

+	}

+	return kind, subjectID, label, nil

+}

+

+// subjectMetadata returns the Stripe metadata map stamped on

+// customers, checkout sessions, and subscription objects. Both the

+// new MetadataSubject* keys and the legacy MetadataOrg* keys are

+// emitted when the kind is org — this keeps SP03-deployed webhook

+// resolvers working through the transition. User-kind metadata

+// omits the legacy keys (no legacy resolver expected them).

+func subjectMetadata(kind SubjectKind, subjectID int64, label string, orgID int64, orgSlug string) map[string]string {

+	m := map[string]string{

+		MetadataSubjectKind:  string(kind),

+		MetadataSubjectID:    strconv.FormatInt(subjectID, 10),

+		MetadataSubjectLabel: label,

+	}

+	if kind == SubjectKindOrg {

+		if orgID == 0 {

+			orgID = subjectID

+		}

+		if orgSlug == "" {

+			orgSlug = label

+		}

+		m[MetadataOrgID] = strconv.FormatInt(orgID, 10)

+		m[MetadataOrgSlug] = strings.TrimSpace(orgSlug)

+	}

+	return m

+}

+

+// planLabelForKind returns the marketing label baked into the

+// idempotency key. Keeps Pro and Team checkouts from colliding on

+// the same idempotency string even if a single subject ID exists

+// on both subject_kind tables (which the schema prohibits, but

+// defense-in-depth).

+func planLabelForKind(kind SubjectKind) string {

+	switch kind {

+	case SubjectKindUser:

+		return "pro"

+	case SubjectKindOrg:

+		return "team"

+	return string(kind)

+func TestSupportsProReflectsConfig(t *testing.T) {

+	t.Parallel()

+	teamOnly, err := New(Config{

+		SecretKey:     "sk_test_123",

+		WebhookSecret: "whsec_123",

+		TeamPriceID:   "price_team",

+	})

+	if err != nil {

+		t.Fatalf("New team-only: %v", err)

+	}

+	if teamOnly.SupportsPro() {

+		t.Errorf("SupportsPro should be false when ProPriceID empty")

+	}

+

+	withPro, err := New(Config{

+		SecretKey:     "sk_test_123",

+		WebhookSecret: "whsec_123",

+		TeamPriceID:   "price_team",

+		ProPriceID:    "price_pro",

+	})

+	if err != nil {

+		t.Fatalf("New with pro: %v", err)

+	}

+	if !withPro.SupportsPro() {

+		t.Errorf("SupportsPro should be true when ProPriceID set")

+	}

+}

+

+func TestNormalizeSubjectLegacyOrgOnly(t *testing.T) {

+	t.Parallel()

+	kind, id, label, err := normalizeSubject("", 0, "", 42, "acme")

+	if err != nil {

+		t.Fatalf("legacy org-only: %v", err)

+	}

+	if kind != SubjectKindOrg || id != 42 || label != "acme" {

+		t.Errorf("legacy normalize: kind=%s id=%d label=%q", kind, id, label)

+	}

+}

+

+func TestNormalizeSubjectExplicitUser(t *testing.T) {

+	t.Parallel()

+	kind, id, label, err := normalizeSubject(SubjectKindUser, 7, "alice", 0, "")

+	if err != nil {

+		t.Fatalf("explicit user: %v", err)

+	}

+	if kind != SubjectKindUser || id != 7 || label != "alice" {

+		t.Errorf("user normalize: kind=%s id=%d label=%q", kind, id, label)

+	}

+}

+

+func TestNormalizeSubjectRejectsBogusKind(t *testing.T) {

+	t.Parallel()

+	if _, _, _, err := normalizeSubject("alien", 1, "x", 0, ""); !errors.Is(err, ErrInvalidSubjectKind) {

+		t.Fatalf("expected ErrInvalidSubjectKind, got %v", err)

+	}

+}

+

+func TestNormalizeSubjectRequiresIDOrOrgFallback(t *testing.T) {

+	t.Parallel()

+	// User kind without an ID is invalid.

+	if _, _, _, err := normalizeSubject(SubjectKindUser, 0, "", 0, ""); !errors.Is(err, ErrInvalidSubjectKind) {

+		t.Fatalf("user without id: expected ErrInvalidSubjectKind, got %v", err)

+	}

+	// Org kind with zero SubjectID but OrgID set falls back.

+	kind, id, _, err := normalizeSubject(SubjectKindOrg, 0, "acme", 99, "acme")

+	if err != nil {

+		t.Fatalf("org fallback: %v", err)

+	}

+	if kind != SubjectKindOrg || id != 99 {

+		t.Errorf("org fallback: kind=%s id=%d", kind, id)

+	}

+}

+

+func TestSubjectMetadataOrgKindIncludesLegacyKeys(t *testing.T) {

+	t.Parallel()

+	m := subjectMetadata(SubjectKindOrg, 42, "acme", 42, "acme")

+	if m[MetadataSubjectKind] != "org" || m[MetadataSubjectID] != "42" {

+		t.Errorf("PRO04 keys missing for org: %+v", m)

+	}

+	if m[MetadataOrgID] != "42" || m[MetadataOrgSlug] != "acme" {

+		t.Errorf("legacy keys missing for org: %+v", m)

+	}

+}

+

+func TestSubjectMetadataUserKindOmitsLegacyOrgKeys(t *testing.T) {

+	t.Parallel()

+	m := subjectMetadata(SubjectKindUser, 7, "alice", 0, "")

+	if m[MetadataSubjectKind] != "user" || m[MetadataSubjectID] != "7" {

+		t.Errorf("PRO04 keys missing for user: %+v", m)

+	}

+	if _, ok := m[MetadataOrgID]; ok {

+		t.Errorf("user metadata should omit MetadataOrgID; got %+v", m)

+	}

+	if _, ok := m[MetadataOrgSlug]; ok {

+		t.Errorf("user metadata should omit MetadataOrgSlug; got %+v", m)

+	}

+}

+