(SP: 2) [Backend/CI/DX]: Unify order paymentStatus transitions under guard; add legacy coverage + tripwire; silence webhook contract stderr

Author: liudmylasovetovs

frontend/lib/services/orders/checkout.ts

@@ -18,7 +18,7 @@ import {
   type OrderSummaryWithMinor,
 } from '@/lib/types/shop';
 import { coercePriceFromDb } from '@/db/queries/shop/orders';
-import { type PaymentStatus } from '@/lib/shop/payments';
+import { type PaymentProvider, type PaymentStatus } from '@/lib/shop/payments';
 
 import {
   InsufficientStockError,
@@ -44,6 +44,7 @@ import {
 
 import { getOrderById, getOrderByIdempotencyKey } from './summary';
 import { restockOrder } from './restock';
+import { guardedPaymentStatusUpdate } from './payment-state';
 
 async function reconcileNoPaymentOrder(
   orderId: string
@@ -144,13 +145,26 @@ async function reconcileNoPaymentOrder(
       .set({
         status: 'PAID',
         inventoryStatus: 'reserved',
-        paymentStatus: 'paid',
         failureCode: null,
         failureMessage: null,
         updatedAt: new Date(),
       })
       .where(eq(orders.id, orderId));
 
+    const payRes = await guardedPaymentStatusUpdate({
+      orderId,
+      paymentProvider: 'none',
+      to: 'paid',
+      source: 'checkout',
+    });
+
+    if (!payRes.applied && payRes.reason !== 'ALREADY_IN_STATE') {
+      throw new OrderStateInvalidError(
+        'Order paymentStatus transition blocked after reservation.',
+        { orderId, details: { reason: payRes.reason, from: payRes.from } }
+      );
+    }
+
     return getOrderById(orderId);
   } catch (e) {
     const failAt = new Date();
@@ -176,7 +190,6 @@ async function reconcileNoPaymentOrder(
       .set({
         status: 'INVENTORY_FAILED',
         inventoryStatus: 'released',
-        paymentStatus: 'failed',
         failureCode: isOos ? 'OUT_OF_STOCK' : 'INTERNAL_ERROR',
         failureMessage: isOos
           ? e.message
@@ -187,6 +200,20 @@ async function reconcileNoPaymentOrder(
       })
       .where(eq(orders.id, orderId));
 
+    const payRes = await guardedPaymentStatusUpdate({
+      orderId,
+      paymentProvider: 'none',
+      to: 'failed',
+      source: 'checkout',
+    });
+
+    if (!payRes.applied && payRes.reason !== 'ALREADY_IN_STATE') {
+      logError(
+        `[reconcileNoPaymentOrder] paymentStatus transition to failed blocked orderId=${orderId} reason=${payRes.reason}`,
+        new Error('payment_transition_blocked')
+      );
+    }
+
     throw e;
   }
 }
@@ -367,7 +394,8 @@ export async function createOrderWithItems({
 }): Promise<CheckoutResult> {
   const currency: Currency = resolveCurrencyFromLocale(locale);
   const paymentsEnabled = isPaymentsEnabled();
-  const paymentProvider = paymentsEnabled ? 'stripe' : 'none';
+  const paymentProvider: PaymentProvider = paymentsEnabled ? 'stripe' : 'none';
+
   // IMPORTANT: DB CHECK requires provider=none => payment_status in ('paid','failed')
   const paymentStatus = paymentsEnabled ? 'requires_payment' : 'paid';
 
@@ -678,12 +706,37 @@ export async function createOrderWithItems({
       .set({
         status: paymentsEnabled ? 'INVENTORY_RESERVED' : 'PAID',
         inventoryStatus: 'reserved',
-        paymentStatus: paymentsEnabled ? 'pending' : 'paid',
         failureCode: null,
         failureMessage: null,
         updatedAt: new Date(),
       })
       .where(eq(orders.id, orderId));
+
+    const targetPaymentStatus: PaymentStatus = paymentsEnabled
+      ? 'pending'
+      : 'paid';
+
+    const payRes = await guardedPaymentStatusUpdate({
+      orderId,
+      paymentProvider,
+      to: targetPaymentStatus,
+      source: 'checkout',
+    });
+
+    if (!payRes.applied && payRes.reason !== 'ALREADY_IN_STATE') {
+      throw new OrderStateInvalidError(
+        'Order paymentStatus transition blocked after inventory reservation.',
+        {
+          orderId,
+          details: {
+            reason: payRes.reason,
+            from: payRes.from,
+            to: targetPaymentStatus,
+            paymentProvider,
+          },
+        }
+      );
+    }
   } catch (e) {
     const failAt = new Date();
     await db
@@ -709,7 +762,6 @@ export async function createOrderWithItems({
       .set({
         status: 'INVENTORY_FAILED',
         inventoryStatus: 'released',
-        paymentStatus: 'failed',
         failureCode: isOos ? 'OUT_OF_STOCK' : 'INTERNAL_ERROR',
         failureMessage: isOos
           ? e.message
@@ -720,6 +772,20 @@ export async function createOrderWithItems({
       })
       .where(eq(orders.id, orderId));
 
+    const payRes = await guardedPaymentStatusUpdate({
+      orderId,
+      paymentProvider,
+      to: 'failed',
+      source: 'checkout',
+    });
+
+    if (!payRes.applied && payRes.reason !== 'ALREADY_IN_STATE') {
+      logError(
+        `[createOrderWithItems] paymentStatus transition to failed blocked orderId=${orderId} provider=${paymentProvider} reason=${payRes.reason}`,
+        new Error('payment_transition_blocked')
+      );
+    }
+
     throw e;
   }
 

frontend/lib/services/orders/payment-intent.ts

@@ -8,6 +8,7 @@ import { type OrderSummaryWithMinor } from '@/lib/types/shop';
 import { InvalidPayloadError, OrderNotFoundError } from '../errors';
 import { resolvePaymentProvider } from './_shared';
 import { getOrderItems, parseOrderSummary } from './summary';
+import { guardedPaymentStatusUpdate } from './payment-state';
 
 export async function setOrderPaymentIntent({
   orderId,
@@ -52,19 +53,34 @@ export async function setOrderPaymentIntent({
     return parseOrderSummary(existing, items);
   }
 
-  const [updated] = await db
-    .update(orders)
-    .set({
+  const res = await guardedPaymentStatusUpdate({
+    orderId,
+    paymentProvider: 'stripe',
+    to: 'requires_payment',
+    source: 'payment_intent',
+    allowSameStateUpdate: true,
+    set: {
       paymentIntentId,
-      paymentStatus: 'requires_payment',
       updatedAt: new Date(),
-    })
+    },
+  });
+
+  if (!res.applied) {
+    // Keep error semantics consistent with previous validation rules.
+    // This also guarantees we won't ever do failed/refunded -> requires_payment.
+    throw new InvalidPayloadError(
+      `Order payment intent update blocked (${res.reason}).`
+    );
+  }
+
+  const [updated] = await db
+    .select()
+    .from(orders)
     .where(eq(orders.id, orderId))
-    .returning();
+    .limit(1);
 
-  if (!updated) throw new Error('Failed to update order payment intent');
+  if (!updated) throw new OrderNotFoundError('Order not found');
 
   const items = await getOrderItems(orderId);
   return parseOrderSummary(updated, items);
 }
-

frontend/lib/services/orders/refund.ts

@@ -2,7 +2,6 @@ import { eq } from 'drizzle-orm';
 
 import { db } from '@/db';
 import { orders } from '@/db/schema/shop';
-import { type PaymentStatus } from '@/lib/shop/payments';
 import { type OrderSummaryWithMinor } from '@/lib/types/shop';
 import { InvalidPayloadError, OrderNotFoundError } from '../errors';
 import { resolvePaymentProvider } from './_shared';
@@ -32,17 +31,9 @@ export async function refundOrder(
       'Refunds are only supported for stripe orders.'
     );
   }
-
-  const refundableStatuses: PaymentStatus[] = ['paid'];
-  if (!refundableStatuses.includes(order.paymentStatus as PaymentStatus)) {
-    throw new InvalidPayloadError(
-      'Order cannot be refunded from the current status.'
-    );
-  }
-
   const res = await guardedPaymentStatusUpdate({
     orderId,
-    paymentProvider: order.paymentProvider,
+    paymentProvider: provider, // <-- замість order.paymentProvider
     to: 'refunded',
     source: 'admin',
     note: 'refundOrder()',

frontend/lib/services/orders/restock.ts

@@ -5,8 +5,9 @@ import { applyReleaseMove } from '../inventory';
 import { db } from '@/db';
 import { inventoryMoves, orders } from '@/db/schema/shop';
 import { type PaymentStatus } from '@/lib/shop/payments';
-
+import { guardedPaymentStatusUpdate } from './payment-state';
 import { OrderNotFoundError, OrderStateInvalidError } from '../errors';
+import { resolvePaymentProvider } from './_shared';
 
 export type RestockReason = 'failed' | 'refunded' | 'canceled' | 'stale';
 export type RestockOptions = {
@@ -63,6 +64,7 @@ export async function restockOrder(
       id: orders.id,
       paymentProvider: orders.paymentProvider,
       paymentStatus: orders.paymentStatus,
+      paymentIntentId: orders.paymentIntentId,
       inventoryStatus: orders.inventoryStatus,
       stockRestored: orders.stockRestored,
       restockedAt: orders.restockedAt,
@@ -76,6 +78,8 @@ export async function restockOrder(
   if (!order) throw new OrderNotFoundError('Order not found');
 
   const isNoPayment = order.paymentProvider === 'none';
+  const provider = resolvePaymentProvider(order);
+  const transitionSource = options?.alreadyClaimed ? 'janitor' : 'system';
 
   // already released / legacy idempotency
   if (
@@ -106,12 +110,12 @@ export async function restockOrder(
       (reason === 'failed' || reason === 'canceled' || reason === 'stale')
     ) {
       const now = new Date();
-      await db
+
+      const [touched] = await db
         .update(orders)
         .set({
           status: 'INVENTORY_FAILED',
           inventoryStatus: 'released',
-          paymentStatus: 'failed',
           failureCode: order.failureCode ?? 'STALE_ORPHAN',
           failureMessage:
             order.failureMessage ??
@@ -120,19 +124,33 @@ export async function restockOrder(
           restockedAt: now,
           updatedAt: now,
         })
-        .where(eq(orders.id, orderId));
+        .where(and(eq(orders.id, orderId), eq(orders.stockRestored, false)))
+        .returning({ id: orders.id });
+
+      if (!touched) return;
+
+      // paymentStatus transition only via guard
+      await guardedPaymentStatusUpdate({
+        orderId,
+        paymentProvider: provider,
+        to: 'failed',
+        source: transitionSource,
+        // tie to this exact finalize marker (prevents races)
+        extraWhere: eq(orders.restockedAt, now),
+      });
+
       return;
     }
 
     // Stripe (or any non-none provider): stale orphan must become terminal
     if (reason === 'stale') {
       const now = new Date();
-      await db
+
+      const [touched] = await db
         .update(orders)
         .set({
           status: 'INVENTORY_FAILED',
           inventoryStatus: 'released',
-          paymentStatus: 'failed',
           failureCode: order.failureCode ?? 'STALE_ORPHAN',
           failureMessage:
             order.failureMessage ??
@@ -141,7 +159,20 @@ export async function restockOrder(
           restockedAt: now,
           updatedAt: now,
         })
-        .where(eq(orders.id, orderId));
+        .where(and(eq(orders.id, orderId), eq(orders.stockRestored, false)))
+        .returning({ id: orders.id });
+
+      if (!touched) return;
+
+      // paymentStatus transition only via guard (provider from DB)
+      await guardedPaymentStatusUpdate({
+        orderId,
+        paymentProvider: provider,
+        to: 'failed',
+        source: transitionSource,
+        extraWhere: eq(orders.restockedAt, now),
+      });
+
       return;
     }
 
@@ -195,19 +226,30 @@ export async function restockOrder(
   if (!finalized) return;
 
   let normalizedStatus: PaymentStatus | undefined;
-  if (reason === 'refunded') normalizedStatus = 'refunded';
+  if (reason === 'refunded' && !isNoPayment) normalizedStatus = 'refunded';
   else if (reason === 'failed' || reason === 'canceled' || reason === 'stale')
     normalizedStatus = 'failed';
+
   const shouldCancel = reason === 'canceled';
   const shouldFail = reason === 'failed' || reason === 'stale';
   await db
     .update(orders)
     .set({
       inventoryStatus: 'released',
       updatedAt: now,
-      ...(normalizedStatus ? { paymentStatus: normalizedStatus } : {}),
       ...(shouldFail ? { status: 'INVENTORY_FAILED' } : {}),
       ...(shouldCancel ? { status: 'CANCELED' } : {}),
     })
     .where(eq(orders.id, orderId));
+
+  if (normalizedStatus) {
+    await guardedPaymentStatusUpdate({
+      orderId,
+      paymentProvider: provider,
+      to: normalizedStatus,
+      source: transitionSource,
+      // bind to finalize-once marker
+      extraWhere: eq(orders.restockedAt, finalizedAt),
+    });
+  }
 }