feat(stripe): capture early fraud warnings for review (#3554)

* feat(stripe): capture early fraud warnings for review

* fix(stripe): harden early fraud warning admin listing

* fix(stripe): avoid relinking deleted fraud warning owners

* fix(stripe): synchronize EFW owner linking with deletion

Author: RSO

.specs/stripe-early-fraud-warnings.md

@@ -38,6 +38,12 @@ BCP 14 [RFC 2119] [RFC 8174] keywords apply only when they appear in all capital
 3. Existing dispute, refund, and fraud-mark handling MUST continue to operate independently, subject to idempotency rules that prevent duplicated EFW side effects.
 4. The persistence-only foundation MAY exist before processing is enabled; until ingestion is deployed, it MUST remain unwritten by EFW automation.
 
+### Observation-Only Rollout Interval
+
+- Before automatic enforcement is deployed and enabled, newly delivered EFWs MUST be persisted as `review_required` cases for operator visibility only, including warnings that resolve to a canonical personal owner.
+- A case captured during the observation-only interval MUST remain manual-review work and MUST NOT later be promoted into automatic enforcement merely because enforcement is enabled for newly arriving warnings.
+- Observation-only ingestion MUST NOT create action-ledger work, block users, disable automatic top-up, refund payments, reverse value, modify subscriptions or compute, reverse payouts or rewards, or send enforcement notices.
+
 ### Ownership Resolution and Review Boundary
 
 5. Automatic enforcement MUST occur only when the warned payment resolves to one canonical personal owner and does not resolve to an organization.

apps/web/src/app/admin/components/AppSidebar.tsx

@@ -109,6 +109,11 @@ const financialItems: MenuItem[] = [
     url: '/admin/kilo-pass/bulk-cancel',
     icon: () => <Coins />,
   },
+  {
+    title: () => 'Early Fraud Warnings',
+    url: '/admin/early-fraud-warnings',
+    icon: () => <Shield />,
+  },
   {
     title: () => 'Revenue KPI',
     url: '/admin/revenue',

apps/web/src/app/admin/early-fraud-warnings/EarlyFraudWarningsContent.test.ts

@@ -0,0 +1,66 @@
+import React from 'react';
+import { describe, expect, it } from '@jest/globals';
+import { renderToStaticMarkup } from 'react-dom/server';
+
+import { EarlyFraudWarningsTable, type EarlyFraudWarningRow } from './EarlyFraudWarningsContent';
+
+const rows = [
+  {
+    id: '11111111-1111-4111-8111-111111111111',
+    stripeEarlyFraudWarningId: 'issfr_personal',
+    stripeEventId: 'evt_personal',
+    stripeChargeId: 'ch_personal',
+    stripePaymentIntentId: 'pi_personal',
+    stripeCustomerId: 'cus_personal',
+    amountMinorUnits: 1900,
+    currency: 'usd',
+    ownerClassification: 'personal',
+    status: 'review_required',
+    reason: 'Observation only: canonical personal owner matched; manual review required',
+    failureContext: null,
+    warningCreatedAt: '2026-05-28T10:00:00.000Z',
+    reviewRequiredAt: '2026-05-28T10:00:01.000Z',
+    createdAt: '2026-05-28T10:00:01.000Z',
+    user: { id: 'user-personal', email: 'personal@example.com', name: 'Personal User' },
+    organization: null,
+  },
+  {
+    id: '22222222-2222-4222-8222-222222222222',
+    stripeEarlyFraudWarningId: 'issfr_organization',
+    stripeEventId: 'evt_organization',
+    stripeChargeId: null,
+    stripePaymentIntentId: null,
+    stripeCustomerId: 'cus_organization',
+    amountMinorUnits: null,
+    currency: null,
+    ownerClassification: 'organization',
+    status: 'review_required',
+    reason: 'Organization-owned warning; manual review required',
+    failureContext: null,
+    warningCreatedAt: null,
+    reviewRequiredAt: '2026-05-28T10:00:01.000Z',
+    createdAt: '2026-05-28T10:00:01.000Z',
+    user: null,
+    organization: { id: 'organization-id', name: 'Review Organization' },
+  },
+] satisfies EarlyFraudWarningRow[];
+
+describe('EarlyFraudWarningsTable', () => {
+  it('renders stored review cases with operational context and safe account links', () => {
+    const html = renderToStaticMarkup(
+      React.createElement(EarlyFraudWarningsTable, { rows, isLoading: false })
+    );
+
+    expect(html).toContain('Personal observation');
+    expect(html).toContain('Review required');
+    expect(html).toContain('$19.00');
+    expect(html).toContain('personal@example.com');
+    expect(html).toContain('Review Organization');
+    expect(html).toContain('issfr_personal');
+    expect(html).toContain('ch_personal');
+    expect(html).toContain('payments/ch_personal');
+    expect(html).toContain(
+      'Observation only: canonical personal owner matched; manual review required'
+    );
+  });
+});

apps/web/src/app/admin/early-fraud-warnings/EarlyFraudWarningsContent.tsx

@@ -0,0 +1,256 @@
+'use client';
+
+import React, { useState } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import type { inferRouterOutputs } from '@trpc/server';
+import { ExternalLink } from 'lucide-react';
+import Link from 'next/link';
+
+import type { RootRouter } from '@/routers/root-router';
+import { useTRPC } from '@/lib/trpc/utils';
+import { formatCents } from '@/lib/utils';
+import { Badge } from '@/components/ui/badge';
+import { Button } from '@/components/ui/button';
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card';
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from '@/components/ui/table';
+
+const PAGE_SIZE = 25;
+type RouterOutputs = inferRouterOutputs<RootRouter>;
+export type EarlyFraudWarningRow =
+  RouterOutputs['admin']['earlyFraudWarnings']['list']['rows'][number];
+
+export function EarlyFraudWarningsContent() {
+  const trpc = useTRPC();
+  const [page, setPage] = useState(1);
+  const casesQuery = useQuery(
+    trpc.admin.earlyFraudWarnings.list.queryOptions({ page, limit: PAGE_SIZE })
+  );
+  const rows = casesQuery.data?.rows ?? [];
+  const pagination = casesQuery.data?.pagination;
+
+  return (
+    <div className="flex w-full flex-col gap-6">
+      <div className="space-y-2">
+        <h2 className="text-2xl font-bold">Early Fraud Warnings</h2>
+        <p className="text-muted-foreground max-w-4xl">
+          Review new Stripe warnings captured during the observation rollout. This view is
+          read-only; captured cases do not restrict access, refund payments, or schedule automated
+          actions.
+        </p>
+      </div>
+
+      <Card>
+        <CardHeader>
+          <CardTitle>Captured warnings</CardTitle>
+          <CardDescription>
+            One row is stored per newly delivered warning. Personal matches remain manual-review
+            cases during observation.
+          </CardDescription>
+        </CardHeader>
+        <CardContent className="flex flex-col gap-4">
+          {casesQuery.isError ? (
+            <p className="text-destructive text-sm" role="alert">
+              Warning cases could not be loaded. Refresh the page to try again.
+            </p>
+          ) : (
+            <>
+              <EarlyFraudWarningsTable rows={rows} isLoading={casesQuery.isLoading} />
+              <div className="flex flex-col items-start justify-between gap-3 text-sm sm:flex-row sm:items-center">
+                <p className="text-muted-foreground">
+                  {pagination
+                    ? `${pagination.total} captured warning${pagination.total === 1 ? '' : 's'}`
+                    : 'Loading warning count...'}
+                </p>
+                <div className="flex gap-2">
+                  <Button
+                    variant="secondary"
+                    size="sm"
+                    onClick={() => setPage(current => Math.max(1, current - 1))}
+                    disabled={page <= 1 || casesQuery.isFetching}
+                  >
+                    Previous
+                  </Button>
+                  <Button
+                    variant="secondary"
+                    size="sm"
+                    onClick={() => setPage(current => current + 1)}
+                    disabled={!pagination || page >= pagination.totalPages || casesQuery.isFetching}
+                  >
+                    Next
+                  </Button>
+                </div>
+              </div>
+            </>
+          )}
+        </CardContent>
+      </Card>
+    </div>
+  );
+}
+
+export function EarlyFraudWarningsTable({
+  rows,
+  isLoading,
+}: {
+  rows: EarlyFraudWarningRow[];
+  isLoading: boolean;
+}) {
+  return (
+    <div className="overflow-x-auto rounded-lg border">
+      <Table>
+        <TableHeader>
+          <TableRow>
+            <TableHead>Received</TableHead>
+            <TableHead>Status</TableHead>
+            <TableHead>Owner</TableHead>
+            <TableHead>Amount</TableHead>
+            <TableHead>Linked account</TableHead>
+            <TableHead>Stripe identifiers</TableHead>
+            <TableHead>Review reason</TableHead>
+          </TableRow>
+        </TableHeader>
+        <TableBody>
+          {rows.length === 0 ? (
+            <TableRow>
+              <TableCell colSpan={7} className="text-muted-foreground h-24 text-center">
+                {isLoading
+                  ? 'Loading captured warnings...'
+                  : 'No early fraud warnings captured yet.'}
+              </TableCell>
+            </TableRow>
+          ) : (
+            rows.map(row => (
+              <TableRow key={row.id}>
+                <TableCell className="whitespace-nowrap text-sm">
+                  {formatTimestamp(row.warningCreatedAt ?? row.createdAt)}
+                </TableCell>
+                <TableCell>
+                  <Badge variant={row.status === 'failed' ? 'destructive' : 'secondary'}>
+                    {formatStatus(row.status)}
+                  </Badge>
+                </TableCell>
+                <TableCell>
+                  <Badge
+                    variant={row.ownerClassification === 'ambiguous' ? 'destructive' : 'outline'}
+                  >
+                    {formatOwnerClassification(row.ownerClassification)}
+                  </Badge>
+                </TableCell>
+                <TableCell className="whitespace-nowrap font-mono text-sm tabular-nums">
+                  {formatAmount(row.amountMinorUnits, row.currency)}
+                </TableCell>
+                <TableCell className="min-w-48 text-sm">{renderLinkedAccount(row)}</TableCell>
+                <TableCell className="min-w-64 text-xs">
+                  <StripeIdentifiers row={row} />
+                </TableCell>
+                <TableCell className="text-muted-foreground min-w-64 text-sm">
+                  {row.reason ?? 'Manual review required'}
+                  {row.failureContext ? (
+                    <div className="text-destructive mt-1">{row.failureContext}</div>
+                  ) : null}
+                </TableCell>
+              </TableRow>
+            ))
+          )}
+        </TableBody>
+      </Table>
+    </div>
+  );
+}
+
+function StripeIdentifiers({ row }: { row: EarlyFraudWarningRow }) {
+  return (
+    <div className="flex flex-col gap-1 font-mono">
+      <span>{row.stripeEarlyFraudWarningId}</span>
+      {row.stripeChargeId ? (
+        <a
+          href={stripePaymentUrl(row.stripeChargeId)}
+          target="_blank"
+          rel="noopener noreferrer"
+          className="text-blue-400 hover:text-blue-300 inline-flex items-center gap-1"
+        >
+          {row.stripeChargeId}
+          <ExternalLink className="size-3 shrink-0" />
+        </a>
+      ) : null}
+      {row.stripePaymentIntentId ? <span>{row.stripePaymentIntentId}</span> : null}
+      {row.stripeCustomerId ? (
+        <a
+          href={stripeCustomerUrl(row.stripeCustomerId)}
+          target="_blank"
+          rel="noopener noreferrer"
+          className="text-blue-400 hover:text-blue-300 inline-flex items-center gap-1"
+        >
+          {row.stripeCustomerId}
+          <ExternalLink className="size-3 shrink-0" />
+        </a>
+      ) : null}
+    </div>
+  );
+}
+
+function renderLinkedAccount(row: EarlyFraudWarningRow) {
+  if (row.user) {
+    return (
+      <Link
+        className="text-blue-400 hover:text-blue-300"
+        href={`/admin/users/${encodeURIComponent(row.user.id)}`}
+      >
+        {row.user.email}
+      </Link>
+    );
+  }
+
+  if (row.organization) {
+    return (
+      <Link
+        className="text-blue-400 hover:text-blue-300"
+        href={`/admin/organizations/${encodeURIComponent(row.organization.id)}`}
+      >
+        {row.organization.name}
+      </Link>
+    );
+  }
+
+  return <span className="text-muted-foreground">No owner linked</span>;
+}
+
+function formatStatus(status: string): string {
+  return status.replaceAll('_', ' ').replace(/^./, value => value.toUpperCase());
+}
+
+function formatOwnerClassification(classification: string): string {
+  return classification === 'personal'
+    ? 'Personal observation'
+    : classification.replace(/^./, value => value.toUpperCase());
+}
+
+function formatTimestamp(value: string | null): string {
+  if (!value) return 'Not available';
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? 'Not available' : date.toLocaleString();
+}
+
+function formatAmount(amountMinorUnits: number | null, currency: string | null): string {
+  if (amountMinorUnits === null || !currency) return 'Not available';
+  return formatCents(amountMinorUnits, currency);
+}
+
+function stripeDashboardPrefix(): string {
+  return process.env.NODE_ENV === 'development' ? 'test/' : '';
+}
+
+function stripePaymentUrl(chargeId: string): string {
+  return `https://dashboard.stripe.com/${stripeDashboardPrefix()}payments/${chargeId}`;
+}
+
+function stripeCustomerUrl(customerId: string): string {
+  return `https://dashboard.stripe.com/${stripeDashboardPrefix()}customers/${customerId}`;
+}

apps/web/src/app/admin/early-fraud-warnings/page.tsx

@@ -0,0 +1,17 @@
+import AdminPage from '@/app/admin/components/AdminPage';
+import { BreadcrumbItem, BreadcrumbPage } from '@/components/ui/breadcrumb';
+import { EarlyFraudWarningsContent } from './EarlyFraudWarningsContent';
+
+const breadcrumbs = (
+  <BreadcrumbItem>
+    <BreadcrumbPage>Early Fraud Warnings</BreadcrumbPage>
+  </BreadcrumbItem>
+);
+
+export default function EarlyFraudWarningsPage() {
+  return (
+    <AdminPage breadcrumbs={breadcrumbs}>
+      <EarlyFraudWarningsContent />
+    </AdminPage>
+  );
+}