fix(stripe): avoid relinking deleted fraud warning owners

RSO · RSO · commit 33eb8ecd0025 · 2026-05-28T12:56:30.000+02:00
diff --git a/apps/web/src/lib/stripe/early-fraud-warning.ts b/apps/web/src/lib/stripe/early-fraud-warning.ts
@@ -11,7 +11,7 @@ import {
   StripeEarlyFraudWarningOwnerClassification,
   type StripeEarlyFraudWarningOwnerClassification as OwnerClassification,
 } from '@kilocode/db/schema-types';
-import { and, eq, isNull } from 'drizzle-orm';
+import { and, eq, isNull, like, not, or } from 'drizzle-orm';
 import type Stripe from 'stripe';
 
 import { db } from '@/lib/drizzle';
@@ -74,7 +74,15 @@ async function resolveOwner(customerId: string | null): Promise<OwnerResolution>
     db
       .select({ id: kilocode_users.id })
       .from(kilocode_users)
-      .where(eq(kilocode_users.stripe_customer_id, customerId))
+      .where(
+        and(
+          eq(kilocode_users.stripe_customer_id, customerId),
+          or(
+            isNull(kilocode_users.blocked_reason),
+            not(like(kilocode_users.blocked_reason, 'soft-deleted at %'))
+          )
+        )
+      )
       .limit(2),
     db
       .select({ id: organizations.id })
diff --git a/apps/web/src/lib/stripe/index.test.ts b/apps/web/src/lib/stripe/index.test.ts
@@ -81,6 +81,7 @@ import {
 } from '@kilocode/db/schema';
 import { db, auto_deleted_at } from '@/lib/drizzle';
 import { insertTestUser } from '@/tests/helpers/user.helper';
+import { softDeleteUser } from '@/lib/user';
 import { createTestPaymentMethod } from '@/tests/helpers/payment-method.helper';
 import { eq, and, count } from 'drizzle-orm';
 import type Stripe from 'stripe';
@@ -882,6 +883,43 @@ describe('processStripePaymentEventHook', () => {
     retrieveSpy.mockRestore();
   });
 
+  test('radar.early_fraud_warning.created does not link a new case to a soft-deleted user', async () => {
+    await cleanupDbForTest();
+    testUser = await insertTestUser();
+    await softDeleteUser(testUser.id);
+    const { client } = await import('@/lib/stripe-client');
+    const retrieveSpy = jest.spyOn(client.charges, 'retrieve').mockResolvedValue(
+      sampleStripeChargeResponse(
+        sampleStripeCharge({
+          id: 'ch_deleted_customer',
+          customer: testUser.stripe_customer_id,
+        })
+      )
+    );
+
+    await processStripePaymentEventHook(
+      sampleEarlyFraudWarningEvent({
+        eventId: 'evt_deleted_customer',
+        warningId: 'issfr_deleted_customer',
+        charge: 'ch_deleted_customer',
+      })
+    );
+
+    const [fraudCase] = await db.select().from(stripe_early_fraud_warning_cases);
+    expect(fraudCase).toEqual(
+      expect.objectContaining({
+        stripe_customer_id: testUser.stripe_customer_id,
+        owner_classification: 'unmatched',
+        kilo_user_id: null,
+        status: 'review_required',
+        reason: 'No canonical customer owner matched; manual review required',
+      })
+    );
+    expect(await db.select().from(stripe_early_fraud_warning_actions)).toHaveLength(0);
+
+    retrieveSpy.mockRestore();
+  });
+
   test('radar.early_fraud_warning.created deduplicates repeated delivery without creating actions', async () => {
     await cleanupDbForTest();
     testUser = await insertTestUser();
