feat(kilo-pass): disallow duplicate card fingerprints across Kilo Pass subscriptions

[jrf0110]

Summary

Enforce that a single credit card fingerprint can be attached to at most one active Kilo Pass subscription across all Kilo users at any time. This blocks a fraud vector where multiple accounts purchase Kilo Pass using the same physical card.

What's new

• findActiveKiloPassByCardFingerprint helper in apps/web/src/lib/stripe.ts — queries payment methods for a matching fingerprint on a different user, then checks whether that user has an active Kilo Pass subscription.
• checkDuplicateCardFingerprintGate in apps/web/src/lib/kilo-pass/card-fingerprint-gate.ts — runs in the invoice.paid webhook handler after the Stripe charge succeeds. If a duplicate is found: cancels the subscription on Stripe, refunds the invoice, writes an audit log, and sends a customer-facing email notification.
• DuplicateCardSubscriptionCanceled audit log action — added to the KiloPassAuditLogAction enum for tracking duplicate-card cancellations.
• Email notification — new kiloPassDuplicateCardCanceled template and sendKiloPassDuplicateCardCanceledEmail sender function, using transactional_email_log for idempotent dedup.
• App Store / Google Play path skipped — the gate only runs in the Stripe invoice.paid path. Store purchases have their own subscription model (appAccountToken) and don't go through Stripe invoices. A code comment documents this.

Edge cases handled

• Same user re-subscribing with the same card → NOT blocked (excluded by excludingUserId).
• Other user has ended Kilo Pass with same fingerprint → NOT blocked (query pivots off active subscription status).
• No fingerprint available → gate passes open (fails open rather than blocking legitimate purchases).
• Race condition / webhook replay → email dedup via transactional_email_log unique index; audit logs are idempotent via the existing Stripe event ID tracking.

Verification

Manually ran through the flow and made sure that duplicate card users got their sub canceled and account blocked:

Visual Changes

N/A

Reviewer Notes

• The gate fires in stripe-handlers-invoice-paid.ts after the subscription upsert but before credit issuance — if blocked, the subscription row is marked canceled with ended_at set, and no credits are issued.
• The findActiveKiloPassByCardFingerprint query joins payment_methods to kilo_pass_subscriptions, filtering for active subscriptions (not in canceled/unpaid/incomplete_expired, and ended_at IS NULL).
• Migration 0135_duplicate_card_gate.sql adds the DuplicateCardSubscriptionCanceled enum value to the check constraint.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The incremental commit adds only migration 0150_typical_scorpion.sql, which extends the kilo_pass_audit_log.action CHECK constraint to include 'duplicate_card_subscription_canceled' — following the exact same drop-and-re-add pattern already established in migration 0125. All previously identified issues remain resolved.

Resolved Issues

File	Line	Issue	Status
apps/web/src/lib/kilo-pass/card-fingerprint-gate.ts	273	transactional_email_log marker inserted but never cleaned up when user?.google_user_email is falsy	✅ Fixed in d4ebe65
apps/web/src/lib/kilo-pass/stripe-handlers-invoice-paid.ts	520	Blocked subscription still triggers an affiliate sale event	✅ Fixed in d8fc024
apps/web/src/lib/stripe.ts	N/A	Raw SQL NOT IN string instead of Drizzle's notInArray	✅ Fixed in d46cf5f
apps/web/src/lib/kilo-pass/card-fingerprint-gate.ts	N/A	dbOrTx not threaded through checkDuplicateCardFingerprint	✅ Fixed
apps/web/src/lib/kilo-pass/card-fingerprint-gate.ts	N/A	FK violation: audit log and user-blocking run inside gate with dbOrTx param	✅ Fixed in a6e71caf5 — moved into handler tx

Files Reviewed (14 files)

• apps/web/src/emails/kiloPassDuplicateCardCanceled.html — clean
• apps/web/src/lib/email.ts — clean
• apps/web/src/lib/kilo-pass/card-fingerprint-gate.ts — clean; gate now purely handles Stripe API calls; DB writes moved to handler
• apps/web/src/lib/kilo-pass/card-fingerprint-gate.test.ts — clean; covers block, no-overwrite, re-sub same user, ended-sub, no-fingerprint, email dedup, and race-condition cases
• apps/web/src/lib/kilo-pass/stripe-handlers-invoice-paid.ts — clean; audit log, user-blocking, and subscription cancellation all within tx; failure audit wrapped in try-catch; blockedEmailParams correctly gated before email send
• packages/db/src/schema-types.ts — clean
• packages/db/src/schema.test.ts — clean
• packages/db/src/migrations/0148_worthless_aaron_stack.sql — clean
• packages/db/src/migrations/meta/0148_snapshot.json — generated, skipped
• packages/db/src/migrations/meta/_journal.json — generated, skipped
• packages/db/src/schema.ts (via grep) — blocked_at uses mode: 'string'; new Date().toISOString() matches convention
• apps/web/src/lib/user/index.ts (via grep) — softDeleteUser sets blocked_reason = 'soft-deleted at ...'; no GDPR concern
• apps/web/src/lib/stripe.ts (via grep) — notInArray used correctly; no raw SQL
• packages/db/src/migrations/0150_typical_scorpion.sql — clean; extends kilo_pass_audit_log.action CHECK constraint to include 'duplicate_card_subscription_canceled'; follows the same drop-and-re-add pattern established in migration 0125; generated snapshot/journal skipped

---

_{Reviewed by claude-sonnet-4.6 · 607,768 tokens}

_{Review guidance: REVIEW.md from base branch main}

[jrf0110]

Alright new requirement - we're also going to block the user that tried to buy a kilo pass with a duplicate credit card

[jrf0110]

Also, now that #3526 is merged, we need to make sure this PR properly supersedes that work

[jrf0110]

Implemented in commit 3360519. When the card fingerprint gate detects a duplicate card, the offending user's account is now blocked (blocked_reason = 'kilo_pass_duplicate_card', blocked_at set to current timestamp). This follows the same pattern as cancel-and-refund.ts — if the user is already blocked (blocked_reason IS NOT NULL), the existing block is preserved. The auth middleware already enforces blocked users at sign-in and API access points, so no additional enforcement code is needed.

[jrf0110]

Rebased onto main (which now includes PR #3526). The rebase was clean — no conflicts. The two features are complementary and work correctly together:

• PR feat(kilo-pass): guard welcome promo by payment fingerprint #3526 (welcome-promo fingerprint guard): prevents the introductory 50% promo from being claimed more than once per payment fingerprint. Operates at the promo/bonus level.
• This PR (card fingerprint gate): blocks duplicate card usage entirely — cancels the subscription, refunds the invoice, blocks the user, sends notification email.

When this PR's gate triggers (duplicate card detected), the subscription is canceled before the issuance/promo code runs, so #3526's welcome-promo logic is never reached for that invoice. When the gate does not trigger, #3526's code correctly applies the welcome-promo guard as before. No additional integration work was needed.