feat(stripe): add early fraud warning persistence foundation #3552

Merged: RSO merged 1 commit into main from balanced-leotard, May 28, 2026

Conversation

@RSO (Contributor) commented May 28, 2026

Summary

  • Define the Stripe Early Fraud Warning enforcement contract and align KiloClaw, Impact, and organization-billing policies around personal-only enforcement and review-only organization cases.
  • Add inert stripe_early_fraud_warning_cases and stripe_early_fraud_warning_actions persistence with a generated Drizzle migration for the later automated enforcement rollout.
  • Preserve retained enforcement audit history during user soft deletion while nulling direct user linkage, with regression coverage for the new state.

Verification

N/A - this PR intentionally introduces an inactive persistence and specification foundation with no user-facing or enforcement behavior to exercise manually.

Visual Changes

N/A

Reviewer Notes

  • This is PR 1 of the planned two-step delivery. It does not ingest EFWs or execute blocks, refunds, cancellations, notices, payout reversals, cron work, or admin UI behavior.
  • Review the generated migration and GDPR null-link behavior closely; PR 2 will depend on these table and lifecycle contracts after deployment.

@RSO RSO marked this pull request as ready for review May 28, 2026 10:06
Comment thread .specs/kiloclaw-datamodel.md
Comment thread .specs/stripe-early-fraud-warnings.md
@kilo-code-bot (Bot, Contributor) commented May 28, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Well-structured persistence foundation for Stripe Early Fraud Warning enforcement: new tables, schema types, migration, GDPR lifecycle update, and spec changes are all consistent and correct.

Files Reviewed (11 files)
  • .specs/stripe-early-fraud-warnings.md — new spec, clean definitions and invariants
  • .specs/impact-affiliate-tracking.md — EFW reversal rules correctly integrated
  • .specs/impact-referrals.md — EFW adverse payment classification added
  • .specs/kiloclaw-billing.md — fraud-enforcement cancellation exception documented
  • .specs/kiloclaw-datamodel.md — fraud-enforcement mutation invariants added
  • .specs/team-enterprise-seat-billing.md — organization EFW review-only boundary defined
  • packages/db/src/schema.ts — two new tables with correct constraints, FK onDelete: 'restrict' on actions→cases prevents orphaned action records
  • packages/db/src/schema-types.ts — four new const/type pairs for all enum columns
  • packages/db/src/migrations/0145_awesome_wild_child.sql — generated migration is correct; all CREATE INDEX are on new empty tables so no CONCURRENTLY concern; FK add order is safe
  • apps/web/src/lib/user/index.ts — softDeleteUser correctly nulls kilo_user_id FK while retaining audit/fraud-correlation fields (consistent with how kilocode_users.stripe_customer_id is handled)
  • apps/web/src/lib/user/index.test.ts — GDPR regression test verifies case and action retention with user link nulled and confirms unaffected user is unchanged

Fix these issues in Kilo Cloud


Reviewed by claude-4.6-sonnet-20260217 · 2,136,257 tokens

Review guidance: REVIEW.md from base branch main
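
The two lifecycle properties discussed in this thread (soft deletion nulls the direct user link while case and action rows are retained, and `ON DELETE RESTRICT` on actions→cases prevents orphaned actions), as an added example that is not code from this PR, the repository, or either commenter. In-memory SQLite stands in for the project's database; the `users` table, every column except `kilo_user_id`, and all function names are assumptions.

```python
import sqlite3

# Only the two table names and kilo_user_id come from the PR thread; every
# other column, and the users table, is an assumption made for illustration.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT);
CREATE TABLE stripe_early_fraud_warning_cases (
  id INTEGER PRIMARY KEY,
  kilo_user_id TEXT REFERENCES users(id),   -- nullable direct user link
  stripe_customer_id TEXT NOT NULL          -- retained correlation field
);
CREATE TABLE stripe_early_fraud_warning_actions (
  id INTEGER PRIMARY KEY,
  case_id INTEGER NOT NULL
    REFERENCES stripe_early_fraud_warning_cases(id) ON DELETE RESTRICT,
  action TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    db.executescript(SCHEMA)
    # Constructed sample rows.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("u1", "a@example.test"), ("u2", "b@example.test")])
    db.executemany("INSERT INTO stripe_early_fraud_warning_cases VALUES (?, ?, ?)",
                   [(1, "u1", "cus_constructed_1"), (2, "u2", "cus_constructed_2")])
    db.execute("INSERT INTO stripe_early_fraud_warning_actions VALUES (1, 1, 'review')")
    db.commit()
    return db

def soft_delete_user(db, user_id):
    with db:  # one transaction: scrub the user and drop the link together
        db.execute("UPDATE users SET email = NULL WHERE id = ?", (user_id,))
        db.execute("UPDATE stripe_early_fraud_warning_cases "
                   "SET kilo_user_id = NULL WHERE kilo_user_id = ?", (user_id,))

def case_links(db):
    return db.execute("SELECT id, kilo_user_id, stripe_customer_id FROM "
                      "stripe_early_fraud_warning_cases ORDER BY id").fetchall()

def try_delete_case(db, case_id):  # False if ON DELETE RESTRICT blocks it
    try:
        with db:
            db.execute("DELETE FROM stripe_early_fraud_warning_cases "
                       "WHERE id = ?", (case_id,))
        return True
    except sqlite3.IntegrityError:
        return False
```
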

@RSO RSO merged commit d3b84f1 into main May 28, 2026
50 checks passed
@RSO RSO deleted the balanced-leotard branch May 28, 2026 10:55