fix(billing): treat incomplete subscriptions as fail-closed (#3624)

* fix(billing): treat incomplete subscriptions as fail-closed for quota

Adds 'incomplete' to failClosedStatuses in requireQuota meter-mode gate.
Previously, a status='incomplete' sub (initial payment failed, ~24h Stripe window)
fell through to the meter check, which read the paid plan quota from subscription.plan
when no BillingUsage doc existed — giving users full paid resources for free.
Now routes to free-plan quota like paused/unpaid/incomplete_expired. V8 audit C2.

* fix(billing): add canceled to fail-closed statuses + pin getMeter short-circuit

CodeRabbit pass 1 (PR #3624):
- Add 'canceled' to failClosedStatuses in meter mode — mirrors legacy-mode
  behavior (activeStatuses check) so canceled subs can't bleed paid quota
- Update comment: list all 5 statuses, clarify "routes to default/free-plan quota"
- Add getMeter.not.toHaveBeenCalled() assertion to pin fail-closed short-circuit
- Remove hard-coded quota number reference from test comment

Author: PierreBrisorgueil

modules/billing/middlewares/billing.requireQuota.js

@@ -58,11 +58,11 @@ function requireQuota(resource, action) {
         // ── Degraded-mode gate (past_due grace period) ─────────────────────
         const subscription = await SubscriptionRepository.findByOrganization(req.organization._id);
 
-        // Fail-closed statuses: paused, unpaid, incomplete_expired → always route to free quota.
+        // Fail-closed statuses: paused, unpaid, incomplete_expired, incomplete, canceled → always route to free quota.
         // These statuses fire as customer.subscription.updated (status field changes), so they
         // arrive here while the subscription doc may still hold a paid-tier meterQuota.
-        // Resetting to zero prevents paid-quota bleed-through on lapsed subscriptions.
-        const failClosedStatuses = ['paused', 'unpaid', 'incomplete_expired'];
+        // Routes to default/free-plan quota to prevent paid-quota bleed-through on lapsed/failed subscriptions.
+        const failClosedStatuses = ['paused', 'unpaid', 'incomplete_expired', 'incomplete', 'canceled'];
         if (subscription && failClosedStatuses.includes(subscription.status)) {
           const planId = getDefaultPlanId();
           const freePlan = BillingPlanService.getActivePlan(planId);

modules/billing/tests/billing.quota.unit.tests.js

@@ -594,5 +594,32 @@ describe('requireQuota middleware:', () => {
       const errData = JSON.parse(payload.error);
       expect(errData.type).toBe('METER_EXHAUSTED');
     });
+
+    // ── V8 audit C2: incomplete subscription must be fail-closed ─────────────
+
+    test('V8-C2: incomplete subscription + no BillingUsage doc → 402 METER_EXHAUSTED with free quota (not pro)', async () => {
+      // Org has status='incomplete' (initial payment failed, Stripe ~24h auto-cancel window).
+      // No BillingUsage doc exists yet for this brand-new subscription.
+      // The paid plan (pro) must NOT bleed through — fail-closed branch routes to free plan.
+      mockSubscriptionRepository.findByOrganization.mockResolvedValue({ plan: 'pro', status: 'incomplete' });
+      mockBillingUsageService.getMeter.mockResolvedValue(null);
+      mockBillingExtraBalanceRepository.getBalance.mockResolvedValue(0);
+      mockBillingPlanService.getActivePlan.mockReturnValue({ meterQuota: 0, version: 'v1' });
+
+      await requireQuota('scraps', 'create')(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(402);
+      const payload = res.json.mock.calls[0][0];
+      const errData = JSON.parse(payload.error);
+      expect(errData.type).toBe('METER_EXHAUSTED');
+      // Free plan quota (0), not the pro paid quota
+      expect(errData.meterQuota).toBe(0);
+      // getActivePlan called with the free/default plan id, not 'pro'
+      expect(mockBillingPlanService.getActivePlan).toHaveBeenCalledWith('free');
+      expect(mockBillingPlanService.getActivePlan).not.toHaveBeenCalledWith('pro');
+      // Fail-closed branch must short-circuit before the meter check
+      expect(mockBillingUsageService.getMeter).not.toHaveBeenCalled();
+    });
   });
 });