fix(billing): address DeepSeek gate findings on cron lock

- HIGH: restore (errors || desyncErrors) condition in dunningSweep exit code
  (regression introduced when wrapping with lock — would make K8s alerts silent)
- MEDIUM: wrap releaseLock in try/catch within finally to preserve original
  work error if both throw
- LOW: guard acquireLock against invalid ttlMs (must be positive finite)
- NIT: drop redundant setDefaultsOnInsert (all fields explicitly $set)

Addresses gate iteration 1 BLOCK.

Author: PierreBrisorgueil

lib/distributedLock.js

@@ -50,13 +50,16 @@ export const CronLock = mongoose.models.CronLock ?? mongoose.model('CronLock', L
  * @returns {Promise<boolean>}
  */
 export async function acquireLock({ name, ttlMs, holder }) {
+  if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
+    throw new Error(`acquireLock: ttlMs must be a positive number, received ${ttlMs}`);
+  }
   const now = new Date();
   const lockedUntil = new Date(now.getTime() + ttlMs);
   try {
     const result = await CronLock.findOneAndUpdate(
       { _id: name, lockedUntil: { $lt: now } },
       { $set: { lockedAt: now, lockedUntil, holder } },
-      { upsert: true, returnDocument: 'after', setDefaultsOnInsert: true },
+      { upsert: true, returnDocument: 'after' },
     );
     return result?.holder === holder;
   } catch (err) {

lib/tests/distributedLock.unit.tests.js

@@ -83,6 +83,20 @@ describe('distributedLock — acquireLock:', () => {
     await expect(acquireLock({ name: 'job-d', ttlMs: 60_000, holder: 'pod-1' })).rejects.toThrow('network timeout');
   });
 
+  test.each([
+    [0, 'zero'],
+    [-1, 'negative'],
+    [Number.NaN, 'NaN'],
+    [Infinity, 'Infinity'],
+    [undefined, 'undefined'],
+    [null, 'null'],
+  ])('throws when ttlMs is %s (%s)', async (ttlMs) => {
+    await expect(acquireLock({ name: 'job-guard', ttlMs, holder: 'pod-1' })).rejects.toThrow(
+      'acquireLock: ttlMs must be a positive number',
+    );
+    expect(mockFindOneAndUpdate).not.toHaveBeenCalled();
+  });
+
   test('lockedUntil is set to now + ttlMs', async () => {
     const before = Date.now();
     mockFindOneAndUpdate.mockResolvedValue({ holder: 'pod-1' });

modules/billing/crons/billing.dunningSweep.js

@@ -109,13 +109,18 @@ try {
       }
 
       logger.info('[cron.dunningSweep] complete', { processed, errors, desyncErrors, durationMs: Date.now() - startMs });
-      process.exitCode = errors > 0 ? 1 : 0;
+      process.exitCode = errors > 0 || desyncErrors > 0 ? 1 : 0;
     } finally {
       // releaseLock failure is non-fatal: lock auto-expires on TTL.
-      // If this throws, the outer catch logs "failed" and sets exitCode=1
-      // (misleading — the cron's actual work succeeded). Operators can grep
-      // for "failed to release lock" to distinguish.
-      await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      // Log separately to preserve any original work error.
+      try {
+        await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      } catch (releaseErr) {
+        logger.error(
+          { err: releaseErr, cron: LOCK_NAME },
+          '[cron.dunningSweep] failed to release lock — will auto-expire on TTL',
+        );
+      }
     }
   }
 } catch (err) {

modules/billing/crons/billing.extrasExpiration.js

@@ -82,10 +82,15 @@ try {
       process.exitCode = errors > 0 ? 1 : 0;
     } finally {
       // releaseLock failure is non-fatal: lock auto-expires on TTL.
-      // If this throws, the outer catch logs "failed" and sets exitCode=1
-      // (misleading — the cron's actual work succeeded). Operators can grep
-      // for "failed to release lock" to distinguish.
-      await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      // Log separately to preserve any original work error.
+      try {
+        await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      } catch (releaseErr) {
+        logger.error(
+          { err: releaseErr, cron: LOCK_NAME },
+          '[cron.extrasExpiration] failed to release lock — will auto-expire on TTL',
+        );
+      }
     }
   }
 } catch (err) {

modules/billing/crons/billing.weeklyReset.js

@@ -62,10 +62,15 @@ try {
       process.exitCode = result.errors > 0 ? 1 : 0;
     } finally {
       // releaseLock failure is non-fatal: lock auto-expires on TTL.
-      // If this throws, the outer catch logs "failed" and sets exitCode=1
-      // (misleading — the cron's actual work succeeded). Operators can grep
-      // for "failed to release lock" to distinguish.
-      await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      // Log separately to preserve any original work error.
+      try {
+        await releaseLock({ name: LOCK_NAME, holder: lockHolder });
+      } catch (releaseErr) {
+        logger.error(
+          { err: releaseErr, cron: LOCK_NAME },
+          '[cron.weeklyReset] failed to release lock — will auto-expire on TTL',
+        );
+      }
     }
   }
 } catch (err) {