feat(pentest): subscription billing + GitHub repo selector (#2212)

* feat(pentest): subscription-based billing model

Replaces the mock checkout redirect with an inline subscription billing
model. Organizations subscribe to a monthly plan (3 runs included) and
overage runs are charged immediately via Stripe PaymentIntent at run
creation time — no redirect required.

- Add PentestSubscription DB model (organization relation, period tracking)
- Add billing server actions: subscribeToPentestPlan, handleSubscriptionSuccess,
  checkAndChargePentestBilling (blocks run creation on billing failure)
- Add /[orgId]/security/penetration-tests/subscription management page
- Add /api/webhooks/stripe-pentest webhook handler (subscription updated/deleted)
- Remove mockCheckout from API DTO and client types
- Update useCreatePenetrationTest to call billing check before API post
- Update page client: remove checkout redirect/search-param handling,
  navigate directly to report detail on success
- Add STRIPE_PENTEST_SUBSCRIPTION_PRICE_ID, STRIPE_PENTEST_OVERAGE_PRICE_ID,
  STRIPE_PENTEST_WEBHOOK_SECRET env vars
- Delete mock checkout page
- Update all tests to reflect new flow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(billing): use SubscriptionItem for period dates in Stripe SDK v20+

In stripe@20.x with API version 2025-12-15.clover, current_period_start
and current_period_end were moved from the root Subscription type to
SubscriptionItem. Read them via subscription.items.data[0] instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(security): add Pentest Billing tab and Stripe billing portal

- Add "Pentest Billing" as a second tab in SecuritySidebar, pointing to
  the existing subscription management page
- Fix active-tab detection so Penetration Tests doesn't stay highlighted
  when on the Billing sub-page
- Add createBillingPortalSession server action so active subscribers can
  manage their payment method via Stripe's hosted portal
- Fix return URL to use NEXT_PUBLIC_BETTER_AUTH_URL (was using
  NEXT_PUBLIC_APP_URL which isn't defined)
- Fix subscribe button copy to reflect actual price ($99/month)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(pentest): address PR review findings

P1 — billing auth: validate session and org membership in
checkAndChargePentestBilling before any DB/Stripe calls, so a caller
cannot trigger billing against an org they don't belong to.

P1 — billing order: move checkAndChargePentestBilling to after successful
run creation so a transient provider failure never charges the customer
without delivering a run. Threshold adjusted from `<` to `<=` so the
included-run count is still respected once the new run is counted in DB.

P2 — GitHub token key: integration-platform GitHub connections use OAuth2
and store the token under `access_token`; fix getGithubTokenForOrg to
read that field instead of the legacy PAT key `GITHUB_TOKEN`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(billing): lift stripeCustomerId to OrganizationBilling + Settings > Billing hub

- Add OrganizationBilling model (one per org, owns stripeCustomerId) so
  future subscription products share a single Stripe customer
- PentestSubscription now relates to OrganizationBilling via FK instead
  of owning stripeCustomerId directly
- New Settings > Billing page as the single hub for all app subscriptions
- Remove Pentest Billing tab from Security sidebar
- Delete old /security/penetration-tests/subscription page
- Update "Manage subscription" link to /settings/billing
- Add requireOrgMember() guard to all four billing server actions
  (subscribeToPentestPlan, handleSubscriptionSuccess, createBillingPortalSession
  were previously missing the cross-tenant auth check)
- Validate Stripe session ownership in handleSubscriptionSuccess:
  reject if session customer doesn't match existing org billing record

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(webhook): handle checkout.session.completed to activate subscription server-side

Previously, PentestSubscription was only created when the user returned to
the /settings/billing success URL. If they closed the tab or the browser
crashed after Stripe Checkout, the subscription would never activate.

The webhook is now the primary activation path:
- checkout.session.completed → look up OrganizationBilling by stripeCustomerId,
  retrieve full subscription, upsert PentestSubscription
- handleSubscriptionSuccess on the return URL becomes an idempotent fallback
  (safe to call again since both paths use upsert)

Note: checkout.session.completed must be added to the Stripe webhook's
event subscriptions in the dashboard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(billing): harden Stripe customer binding and URL construction

- Remove findStripeCustomerByDomain fallback in subscribeToPentestPlan:
  organization.website is tenant-controlled so domain-based customer
  reuse could let a malicious org bind to another company's Stripe
  customer. Always create a fresh customer when no billing row exists.

- Strengthen handleSubscriptionSuccess session ownership check:
  previously only rejected mismatched customers when an OrganizationBilling
  row already existed. Now if no row exists (edge case — subscribeToPentestPlan
  always creates one first), verify the Stripe customer's metadata.organizationId
  matches before accepting the session.

- Fix Stripe return URLs to always be absolute: derive origin from
  NEXT_PUBLIC_BETTER_AUTH_URL with a request-header fallback so Stripe
  never receives a relative URL when the env var is unset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(billing): deduplicate concurrent overage charges + preserve manual repo URL input

- Add Stripe idempotency key to paymentIntents.create scoped to
  orgId + period start + run number; concurrent creates at the quota
  boundary now deduplicate to a single charge instead of double-billing

- Show manual URL input alongside the GitHub repo selector so users
  with more than 100 repos (beyond the first-page fetch) can still
  paste a repo URL directly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(billing): use per-run ID for overage charge idempotency key

The previous key used `runsThisPeriod` (an aggregate count), meaning
two concurrent creates could observe the same count and share the same
key — Stripe would deduplicate to a single PaymentIntent even when two
separate overage runs were billed.

Replace with `pentest-overage-{orgId}-{runId}` so each run gets a
globally unique idempotency key, eliminating the underbilling race.

Also include Codex-added tests for the GitHub connection UI flow.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: claudfuen

apps/api/src/security-penetration-tests/dto/create-penetration-test.dto.ts

@@ -51,16 +51,6 @@ export class CreatePenetrationTestDto {
   @IsString()
   workspace?: string;
 
-  @ApiPropertyOptional({
-    description:
-      'Set false to reject non-mocked checkout flows for strict behavior',
-    required: false,
-    default: true,
-  })
-  @IsOptional()
-  @IsBoolean()
-  mockCheckout?: boolean;
-
   @ApiPropertyOptional({
     description: 'Optional webhook URL to notify when report generation completes',
     required: false,

apps/api/src/security-penetration-tests/security-penetration-tests.controller.ts

@@ -76,6 +76,21 @@ export class SecurityPenetrationTestsController {
     return this.service.createReport(organizationId, body);
   }
 
+  @Get('github/repos')
+  @UseGuards(HybridAuthGuard)
+  @ApiOperation({
+    summary: 'List accessible GitHub repositories',
+    description:
+      'Returns GitHub repositories accessible with the connected GitHub integration.',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Repository list returned',
+  })
+  async listGithubRepos(@OrganizationId() organizationId: string) {
+    return this.service.listGithubRepos(organizationId);
+  }
+
   @Get(':id')
   @UseGuards(HybridAuthGuard)
   @ApiOperation({

apps/api/src/security-penetration-tests/security-penetration-tests.module.ts

@@ -1,10 +1,11 @@
 import { Module } from '@nestjs/common';
 import { AuthModule } from '../auth/auth.module';
+import { IntegrationPlatformModule } from '../integration-platform/integration-platform.module';
 import { SecurityPenetrationTestsController } from './security-penetration-tests.controller';
 import { SecurityPenetrationTestsService } from './security-penetration-tests.service';
 
 @Module({
-  imports: [AuthModule],
+  imports: [AuthModule, IntegrationPlatformModule],
   controllers: [SecurityPenetrationTestsController],
   providers: [SecurityPenetrationTestsService],
 })

apps/api/src/security-penetration-tests/security-penetration-tests.service.spec.ts

@@ -1,9 +1,14 @@
 import { HttpException, HttpStatus } from '@nestjs/common';
 import { db } from '@trycompai/db';
 import { createHash } from 'node:crypto';
+import type { CredentialVaultService } from '../integration-platform/services/credential-vault.service';
 import type { CreatePenetrationTestDto } from './dto/create-penetration-test.dto';
 import { SecurityPenetrationTestsService } from './security-penetration-tests.service';
 
+const mockCredentialVaultService: jest.Mocked<Pick<CredentialVaultService, 'getDecryptedCredentials'>> = {
+  getDecryptedCredentials: jest.fn(),
+};
+
 jest.mock('@trycompai/db', () => ({
   db: {
     securityPenetrationTestRun: {
@@ -16,6 +21,12 @@ jest.mock('@trycompai/db', () => ({
       findUnique: jest.fn(),
       update: jest.fn(),
     },
+    integrationProvider: {
+      findUnique: jest.fn(),
+    },
+    integrationConnection: {
+      findFirst: jest.fn(),
+    },
   },
 }));
 
@@ -30,6 +41,12 @@ type MockDb = {
     findUnique: jest.Mock;
     update: jest.Mock;
   };
+  integrationProvider: {
+    findUnique: jest.Mock;
+  };
+  integrationConnection: {
+    findFirst: jest.Mock;
+  };
 };
 
 describe('SecurityPenetrationTestsService', () => {
@@ -58,7 +75,9 @@ describe('SecurityPenetrationTestsService', () => {
 
   beforeEach(() => {
     process.env.MACED_API_KEY = 'test-maced-api-key';
-    service = new SecurityPenetrationTestsService();
+    service = new SecurityPenetrationTestsService(
+      mockCredentialVaultService as unknown as CredentialVaultService,
+    );
     fetchMock.mockReset();
     global.fetch = fetchMock as unknown as typeof fetch;
     mockedDb.securityPenetrationTestRun.upsert.mockResolvedValue({});
@@ -77,6 +96,10 @@ describe('SecurityPenetrationTestsService', () => {
       }),
     });
     mockedDb.secret.update.mockResolvedValue({});
+    // Default: no GitHub integration connected — getGithubTokenForOrg returns null
+    mockedDb.integrationProvider.findUnique.mockResolvedValue(null);
+    mockedDb.integrationConnection.findFirst.mockResolvedValue(null);
+    mockCredentialVaultService.getDecryptedCredentials.mockResolvedValue(null);
     jest.clearAllMocks();
   });
 

apps/api/src/security-penetration-tests/security-penetration-tests.service.ts

@@ -9,6 +9,7 @@ import {
 import { db } from '@trycompai/db';
 import { createHash, timingSafeEqual } from 'node:crypto';
 
+import { CredentialVaultService } from '../integration-platform/services/credential-vault.service';
 import type { CreatePenetrationTestDto } from './dto/create-penetration-test.dto';
 import {
   MacedClient,
@@ -17,6 +18,14 @@ import {
   type MacedPentestRun,
 } from './maced-client';
 
+export interface GithubRepo {
+  id: number;
+  name: string;
+  fullName: string;
+  private: boolean;
+  htmlUrl: string;
+}
+
 export type PentestReportStatus =
   | 'provisioning'
   | 'cloning'
@@ -84,6 +93,9 @@ interface PersistedWebhookHandshake {
 export class SecurityPenetrationTestsService {
   private readonly logger = new Logger(SecurityPenetrationTestsService.name);
   private readonly macedClient = new MacedClient();
+
+  constructor(private readonly credentialVaultService: CredentialVaultService) {}
+
   private readonly canonicalWebhookPath = '/v1/security-penetration-tests/webhook';
   private readonly defaultWebhookBaseUrl = 'https://api.trycomp.ai';
   private readonly defaultCompWebhookHosts = new Set([
@@ -118,7 +130,16 @@ export class SecurityPenetrationTestsService {
   ): Promise<SecurityPenetrationTest> {
     const resolvedWebhookUrl = this.resolveWebhookUrl(payload.webhookUrl);
 
-    const sanitizedPayload = {
+    const sanitizedPayload: {
+      targetUrl: string;
+      repoUrl?: string;
+      githubToken?: string;
+      configYaml?: string;
+      pipelineTesting?: boolean;
+      testMode?: boolean;
+      workspace?: string;
+      webhookUrl?: string;
+    } = {
       targetUrl: payload.targetUrl,
       repoUrl: payload.repoUrl,
       githubToken: payload.githubToken,
@@ -129,6 +150,14 @@ export class SecurityPenetrationTestsService {
       webhookUrl: resolvedWebhookUrl,
     };
 
+    if (
+      payload.repoUrl?.startsWith('https://github.com/') &&
+      !sanitizedPayload.githubToken
+    ) {
+      sanitizedPayload.githubToken =
+        (await this.getGithubTokenForOrg(organizationId)) ?? undefined;
+    }
+
     const createdReport = await this.macedClient.createPentest(sanitizedPayload);
 
     const providerRunId = createdReport.id;
@@ -193,6 +222,51 @@ export class SecurityPenetrationTestsService {
     return this.mapMacedRunToSecurityPenetrationTest(createdReport);
   }
 
+  async listGithubRepos(
+    organizationId: string,
+  ): Promise<{ repos: GithubRepo[]; connected: boolean }> {
+    const token = await this.getGithubTokenForOrg(organizationId);
+    if (!token) {
+      return { repos: [], connected: false };
+    }
+
+    try {
+      const response = await fetch(
+        'https://api.github.com/user/repos?per_page=100&sort=updated&affiliation=owner,collaborator,organization_member',
+        {
+          headers: {
+            Authorization: `Bearer ${token}`,
+            Accept: 'application/vnd.github+json',
+          },
+        },
+      );
+
+      if (!response.ok) {
+        this.logger.warn(
+          `GitHub repos API returned ${response.status} for org=${organizationId}`,
+        );
+        return { repos: [], connected: true };
+      }
+
+      const raw = (await response.json()) as Array<Record<string, unknown>>;
+      const repos: GithubRepo[] = raw.map((r) => ({
+        id: r.id as number,
+        name: r.name as string,
+        fullName: r.full_name as string,
+        private: r.private as boolean,
+        htmlUrl: r.html_url as string,
+      }));
+
+      return { repos, connected: true };
+    } catch (error) {
+      this.logger.error(
+        `Failed to fetch GitHub repos for org=${organizationId}`,
+        error instanceof Error ? error.message : String(error),
+      );
+      return { repos: [], connected: true };
+    }
+  }
+
   async getReport(organizationId: string, id: string): Promise<SecurityPenetrationTest> {
     await this.assertRunOwnership(organizationId, id);
     const report = await this.macedClient.getPentest(id);
@@ -320,6 +394,45 @@ export class SecurityPenetrationTestsService {
     };
   }
 
+  private async getGithubTokenForOrg(organizationId: string): Promise<string | null> {
+    try {
+      const provider = await db.integrationProvider.findUnique({
+        where: { slug: 'github' },
+        select: { id: true },
+      });
+
+      if (!provider) {
+        return null;
+      }
+
+      const connection = await db.integrationConnection.findFirst({
+        where: {
+          providerId: provider.id,
+          organizationId,
+          status: 'active',
+        },
+        select: { id: true },
+      });
+
+      if (!connection) {
+        return null;
+      }
+
+      const credentials = await this.credentialVaultService.getDecryptedCredentials(
+        connection.id,
+      );
+
+      const token = credentials?.access_token;
+      return typeof token === 'string' && token.length > 0 ? token : null;
+    } catch (error) {
+      this.logger.warn(
+        `Could not retrieve GitHub token for org=${organizationId}`,
+        error instanceof Error ? error.message : String(error),
+      );
+      return null;
+    }
+  }
+
   private trimTrailingSlashes(value: string): string {
     let end = value.length;
     while (end > 1 && value.charCodeAt(end - 1) === 47) {

apps/app/.env.example

@@ -63,4 +63,12 @@ NOVU_API_KEY=
 NEXT_PUBLIC_NOVU_APPLICATION_IDENTIFIER=
 
 # Internal API Authentication
-INTERNAL_API_TOKEN= # Shared secret for internal API calls (must match API's)
+INTERNAL_API_TOKEN= # Shared secret for internal API calls (must match API's)
+
+# Stripe
+STRIPE_SECRET_KEY= # Stripe secret key (sk_live_... or sk_test_...)
+
+# Pentest Subscription Billing
+STRIPE_PENTEST_SUBSCRIPTION_PRICE_ID= # Monthly subscription price ID (price_...)
+STRIPE_PENTEST_OVERAGE_PRICE_ID= # Per-run overage price ID (price_...)
+STRIPE_PENTEST_WEBHOOK_SECRET= # Webhook signing secret (whsec_...) from Stripe dashboard or CLI

apps/app/src/app/(app)/[orgId]/components/AppShellWrapper.tsx

@@ -282,7 +282,7 @@ function AppShellWrapperContent({
                 }
               />
               {isSettingsActive ? (
-                <SettingsSidebar orgId={organization.id} showBrowserTab={isWebAutomationsEnabled} />
+                <SettingsSidebar orgId={organization.id} showBrowserTab={isWebAutomationsEnabled} showBillingTab={isSecurityEnabled} />
               ) : isTrustActive ? (
                 <TrustSidebar orgId={organization.id} />
               ) : isSecurityActive && isSecurityEnabled ? (

apps/app/src/app/(app)/[orgId]/security/components/SecuritySidebar.tsx

@@ -8,26 +8,18 @@ interface SecuritySidebarProps {
   orgId: string;
 }
 
-type SecurityNavItem = {
-  id: string;
-  label: string;
-  path: string;
-};
-
 export function SecuritySidebar({ orgId }: SecuritySidebarProps) {
   const pathname = usePathname() ?? '';
 
-  const items: SecurityNavItem[] = [
+  const items = [
     {
       id: 'penetration-tests',
       label: 'Penetration Tests',
       path: `/${orgId}/security/penetration-tests`,
     },
   ];
 
-  const isPathActive = (path: string) => {
-    return pathname.startsWith(path);
-  };
+  const isPathActive = (path: string) => pathname.startsWith(path);
 
   return (
     <AppShellNav>