Refactor billing module

backend/spec/billing.md

@@ -2,29 +2,26 @@
 
 Billing encapsulates logic related to synchronizing state with Stripe, processing payments via NWC, and managing subscription lifecycle.
 
+It owns the domain logic only: every raw Stripe REST call goes through the `Stripe` wrapper (see `spec/stripe.md`), and every Lightning (NWC) wallet operation and the fiat-minor-units → millisatoshi conversion go through the helpers in `spec/bitcoin.md`.
+
 Members:
 
-- `nwc_url: String` - a nostr wallet connect URL used to **create** bolt11 invoices (i.e. receive payments), from `NWC_URL`
-- `stripe_secret_key: String` - Stripe API key used for billing API operations, from `STRIPE_SECRET_KEY`
-- `stripe_webhook_secret: String` - secret for verifying Stripe webhook signatures, from `STRIPE_WEBHOOK_SECRET`
+- `stripe: Stripe` - thin wrapper around the Stripe REST API (see `spec/stripe.md`), built from `STRIPE_SECRET_KEY` / `STRIPE_WEBHOOK_SECRET`
+- `bitcoin: Bitcoin` - the Bitcoin-facing config: system NWC wallet (`NWC_URL`) plus the BTC price-feed HTTP client (see `spec/bitcoin.md`)
 - `query: Query`
 - `command: Command`
 - `robot: Robot`
 
 ## `pub fn new(query: Query, command: Command, robot: Robot) -> Self`
 
-- Reads environment and populates members
-- Panics if `STRIPE_SECRET_KEY` is missing/empty
-- Panics if `STRIPE_WEBHOOK_SECRET` is missing/empty
+- Builds `stripe` via `Stripe::from_env()` and `bitcoin` via `Bitcoin::from_env()`
+- Panics if `STRIPE_SECRET_KEY` or `STRIPE_WEBHOOK_SECRET` is missing/empty (`NWC_URL` is optional)
 
 ## `pub fn start(&self)`
 
 - Subscribes to `command.notify.subscribe()`
-- On `create_relay`, `update_relay`, `activate_relay`, `deactivate_relay`, `fail_relay_sync`, and `complete_relay_sync`, call `self.sync_relay_subscription`.
-
-## `pub fn sync_relay_subscription(&self, activity: &Activity)`
-
-Resolves the relay associated with `activity` and reconciles that relay's tenant via `sync_tenant_subscription`. The startup/lagged reconcile loop calls `sync_tenant_subscription` for every tenant.
+- On `create_relay`, `update_relay`, `activate_relay`, `deactivate_relay`, `fail_relay_sync`, and `complete_relay_sync`: resolve the relay named by the activity (skip if it no longer exists) and reconcile its tenant via `sync_tenant_subscription`.
+- The startup/lagged reconcile loop calls `sync_tenant_subscription` for every tenant.
 
 ## `fn sync_tenant_subscription(&self, tenant_pubkey: &str)`
 
@@ -44,8 +41,8 @@ Stripe uses **pay-in-advance** by default: when a subscription is first created,
 
 ## `pub fn handle_webhook(&self, payload: &str, signature: &str) -> Result<()>`
 
-- Verify the webhook signature using `self.stripe_webhook_secret`
-- Parse the event and dispatch by type:
+- Verify and parse the event via `self.stripe.construct_event(payload, signature)` (checks the `Stripe-Signature` HMAC and timestamp tolerance — see `spec/stripe.md`)
+- Dispatch by type:
   - `invoice.created` -> `self.handle_invoice_created`
   - `invoice.paid` -> `self.handle_invoice_paid`
   - `invoice.payment_failed` -> `self.handle_invoice_payment_failed`
@@ -55,56 +52,69 @@ Stripe uses **pay-in-advance** by default: when a subscription is first created,
   - `payment_method.attached` -> `self.handle_payment_method_attached`
 - Unknown event types are ignored (return Ok)
 
+## `pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String>`
+
+- Resolves a display name via `robot.fetch_nostr_name(tenant_pubkey)`, falling back to the first 8 chars of the pubkey
+- Creates the Stripe customer via `stripe.create_customer(display_name, tenant_pubkey)` and returns its id
+
 ## `pub async fn stripe_list_invoices(&self, customer_id: &str) -> Result<Value>`
 
-- Fetches invoices from Stripe API for the given customer
-- Returns the `data` array from the Stripe response
+- Delegates to `stripe.list_invoices` — returns the `data` array of the customer's invoices
 
-## `pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<Value>`
+## `pub async fn stripe_create_portal_session(&self, customer_id: &str, return_url: Option<&str>) -> Result<String>`
 
-- Fetches a single invoice from Stripe API by ID
-- Returns the full Stripe invoice object
+- Delegates to `stripe.create_portal_session` — returns the Customer Portal session URL
 
-## `pub async fn create_bolt11(&self, amount_due_cents: i64) -> Result<String>`
+## `pub async fn get_invoice_with_tenant(&self, invoice_id: &str) -> Result<(Value, Tenant), InvoiceLookupError>`
 
-- Creates a bolt11 Lightning invoice for the given amount using the system NWC wallet (`self.nwc_url`)
+- Fetches the invoice via `stripe.get_invoice` (a Stripe 4xx surfaces as `InvoiceLookupError::StripeClient`)
+- Looks up the tenant by the invoice's `customer` field; errors if the invoice has no customer or no tenant matches
+
+## `pub async fn reconcile_manual_lightning_invoice(&self, invoice_id: &str, invoice: &Value) -> Result<Value, InvoiceLookupError>`
+
+If `invoice.status == "open"` and a manual-Lightning bolt11 was previously issued for it (`query.get_invoice_manual_lightning_bolt11`), check whether that bolt11 has settled (`bitcoin.system_wallet().invoice_settled(...)`). If it has, mark the Stripe invoice paid out of band (`stripe.pay_invoice_out_of_band`) and return the refreshed invoice. On any lookup/settlement failure, log and return the invoice unchanged.
+
+## `pub async fn get_or_create_manual_lightning_bolt11(&self, invoice_id: &str, tenant_pubkey: &str, amount_due_minor: i64, currency: &str) -> Result<String>`
+
+- Returns the existing bolt11 if one is already recorded for the invoice
+- Otherwise creates one via `create_bolt11`, records it with `command.insert_manual_lightning_invoice_payment`, and returns it (re-reading the stored row if the insert lost a race)
+
+## `pub async fn create_bolt11(&self, amount_due_minor: i64, currency: &str) -> Result<String>`
+
+- Converts the fiat amount to msats via `bitcoin.fiat_minor_to_msats` (fetches the live BTC spot price — see `spec/bitcoin.md`)
+- Issues a bolt11 invoice for that amount on the system NWC wallet (`bitcoin.system_wallet().make_invoice(...)`)
 - Returns the bolt11 invoice string
 
-## `pub async fn stripe_create_portal_session(&self, customer_id: &str) -> Result<String>`
-
-- Creates a Stripe Customer Portal session for the given customer
-- Returns the portal session URL
-
 ## `pub async fn pay_outstanding_nwc_invoices(&self, tenant: &Tenant) -> Result<()>`
 
 Called when a tenant first sets their NWC URL (via `PUT /tenants/:pubkey`). Attempts to pay any currently open invoices for the tenant using their NWC wallet, so that invoices created before NWC was configured are not left unpaid.
 
 - If `tenant.nwc_url` is empty, return early.
-- List all Stripe invoices for `tenant.stripe_customer_id` via `stripe_list_invoices`.
+- List all Stripe invoices for `tenant.stripe_customer_id` via `stripe.list_invoices`.
 - For each invoice with `status == "open"` and `amount_due > 0`:
   - Attempt NWC payment via `nwc_pay_invoice`.
-  - On success: call `stripe_pay_invoice_out_of_band` and `command.clear_tenant_nwc_error`.
+  - On success: mark the Stripe invoice paid out of band (`stripe.pay_invoice_out_of_band`) and call `command.clear_tenant_nwc_error`.
   - On failure: call `command.set_tenant_nwc_error` and log the error; continue to the next invoice.
 
 ## `pub async fn pay_outstanding_card_invoices(&self, tenant: &Tenant) -> Result<()>`
 
 Attempts Stripe-side collection for open invoices when the tenant has a card on file.
 
-- If tenant has no card payment method, return early.
-- List all Stripe invoices for `tenant.stripe_customer_id`.
+- If tenant has no card payment method (`stripe.has_payment_method`), return early.
+- List all Stripe invoices for `tenant.stripe_customer_id` via `stripe.list_invoices`.
 - For each invoice with `status == "open"` and `amount_due > 0`:
-  - Call Stripe `POST /v1/invoices/:id/pay` to retry collection using the card on file.
+  - Call `stripe.pay_invoice` to retry collection using the card on file.
   - Log and continue on failures.
 
 ## `fn handle_invoice_created(&self, invoice: &Invoice)`
 
 Attempts to pay a new subscription invoice. Because Stripe defaults to pay-in-advance, this webhook fires immediately when a subscription is created (i.e. when a paid relay is added or a plan is upgraded). Payment priority:
 
-1. **NWC auto-pay**: If the tenant has a `nwc_url`:
-   - Create a bolt11 Lightning invoice for the invoice amount using `self.nwc_url` (the receiving/system wallet)
-   - Pay the bolt11 invoice using the tenant's `nwc_url` (the spending/tenant wallet)
-   - If payment succeeds: call Stripe `POST /v1/invoices/:id/pay` with `paid_out_of_band: true`. Clear `nwc_error` via `command.clear_tenant_nwc_error`.
-   - If payment fails: set `nwc_error` on tenant via `command.set_tenant_nwc_error`. Fall through to next option.
+1. **NWC auto-pay**: If the tenant has a `nwc_url`, run `nwc_pay_invoice` (decrypting the tenant's stored `nwc_url` first):
+   - The system wallet (`bitcoin.system_wallet()`) issues a bolt11 invoice for the fiat amount; the tenant's wallet (`Wallet::parse` of the decrypted URL) pays it. A `pending` row in `invoice_nwc_payment` guards against double-charging across retries.
+   - If payment succeeds: mark the Stripe invoice paid out of band (`stripe.pay_invoice_out_of_band`) and clear `nwc_error` via `command.clear_tenant_nwc_error`. Done.
+   - If it fails before any charge could have gone out: set `nwc_error` on the tenant via `command.set_tenant_nwc_error`, and fall through to the next option (carrying a short summary of the error into the eventual DM).
+   - If it fails after a charge may have gone out (needs reconciliation): set `nwc_error` and return the error without falling through — a human must reconcile before any retry.
 2. **Card on file**: If the tenant has a payment method on the Stripe customer, do nothing here — Stripe will charge automatically for this invoice attempt.
 3. **Manual payment**: If neither NWC nor card is available, send a DM via `robot.send_dm` notifying the tenant that payment is due with a link to the application for manual Lightning payment.
 

backend/spec/bitcoin.md

@@ -0,0 +1,62 @@
+# `bitcoin` — Bitcoin / Lightning helpers
+
+Small wrappers around the Bitcoin-facing services the app talks to: Nostr Wallet Connect (NWC) wallets for Lightning invoices/payments, and a fiat↔BTC spot price feed, plus the fiat-minor-units → millisatoshi conversion that ties them together. The billing-specific orchestration (which wallet pays which invoice, double-charge guards, DMs, etc.) lives in `spec/billing.md`.
+
+## `pub struct Bitcoin`
+
+Owns the app's Bitcoin-facing configuration: the system NWC wallet URL (the wallet used to *receive* payments — issue and look up bolt11 invoices) and the HTTP client used for the fiat↔BTC spot price feed.
+
+Members:
+
+- `system_nwc_url: String` - from `NWC_URL`
+- `http: reqwest::Client`
+
+### `pub fn from_env() -> Self`
+
+Reads `NWC_URL` (the system / receiving wallet) and constructs a fresh `reqwest::Client`. Unlike the Stripe keys, `NWC_URL` is **optional**: if it's unset, Lightning operations fail at use time with a clear error rather than panicking at startup. This is what `Billing::new` calls.
+
+### `pub fn system_wallet(&self) -> Result<Wallet>`
+
+Returns the system `Wallet` (parsed from `system_nwc_url` with label `"system"`). Errors if `NWC_URL` is unset or malformed.
+
+### `pub async fn fiat_minor_to_msats(&self, amount_due_minor: i64, currency: &str) -> Result<u64>`
+
+Fetches the live BTC spot price (via `btc_spot_price_from_base` against Coinbase) for `currency` and converts `amount_due_minor` to millisatoshis via `fiat_minor_to_msats_from_quote`. `currency` is upper-cased before use.
+
+## `pub struct Wallet`
+
+A handle to a single NWC wallet. Each operation opens a fresh NWC connection and tears it down (`shutdown`) afterwards.
+
+Member:
+
+- `uri: NostrWalletConnectURI` - the parsed `nostr+walletconnect://…` URI
+
+### `pub fn parse(uri: &str, label: &str) -> Result<Self>`
+
+Parses an `nostr+walletconnect://` URI. `label` (e.g. `"system"` / `"tenant"`) only flavours the error message — `invalid {label} NWC URL` — so callers can tell which wallet was misconfigured.
+
+### `pub async fn make_invoice(&self, amount_msats: u64, description: &str) -> Result<String>`
+
+Issues a bolt11 invoice for `amount_msats` with the given description. Returns the bolt11 string.
+
+### `pub async fn pay_invoice(&self, bolt11: String) -> Result<()>`
+
+Pays a bolt11 invoice.
+
+### `pub async fn invoice_settled(&self, bolt11: &str) -> Result<bool>`
+
+Looks up a bolt11 invoice (previously issued by this wallet) and returns whether it has settled — true if the transaction state is `Settled` or `settled_at` is present.
+
+## `pub async fn btc_spot_price_from_base(http: &reqwest::Client, api_base: &str, currency: &str) -> Result<f64>`
+
+Fetches the BTC spot price denominated in `currency` (an ISO-4217 code) from a Coinbase-shaped API at `api_base` (`{api_base}/BTC-{currency}/spot`); production callers reach it via `Bitcoin::fiat_minor_to_msats` with the real Coinbase base, while tests can point it at a stub. Errors if the quote is missing, unparseable, or non-positive.
+
+## `pub fn fiat_minor_to_msats_from_quote(amount_due_minor: i64, currency: &str, btc_price_in_fiat: f64) -> Result<u64>`
+
+Converts a fiat amount expressed in minor units (cents, etc.) to millisatoshis, given a BTC price quote in that currency.
+
+- Errors if `amount_due_minor <= 0` or `btc_price_in_fiat <= 0`
+- Converts minor units to a major-unit amount using the currency's decimal exponent (most currencies 2; `JPY`/`KRW`/… 0; `BHD`/`KWD`/… 3 — following Stripe's currency conventions; an unrecognized or malformed code is an error)
+- `msats = (amount_fiat / btc_price_in_fiat) * 100_000_000_000`
+- Rounds **up** so we never under-charge, but snaps to the nearest integer when within `1e-6` of one to avoid floating-point artifacts at integer boundaries
+- Errors if the result is non-finite, non-positive, or exceeds `u64::MAX`

backend/spec/stripe.md

@@ -0,0 +1,113 @@
+# `pub struct Stripe`
+
+A thin async wrapper around the subset of the Stripe REST API this service uses. It knows nothing about relays, tenants, or the database — it just speaks HTTP to Stripe and returns `serde_json::Value` (or small typed results). The domain logic that drives it lives in `spec/billing.md`.
+
+Members:
+
+- `secret_key: String` - Stripe API key, used as the bearer token and as the HMAC key for idempotency keys
+- `webhook_secret: String` - secret for verifying Stripe webhook signatures
+- `http: reqwest::Client`
+
+All requests authenticate with `secret_key` via `Authorization: Bearer`. Write requests that must not be retried twice (customer/subscription/item creation, invoice payment) send a deterministic `Idempotency-Key` derived by HMAC-ing the operation name and its arguments with `secret_key`. Reconcile-to-desired-state writes (e.g. setting an item quantity) intentionally omit the idempotency key, since re-applying the same target is a no-op.
+
+On any 4xx/5xx response, the wrapper reads the body and folds Stripe's JSON error payload (`error.message` / `error.type` / `error.code` / `error.param`) into the returned error so callers get an actionable message instead of a bare status line.
+
+## `pub fn from_env() -> Self`
+
+Reads `STRIPE_SECRET_KEY` and `STRIPE_WEBHOOK_SECRET` (both required) and constructs the client. Panics if either is missing or blank. This is what `Billing::new` calls.
+
+## `pub fn new(secret_key: String, webhook_secret: String) -> Self`
+
+Constructs the client with a fresh `reqwest::Client` from explicit keys (does not touch the environment).
+
+## `pub async fn create_customer(&self, name: &str, tenant_pubkey: &str) -> Result<String>`
+
+- `POST /v1/customers` with `name` and `metadata[tenant_pubkey]`
+- Idempotent on `tenant_pubkey`
+- Returns the new customer id; errors if it isn't a `cus_…` id
+
+## `pub async fn get_subscription(&self, subscription_id: &str) -> Result<Option<Value>>`
+
+- `GET /v1/subscriptions/:id`
+- Returns `None` if Stripe responds `404` (so callers can recover from a stale subscription id), otherwise the subscription object
+
+## `pub async fn create_subscription(&self, customer_id: &str, items: &BTreeMap<String, i64>) -> Result<(String, BTreeMap<String, String>)>`
+
+- `POST /v1/subscriptions` with `collection_method: charge_automatically` and one `items[n][price]` / `items[n][quantity]` pair per entry
+- Idempotent on the customer and the `(price, quantity)` set
+- Returns the subscription id and a map from price id to the created subscription item id
+
+## `pub async fn create_subscription_item(&self, subscription_id: &str, price_id: &str, quantity: i64) -> Result<String>`
+
+- `POST /v1/subscription_items`
+- Idempotent on `(subscription_id, price_id)`
+- Returns the new subscription item id
+
+## `pub async fn set_subscription_item_quantity(&self, item_id: &str, quantity: i64) -> Result<()>`
+
+- `POST /v1/subscription_items/:id` with `quantity`
+- No idempotency key (reconcile-to-target write)
+
+## `pub async fn delete_subscription_item(&self, item_id: &str) -> Result<()>`
+
+- `DELETE /v1/subscription_items/:id`
+
+## `pub async fn cancel_subscription(&self, subscription_id: &str) -> Result<()>`
+
+- `DELETE /v1/subscriptions/:id`
+
+## `pub async fn list_invoices(&self, customer_id: &str) -> Result<Value>`
+
+- `GET /v1/invoices?customer=…`
+- Returns the `data` array
+
+## `pub async fn get_invoice(&self, invoice_id: &str) -> Result<Value, InvoiceLookupError>`
+
+- `GET /v1/invoices/:id`
+- On a 4xx response, returns `InvoiceLookupError::StripeClient { status }` (callers usually surface this as a client error, e.g. `404` "no such invoice"); other failures are `InvoiceLookupError::Internal`
+- Returns the full invoice object
+
+## `pub async fn pay_invoice(&self, invoice_id: &str) -> Result<()>`
+
+- `POST /v1/invoices/:id/pay` (retries collection using the customer's default payment method)
+- Idempotent on `invoice_id`
+
+## `pub async fn pay_invoice_out_of_band(&self, invoice_id: &str) -> Result<()>`
+
+- `POST /v1/invoices/:id/pay` with `paid_out_of_band: true` — used when payment was collected over Lightning rather than through Stripe
+- Idempotent on `invoice_id`
+
+## `pub async fn preview_upcoming_invoice(&self, customer_id: &str, subscription_id: Option<&str>) -> Result<Value>`
+
+- `GET /v1/invoices/upcoming?customer=…[&subscription=…]`
+- Used to validate proration when a subscription is downgraded
+
+## `pub async fn has_payment_method(&self, customer_id: &str) -> Result<bool>`
+
+- `GET /v1/payment_methods?customer=…&type=card`
+- Returns whether the customer has at least one card on file
+
+## `pub async fn create_portal_session(&self, customer_id: &str, return_url: Option<&str>) -> Result<String>`
+
+- `POST /v1/billing_portal/sessions` with `customer` and optional `return_url`
+- Returns the portal session URL
+
+## `pub fn construct_event(&self, payload: &str, sig_header: &str) -> Result<Event>`
+
+Verifies the `Stripe-Signature` header against `webhook_secret` and parses the body.
+
+- Parse `t=` (timestamp) and `v1=` (signature) from the header
+- Compute `HMAC-SHA256(webhook_secret, "{t}.{payload}")`, hex-encode it, and compare to `v1=`; error on mismatch
+- Error if the timestamp is more than 300 seconds from now
+- Returns the deserialized `Event` (`{ event_type, data: { object } }`)
+
+# `pub enum InvoiceLookupError`
+
+- `StripeClient { status: reqwest::StatusCode }` - Stripe returned a 4xx for an invoice lookup
+- `Internal(anyhow::Error)` - any other failure
+
+Implements `Display`/`Error` and `From<anyhow::Error>` / `From<reqwest::Error>` (both mapping to `Internal`).
+
+# `pub struct Event` / `pub struct EventData`
+
+The verified, parsed webhook event: `Event { event_type: String, data: EventData }`, `EventData { object: serde_json::Value }`.