fix(credits): atomic Stripe webhook fulfillment + idempotency + privilege guard

.claude/KNOWN_ISSUES.md

@@ -0,0 +1,30 @@
+# Known Issues — Fynvita
+
+## Mobile Test Coverage at 14% (Target: 80%)
+- **Issue:** mobile-app/jest.config.js global threshold is 14% (branches 10%)
+- **Impact:** Mobile regressions not caught by coverage gates
+- **Fix:** Update thresholds to match web standards (80% global)
+- **Status:** NEEDS FIX
+
+## 841 ESLint Warnings (Legacy)
+- **Issue:** Mostly no-explicit-any, no-unused-vars, display-name in legacy code
+- **Impact:** New warnings hidden in noise
+- **Workaround:** 7 actual errors are low priority; warnings are non-blocking
+- **Status:** TRACKING
+
+## Mobile Not in CI/CD
+- **Issue:** .github/workflows/ci.yml only runs web tests
+- **Impact:** Mobile regressions not caught at PR time
+- **Fix:** Add mobile-test job (Jest + type-check)
+- **Status:** NEEDS FIX
+
+## Playwright E2E Non-Blocking
+- **Issue:** Playwright job has `continue-on-error: true` in CI
+- **Impact:** E2E failures don't block merges
+- **Workaround:** Review E2E results manually in PR checks
+- **Status:** BY DESIGN (flaky tests being stabilized)
+
+## Detox E2E Not in CI
+- **Issue:** Detox scripts defined in mobile-app/package.json but not wired into GitHub Actions
+- **Impact:** Mobile E2E not automated
+- **Status:** DEFERRED (requires iOS/Android runners in CI)

.claude/README.md

@@ -0,0 +1,33 @@
+# Project-Level Claude Config
+
+Generic baseline shared across projects. This directory pairs with the user's global config at `~/.claude/`.
+
+## Layout
+
+```
+.claude/
+├── agents/         5 generic agents (bug-fixer, test-writer, documentation, security-auditor, performance-tuner)
+├── skills/         3 workflow skills (pre-investigation, implement-task, verify-and-ship)
+├── hooks/          post-edit-lint.sh (stack-aware: TS/JS/Py/Rust/Go/Dart)
+├── rules/          Project-specific overrides (fill in or delete)
+├── commands/       Project-specific slash commands (from original template)
+└── settings.json   Wires the lint hook
+```
+
+## Global vs project responsibilities
+
+- **Global (`~/.claude/`)** owns: verification protocol, coding standards, anti-overengineering rules, anti-hallucination, git workflow, testing standards, security baseline.
+- **Project (`.claude/`)** owns: stack-specific commands, project-specific conventions, domain glossary, project-specific agents and skills.
+
+Do NOT duplicate global rules at the project level. If a rule applies to all projects, it belongs in `~/.claude/rules/`.
+
+## When forking this template
+
+1. Fill in the `<fill in>` placeholders in `rules/01-verification.md`.
+2. Delete `rules/02-project-conventions.md` and `rules/03-domain-glossary.md` if not needed.
+3. Add project-specific agents to `agents/` only when a generic agent doesn't fit.
+4. Add project-specific skills to `skills/` only when the 3 generic ones don't cover the workflow.
+
+## Settings
+
+`settings.json` wires the post-edit lint hook. It does NOT grant any tool permissions — those come from `~/.claude/settings.json` plus `settings.local.json` (per-project, gitignored).

.claude/agent-memory/architect/MEMORY.md

@@ -0,0 +1 @@
+- [Wave 7 Remediation Roadmap](project_wave7_remediation.md) — 8-phase plan (~60 tasks) addressing 33 CRITICAL findings; reference fix template is commit d64e8d5

.claude/agent-memory/architect/project_wave7_remediation.md

@@ -0,0 +1,13 @@
+---
+name: Wave 7 Remediation Roadmap
+description: Wave 7 remediation plan structure for the 33 CRITICAL findings — phases, task ID prefixes, gate criteria
+type: project
+---
+
+Wave 7 (Remediation) was scoped on 2026-05-01 to address 33 CRITICAL findings clustered into 4 themes (auth/RBAC, webhook idempotency + tier mapping, money correctness, mock-data-as-production) plus compliance, mobile, and IDOR sweeps.
+
+**Why:** Prior 125/125 DONE claim in MASTER-IMPLEMENTATION-PLAN.md was invalidated by live security review proving CRITICAL bypasses across 9 domains. CLAUDE.md and SSOT must be updated before further feature work.
+
+**How to apply:** When asked about Wave 7 status, reference the 8 phases (PRE, AUTH, WBH, MNY, MOK, CMP, MOB, IDR) and ~60 tasks. Phase 0 (PRE-01..05) is the prereq gate — re-baseline + branch freeze + flags + lint guards must land first. Reference fix template is commit d64e8d5 (atomic Postgres RPC + UNIQUE constraint + REVOKE/GRANT). Phase exit gates are documented per phase. Total estimate: 4 weeks, parallelizable across SEC/BE/MOB/DEVOPS streams.
+
+Verify before recommending any specific task ID exists — these were proposed, not yet committed to MASTER-IMPLEMENTATION-PLAN.md.

.claude/agent-memory/architecture-reviewer/MEMORY.md

@@ -0,0 +1,4 @@
+# Architecture Reviewer Memory Index
+
+- [User Profile](user_profile.md) — Honour, principal engineer on Fynvita (Next.js 15 + Expo), prefers sub-600-word focused reviews with file:line citations
+- [Project: Fynvita Stack](project_fynvita.md) — Next.js 15 App Router + Supabase RLS + Expo SDK 52, singleton-service pattern, 846K LOC

.claude/agent-memory/architecture-reviewer/user_profile.md

@@ -0,0 +1,9 @@
+---
+name: User Profile — Honour
+description: Owner of Fynvita repo, principal engineer, prefers concise architectural reviews with exact file:line citations and under-600-word output
+type: user
+---
+
+Honour (kimhons@gmail.com / khonour@yahoo.com). Principal engineer and product owner of Fynvita.
+Primary stacks: Next.js 15 + Supabase + Expo SDK 52. Deep full-stack experience.
+Review preference: factual, citation-grounded, under 600 words, no padding.

.claude/agent-memory/code-reviewer/MEMORY.md

@@ -0,0 +1,4 @@
+# Code Reviewer Memory Index
+
+- [user_profile.md](user_profile.md) — Owner is Honour; senior fullstack, Next.js 15/Supabase/Stripe/Expo stack, strict TypeScript
+- [project_credit_system.md](project_credit_system.md) — Credit system architecture: app-currency credits vs FCRA consumer credit, deduct_credits RPC is atomic, addCredits is not

.claude/agent-memory/code-reviewer/project_credit_system.md

@@ -0,0 +1,21 @@
+---
+name: project_credit_system
+description: Credit system design decisions relevant to future reviews — atomic RPC vs non-atomic addCredits, webhook fulfillment pattern
+type: project
+---
+
+Two "credit" concepts coexist: app-currency credits (balance/purchase/deduct) and FCRA consumer credit (disputes, adverse action).
+
+**Deduction is atomic** via `deduct_credits` Postgres RPC (FOR UPDATE row lock + INSERT in one transaction). Safe under concurrency.
+
+**addCredits is now atomic** (fixed 2026-05-01) via `add_credits` Postgres RPC (migration 20260501000000_credit_purchase_idempotency.sql). Previously was a non-atomic read-modify-write in application code.
+
+**Stripe fulfillment (post-fix)**: purchase route now creates a Checkout Session and returns `checkoutUrl`. Credits granted in `fulfillCreditPurchase` (stripe-service.ts ~line 728) on `payment_intent.succeeded` webhook. Idempotency via UNIQUE constraint on `credit_purchases.stripe_payment_intent_id`; 23505 Postgres error is caught and suppressed (dedup). Any other DB error is thrown so Stripe retries.
+
+**Known open issue (found 2026-05-01 review)**: `handlePaymentIntentSucceeded` catches all errors from `fulfillCreditPurchase` and logs them instead of rethrowing. This means Stripe receives HTTP 200 even on transient DB failures, and will NOT retry. Credits could be permanently lost. The `throw` in `fulfillCreditPurchase` is swallowed at the caller level (stripe-service.ts:712-719).
+
+**Schema**: `credit_purchases` columns are `amount_paid_cents`, `stripe_payment_intent_id` (nullable TEXT, now UNIQUE). No `status` column. Column names are now correct in webhook handler.
+
+Why: migration (20260427000002_credit_system.sql) and webhook handler were written independently without cross-checking column names (fixed in this diff).
+
+How to apply: When reviewing any code that inserts into credit_purchases, verify against the migration DDL column names. When reviewing webhook error handling, confirm errors propagate past the outer try/catch in handlePaymentIntentSucceeded.

.claude/agent-memory/code-reviewer/user_profile.md

@@ -0,0 +1,7 @@
+---
+name: user_profile
+description: Owner identity, stack, and review preferences
+type: user
+---
+
+Owner is Honour (kimhons@gmail.com). Senior fullstack engineer. Primary stack on this project: Next.js 15 App Router, TypeScript strict, Supabase PostgreSQL + RLS, Stripe webhooks, Expo/React Native. Expects terse, citation-precise reviews. No trailing summaries. No emojis.

.claude/agent-memory/security-reviewer/MEMORY.md

@@ -0,0 +1,4 @@
+# Security Reviewer Memory Index
+
+## Project
+- [project_fynvita_security.md](project_fynvita_security.md) — Fynvita security posture, audit findings 2026-04-16, dependency CVEs, recurring patterns to watch