feat: kit hosted backend (webhooks + state + products sync + MCP + dashboard)

.claude/commands/review-pr.md

@@ -35,6 +35,10 @@ See [CLAUDE.md](../../CLAUDE.md) and [knowledge/internal/](../../knowledge/inter
 
 **NEVER respond with "will address in a follow-up" or "will fix later".** Fix ALL review comments NOW in the current PR. Every comment must be addressed with a code fix and committed before replying. No exceptions.
 
+**This rule applies to architectural / refactor / "out of scope" findings too.** Phrases like "tracked as a follow-up", "is its own refactor", "belongs in a dedicated PR", "real architectural change", "future enhancement", or "tracking as follow-up rather than landing in this PR" are NOT acceptable replies — they are deferrals dressed up. If the reviewer flagged a real correctness or operational gap, implement the fix in this PR, however much code it takes. Pagination, schema additions, new validators, API rewrites, scheduler-chained mutations — all in scope. Push back ONLY when the finding is wrong on the merits (e.g. a stylistic preference contradicting an existing schema convention), and back the pushback with concrete repo evidence.
+
+If you are tempted to write "tracking as follow-up", stop and implement the fix instead.
+
 For each comment:
 1. **Read the code** mentioned in the comment
 2. **Fix it** immediately

.github/workflows/ci.yml

@@ -64,7 +64,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies
         run: |
@@ -129,7 +129,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies
         run: |
@@ -173,7 +173,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies
         run: |
@@ -209,7 +209,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies
         run: |
@@ -249,7 +249,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies
         working-directory: scripts/agent

.github/workflows/dependabot-bun-lockfile.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Run bun install
         id: install

.github/workflows/deploy-kit.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Install dependencies (workspace root)
         working-directory: ${{ github.workspace }}
@@ -138,7 +138,7 @@ jobs:
         if: ${{ env.KIT_CONVEX_DEPLOY_KEY != '' }}
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.0
+          bun-version: 1.3.13
 
       - name: Deploy Convex functions
         if: ${{ env.KIT_CONVEX_DEPLOY_KEY != '' }}

.gitignore

@@ -42,6 +42,27 @@ coverage/
 .env.local
 .env.*.local
 
+# IAPKit credential files downloaded from prod for local testing.
+# Apple .p8 keys + Google service-account JSONs must never be
+# committed — they'd grant attackers App Store Server API / Play
+# Developer API access on the corresponding project.
+*.p8
+**/service-account*.json
+# Catch-all for Google Cloud project keys downloaded as
+# `<project-id>-<hash>.json` (the default name from the GCP console).
+# Replaces the per-project `martie-c0b27-*.json` pattern that only
+# helped one developer's local setup. We cover the two real formats
+# the IAM console produces:
+#   1. `<project-id>-<5-hex suffix>-<12-hex key id>.json`
+#      (project IDs with the GCP-auto-generated 5-char uniqueness suffix)
+#   2. `<project-id>-<12-hex key id>.json`
+#      (project IDs the operator named themselves, no GCP suffix)
+# Pinning the trailing key-id to exactly 12 hex chars keeps legitimate
+# config files (`tsconfig-base.json`, `eslint-config.json`, etc.) out
+# of the match while still catching every key the console emits.
+**/*-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].json
+**/*-[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].json
+
 # Temp
 tmp/
 temp/

.husky/pre-commit

@@ -4,6 +4,47 @@ set -e
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 cd "$REPO_ROOT"
 
+# Bun version pin guard. CI's Docker image uses the version declared in
+# `package.json`'s `packageManager` field (currently bun@1.3.13). bun
+# lockfiles are not stable across major-minor versions — a lockfile
+# generated by an older local bun will pass `--frozen-lockfile` here
+# but fail in Docker. Before doing anything else, refuse to commit
+# from a mismatched bun.
+#
+# The guard must be fail-closed: if `node` isn't on PATH or the
+# package.json read fails, do not silently bypass — the whole point of
+# the gate is preventing lockfile drift, and a stealth bypass defeats it.
+#
+# Use `bun -e` instead of `node -p`. Bun is the project's required
+# runtime (the gate's whole purpose is to enforce a pinned bun
+# version), so requiring node here just to parse the JSON would add a
+# second mandatory toolchain. `bun -e` reads JSON via the same
+# require() shim Node does and exits with the parse error if the file
+# is malformed, matching the previous failure mode without the extra
+# dep.
+if ! command -v bun >/dev/null 2>&1; then
+  echo "❌ pre-commit gate: \`bun\` not on PATH — required to read packageManager pin from package.json."
+  echo "   install bun (https://bun.sh) and re-commit."
+  exit 1
+fi
+EXPECTED_BUN="$(bun -e "console.log(require('./package.json').packageManager.split('@')[1])")"
+if [ -z "$EXPECTED_BUN" ]; then
+  echo "❌ pre-commit gate: could not read \`packageManager\` from package.json."
+  echo "   the bun version pin is missing or malformed — fix package.json before committing."
+  exit 1
+fi
+ACTUAL_BUN="$(bun --version 2>/dev/null || echo unknown)"
+if [ "$EXPECTED_BUN" != "$ACTUAL_BUN" ]; then
+  echo "❌ bun version mismatch:"
+  echo "   package.json packageManager: bun@$EXPECTED_BUN"
+  echo "   local bun --version:         $ACTUAL_BUN"
+  echo "   run \`bun upgrade\` (or install bun@$EXPECTED_BUN) and re-commit."
+  echo "   (Lockfiles drift across bun versions — CI's Docker uses"
+  echo "    the pinned version and will fail with"
+  echo "    'lockfile had changes, but lockfile is frozen' otherwise.)"
+  exit 1
+fi
+
 # Paths-aware kit pre-commit gate. Only runs when staged changes touch
 # packages/kit/**, so unrelated edits to apple/google/gql/docs/libraries
 # aren't blocked.
@@ -57,6 +98,35 @@ if git diff --cached --name-only --diff-filter=ACMR | grep -q '^packages/kit/';
   bun run --filter @hyodotdev/openiap-kit smoke:server
 fi
 
+# Paths-aware Flutter analyze. Triggers on any libraries/flutter_inapp_purchase
+# edit. Catches the `ambiguous_export` class of failure that took out
+# CI on PR #124 — locally `flutter analyze` runs in <2s with a warm
+# pub cache.
+if git diff --cached --name-only --diff-filter=ACMR \
+  | grep -qE '^libraries/flutter_inapp_purchase/(lib|test)/'; then
+  if command -v flutter >/dev/null 2>&1; then
+    echo "🐦 flutter-touched commit — running flutter analyze…"
+    (cd libraries/flutter_inapp_purchase && flutter analyze)
+  else
+    echo "⚠️  flutter not on PATH — skipping flutter analyze (CI will catch any issues)."
+  fi
+fi
+
+# Paths-aware KMP compile check. Uses the existing `:library:compileDebugKotlinAndroid`
+# task because that's the same target CI runs. With a warm gradle daemon
+# this finishes in 5-10s; first run after `./gradlew --stop` can take 30-40s.
+# Catches the redeclaration / interface-method-missing class of failure
+# that hit PR #124.
+if git diff --cached --name-only --diff-filter=ACMR \
+  | grep -qE '^(libraries/kmp-iap/library/src|packages/gql/src/)' ; then
+  if [ -x libraries/kmp-iap/gradlew ]; then
+    echo "🎯 kmp/gql-touched commit — running ./gradlew :library:compileDebugKotlinAndroid…"
+    (cd libraries/kmp-iap && ./gradlew :library:compileDebugKotlinAndroid -q)
+  else
+    echo "⚠️  libraries/kmp-iap/gradlew not executable — skipping KMP compile."
+  fi
+fi
+
 # Paths-aware docs typecheck. The kit integration brought React 19 into
 # the workspace alongside docs's React 18, which previously caused
 # @types/react hoisting to break docs's tsc only in CI. Both are now on