Skip to content

feat(mobile): add Apple Kilo Pass purchases#3079

Open
iscekic wants to merge 76 commits intomainfrom
feat/apple-iap-personal-credit-purchases
Open

feat(mobile): add Apple Kilo Pass purchases#3079
iscekic wants to merge 76 commits intomainfrom
feat/apple-iap-personal-credit-purchases

Conversation

@iscekic
Copy link
Copy Markdown
Contributor

@iscekic iscekic commented May 6, 2026
edited
Loading

Summary

This PR replaces the original one-time Apple credit purchase experiment with App Store-managed Kilo Pass subscriptions across the data model, backend APIs, web management surfaces, and mobile purchase flow.

  • Adds provider-aware Kilo Pass persistence for Stripe vs store-managed subscriptions, including store purchase/event tables, provider subscription IDs, App Store account tokens, monthly App Store product metadata, and Google Play placeholders for the shared catalog.
  • Adds App Store server-side handling for signed transaction verification, idempotent purchase completion, renewals, cancellation state, failed renewals, upgrades/proration, refunds/revocations, credit clawbacks, and mobile-facing Kilo Pass store product/completion router methods.
  • Adds the iOS mobile Kilo Pass subscription experience: native modal presentation, App Store product loading, purchase/recovery hooks, account-token matching, ownership and cancellation states, App Store management routing, and profile dismissal/routing behavior after purchase.
  • Updates web Kilo Pass management so store-managed subscriptions route to App Store management instead of Stripe-only actions, and updates /device-auth to show the signed-in account plus a sign-out path before approving a device.
  • Adds Expo IAP/App Store server dependencies, env placeholders, generated DB migration artifacts, and focused tests around the new store subscription, notification, mobile purchase, and management flows.

Verification

  • App Store sandbox upgrade/downgrade sequence was manually checked against DB rows for subscription, store event, and credit ledger behavior in earlier branch validation.
  • Not manually re-verified during this PR-description update.

Visual Changes

Visual changes exist for the mobile Kilo Pass/profile purchase flow and web account-management surfaces, but screenshots are not attached in this description update.

Reviewer Notes

  • App Store behavior depends on production/sandbox config: root certificates, private key, key ID, issuer ID, Apple app ID, bundle ID, product IDs, subscription group, sandbox testers, and APPLE_IAP_ENVIRONMENT.
  • The current store catalog is monthly-only for App Store. Google Play product/base-plan metadata is present as a placeholder, but Google Play verification and notifications are not implemented here.
  • Store-managed subscriptions intentionally bypass Stripe portal, cancel, schedule, payment-method, and billing-history paths; please check those provider guards preserve existing Stripe behavior.
  • Purchase completion finishes StoreKit transactions only after backend completion so failed completions can be recovered on app start.
  • Refund/revocation handling reverses App Store base and bonus credits as negative ledger entries and depends on usable transaction price data from Apple.

iscekic added 30 commits May 6, 2026 14:36
@iscekic
docs(billing): specify Apple credit purchases
ec19041
@iscekic
feat(db): add Apple IAP purchase tables
348bf02
@iscekic
feat(web): define Apple credit products
724094f
@iscekic
feat(web): add Apple signed data verifier
cd05810
@iscekic
feat(web): process Apple credit purchases
f0681cb
@iscekic
feat(web): expose Apple credit purchase APIs
f877f8f
@iscekic
feat(web): handle Apple IAP notifications
ca2c87b
@iscekic
feat(mobile): add Apple credit purchase hooks
00f815e
@iscekic
feat(mobile): add Apple credit purchase UI
e3b14c3
@iscekic
fix(mobile): stabilize Apple credit purchase hooks
34ca77a
@iscekic
docs(mobile): document Apple credit purchase setup
72128b2
@iscekic
fix: stabilize Apple credit purchase verification
471bbc0
@iscekic
fix: address Apple IAP review feedback
d658a90
@iscekic
fix(mobile): remove home welcome headline
1a57af8
@iscekic
fix(mobile): remove kilo chat debug logs
1ef7981
@iscekic
fix(mobile): enable expo iap config plugin
1124806
@iscekic
fix(mobile): handle apple purchases from storekit events
147dc4c
@iscekic
chore(mobile): align expo sdk dependencies
a140354
@iscekic
fix(mobile): recover unfinished apple credit purchases
5070823
@iscekic
fix(kilo-pass): remove one-time apple credit purchases
0fc605a
@iscekic
feat(kilo-pass): add app store subscriptions
18aaf73
@iscekic
fix(kilo-pass): order app store subscriptions
8d3fa34
@iscekic
fix(mobile): make Kilo Pass purchase sheet native
33f1fa5
@iscekic
fix(mobile): remove web parity Kilo Pass copy
b77479a
@iscekic
fix(mobile): add Kilo Pass explainer link
a3438c4
@iscekic
fix(mobile): update Kilo Pass teaser copy
4b8c7dc
@iscekic
fix(mobile): route web Kilo Pass management
5b2a063
@iscekic
fix(mobile): recover Kilo Pass store purchases
39a64b3
@iscekic
fix(mobile): sign out on unauthorized tRPC queries
88d0a49
@iscekic
fix(mobile): move KiloClaw skeleton to top
0c5228a
iscekic added 26 commits May 7, 2026 18:13
@iscekic
fix(kilo-pass): attach App Store purchases to users
def25f3
@iscekic
fix(mobile): keep Kilo Pass purchase on profile
6b883db
@iscekic
fix(kilo-pass): handle App Store auto-renew cancellation
f0899d8
@iscekic
chore(web): update Apple server SDK
b9e0390
@iscekic
refactor(web): centralize Apple Store SDK setup
d6a3f63
@iscekic
refactor(web): use Apple notification enums
be65b99
@iscekic
fix(web): ignore App Store consumption requests
daedd75
@iscekic
fix(web): keep failed App Store renewals active
a240269
@iscekic
fix(kilo-pass): apply App Store upgrades
faed523
@iscekic
fix(kilo-pass): prorate App Store upgrades
0dca3e9
@iscekic
Merge remote-tracking branch 'origin/main' into feat/apple-iap-person…
216db4e 
…al-credit-purchases

# Conflicts:
#	packages/db/src/migrations/meta/0115_snapshot.json
#	packages/db/src/migrations/meta/0116_snapshot.json
#	packages/db/src/migrations/meta/0117_snapshot.json
#	packages/db/src/migrations/meta/_journal.json
#	pnpm-lock.yaml
@iscekic
fix(mobile): dismiss Kilo Pass sheet after purchase
812ac4d
@iscekic
feat(kilo-pass): add dev App Store refund request
7ad755c
@iscekic
fix(mobile): coalesce Kilo Pass purchase completion
0cd199d
@iscekic
fix(kilo-pass): decline App Store refund requests
3412154
@iscekic
fix(mobile): recover Kilo Pass purchases on app start
b4230e4
@iscekic
fix(kilo-pass): reverse app store refund credits
83cd484
@iscekic
fix(kilo-pass): route store-managed pass actions
ae12aec
@iscekic
fix(mobile): show pending Kilo Pass cancellation
d8123dd
@iscekic
fix(mobile): show Kilo Pass cancellation date
6a31f99
@iscekic
fix(mobile): hide canceled Kilo Pass as active
421b2a6
@iscekic
fix(kilo-pass): keep purchase sheet open after completion
93fdcbe
@iscekic
fix(mobile): quiet Kilo Pass ownership recovery
8e63496
@iscekic
fix(mobile): show App Store Kilo Pass ownership
4fa4f29
@iscekic
fix(kilo-pass): reset to profile after purchase
bd0eddf
@iscekic
fix(kilo-pass): make profile top route after purchase
d9baead
@iscekic iscekic marked this pull request as ready for review May 8, 2026 18:49
@iscekic
Merge remote-tracking branch 'origin/main' into feat/apple-iap-person…
54135fd 
…al-credit-purchases

# Conflicts:
#	apps/web/package.json
#	apps/web/src/routers/kilo-pass-router.ts
#	packages/db/src/migrations/meta/0123_snapshot.json
#	packages/db/src/migrations/meta/_journal.json
#	pnpm-lock.yaml
#	pnpm-workspace.yaml
kilo-code-bot[bot]
kilo-code-bot Bot reviewed May 8, 2026
View reviewed changes
Comment thread apps/mobile/src/components/kilo-pass/kilo-pass-subscription-card.tsx
try {
await showManageSubscriptionsIOS();
await invalidateKiloPassState();
setTimeout(() => {
Copy link
Copy Markdown
Contributor

@kilo-code-bot kilo-code-bot Bot May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Uncleared setTimeout causes a potential memory leak / stale state update

If the component unmounts within 2 seconds of the user returning from the App Store sheet, invalidateKiloPassState() will fire on an unmounted component. This is a classic leak pattern in React Native.

Consider using a ref to track mount state, or simply rely on the useEffect invalidation in useStoreKiloPassPurchase / react-query's own window-focus refetch instead of a delayed re-check:

Suggested change
setTimeout(() => {
void invalidateKiloPassState();

Comment thread apps/mobile/src/lib/kilo-pass/use-store-kilo-pass-purchase.ts
showError: (message: string) => void;
};

const sharedPurchaseCompletions = new Map<string, Promise<boolean>>();
Copy link
Copy Markdown
Contributor

@kilo-code-bot kilo-code-bot Bot May 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Module-level mutable state is a potential memory leak in React Native

sharedPurchaseCompletions and lastPurchaseErrorToast are module-level singletons that accumulate state across the app's lifetime and are never cleaned up. In React Native's Metro bundler, modules persist across hot reloads (Fast Refresh), so test/dev scenarios can see stale entries. More critically, sharedPurchaseCompletions holds Promise<boolean> references that may keep closures alive.

This is intentional cross-instance deduplication, but consider documenting this explicitly and ensuring entries are always deleted after completion (they are, via .delete(purchaseId)), and confirm no error paths skip the delete.

@kilo-code-bot
Copy link
Copy Markdown
Contributor

kilo-code-bot Bot commented May 8, 2026
edited
Loading

Code Review Summary

Status: 4 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 1
WARNING 2
SUGGESTION 1
Issue Details (click to expand)

CRITICAL

File Line Issue
apps/web/src/lib/user.ts 810–835 GDPR softDeleteUser not updated for new app_store_account_token column and new kilo_pass_store_purchases / kilo_pass_store_events tables — see AGENTS.md rule

WARNING

File Line Issue
apps/mobile/src/components/kilo-pass/kilo-pass-subscription-card.tsx 81 Uncleared setTimeout fires invalidateKiloPassState on a potentially unmounted component
apps/mobile/src/lib/kilo-pass/use-store-kilo-pass-purchase.ts 42–43 Module-level mutable sharedPurchaseCompletions and lastPurchaseErrorToast — state persists across Fast Refresh reloads; lastPurchaseErrorToast is never reset on sign-out

SUGGESTION

File Line Issue
apps/web/src/lib/kilo-pass/state.ts 149 stripeSubscriptionId fallback silently coerces App Store providerSubscriptionId into a Stripe field, masking the conceptual mismatch
Other Observations (not in diff)

CRITICAL — GDPR soft-delete gap (apps/web/src/lib/user.ts:810)

The AGENTS.md rules explicitly require: "When adding PII … to the database — whether as a new table or a new column — you MUST also update the GDPR soft-delete flow in softDeleteUser (apps/web/src/lib/user.ts)".

This PR adds:

  1. kilocode_users.app_store_account_token — a UUID unique to each user that directly links them to their App Store purchase history. The softDeleteUser anonymization block (lines 810–835) does not rotate or nullify this token, leaving the deleted user's App Store identity traceable after soft-delete.
  2. kilo_pass_store_purchases — contains app_account_token, purchase_token (JWS), provider_transaction_id, provider_subscription_id, and raw_payload_json per user. None of this is deleted or anonymized by softDeleteUser.
  3. kilo_pass_store_events — also linked by app_account_token and holds payload JSON.

Recommendation:

  • In the softDeleteUser anonymization block, rotate app_store_account_token to a new crypto.randomUUID() so the token no longer maps to the original account.
  • Decide whether kilo_pass_store_purchases / kilo_pass_store_events rows should be hard-deleted or anonymized (the app_account_token columns are FK-less and retain the old UUID even after the user row is rotated).
  • Add a test in apps/web/src/lib/user.test.ts per the spec.

SUGGESTION — stripeSubscriptionId field overloading (apps/web/src/lib/kilo-pass/state.ts:149)

stripeSubscriptionId: selected.stripeSubscriptionId ?? selected.providerSubscriptionId ?? '',

This silently reuses a Stripe-named field to carry an Apple originalTransactionId for App Store subscriptions. All downstream callers that actually use this value for Stripe API calls are now gated behind assertStripeManagedSubscription, so there's no runtime error today. But the field name is misleading and could trip up future callers. Consider either (a) documenting the intent with a comment, or (b) keeping stripeSubscriptionId as string | null in the public type and letting callers assert non-null only when they've already confirmed Stripe ownership.

Files Reviewed (56 files)
  • .env.local.example
  • apps/mobile/AGENTS.md
  • apps/mobile/README.md
  • apps/mobile/app.config.ts
  • apps/mobile/metro.config.js
  • apps/mobile/package.json
  • apps/mobile/src/app/(app)/(tabs)/(1_kiloclaw)/index.tsx
  • apps/mobile/src/app/(app)/(tabs)/_layout.tsx
  • apps/mobile/src/app/(app)/_layout.tsx
  • apps/mobile/src/app/(app)/kilo-pass.tsx
  • apps/mobile/src/components/agents/session-list-content.tsx
  • apps/mobile/src/components/agents/session-list-routes.ts
  • apps/mobile/src/components/agents/session-list-screen.tsx
  • apps/mobile/src/components/home/greeting.tsx
  • apps/mobile/src/components/home/home-screen.tsx
  • apps/mobile/src/components/kilo-chat/conversation-screen.tsx
  • apps/mobile/src/components/kilo-chat/hooks/use-instance-event-subscription.ts
  • apps/mobile/src/components/kilo-pass/kilo-pass-subscription-card.tsx — 1 issue
  • apps/mobile/src/components/kilo-pass/kilo-pass-subscription-screen.tsx
  • apps/mobile/src/components/profile-avatar-button.tsx
  • apps/mobile/src/components/profile-credits-card.tsx
  • apps/mobile/src/components/profile-screen.tsx
  • apps/mobile/src/lib/auth/auth-context.tsx
  • apps/mobile/src/lib/auth/trpc-unauthorized.ts
  • apps/mobile/src/lib/kilo-pass/dev-storekit-refund.ts
  • apps/mobile/src/lib/kilo-pass/navigation.ts
  • apps/mobile/src/lib/kilo-pass/store-ownership.ts
  • apps/mobile/src/lib/kilo-pass/store-products-loader.ts
  • apps/mobile/src/lib/kilo-pass/store-products.ts
  • apps/mobile/src/lib/kilo-pass/subscription-card-state.ts
  • apps/mobile/src/lib/kilo-pass/use-store-kilo-pass-products.ts
  • apps/mobile/src/lib/kilo-pass/use-store-kilo-pass-purchase.ts — 1 issue
  • apps/mobile/src/lib/query-client.ts
  • apps/mobile/src/lib/tab-bar-layout.ts
  • apps/web/package.json
  • apps/web/src/app/api/kilo-pass/apple/notifications/route.ts
  • apps/web/src/app/device-auth/DeviceAuthClient.tsx
  • apps/web/src/app/device-auth/page.tsx
  • apps/web/src/components/profile/kilo-pass/KiloPassActiveSubscriptionCard.tsx
  • apps/web/src/components/profile/kilo-pass/kiloPassManagementAction.ts
  • apps/web/src/components/subscriptions/kilo-pass/KiloPassDetail.logic.ts
  • apps/web/src/components/subscriptions/kilo-pass/KiloPassDetail.tsx
  • apps/web/src/lib/kilo-pass/apple-store-notifications.ts
  • apps/web/src/lib/kilo-pass/apple-store-sdk.ts
  • apps/web/src/lib/kilo-pass/apple-store-verifier.ts
  • apps/web/src/lib/kilo-pass/enums.ts
  • apps/web/src/lib/kilo-pass/issuance.ts
  • apps/web/src/lib/kilo-pass/mobile-store-products.ts
  • apps/web/src/lib/kilo-pass/state.ts — 1 suggestion
  • apps/web/src/lib/kilo-pass/store-subscription-completion.ts
  • apps/web/src/lib/kilo-pass/stripe-handlers-invoice-paid.ts
  • apps/web/src/lib/kilo-pass/stripe-handlers-subscription-events.ts
  • apps/web/src/lib/kilo-pass/yearly-monthly-base-cron.ts
  • apps/web/src/routers/kilo-pass-router.ts
  • packages/db/src/migrations/0123_tricky_agent_brand.sql
  • apps/web/src/lib/user.ts (unchanged — GDPR gap flagged)

Fix these issues in Kilo Cloud

Reviewed by claude-sonnet-4.6 · 7,349,074 tokens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@iscekic iscekic

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iscekic