fix(billing): retry refund correlation backfill 3x + dead-letter

[PierreBrisorgueil]

Summary

• Wraps PaymentIntent metadata backfill in checkout.session.completed handler with retryWithBackoff (3 attempts, 200ms + 400ms exp delays)
• On exhaustion: log ERROR + write to new BillingFailedBackfill dead-letter collection (via minimal repository abstraction)
• Inner try/catch around dead-letter write — never silent
• RUNBOOK section 6 with mongo + Stripe CLI commands for manual reconciliation
• Closes silent refund correlation loss path identified in audit P1

Context — audit P1 (2026-05-21)

Devkit audit flagged billing.webhook.service.js:314-330 as P1 : the metadata backfill failed silently with logger.warn + continue. Later refund webhook fell into "unresolved" path → customer credit never applied, runbook-only recovery. This PR adds defense in depth.

Strategy : Option B (new model + repository, no existing dead-letter mechanism for this concern). PR #3603's ProcessedStripeEvent dead-letter covers event-delivery failures (exhausted webhook retries), which is a different class.

Reviews completed before push :

• Spec review : ✅ compliant + 1 cosmetic (RUNBOOK section ordering, fixed) + 1 followup filed as issue test(billing): use fake timers in checkout webhook unit test (slow regression) #3689 (slow-test pre-existing in billing.webhook.checkout.unit.tests.js:286)
• Code-quality review : 3 IMPORTANT (JSDoc delay math, lazy mongoose.model layer break, sparse-index no-op) + 3 MINOR → fixes in c39b9c3f
• DeepSeek pre-push gate : OK with nits — 2 low (err.stack dropped, no standalone retry tests) + 2 nits (failedAt triple-default, attempts<=0 unguarded) ; all deferrable

Test plan

• NODE_ENV=devkit npm run lint — clean
• NODE_ENV=test npm run test:unit -- billing.refund-correlation — 3/3 pass
• NODE_ENV=test npm run test:unit -- billing.webhook — 1530/1530 pass
• No silent .catch — inner DLQ catch logs at ERROR
• CI green
• CodeRabbit clean

Followup

• test(billing): use fake timers in checkout webhook unit test (slow regression) #3689 — fake-timers in billing.webhook.checkout.unit.tests.js:286 (pre-existing test, now slow due to retry — out of scope here)

Plan

docs/superpowers/plans/2026-05-21-devkit-audit-p0-p1-fixes.md Phase 2.

Summary by CodeRabbit

• New Features

  • Improved billing reliability with automatic retry and dead-letter recording for failed refund correlation backfills.

• Documentation

  • Added an operational runbook detailing triage and recovery steps for refund backfill failures and when to escalate.

• Tests

  • Added unit tests covering retry behavior, dead-letter recording, and related error-handling scenarios.

[coderabbitai]

Caution

Review failed

Failed to post review comments

Walkthrough

Adds an exponential backoff retry helper, a Mongoose dead-letter model and repository for PaymentIntent metadata backfill failures, integrates retries+dead-letter writes into the billing webhook, adds unit tests for retry/failed-write scenarios, and documents runbook triage steps.

Changes

PaymentIntent Backfill Resilience

Layer / File(s)	Summary
Exponential backoff retry utility modules/billing/lib/billing.retry.js	retryWithBackoff(fn, { attempts = 3, baseMs = 200 }) with input validation, exponential backoff, returns on first success or throws last error after attempts.
Dead-letter data model and repository modules/billing/models/billing.failedBackfill.model.mongoose.js, modules/billing/repositories/billing.failedBackfill.repository.js	BillingFailedBackfill Mongoose schema for unresolved backfill failures (identifiers, error, timestamps, resolution metadata) and record() repository to persist failures with defaulted fields.
PaymentIntent metadata backfill with retry and dead-letter modules/billing/services/billing.webhook.service.js	Replaces direct stripe.paymentIntents.update with retryWithBackoff in checkout.session.completed; on final failure logs an error and persists a failed-backfill record, logging again if persistence fails.
Refund correlation backfill retry scenario tests modules/billing/tests/billing.refund-correlation.unit.tests.js	Jest tests (fake timers) covering transient failures that succeed, persistent failures that record dead-letters and error logs, dead-letter write failures, and retryWithBackoff input guards.
Billing runbook for backfill failures modules/billing/RUNBOOKS.md	Appends Runbook #7 describing failure symptom, triage steps (query unresolved, patch PaymentIntent metadata, mark resolved, replay dead-letter refunds), and an escalation rule.

Sequence Diagram

sequenceDiagram
  participant CheckoutHandler as handleCheckoutPaymentCompleted
  participant RetryHelper as retryWithBackoff
  participant StripeAPI as stripe.paymentIntents.update
  participant DeadLetterRepo as BillingFailedBackfillRepository
  participant Logger as logger

  CheckoutHandler->>RetryHelper: call retryWithBackoff(() => StripeAPI(update metadata))
  RetryHelper->>StripeAPI: paymentIntents.update(...) attempt
  alt succeeds within attempts
    StripeAPI-->>RetryHelper: success
    RetryHelper-->>CheckoutHandler: resolve
  else all attempts fail
    StripeAPI-->>RetryHelper: error
    RetryHelper-->>CheckoutHandler: reject (last error)
    CheckoutHandler->>Logger: error("backfill failed after retries", paymentIntentId)
    CheckoutHandler->>DeadLetterRepo: record({ paymentIntentId, stripeSessionId, error })
    alt dead-letter write fails
      DeadLetterRepo-->>CheckoutHandler: error
      CheckoutHandler->>Logger: error("failed to persist backfill record", paymentIntentId)
    end
    CheckoutHandler-->>CheckoutHandler: handler resolves (no throw)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• test(billing): use fake timers in checkout webhook unit test (slow regression) #3689: Tests and fake-timer usage affected by introducing retryWithBackoff; relates to avoiding real backoff delays in webhook unit tests.
• fix(billing): refine retryWithBackoff — short-circuit on non-transient Stripe errors + restore err.stack #3691: Proposes refinements to retryWithBackoff and webhook integration (short-circuit on non-transient Stripe errors, preserve err.stack).

Possibly related PRs

• pierreb-devkit/Node#3601: Related billing webhook changes around PaymentIntent stripeSessionId backfill and refund-correlation handling.
• pierreb-devkit/Node#3537: Related webhook edits around checkout payment handling and idempotent dispatch surrounding backfill logic.
• pierreb-devkit/Node#3623: Related edits to handleCheckoutPaymentCompleted around backfill and retry/idempotency handling.

Suggested labels

Fix

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding retry logic with exponential backoff (3x) and dead-letter recording for refund correlation backfill, which is the core purpose of this PR.
Description check	✅ Passed	The PR description covers all required template sections: summary of changes, context with audit details, scope (billing module, low risk), validation (tests passing, linting clean), guardrails (no secrets, tests added), and notes for reviewers addressing security and mergeability.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/billing-refund-correlation-retry

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.70%. Comparing base (d397764) to head (da51b15).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3690      +/-   ##
==========================================
+ Coverage   89.66%   89.70%   +0.04%     
==========================================
  Files         140      142       +2     
  Lines        4759     4780      +21     
  Branches     1491     1498       +7     
==========================================
+ Hits         4267     4288      +21     
  Misses        385      385              
  Partials      107      107              

Flag	Coverage Δ
integration	59.49% <8.33%> (-0.23%)	⬇️
unit	66.15% <100.00%> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d397764...da51b15. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds retry + dead-letter handling for the Stripe PaymentIntent metadata backfill performed during checkout.session.completed, to prevent silent failures that later break refund correlation and require manual recovery.

Changes:

• Wrap PaymentIntent metadata backfill in retryWithBackoff (3 attempts, exponential backoff) and escalate on exhaustion.
• Persist exhausted backfill failures to a new BillingFailedBackfill dead-letter collection (repository + model) and document manual reconciliation steps in the billing runbook.
• Add targeted unit tests covering retry success, retry exhaustion → dead-letter, and dead-letter write failure handling.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
modules/billing/services/billing.webhook.service.js	Adds retry/backoff around PI metadata patch and records exhausted failures to a backfill DLQ with error logging.
modules/billing/lib/billing.retry.js	Introduces a shared retryWithBackoff helper used by the webhook backfill.
modules/billing/repositories/billing.failedBackfill.repository.js	Adds a minimal repository abstraction for recording backfill dead-letter entries.
modules/billing/models/billing.failedBackfill.model.mongoose.js	Defines the BillingFailedBackfill Mongoose model and unresolved-only index for ops queries.
modules/billing/tests/billing.refund-correlation.unit.tests.js	Adds unit coverage for retry behavior and DLQ escalation/robustness.
modules/billing/RUNBOOKS.md	Adds a new runbook section for manual remediation of backfill failures.

[PierreBrisorgueil]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/billing/lib/billing.retry.js`:
- Around line 17-30: The retryWithBackoff function should validate its options
before the loop: check that attempts is a finite positive integer (>=1) and
baseMs is a finite non-negative number; if not, throw a clear TypeError
describing the invalid option(s). Add this validation at the start of
retryWithBackoff (before using attempts or baseMs) so you never enter the loop
with attempts <= 0 or non-integer values and avoid throwing undefined via
lastErr; reference the retryWithBackoff function and the attempts/baseMs
parameters when implementing the checks.

In `@modules/billing/tests/billing.refund-correlation.unit.tests.js`:
- Around line 26-31: Add a JSDoc header above the standalone makeSession helper:
include a one-line description, a `@returns` tag describing the returned session
object shape (id, payment_status, payment_intent, metadata with organizationId,
packId, kind) and types (e.g., `@returns` {Object}), and if you prefer to be
explicit add an empty `@param` comment noting no parameters; attach this header
immediately above the makeSession function declaration.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ed6dfd15-0206-4beb-806d-e58f3fd851ce

📥 Commits

Reviewing files that changed from the base of the PR and between da02947 and c39b9c3.

📒 Files selected for processing (6)

• modules/billing/RUNBOOKS.md
• modules/billing/lib/billing.retry.js
• modules/billing/models/billing.failedBackfill.model.mongoose.js
• modules/billing/repositories/billing.failedBackfill.repository.js
• modules/billing/services/billing.webhook.service.js
• modules/billing/tests/billing.refund-correlation.unit.tests.js

Stale: this CHANGES_REQUESTED targets c39b9c3 (06:51:16Z). Both findings — (1) retryWithBackoff attempts/baseMs validation, (2) makeSession JSDoc — fixed in dbb9c25 (06:53:34Z, postdates this review) + 2 guard tests added, 1484/1484 unit tests green. CR's incremental engine did not auto-re-review the new commit. Dismissing per stale-review convention.