fix(minting): handle one-time-payment Checkout sessions + align tier slugs (PR D)

[blove]

Summary

End-to-end smoke after PR #508 + #510 surfaced two real gaps that blocked Stripe → license-email flow:

1. Minting service handler required subscription mode. PR B-Stripe locked one-time 12-month payments; handleCheckoutCompleted threw "session has no subscription" before minting.
2. Tier slug + metadata-key mismatch. PR B-Stripe's sync-products.ts writes metadata.ngaf_tier_slug = indie|developer_seat|app_deployment. The minting service tier.ts was reading metadata.cacheplane_tier with hyphenated values (developer-seat/app-deployment).

This PR fixes both.

Changes

libs/db — rename licenses.stripe_subscription_id → stripe_payment_id (TS + SQL + drizzle migration 0001_*.sql + journal + snapshot). The column was always "the unique Stripe-side reference"; the new name reflects that. DB is empty (SELECT count(*) FROM licenses → 0); migration is data-preserving regardless.

apps/minting-service — Strip handleSubscriptionUpdated/handleSubscriptionDeleted (committing to one-time-only per the brainstorm). Rewrite handleCheckoutCompleted for mode: 'payment':

• payment_intent as the unique Stripe-side reference (stored in stripe_payment_id).
• customer (always present thanks to PR D's customer_creation: 'always' setting).
• customer_details.email for the recipient.
• expiresAt = now + defaultTtlDays * 86400000 (365-day default from env).
• Subscription event types now fall through to the default no-op.
• Subscription-mode Checkout sessions are logged and skipped (defensive guard; shouldn't be received with PR B-Stripe's mode: 'payment').

Tier slug alignment — tier.ts reads metadata.ngaf_tier_slug. MintableTier = 'indie' | 'developer_seat' | 'app_deployment'. LicenseTier extended to include indie and switched to underscored convention (developer_seat, app_deployment). Test fixtures across libs/licensing and minting-service updated. computeSeats: developer_seat tracks Stripe quantity; indie/app_deployment are flat 1.

apps/website — /api/checkout/session passes customer_creation: 'always' so the resulting webhook event carries a customer ID (required by the minting handler).

eslint — Add **/.vercel/** to root ignore list (transpiled function bundles aren't source).

Test plan

• npx nx run db:test → success
• npx nx run licensing:test → success
• npx nx run minting-service:test → success (9 handler tests + existing licenses/tier/email/sign tests)
• cd apps/website && npx vitest run → 17 files, 72 tests passing
• npx nx run minting-service:build → success
• npx nx run website:build → success
• All three lints clean
• Scope: only libs/db/, libs/licensing/, apps/minting-service/, apps/website/src/app/api/checkout/, eslint.config.mjs, and docs/superpowers/ touched.

Operational steps for post-merge

The drizzle migration must run against the Neon DB. Two paths:

Option A — apply via Node directly (works now; no drizzle-kit setup):
```
set -a && source ~/repos/angular-agent-framework/.env && set +a
node -e "const {neon}=require('@neondatabase/serverless');const sql=neon(process.env.DATABASE_URL);(async()=>{
await sql\`ALTER TABLE licenses RENAME COLUMN stripe_subscription_id TO stripe_payment_id\`;
await sql\`ALTER TABLE licenses RENAME CONSTRAINT licenses_stripe_subscription_id_unique TO licenses_stripe_payment_id_unique\`;
console.log('migration applied');
})()"
```

Option B — drizzle-kit push (requires drizzle-kit configured): npx drizzle-kit push --config libs/db/drizzle.config.ts

After the migration runs:

1. CI's minting-deploy fires on this PR's merge → new minting build picks up handler changes.
2. Re-run smoke: stripe trigger checkout.session.completed --api-key $STRIPE_SECRET_KEY --override "checkout_session:metadata.ngaf_tier_slug=indie"
3. Confirm Resend send via API; confirm DB row written.

Risks

• Migration ordering. If the minting-service deploy beats the DB migration, the new code will fail on upsertLicense (column doesn't exist yet). Empty DB means no data loss either way; just an interim error window.
• Stripe products' price metadata. pricing/tiers.generated.ts is already populated with prices keyed on ngaf_tier_slug (PR chore(stripe): sync test-mode product + price IDs #513). The minting service now reads the same key. End-to-end aligned.
• Token verify in @ngaf/chat. Separate concern — needs the prod public key to be bundled, which is PR C's responsibility (already merged but the website's published @ngaf/chat won't ship the prod key until the next publish run). Not blocking this PR.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
threadplane	Ready	Preview, Comment	May 21, 2026 7:09pm