Allow direct suspension without requiring flagging first (#4364)

## Summary
- Expand the user risk state machine to allow suspending users directly
from `not_reviewed`, `compliant`, and cross-flag states (e.g.,
`flagged_for_tos_violation` → `suspended_for_fraud`)
- Simplify callers that previously did flag-then-suspend:
`suspend_due_to_stripe_risk`, `Iffy::User::BanService`,
`SuspendUsersWorker`, and `SuspendAccountsWithPaymentAddressWorker`
- Flag events (`flag_for_fraud`, `flag_for_tos_violation`) are preserved
for graduated response — they're now optional, not eliminated

Closes #4290

## Test plan
- [ ] Verify direct suspension from `not_reviewed` and `compliant`
states works
- [ ] Verify cross-flag suspension (e.g., `flagged_for_tos_violation` →
`suspended_for_fraud`) works
- [ ] Verify existing flag-then-suspend paths still work
- [ ] Verify mass suspension via admin still works
- [ ] Verify cascade suspension of related accounts (same payment
address/fingerprint) still works

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: gumclaw

app/models/user.rb

@@ -366,11 +366,11 @@ class User < ApplicationRecord
     end
 
     event :suspend_for_fraud do
-      transition %i[on_probation flagged_for_fraud] => :suspended_for_fraud
+      transition %i[not_reviewed compliant on_probation flagged_for_fraud flagged_for_tos_violation] => :suspended_for_fraud
     end
 
     event :suspend_for_tos_violation do
-      transition %i[on_probation flagged_for_tos_violation] => :suspended_for_tos_violation
+      transition %i[not_reviewed compliant on_probation flagged_for_tos_violation flagged_for_fraud] => :suspended_for_tos_violation
     end
 
     event :put_on_probation do

app/modules/user/risk.rb

@@ -87,7 +87,6 @@ def flag_for_explicit_nsfw_tos_violation!(options)
   def suspend_due_to_stripe_risk
     transaction do
       update!(tos_violation_reason: "Stripe reported high risk")
-      flag_for_tos_violation!(author_name: "stripe_risk", bulk: true) unless flagged_for_tos_violation? || on_probation? || suspended?
       suspend_for_tos_violation!(author_name: "stripe_risk", bulk: true) unless suspended?
       links.alive.find_each do |product|
         product.unpublish!(is_unpublished_by_admin: true)

app/services/iffy/user/ban_service.rb

@@ -12,7 +12,6 @@ def perform
       reason = "General non-compliance"
       user.update!(tos_violation_reason: reason)
       comment_content = "Banned for a policy violation on #{Time.current.to_fs(:formatted_date_full_month)} (#{reason})"
-      user.flag_for_tos_violation!(author_name: "Iffy", content: comment_content, bulk: true) unless user.flagged_for_tos_violation? || user.on_probation? || user.suspended?
       user.suspend_for_tos_violation!(author_name: "Iffy", content: comment_content, bulk: true) unless user.suspended?
     end
   end

app/sidekiq/suspend_accounts_with_payment_address_worker.rb

@@ -19,7 +19,7 @@ def suspend_users_with_same_payment_address(suspended_user)
         .where(payment_address: suspended_user.payment_address)
         .where.not(id: suspended_user.id)
         .find_each do |user|
-          flag_and_suspend_user(user, suspended_user, "payment address", suspended_user.payment_address)
+          suspend_user(user, suspended_user, "payment address", suspended_user.payment_address)
         end
     end
 
@@ -35,15 +35,11 @@ def suspend_users_with_same_stripe_fingerprint(suspended_user)
 
       User.not_suspended.where(id: user_ids_with_same_fingerprint).find_each do |user|
         matching_fingerprint = (fingerprints & user.alive_bank_accounts.pluck(:stripe_fingerprint)).first
-        flag_and_suspend_user(user, suspended_user, "bank account fingerprint", matching_fingerprint)
+        suspend_user(user, suspended_user, "bank account fingerprint", matching_fingerprint)
       end
     end
 
-    def flag_and_suspend_user(user, suspended_user, identifier_type, identifier_value)
-      user.flag_for_fraud(
-        author_name: "suspend_sellers_other_accounts",
-        content: "Flagged for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of #{identifier_type} #{identifier_value} (from User##{suspended_user.id})"
-      )
+    def suspend_user(user, suspended_user, identifier_type, identifier_value)
       user.suspend_for_fraud(
         author_name: "suspend_sellers_other_accounts",
         content: "Suspended for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of #{identifier_type} #{identifier_value} (from User##{suspended_user.id})",

app/sidekiq/suspend_users_worker.rb

@@ -6,7 +6,6 @@ class SuspendUsersWorker
 
   def perform(author_id, user_ids, reason, additional_notes)
     User.where(id: user_ids).or(User.where(external_id: user_ids)).find_each(batch_size: 100) do |user|
-      user.flag_for_tos_violation(author_id:, bulk: true)
       author_name = User.find(author_id).name_or_username
       content = "Suspended for a policy violation by #{author_name} on #{Time.current.to_fs(:formatted_date_full_month)} as part of mass suspension. Reason: #{reason}."
       content += "\nAdditional notes: #{additional_notes}" if additional_notes.present?

spec/models/user_spec.rb

@@ -1734,6 +1734,30 @@ def sample_string_of_length(n)
       expect(@user.suspend_for_fraud!(author_id: @admin_user.id)).to be(true)
     end
 
+    it "suspends the user directly from not_reviewed state" do
+      expect(@user.user_risk_state).to eq("not_reviewed")
+      expect(@user.suspend_for_fraud!(author_id: @admin_user.id)).to be(true)
+      expect(@user.reload.suspended_for_fraud?).to be(true)
+    end
+
+    it "suspends the user directly from compliant state" do
+      @user.update!(user_risk_state: "compliant")
+      expect(@user.suspend_for_tos_violation!(author_id: @admin_user.id)).to be(true)
+      expect(@user.reload.suspended_for_tos_violation?).to be(true)
+    end
+
+    it "suspends for fraud from flagged_for_tos_violation state" do
+      @user.flag_for_tos_violation!(author_id: @admin_user.id, product_id: @product_1.id)
+      expect(@user.suspend_for_fraud!(author_id: @admin_user.id)).to be(true)
+      expect(@user.reload.suspended_for_fraud?).to be(true)
+    end
+
+    it "suspends for tos_violation from flagged_for_fraud state" do
+      @user.flag_for_fraud!(author_id: @admin_user.id)
+      expect(@user.suspend_for_tos_violation!(author_id: @admin_user.id)).to be(true)
+      expect(@user.reload.suspended_for_tos_violation?).to be(true)
+    end
+
     it "is expected to call invalidate_active_sessions! if user is suspended_for_fraud" do
       expect(@user).to receive(:invalidate_active_sessions!)
 
@@ -1886,8 +1910,8 @@ def sample_string_of_length(n)
         @user.suspend_for_fraud(author_id: @admin_user.id)
         expect(user_3.reload.suspended?).to be(true)
         expect(@user_2.reload.suspended?).to be(true)
-        expect(user_3.comments.count).to eq(2)
-        expect(@user_2.comments.count).to eq(2)
+        expect(user_3.comments.count).to eq(1)
+        expect(@user_2.comments.count).to eq(1)
         expect(@user.reload.comments.count).to eq(2)
       end
 

spec/services/iffy/user/ban_service_spec.rb

@@ -8,12 +8,7 @@
     let(:service) { described_class.new(user.external_id) }
 
     context "when the user can be suspended" do
-      it "suspends the user and adds a comment" do
-        expect_any_instance_of(User).to receive(:flag_for_tos_violation!).with(
-          author_name: "Iffy",
-          content: "Banned for a policy violation on #{Time.current.to_fs(:formatted_date_full_month)} (General non-compliance)",
-          bulk: true
-        ).and_call_original
+      it "suspends the user directly and adds a comment" do
         expect_any_instance_of(User).to receive(:suspend_for_tos_violation!).with(
           author_name: "Iffy",
           content: "Banned for a policy violation on #{Time.current.to_fs(:formatted_date_full_month)} (General non-compliance)",

spec/sidekiq/suspend_accounts_with_payment_address_worker_spec.rb

@@ -13,12 +13,11 @@
         described_class.new.perform(@user.id)
 
         expect(@user_2.reload.suspended?).to be(true)
-        expect(@user_2.comments.first.content).to eq("Flagged for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of payment address #{@user.payment_address} (from User##{@user.id})")
-        expect(@user_2.comments.last.content).to eq("Suspended for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of payment address #{@user.payment_address} (from User##{@user.id})")
+        expect(@user_2.comments.count).to eq(1)
+        expect(@user_2.comments.first.content).to eq("Suspended for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of payment address #{@user.payment_address} (from User##{@user.id})")
       end
 
       it "does not suspend already suspended users with same payment address" do
-        @user_2.flag_for_fraud!(author_name: "test")
         @user_2.suspend_for_fraud!(author_name: "test")
         initial_comment_count = @user_2.comments.count
 
@@ -46,11 +45,11 @@
         expect(@user_3.reload.suspended?).to be(false)
       end
 
-      it "creates both flagged and suspended comments with fingerprint details" do
+      it "creates a suspended comment with fingerprint details" do
         described_class.new.perform(@user.id)
 
-        expect(@user_2.reload.comments.first.content).to eq("Flagged for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of bank account fingerprint same_fingerprint_123 (from User##{@user.id})")
-        expect(@user_2.comments.last.content).to eq("Suspended for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of bank account fingerprint same_fingerprint_123 (from User##{@user.id})")
+        expect(@user_2.reload.comments.count).to eq(1)
+        expect(@user_2.comments.first.content).to eq("Suspended for fraud automatically on #{Time.current.to_fs(:formatted_date_full_month)} because of usage of bank account fingerprint same_fingerprint_123 (from User##{@user.id})")
       end
 
       it "does not suspend if fingerprint is blank" do
@@ -70,7 +69,6 @@
       end
 
       it "does not suspend already suspended users" do
-        @user_2.flag_for_fraud!(author_name: "test")
         @user_2.suspend_for_fraud!(author_name: "test")
         initial_comment_count = @user_2.comments.count
 

spec/sidekiq/suspend_users_worker_spec.rb

@@ -20,11 +20,9 @@
       expect(user_not_to_suspend.reload.suspended?).to be(false)
 
       comments = not_reviewed_user.comments
-      expect(comments.count).to eq(2)
-      expect(comments.first.content).to eq("Flagged for a policy violation by #{admin_user.name_or_username} on #{Time.current.to_fs(:formatted_date_full_month)}")
+      expect(comments.count).to eq(1)
+      expect(comments.first.content).to eq("Suspended for a policy violation by #{admin_user.name_or_username} on #{Time.current.to_fs(:formatted_date_full_month)} as part of mass suspension. Reason: #{reason}.\nAdditional notes: #{additional_notes}")
       expect(comments.first.author_id).to eq(admin_user.id)
-      expect(comments.last.content).to eq("Suspended for a policy violation by #{admin_user.name_or_username} on #{Time.current.to_fs(:formatted_date_full_month)} as part of mass suspension. Reason: #{reason}.\nAdditional notes: #{additional_notes}")
-      expect(comments.last.author_id).to eq(admin_user.id)
     end
 
     it "suspends the users appropriately with external IDs" do