Handle subscription plan changes (upgrades & downgrades) #20

rameerez · 2025-12-28T03:50:33Z

Handle Subscription Plan Changes (Upgrades & Downgrades)

Fixes #12

🎯 Problem Statement

Original Issue

Users reported that after upgrading their subscription plan using Pay's .swap() method, they would receive an initial credit grant but subsequent recurring credits would not be awarded. The fulfillment system continued awarding credits based on the old plan.

Example scenario:

User subscribes to "starter" plan (100 credits/month)
Receives 10 trial credits
User upgrades to "premium" plan (500 credits/30 seconds for testing)
Receives initial 500 credits via manual give_credits()
Problem: Never receives recurring 500 credits every 30 seconds

Root Cause

The PaySubscriptionExtension module (which integrates Pay with UsageCredits) had a TODO comment indicating this was a known gap:

# TODO: handle plan changes (upgrades / downgrades)

When a subscription plan changed:

Pay's .swap() method updated the processor_plan field in the subscription record
The associated Fulfillment record's metadata still referenced the old plan ID
The FulfillmentService looked up the plan using fulfillment.metadata["plan"], which never changed
Result: Future fulfillments continued awarding credits from the old plan

🔍 Investigation & Research

Understanding Pay's Swap Behavior

Researched Pay gem documentation to understand how .swap() works:

Stripe/Paddle: Updates existing subscription record with new processor_plan
Braintree: Cancels old subscription and creates a new one (with proration)
The processor_plan field changes and Rails provides saved_change_to_processor_plan? for detection
Stripe sends customer.subscription.updated webhook with previous_attributes

Architecture Analysis

Examined the fulfillment system architecture:

Each Pay::Subscription has ONE Fulfillment record (enforced by uniqueness constraint)
Fulfillment stores plan metadata: { plan: "processor_plan_id", ... }
FulfillmentService#process looks up plan via: @fulfillment.metadata["plan"]
This metadata was never updated when subscriptions changed plans

Design Decisions Research

Investigated standard SaaS practices for plan changes:

Upgrades: Industry standard is immediate credit grant (best UX, matches user expectations)
Downgrades: Industry standard is end-of-period transition (matches Stripe's default behavior)
Credits handling:
- On upgrade: Grant new plan credits immediately (no proration needed for credits)
- On downgrade: Let user keep existing credits (no clawback - generous and clean)

✅ Solution Implemented

1. Plan Change Detection

Added after_commit callback to detect plan changes:

after_commit :handle_plan_change_wrapper

def plan_changed?
  saved_change_to_processor_plan? && status == "active" && provides_credits?
end

2. Upgrade Handling (Immediate)

When user upgrades to a plan with more credits per period:

def handle_plan_upgrade(new_plan, fulfillment)
  wallet = customer.owner.credit_wallet
  
  # Grant full new plan credits immediately
  wallet.add_credits(
    new_plan.credits_per_period,
    category: "subscription_upgrade",
    # ... metadata
  )
  
  # Update fulfillment to track new plan
  update_fulfillment_plan_metadata(fulfillment, processor_plan)
end

What happens:

✅ User immediately receives full credits from new plan
✅ Fulfillment metadata updated to new plan ID
✅ Future recurring fulfillments award credits from new plan
✅ Transaction logged with category "subscription_upgrade"

3. Downgrade Scheduling (End-of-Period)

When user downgrades to a plan with fewer credits per period:

def handle_plan_downgrade(new_plan, fulfillment)
  schedule_time = current_period_end || Time.current
  
  fulfillment.update!(
    metadata: fulfillment.metadata.merge(
      pending_plan_change: processor_plan,
      plan_change_at: schedule_time
    )
  )
end

What happens:

✅ User keeps current plan credits (no immediate change)
✅ Downgrade scheduled for current_period_end
✅ Stored in fulfillment metadata as pending_plan_change

4. Downgrade Application (On Renewal)

Enhanced renewal callback to apply scheduled downgrades:

def update_fulfillment_on_renewal
  # ... existing renewal logic ...
  
  if fulfillment.metadata["pending_plan_change"].present?
    apply_pending_plan_change(fulfillment)
  end
end

def apply_pending_plan_change(fulfillment)
  pending_plan = fulfillment.metadata["pending_plan_change"]
  
  fulfillment.update!(
    metadata: fulfillment.metadata
      .merge(plan: pending_plan)
      .except("pending_plan_change", "plan_change_at")
  )
end

What happens:

✅ On renewal, checks for pending plan change
✅ Applies the scheduled downgrade
✅ Clears pending change metadata
✅ Future fulfillments award credits from new plan

5. New Transaction Category

Added "subscription_upgrade" to allowed transaction categories in Transaction model to track upgrade credit grants separately from regular subscription credits.

🧪 Testing

Test Coverage

446 tests passing (added 4 new tests)
879 assertions - all green
85.09% line coverage (up from 84.82%)
73.24% branch coverage (up from 73.07%)

New Tests

test_plan_change_updates_fulfillment_metadata - Basic plan change detection
test_upgrade_to_higher_plan_grants_immediate_credits - Full upgrade flow
test_downgrade_schedules_plan_change_for_end_of_period - Downgrade scheduling
test_scheduled_downgrade_applies_on_subscription_renewal - Downgrade application

Test Scenarios Covered

✅ Upgrade from lower to higher credit plan
✅ Immediate credit grant on upgrade
✅ Fulfillment metadata updates correctly
✅ Transaction history tracks upgrades
✅ Downgrade scheduling (no immediate change)
✅ Downgrade application on renewal
✅ Credits retained during downgrade period
✅ Pending change metadata cleared after application

📊 User Experience

Upgrade Flow

# User on "starter" (500 credits/month)
user.credits #=> 600 (500 + 100 signup bonus)

# Upgrades to "premium" (2000 credits/month)
subscription.swap("premium_plan_monthly")

# Immediate result:
user.credits #=> 2600 (600 existing + 2000 from upgrade)

# Future fulfillments:
# FulfillmentJob runs monthly, awards 2000 credits each time

Downgrade Flow

# User on "premium" (2000 credits/month, period ends in 15 days)
user.credits #=> 2200 (2000 + 200 signup bonus)

# Downgrades to "starter" (500 credits/month)
subscription.swap("pro_plan_monthly")

# Immediate result:
user.credits #=> 2200 (unchanged! Keeps benefits until period ends)
fulfillment.metadata["pending_plan_change"] #=> "pro_plan_monthly"

# After 15 days (on renewal):
# Downgrade applied automatically
# Next fulfillment awards 500 credits

🚧 Future Work & Known Limitations

Not Yet Implemented

1. Paused Subscriptions

Status: TODO comment exists in code
Issue: Paused subscriptions may maintain "active" status but shouldn't fulfill credits
Impact: Low (paused subs are uncommon)
Recommendation: Add paused? check to fulfillment conditions

2. Multiple Plan Changes in Single Period

Scenario: User upgrades, then changes mind and downgrades within same billing period
Current behavior:
- First change (upgrade) grants credits immediately
- Second change (downgrade) schedules for period end
- User keeps all credits from upgrade until period ends
Potential issue: User could game the system by rapid plan switching
Recommendation: Add rate limiting or track plan change history

3. Plan Changes During Trial Period

Scenario: User on trial upgrades/downgrades before trial ends
Current behavior: Should work but untested
Recommendation: Add specific test cases for trial period plan changes

4. Proration Handling

Current: Credits are NOT prorated (user gets full amount from new plan)
Stripe: Handles billing proration automatically
Gap: Credit fulfillment doesn't match billing proration
Example: User pays 50% prorated amount but gets 100% credits
Recommendation: Consider if credit proration is desired for your business model

5. Downgrade to Non-Credit Plan

Scenario: User downgrades from credit plan to plan that doesn't provide credits
Current behavior: Likely gracefully handled (returns early from callbacks) but untested
Recommendation: Add explicit test case

6. Credit Expiration on Downgrade

Current: Users keep all existing credits when downgrading
Alternative: Could expire credits from higher plan at downgrade time
Consideration: Current behavior is more user-friendly but could be exploited
Recommendation: Add configuration option for credit expiration policy

Edge Cases to Monitor

1. Webhook Race Conditions

Scenario: Plan change and renewal webhooks arrive in rapid succession
Risk: Pending plan change might not be set before renewal applies it
Mitigation: Transaction blocks ensure atomicity
Status: Should be safe but monitor in production

2. Fulfillment Job Timing

Scenario: Fulfillment job runs between plan change and renewal
Current behavior: Awards credits from current plan (before downgrade applies)
Expected: This is correct behavior (user paid for full period)
Status: Working as intended

3. Manual Subscription Updates

Scenario: Admin manually updates processor_plan in database/console
Current behavior: Callbacks fire normally
Risk: Might grant unexpected credits if done incorrectly
Recommendation: Document proper plan change procedure for admins

4. Subscription Cancellation After Downgrade Scheduled

Scenario: User schedules downgrade, then cancels subscription before renewal
Current behavior: Cancellation stops fulfillment, pending downgrade becomes moot
Status: Likely works correctly but untested
Recommendation: Add test case

Testing Gaps

Manual Testing Needed

Test with actual Stripe test mode using .swap()
Verify webhook handling with real Stripe events
Test the exact scenario from issue How to manage update and fulfilment jobs #12
Test with different processors (Paddle, Braintree)

Additional Automated Tests Needed

Multiple plan changes in one period
Plan change during trial period
Downgrade to non-credit plan
Concurrent plan change and renewal
Cancellation with pending downgrade

Documentation Updates Needed

Update README with upgrade/downgrade behavior
Document new subscription_upgrade transaction category
Add example of handling plan changes in app code
Document fulfillment metadata structure
Add troubleshooting guide for plan change issues

🔄 Breaking Changes

None. This is a purely additive change that doesn't modify existing behavior for subscriptions that don't change plans.

📝 Related Issues

Fixes How to manage update and fulfilment jobs #12 - Users not receiving credits after plan upgrade
Addresses TODO comments in PaySubscriptionExtension (lines 39-40)
Implements TODO from README line 569: "Handle subscription upgrades and downgrades"

🎓 References

Ready for review! This implementation follows SaaS industry standards and matches Stripe's default behavior for plan changes. All tests passing with improved coverage.

- Detect when processor_plan changes on active subscriptions - Update fulfillment metadata with new plan ID - Add test for plan change detection - All 443 tests passing This is the first incremental step toward handling subscription upgrades and downgrades. The fulfillment now tracks plan changes so subsequent credit fulfillments will use the correct plan. Related to issue #12

This commit adds comprehensive support for subscription plan upgrades: ## What's New - Detects when users upgrade to a plan with more credits - Immediately grants full credits from the new plan - Updates fulfillment metadata to track the new plan - Adds 'subscription_upgrade' transaction category - All subsequent fulfillments will use the new plan's credit amount ## Implementation Details - Added after_commit callback for plan changes - Compares old vs new plan credits_per_period to detect upgrades - Transactions are atomic with proper error handling - Downgrades currently just update metadata (full impl coming next) ## Tests - Test for basic plan change detection and metadata update - Test for upgrade scenario with immediate credit grant - All 444 tests passing with 84.75% line coverage ## Related to Issue #12 This addresses the core problem where users upgrading plans weren't receiving credits from their new plan. The fulfillment system now properly tracks plan changes and awards credits accordingly. Next: Implement downgrade scheduling for end-of-period transitions

This commit adds full support for subscription plan downgrades: ## What's New - Detects when users downgrade to a plan with fewer credits - Schedules the downgrade for end of current billing period - Users keep current plan benefits until period ends - Automatically applies the scheduled downgrade on renewal - Credits are NOT deducted (users keep what they've earned) ## Implementation Details - Downgrades stored as pending_plan_change in fulfillment metadata - plan_change_at tracks when the change should occur - On renewal, apply_pending_plan_change executes the scheduled change - Clean separation between scheduling and application - All transitions are atomic with proper error handling ## User Experience User downgrades from premium (2000/month) to starter (500/month): 1. ✅ Keeps their 2000 credits until period ends 2. ✅ Downgrade scheduled for current_period_end 3. ✅ On next renewal, switches to 500 credits/month 4. ✅ No credit clawback or confusing deductions ## Tests - Test for downgrade scheduling (no immediate change) - Test for downgrade application on renewal - All 446 tests passing with 85.09% line coverage ## Related to Issue #12 Combined with the upgrade feature, this fully solves the subscription plan change problem. Users can now freely upgrade/downgrade and the fulfillment system handles it gracefully: - Upgrades: Immediate credits - Downgrades: End-of-period transition This matches standard SaaS expectations and Stripe's default behavior.

claude · 2025-12-28T03:53:56Z

Pull Request Review: Handle Subscription Plan Changes

Overall Assessment

This is a well-designed, thoroughly documented PR that addresses a critical gap in the gem's functionality. The implementation follows SaaS industry best practices and includes comprehensive test coverage. The PR description is exemplary.

✅ Strengths

Excellent Problem Analysis - Clear root cause identification and well-researched solution
Sound Architecture - Upgrade/downgrade flows follow industry standards
Strong Test Coverage - Coverage increased from 84.82% to 85.09%
Code Quality - Good separation of concerns and error handling

🔍 CRITICAL Issues

1. Credit Expiration Not Set on Upgrades ⚠️

Location: pay_subscription_extension.rb:303-312

The handle_plan_upgrade method does not set expires_at when the new plan has unused_credits :expire configured.

Impact: Users upgrading to plans with expiring credits will incorrectly receive non-expiring credits.

Fix needed: Add expires_at calculation like lines 111-112

2. Nil Old Plan Handling (HIGH)

Location: pay_subscription_extension.rb:282-290

When upgrading from a non-credit plan to a credit plan, old_plan is nil and the code falls through to the else branch without granting credits.

Suggested fix: Add explicit nil check before credit comparisons

3. plan_changed? Guard Issue (MEDIUM)

Location: pay_subscription_extension.rb:88-90

Only checks if NEW plan provides credits. Downgrade from credit plan to non-credit plan won't trigger handle_plan_change.

🧪 Testing Gaps

Missing test cases:

Upgrade from non-credit to credit plan
Downgrade from credit to non-credit plan
Lateral plan changes (same credits, different plan)
Multiple changes in one period

🚀 Recommendations

Must Fix Before Merge:

Add expires_at handling in handle_plan_upgrade (CRITICAL)
Handle nil old_plan case (HIGH)
Fix plan_changed? guard (MEDIUM)

Should Fix:

Add missing test cases
Add CHANGELOG entry
Update README with upgrade/downgrade behavior

📊 Final Score: 8.2/10

Status: REQUEST CHANGES

The credit expiration bug is critical. Once fixed, this will be an excellent addition! Great work on the comprehensive PR description.

rameerez · 2025-12-28T17:58:57Z

✅ Summary of Work Completed

This PR now fully implements subscription plan change handling with comprehensive safety checks and regression coverage. Below is a complete log of the issues we identified (starting from the original reviewer concerns), the additional pitfalls discovered during review, and the exact fixes applied.

🧩 Original Review Issues (Claude) and Fixes

1) Upgrade credits did not expire for expiring plans (CRITICAL)

Problem: handle_plan_upgrade added credits without expires_at, so upgrading to a plan with unused_credits :expire yielded non‑expiring credits.
Fix: handle_plan_upgrade now sets expires_at using current_period_end (billing‑aligned) + grace, or falls back to period‑based time when needed.
Code: lib/usage_credits/models/concerns/pay_subscription_extension.rb

2) Nil old plan when upgrading from non‑credit plan (HIGH)

Problem: Upgrading from a non‑credit plan resulted in old_plan == nil, causing the upgrade path to fall through and skip credit grants.
Fix: plan_changed? now only triggers when the old plan is a credit plan. Non‑credit → credit is handled by the initial award flow (no double‑award risk).
Code: lib/usage_credits/models/concerns/pay_subscription_extension.rb

3) `plan_changed?` guard missed credit → non‑credit transitions (MEDIUM)

Problem: Downgrading to a non‑credit plan did not trigger plan change handling, leaving Fulfillment active and continuing to award credits.
Fix: Added handle_downgrade_to_non_credit_plan, which schedules stops_at at end of period and preserves credits.
Code: lib/usage_credits/models/concerns/pay_subscription_extension.rb

🔍 Additional Issues Discovered During Review (and Fixes)

4) Double‑awarding on non‑credit → credit swap

Problem: Both handle_initial_award_and_fulfillment_setup and handle_plan_change could fire, awarding credits twice.
Fix: plan_changed? only fires when the old plan was a credit plan. Non‑credit → credit swaps are handled exclusively by initial award logic.

5) Credit → non‑credit → credit reactivation failed

Problem: A stopped Fulfillment still existed, so credits_already_fulfilled? returned true and blocked reactivation.
Fix: Fulfillments that are stopped (or scheduled to stop) are now treated as reactivatable. We reuse and reactivate that record.

6) Reactivation before stop date was blocked

Problem: If a user re‑enabled credits before stops_at, the Fulfillment still looked “active” and reactivation was skipped.
Fix: Fulfillment with stopped_reason is now considered reactivatable even if stops_at is in the future.

7) Reactivation could set expiration in the past

Problem: Using created_at + period caused immediate expiration for long‑lived subscriptions switching to credits later.
Fix: Initial/reactivation expiration uses current_period_start || Time.current.

8) Pending downgrade not cleared on upgrade

Problem: A user could schedule a downgrade, upgrade again, and still be downgraded on renewal.
Fix: Upgrade clears pending_plan_change and plan_change_at.

9) Reactivation metadata was overwritten

Problem: Reactivation replaced metadata entirely, losing custom keys.
Fix: Reactivation now merges metadata and removes only stop/pending keys.

10) Plan lookup was memoized and stale

Problem: credit_subscription_plan was memoized, so changes to processor_plan could use stale plans.
Fix: Removed memoization.

✅ Behavior Adjustments in Final Code

Plan Change Logic

plan_changed? only triggers when old plan was a credit plan.
Credit → non‑credit: schedules Fulfillment stop, no clawback.
Credit → credit: handles upgrade/downgrade with proper metadata and pending change logic.

Reactivation Logic

Reactivates if Fulfillment is stopped OR scheduled to stop.
Reactivation awards credits again (no signup bonus on reactivation).
Fulfillment metadata updated + cleaned safely.

Expiration Logic

Upgrade credits expire correctly when plan is expiring.
Rollover plans still get expires_at = nil.
Expiration base uses current period or Time.current to avoid past expiry.

🧪 Tests Added (Highlights)

Regression Tests (Reviewer issues)

Upgrade expiration on expiring plans
Upgrade expiration when rollover
Expiring→expiring upgrade
Non‑credit → credit does not double‑award
Guard on initial creation
Credit → non‑credit stops fulfillment
Credits preserved on downgrade

Plan Change Scenarios

Lateral plan change (same credits, different period)
Multiple upgrades in same period
Pending downgrade applied on renewal
Upgrade clears pending downgrade
Cancellation with pending downgrade

Reactivation Scenarios

Credit → non‑credit → credit (after stop date)
Credit → non‑credit → credit (before stop date)

Trial and Boundary Behaviors

Trial plan changes do not trigger plan change (documented)
Missing current_period_end
No wallet
Non‑credit → non‑credit no‑op

✅ Result

All plan‑change flows are now correctly handled: upgrades, downgrades, pending changes, and reactivations (both before and after stop date). Credits expire correctly on upgrades, rollovers remain non‑expiring, and Fulfillment metadata stays consistent.

Tests are green and we have explicit regression coverage for every issue above.

claude · 2025-12-28T17:59:59Z

Code Review: Handle Subscription Plan Changes (PR #20)

Summary

This PR implements a comprehensive solution for handling subscription plan changes (upgrades and downgrades). The implementation is well-architected with excellent test coverage and thorough documentation. The code quality is high, and the approach follows SaaS industry standards.

✅ Strengths

1. Excellent Architecture & Design

Separation of concerns: Upgrade and downgrade logic are cleanly separated with dedicated handler methods
Industry-standard behavior: Immediate upgrades, end-of-period downgrades matches Stripe's defaults
Metadata-driven state: Using pending_plan_change in fulfillment metadata is a clean, database-friendly approach
Reactivation support: Handles credit → non-credit → credit transitions elegantly

2. Strong Test Coverage

Added 4+ comprehensive tests covering main flows
Coverage increased from 84.82% → 85.09% (line) and 73.07% → 73.24% (branch)
Tests cover both happy paths and important edge cases
All 446 tests passing with 879 assertions

3. Code Quality

Clear, descriptive method names (handle_plan_upgrade, apply_pending_plan_change)
Comprehensive logging for debugging and audit trails
Proper use of transactions to ensure atomicity
Good inline comments explaining complex logic

4. Thorough Documentation

The PR description is exemplary - includes problem statement, investigation notes, design decisions, and known limitations
Code comments explain the "why" not just the "what"
Future work section shows awareness of edge cases

🐛 Potential Bugs & Issues

Critical

1. Race Condition: Plan Change During Fulfillment Job (Medium Priority)

# pay_subscription_extension.rb:296-299
if fulfillment.metadata["pending_plan_change"].present?
  apply_pending_plan_change(fulfillment)
end

Issue: If a user upgrades after scheduling a downgrade, but before the renewal applies it, the upgrade clears the pending change. However, if the FulfillmentJob runs between the downgrade scheduling and the renewal, it could award credits based on the wrong plan.

Recommendation: Consider adding a plan_changed_at timestamp and comparing it with last_fulfilled_at in the FulfillmentJob to ensure consistency.

2. Credit Expiration Calculation for Upgrades (Low-Medium Priority)

# pay_subscription_extension.rb:391
base_time = current_period_end || (Time.current + new_plan.parsed_fulfillment_period)

Issue: When current_period_end is nil (which shouldn't happen for active subscriptions, but could in edge cases), the fallback uses Time.current + period, which may not align with the actual billing cycle.

Recommendation: Add a guard clause or log a warning when current_period_end is nil for an active subscription.

Minor

3. Inconsistent Time Methods (Low Priority)

# Line 265: Time.now
# Line 243: Time.current

Issue: Mixed use of Time.now vs Time.current. In Rails, Time.current respects the application's configured time zone.

Recommendation: Standardize on Time.current throughout for consistency (line 265 in pay_subscription_extension.rb:265).

4. Memoization Removed Without Thread Safety Consideration (Low Priority)

# pay_subscription_extension.rb:44-46
# NOTE: Not memoized because processor_plan can change, and we need the current value
def credit_subscription_plan
  UsageCredits.configuration.find_subscription_plan_by_processor_id(processor_plan)
end

Issue: While removing memoization is correct for handling plan changes, this means every call performs a lookup. If find_subscription_plan_by_processor_id is expensive, this could impact performance.

Recommendation: Consider adding a note about the performance characteristics of find_subscription_plan_by_processor_id or optimizing it if needed.

🔒 Security Concerns

No significant security issues identified. The implementation properly:

Uses transactions for atomicity
Validates state transitions with guard clauses
Logs all operations for audit trails
Doesn't expose sensitive data in metadata

Minor consideration: The metadata stored includes plan IDs and subscription IDs. Ensure these don't contain sensitive information if the database is compromised.

⚡ Performance Considerations

Good Practices

✅ Uses update_all for batch updates (line 278)
✅ Wraps multi-step operations in transactions
✅ Early returns to avoid unnecessary processing

Potential Optimizations

1. N+1 Query Potential (Low Priority)

# pay_subscription_extension.rb:350-351
old_plan = UsageCredits.configuration.find_subscription_plan_by_processor_id(old_plan_id)
new_plan = UsageCredits.configuration.find_subscription_plan_by_processor_id(new_plan_id)

If these lookups hit the database, this could be optimized. However, if they're in-memory lookups from the configuration DSL (which they likely are), this is fine.

2. Multiple Metadata Updates
The code updates fulfillment metadata multiple times in some flows. Consider whether these could be consolidated into a single update in some cases to reduce database writes.

🧪 Test Coverage Analysis

Well-Covered Scenarios ✅

Basic plan change detection
Upgrade with immediate credit grant
Downgrade scheduling
Downgrade application on renewal
Credit expiration on plan changes
Downgrade to non-credit plans
Reactivation scenarios

Missing Test Coverage 🔴

1. Multiple Plan Changes in One Period

# Missing test for:
subscription.update!(processor_plan: "premium")  # Upgrade, get 2000 credits
subscription.update!(processor_plan: "pro")      # Downgrade in same period
# What happens to the 2000 credits? What does fulfillment metadata show?

2. Plan Change + Renewal Race Condition

# Missing test for:
subscription.update!(processor_plan: "pro")      # Schedule downgrade
# FulfillmentJob runs here - what plan does it use?
subscription.update!(current_period_end: 60.days.from_now)  # Renewal

3. Plan Change from Non-Credit to Credit
The PR description mentions this is handled by handle_initial_award_and_fulfillment_setup, but there's no explicit test for:

# Non-credit plan → Credit plan (should create new fulfillment)

4. Plan Change During Trial Period
Listed as "future work" but would be valuable to test:

# User on trial upgrades/downgrades before trial ends

5. Same-Credit Different-Period Plan Changes

# pay_subscription_extension.rb:372-374
else
  # Same credits amount (maybe different period?) - just update metadata
  update_fulfillment_plan_metadata(fulfillment, new_plan_id)
end

This branch isn't tested. What happens if you switch from "500/month" to "500/week"?

📝 Code Style & Best Practices

Excellent ✅

Consistent error handling with rescue blocks and logging
Descriptive variable names
Proper use of guard clauses
Good method extraction (single responsibility)

Minor Suggestions

1. Magic Strings in Metadata

fulfillment.metadata["pending_plan_change"]
fulfillment.metadata["plan_change_at"]
fulfillment.metadata["stopped_reason"]

Recommendation: Consider extracting these as constants:

METADATA_PENDING_PLAN_CHANGE = "pending_plan_change"
METADATA_PLAN_CHANGE_AT = "plan_change_at"
METADATA_STOPPED_REASON = "stopped_reason"

2. Method Complexity
handle_initial_award_and_fulfillment_setup (lines 141-284) is 143 lines long and handles multiple concerns. Consider extracting:

award_trial_credits
award_signup_bonus_and_subscription_credits
setup_fulfillment_record

🎯 Recommendations

High Priority

Add test for multiple plan changes in one period - This is a likely user scenario
Standardize on Time.current instead of mixing Time.now
Add logging when current_period_end is nil for active subscriptions

Medium Priority

Document the plan change metadata schema - Add a comment block explaining the metadata structure
Add test for same-credit different-period changes
Consider extracting metadata keys as constants

Low Priority

Refactor handle_initial_award_and_fulfillment_setup for better readability
Add performance benchmarks if plan lookup becomes a bottleneck

🎉 Conclusion

This is high-quality work that solves a real problem comprehensively. The implementation is thoughtful, well-tested, and production-ready. The PR description alone sets a gold standard for documentation.

Approval Status: ✅ APPROVE with minor suggestions

The identified issues are mostly minor edge cases and test coverage gaps that can be addressed in follow-up PRs. The core functionality is solid and ready to merge.

Great work! 🚀

Reviewed by: Claude Code
Review Date: 2025-12-28

…tests

rameerez · 2025-12-28T18:49:50Z

✅ PR Update: New Changes + Comprehensive Test Coverage

Key Code Updates Since Last Review

Plan change logic now anchored on the current plan from fulfillment metadata, not just saved_change_to_processor_plan. This correctly handles multiple plan changes in the same billing period.
Returning to the current plan cancels a pending downgrade without granting credits (matches Stripe billing expectations; no new charge → no new credits).
Pending downgrade application remains separate from current plan, so FulfillmentJob always uses the correct plan while a downgrade is pending.
String keys are now enforced in fulfillment metadata to avoid duplicate keys after JSON serialization.
Time.current standardized (removed remaining Time.now).
Explicit warning logged when current_period_end is nil for an active subscription.
Metadata merges preserve custom keys during reactivation.

🧪 New Tests Added (Extremely Thorough Coverage)

✅ Multiple Plan Changes in One Period (New Comprehensive Suite)

multiple consecutive downgrades overwrites pending plan change correctly
- Schedules downgrade A → schedules downgrade B → verifies pending change overwrites → verifies renewal applies latest pending plan.
downgrade then downgrade then upgrade clears all pending changes
- Two downgrades scheduled → user returns to current plan → pending cleared, no new credits granted.
rapid successive upgrades to different plans accumulate credits
- True upgrades grant credits once; canceling a pending downgrade does not grant extra credits.
lateral change after downgrade scheduled keeps pending downgrade
- Pending downgrade updated when user laterally switches to another plan with same credits.
upgrade to same plan as pending downgrade grants no credits and clears pending
- Switching among pending downgrade targets → only the latest pending plan is applied on renewal; no extra credits.

✅ FulfillmentJob Timing & Pending Downgrade Behavior

fulfillment job timing with pending downgrade awards current plan credits
- Ensures FulfillmentJob always uses current plan in metadata, not pending downgrade.

✅ Metadata Integrity & Consistency

multiple plan changes preserve subscription_id in metadata
- Ensures subscription_id survives upgrades, downgrades, renewals, and plan change churn.

✅ Existing Edge Case Coverage (Previously Added, Still Valid)

Upgrade/Downgrade & Expiration

Upgrade → expiring plan sets expires_at
Upgrade → rollover plan keeps expires_at = nil
Expiring → expiring upgrade sets expires_at
Credit → non‑credit stops fulfillment (no clawback)

Reactivation Scenarios

Credit → non‑credit → credit (after stop date)
Credit → non‑credit → credit (before stop date)

Lateral & Period Change

Same credits, different plan → metadata only (no credits)
Same credits, different period → metadata only (no credits)

Pending Change Lifecycle

Schedule downgrade, apply on renewal
Upgrade clears pending downgrade
Cancellation overrides pending downgrade

Trial Behavior (Documented Intentional Behavior)

Plan changes during trial do not trigger plan_changed? (status must be active)

Boundary Conditions

Missing current_period_end handled gracefully
No wallet: plan change handled gracefully
Non‑credit → non‑credit is a no‑op

✅ Summary

This update closes the reviewer’s remaining concerns and strengthens correctness around multiple plan changes, pending downgrade handling, and FulfillmentJob timing. The new tests aggressively guard against real-world billing edge cases and prevent credit exploits (duplicate credits from “canceling” downgrades).

claude · 2025-12-28T18:56:46Z

Code Review: Handle Subscription Plan Changes

Thank you for this comprehensive PR! The implementation is well-thought-out with excellent test coverage.

Overall Assessment

Verdict: Strong implementation with minor issues to address before merge.

Strengths:

Excellent test coverage (1825 lines, 85%+ coverage)
Comprehensive edge case handling
Good error handling and logging
Clear documentation and comments
Consistent string key usage preventing JSON serialization bugs

Issues Found: 2 critical, 5 high priority, 7 medium priority

Critical Issues (Must Fix)

1. Race Condition in Credit Fulfillment (Lines 67-73)

File: lib/usage_credits/models/concerns/pay_subscription_extension.rb

The documented TODO about Pay's double-update race condition is concerning. While you handle this with uniqueness validation on Fulfillment, this is fragile and could lead to double credit awards or inconsistent state.

Recommendation: Implement proper idempotency using find_or_create_by with explicit locking and an idempotency flag in metadata.

2. Credits Can Expire in the Past (Lines 158-162)

File: lib/usage_credits/models/concerns/pay_subscription_extension.rb

If current_period_start is in the past (e.g., subscription paused for 2 months then reactivated), credits could be created with expiration dates already past.

Example: Subscription paused 2 months ago (current_period_start = 2.months.ago), user reactivates today, credits awarded with expires_at = 2.months.ago + 1.month = 1.month.ago (already expired!)

Recommendation: Use expiration_base = [current_period_start || Time.current, Time.current].max

High Priority Issues

3. Typo: fullfillment_should_stop_at

Missing 'i' in fulfillment at lines 54, 246, 269, 304, 323. Rename to fulfillment_should_stop_at for consistency.

4. Missing Plan Validation in apply_pending_plan_change

No validation that the pending plan still exists in configuration. If an admin removes a plan from config after a user schedules a downgrade to it, renewal will apply an invalid plan ID.

Recommendation: Add validation to check if the pending plan exists before applying it, and log an error if not found.

5. Missing Test Coverage for Critical Edge Cases

Add tests for:

Reactivation with past current_period_start (tests the expiration bug)
Pending plan change to deleted/invalid plan
Concurrent subscription updates (tests the race condition)

Medium Priority Issues

6. Complex Method: credits_already_fulfilled?

The method handles 3 different concerns. Break into smaller, single-purpose methods for clarity.

7. Repeated Expiration Calculation Logic

Lines 158-162 and 406-411 duplicate expiration calculation. Extract to helper method.

8. Nil current_period_end Warning Without Fallback

Code continues with potentially incorrect calculations after logging warning. Use sensible default like current_period_end || (Time.current + 30.days)

9. Transaction Bulk Update Without Error Handling

Add error handling to log when expected transaction updates don't match actual updates.

What's Good

Excellent Practices:

String key consistency preventing JSON serialization duplicate keys
Proper use of ActiveRecord::Base.transaction for atomicity
Comprehensive logging with context
Metadata preservation using .except().merge() pattern
Good use of guard clauses and early returns
Thoughtful regression tests and edge case coverage

Code Quality Highlights:

wallet.rb: The deep_stringify_keys addition is exactly right
fulfillment_service.rb: String key usage with explanatory comment
transaction.rb: Properly marked belongs_to :fulfillment, optional: true

Architecture Notes

Design Decisions (Good):

Upgrades immediate, downgrades end-of-period (matches Stripe UX)
No credit clawback on downgrade (generous, clean)
Scheduled plan changes stored in metadata (simple, effective)

The Future Work & Known Limitations section is excellent and shows awareness of paused subscriptions, multiple plan changes, proration, and credit expiration policies.

Recommended Actions Before Merge

Fix critical issues Credit balance not fulfilled after non-recurring credit pack purchase #1 and Remove payment intent metadata from Subscription checkout session #2 (race condition, expiration bug)
Fix typo (fullfillment → fulfillment)
Add plan validation in apply_pending_plan_change
Add 3 critical tests (reactivation expiration, invalid pending plan, race condition)
Extract repeated expiration logic to helper method
Optional: Break up credits_already_fulfilled? for clarity

Test Coverage Assessment

Current: 446 tests, 879 assertions, 85.09% line coverage

Excellent coverage for: Basic flows, upgrades/downgrades, metadata, transactions, reactivation

Missing coverage for: Past expiration dates, invalid pending plans, concurrent updates, nil edge cases

Conclusion

This is high-quality work with thoughtful implementation and comprehensive testing. The issues identified are addressable with small, targeted fixes. The architecture is sound and follows Rails/Ruby best practices.

Estimated effort to address critical issues: 1-2 hours

Once the critical issues are resolved, this will be an excellent addition to the gem. Great work on the thorough PR description and Future Work documentation!

rameerez · 2025-12-28T19:08:12Z

Summary of Changes Made Based on Reviewer's Comments

✅ Fixed (Legitimate Issues)

Issue	Fix
Issue 2 Critical: Credits can expire in the past	Added `calculate_credit_expiration` helper that uses `[base_time, Time.current].max` to ensure expiration is never in the past
Issue 3 Typo: fullfillment	Fixed all 6 occurrences → `fulfillment_should_stop_at`
Issue 4 Missing plan validation	Added validation in `apply_pending_plan_change` - if pending plan no longer exists in config, log error and clear the invalid pending change
Issue 7 DRY: Repeated expiration logic	Extracted to `calculate_credit_expiration(plan, base_time)` helper method

✅ Tests Added

test_reactivation_with_past_current_period_start_does_not_create_already-expired_credits - Verifies the critical bug fix
test_pending_plan_change_to_deleted_plan_is_handled_gracefully - Verifies plan validation works

❌ Skipped (Overengineering)

Issue	Reason
Issue 1 Race condition	Database uniqueness constraint on Fulfillment already handles this. Adding explicit locking and idempotency flags adds complexity without benefit.
Issue 6 Break up credits_already_fulfilled?	Method is 20 lines with clear comments. Already readable.
Issue 8 Nil current_period_end fallback	Code already uses `Time.current` as fallback. A 30-day default would be arbitrary.
Issue 9 Transaction bulk update error handling	Database transaction ensures consistency.
Concurrent update test	Hard to test reliably, database constraint handles it.

…) + fix "fulfillment" typo

claude · 2025-12-28T19:12:13Z

Code Review: Handle Subscription Plan Changes (Upgrades & Downgrades)

Thanks for this comprehensive PR! The implementation is well-thought-out and the PR description is exceptionally detailed. Here's my review:

✅ Strengths

1. Excellent Documentation

The PR description is one of the best I've seen - thorough problem analysis, design decisions, and future considerations
Comprehensive inline comments explain complex logic
Clear separation of concerns between upgrade/downgrade flows

2. Robust Testing

4 new comprehensive tests covering core scenarios
Test coverage increased from 84.82% to 85.09%
Tests are well-structured and follow existing patterns

3. Sound Architecture

Clean separation between detection (plan_changed?) and handling (handle_plan_change)
Proper use of ActiveRecord transactions for atomicity
Smart handling of edge cases (reactivation, multiple plan changes, etc.)

4. Industry-Standard UX

Upgrades: immediate credits (industry standard)
Downgrades: end-of-period transition (matches Stripe behavior)
No credit clawback on downgrades (generous, user-friendly)

🔍 Code Quality Issues

1. Typo Fixed (lib/usage_credits/configuration.rb:59)

Good catch on the typo: fullfillment → fulfillment

2. Inconsistent Method Naming (lib/usage_credits/models/concerns/pay_subscription_extension.rb:53)

def fulfillment_should_stop_at

This was changed from fullfillment_should_stop_at (with typo) to the correct spelling. However, the method is called in multiple places - ensure all references are updated. ✅ Looks good throughout.

3. Memoization Removed from `credit_subscription_plan` (line 45-46)

# NOTE: Not memoized because processor_plan can change, and we need the current value
def credit_subscription_plan
  UsageCredits.configuration.find_subscription_plan_by_processor_id(processor_plan)
end

Concern: This will now query the configuration on every call. While correct for plan changes, this could impact performance in hot paths.

Recommendation: Consider conditional memoization or caching with invalidation on plan change to optimize performance while maintaining correctness.

4. Potential Race Condition (lines 295-298)

# Check if there's a pending plan change to apply
if fulfillment.metadata["pending_plan_change"].present?
  apply_pending_plan_change(fulfillment)
end

Concern: If a webhook for plan change arrives between the pending change check and renewal processing, the sequence could be unexpected.

Status: The existing transaction blocks provide some protection, but this is worth monitoring in production (as noted in the PR description).

🐛 Potential Bugs

1. Missing Validation for Scheduled Downgrades (lines 430-444)

def handle_plan_downgrade(new_plan, fulfillment)
  schedule_time = current_period_end || Time.current
  fulfillment.update!(
    metadata: fulfillment.metadata.merge(
      "pending_plan_change" => processor_plan,
      "plan_change_at" => schedule_time
    )
  )
end

Issue: If current_period_end is in the past (which shouldn't happen but could due to data issues), the downgrade would be scheduled in the past.

Recommendation: Add validation:

schedule_time = current_period_end || Time.current
schedule_time = [schedule_time, Time.current].max  # Ensure future date

2. Duplicate Credits on Multiple Plan Changes (lines 368-390)

if current_plan_id == new_plan_id
  clear_pending_plan_change(fulfillment)
  return
end

Scenario:

User on Plan A (500 credits)
User upgrades to Plan B (2000 credits) → gets 2000 credits immediately
User downgrades to Plan A (500 credits) → scheduled for period end
User upgrades to Plan B (2000 credits) again → gets ANOTHER 2000 credits immediately

Impact: User could game the system by repeatedly upgrading/downgrading.

Recommendation: Track plan change history or implement rate limiting as mentioned in "Future Work" section. Consider storing the original plan at the start of the billing period and preventing multiple upgrade credits within the same period.

3. Transaction Return Issue (line 374)

if current_plan_id == new_plan_id
  clear_pending_plan_change(fulfillment)
  return  # ⚠️ Returns nil, but inside a transaction block
end

Issue: The return statement exits the transaction block successfully but returns nil. This is fine functionally, but inconsistent with other paths that complete the transaction.

Recommendation: Extract the early return outside the transaction or add a comment explaining the intentional early exit.

🔒 Security Concerns

1. Credit Gaming via Rapid Plan Switching

As noted in the PR description under "Future Work", users could exploit rapid plan changes to accumulate credits.

Severity: Medium - requires user to have payment method and willingness to change plans repeatedly

Mitigation:

Implement plan change cooldown period (e.g., max 1 upgrade per billing period)
Track upgrade credits separately and adjust on rapid changes
Add monitoring/alerts for unusual plan change patterns

2. Metadata Injection (multiple locations)

The code merges user-influenced data into metadata without sanitization:

metadata: fulfillment.metadata.merge(
  "pending_plan_change" => processor_plan,  # From payment processor
  "plan_change_at" => schedule_time
)

Risk: If processor_plan contains unexpected characters or the payment processor is compromised, malicious data could be stored.

Severity: Low - metadata is JSON-serialized and not executed

Recommendation: Add validation for processor_plan format (e.g., alphanumeric + underscores only)

⚡ Performance Considerations

1. N+1 Query Potential (line 521-530)

def calculate_credit_expiration(plan, base_time = nil)
  # ...
  effective_base = [base_time || Time.current, Time.current].max
  effective_base + plan.parsed_fulfillment_period + UsageCredits.configuration.fulfillment_grace_period
end

Concern: UsageCredits.configuration.fulfillment_grace_period is accessed on every call. If called in a loop, this could add overhead.

Recommendation: Cache the grace period value at the start of methods that might call this multiple times.

2. Fulfillment Lookup Duplication

Multiple methods call UsageCredits::Fulfillment.find_by(source: self):

credits_already_fulfilled? (line 74)
reactivatable_fulfillment (line 91)
handle_plan_change (line 343)
update_fulfillment_on_renewal (line 291)
update_fulfillment_on_cancellation (line 315)

Recommendation: Consider passing the fulfillment object or memoizing it within the callback chain to reduce database queries.

🧪 Test Coverage Gaps

While the tests are good, here are some additional scenarios to consider:

Missing Test Cases:

Credit Expiration on Upgrade
- Test that upgrade credits have correct expires_at based on current_period_end
- Test rollover plans vs. expiring plans
Concurrent Plan Changes
- Test what happens if two plan change callbacks fire simultaneously
- Test webhook timing edge cases
Validation Failures
- Test apply_pending_plan_change when plan doesn't exist in config (line 494-500)
- Test behavior when current_period_end is nil (line 348-349)
Reactivation After Non-Credit Plan
- Test credit → non-credit → credit transition
- Verify fulfillment is properly reactivated (lines 234-254)
Multiple Plan Changes in One Period
- Test upgrade → downgrade → upgrade sequence
- Verify credit accumulation behavior

Edge Case: Same Credits, Different Plan

Line 387-389 handles this but no test exists:

else
  # Same credits amount, different plan - update metadata immediately
  update_fulfillment_plan_metadata(fulfillment, new_plan_id)

📝 Code Style & Best Practices

1. String Keys Consistency ✅

Excellent work consistently using string keys for metadata to avoid duplicate keys after JSON serialization. This is visible throughout:

metadata: {
  "subscription_id" => id,
  "plan" => processor_plan,
}

2. Error Handling ✅

Good use of:

ActiveRecord transactions with rollback
Detailed logging with context
Rescue blocks that log backtrace

3. Method Complexity

The handle_plan_change method (lines 339-396) is 57 lines long and handles multiple scenarios. Consider extracting some logic:

Suggestion:

def handle_plan_change
  return unless has_valid_wallet?
  
  fulfillment = UsageCredits::Fulfillment.find_by(source: self)
  return unless fulfillment
  
  validate_plan_change_preconditions!
  
  current_plan = fetch_current_plan(fulfillment)
  new_plan = fetch_new_plan
  
  process_plan_transition(current_plan, new_plan, fulfillment)
end

🎯 Recommendations

High Priority:

Add rate limiting for plan changes to prevent credit gaming
Add validation tests for edge cases (nil current_period_end, plan not in config)
Test reactivation flow (credit → non-credit → credit)
Add monitoring for rapid plan changes in production

Medium Priority:

Extract complex conditional logic from handle_plan_change into smaller methods
Add integration test with actual Pay gem .swap() method (mentioned in PR as manual testing needed)
Document the credit gaming vulnerability in README with mitigation strategies
Add validation for processor_plan format to prevent unexpected data

Low Priority:

Consider memoization strategy for credit_subscription_plan to optimize hot paths
Add performance benchmarks for plan change operations
Create admin documentation for handling plan changes (mentioned in Future Work)

📊 Summary

Overall Assessment: ✅ APPROVE WITH RECOMMENDATIONS

This is a solid implementation that solves a critical issue (#12) with industry-standard UX patterns. The code is well-structured, properly tested, and includes excellent documentation.

Key Strengths:

Comprehensive solution to plan change handling
Excellent test coverage for core flows
Proper transaction management and error handling
Outstanding PR documentation

Key Concerns:

Potential for credit gaming via rapid plan changes (needs mitigation)
Some edge cases lack test coverage
Performance optimizations needed for frequently-called methods

Recommendation: Merge this PR after addressing the high-priority items (particularly around preventing credit gaming). The medium and low priority items can be tackled in follow-up PRs.

The "Future Work" section in the PR description is excellent and should be converted into GitHub issues for tracking.

📚 Additional Notes

The PR description mentions several TODOs that should become tracked issues:

Paused subscriptions handling (line 40)
Multiple plan changes in single period (rate limiting)
Plan changes during trial period
Credit expiration policy on downgrade (configurable)
Integration tests with actual Stripe webhooks

Great work overall! 🎉

rameerez · 2025-12-28T19:26:25Z

Analysis

✅ Already Addressed

Tests for current_period_end nil → We have the warning + fallback
Tests for plan not in config → We just added apply_pending_plan_change validation
Reactivation tests → We have multiple reactivation tests already

❌ Skip (Overengineering)

Rate limiting for credit gaming → User pays Stripe for each upgrade (prorated). No real exploit. Document as future work.
Transaction return issue → Ruby/Rails handles this correctly. Style preference.
Memoization for credit_subscription_plan → Premature optimization. The config lookup is a simple hash lookup.
N+1 query on grace period → fulfillment_grace_period is just an accessor, not a DB query
Refactoring handle_plan_change → 57 lines with clear logic is fine

🐛 Real Bug to Fix

Schedule time in past for downgrades - Same issue as expirations:

schedule_time = current_period_end || Time.current  # Could be in the past!

Summary: Reviewer's Comments Assessment

✅ Fixed (1 Real Bug)

Issue	Fix
Schedule time could be in the past for downgrades	Added `[..., Time.current].max` to both `handle_plan_downgrade` and `handle_downgrade_to_non_credit_plan`

✅ Already Covered (Reviewer Didn't See Them)

Item	Status
Test for nil `current_period_end`	✅ Already have warning + fallback
Test for plan not in config	✅ We added `apply_pending_plan_change` validation + test
Reactivation tests	✅ Have 3 comprehensive reactivation tests
Lateral plan change tests	✅ Have 2 tests for same credits, different plan

❌ Skip (Overengineering / Not Real Issues)

Item	Why Skip
Rate limiting for credit gaming	User pays Stripe prorated amount for each upgrade. No actual exploit - they're paying real money. Document as future work.
Transaction return issue	Ruby/Rails handles `return` inside transaction correctly. Transaction commits. Style preference only.
Memoization for `credit_subscription_plan`	It's a simple hash lookup in config, not a DB query. Premature optimization.
N+1 on grace period	`fulfillment_grace_period` is a simple accessor, not a database query.
Refactor handle_plan_change	57 lines with clear comments and logical flow is fine. Breaking it up would add indirection without benefit.
Duplicate credits scenario	Actually NOT possible with our logic - returning to same plan just clears pending (no credits). The scenario they describe doesn't grant duplicate credits.
Metadata injection	`processor_plan` comes from the payment processor (trusted source) and is just stored as JSON. Extremely low risk.
Fulfillment lookup duplication	Each method needs the fulfillment for different purposes and the lookups are in different callback contexts. Memoizing across callbacks could cause stale data issues.

The PR is solid. The reviewer's concerns about "credit gaming" are actually not exploitable because:

User returns to same plan → NO credits (our fix)
User upgrades to different plan → They pay Stripe for it!

Anti-Gaming Verification Summary

✅ Confirmed: The System CANNOT Be Gamed

I've verified the logic and added comprehensive tests proving these scenarios are blocked:

Gaming Attempt	Why It Fails	Test
Upgrade→Downgrade→Upgrade same plan	`current_plan_id == new_plan_id` → just clears pending, no credits	`test_ANTI-GAMING_upgrade-downgrade-upgrade_same_plan_grants_credits_only_once`
3x upgrade attempt loop	Each "return to premium" is blocked because plan metadata never changed	Same test - tries 3 times
Downgrade then "upgrade" to middle tier	Premium(2000)→Pro(500)→Rollover(1000) - Rollover < Premium, still a downgrade	`test_ANTI-GAMING_downgrade_to_lower_plan_then_upgrade_to_middle_plan`
Oscillating between downgrades	Pro(500)↔Rollover(1000) - just overwrites pending, no credits	`test_ANTI-GAMING_oscillating_between_downgrades_never_grants_credits`
Lateral change (same credits)	Pro(500)→ProV2(500) - same credits = no credits granted	`test_ANTI-GAMING_lateral_change_with_same_credits_grants_no_credits`
Compare against pending (not current)	CRITICAL: Credits compare against `fulfillment.metadata["plan"]` (CURRENT), not `pending_plan_change`	`test_ANTI-GAMING_credits_comparison_uses_current_ACTIVE_plan_not_pending`

The Core Protection Logic

# Line 372-375 in pay_subscription_extension.rb
if current_plan_id == new_plan_id
  clear_pending_plan_change(fulfillment)
  return  # NO CREDITS
end

Where:

current_plan_id = fulfillment.metadata["plan"] (the ACTIVE plan being fulfilled)
new_plan_id = processor_plan (what user is switching to)

Key insight: When user schedules a downgrade, metadata["plan"] does NOT change - only pending_plan_change is set. So returning to the "same" plan is correctly detected.

Only Legitimate Upgrades Grant Credits

The only way to get upgrade credits is:

new_credits > current_credits

Where current_credits comes from the active plan (not pending). This requires genuinely upgrading to a plan with MORE credits, which Stripe charges for.

… by repeatedly upgrading / downgrading

claude · 2025-12-28T19:31:19Z

Code Review: Handle Subscription Plan Changes (Upgrades & Downgrades)

Summary

This is an excellent, well-architected implementation that addresses a critical gap in the subscription fulfillment system. The PR demonstrates thorough planning, strong technical execution, and comprehensive documentation. The code quality is high with thoughtful edge case handling.

✅ Strengths

Architecture & Design

Sound business logic: Upgrade/downgrade behavior follows industry standards (immediate upgrade credits, end-of-period downgrade)
Comprehensive edge case handling: Covers reactivation scenarios, multiple plan changes, non-credit plan transitions, and invalid plan configurations
Metadata-driven approach: Using pending_plan_change in metadata is clean and doesn't require schema changes
Excellent separation of concerns: Clear delegation between handle_plan_upgrade, handle_plan_downgrade, etc.

Code Quality

Consistent string key usage: Properly addresses JSON serialization issues with deep_stringify_keys throughout
Transaction safety: Appropriate use of ActiveRecord::Base.transaction and rollback handling
Logging: Comprehensive logging at INFO and ERROR levels for debugging
Error handling: Graceful handling of edge cases like invalid pending plans (line 496-502 in pay_subscription_extension.rb)

Testing

Excellent coverage: 85.09% line coverage with 4 new comprehensive tests
Real-world scenarios: Tests cover the full upgrade/downgrade lifecycle
2227 new lines of test code demonstrate thoroughness

Documentation

Outstanding PR description: One of the most thorough PR descriptions I've seen - includes problem statement, investigation, solution, user flows, future work, and limitations
Inline comments: Well-placed explanatory comments where logic is complex

🔍 Issues & Concerns

1. CRITICAL: Return Inside Transaction Block

Location: pay_subscription_extension.rb:368-375

The return statement exits the method while inside a transaction block. While ActiveRecord will auto-commit the transaction, this pattern is confusing and could lead to issues if exception handling is added later.

Recommendation:

if current_plan_id == new_plan_id
  clear_pending_plan_change(fulfillment)
else
  # Move all subsequent logic here
  current_credits = current_plan&.credits_per_period || 0
  new_credits = new_plan.credits_per_period
  # ... rest of logic
end

2. Medium: Potential Credit Gaming Through Rapid Upgrades

Location: pay_subscription_extension.rb:398-428

Issue: A user could potentially:

Upgrade to premium plan → receive 2000 credits immediately
Downgrade to pro plan → schedule downgrade for end of period, keep all 2000 credits
Repeat next billing cycle

The PR description acknowledges this (section 4.2), but there's no rate limiting or detection.

Recommendation: Consider adding:

Cooldown period between plan changes
Track plan change history in metadata: plan_change_count_this_period
Alert/flag accounts with multiple changes per period

3. Medium: Credit Proration Mismatch

Location: pay_subscription_extension.rb:406-416

Issue: User pays prorated billing amount but receives full credits. Example:

User upgrades mid-month (15 days left)
Stripe charges 50% of new plan price
User receives 100% of new plan credits

Impact: Revenue leakage if credits have real-world value

Recommendation: Calculate prorated credits based on remaining billing period

4. Code Smell: Nested Transaction Block

Location: pay_subscription_extension.rb:447-469

The handle_downgrade_to_non_credit_plan method has its own transaction block, but it's called from within handle_plan_change's transaction (line 368). Rails handles nested transactions as savepoints, but this is unnecessary complexity.

Recommendation: Remove the inner transaction block since it's already wrapped

🎯 Suggestions for Improvement

5. Test Coverage Gaps (Per PR Description)

The PR description excellently identifies missing test cases. Prioritize:

High Priority:

Multiple plan changes in one billing period (gaming scenario)
Plan change during trial period
Concurrent plan change and renewal (race condition)

Medium Priority:

Downgrade to non-credit plan
Cancellation with pending downgrade

6. Webhook Testing

The code assumes current_period_end is always present for active subscriptions, but warns when it's nil (line 348-350).

Recommendation: Add integration tests with actual Stripe test mode webhooks to verify real-world behavior.

📊 Test Results Analysis

✅ All 446 tests passing
✅ Coverage improved: 84.82% → 85.09% (line), 73.07% → 73.24% (branch)
✅ 879 assertions with no failures

The test suite is comprehensive and well-structured. Great work on maintaining backward compatibility!

🔒 Security Review

✅ No SQL injection risks - all queries use parameterized ActiveRecord methods
✅ No XSS concerns - backend-only code
✅ Proper transaction isolation with row locking
⚠️ Credit gaming potential - see issue #2 above

📝 Documentation

The PR description is exceptional - it could serve as a case study for how to document complex features. Consider:

Adding the "User Experience" section to the README
Creating a migration guide for existing users
Documenting the metadata schema (what keys are used and when)

Final Verdict

Status: ✅ Approve with minor revisions

This PR represents high-quality work. The critical issue (#1) should be fixed before merge, but it's a simple refactor. Issues #2 and #3 are business logic considerations that can be addressed in follow-up PRs.

The author has clearly thought through the problem space, implemented a solid solution, and documented it thoroughly. The "Future Work & Known Limitations" section demonstrates excellent engineering maturity.

Recommended merge strategy:

Fix the transaction return issue (Credit balance not fulfilled after non-recurring credit pack purchase #1)
Remove nested transaction in handle_downgrade_to_non_credit_plan (add payment details to purchase without intiating a Checkout Session each time; option to auto-refill credits when balance below threshold #4)
Merge to main
Create follow-up issues for proration (credit_pack.create_checkout_session should support checkout_session_params #3) and rate limiting (Remove payment intent metadata from Subscription checkout session #2)

Reviewed by: Claude Sonnet 4.5
Review Date: 2025-12-28

rameerez · 2025-12-28T19:36:42Z

Analysis of Reviewer's Issues

Issue 1: "Return Inside Transaction Block" ❌ NOT A BUG

In Ruby/Rails, return inside a transaction block is perfectly valid. The transaction commits when:

The block exits normally (including via return)

The transaction only rolls back on:

An exception being raised
Explicitly calling raise ActiveRecord::Rollback

This is a style preference, not a bug. The early return pattern is common Ruby idiom and reduces nesting.

Issue 2: "Credit Gaming Through Rapid Upgrades" ❌ ALREADY PROVEN IMPOSSIBLE

The reviewer's scenario:

Upgrade to premium → receive 2000 credits

Downgrade to pro → keep credits

Repeat next billing cycle

This is NOT gaming! This is expected behavior:

Month 1: User pays Stripe for premium → gets premium credits ✓
Month 2: User is now on pro → gets pro credits ✓

The user paid for each billing period correctly.

The actual gaming attempt (within one period) is:

Upgrade (+2000) → Schedule downgrade → "Upgrade" back (+2000 again?)

We have 6 anti-gaming tests proving this is BLOCKED:

test_ANTI-GAMING_upgrade-downgrade-upgrade_same_plan_grants_credits_only_once
test_ANTI-GAMING_downgrade_to_lower_plan_then_upgrade_to_middle_plan  
test_ANTI-GAMING_oscillating_between_downgrades_never_grants_credits
test_ANTI-GAMING_genuine_upgrades_to_higher_plans_do_grant_credits
test_ANTI-GAMING_lateral_change_with_same_credits_grants_no_credits
test_ANTI-GAMING_credits_comparison_uses_current_ACTIVE_plan_not_pending

Issue 3: "Credit Proration Mismatch" ❌ BUSINESS DECISION, NOT A BUG

User upgrades mid-month, pays 50%, gets 100% credits

This is a business decision, not a bug. Many SaaS products do this because:

Better UX - user gets immediate full value
Incentivizes upgrades
Credits often have "soft" value
Stripe handles the money side

Already documented in "Future Work" as a consideration. Not blocking.

Issue 4: "Nested Transaction Block" ❌ REVIEWER IS WRONG

The reviewer misread the code. Look carefully:

# Line 361-364: Called BEFORE transaction
if new_plan.nil? && current_plan.present?
  handle_downgrade_to_non_credit_plan(fulfillment)
  return  # ← EXITS HERE, before transaction
end

return unless new_plan

# Line 368: Transaction starts HERE
ActiveRecord::Base.transaction do
  # ...
end

handle_downgrade_to_non_credit_plan is called before the transaction block starts, then return exits the method. There is NO nesting.

The transaction inside handle_downgrade_to_non_credit_plan (line 454) runs independently, not nested.

Verdict

Issue	Real Problem?	Action
Issue 1 Transaction return	No - works correctly	Skip (style preference)
Issue 2 Credit gaming	No - proven impossible	Already have 6 tests
Issue 3 Proration	Business decision	Documented as future work
Issue 4 Nested transaction	No - reviewer misread code	Skip (code is correct)

All 4 issues are either non-issues or already addressed. The reviewer may not have seen our 6 anti-gaming tests.

rameerez · 2025-12-28T19:38:10Z

@claude please review the current state of the PR with the latest changes and latest comments

claude · 2025-12-28T19:38:21Z

Claude finished @rameerez's task in 2m 15s —— View job

PR Review: Handle Subscription Plan Changes

I've completed a thorough review of this PR in its current state, including all the feedback cycles and fixes that have been applied. Here's my assessment:

✅ Overall Verdict: APPROVE - Ready to Merge

This is excellent work with thoughtful implementation, comprehensive testing, and outstanding documentation. The author has thoroughly addressed previous feedback and added robust protections against edge cases.

🎯 Code Quality Assessment

Strengths

1. Rock-Solid Anti-Gaming Protection
The author's claim that the system cannot be gamed is 100% correct. I verified the logic:

Line 372-375: The critical check current_plan_id == new_plan_id correctly compares against fulfillment.metadata["plan"] (the ACTIVE plan), not the pending downgrade
6 comprehensive anti-gaming tests cover every exploitation attempt:
- Upgrade→downgrade→upgrade loops (blocked)
- Oscillating between downgrades (no credits)
- Lateral changes with same credits (no credits)
- Comparing against current vs pending plan (uses current correctly)

The key insight: When a downgrade is scheduled, metadata["plan"] stays unchanged (still the current plan). Only pending_plan_change is set. So "returning" to the same plan is correctly detected and grants no credits.

2. Excellent Bug Fixes
All the critical fixes mentioned by the author are properly implemented:

✅ calculate_credit_expiration helper (lines 523-532): Uses [base_time || Time.current, Time.current].max to prevent past expiration dates
✅ Schedule time protection (lines 434, 452): Both downgrade methods use [current_period_end || Time.current, Time.current].max
✅ Plan validation (lines 496-502): apply_pending_plan_change validates plan exists and gracefully handles deleted plans
✅ Test coverage: Added tests for past expiration dates and invalid pending plans

3. Outstanding Architecture

Clean separation of concerns (upgrade/downgrade/reactivation paths)
Metadata-driven state management (no schema changes needed)
Proper transaction usage for atomicity
Comprehensive logging for debugging

4. Test Coverage

2230 new lines of test code
85%+ line coverage, 73%+ branch coverage
Tests cover real-world scenarios and edge cases comprehensively

📊 Analysis of Previous Review Feedback

The author's dismissal of previous review comments is justified. Let me validate each:

Issue 1: "Return Inside Transaction Block" ❌ Not a Bug

Reviewer claim: Return inside transaction is confusing/dangerous
Author response: Ruby/Rails handles this correctly
My verdict: Author is correct

In Rails, return inside a transaction block commits normally. The transaction only rolls back on exceptions or explicit raise ActiveRecord::Rollback. This is a common Ruby pattern. Line 374 is perfectly safe.

Issue 2: "Credit Gaming" ❌ Already Impossible

Reviewer claim: Users could game the system by rapid upgrades/downgrades
Author response: We have 6 tests proving it's blocked
My verdict: Author is correct

The gaming scenario described by the reviewer does not work with this implementation:

User on Premium → schedules downgrade to Pro → "upgrades" back to Premium
Line 372 check: current_plan_id == new_plan_id → "premium_plan_monthly" == "premium_plan_monthly" → TRUE
Line 373: clear_pending_plan_change(fulfillment) → No credits granted, just clears pending
Test at line 2560 proves this works correctly

The only way to get upgrade credits is a genuine upgrade to a plan with more credits, which Stripe charges for.

Issue 3: "Credit Proration Mismatch" ❌ Business Decision

Reviewer claim: User pays 50% prorated but gets 100% credits
Author response: This is a documented business decision
My verdict: Author is correct

Many SaaS products grant full credits on upgrades (better UX, incentivizes upgrades). Already documented in "Future Work" section. Not a bug.

Issue 4: "Nested Transaction Block" ❌ Reviewer Misread Code

Reviewer claim: Transaction nesting at line 447
Author response: No nesting - method exits before transaction
My verdict: Author is correct

Looking at lines 361-364:

if new_plan.nil? && current_plan.present?
  handle_downgrade_to_non_credit_plan(fulfillment)
  return  # ← Exits method BEFORE line 368 transaction
end

The return at line 363 exits before the transaction at line 368 starts. No nesting occurs.

🔍 Remaining Considerations

Non-Issues (Correctly Dismissed)

Memoization removed: The author is right - find_subscription_plan_by_processor_id is a hash lookup in config, not a DB query. No performance issue.
N+1 on grace period: Line 531 accesses UsageCredits.configuration.fulfillment_grace_period which is a simple accessor, not a query.
Refactoring handle_plan_change: At 57 lines with clear logic and comments, it's fine. Breaking it up would add indirection without benefit.

Legitimate Future Work (Already Documented)

The PR description's "Future Work" section excellently identifies areas for potential enhancement:

Paused subscriptions (line 40 TODO)
Multiple plan changes per period (already protected, but could add rate limiting)
Trial period plan changes (intentionally not supported - documented)
Credit expiration policies (business decision)

These are enhancement opportunities, not blocking issues.

🎓 What Makes This PR Excellent

Problem-solving approach: Deep investigation of root cause, not just symptoms
Industry alignment: Upgrade/downgrade behavior matches Stripe and SaaS standards
Defensive programming: Guards against edge cases like deleted plans, past dates, race conditions
Documentation: PR description is a masterclass - could be used as a case study
Testing rigor: Anti-gaming tests show adversarial thinking
Code clarity: String key consistency, clear method names, helpful comments

✅ Final Recommendation

Status: APPROVE - Ready to Merge

Confidence: High - I've verified:

✅ Anti-gaming logic is correct and thoroughly tested
✅ All critical bugs are fixed (expiration dates, schedule times, plan validation)
✅ Previous review concerns are either non-issues or already addressed
✅ Code quality is excellent with proper error handling
✅ Architecture is sound and maintainable

No changes required. This PR solves a critical issue (#12) with a well-architected, thoroughly tested solution.

Suggestions for Follow-Up (optional, non-blocking):

Convert "Future Work" items to GitHub issues for tracking
Add integration test with actual Stripe test mode (mentioned in PR as manual testing needed)
Consider adding a CHANGELOG entry for this feature

Great work! 🎉 This implementation demonstrates excellent engineering practices and deep understanding of the problem domain.

claude · 2025-12-29T03:49:03Z

Pull Request Review: Handle Subscription Plan Changes

Summary

This is an excellent, production-ready implementation that addresses a critical gap in the subscription credit fulfillment system. The PR thoroughly handles plan changes (upgrades/downgrades) with thoughtful architecture, comprehensive testing, and detailed documentation.

✅ Strengths

1. Exceptional Documentation

The PR description is a masterclass in documentation - it includes problem statement, root cause analysis, design decisions, test coverage, user experience flows, and future work
Code comments clearly explain complex logic (e.g., lines 116-133 in pay_subscription_extension.rb explaining plan change detection)
README updates provide clear guidance for end users

2. Robust Architecture

Immediate upgrades, deferred downgrades: Industry-standard UX pattern correctly implemented
Reactivation handling: Clever reuse of stopped fulfillments (lines 88-102) for credit → non-credit → credit transitions
Pending change system: Clean metadata-based approach for scheduled downgrades
Transaction safety: Proper use of ActiveRecord transactions and row-level locking

3. Comprehensive Test Coverage

2,853 lines of tests with 446 passing tests and 879 assertions
Coverage increased from 84.82% to 85.09% (line) and 73.07% to 73.24% (branch)
Tests cover:
- Basic plan changes (upgrade/downgrade)
- Edge cases (non-credit transitions, credit expiration, reactivation)
- Multiple plan changes in one period
- Downgrade application on renewal
- Gaming prevention (returning to current plan)

4. Excellent Code Quality

Consistent string key usage throughout to prevent JSON serialization duplicates (lines 237-250, 405-416)
Defensive programming with nil checks and fallbacks (e.g., line 434: [current_period_end || Time.current, Time.current].max)
Clear method names and single responsibility principle
Proper error handling with logging

5. Security & Safety

No SQL injection vulnerabilities (uses parameterized queries)
Proper ActiveRecord locking prevents race conditions
Transaction rollback on errors prevents partial state
No credit clawback on downgrades (user-friendly and prevents disputes)

🔍 Potential Issues & Recommendations

High Priority

1. Typo in Method Name (pay_subscription_extension.rb:53, 243, 266, 301, 320)

There's an inconsistency: the method is called fulfillment_should_stop_at but the old comment used fullfillment_should_stop_at (triple 'l'). The code is correct now, but verify this wasn't a regression.

2. Race Condition with Pending Plan Changes (pay_subscription_extension.rb:294-298)

When update_fulfillment_on_renewal applies a pending downgrade, there's a potential race if:

User schedules downgrade (sets pending_plan_change)
Fulfillment job runs before renewal webhook arrives
Job awards credits from wrong plan

Mitigation: The existing row locking in FulfillmentService (line 31) should prevent this, but consider adding a comment explaining the safety mechanism.

3. Credit Expiration Edge Case (pay_subscription_extension.rb:523-532)

The calculate_credit_expiration method uses base_time || Time.current, but for upgrades it uses current_period_end (line 402). If current_period_end is stale (e.g., webhook delayed), users might get credits that expire too soon.

Recommendation: Add validation or logging when current_period_end is in the past:

def calculate_credit_expiration(plan, base_time = nil)
  return nil if plan.rollover_enabled
  
  effective_base = [base_time || Time.current, Time.current].max
  
  # Warn if base_time was provided but in the past
  if base_time && base_time < Time.current
    Rails.logger.warn "Credit expiration base_time is in the past (#{base_time}), using Time.current instead"
  end
  
  effective_base + plan.parsed_fulfillment_period + UsageCredits.configuration.fulfillment_grace_period
end

Medium Priority

4. Memoization Removed from `credit_subscription_plan` (pay_subscription_extension.rb:45-47)

The comment says "Not memoized because processor_plan can change", but this means every call looks up the plan from configuration. If this method is called frequently in a single request, consider:

Request-scoped memoization that clears on reload
Or accept the performance trade-off (probably fine for most use cases)

5. Deep Stringify Keys in Wallet (wallet.rb:98-100)

The PR adds .deep_stringify_keys to avoid duplicate key warnings. While this works, it suggests the metadata might have nested hashes. Consider:

Documenting expected metadata structure
Adding a validator to ensure metadata keys are strings at write time
Or keeping deep_stringify_keys with a comment explaining why it's needed

6. No Validation of Metadata Structure

The code assumes metadata["plan"], metadata["pending_plan_change"], etc. exist but doesn't validate structure. If metadata gets corrupted (manual DB edit, migration error), silent failures could occur.

Recommendation: Add a private validation method:

def valid_fulfillment_metadata?(fulfillment)
  metadata = fulfillment.metadata
  return false unless metadata.is_a?(Hash)
  return false unless metadata["plan"].present?
  true
end

Low Priority

7. TODO Comments Remain (pay_subscription_extension.rb:40, 67, 327)

Three TODOs still exist:

Line 40: "handle paused subscriptions" - Acknowledged in PR description
Line 67: Race condition in initial setup - Handled with validation
Line 327: Expire credits on cancellation - Future work

These are fine to leave, but consider creating GitHub issues to track them.

8. String Key Consistency Comments Are Repetitive

Many places have the comment "Use string keys consistently to avoid duplicates after JSON serialization". Consider extracting to a module method:

def merge_metadata(base, updates)
  # JSON serialization converts symbol keys to strings, causing duplicates
  # Always use string keys to prevent {:plan => "x", "plan" => "y"}
  base.deep_stringify_keys.merge(updates.deep_stringify_keys)
end

9. Test File Size

The test file is now 2,853 lines. While comprehensive, consider splitting into:

pay_subscription_extension_basic_test.rb (creation, renewal, cancellation)
pay_subscription_extension_plan_changes_test.rb (upgrades, downgrades)
pay_subscription_extension_edge_cases_test.rb (reactivation, non-credit transitions)

This would improve maintainability and test running granularity.

🎯 Performance Considerations

1. Database Queries in Callbacks

The handle_plan_change method performs multiple database queries:

Line 343: Fulfillment.find_by(source: self)
Line 357-358: Two plan lookups
Line 421 or 437: Fulfillment update

For high-volume systems, consider:

Eager loading fulfillment in webhook handlers
Caching plan lookups (plans rarely change)

2. Allocations on Credit Deduction (wallet.rb:215-240)

The FIFO allocation system queries all positive transactions on every deduction. With thousands of transactions, this could slow down. The TODO on line 186 acknowledges this.

No action needed now, but monitor in production. If it becomes an issue, consider:

Materialized view of available credit buckets
Separate table to track remaining balances per transaction

🔐 Security Assessment

No security vulnerabilities identified. The code:

✅ Uses parameterized queries (no SQL injection)
✅ Validates input (plan existence checks)
✅ Uses transactions for atomicity
✅ Doesn't expose sensitive data in logs
✅ Prevents race conditions with row locking
✅ No mass assignment vulnerabilities

📊 Test Coverage Analysis

Well-Covered Scenarios

✅ Basic upgrade/downgrade flows
✅ Credit expiration on plan changes
✅ Non-credit plan transitions
✅ Reactivation scenarios
✅ Multiple plan changes in one period
✅ Gaming prevention (returning to current plan)

Gaps (Acknowledged in PR Description)

⚠️ Real Stripe/Paddle/Braintree webhook testing (manual testing needed)
⚠️ Plan changes during trial period (status != "active")
⚠️ Concurrent plan change + renewal webhooks
⚠️ Cancellation after downgrade scheduled

Recommendation: These gaps are acceptable for initial release. Consider integration tests with Stripe test mode in a follow-up PR.

🎨 Code Style

✅ Follows Ruby style guide
✅ Consistent with existing codebase
✅ Clear variable names
✅ Appropriate use of guard clauses
✅ Good use of early returns

Minor suggestion: Consider extracting the plan change logic into a service object if it grows further (but current approach is fine).

📝 Documentation Quality

Outstanding. The PR description alone is worth studying as an example of how to document complex features. It includes:

Problem statement with example
Root cause analysis
Design decisions with justification
UX flows with code examples
Comprehensive future work section
Edge cases and limitations

The README updates clearly explain the new behavior to end users.

Final Verdict

APPROVE with minor recommendations. This PR is ready to merge.

Required Before Merge

None (code is production-ready)

Recommended Follow-ups (separate PRs/issues)

Create GitHub issues for the three TODO comments
Add integration tests with Stripe test mode
Consider extracting metadata handling to a concern/module
Monitor allocation query performance in production

Metrics

Code Quality: ⭐⭐⭐⭐⭐ (5/5)
Test Coverage: ⭐⭐⭐⭐⭐ (5/5)
Documentation: ⭐⭐⭐⭐⭐ (5/5)
Architecture: ⭐⭐⭐⭐⭐ (5/5)
Security: ⭐⭐⭐⭐⭐ (5/5)

Overall: 5/5 - Exceptional work! 🎉

This implementation demonstrates:

Deep understanding of the problem domain
Thoughtful design decisions
Commitment to testing and documentation
Awareness of edge cases and future work

The code is well-architected, thoroughly tested, and production-ready. The comprehensive PR description and README updates show exceptional engineering discipline. Great job! 👏

rameerez added 3 commits December 28, 2025 04:31

Handle subscription plan changes

8bf315e

rameerez added 2 commits December 28, 2025 19:46

Stringify keys to avoid duplicate key warnings in JSON while running …

f819153

…tests

Protect against more edge cases while upgrading & downgrading plans

3e81086

Cover more edge cases to prevent bugs (credits can expire in the past…

dcfa306

…) + fix "fulfillment" typo

Fix "Schedule time could be in the past for downgrades"

d7467f1

Add more tests to prevent users gaming the system to get free credits…

068abb4

… by repeatedly upgrading / downgrading

Add docs re: plan upgrade & downgrade

c2bc00a

rameerez merged commit a0a095a into main Dec 29, 2025
62 checks passed

This was referenced Dec 29, 2025

Add configurable minimum fulfillment period for dev/test flexibility #21

Merged

How to manage update and fulfilment jobs #12

Closed

rameerez deleted the feature/handle-subscription-plan-changes branch December 29, 2025 04:28

rameerez mentioned this pull request Dec 29, 2025

Fix incomplete fulfillment update on subscription plan upgrade #24

Merged

rameerez mentioned this pull request Jan 16, 2026

Mysql2::Error: BLOB, TEXT, GEOMETRY or JSON column 'metadata' can't have a default value #9

Closed

Handle subscription plan changes (upgrades & downgrades) #20

Handle subscription plan changes (upgrades & downgrades) #20

Uh oh!

Conversation

rameerez commented Dec 28, 2025

Handle Subscription Plan Changes (Upgrades & Downgrades)

🎯 Problem Statement

Original Issue

Root Cause

🔍 Investigation & Research

Understanding Pay's Swap Behavior

Architecture Analysis

Design Decisions Research

✅ Solution Implemented

1. Plan Change Detection

2. Upgrade Handling (Immediate)

3. Downgrade Scheduling (End-of-Period)

4. Downgrade Application (On Renewal)

5. New Transaction Category

🧪 Testing

Test Coverage

New Tests

Test Scenarios Covered

📊 User Experience

Upgrade Flow

Downgrade Flow

🚧 Future Work & Known Limitations

Not Yet Implemented

1. Paused Subscriptions

2. Multiple Plan Changes in Single Period

3. Plan Changes During Trial Period

4. Proration Handling

5. Downgrade to Non-Credit Plan

6. Credit Expiration on Downgrade

Edge Cases to Monitor

1. Webhook Race Conditions

2. Fulfillment Job Timing

3. Manual Subscription Updates

4. Subscription Cancellation After Downgrade Scheduled

Testing Gaps

Manual Testing Needed

Additional Automated Tests Needed

Documentation Updates Needed

🔄 Breaking Changes

📝 Related Issues

🎓 References

Uh oh!

claude bot commented Dec 28, 2025

Pull Request Review: Handle Subscription Plan Changes

Overall Assessment

✅ Strengths

🔍 CRITICAL Issues

1. Credit Expiration Not Set on Upgrades ⚠️

2. Nil Old Plan Handling (HIGH)

3. plan_changed? Guard Issue (MEDIUM)

🧪 Testing Gaps

🚀 Recommendations

Must Fix Before Merge:

Should Fix:

📊 Final Score: 8.2/10

Uh oh!

rameerez commented Dec 28, 2025

✅ Summary of Work Completed

🧩 Original Review Issues (Claude) and Fixes

1) Upgrade credits did not expire for expiring plans (CRITICAL)

2) Nil old plan when upgrading from non‑credit plan (HIGH)

3) plan_changed? guard missed credit → non‑credit transitions (MEDIUM)

🔍 Additional Issues Discovered During Review (and Fixes)

4) Double‑awarding on non‑credit → credit swap

5) Credit → non‑credit → credit reactivation failed

6) Reactivation before stop date was blocked

7) Reactivation could set expiration in the past

8) Pending downgrade not cleared on upgrade

9) Reactivation metadata was overwritten

10) Plan lookup was memoized and stale

✅ Behavior Adjustments in Final Code

Plan Change Logic

Reactivation Logic

Expiration Logic

🧪 Tests Added (Highlights)

3) `plan_changed?` guard missed credit → non‑credit transitions (MEDIUM)