fix(security): Sprint 1 — five critical debt fixes

C1: Await debitWallet() in usage-tracker and broadcast/campaign handlers
so billing failures are caught and logged, not silently swallowed.

C2+C3: Rewrite debitWallet() as a single Prisma interactive transaction:
balanceAfter now set atomically; isHardStopped flag set in the same
transaction as the balance decrement — no window between debit and stop.

C4: Add X-Hub-Signature-256 HMAC-SHA256 verification to POST /webhook.
Uses preParsing hook for raw body capture; fails open when
WHATSAPP_APP_SECRET is not configured.

H3: Fix payment webhook race condition — use updateMany(where: PENDING)
as atomic idempotency guard; only the request that flips PENDING→COMPLETED
proceeds to enrollment creation.

H7: Replace $queryRawUnsafe/$executeRawUnsafe with $queryRaw/$executeRaw
Prisma.sql template literals in indexing.ts; user-controlled values
(organizationId, limit) are properly parametrized.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/api/src/routes/payments.ts

@@ -97,12 +97,16 @@ async function handleWebhook(
         const payment = await prisma.payment.findUnique({ where: { id: event.reference } });
         if (!payment) return reply.code(200).send({ ok: true }); // idempotent — don't fail unknown refs
 
-        if (payment.status === 'COMPLETED') return reply.code(200).send({ ok: true }); // already processed
-
         if (event.status === 'SUCCESS') {
-            await prisma.payment.update({ where: { id: payment.id }, data: { status: 'COMPLETED' } });
+            // Atomic idempotency: only the request that flips PENDING → COMPLETED proceeds.
+            // Concurrent webhooks for the same payment will get count=0 and exit early.
+            const { count } = await prisma.payment.updateMany({
+                where: { id: payment.id, status: 'PENDING' },
+                data: { status: 'COMPLETED' },
+            });
+            if (count === 0) return reply.code(200).send({ ok: true });
 
-            // Auto-enroll the user in the track
+            // Only one request reaches here (guaranteed by updateMany above), so no race on create
             const existing = await prisma.enrollment.findFirst({
                 where: { userId: payment.userId, trackId: payment.trackId },
             });
@@ -116,10 +120,10 @@ async function handleWebhook(
                         currentDay: 1,
                     },
                 });
-                logger.info({ userId: payment.userId, trackId: payment.trackId }, '[PAYMENT-WEBHOOK] Auto-enrolled after payment');
             }
+            logger.info({ userId: payment.userId, trackId: payment.trackId }, '[PAYMENT-WEBHOOK] Auto-enrolled after payment');
         } else if (event.status === 'FAILED') {
-            await prisma.payment.update({ where: { id: payment.id }, data: { status: 'FAILED' } });
+            await prisma.payment.updateMany({ where: { id: payment.id, status: 'PENDING' }, data: { status: 'FAILED' } });
         }
 
         return reply.code(200).send({ ok: true });

apps/api/src/routes/whatsapp.ts

@@ -1,4 +1,5 @@
 import { FastifyInstance } from 'fastify';
+import crypto from 'crypto';
 import { logger } from '../logger';
 import { z } from 'zod';
 
@@ -28,6 +29,18 @@ const WebhookSchema = z.object({
 });
 
 export async function whatsappRoutes(fastify: FastifyInstance) {
+    // Capture raw body for X-Hub-Signature-256 verification on POST /webhook
+    fastify.addHook('preParsing', async (_request, _reply, payload) => {
+        const chunks: Buffer[] = [];
+        for await (const chunk of payload) {
+            chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk as string));
+        }
+        const raw = Buffer.concat(chunks);
+        (_request as any).rawBody = raw;
+        const { Readable } = await import('stream');
+        return Readable.from(raw);
+    });
+
     fastify.get('/webhook', async (request, reply) => {
         const query = request.query as Record<string, string | undefined>;
         const mode = query['hub.mode'];
@@ -52,6 +65,28 @@ export async function whatsappRoutes(fastify: FastifyInstance) {
      * Main entry point for incoming messages and events
      */
     fastify.post('/webhook', async (request, reply) => {
+        // Verify X-Hub-Signature-256 — fail-open if WHATSAPP_APP_SECRET is not configured
+        const APP_SECRET = process.env.WHATSAPP_APP_SECRET;
+        if (APP_SECRET) {
+            const sigHeader = request.headers['x-hub-signature-256'] as string | undefined;
+            const rawBody = (request as any).rawBody as Buffer | undefined;
+            if (!sigHeader || !rawBody) {
+                logger.warn('[WHATSAPP-WEBHOOK] Missing X-Hub-Signature-256 header');
+                return reply.code(401).send({ error: 'Unauthorized' });
+            }
+            const expected = `sha256=${crypto.createHmac('sha256', APP_SECRET).update(rawBody).digest('hex')}`;
+            try {
+                if (!crypto.timingSafeEqual(Buffer.from(sigHeader), Buffer.from(expected))) {
+                    logger.warn('[WHATSAPP-WEBHOOK] Invalid X-Hub-Signature-256 — rejecting');
+                    return reply.code(401).send({ error: 'Unauthorized' });
+                }
+            } catch {
+                // Buffer length mismatch (different signature format)
+                logger.warn('[WHATSAPP-WEBHOOK] Signature comparison failed — rejecting');
+                return reply.code(401).send({ error: 'Unauthorized' });
+            }
+        }
+
         const result = WebhookSchema.safeParse(request.body);
         
         if (!result.success) {

apps/whatsapp-worker/src/handlers/BroadcastHandler.ts

@@ -95,12 +95,16 @@ export class BroadcastHandler implements JobHandler {
         logger.info(`[BroadcastHandler] Broadcast finished for "${list.name}". Success: ${successCount}, Failed: ${failCount}`);
 
         if (successCount > 0) {
-            debitWallet({
-                organizationId,
-                amount: CREDIT_PRICE.BROADCAST_PER_USER * successCount,
-                type: 'DEBIT_BROADCAST',
-                description: `Broadcast "${list.name}" — ${successCount} recipients`,
-            }).catch(err => logger.warn({ err, organizationId }, '[BroadcastHandler] debitWallet failed'));
+            try {
+                await debitWallet({
+                    organizationId,
+                    amount: CREDIT_PRICE.BROADCAST_PER_USER * successCount,
+                    type: 'DEBIT_BROADCAST',
+                    description: `Broadcast "${list.name}" — ${successCount} recipients`,
+                });
+            } catch (err) {
+                logger.warn({ err, organizationId }, '[BroadcastHandler] debitWallet failed');
+            }
         }
     }
 }

apps/whatsapp-worker/src/handlers/CampaignHandler.ts

@@ -105,12 +105,16 @@ export class CampaignHandler implements JobHandler {
         logger.info(`[CampaignHandler] Finished. Success: ${successCount}, Failed: ${failCount}`);
 
         if (successCount > 0) {
-            debitWallet({
-                organizationId,
-                amount: CREDIT_PRICE.BROADCAST_PER_USER * successCount,
-                type: 'DEBIT_BROADCAST',
-                description: `Campaign — ${successCount} recipients`,
-            }).catch(err => logger.warn({ err, organizationId }, '[CampaignHandler] debitWallet failed'));
+            try {
+                await debitWallet({
+                    organizationId,
+                    amount: CREDIT_PRICE.BROADCAST_PER_USER * successCount,
+                    type: 'DEBIT_BROADCAST',
+                    description: `Campaign — ${successCount} recipients`,
+                });
+            } catch (err) {
+                logger.warn({ err, organizationId }, '[CampaignHandler] debitWallet failed');
+            }
         }
     }
 }

apps/whatsapp-worker/src/services/indexing.ts

@@ -2,6 +2,7 @@ import axios from 'axios';
 const pdf = require('pdf-parse');
 import * as XLSX from 'xlsx';
 import { convert } from 'html-to-text';
+import { Prisma } from '@repo/database';
 import { prisma } from './prisma';
 import { logger } from '../logger';
 
@@ -47,15 +48,11 @@ export class IndexingService {
                 for (let j = 0; j < batch.length; j++) {
                     const chunk = batch[j];
                     const embedding = embeddings[j];
-                    const vectorStr = `[${embedding.join(',')}]`;
-                    
-                    await prisma.$executeRawUnsafe(
-                        `INSERT INTO "KnowledgeBaseEntry" ("id", "organizationId", "content", "embedding", "createdAt") 
-                         VALUES (gen_random_uuid(), $1, $2, $3::vector, NOW())`,
-                        organizationId,
-                        chunk,
-                        vectorStr
-                    );
+                    const vecRaw = Prisma.raw(`'[${embedding.join(',')}]'::vector`);
+                    await prisma.$executeRaw(Prisma.sql`
+                        INSERT INTO "KnowledgeBaseEntry" ("id", "organizationId", "content", "embedding", "createdAt")
+                        VALUES (gen_random_uuid(), ${organizationId}, ${chunk}, ${vecRaw}, NOW())
+                    `);
                 }
                 
                 logger.info(`[INDEXING] Indexed ${Math.min(i + BATCH_SIZE, chunks.length)}/${chunks.length} chunks...`);
@@ -206,19 +203,17 @@ export class IndexingService {
     static async searchRelevantContext(organizationId: string, query: string, limit: number = 3): Promise<string> {
         try {
             const queryEmbedding = await this.generateEmbedding(query);
-            const vectorStr = `[${queryEmbedding.join(',')}]`;
+            // Prisma.raw is safe here: embedding is machine-generated floats from OpenAI, not user input
+            const vecRaw = Prisma.raw(`'[${queryEmbedding.join(',')}]'::vector`);
 
             // Cosine similarity search using pgvector
-            const results: any[] = await prisma.$queryRawUnsafe(
-                `SELECT content, 1 - (embedding <=> $1::vector) as similarity
-                 FROM "KnowledgeBaseEntry"
-                 WHERE "organizationId" = $2
-                 ORDER BY embedding <=> $1::vector
-                 LIMIT $3`,
-                vectorStr,
-                organizationId,
-                limit
-            );
+            const results: any[] = await prisma.$queryRaw(Prisma.sql`
+                SELECT content, 1 - (embedding <=> ${vecRaw}) as similarity
+                FROM "KnowledgeBaseEntry"
+                WHERE "organizationId" = ${organizationId}
+                ORDER BY embedding <=> ${vecRaw}
+                LIMIT ${limit}
+            `);
 
             return results.map(r => r.content).join('\n\n---\n\n');
         } catch (error) {

apps/whatsapp-worker/src/services/usage-tracker.ts

@@ -109,15 +109,14 @@ export async function trackAiUsage(params: TrackAiUsageParams): Promise<void> {
             }),
         ]);
 
-        // Debit wallet (fire-and-forget — usage tracking must never block message flow)
-        debitWallet({
+        await debitWallet({
             organizationId,
             amount: CREDIT_PRICE.AI_TEXT,
             type: 'DEBIT_AI',
             description: `AI text — ${feature}`,
             actorId: userId,
             byok: isByok,
-        }).catch(err => logger.warn({ err, organizationId }, '[USAGE-TRACKER] debitWallet AI_TEXT failed'));
+        });
 
         // Fire quota alert when crossing 85% threshold (fire-and-forget)
         maybeQueueQuotaAlert(organizationId, updatedOrg.aiCreditsUsed - 1);
@@ -151,15 +150,14 @@ export async function trackAudioUsage(params: TrackAudioUsageParams): Promise<vo
             }),
         ]);
 
-        // Debit wallet (fire-and-forget)
-        debitWallet({
+        await debitWallet({
             organizationId,
             amount: CREDIT_PRICE.AI_AUDIO,
             type: 'DEBIT_AI',
             description: 'Audio transcription',
             actorId: userId,
             byok,
-        }).catch(err => logger.warn({ err, organizationId }, '[USAGE-TRACKER] debitWallet AI_AUDIO failed'));
+        });
     } catch (err) {
         logger.error({ err }, '[USAGE-TRACKER] Failed to track audio usage');
     }
@@ -185,13 +183,12 @@ export async function trackWhatsAppSent(organizationId: string, count: number =
             }),
         ]);
 
-        // Debit wallet for WhatsApp conversation (fire-and-forget)
-        debitWallet({
+        await debitWallet({
             organizationId,
             amount: CREDIT_PRICE.WHATSAPP_CONVERSATION * count,
             type: 'DEBIT_WHATSAPP',
             description: `WhatsApp message${count > 1 ? ` x${count}` : ''}`,
-        }).catch(err => logger.warn({ err, organizationId }, '[USAGE-TRACKER] debitWallet WHATSAPP failed'));
+        });
     } catch (err) {
         logger.error({ err }, '[USAGE-TRACKER] Failed to track WhatsApp message');
     }

apps/whatsapp-worker/src/services/wallet.ts

@@ -140,44 +140,44 @@ export async function debitWallet(params: DebitWalletParams): Promise<void> {
     }
 
     try {
-        const [, updatedOrg] = await prisma.$transaction([
-            prisma.walletTransaction.create({
+        const newBalance = await prisma.$transaction(async tx => {
+            // Decrement balance atomically and capture new value
+            const updatedOrg = await tx.organization.update({
+                where: { id: organizationId },
+                data: { walletBalance: { decrement: amount } },
+                select: { walletBalance: true },
+            });
+
+            const balance = updatedOrg.walletBalance;
+
+            // Create ledger entry with correct balanceAfter in same transaction
+            await tx.walletTransaction.create({
                 data: {
                     organizationId,
                     amount: -amount,
-                    balanceAfter: 0, // will be updated below — placeholder
+                    balanceAfter: balance,
                     type,
                     description,
                     actorId,
                     byok: false,
                     metadata: (metadata ?? {}) as Prisma.InputJsonValue,
                 },
-            }),
-            prisma.organization.update({
-                where: { id: organizationId },
-                data: { walletBalance: { decrement: amount } },
-                select: { walletBalance: true },
-            }),
-        ]);
+            });
 
-        const newBalance = updatedOrg.walletBalance;
+            // Hard-stop flag set atomically — no window between debit and stop
+            if (balance <= 0) {
+                await tx.organization.update({
+                    where: { id: organizationId },
+                    data: { isHardStopped: true },
+                });
+            }
 
-        // Update balanceAfter on the transaction (best-effort — analytics only)
-        prisma.walletTransaction.updateMany({
-            where: { organizationId, balanceAfter: 0, type, byok: false },
-            data: { balanceAfter: newBalance },
-        }).catch(() => {});
+            return balance;
+        });
 
-        // Invalidate cache so the guard picks up the new balance immediately
+        // Cache invalidation outside transaction — best-effort, fail is logged
         await invalidateWalletCache(organizationId);
 
-        if (newBalance <= 0) {
-            await prisma.organization.update({
-                where: { id: organizationId },
-                data: { isHardStopped: true },
-            });
-        }
-
         // Fire alerts async — never block the main flow
         maybeQueueWalletAlert(organizationId, newBalance, newBalance + amount > 0);
     } catch (err) {