From c0830e3decbf3a6b824279d0588b373c0b21a59c Mon Sep 17 00:00:00 2001
From: saravanakumardb1 <saravanakumardb1@users.noreply.github.com>
Date: Sun, 15 Feb 2026 14:30:30 -0800
Subject: [PATCH] refactor(platform-service): remove BILLING_INTERNAL_KEY guard
 from server.ts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Billing routes (subscriptions, usage, plans, licenses) now registered directly
- No more X-Internal-Key header check — JWT-based productId auth is sufficient
- BILLING_INTERNAL_KEY removed from config schema and AKV secret resolution
- 166 tests pass, tsc clean
---
 services/platform-service/src/lib/config.ts |  1 -
 services/platform-service/src/server.ts     | 26 ++++-----------------
 2 files changed, 4 insertions(+), 23 deletions(-)

diff --git a/services/platform-service/src/lib/config.ts b/services/platform-service/src/lib/config.ts
index 84c4af70..a72e3274 100644
--- a/services/platform-service/src/lib/config.ts
+++ b/services/platform-service/src/lib/config.ts
@@ -22,7 +22,6 @@ const envSchema = z.object({
   STRIPE_WEBHOOK_SECRET: z.string().optional(),
   STRIPE_PRICE_PRO: z.string().optional(),
   STRIPE_PRICE_ENTERPRISE: z.string().optional(),
-  BILLING_INTERNAL_KEY: z.string().optional(),
   BACKEND_URL: z.string().default('http://localhost:8000'),
   PLAN_LIMITS_JSON: z.string().optional(),
   USAGE_WARN_THRESHOLD: z.coerce.number().default(0.8),
diff --git a/services/platform-service/src/server.ts b/services/platform-service/src/server.ts
index 06a01d5f..75daebe8 100644
--- a/services/platform-service/src/server.ts
+++ b/services/platform-service/src/server.ts
@@ -16,7 +16,6 @@ await resolveKeyVaultSecrets([
   LYSNR_SECRETS.JWT_SECRET,
   LYSNR_SECRETS.STRIPE_SECRET_KEY,
   LYSNR_SECRETS.STRIPE_WEBHOOK_SECRET,
-  LYSNR_SECRETS.BILLING_INTERNAL_KEY,
   LYSNR_SECRETS.AZURE_BLOB_CONNECTION_STRING,
   LYSNR_SECRETS.AZURE_BLOB_ACCOUNT_KEY,
 ]);
@@ -93,27 +92,10 @@ await app.register(invitationRoutes, { prefix: '/api' });
 await app.register(referralRoutes, { prefix: '/api' });
 await app.register(promoRoutes, { prefix: '/api' });
 // Billing modules (merged from billing-service)
-// Scoped with internal key auth guard when BILLING_INTERNAL_KEY is set (Gap 3)
-const BILLING_KEY = config.BILLING_INTERNAL_KEY;
-if (BILLING_KEY) {
-  await app.register(async billingScope => {
-    billingScope.addHook('onRequest', async (req, reply) => {
-      const key = req.headers['x-internal-key'];
-      if (key !== BILLING_KEY) {
-        reply.code(401).send({ error: 'Unauthorized — missing or invalid X-Internal-Key' });
-      }
-    });
-    await billingScope.register(subscriptionRoutes, { prefix: '/api' });
-    await billingScope.register(usageRoutes, { prefix: '/api' });
-    await billingScope.register(planRoutes, { prefix: '/api' });
-    await billingScope.register(licenseRoutes, { prefix: '/api' });
-  });
-} else {
-  await app.register(subscriptionRoutes, { prefix: '/api' });
-  await app.register(usageRoutes, { prefix: '/api' });
-  await app.register(planRoutes, { prefix: '/api' });
-  await app.register(licenseRoutes, { prefix: '/api' });
-}
+await app.register(subscriptionRoutes, { prefix: '/api' });
+await app.register(usageRoutes, { prefix: '/api' });
+await app.register(planRoutes, { prefix: '/api' });
+await app.register(licenseRoutes, { prefix: '/api' });
 // Stripe routes outside billing scope (webhook has its own signature verification)
 await app.register(stripeRoutes, { prefix: '/api' });
 // Tracker modules (merged from tracker-service)