fix(billing): resolve code-review findings (authz, cross-billing, validation, webhook integrity)

- C1/H4: rating cron only rates subs on the charge's own plan_id
- C1: _fc_rate_usage skips creating a line when amount is 0 (still updates existing)
- C2/C4: /usage authorizes each event (exists + is_subscription + linked customer)
- C3: API handlers validate input and return 4xx-shaped errors instead of raising;
       controller maps status=='error' to HTTP 400
- H1: cron uses real billing window [last_invoice_date or start_date, next_invoice_date)
- H2: _aggregate uses half-open window anchored on period_start
- H3: idempotency scoped to (subscription_id, metric_id, idempotency_key)
- H5: webhook stores canonical body, signs+POSTs it verbatim, adds X-Fusion-Event-Id,
       caps backoff at 2**min(attempts,10)
- H6: SSRF guard rejects non-https / localhost / private / link-local webhook_url
- M7: charge_model reduced to standard/package (dropped unimplemented graduated/volume)
- L1: currency_id required on charge + reconciliation
- L2: charge price non-negative + unit_batch positive DB constraints

Adds 17 regression tests (suite 22 -> 39, all green via fcb_test_on_trial.sh).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fusion_centralize_billing/models/charge.py

@@ -43,23 +43,30 @@ class FusionBillingCharge(models.Model):
     charge_model = fields.Selection(
         [
             ("standard", "Standard (per unit)"),
-            ("graduated", "Graduated"),
             ("package", "Package"),
-            ("volume", "Volume"),
         ],
         default="standard", required=True,
     )
     currency_id = fields.Many2one(
-        "res.currency", default=lambda self: self.env.company.currency_id,
+        "res.currency", required=True,
+        default=lambda self: self.env.company.currency_id,
     )
     active = fields.Boolean(default=True)
 
+    _price_non_negative = models.Constraint(
+        "CHECK (price_per_unit >= 0)", "Overage price per unit cannot be negative.",
+    )
+    _unit_batch_positive = models.Constraint(
+        "CHECK (unit_batch > 0)", "Unit batch must be greater than zero.",
+    )
+
     def _compute_billable(self, total_quantity):
         """Return (overage_units, amount) for total period usage under this charge.
 
         - overage_units = usage above included_quota (never negative)
-        - 'standard'/'package'/'volume': priced per `unit_batch` block, partial block rounds up.
-          (graduated tiers are out of scope for the core; treated as 'standard'.)
+        - 'standard': price the overage in (rounded-up) `unit_batch` blocks.
+        - 'package': price whole packages over the RAW quantity (quota ignored for
+          package counting); a partial package rounds up.
         """
         self.ensure_one()
         overage = max(0.0, (total_quantity or 0.0) - (self.included_quota or 0.0))
@@ -68,6 +75,6 @@ class FusionBillingCharge(models.Model):
             # whole packages over the RAW quantity (quota ignored for package counting)
             blocks = math.ceil((total_quantity or 0.0) / batch) if total_quantity else 0
             return overage, round(blocks * (self.price_per_unit or 0.0), 2)
-        # standard / volume / graduated-fallback: price the overage in (rounded-up) batches
+        # standard: price the overage in (rounded-up) batches
         blocks = math.ceil(overage / batch) if overage > 0 else 0
         return overage, round(blocks * (self.price_per_unit or 0.0), 2)

fusion_centralize_billing/models/reconciliation.py

@@ -25,7 +25,8 @@ class FusionBillingReconciliation(models.Model):
     external_amount = fields.Monetary(string="App-actual Amount")
     delta = fields.Monetary(help="odoo_amount - external_amount.")
     currency_id = fields.Many2one(
-        "res.currency", default=lambda self: self.env.company.currency_id,
+        "res.currency", required=True,
+        default=lambda self: self.env.company.currency_id,
     )
     status = fields.Selection(
         [

fusion_centralize_billing/models/sale_order.py

@@ -10,13 +10,19 @@ class SaleOrder(models.Model):
     def _fc_rate_usage(self, charge, period_start, period_end):
         """Aggregate this subscription's usage for `charge`'s metric in the period,
         compute the overage amount, and upsert a matching overage order line.
-        Returns the amount."""
+        Returns the amount.
+
+        A zero amount never *creates* a new line (no $0.00 overage clutter); if a
+        line already exists it is still updated so a dropped-to-zero overage clears.
+        """
         self.ensure_one()
         Usage = self.env['fusion.billing.usage']
         total = Usage._aggregate(self, charge.metric_id, period_start, period_end)
         _overage, amount = charge._compute_billable(total)
         if charge.product_id:
             line = self.order_line.filtered(lambda l: l.product_id == charge.product_id)
+            if not line and amount == 0:
+                return amount
             vals = {'product_uom_qty': 1, 'price_unit': amount}
             if line:
                 line.write(vals)

fusion_centralize_billing/models/service.py

@@ -2,9 +2,12 @@
 # Copyright 2026 Nexa Systems Inc.
 # License OPL-1
 import hashlib
+import ipaddress
 import secrets
+from urllib.parse import urlparse
 
 from odoo import api, fields, models
+from odoo.exceptions import ValidationError
 
 
 class FusionBillingService(models.Model):
@@ -45,6 +48,33 @@ class FusionBillingService(models.Model):
         for rec in self:
             rec.account_link_count = len(rec.account_link_ids)
 
+    @api.constrains("webhook_url")
+    def _check_webhook_url(self):
+        """Reject SSRF-prone webhook targets: a non-empty URL must be https and must
+        not point at localhost or a private / link-local / loopback IP literal. Empty
+        is allowed (no webhook configured)."""
+        for rec in self:
+            url = (rec.webhook_url or "").strip()
+            if not url:
+                continue
+            parsed = urlparse(url)
+            if parsed.scheme != "https":
+                raise ValidationError("Webhook URL must use https.")
+            host = parsed.hostname or ""
+            if not host or host.lower() in ("localhost", "ip6-localhost", "ip6-loopback"):
+                raise ValidationError(
+                    "Webhook URL must not target localhost or a private address.")
+            try:
+                ip = ipaddress.ip_address(host)
+            except ValueError:
+                ip = None
+            if ip is not None and (
+                ip.is_private or ip.is_loopback or ip.is_link_local
+                or ip.is_reserved or ip.is_unspecified or ip.is_multicast
+            ):
+                raise ValidationError(
+                    "Webhook URL must not target a private or loopback address.")
+
     def action_generate_api_key(self):
         """Generate a fresh bearer key, store only its hash, return the raw key.
 
@@ -64,7 +94,14 @@ class FusionBillingService(models.Model):
         return self.search([('api_key_hash', '=', key_hash), ('active', '=', True)], limit=1)
 
     def _api_upsert_customer(self, payload):
+        """Resolve/create the partner link for an external account.
+
+        Defensive: a non-dict payload or a missing/empty ``external_id`` returns a
+        4xx-shaped error instead of raising (C3).
+        """
         self.ensure_one()
+        if not isinstance(payload, dict):
+            return {'status': 'error', 'error': 'invalid payload'}
         ext = payload.get('external_id')
         if not ext:
             return {'status': 'error', 'error': 'external_id required'}
@@ -73,15 +110,53 @@ class FusionBillingService(models.Model):
         return {'status': 'ok', 'partner_id': link.partner_id.id, 'external_id': ext}
 
     def _api_record_usage(self, payload):
+        """Ingest a batch of usage events.
+
+        Authorization (C2/C4): each event must target a subscription sale.order that
+        (a) exists, (b) is actually a subscription, and (c) belongs to a customer THIS
+        service is linked to. Any failing event is rejected and stops processing for
+        that event without writing a usage row.
+
+        Validation (C3): a non-dict payload, a non-list ``events``, missing required
+        keys, or non-numeric ``quantity``/ids return a 4xx-shaped error instead of
+        raising (no 500s).
+        """
         self.ensure_one()
-        events = payload.get('events') or []
+        if not isinstance(payload, dict):
+            return {'status': 'error', 'error': 'invalid payload'}
+        events = payload.get('events')
+        if events is None:
+            events = []
+        if not isinstance(events, list):
+            return {'status': 'error', 'error': 'events must be a list'}
         Usage = self.env['fusion.billing.usage']
+        linked_partners = self.account_link_ids.mapped('partner_id')
         accepted = 0
         for ev in events:
-            sub = self.env['sale.order'].browse(int(ev['subscription_external_id']))
-            Usage._record_usage(
-                sub, ev['metric_code'], float(ev['quantity']),
-                ev['period_start'], ev['period_end'], idem=ev.get('idempotency_key'))
+            if not isinstance(ev, dict):
+                return {'status': 'error', 'error': 'invalid event'}
+            for key in ('subscription_external_id', 'metric_code', 'quantity',
+                        'period_start', 'period_end'):
+                if ev.get(key) in (None, ''):
+                    return {'status': 'error', 'error': 'missing %s' % key}
+            try:
+                sub_id = int(ev['subscription_external_id'])
+            except (TypeError, ValueError):
+                return {'status': 'error', 'error': 'invalid subscription_external_id'}
+            try:
+                quantity = float(ev['quantity'])
+            except (TypeError, ValueError):
+                return {'status': 'error', 'error': 'invalid quantity'}
+            sub = self.env['sale.order'].browse(sub_id)
+            if not sub.exists() or not sub.is_subscription \
+                    or sub.partner_id not in linked_partners:
+                return {'status': 'error', 'error': 'unknown subscription'}
+            try:
+                Usage._record_usage(
+                    sub, ev['metric_code'], quantity,
+                    ev['period_start'], ev['period_end'], idem=ev.get('idempotency_key'))
+            except ValueError as e:
+                return {'status': 'error', 'error': str(e)}
             accepted += 1
         return {'status': 'ok', 'accepted': accepted}
 
@@ -100,21 +175,49 @@ class FusionBillingService(models.Model):
         The product on each line must have recurring_invoice=True so that
         Odoo recognises the order as a subscription with has_recurring_line and
         action_confirm() reaches subscription_state='3_progress'.
+
+        Validation (C3): a non-dict payload, a missing/unknown customer, a missing
+        ``plan_id``, a non-list ``lines``, or a non-numeric product id/quantity
+        return a 4xx-shaped error instead of raising (no 500s).
         """
         self.ensure_one()
+        if not isinstance(payload, dict):
+            return {'status': 'error', 'error': 'invalid payload'}
+        if not payload.get('external_customer_id'):
+            return {'status': 'error', 'error': 'external_customer_id required'}
+        if not payload.get('plan_id'):
+            return {'status': 'error', 'error': 'plan_id required'}
+        try:
+            plan_id = int(payload['plan_id'])
+        except (TypeError, ValueError):
+            return {'status': 'error', 'error': 'invalid plan_id'}
         link = self.env['fusion.billing.account.link'].search([
             ('service_id', '=', self.id),
             ('external_id', '=', payload.get('external_customer_id')),
         ], limit=1)
         if not link:
             return {'status': 'error', 'error': 'unknown customer'}
-        order_lines = [(0, 0, {
-            'product_id': line['product_id'],
-            'product_uom_qty': line.get('quantity', 1),
-        }) for line in payload.get('lines', [])]
+        lines = payload.get('lines')
+        if lines is None:
+            lines = []
+        if not isinstance(lines, list):
+            return {'status': 'error', 'error': 'lines must be a list'}
+        order_lines = []
+        for line in lines:
+            if not isinstance(line, dict) or line.get('product_id') in (None, ''):
+                return {'status': 'error', 'error': 'invalid line'}
+            try:
+                product_id = int(line['product_id'])
+                quantity = float(line.get('quantity', 1))
+            except (TypeError, ValueError):
+                return {'status': 'error', 'error': 'invalid line'}
+            order_lines.append((0, 0, {
+                'product_id': product_id,
+                'product_uom_qty': quantity,
+            }))
         sub = self.env['sale.order'].sudo().create({
             'partner_id': link.partner_id.id,
-            'plan_id': payload['plan_id'],
+            'plan_id': plan_id,
             'order_line': order_lines,
         })
         sub.action_confirm()

fusion_centralize_billing/models/usage.py

@@ -35,12 +35,14 @@ class FusionBillingUsage(models.Model):
     )
 
     _idempotency_uniq = models.Constraint(
-        "unique(idempotency_key)", "Usage idempotency key must be unique.",
+        "unique(subscription_id, metric_id, idempotency_key)",
+        "Usage idempotency key must be unique per subscription and metric.",
     )
 
     @api.model
     def _record_usage(self, subscription, metric_code, quantity, period_start, period_end, idem=None):
-        """Upsert one aggregated usage row. Same idempotency key updates in place (no double-count)."""
+        """Upsert one aggregated usage row. Same idempotency key (scoped to the same
+        subscription + metric) updates in place (no double-count)."""
         metric = self.env['fusion.billing.metric'].search([('code', '=', metric_code)], limit=1)
         if not metric:
             raise ValueError("Unknown metric code: %s" % metric_code)
@@ -53,7 +55,11 @@ class FusionBillingUsage(models.Model):
             'idempotency_key': idem,
         }
         if idem:
-            existing = self.search([('idempotency_key', '=', idem)], limit=1)
+            existing = self.search([
+                ('subscription_id', '=', subscription.id),
+                ('metric_id', '=', metric.id),
+                ('idempotency_key', '=', idem),
+            ], limit=1)
             if existing:
                 existing.write({'quantity': quantity})
                 return existing
@@ -62,31 +68,42 @@ class FusionBillingUsage(models.Model):
     @api.model
     def _cron_rate_open_periods(self):
         """Hourly cron: for every active charge, aggregate usage and upsert overage lines
-        on all in-progress subscriptions whose next invoice date is set."""
+        on the in-progress subscriptions that are on the charge's own plan.
+
+        A charge only rates subscriptions whose ``plan_id`` matches the charge's
+        ``plan_id`` — never every subscription against every charge (C1/H4). The
+        billing-period window is the subscription's real open period
+        ``[last_invoice_date or start_date, next_invoice_date)`` (H1)."""
         Charge = self.env['fusion.billing.charge'].search([('active', '=', True)])
         SaleOrder = self.env['sale.order']
         for charge in Charge:
+            if not charge.plan_id:
+                continue
             subs = SaleOrder.search([
                 ('is_subscription', '=', True),
                 ('subscription_state', '=', '3_progress'),
-                ('plan_id.name', '!=', False),
+                ('plan_id', '=', charge.plan_id.id),
             ])
             for sub in subs:
                 if not sub.next_invoice_date:
                     continue
                 period_end = fields.Datetime.to_datetime(sub.next_invoice_date)
-                period_start = period_end.replace(day=1)
+                period_start = fields.Datetime.to_datetime(
+                    sub.last_invoice_date or sub.start_date)
+                if not period_start:
+                    continue
                 sub._fc_rate_usage(charge, period_start, period_end)
 
     @api.model
     def _aggregate(self, subscription, metric, period_start, period_end):
-        """Aggregate stored usage for a subscription+metric within [period_start, period_end)
+        """Aggregate stored usage for a subscription+metric over the half-open window
+        ``[period_start, period_end)``, anchored on each rollup's ``period_start``,
         using the metric's aggregation function."""
         rows = self.search([
             ('subscription_id', '=', subscription.id),
             ('metric_id', '=', metric.id),
             ('period_start', '>=', period_start),
-            ('period_end', '<=', period_end),
+            ('period_start', '<', period_end),
         ])
         qtys = rows.mapped('quantity')
         if not qtys:

fusion_centralize_billing/models/webhook.py

@@ -39,6 +39,10 @@ class FusionBillingWebhook(models.Model):
              "subscription.terminated / subscription.reactivated / usage.threshold_reached",
     )
     payload = fields.Json()
+    body = fields.Text(
+        help="Canonical JSON body that was signed and is POSTed verbatim "
+             "(so the signature always matches the bytes on the wire).",
+    )
     state = fields.Selection(
         [
             ("pending", "Pending"),
@@ -59,11 +63,14 @@ class FusionBillingWebhook(models.Model):
 
     @api.model
     def _enqueue(self, service, event_type, payload):
+        # Serialize the canonical body ONCE, store it, and sign that exact string so
+        # the dispatched bytes always match the signature (no re-serialization drift).
         body = json.dumps(payload, sort_keys=True, separators=(',', ':'))
         return self.create({
             'service_id': service.id,
             'event_type': event_type,
             'payload': payload,
+            'body': body,
             'signature': self._sign(service.webhook_secret, body),
             'state': 'pending',
             'next_retry_at': fields.Datetime.now(),
@@ -77,14 +84,18 @@ class FusionBillingWebhook(models.Model):
             ('next_retry_at', '<=', now),
         ], limit=100)
         for wh in due:
-            body = json.dumps(wh.payload, sort_keys=True, separators=(',', ':'))
+            # POST the exact bytes that were signed at enqueue time. Fall back to
+            # re-serializing the payload only for legacy rows enqueued before `body`
+            # existed (the signature was computed over the same canonical form).
+            body = wh.body or json.dumps(wh.payload, sort_keys=True, separators=(',', ':'))
             try:
                 resp = requests.post(
                     wh.service_id.webhook_url,
                     data=body,
                     headers={'Content-Type': 'application/json',
                              'X-Fusion-Signature': wh.signature,
-                             'X-Fusion-Event': wh.event_type},
+                             'X-Fusion-Event': wh.event_type,
+                             'X-Fusion-Event-Id': str(wh.id)},
                     timeout=10,
                 )
                 ok = 200 <= resp.status_code < 300
@@ -98,4 +109,5 @@ class FusionBillingWebhook(models.Model):
                 wh.state = 'dead'
             else:
                 wh.state = 'failed'
-                wh.next_retry_at = now + timedelta(minutes=2 ** wh.attempts)
+                # Cap the exponential backoff so the interval can't overflow.
+                wh.next_retry_at = now + timedelta(minutes=2 ** min(wh.attempts, 10))