Xendit webhook: metadata.app routing + survival audit log + rolling fallback file

Every Xendit invoice now carries metadata: { app: 'halobestie_v2' } so an
external webhook router (no DB access) can fan out v1/v2 traffic purely off
the echoed payload.

Every inbound webhook lands in a new webhook_logs table BEFORE auth or
business logic, so a forensic row survives 401/409/unknown/exception paths.
Primary fields are parsed as columns; raw_body keeps the full payload
verbatim. The handler captures outcome in closure-scoped vars and stamps
http_status/processing_result/processing_error in a single update before
the lone reply.send() — Fastify flushes reply.send() immediately, which
defeated the original finally-block stamp.

A non-UUID external_id no longer crashes the Postgres cast; it ACKs with
ignored_non_uuid_external_id so Xendit stops retrying legacy old-app IDs.

When the DB log itself fails, an optional rolling JSONL file sink absorbs
the event. Disabled by default — opt in via XENDIT_WEBHOOK_FALLBACK_ENABLED.
Naming: <NAME>-YYYY-MM-DD.jsonl in XENDIT_WEBHOOK_FALLBACK_DIR (default
./logs), basename XENDIT_WEBHOOK_FALLBACK_NAME (default
xendit-webhook-fallback). No stdout fallback by design.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/db/migrate.js

@@ -1086,6 +1086,65 @@ const migrate = async () => {
        AND product_type = 'chat_session'
   `
 
+  // 10. webhook_logs — survival/audit table for every inbound payment-provider
+  //     webhook. The route handler inserts a row BEFORE auth checks or business
+  //     logic so a forensic record exists even when the request is rejected,
+  //     the body is malformed, or processing throws.
+  //
+  //     Primary fields are extracted as columns (queryable in CC, indexed where
+  //     useful); the full body is kept in `raw_body` JSONB so we can replay or
+  //     diff later. `provider` is a string column (not enum) so adding a new
+  //     payment provider doesn't require a migration.
+  //
+  //     No FK to payment_requests — logs must survive even if the matching
+  //     payment row was wiped, never existed, or arrives for a product/event
+  //     type we don't yet model.
+  await sql`
+    CREATE TABLE IF NOT EXISTS webhook_logs (
+      id                    UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      provider              TEXT NOT NULL DEFAULT 'xendit',
+      received_at           TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+
+      -- Parsed primary fields (Xendit Invoice callback shape — NULL for other event types)
+      xendit_event_id       TEXT,
+      external_id           TEXT,
+      payment_request_id    UUID,
+      status                TEXT,
+      amount                BIGINT,
+      currency              TEXT,
+      payment_method        TEXT,
+      paid_at               TIMESTAMPTZ,
+      metadata_app          TEXT,
+
+      -- Integrity + verbatim record
+      callback_token_valid  BOOLEAN NOT NULL,
+      headers               JSONB NOT NULL,
+      raw_body              JSONB NOT NULL,
+
+      -- Outcome (filled by the handler after processing). Leaving these NULL
+      -- is itself a useful signal — it means the handler crashed before the
+      -- finally block could stamp the result.
+      http_status           SMALLINT,
+      processing_result     TEXT,
+      processing_error      TEXT,
+      processed_at          TIMESTAMPTZ
+    )
+  `
+  await sql`
+    CREATE INDEX IF NOT EXISTS idx_webhook_logs_received_at
+    ON webhook_logs (received_at DESC)
+  `
+  await sql`
+    CREATE INDEX IF NOT EXISTS idx_webhook_logs_external_id
+    ON webhook_logs (external_id)
+    WHERE external_id IS NOT NULL
+  `
+  await sql`
+    CREATE INDEX IF NOT EXISTS idx_webhook_logs_payment_request
+    ON webhook_logs (payment_request_id)
+    WHERE payment_request_id IS NOT NULL
+  `
+
   console.log('Migration complete.')
   await sql.end()
 }