feat(gateway-arch): move Stripe webhook handling to financial-gateway (#1391)

* feat(financial-gateway): define PaymentCapturedEvent and PaymentFailedEvent protos

Adds financial_gateway_events/v1 proto package with PaymentCapturedEvent and
PaymentFailedEvent message types. Registers corresponding Kafka topics and
HTTP port constant.

Part of 033-gateway-architecture task 9: Move webhook handling to financial-gateway.

* feat(gateway-arch): move Stripe webhook handling from payment-order to financial-gateway

Moves Stripe webhook reception from payment-order to financial-gateway,
the correct architectural home for payment provider integration.

financial-gateway changes:
- Add HTTP webhook handler (adapters/http/webhook_handler.go) that validates
  Stripe-Signature, maps payment_intent.succeeded → PaymentCapturedEvent and
  payment_intent.payment_failed → PaymentFailedEvent, and publishes via
  transactional outbox
- Extend ParsedWebhookEvent with AmountMinorUnits and Currency fields
- Add ManifestTenantConfigProvider and envTenantConfigProvider for per-tenant
  webhook secrets (control-plane or env-var fallback)
- Wire HTTP server on port 8095 (/webhooks/stripe) alongside existing gRPC server
- Add outbox worker for Kafka publish (KAFKA_BOOTSTRAP_SERVERS or KAFKA_BROKERS)
- Add event_outbox migration and Atlas config

payment-order changes:
- Remove StripeWebhookHandler, StripeEventProcessor, and related tests
- Remove /webhook/stripe route from HTTP server
- Add PaymentEventConsumer that subscribes to financial-gateway Kafka topics and
  calls UpdatePaymentOrder to transition orders to SETTLED or REJECTED

* fix(payment-order): rename unused ctx parameter in consumer test stub

Renames unused ctx parameter to _ to satisfy golangci-lint revive rule.

* fix: remove payment-order Stripe webhook e2e test referencing deleted types

The stripe e2e test file referenced StripeWebhookHandler, NewStripeEventProcessor,
and StripeWebhookHandlerConfig which were deleted as part of moving webhook
handling to financial-gateway. Since the Stripe webhook E2E tests no longer
apply to payment-order (which now receives events via Kafka from financial-gateway),
the file is removed.

* fix: remove unused withSagaOrchestration helper from payment-order e2e tests

withSagaOrchestration was only used by the deleted stripe_e2e_test.go.
Removing to fix golangci-lint unused function error.

* fix: register financial-gateway database mapping in migration runner

The migration runner's ServiceDatabases map did not include financial-gateway,
causing the unified binary --migrate flag to fail with "unknown service: no
database mapping" when encountering the new financial-gateway migrations.

* fix: add financial-gateway topics to topics.yaml and topics_test.go

TestAll_ContainsAllConstants and TestTopicsYAML_ConsistentWithGoConstants
both enforce that topics.go constants, topics.yaml, and topics.All() are
consistent. The new financial-gateway topics were added to the Go constants
and All() slice but were missing from topics.yaml and the test's knownConstants
list.

* fix: address CodeRabbit review comments for webhook migration

- Fix silent proto deserialization corruption: use two separate
  kafka.ProtoConsumer instances (one per topic) with the correct
  typed msgFactory, preventing PaymentFailedEvent bytes from being
  decoded as PaymentCapturedEvent

- Fix missing tenant context: change route to POST /webhooks/stripe/{tenantID}
  and extract tenant via r.PathValue("tenantID") instead of relying on
  middleware that was never wired; inject into ctx via tenant.WithTenant

- Fix nil OutboxPublisher not validated: panic in NewWebhookHandler
  when OutboxPublisher is nil, consistent with ClientFactory guard

- Fix gRPC listener resource leak: add listenerClosed flag with deferred
  close so listener is not abandoned on startup failures after bind

- Fix serverErrors channel buffer too small: increase from 2 to 3
  to accommodate gRPC + HTTP + payment event consumer goroutines

- Use static sentinel errors (ErrUnexpectedCapturedMessageType,
  ErrUnexpectedFailedMessageType) for type assertion failures in
  consumers to satisfy err113 linter

- Update webhook_handler_test.go to use r.SetPathValue("tenantID")
  instead of tenant.WithTenant context injection, matching new handler
  behaviour; remove unused tenant import

- Update payment-order/cmd/main.go to use new Start(capturedTopic,
  failedTopic string) signature for PaymentEventConsumer

* fix: address remaining CodeRabbit review comments

- Validate payment_order_id before publishing to outbox: events missing
  this metadata field (non-Meridian Stripe payments) are now acknowledged
  with a warning log instead of returning 500 and causing infinite retries

- Add HTTP server timeouts (ReadHeaderTimeout/ReadTimeout/WriteTimeout/
  IdleTimeout) to financial-gateway webhook server to prevent slowloris
  connection exhaustion attacks

- Guard against nil PaymentOrderUpdater in both PaymentEventConsumer
  constructors; NewPaymentEventConsumer panics, NewPaymentEventConsumerWithKafka
  returns ErrNilPaymentOrderUpdater

- Move NewPaymentEventConsumerWithKafka construction before server start
  goroutines so initialization failures return cleanly without leaving
  active listeners/goroutines behind

* docs: clarify intentional insecure gRPC credentials for inter-service calls

Inter-service gRPC connections use insecure.NewCredentials() by design
across the Meridian platform. Network-layer security (mTLS via service mesh)
handles encryption for cluster-internal traffic. This matches the pattern
used in position-keeping, reconciliation, tenant, and other services.

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

api/proto/meridian/financial_gateway_events/v1/events.proto

@@ -0,0 +1,101 @@
+syntax = "proto3";
+
+package meridian.financial_gateway_events.v1;
+
+import "buf/validate/validate.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/meridianhub/meridian/api/proto/meridian/financial_gateway_events/v1;financialgatewayeventsv1";
+
+// PaymentCapturedEvent is published when a Stripe payment_intent.succeeded webhook
+// is received and validated. It signals that a payment has been successfully captured
+// by the payment provider.
+message PaymentCapturedEvent {
+  // event_id uniquely identifies this event instance (UUID).
+  string event_id = 1 [(buf.validate.field).string.uuid = true];
+
+  // correlation_id links all events across services for a single user request.
+  string correlation_id = 2 [(buf.validate.field).string.max_len = 255];
+
+  // causation_id identifies the provider event that caused this domain event.
+  string causation_id = 3 [(buf.validate.field).string.max_len = 255];
+
+  // version is the event schema version for forward compatibility.
+  int32 version = 4 [(buf.validate.field).int32.gte = 1];
+
+  // payment_order_id is the Meridian payment order associated with this capture.
+  // May be empty if the Stripe payment was not created via Meridian (no payment_order_id in metadata).
+  string payment_order_id = 5 [(buf.validate.field).string.max_len = 255];
+
+  // provider_reference_id is the payment provider's identifier (e.g., Stripe PaymentIntent ID).
+  string provider_reference_id = 6 [(buf.validate.field).string = {
+    min_len: 1
+    max_len: 255
+  }];
+
+  // amount_minor_units is the captured amount in the smallest currency unit (e.g., cents for USD).
+  int64 amount_minor_units = 7 [(buf.validate.field).int64.gte = 0];
+
+  // currency is the ISO 4217 currency code (e.g., "USD", "GBP").
+  // May be empty if the provider did not include currency in the webhook payload.
+  string currency = 8 [(buf.validate.field).string.max_len = 3];
+
+  // captured_at is when the payment was captured by the provider.
+  google.protobuf.Timestamp captured_at = 9;
+
+  // provider_event_id is the payment provider's webhook event ID (e.g., Stripe evt_ ID).
+  // Used for idempotency and deduplication.
+  string provider_event_id = 10 [(buf.validate.field).string = {
+    min_len: 1
+    max_len: 255
+  }];
+
+  // metadata contains additional key-value pairs from the provider event.
+  map<string, string> metadata = 11 [(buf.validate.field).map = {
+    max_pairs: 64
+    keys: {string: {max_len: 128}}
+    values: {string: {max_len: 1024}}
+  }];
+}
+
+// PaymentFailedEvent is published when a Stripe payment_intent.payment_failed webhook
+// is received and validated. It signals that a payment attempt was rejected by the provider.
+message PaymentFailedEvent {
+  // event_id uniquely identifies this event instance (UUID).
+  string event_id = 1 [(buf.validate.field).string.uuid = true];
+
+  // correlation_id links all events across services for a single user request.
+  string correlation_id = 2 [(buf.validate.field).string.max_len = 255];
+
+  // causation_id identifies the provider event that caused this domain event.
+  string causation_id = 3 [(buf.validate.field).string.max_len = 255];
+
+  // version is the event schema version for forward compatibility.
+  int32 version = 4 [(buf.validate.field).int32.gte = 1];
+
+  // payment_order_id is the Meridian payment order associated with this failure.
+  // May be empty if the Stripe payment was not created via Meridian (no payment_order_id in metadata).
+  string payment_order_id = 5 [(buf.validate.field).string.max_len = 255];
+
+  // provider_reference_id is the payment provider's identifier (e.g., Stripe PaymentIntent ID).
+  string provider_reference_id = 6 [(buf.validate.field).string = {
+    min_len: 1
+    max_len: 255
+  }];
+
+  // failure_reason is a human-readable description of why the payment failed.
+  string failure_reason = 7 [(buf.validate.field).string.max_len = 1024];
+
+  // failure_code is the provider's machine-readable failure code (e.g., Stripe decline code).
+  string failure_code = 8 [(buf.validate.field).string.max_len = 255];
+
+  // provider_event_id is the payment provider's webhook event ID (e.g., Stripe evt_ ID).
+  // Used for idempotency and deduplication.
+  string provider_event_id = 9 [(buf.validate.field).string = {
+    min_len: 1
+    max_len: 255
+  }];
+
+  // failed_at is when the payment failure occurred.
+  google.protobuf.Timestamp failed_at = 10;
+}

internal/migrations/runner.go

@@ -79,6 +79,7 @@ var ServiceDatabases = map[string]ServiceDatabase{
 	"forecasting":          {Database: "meridian_forecasting", User: "meridian_forecasting_user", Password: ""},
 	"reference-data":       {Database: "meridian_reference_data", User: "meridian_reference_data_user", Password: ""},
 	"operational-gateway":  {Database: "meridian_operational_gateway", User: "meridian_operational_gateway_user", Password: ""},
+	"financial-gateway":    {Database: "meridian_financial_gateway", User: "meridian_financial_gateway_user", Password: ""},
 }
 
 // serviceMigration holds a single migration file for a service.