fix: address remaining CodeRabbit review comments

- Validate payment_order_id before publishing to outbox: events missing
  this metadata field (non-Meridian Stripe payments) are now acknowledged
  with a warning log instead of returning 500 and causing infinite retries

- Add HTTP server timeouts (ReadHeaderTimeout/ReadTimeout/WriteTimeout/
  IdleTimeout) to financial-gateway webhook server to prevent slowloris
  connection exhaustion attacks

- Guard against nil PaymentOrderUpdater in both PaymentEventConsumer
  constructors; NewPaymentEventConsumer panics, NewPaymentEventConsumerWithKafka
  returns ErrNilPaymentOrderUpdater

- Move NewPaymentEventConsumerWithKafka construction before server start
  goroutines so initialization failures return cleanly without leaving
  active listeners/goroutines behind

Author: bjcoombs

services/financial-gateway/adapters/http/webhook_handler.go

@@ -201,6 +201,19 @@ func (h *WebhookHandler) HandleStripeWebhook(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	// Require payment_order_id to be present in Stripe metadata.
+	// Events without it cannot be routed to a payment order — publishing
+	// would fail with ErrEmptyAggregateID and trigger infinite Stripe retries.
+	if parsed.PaymentOrderID == "" {
+		h.logger.Warn("stripe webhook missing payment_order_id in metadata — event acknowledged without processing",
+			"event_id", parsed.EventID,
+			"gateway_reference_id", parsed.GatewayReferenceID,
+			"tenant_id", tenantID.String(),
+		)
+		h.writeSuccess(w, "event acknowledged — no payment_order_id in metadata")
+		return
+	}
+
 	h.logger.Info("publishing stripe webhook domain event",
 		"event_id", parsed.EventID,
 		"gateway_reference_id", parsed.GatewayReferenceID,

services/financial-gateway/cmd/main.go

@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"
 
 	controlplanev1 "github.com/meridianhub/meridian/api/proto/meridian/control_plane/v1"
 	financialgatewayv1 "github.com/meridianhub/meridian/api/proto/meridian/financial_gateway/v1"
@@ -234,8 +235,12 @@ func run(logger *slog.Logger) error {
 
 	httpAddress := fmt.Sprintf(":%s", cfg.HTTPPort)
 	httpServer := &http.Server{
-		Addr:    httpAddress,
-		Handler: mux,
+		Addr:              httpAddress,
+		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      15 * time.Second,
+		IdleTimeout:       60 * time.Second,
 	}
 
 	// Channel to collect server errors.

services/payment-order/adapters/messaging/payment_event_consumer.go

@@ -18,6 +18,9 @@ import (
 // created without Kafka (use NewPaymentEventConsumerWithKafka for production).
 var ErrConsumerNotConfigured = errors.New("consumer not configured with Kafka — use NewPaymentEventConsumerWithKafka")
 
+// ErrNilPaymentOrderUpdater is returned when a nil PaymentOrderUpdater is passed to a constructor.
+var ErrNilPaymentOrderUpdater = errors.New("payment order updater is required")
+
 // ErrUnexpectedCapturedMessageType is returned when the payment-captured consumer receives a message that is not *PaymentCapturedEvent.
 var ErrUnexpectedCapturedMessageType = errors.New("unexpected message type for payment-captured topic")
 
@@ -50,6 +53,9 @@ type PaymentEventConsumer struct {
 
 // NewPaymentEventConsumer creates a consumer that handles domain events from financial-gateway.
 func NewPaymentEventConsumer(svc PaymentOrderUpdater) *PaymentEventConsumer {
+	if svc == nil {
+		panic(ErrNilPaymentOrderUpdater.Error())
+	}
 	return &PaymentEventConsumer{
 		svc:    svc,
 		logger: slog.Default(),
@@ -66,6 +72,9 @@ func NewPaymentEventConsumerWithKafka(
 	svc PaymentOrderUpdater,
 	logger *slog.Logger,
 ) (*PaymentEventConsumer, error) {
+	if svc == nil {
+		return nil, ErrNilPaymentOrderUpdater
+	}
 	if logger == nil {
 		logger = slog.Default()
 	}

services/payment-order/cmd/main.go

@@ -536,26 +536,10 @@ func run(logger *slog.Logger) error {
 		return fmt.Errorf("failed to listen on %s: %w", grpcAddress, err)
 	}
 
-	// Channel to collect server errors (gRPC + HTTP + payment event consumer).
-	serverErrors := make(chan error, 3)
-
-	// Start gRPC server in background
-	go func() {
-		logger.Info("starting gRPC server", "address", grpcAddress)
-		if err := grpcServer.Serve(grpcListener); err != nil {
-			serverErrors <- fmt.Errorf("gRPC server error: %w", err)
-		}
-	}()
-
-	// Start HTTP server in background
-	go func() {
-		logger.Info("starting HTTP server", "port", httpPort)
-		if err := httpServer.Start(); err != nil {
-			serverErrors <- fmt.Errorf("HTTP server error: %w", err)
-		}
-	}()
-
-	// Start financial-gateway payment event consumer (if Kafka is configured).
+	// Construct the financial-gateway payment event consumer before starting servers
+	// so that any initialization error causes an early return without leaving
+	// running goroutines/listeners behind.
+	//
 	// Subscribes to financial-gateway.payment-captured.v1 and
 	// financial-gateway.payment-failed.v1 topics and calls UpdatePaymentOrder
 	// to transition payment orders to SETTLED or REJECTED.
@@ -580,7 +564,31 @@ func run(logger *slog.Logger) error {
 				logger.Error("failed to close payment event consumer", "error", err)
 			}
 		}()
+	} else {
+		logger.Warn("payment event consumer disabled - KAFKA_BOOTSTRAP_SERVERS not set")
+	}
 
+	// Channel to collect server errors (gRPC + HTTP + payment event consumer).
+	serverErrors := make(chan error, 3)
+
+	// Start gRPC server in background
+	go func() {
+		logger.Info("starting gRPC server", "address", grpcAddress)
+		if err := grpcServer.Serve(grpcListener); err != nil {
+			serverErrors <- fmt.Errorf("gRPC server error: %w", err)
+		}
+	}()
+
+	// Start HTTP server in background
+	go func() {
+		logger.Info("starting HTTP server", "port", httpPort)
+		if err := httpServer.Start(); err != nil {
+			serverErrors <- fmt.Errorf("HTTP server error: %w", err)
+		}
+	}()
+
+	// Start payment event consumer after servers are up.
+	if paymentEventConsumer != nil {
 		go func() {
 			if err := paymentEventConsumer.Start(
 				"financial-gateway.payment-captured.v1",
@@ -590,8 +598,6 @@ func run(logger *slog.Logger) error {
 				serverErrors <- fmt.Errorf("payment event consumer error: %w", err)
 			}
 		}()
-	} else {
-		logger.Warn("payment event consumer disabled - KAFKA_BOOTSTRAP_SERVERS not set")
 	}
 
 	// Start billing workers in background (if enabled)