[Phase 0f] Shared infra + un-skip 86 E2E payment tests (~2h)

[TortoiseWolfe]

Part of epic #100.

Wraps up Phase 0 by adding shared helpers used across all 8 functions AND un-skipping the dormant E2E test suite.

Shared helpers to ship

Three files under supabase/functions/_shared/:

1. cors.ts

Standard CORS preflight + headers helper. Every function should import:

import { corsHeaders, handleCors } from '../_shared/cors.ts';

serve(async (req) => {
  const cors = handleCors(req);
  if (cors) return cors;  // returns preflight response, or null
  // ... function logic
  return new Response(JSON.stringify(...), { headers: corsHeaders });
});

2. auth.ts

Extract user_id from caller's JWT (the browser sends Authorization: Bearer <token> automatically via Supabase client).

export async function getUserId(req: Request): Promise<string> {
  const authHeader = req.headers.get('Authorization');
  if (!authHeader) throw new Error('Missing Authorization header');
  // Use supabase.auth.getUser(token) to verify + extract
  // Return user.id, or throw
}

3. idempotency.ts

Helper to compute / read idempotency_key from a payment_intents row:

export function getIdempotencyKey(intent: PaymentIntent): string {
  return intent.idempotency_key || crypto.randomUUID();
}

E2E test un-skip

The 7 files under tests/e2e/payment/ contain 86 test.skip()'d tests total:

File	Skipped tests
01-stripe-onetime.spec.ts	8
02-paypal-subscription.spec.ts	12
03-failed-payment-retry.spec.ts	12
04-gdpr-consent.spec.ts	2
05-offline-queue.spec.ts	18
06-realtime-dashboard.spec.ts	20
07-performance.spec.ts	14

Most have inline test.skip(!isStripeConfigured, '...') guards that the previous Phase 0a–0e sub-issues will partially un-block. This issue is for the FINAL pass: remove the outer test.skip() decorators so the suite runs against sandbox keys.

Acceptance

• supabase/functions/_shared/cors.ts exists and is used by at least one Phase 0a-0e function
• supabase/functions/_shared/auth.ts exists and is used by all 8 Phase 0 functions
• supabase/functions/_shared/idempotency.ts exists
• All 86 outer test.skip() decorators removed from tests/e2e/payment/*.spec.ts
• docker compose exec scripthammer pnpm exec playwright test tests/e2e/payment/ runs against sandbox: all tests either pass OR cleanly skip via the inner test.skip(!isStripeConfigured, ...) guard (for forks without keys)
• docs/PAYMENT-DEPLOYMENT.md Step 4.2 updated to remove "NOT YET SHIPPED" warning
• PR docs(payments): rewrite PAYMENT-DEPLOYMENT.md + add config verifier script #99's "Status of the integration" table updated to show Outbound Edge Functions as ✅ shipped

🤖 Created from audit on 2026-05-20

[TortoiseWolfe]

Status (2026-06-06): shared infra SHIPPED in #130 — leaving open until the test-unskip acceptance is met

The shared infrastructure deliverable is done (PR #130, dc1170e):

• supabase/functions/_shared/{cors.ts,auth.ts,idempotency.ts} all exist; cors+auth are imported by all 8 edge functions.
• edge_idempotency_keys table present in the monolithic migration.

Deliberately NOT closing — the headline acceptance ("un-skip the ~86 payment E2E tests") is NOT met and is blocked outside this issue's scope:

• Per docs/payment-e2e-skip-index.md ([Gap-Audit] tests/e2e/payment/: 84 test.skip — index by blocker #53), the skips are blocked by missing front-end routes (/payment/subscriptions shipped via [Eval-Backlog] SUBSCRIPTION-MGMT: subscription management route + 4 edge functions + grace-period wiring #5; a /payment/history surface and the offline-queue UI tracked in [Eval-Backlog] PAYMENT-OFFLINE-UI: UI layer for existing offline payment queue #4) and ~4 needing Stripe/PayPal sandbox creds — not by backend infra.
• Loose end worth tracking: _shared/idempotency.ts exists but is imported by zero functions (dead code) — wire it into create-paypal-order/capture-paypal-order as a follow-up.

Re-home the test-unskip work onto #4 (offline-queue UI) + a sandbox-creds task, then close this once the infra-dependent skips actually clear.