fix: harden tab expiry cron against silent capture failures

- Check PI state on Stripe before capture/cancel (requires_capture,
  canceled, requires_payment_method, etc.)
- Add application_fee_amount for Stripe Connect (was missing — all
  money went to connected account on auto-close)
- Re-verify tab StatusID=1 before processing (prevents race with
  user-initiated close)
- Add WHERE StatusID=1 to closing UPDATE (prevents overwriting
  concurrent user close)
- Log full Stripe response status and HTTP code for debugging
- Handle already-cancelled PIs gracefully (mark tab expired)
- Handle unconfirmed PIs (cancel and mark expired)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cron/expireTabs.cfm

@@ -10,8 +10,7 @@
  * Run every 5 minutes.
  *
  * 1. Expire idle tabs (no activity beyond business SessionLockMinutes)
- * 2. Auto-close tabs nearing 7-day auth expiry (Stripe hold limit)
+ * 2. Clean up stale presence records (>30 min old)
- * 3. Clean up stale presence records (>30 min old)
  */
 
 function apiAbort(required struct payload) {
@@ -28,13 +27,15 @@ try {
 
     expiredCount = 0;
     capturedCount = 0;
+    cancelledCount = 0;
     presenceCleaned = 0;
 
     // 1. Find open tabs that have been idle beyond their business lock duration
+    //    Re-check StatusID = 1 to prevent race with user-initiated close
     qIdleTabs = queryExecute("
         SELECT t.ID, t.StripePaymentIntentID, t.AuthAmountCents, t.RunningTotalCents,
                t.OwnerUserID, t.BusinessID,
-               b.SessionLockMinutes, b.PayfritFee
+               b.SessionLockMinutes, b.PayfritFee, b.StripeAccountID, b.StripeOnboardingComplete
         FROM Tabs t
         JOIN Businesses b ON b.ID = t.BusinessID
         WHERE t.StatusID = 1
@@ -43,6 +44,64 @@ try {
 
     for (tab in qIdleTabs) {
         try {
+            // Re-verify tab is still open (prevents race with user close)
+            qRecheck = queryExecute("
+                SELECT StatusID FROM Tabs WHERE ID = :tabID LIMIT 1
+            ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+            if (qRecheck.recordCount == 0 || qRecheck.StatusID != 1) {
+                writeLog(file="tab_cron", text="Tab ##tab.ID## no longer open (status=#qRecheck.StatusID#), skipping.");
+                continue;
+            }
+
+            // Check PI state on Stripe before attempting capture/cancel
+            httpCheck = new http();
+            httpCheck.setMethod("GET");
+            httpCheck.setUrl("https://api.stripe.com/v1/payment_intents/#tab.StripePaymentIntentID#");
+            httpCheck.setUsername(stripeSecretKey);
+            httpCheck.setPassword("");
+            checkResult = httpCheck.send().getPrefix();
+            piData = deserializeJSON(checkResult.fileContent);
+
+            if (!structKeyExists(piData, "status")) {
+                writeLog(file="tab_cron", text="Tab ##tab.ID## cannot read PI status. Skipping.");
+                continue;
+            }
+
+            piStatus = piData.status;
+            writeLog(file="tab_cron", text="Tab ##tab.ID## PI status: #piStatus#");
+
+            // If PI is already canceled/succeeded/processing, handle accordingly
+            if (piStatus == "canceled") {
+                // PI was already cancelled (e.g., by Stripe, webhook, or manual action)
+                queryExecute("
+                    UPDATE Tabs SET StatusID = 5, ClosedOn = NOW(), PaymentStatus = 'cancelled',
+                        PaymentError = 'PI already cancelled on Stripe'
+                    WHERE ID = :tabID AND StatusID = 1
+                ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+                cancelledCount++;
+                writeLog(file="tab_cron", text="Tab ##tab.ID## PI already cancelled. Marked expired.");
+                // Fall through to member/order cleanup below
+            } else if (piStatus != "requires_capture") {
+                // PI not in capturable state (requires_payment_method, requires_confirmation, etc.)
+                writeLog(file="tab_cron", text="Tab ##tab.ID## PI not capturable (status=#piStatus#). Cancelling.");
+                // Cancel the PI since it was never confirmed
+                httpCancel = new http();
+                httpCancel.setMethod("POST");
+                httpCancel.setUrl("https://api.stripe.com/v1/payment_intents/#tab.StripePaymentIntentID#/cancel");
+                httpCancel.setUsername(stripeSecretKey);
+                httpCancel.setPassword("");
+                httpCancel.send();
+
+                queryExecute("
+                    UPDATE Tabs SET StatusID = 5, ClosedOn = NOW(), PaymentStatus = 'cancelled',
+                        PaymentError = 'PI never confirmed (status: #piStatus#)'
+                    WHERE ID = :tabID AND StatusID = 1
+                ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+                cancelledCount++;
+                // Fall through to member/order cleanup below
+            } else {
+                // PI is in requires_capture - proceed with capture or cancel
+
                 // Check if there are any approved orders
                 qOrders = queryExecute("
                     SELECT COALESCE(SUM(SubtotalCents), 0) AS TotalSubtotal,
@@ -52,8 +111,8 @@ try {
                     WHERE TabID = :tabID AND ApprovalStatus = 'approved'
                 ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
 
-            if (qOrders.OrderCount == 0) {
+                if (qOrders.OrderCount == 0 || val(qOrders.TotalSubtotal) == 0) {
-                // No orders - cancel the tab and release hold
+                    // No orders - cancel the PI and release hold
                     httpCancel = new http();
                     httpCancel.setMethod("POST");
                     httpCancel.setUrl("https://api.stripe.com/v1/payment_intents/#tab.StripePaymentIntentID#/cancel");
@@ -65,8 +124,9 @@ try {
                     if (structKeyExists(cancelData, "status") && cancelData.status == "canceled") {
                         queryExecute("
                             UPDATE Tabs SET StatusID = 5, ClosedOn = NOW(), PaymentStatus = 'cancelled'
-                        WHERE ID = :tabID
+                            WHERE ID = :tabID AND StatusID = 1
                         ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+                        cancelledCount++;
                         writeLog(file="tab_cron", text="Tab ##tab.ID## cancelled (no orders, hold released).");
                     } else {
                         errMsg = structKeyExists(cancelData, "error") && structKeyExists(cancelData.error, "message") ? cancelData.error.message : "Cancel failed";
@@ -90,14 +150,27 @@ try {
                     cardFeeCents = round((totalBeforeCard + 30) / (1 - 0.029)) - totalBeforeCard;
                     captureCents = totalBeforeCard + cardFeeCents;
 
+                    // Stripe Connect: application_fee_amount = 2x payfritFee
+                    applicationFeeCents = platformFee * 2;
+
                     // Cap at authorized amount
                     if (captureCents > tab.AuthAmountCents) {
                         captureCents = tab.AuthAmountCents;
+                        if ((totalBeforeCard + cardFeeCents) > 0) {
+                            applicationFeeCents = round(applicationFeeCents * (captureCents / (totalBeforeCard + cardFeeCents)));
+                        }
                     }
 
-                // Mark as closing
+                    // Mark as closing (prevents race with user close)
-                queryExecute("UPDATE Tabs SET StatusID = 2 WHERE ID = :tabID",
+                    qClosing = queryExecute("
-                    { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+                        UPDATE Tabs SET StatusID = 2 WHERE ID = :tabID AND StatusID = 1
+                    ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
+
+                    // Check if we actually updated (another process might have closed it)
+                    if (val(qClosing.recordCount ?: 0) == 0) {
+                        writeLog(file="tab_cron", text="Tab ##tab.ID## already being closed by another process. Skipping.");
+                        continue;
+                    }
 
                     httpCapture = new http();
                     httpCapture.setMethod("POST");
@@ -105,11 +178,17 @@ try {
                     httpCapture.setUsername(stripeSecretKey);
                     httpCapture.setPassword("");
                     httpCapture.addParam(type="formfield", name="amount_to_capture", value=captureCents);
+                    // Add application_fee_amount for Stripe Connect
+                    if (len(trim(tab.StripeAccountID)) && val(tab.StripeOnboardingComplete) == 1) {
+                        httpCapture.addParam(type="formfield", name="application_fee_amount", value=applicationFeeCents);
+                    }
                     httpCapture.addParam(type="formfield", name="metadata[type]", value="tab_auto_close");
                     httpCapture.addParam(type="formfield", name="metadata[tab_id]", value=tab.ID);
                     captureResult = httpCapture.send().getPrefix();
                     captureData = deserializeJSON(captureResult.fileContent);
 
+                    writeLog(file="tab_cron", text="Tab ##tab.ID## capture response: status=#structKeyExists(captureData, 'status') ? captureData.status : 'N/A'# http=#captureResult.statusCode#");
+
                     if (structKeyExists(captureData, "status") && captureData.status == "succeeded") {
                         queryExecute("
                             UPDATE Tabs
@@ -128,9 +207,9 @@ try {
                         ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
 
                         capturedCount++;
-                    writeLog(file="tab_cron", text="Tab ##tab.ID## auto-closed. Captured #captureCents# cents.");
+                        writeLog(file="tab_cron", text="Tab ##tab.ID## auto-closed. Captured #captureCents# cents (fee=#applicationFeeCents#).");
                     } else {
-                    errMsg = structKeyExists(captureData, "error") && structKeyExists(captureData.error, "message") ? captureData.error.message : "Capture failed";
+                        errMsg = structKeyExists(captureData, "error") && structKeyExists(captureData.error, "message") ? captureData.error.message : "Capture failed (http #captureResult.statusCode#)";
                         queryExecute("
                             UPDATE Tabs SET StatusID = 1, PaymentStatus = 'capture_failed', PaymentError = :err
                             WHERE ID = :tabID
@@ -142,8 +221,9 @@ try {
                         continue;
                     }
                 }
+            }
 
-            // Release all members
+            // Release all members (runs for all successful close/cancel/expire paths)
             queryExecute("
                 UPDATE TabMembers SET StatusID = 3, LeftOn = NOW()
                 WHERE TabID = :tabID AND StatusID = 1
@@ -156,7 +236,6 @@ try {
             ", { tabID: { value: tab.ID, cfsqltype: "cf_sql_integer" } }, { datasource: "payfrit" });
 
             expiredCount++;
-            writeLog(file="tab_cron", text="Tab ##tab.ID## expired (idle). Orders=#qOrders.OrderCount#");
         } catch (any tabErr) {
             writeLog(file="tab_cron", text="Error expiring tab ##tab.ID##: #tabErr.message#");
         }
@@ -174,6 +253,7 @@ try {
         "MESSAGE": "Tab cron complete",
         "EXPIRED_TABS": expiredCount,
         "CAPTURED_TABS": capturedCount,
+        "CANCELLED_TABS": cancelledCount,
         "PRESENCE_CLEANED": presenceCleaned
     });