fix: close cross-tenant billing/tenant security holes + string-enum API contract

[iammukeshm]

Deep audit of the billing / subscription / tenant-management system across the backend and both React apps, plus the fixes. Every backend bug has a failing-first test.

Security (P0 — cross-tenant)

BillingDbContext extends a raw, non-tenant-filtered DbContext (for operator cross-tenant visibility), so every handler must scope explicitly. Several didn't:

Handler / area	Before	After
Invoice read / PDF / list by id	any tenant could read others'	root-gated (operator cross-tenant; tenants pinned to self)
Invoice mutations (issue/pay/void)	any tenant admin could mutate others'	404 cross-tenant
AssignSubscription / CaptureUsageSnapshots	could target any tenant via body tenantId	pinned to caller
GetUsageSnapshots	read every tenant's usage	scoped to caller
GenerateInvoices	any admin triggered platform-wide billing	root-only (403)
RoleService.FilterRootPermissions	privilege escalation — stripped a "Permissions.Root." prefix that matched no real root permission, so a non-root admin could grant their role root permissions	filtered by the IsRoot permission catalog

All gated on MultitenancyConstants.Root.Id. Existing isolation tests missed this because they always authenticate with a matching tenant header — they never tested tenant-A's token acting on tenant-B's data.

Verified non-issue: the tenant-header-vs-JWT-claim concern is not exploitable — Finbuckle's ClaimStrategy is registered first and binds the resolved tenant to the JWT claim for non-root callers (proven by the existing TenantAdmin_HeaderOverride_Should_BeIgnored). No "fix" added.

Correctness

• Usage/overage invoice was silently skipped when a subscription invoice shared the month (GenerateInvoiceForPeriodAsync idempotency lacked Purpose==Usage) — lost revenue.
• Same-plan renewal advanced ValidUpto but not Subscription.EndUtc — fixed via Subscription.Extend (the dashboard term drift).
• IdentityDbInitializer ignored the admin CreateAsync result — a silent failure marked a tenant "provisioned" with no usable admin login.
• Invoice.Void is now idempotent; invoice pageSize clamped ≤100; AdjustTenantValidity blocks the root tenant.

API contract

• Enums now serialize as string names globally (JsonStringEnumConverter via ConfigureHttpJsonOptions). [Flags] AuditTag/BodyCapture stay numeric via a NumericEnumConverter. Both frontends mirror the contract as string unions (AuditTag stays numeric/bitwise).

Frontend

• Admin: permission-gate every plan/invoice/tenant action affordance (previously shown to View-only users and 403-ing); fix invoice-detail stuck "Loading…" on error.
• Dashboard: "Valid for"/validity reads grace/expired from tenant status; persistent Expired banner; overview no longer masks API errors as a no-plan first-run; real invoice pagination; removed dead Suspended/Cancelled rendering; subscription term tracks start→end (not the calendar month).

Tests

• Integration: 699 passed, 0 failed, 2 skipped (pre-existing).
• Unit: Architecture 49 · Billing 91 · Multitenancy 87 · Identity 310.
• Playwright: admin specs green · dashboard 136 green.
• New: BillingTenantIsolationTests (5 cross-tenant mutation/usage/generate cases + usage-skip), RolePrivilegeEscalationTests, RenewTenant_Should_Advance_SubscriptionEndUtc, AdjustValidity_Should_Return400_When_TargetIsRootTenant, Void_Should_Be_Idempotent.

Deferred (documented — features/edge cases, not bugs)

ConnectionString in the tenant-list DTO (operator-only; contract change), WebSocket teardown on expiry (protected realtime infra, edge case), manual-issue notification (tenant-context nuance). Out of scope: payment gateway, proration, dunning, refunds, tenant suspend/delete, self-serve upgrade.

🤖 Generated with Claude Code