fix(kiloclaw): invalidate destruction deadlines on renewal

[jeanduplessis]

Summary

Prevent successful KiloClaw credit renewals from retaining stale instance-destruction schedules.

Why this change is needed

A suspended credit-funded subscription could renew to active while keeping its old destruction deadline when async instance startup was accepted but readiness never completed. This left misleading warning state and allowed a stale destruction candidate to race with renewal.

How this is addressed

• Clear any previous destruction deadline inside every successful active credit-renewal transaction, including duplicate/idempotent reconciliation.
• Retain suspension and auto-resume retry state until actual readiness so interrupted startup continues retrying.
• Revalidate personal warning and destruction candidates against current database state before sending warnings or requesting platform destruction.
• Preserve suspension-cycle email deduplication until readiness completes, then reset it for future suspension lifecycles.
• Document the renewal invariant and final destruction revalidation requirements.

Human Verification

• Billing lifecycle regression suite passed: 165 tests.
• Instance lifecycle readiness suite passed: 11 tests.
• Independent security, logic, type, data, resource, style, and React review passes found no issues.

Reviewer Notes

Human Reviewer Flags

• Renewal now invalidates the destruction deadline without clearing suspended_at; readiness remains the completion signal for suspension and email-dedupe reset.
• Final database revalidation closes the stale in-memory candidate race, but a small gap remains between revalidation and the external destroy request.
• KiloClaw billing and lifecycle specifications are updated with the new invariants.

Code Reviewer Agent

Code Reviewer Notes

• Normal renewal and duplicate reconciliation share post-advance suspended-recovery behavior.
• Change-log snapshots include the cleared destruction deadline.
• Personal destruction revalidation checks current subscription identity, status, suspension, elapsed deadline, instance identity, personal ownership, and live-instance state.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The PR correctly closes a stale-destruction-deadline race condition by clearing destruction_deadline atomically in the renewal transaction and adding per-row DB revalidation before both personal destruction warnings and instance destruction — no logic bugs, security issues, or memory leaks found.

Files Reviewed (5 files)

• .specs/kiloclaw-billing-lifecycle.md — spec updates for renewal invariant and pre-destroy revalidation requirement
• .specs/kiloclaw-billing.md — spec updates for duplicate-boundary reconciliation side effects and suspension timestamp/auto-resume retention semantics
• services/kiloclaw-billing/src/lifecycle.ts — core implementation: buildCreditRenewalAdvanceUpdateSet clears deadline, handleCreditRenewalRecoveryAfterAdvance extracted for reuse, loadCurrentPersonalDestructionRow and loadCurrentPersonalDestructionWarningRow revalidation functions added, personal branch integrated in runInstanceDestructionSweep and runDestructionWarningSweep
• services/kiloclaw-billing/src/lifecycle.test.ts — comprehensive new test cases covering the renewed-duplicate suspended recovery, personal revalidation skip paths, and updated fixtures using personalDestructionCandidateRow
• apps/web/src/lib/kiloclaw/instance-lifecycle.test.ts — updated async-resume test to verify email log scope and correct before_state/after_state shape after readiness

Fix issues in Kilo Cloud

---

_{Reviewed by claude-sonnet-4.6 · 1,430,006 tokens}

_{Review guidance: REVIEW.md from base branch main}