feat(pro): disabled-by-default Pro monetization layer (open-core)#562
Open
devswha wants to merge 1 commit into
Conversation
Add the hosted Pro tier infrastructure behind PATINA_PRO_ENABLED (disabled by default; no regression to free/BYOK, the rate limiter, or the deterministic src/features/* layer). Open-core boundary: the public repo ships only the contract plus a deterministic stub engine; the private enhanced ko engine and payment checkout stay out of this change.

- contract: pro tier + isProEnabled gate, license/session/signature redaction, oversized-token bound (src/web-rewrite-contract.js)
- shared KV store contract: memory + REST get/set/incr/expire, string-only values, secrets never in URLs (api/rewrite.js)
- entitlement state machine: idempotency, out-of-order/stale reject, terminal-resurrection prevention, fail-closed expiry (src/pro-entitlements.js)
- opaque Pro session token exchange: license key presented once, sliding + absolute TTL, raw key/token never stored (src/pro-session.js, api/pro-session.js)
- Lemon Squeezy webhook mirror: timing-safe signature, idempotency, refund/cancel subscription scoping (src/lemon-webhook.js, api/lemon-webhook.js)
- EnhancedRewriteEngine contract + public deterministic stub (src/enhanced-rewrite-engine-contract.js)
- Pro metering + Pro rewrite path: session -> entitlement -> metering -> engine, explicit 401/402/429/503, never falls back to free/BYOK (src/pro-metering.js, api/rewrite.js)
- client license->token exchange + single-source ko legal copy (playground/rewrite-client.js, src/pro-legal-copy.js)
- leak gate: case-insensitive globs, **/server/** any depth, monetization fixtures (scripts/check-no-private-assets.mjs)
- docs: PRO.md (open-core boundary + Vercel deploy runbook), RELEASE-CHECKLIST.md (payment-open order-inversion gates); NOTICE trademark

Tests: monetization unit + red-team suites added; full suite green, leak gate clean, lint clean. Payment-open requires the private engine quality gate (see docs/RELEASE-CHECKLIST.md), which is out of scope here.
What

Adds the disabled-by-default hosted Pro monetization layer (open-core) on top of the existing free/BYOK web surface. Pro is gated behind PATINA_PRO_ENABLED (off by default), so this is a no-op for the live free playground until the gate and secrets are explicitly set.

Scope (G001–G008)

- Contract (src/web-rewrite-contract.js): pro tier + isProEnabled gate, license/session/signature redaction, oversized-token bound.
- KV store contract (api/rewrite.js): shared memory + REST get/set/incr/expire, string-only values, secrets never in URLs.
- Entitlement state machine (src/pro-entitlements.js): idempotency, out-of-order/stale reject, terminal-resurrection prevention, fail-closed expiry.
- Opaque Pro session token exchange (src/pro-session.js, api/pro-session.js): license key presented once, sliding + absolute TTL, raw key/token never stored.
- Lemon Squeezy webhook mirror (src/lemon-webhook.js, api/lemon-webhook.js): timing-safe signature, idempotency, refund/cancel subscription scoping.
- EnhancedRewriteEngine contract + public deterministic stub (src/enhanced-rewrite-engine-contract.js).
- Pro metering + Pro rewrite path (src/pro-metering.js, api/rewrite.js): session -> entitlement -> metering -> engine, explicit 401/402/429/503, never falls back to free/BYOK.
- Client license->token exchange + single-source ko legal copy (playground/rewrite-client.js, src/pro-legal-copy.js).
- Leak gate (scripts/check-no-private-assets.mjs): case-insensitive globs, **/server/** any depth, monetization fixtures.
- Docs: docs/PRO.md (open-core boundary + Vercel deploy runbook), docs/RELEASE-CHECKLIST.md (payment-open order-inversion gates); NOTICE trademark.

Verification

- npm test: 1178 pass / 0 fail / 1 skip
- npm run check:no-private-assets: 0 forbidden (360 packed + 951 tracked)
- npm run lint: clean (syntax/eslint/typecheck/spellcheck)

Out of scope (do NOT enable on prod from this PR)

- Enabling Pro in production (PATINA_PRO_ENABLED=true + secrets) — premature: the engine is a deterministic stub (no quality gain) and checkout stays hidden.
- Payment-open: see docs/RELEASE-CHECKLIST.md (gate 12 + KIPO trademark).

Merging this only ships dormant, gated code. Free/BYOK behavior is unchanged.