
feat(pro): disabled-by-default Pro monetization layer (open-core) #562

Open
devswha wants to merge 1 commit into main from feat/monetization-pro

Conversation

devswha (Owner) commented Jun 30, 2026

What

Adds the disabled-by-default hosted Pro monetization layer (open-core) on top
of the existing free/BYOK web surface. Pro is gated behind PATINA_PRO_ENABLED
(off by default), so this is a no-op for the live free playground until the gate
and secrets are explicitly set.

Scope (G001–G008)

  • Contract (src/web-rewrite-contract.js): pro tier + isProEnabled gate, license/session/signature redaction, oversized-token bound.
  • KV store contract (api/rewrite.js): shared memory + REST get/set/incr/expire, string-only values, secrets never in URLs.
  • Entitlement state machine (src/pro-entitlements.js): idempotency, out-of-order/stale reject, terminal-resurrection prevention, fail-closed expiry.
  • Opaque Pro session token (src/pro-session.js, api/pro-session.js): license key presented once, sliding + absolute TTL, raw key/token never stored.
  • Lemon Squeezy webhook mirror (src/lemon-webhook.js, api/lemon-webhook.js): timing-safe signature, idempotency, refund/cancel subscription scoping.
  • EnhancedRewriteEngine contract + public stub (src/enhanced-rewrite-engine-contract.js).
  • Pro metering + Pro rewrite path: session -> entitlement -> metering -> engine, explicit 401/402/429/503, never falls back to free/BYOK.
  • Client + ko legal copy (playground/rewrite-client.js, src/pro-legal-copy.js).
  • Leak gate (scripts/check-no-private-assets.mjs): case-insensitive globs, **/server/** any depth, monetization fixtures.
  • Docs: docs/PRO.md (open-core boundary + Vercel deploy runbook), docs/RELEASE-CHECKLIST.md (payment-open order-inversion gates); NOTICE trademark.

Verification

  • npm test: 1178 pass / 0 fail / 1 skip
  • npm run check:no-private-assets: 0 forbidden (360 packed + 951 tracked)
  • npm run lint: clean (syntax/eslint/typecheck/spellcheck)

Out of scope (do NOT enable on prod from this PR)

  • Activating Pro on production (PATINA_PRO_ENABLED=true + secrets) — premature: the engine is a deterministic stub (no quality gain) and checkout stays hidden.
  • The private enhanced ko engine (CROSS-TRACK) and public checkout — gated by docs/RELEASE-CHECKLIST.md (gate 12 + KIPO trademark).

Merging this only ships dormant, gated code. Free/BYOK behavior is unchanged.

Add the hosted Pro tier infrastructure behind PATINA_PRO_ENABLED
(disabled by default; no regression to free/BYOK, the rate limiter, or
the deterministic src/features/* layer). Open-core boundary: the public
repo ships only the contract plus a deterministic stub engine; the
private enhanced ko engine and payment checkout stay out of this change.

- contract: pro tier + isProEnabled gate, license/session/signature
  redaction, oversized-token bound (src/web-rewrite-contract.js)
- shared KV store contract: memory + REST get/set/incr/expire,
  string-only values, secrets never in URLs (api/rewrite.js)
- entitlement state machine: idempotency, out-of-order/stale reject,
  terminal-resurrection prevention, fail-closed expiry (src/pro-entitlements.js)
- opaque Pro session token exchange: license key presented once,
  sliding + absolute TTL, raw key/token never stored (src/pro-session.js, api/pro-session.js)
- Lemon Squeezy webhook mirror: timing-safe signature, idempotency,
  refund/cancel subscription scoping (src/lemon-webhook.js, api/lemon-webhook.js)
- EnhancedRewriteEngine contract + public deterministic stub
  (src/enhanced-rewrite-engine-contract.js)
- Pro metering + Pro rewrite path: session -> entitlement -> metering ->
  engine, explicit 401/402/429/503, never falls back to free/BYOK
  (src/pro-metering.js, api/rewrite.js)
- client license->token exchange + single-source ko legal copy
  (playground/rewrite-client.js, src/pro-legal-copy.js)
- leak gate: case-insensitive globs, **/server/** any depth, monetization
  fixtures (scripts/check-no-private-assets.mjs)
- docs: PRO.md (open-core boundary + Vercel deploy runbook),
  RELEASE-CHECKLIST.md (payment-open order-inversion gates); NOTICE trademark

Tests: monetization unit + red-team suites added; full suite green, leak
gate clean, lint clean. Payment-open requires the private engine quality
gate (see docs/RELEASE-CHECKLIST.md), which is out of scope here.
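The four properties the scope list attributes to the entitlement state machine (idempotency, out-of-order/stale reject, terminal-resurrection prevention, fail-closed expiry) as an added example; this is not the project's src/pro-entitlements.js, and the event shape (eventId, licenseId, seq, state, expiresAt) and state names are assumptions:

```javascript
// Added example, not the project's code. Event fields and state names are assumed.
const ACTIVE_STATES = new Set(['active']);
const TERMINAL_STATES = new Set(['refunded', 'cancelled']); // never resurrected

function createEntitlementStore(now = () => Date.now()) {
  const byLicense = new Map();  // licenseId -> { state, seq, expiresAt }
  const seenEvents = new Set(); // event ids already processed (idempotency)

  // Apply one webhook-derived event; returns a verdict instead of throwing so
  // the caller can log and ack the webhook without retry storms.
  function apply(event) {
    const { eventId, licenseId, seq, state, expiresAt } = event;
    if (seenEvents.has(eventId)) return 'duplicate'; // replayed delivery is a no-op
    seenEvents.add(eventId);
    const current = byLicense.get(licenseId);
    if (current && seq <= current.seq) return 'stale'; // out-of-order: keep newer state
    if (current && TERMINAL_STATES.has(current.state) && ACTIVE_STATES.has(state)) {
      return 'terminal'; // refunded/cancelled can never become active again
    }
    byLicense.set(licenseId, { state, seq, expiresAt: expiresAt ?? null });
    return 'applied';
  }

  // Fail closed: unknown license, non-active state, or a missing/invalid expiry
  // all deny access; only a finite expiry in the future grants it.
  function isEntitled(licenseId) {
    const e = byLicense.get(licenseId);
    if (!e || !ACTIVE_STATES.has(e.state)) return false;
    if (typeof e.expiresAt !== 'number' || !Number.isFinite(e.expiresAt)) return false;
    return e.expiresAt > now();
  }

  return { apply, isEntitled };
}

// Constructed walk-through with a fake clock (values are made up).
const clock = { t: 1000 };
const demo = createEntitlementStore(() => clock.t);
demo.apply({ eventId: 'e1', licenseId: 'L', seq: 1, state: 'active', expiresAt: 5000 });
demo.apply({ eventId: 'e2', licenseId: 'L', seq: 2, state: 'refunded' });
console.log(demo.apply({ eventId: 'e3', licenseId: 'L', seq: 3, state: 'active', expiresAt: 9000 }));
console.log(demo.isEntitled('L'));
```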

vercel Bot (Contributor) commented Jun 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: patina | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 30, 2026 5:25am
