Security and Constraints
Non-negotiable behavior rules for correctness, safety, and release scope control.
Hard constraints
- Money is always an integer number of cents (never floating-point currency values).
- Group create flow is transactional: it either fully completes or fully rolls back.
- Webhook signature verification runs over the raw request body, not a parsed or re-serialized copy.
- Webhook handling must be idempotent: a redelivered event must not be applied twice.
- Membership uniqueness is enforced by a database constraint, not only by application logic.
- Join code format is 6 characters, uppercase alphanumeric.
Stripe safety requirements
- Reject webhook requests that are unsigned or whose signature does not verify.
- Use environment-isolated API keys and webhook signing secrets (test and live never share credentials).
- Store Stripe identifiers (event, session, payment IDs) for replay protection and reconciliation.
Auth and authorization requirements
- Treat session authentication (who the caller is) and group authorization (what they may do in this group) as separate checks.
- Require a verified member context before exposing group details.
- Restrict subscription assignment and billing actions to the group roles allowed to perform them.
Current release boundaries
The current release intentionally excludes:
- Recurring billing orchestration
- Distributed workers or queue infrastructure
- Redis-backed state coordination
- Stripe Connect multi-party payout model
- Complex rate limiting middleware
Monitoring and auditability
At minimum, log:
- Checkout creation attempts and outcomes
- Webhook signature failures
- Idempotency skips for duplicate events
- Payment status transitions with relevant IDs