tenseleyflow/shithub / b39d4ca

+### Fixed

+

+- **PRO08 Pro tier GA audit remediation.** Thirteen audit findings

+  across the Stripe webhook layer, subscription state machine, and

+  Pro v1 feature gates: webhook receipts now record (subject_kind,

+  subject_id) for operator queries; the cross-kind price guard

+  refuses subscription events with empty `Items.Data`; concurrent

+  webhook replays serialize via a session-scoped advisory lock; the

+  snapshot CTE preserves grace-lock columns under `past_due`

+  transitions instead of wiping them; subscription-overwrite guard

+  refuses to repoint a principal's bound subscription id at a

+  different one; reverse-ordered (stale) Stripe events are dropped

+  via a new `last_event_at` column; `customer.subscription.deleted`

+  for unknown subjects is now a 200 no-op so Stripe stops retrying.

+  Charge refunds flip invoices to `status='refunded'` with UI

+  surfacing on both user and org billing pages (new

+  `billing_invoice_status='refunded'` enum value + `refunded_at`

+  column). Advanced branch protection gate rewired to fire on the

+  PRO01-ratified inputs (`prevent_force_push`, `prevent_deletion`,

+  `require_signed_commits`) rather than only on required status

+  checks — `require_signed_commits` is now exposed in the rule

+  form (visible toggle; underlying enforcement ships with commit

+  signing). Multi-reviewer denies carry a distinct upgrade copy

+  (`required-reviewers-multi-upgrade(-pro)`) and user-tier denies

+  point at `/settings/billing` instead of the org settings page.

+  `profilePinsRemaining` now respects the entitled cap for Pro users.

+  Migrations 0077 (`last_event_at`) and 0078 (`refunded` enum +

+  `refunded_at` column) ship with the fix. Audit closure in

+  `docs/internal/billing.md`; runbook updates in

+  `docs/internal/runbooks/stripe-billing.md`.

+