@@ -180,6 +180,30 @@ PAYMENTS SP04 adds the self-serve onboarding flow: |
| 180 | tells the owner that activation waits for webhook processing; cancel | 180 | tells the owner that activation waits for webhook processing; cancel |
| 181 | keeps the organization on Free and offers a retry path. | 181 | keeps the organization on Free and offers a retry path. |
| 182 | | 182 | |
| | 183 | +PAYMENTS SP05 adds the local entitlement boundary. Product code must ask |
| | 184 | +`internal/entitlements` for feature decisions instead of inspecting |
| | 185 | +`orgs.plan` directly. The package derives access from |
| | 186 | +`org_billing_states`, understands billing-good-standing states, and |
| | 187 | +returns upgrade metadata for user-facing handlers. |
| | 188 | + |
| | 189 | +PAYMENTS SP06 wires the first Team gates: |
| | 190 | + |
| | 191 | +- Secret teams require Team to create. Existing secret teams remain |
| | 192 | + visible to authorized viewers after downgrade; owners can remove |
| | 193 | + members and repository grants, but adding members or granting more |
| | 194 | + repository access is blocked until Team billing is active again. |
| | 195 | +- Required reviewers and advanced status-check branch protection are |
| | 196 | + Team-only for private organization repositories. Public organization |
| | 197 | + repositories keep those safety controls available on Free. |
| | 198 | +- Downgraded private organization repositories may delete protection |
| | 199 | + rules or submit a rule update that clears the gated review/check |
| | 200 | + settings. |
| | 201 | +- Org-level Actions secrets and variables require Team for create or |
| | 202 | + update in both HTML settings and REST API routes. Delete stays |
| | 203 | + available so owners can clean up gated configuration after downgrade. |
| | 204 | +- Org-level Actions secrets and variables API routes require |
| | 205 | + organization owner or site-admin access before entitlement checks. |
| | 206 | + |
| 183 | ## Entitlement architecture | 207 | ## Entitlement architecture |
| 184 | | 208 | |
| 185 | Paid feature checks must live behind a central entitlement package, not | 209 | Paid feature checks must live behind a central entitlement package, not |
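Review bot: the branch-protection bullet (lines 198-200) says a downgraded private repository "may delete protection rules or submit a rule update that clears the gated review/check settings", but it does not say what happens to an update that leaves any gated setting enabled (for example, clearing required reviewers while keeping an advanced status check). Please state whether such a request is rejected outright or has the gated fields silently stripped; silent stripping would let an owner believe a protection is in place when it is not. The ordering stated for the Actions secrets routes (lines 204-205, owner or site-admin access checked before entitlement checks) is the right one, since it keeps entitlement responses from being observable by callers without organization rights; it would help to say whether the HTML settings paths (line 202) follow the same order.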
@@ -242,10 +266,6 @@ organization upgrades again. |
| 242 | - Whether Free should limit private org collaborators before usage | 266 | - Whether Free should limit private org collaborators before usage |
| 243 | metering exists, or whether the first paid gates are advanced controls | 267 | metering exists, or whether the first paid gates are advanced controls |
| 244 | only. | 268 | only. |
| 245 | -- Whether required reviewers are gated only for private org repos. The | | |
| 246 | - current lean is private-org-only. | | |
| 247 | -- Whether org-level Actions secrets and variables should be Team-only | | |
| 248 | - even for public repositories. The current lean is yes for org scope. | | |
| 249 | - Exact Free and Team quota numbers for Actions and storage. These must | 269 | - Exact Free and Team quota numbers for Actions and storage. These must |
| 250 | come from real host-cost estimates before SP08. | 270 | come from real host-cost estimates before SP08. |
| 251 | | 271 | |
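Review bot: the two open questions removed here (lines 245-248) are answered by the new SP06 text, but the decisions themselves are dropped from the document: "private-org-only" for required reviewers and "yes for org scope" for Actions secrets and variables survive only implicitly in the SP06 bullets. Consider keeping a short resolved-decision line for each (what was decided and under which SP) so the rationale is still traceable when the remaining open items, such as the quota numbers on lines 269-270, are revisited.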