tenseleyflow/shithub / 925e659

+- **Personal Pro tier feature gates (PRO07).** Pro v1 lights up four

+  user-tier paygates ratified in PRO01: required reviewers on private

+  personal repos, multi-reviewer thresholds, advanced branch

+  protection (prevent force-push / deletion / require signed commits),

+  and profile pins above the Free cap of 6 (Pro raises this to 100).

+  Each gate is enforced via a per-feature operator flag in

+  `billing.enforce.*` so launches are reversible without a code

+  rollback. PRO07 ships dark (all flags default false) and operators

+  flip each feature on after the 7-day report-only telemetry soak.

+  Pro user accounts retain existing required-reviewer rules and pin

+  configuration through cancellation; the gate refuses to create new

+  gated state on Free but never deletes prior data. Added the

+  `FeatureProfilePinsBeyondFree` (user-only) and

+  `FeatureCodeOwnersReview` (placeholder; no-op enforce until the

+  CODEOWNERS parser ships) entitlement constants, plus the

+  `LimitProfilePinsFreeCap` / `LimitProfilePinsProCap` limit

+  constants. Migration `0076_profile_pins_pro_cap` raises the

+  `profile_pins.position` check constraint from `1..6` to `1..100`.

+## Pro v1 user-tier matrix (PRO07)

+

+Pro is the user-tier paid plan (single seat, $4/month). PRO01 ratified

+the v1 feature set; PRO07 wires the enforcement matrix. CODEOWNERS is a

+registered placeholder with a no-op enforce path until the parser ships.

+

+| Capability | Free | Pro |

+| --- | --- | --- |

+| Public/private personal repos | Included | Included |

+| Required reviewers on private personal repos | Upgrade | Included |

+| Multi-reviewer (>1 approvals) on private personal repos | Upgrade | Included |

+| Advanced branch protection on private personal repos | Upgrade | Included |

+| CODEOWNERS review | Deferred | Deferred |

+| Profile pins | 6 | 100 |

+

+Multi-reviewer is **not** a separate feature constant — the numeric

+threshold lives in the deny payload of `FeatureRequiredReviewers`.

+

+### Per-feature enforcement flags

+

+PRO05 plumbed user-kind report-only logging through every gating site.

+PRO07 lights up the gates one feature at a time via

+`billing.enforce.*` in the operator's config. Defaults are all false

+(report-only). Each flag is a one-way deploy that operators can roll

+back without code changes.

+

+| Config key | Gate site | Default |

+| --- | --- | --- |

+| `billing.enforce.user_required_reviewers` | `internal/web/handlers/repo/settings_branches.go` | false |

+| `billing.enforce.user_advanced_branch_protection` | `internal/web/handlers/repo/settings_branches.go` | false |

+| `billing.enforce.user_profile_pins_beyond_free` | `internal/web/handlers/profile/pins.go` | false |

+

+Rollout discipline:

+

+1. Deploy with all flags false. Run the report-only telemetry query

+   for 7 days. Confirm zero unexpected user-kind would-denies.

+2. Flip one feature flag in staging. Soak 7 days.

+3. Flip the same feature flag in production.

+4. Repeat per feature.

+

+PRO07's pitfall doc explicitly forbids enforcing a feature without an

+unenforce path. New gating sites land with their own flag; do not

+share flags across features.

+

+### Downgrade preservation

+

+`users.plan = 'free'` after cancellation grandfather's existing gated

+state — required-reviewer rules, profile pins above 6, advanced flags

+on existing rules. The gate refuses to **create** new gated state on

+Free, but never deletes prior configuration. This is the same

+contract as the org-tier downgrade.

+

+  - [Pro for personal accounts](./user/billing.md)

+# Pro for personal accounts

+

+Pro is shithub's single-seat paid plan for personal accounts. It

+unlocks a small set of features beyond what Free offers, charged at

+$4 / month and managed entirely through the Stripe Billing Portal.

+

+Upgrade, downgrade, and invoice management live at

+[`/settings/billing`](../user/account.md).

+

+## What Pro unlocks

+

+| Feature | Free | Pro |

+|---|---|---|

+| Public and private repositories | Included | Included |

+| Required reviewers on private personal repos | Upgrade | Included |

+| Multi-reviewer (>1 approvals) on private personal repos | Upgrade | Included |

+| Advanced branch protection on private personal repos | Upgrade | Included |

+| Pinned repositories on your profile | Up to 6 | Up to 100 |

+

+"Advanced branch protection" covers preventing force-pushes,

+preventing deletion, and requiring signed commits on private personal

+repos. Basic protection (an empty rule, or one with none of those

+flags) stays on Free.

+

+## What stays on Free

+

+- Public and private repositories — no count limits.

+- Org features (Team plan) — Pro applies to your *personal* account.

+  Organizations have a separate Team tier with its own feature set.

+- Issues, pull requests, Actions minutes, Storage — none of these are

+  gated by Pro today. Pro v1 is intentionally small.

+

+## Downgrading

+

+Cancellation flows through the Stripe Billing Portal. shithub honors

+the scheduled cancellation: at the end of the paid period your

+account returns to Free.

+

+- Existing required-reviewer rules and advanced branch protection

+  flags stay in the database. The gate refuses to **create** new

+  gated state on Free, but never deletes prior configuration.

+- Profile pins above 6 stay in place — you keep what you pinned as

+  Pro; the cap re-applies when you next edit your pins.

+

+## Payment failures

+

+A past-due subscription enters a grace period (operator-configured;

+the default is 14 days). Pro features stay available during grace.

+After grace lapses, Pro-only features become read-only until billing

+is brought back into good standing.

+

+## Operator note

+

+Each Pro feature gate has an independent operator-controlled enforce

+flag in `billing.enforce.*`. Until an operator flips a feature on,

+its gate runs in report-only mode — Free users continue to use the

+feature, the would-deny is logged for the soak. This page describes

+the **eventual** Pro behavior; deployment-specific timing depends on

+your operator's per-feature rollout schedule.