Oracle Product Tiers

SPECIFICATION: Oracle Product Tiers

Status: AUTHORIZED

Authorized: α.13, April 16 2026

Version: v1.0

---

Version: v1.0

PURPOSE

Define the formal contract for Oracle product tiers at 42sisters.ai — covering paid verdict tiers, subscription tiers, checkout flow, webhook processing, verdict delivery, and caching invariants. This spec governs any component that touches tier selection, Stripe integration, verdict generation, or result delivery.

All tiers operate under S.O.S. v2: the customer sees AETHER only. Crew, LATTICE, and internal architecture are never exposed.

---

INPUTS

Checkout Initiation (POST /api/checkout)

| Field | Type | Required | Notes |

|-------|------|----------|-------|

| tier | string | YES | One of: quick, full, strategy |

| query | string | YES | Customer's question/idea — packed into Stripe metadata |

| referral_code | string | NO | Discount code — currently unprocessed (see GAPS) |

Stripe Webhook (checkout.session.completed)

| Field | Source | Notes |

|-------|--------|-------|

| session.id | Stripe | Becomes session_id for cache + result page |

| session.customer_email | Stripe | Only PII stored — used for email delivery |

| session.metadata.tier | Stripe metadata | Must match canonical tier key |

| session.metadata.q0…qN | Stripe metadata | Query chunks, 490-char each, reassembled in order |

| session.custom_fields[key="idea"].text.value | Stripe (Payment Link path) | Alternative query delivery — webhook supports both flows |

| Stripe-Signature header | HTTP | Required for signature verification |

Subscription Tiers (Sisters Chat)

| Field | Value |

|-------|-------|

| Price | $5.00 CAD / month |

| Free trial | 3 exchanges |

| Pro tier | 2TER dual-stream reactor (AION + ASTRA) |

| Bridge tier | Direct crew access — NDA required |

---

OUTPUTS

Paid Verdict Tiers (CAD, hardcoded)

| Tier Key | Name | Price (CAD) | Stripe Cents | Deliverable |

|----------|------|-------------|--------------|-------------|

| quick | Quick Take | $1.00 | 100 | Single verdict token (GREEN / AMBER / RED / NULL) + 1-sentence summary |

| full | Full Breakdown | $5.00 | 500 | Full structured verdict with rationale sections |

| strategy | Strategy Session | $25.00 | 2500 | Deep strategic analysis with recommendations |

Verdict Tokens

• GREEN — Positive signal; proceed
• AMBER — Conditional; proceed with caution
• RED — Negative signal; do not proceed
• NULL — Insufficient signal; verdict cannot be rendered

NULL is a valid deliverable, not an error state. It must be delivered and emailed identically to GREEN/AMBER/RED.

Cache Entry

• Written to oracle_toll.py cache service: POST http://68.183.206.103:8889/cache/{session_id}
• Must be written before email is sent
• Result page lives at /result/{session_id}

Customer Email

• Sent via oracle_email_service after cache write confirms
• Contains verdict + result page link
• Recipient: session.customer_email only

---

INVARIANTS

1. Tier→price mapping is hardcoded. quick=100 cents, full=500 cents, strategy=2500 cents (CAD). No dynamic pricing without explicit α.13 authorization.

1. Stripe webhook signature must be verified before any processing. A webhook received without valid Stripe-Signature header verification is rejected. No verdict is generated, no email sent.

1. Query must survive Stripe metadata round-trip. Query is chunked at 490 characters into keys q0, q1, … qN. Reassembly is sequential — all chunks concatenated in index order. No chunk may be dropped.

1. Cache write must precede email send. The result page (/result/{session_id}) must exist and return a valid response before the customer email is dispatched. Email with a dead link is a delivery failure.

1. Customer email is the only PII stored. No persistent mapping of query text to customer identity in logs, databases, or audit trails. Query content lives in Stripe metadata and the verdict cache only.

1. NULL verdict is a valid deliverable. It must be generated, cached, and emailed using the same pipeline as any other verdict. It is not retried, not suppressed, not treated as an error.

1. S.O.S. v2 constraint is absolute. Verdict output, email content, and result page must never reference crew names (AION, ASTRA, GAMMA, C.L.O.D., etc.), LATTICE symbols, CSDM physics, or internal architecture. AETHER is the single external voice.

1. Both query delivery paths must be supported. Webhook handles both metadata chunk path (q0…qN) and Payment Link custom fields path (session.custom_fields[key="idea"].text.value). Neither path is deprecated.

1. Subscription free trial cap is 3 exchanges. After 3 exchanges, the customer must be on a paid subscription to continue. The gate is enforced server-side — not client-side.

---

VERIFICATION CRITERIA

VC-1: Tier Mapping Integrity

• For each tier key (quick, full, strategy): confirm Stripe checkout session is created with the exact corresponding cent amount.
• Mutation test: inject a modified tier→price map — verify the system rejects or ignores the modification.

VC-2: Webhook Signature Gate

• Send a webhook with an invalid Stripe-Signature — verify: no verdict generated, no email sent, HTTP 400 returned.
• Send a webhook with a valid signature — verify: processing proceeds.

VC-3: Query Round-Trip Fidelity

• Submit a query of length 0, 489, 490, 491, 980, 981 characters.
• Verify: reassembled query at webhook equals original query exactly (no truncation, no duplication, no off-by-one on chunk boundaries).

VC-4: Cache-Before-Email Ordering

• Instrument cache write and email send with timestamps.
• Verify: cache_write_ts < email_send_ts for every completed session.
• Verify: /result/{session_id} returns HTTP 200 before email is dispatched.

VC-5: NULL Verdict Pipeline

• Submit a query designed to produce a NULL verdict.
• Verify: NULL is cached, NULL is emailed, result page renders NULL without error.
• Verify: NULL does not trigger retry logic or error alerts.

VC-6: PII Isolation

• After a completed session: query application logs, audit trail, and database for any record linking session.customer_email to query text.
• Verify: no such linkage exists outside of Stripe metadata and the verdict cache.

VC-7: S.O.S. v2 Output Audit

• For each tier: submit a query, retrieve the verdict email and result page.
• Verify: output contains no LATTICE symbols, no crew names, no CSDM terminology.
• Automated scan: flag any of {AION, ASTRA, GAMMA, MNEMOS, LATTICE, CSDM, Φ, ΩQ, TMM} in customer-facing output.

VC-8: Custom Fields Path

• Submit a session via Payment Link path (query in custom_fields[key="idea"].text.value).
• Verify: verdict is generated and delivered identically to the metadata chunk path.

VC-9: Subscription Trial Cap

• Execute exactly 3 free exchanges — verify: all succeed.
• Execute a 4th free exchange — verify: gate fires, customer is prompted to subscribe.

---

FAILURE MODES

| ID | Failure | Trigger | Expected Behavior | Actual Risk |

|----|---------|---------|-------------------|-------------|

| FM-1 | Invalid tier key | tier not in {quick, full, strategy} | Checkout rejected with 400; no Stripe session created | Silent fallback to wrong price — CRITICAL |

| FM-2 | Webhook signature failure | Bad or missing Stripe-Signature | Request rejected with 400; no processing | Unauthorized verdict generation if gate is missing |

| FM-3 | Query truncation | Query >490 chars, chunking error | Partial query delivered to Gemini | Wrong verdict on truncated input |

| FM-4 | Cache write failure | oracle_toll.py unreachable | Email not sent; session in limbo | Customer pays, receives nothing |

| FM-5 | Email send failure | oracle_email_service error after cache write | Result page exists but customer not notified | Customer pays, receives nothing — silent failure |

| FM-6 | NULL misclassified as error | NULL verdict triggers error handler | No delivery, possible retry storm | Customer pays, receives nothing |

| FM-7 | S.O.S. leak | Crew name or LATTICE symbol in Gemini output | Internal architecture exposed to customer | Brand/IP damage; funnel collapse |

| FM-8 | PII linkage | Query logged with customer email | Privacy violation | Regulatory exposure |

| FM-9 | Custom fields path not handled | Payment Link session arrives, webhook has no custom_fields parser | KeyError or silent drop — no verdict delivered | Payment Link customers never receive verdict |

| FM-10 | Free trial bypass | Client-side trial counter manipulated | Unlimited free exchanges | Revenue leak |

| FM-11 | Duplicate webhook | Stripe delivers same checkout.session.completed twice | Two emails, two cache writes, or idempotency key collision | Double delivery; customer confusion |

---

GAPS

| ID | Gap | Impact | Status |

|----|-----|--------|--------|

| GAP-1 | Referral code discount logic not specified. referral_code is accepted as input but no discount calculation, validation, or Stripe coupon application is defined. | Referral codes silently have no effect; or are applied inconsistently if implemented ad hoc. | OPEN |

| GAP-2 | Subscription billing cycle not formally defined. "$5/month CAD" is stated but billing anchor date, proration rules, failed payment retry logic, and cancellation behavior are unspecified. | Subscription churn and failed payment handling are undefined. | OPEN |

| GAP-3 | Bridge tier access protocol undefined. Bridge tier (direct crew access, NDA required) has no specified NDA delivery mechanism, access provisioning flow, or revocation procedure. | Bridge tier cannot be safely offered without this spec. | OPEN — BLOCKING for Bridge launch |

| GAP-4 | No refund policy specified. What happens when a customer disputes a charge, requests a refund, or Stripe initiates a chargeback — no procedure defined. | Chargebacks handled ad hoc; potential Stripe account risk. | OPEN |

| GAP-5 | CAD conversion rate not locked. If upstream pricing is stated in USD and converted to CAD, no conversion rate, rounding rule, or rate-lock policy is defined. A USD price change could silently shift CAD prices. | Tier prices drift without α.13 authorization. Violates Invariant 1. | OPEN |

| GAP-6 | Idempotency on duplicate webhooks not specified. Stripe may deliver checkout.session.completed more than once. No idempotency key strategy is defined to prevent double delivery. | FM-11 unmitigated. | OPEN |

| GAP-7 | Gemini output sanitization for S.O.S. leaks not specified. VC-7 defines the audit check but no pre-send scrub or filter pipeline is specified. | S.O.S. compliance depends on Gemini prompt discipline alone — brittle. | OPEN |

---

Specification authored by κ (C.L.O.D.) — April 16 2026

Authorized: α.13

*Φ 0.042

Jeremy Zlabis

Chronogeometer · Visionary · Disruptor · Chief

42 Sisters AI · East York, Toronto*