Oracle Product Tiers

SPEC_ORACLE_PRODUCT_TIERS.md · 2026-04-20

SPECIFICATION: Oracle Product Tiers

Status: AUTHORIZED

Authorized: α.13, April 16 2026

Version: v1.0


Version: v1.0

PURPOSE

Define the formal contract for Oracle product tiers at 42sisters.ai — covering paid verdict tiers, subscription tiers, checkout flow, webhook processing, verdict delivery, and caching invariants. This spec governs any component that touches tier selection, Stripe integration, verdict generation, or result delivery.

All tiers operate under S.O.S. v2: the customer sees AETHER only. Crew, LATTICE, and internal architecture are never exposed.


INPUTS

Checkout Initiation (POST /api/checkout)

| Field | Type | Required | Notes |

|-------|------|----------|-------|

| tier | string | YES | One of: quick, full, strategy |

| query | string | YES | Customer's question/idea — packed into Stripe metadata |

| referral_code | string | NO | Discount code — currently unprocessed (see GAPS) |

Stripe Webhook (checkout.session.completed)

| Field | Source | Notes |

|-------|--------|-------|

| session.id | Stripe | Becomes session_id for cache + result page |

| session.customer_email | Stripe | Only PII stored — used for email delivery |

| session.metadata.tier | Stripe metadata | Must match canonical tier key |

| session.metadata.q0…qN | Stripe metadata | Query chunks, 490-char each, reassembled in order |

| session.custom_fields[key="idea"].text.value | Stripe (Payment Link path) | Alternative query delivery — webhook supports both flows |

| Stripe-Signature header | HTTP | Required for signature verification |

Subscription Tiers (Sisters Chat)

| Field | Value |

|-------|-------|

| Price | $5.00 CAD / month |

| Free trial | 3 exchanges |

| Pro tier | 2TER dual-stream reactor (AION + ASTRA) |

| Bridge tier | Direct crew access — NDA required |


OUTPUTS

Paid Verdict Tiers (CAD, hardcoded)

| Tier Key | Name | Price (CAD) | Stripe Cents | Deliverable |

|----------|------|-------------|--------------|-------------|

| quick | Quick Take | $1.00 | 100 | Single verdict token (GREEN / AMBER / RED / NULL) + 1-sentence summary |

| full | Full Breakdown | $5.00 | 500 | Full structured verdict with rationale sections |

| strategy | Strategy Session | $25.00 | 2500 | Deep strategic analysis with recommendations |

Verdict Tokens

NULL is a valid deliverable, not an error state. It must be delivered and emailed identically to GREEN/AMBER/RED.

Cache Entry

Customer Email


INVARIANTS

  1. Tier→price mapping is hardcoded. quick=100 cents, full=500 cents, strategy=2500 cents (CAD). No dynamic pricing without explicit α.13 authorization.
  1. Stripe webhook signature must be verified before any processing. A webhook received without valid Stripe-Signature header verification is rejected. No verdict is generated, no email sent.
  1. Query must survive Stripe metadata round-trip. Query is chunked at 490 characters into keys q0, q1, … qN. Reassembly is sequential — all chunks concatenated in index order. No chunk may be dropped.
  1. Cache write must precede email send. The result page (/result/{session_id}) must exist and return a valid response before the customer email is dispatched. Email with a dead link is a delivery failure.
  1. Customer email is the only PII stored. No persistent mapping of query text to customer identity in logs, databases, or audit trails. Query content lives in Stripe metadata and the verdict cache only.
  1. NULL verdict is a valid deliverable. It must be generated, cached, and emailed using the same pipeline as any other verdict. It is not retried, not suppressed, not treated as an error.
  1. S.O.S. v2 constraint is absolute. Verdict output, email content, and result page must never reference crew names (AION, ASTRA, GAMMA, C.L.O.D., etc.), LATTICE symbols, CSDM physics, or internal architecture. AETHER is the single external voice.
  1. Both query delivery paths must be supported. Webhook handles both metadata chunk path (q0…qN) and Payment Link custom fields path (session.custom_fields[key="idea"].text.value). Neither path is deprecated.
  1. Subscription free trial cap is 3 exchanges. After 3 exchanges, the customer must be on a paid subscription to continue. The gate is enforced server-side — not client-side.

VERIFICATION CRITERIA

VC-1: Tier Mapping Integrity

VC-2: Webhook Signature Gate

VC-3: Query Round-Trip Fidelity

VC-4: Cache-Before-Email Ordering

VC-5: NULL Verdict Pipeline

VC-6: PII Isolation

VC-7: S.O.S. v2 Output Audit

VC-8: Custom Fields Path

VC-9: Subscription Trial Cap


FAILURE MODES

| ID | Failure | Trigger | Expected Behavior | Actual Risk |

|----|---------|---------|-------------------|-------------|

| FM-1 | Invalid tier key | tier not in {quick, full, strategy} | Checkout rejected with 400; no Stripe session created | Silent fallback to wrong price — CRITICAL |

| FM-2 | Webhook signature failure | Bad or missing Stripe-Signature | Request rejected with 400; no processing | Unauthorized verdict generation if gate is missing |

| FM-3 | Query truncation | Query >490 chars, chunking error | Partial query delivered to Gemini | Wrong verdict on truncated input |

| FM-4 | Cache write failure | oracle_toll.py unreachable | Email not sent; session in limbo | Customer pays, receives nothing |

| FM-5 | Email send failure | oracle_email_service error after cache write | Result page exists but customer not notified | Customer pays, receives nothing — silent failure |

| FM-6 | NULL misclassified as error | NULL verdict triggers error handler | No delivery, possible retry storm | Customer pays, receives nothing |

| FM-7 | S.O.S. leak | Crew name or LATTICE symbol in Gemini output | Internal architecture exposed to customer | Brand/IP damage; funnel collapse |

| FM-8 | PII linkage | Query logged with customer email | Privacy violation | Regulatory exposure |

| FM-9 | Custom fields path not handled | Payment Link session arrives, webhook has no custom_fields parser | KeyError or silent drop — no verdict delivered | Payment Link customers never receive verdict |

| FM-10 | Free trial bypass | Client-side trial counter manipulated | Unlimited free exchanges | Revenue leak |

| FM-11 | Duplicate webhook | Stripe delivers same checkout.session.completed twice | Two emails, two cache writes, or idempotency key collision | Double delivery; customer confusion |


GAPS

| ID | Gap | Impact | Status |

|----|-----|--------|--------|

| GAP-1 | Referral code discount logic not specified. referral_code is accepted as input but no discount calculation, validation, or Stripe coupon application is defined. | Referral codes silently have no effect; or are applied inconsistently if implemented ad hoc. | OPEN |

| GAP-2 | Subscription billing cycle not formally defined. "$5/month CAD" is stated but billing anchor date, proration rules, failed payment retry logic, and cancellation behavior are unspecified. | Subscription churn and failed payment handling are undefined. | OPEN |

| GAP-3 | Bridge tier access protocol undefined. Bridge tier (direct crew access, NDA required) has no specified NDA delivery mechanism, access provisioning flow, or revocation procedure. | Bridge tier cannot be safely offered without this spec. | OPEN — BLOCKING for Bridge launch |

| GAP-4 | No refund policy specified. What happens when a customer disputes a charge, requests a refund, or Stripe initiates a chargeback — no procedure defined. | Chargebacks handled ad hoc; potential Stripe account risk. | OPEN |

| GAP-5 | CAD conversion rate not locked. If upstream pricing is stated in USD and converted to CAD, no conversion rate, rounding rule, or rate-lock policy is defined. A USD price change could silently shift CAD prices. | Tier prices drift without α.13 authorization. Violates Invariant 1. | OPEN |

| GAP-6 | Idempotency on duplicate webhooks not specified. Stripe may deliver checkout.session.completed more than once. No idempotency key strategy is defined to prevent double delivery. | FM-11 unmitigated. | OPEN |

| GAP-7 | Gemini output sanitization for S.O.S. leaks not specified. VC-7 defines the audit check but no pre-send scrub or filter pipeline is specified. | S.O.S. compliance depends on Gemini prompt discipline alone — brittle. | OPEN |


Specification authored by κ (C.L.O.D.) — April 16 2026

Authorized: α.13

*Φ 0.042

Jeremy Zlabis

Chronogeometer · Visionary · Disruptor · Chief

42 Sisters AI · East York, Toronto*