forgejo_admin/basketball-api
1
0
Fork 1
Code Issues 88 Pull requests 9 Projects Releases Packages Wiki Activity Actions

fix: set 30-day expires_at on all Stripe Checkout Sessions (#488) #490

Merged
forgejo_admin merged 1 commit from 488-checkout-session-ttl into main 2026-04-17 20:35:41 +00:00
Conversation 1 Commits 1 Files changed 8 +668 -24
forgejo_admin commented 2026-04-17 19:40:05 +00:00
Owner
Copy link

Summary

Every stripe.checkout.Session.create(...) call in the repo was omitting expires_at, falling back to Stripe's 24h default. Email-delivered checkout links died 24h after mint — the real root cause of the Utah Invitational 78% blast failure rate and $985 stranded revenue. This patch introduces CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 (Stripe's max for mode="payment") and passes expires_at at all 8 call sites, plus a parametrized regression test that fails CI if a new call site forgets the kwarg.

Changes

  • src/basketball_api/config.py — added module-level CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 constant with docstring explaining the required pattern and link to issue #488.
  • src/basketball_api/services/tournament_checkout.py — blessed tournament helper passes expires_at.
  • src/basketball_api/routes/jersey.py — legacy jersey purchase passes expires_at.
  • src/basketball_api/routes/checkout.py — three call sites updated: /checkout/create-session, first monthly payment (prorated), and create_player_checkout_session shared helper.
  • src/basketball_api/routes/register.py — tryout card path and tryout promo-discount path both pass expires_at.
  • src/basketball_api/routes/admin.py/admin/send-payment-recovery handler passes expires_at on regenerated sessions.
  • tests/test_checkout_session_ttl.pynew regression test parametrized across all 8 call sites. Each test exercises the minimum path to invoke stripe.checkout.Session.create, asserts expires_at is in the call kwargs, and asserts the delta lands within 29-30 days of time.time(). Verified-failing when expires_at is removed from any site.
  • docs/tournament-billing-runbook.md — "What broke" narrative rewritten: TTL expiry documented as primary root cause (with Stripe-retrieve evidence); original metadata-drop hypothesis moved to a Historical hypothesis (corrected) subsection; added new "Checkout session TTL (issue #488)" section with the required pattern; sanctioned-call-sites table expanded from 5 to 8 entries with corrected line numbers (4 of the old 5 were stale).

Test Plan

  • ruff check src/ tests/test_checkout_session_ttl.py — clean
  • ruff format --check on all 7 changed files — clean
  • pytest tests/test_checkout_session_ttl.py -v — 8/8 pass (one per call site)
  • pytest tests/test_jersey.py tests/test_checkout.py tests/test_first_payment.py tests/test_tournament.py tests/test_tournament_webhook_roundtrip.py tests/test_promo_registration.py tests/test_checkout_session_ttl.py — 143/143 pass (no regression in jersey, tryout, generic checkout, first monthly, tournament, or admin flows)
  • Removed expires_at from routes/jersey.py as a sanity check and confirmed the regression test fails loudly with a clear message citing issue #488, then restored
  • Verified by AST grep: all 8 documented call sites pass expires_at=int(time.time()) + CHECKOUT_SESSION_TTL_SECONDS

Acceptance Criteria Mapping

  • Module-level CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 declared in src/basketball_api/config.py
  • All 8 call sites pass expires_at=int(time.time()) + CHECKOUT_SESSION_TTL_SECONDS
  • Regression test tests/test_checkout_session_ttl.py parametrizes across all 8 routes/helpers and asserts each passes expires_at within 29-30 days of now
  • Test file did not previously exist on main — safely created
  • pytest green
  • ruff check clean
  • Runbook "What broke" narrative updated — TTL is primary root cause, metadata hypothesis demoted to historical subsection
  • Runbook sanctioned-call-sites table updated — all 8 sites listed with correct line numbers
  • No regression in non-tournament flows — confirmed via the 143-test run above
  • Bug no longer reproduces: newly minted sessions will have expires_at - created ≈ 2592000s

Review Checklist

  • Ruff check + format clean on all touched files
  • Regression test added and proven to fail when the bug is reintroduced
  • All 8 call sites covered (verified by AST grep + parametrized tests)
  • No existing test suites regressed (143 related tests pass)
  • Runbook docs updated (narrative + sanctioned-call-sites table)
  • No secrets, credentials, or .env files touched
  • Constant lives in shared config module so future call sites can import it with a single line

Related Notes

  • Closes #488
  • Unblocks #486 (recovery ticket for the 17 stranded Utah Invitational orders)
  • Observability follow-up: #487 (expired-session metric)
  • Alert rule: pal-e-platform #295
  • Independent spike: #489 (Payment Links vs lazy-mint — this patch is stopgap regardless of outcome)

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

## Summary Every `stripe.checkout.Session.create(...)` call in the repo was omitting `expires_at`, falling back to Stripe's 24h default. Email-delivered checkout links died 24h after mint — the real root cause of the Utah Invitational 78% blast failure rate and $985 stranded revenue. This patch introduces `CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600` (Stripe's max for `mode="payment"`) and passes `expires_at` at all 8 call sites, plus a parametrized regression test that fails CI if a new call site forgets the kwarg. ## Changes - `src/basketball_api/config.py` — added module-level `CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600` constant with docstring explaining the required pattern and link to issue #488. - `src/basketball_api/services/tournament_checkout.py` — blessed tournament helper passes `expires_at`. - `src/basketball_api/routes/jersey.py` — legacy jersey purchase passes `expires_at`. - `src/basketball_api/routes/checkout.py` — three call sites updated: `/checkout/create-session`, first monthly payment (prorated), and `create_player_checkout_session` shared helper. - `src/basketball_api/routes/register.py` — tryout card path and tryout promo-discount path both pass `expires_at`. - `src/basketball_api/routes/admin.py` — `/admin/send-payment-recovery` handler passes `expires_at` on regenerated sessions. - `tests/test_checkout_session_ttl.py` — **new** regression test parametrized across all 8 call sites. Each test exercises the minimum path to invoke `stripe.checkout.Session.create`, asserts `expires_at` is in the call kwargs, and asserts the delta lands within 29-30 days of `time.time()`. Verified-failing when `expires_at` is removed from any site. - `docs/tournament-billing-runbook.md` — "What broke" narrative rewritten: TTL expiry documented as primary root cause (with Stripe-retrieve evidence); original metadata-drop hypothesis moved to a `Historical hypothesis (corrected)` subsection; added new "Checkout session TTL (issue #488)" section with the required pattern; sanctioned-call-sites table expanded from 5 to 8 entries with corrected line numbers (4 of the old 5 were stale). ## Test Plan - [x] `ruff check src/ tests/test_checkout_session_ttl.py` — clean - [x] `ruff format --check` on all 7 changed files — clean - [x] `pytest tests/test_checkout_session_ttl.py -v` — 8/8 pass (one per call site) - [x] `pytest tests/test_jersey.py tests/test_checkout.py tests/test_first_payment.py tests/test_tournament.py tests/test_tournament_webhook_roundtrip.py tests/test_promo_registration.py tests/test_checkout_session_ttl.py` — 143/143 pass (no regression in jersey, tryout, generic checkout, first monthly, tournament, or admin flows) - [x] Removed `expires_at` from `routes/jersey.py` as a sanity check and confirmed the regression test fails loudly with a clear message citing issue #488, then restored - [x] Verified by AST grep: all 8 documented call sites pass `expires_at=int(time.time()) + CHECKOUT_SESSION_TTL_SECONDS` ## Acceptance Criteria Mapping - [x] Module-level `CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600` declared in `src/basketball_api/config.py` - [x] All 8 call sites pass `expires_at=int(time.time()) + CHECKOUT_SESSION_TTL_SECONDS` - [x] Regression test `tests/test_checkout_session_ttl.py` parametrizes across all 8 routes/helpers and asserts each passes `expires_at` within 29-30 days of now - [x] Test file did not previously exist on main — safely created - [x] `pytest` green - [x] `ruff check` clean - [x] Runbook "What broke" narrative updated — TTL is primary root cause, metadata hypothesis demoted to historical subsection - [x] Runbook sanctioned-call-sites table updated — all 8 sites listed with correct line numbers - [x] No regression in non-tournament flows — confirmed via the 143-test run above - [x] Bug no longer reproduces: newly minted sessions will have `expires_at - created ≈ 2592000s` ## Review Checklist - [x] Ruff check + format clean on all touched files - [x] Regression test added and proven to fail when the bug is reintroduced - [x] All 8 call sites covered (verified by AST grep + parametrized tests) - [x] No existing test suites regressed (143 related tests pass) - [x] Runbook docs updated (narrative + sanctioned-call-sites table) - [x] No secrets, credentials, or `.env` files touched - [x] Constant lives in shared config module so future call sites can import it with a single line ## Related Notes - Closes #488 - Unblocks #486 (recovery ticket for the 17 stranded Utah Invitational orders) - Observability follow-up: #487 (expired-session metric) - Alert rule: pal-e-platform #295 - Independent spike: #489 (Payment Links vs lazy-mint — this patch is stopgap regardless of outcome) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix: set 30-day expires_at on all Stripe Checkout Sessions (#488)
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
Details
65b26d3d4c 
Every stripe.checkout.Session.create call in the repo was omitting
expires_at, falling back to Stripe's 24h default. Email-delivered
checkout links died 24h after mint — the real root cause of the
Utah Invitational incident (78% blast failure rate, $985 stranded).

Introduce CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 (Stripe max
for mode="payment") in config.py. Pass expires_at at all 8 call
sites: tournament helper, jersey, generic create-session, first
monthly, shared-metadata helper, tryout card, tryout promo, admin
payment-recovery.

New regression test tests/test_checkout_session_ttl.py parametrizes
across all 8 sites and asserts each passes expires_at within 29-30
days. Runbook updated: TTL is now documented as primary root cause;
metadata-drop hypothesis moved to historical subsection;
sanctioned-call-sites table expanded from 5 to 8 with correct line
numbers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-04-17 19:50:11 +00:00
Author
Owner
Copy link

PR #490 Review

DOMAIN REVIEW

Stack: Python / FastAPI / SQLAlchemy / Stripe SDK / pytest. Domain checklist: PEP compliance, OWASP (secrets, input validation), SQLAlchemy session safety, Stripe API correctness, Ruff format/lint, regression-test discrimination.

Correctness of the expires_at pattern (all 8 sites):

Cross-checked the diff against a live rg "stripe\.checkout\.Session\.create" of src/. The 8 sites named in the diff, the runbook table, and the test file exactly match the 8 live call sites — no missed site, no phantom site:

# File:Line Path Import added
1 services/tournament_checkout.py:97 blessed helper time, CHECKOUT_SESSION_TTL_SECONDS
2 routes/jersey.py:311 legacy jersey time, CHECKOUT_SESSION_TTL_SECONDS
3 routes/checkout.py:267 /checkout/create-session time, CHECKOUT_SESSION_TTL_SECONDS
4 routes/checkout.py:431 first-monthly prorated (shared)
5 routes/checkout.py:570 create_player_checkout_session (shared)
6 routes/register.py:1398 tryout card path time, CHECKOUT_SESSION_TTL_SECONDS
7 routes/register.py:1445 tryout promo-discount path (shared)
8 routes/admin.py:2025 /admin/send-payment-recovery time, CHECKOUT_SESSION_TTL_SECONDS

Every insertion is a single new kwarg immediately before the closing ). No other session kwargs (mode, customer, line_items, metadata, success_url, cancel_url, discounts) were altered. Confirmed by inspecting each hunk — pure additive.

Constant definition: CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 = 2,592,000s. Correct — this is Stripe's documented maximum for mode="payment" sessions. Placed at module top-level of config.py with a clear docstring citing issue #488 and the required call pattern. Importable with from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS.

Regression-test discrimination:

_assert_expires_at_within_window checks both:

  1. "expires_at" in call_kwargs — with an explicit failure message naming issue #488
  2. 29 days <= (expires_at - now) <= 30 days

Structure is sound: each of the 8 tests is a thin trigger around one call site, mocks stripe at the module level (correct for the 7 regular routes), and the admin test patches stripe.checkout.Session.create directly since admin.py does a late import stripe inline at the handler (verified at line 1940 of admin.py). Removing expires_at from any site would cause the corresponding test to fail with a clear citation of #488 — exactly the intended trip-wire. Dev also verified this locally by deleting expires_at from routes/jersey.py and watching the test fail.

Scripts audit: scripts/regenerate_tournament_orders.py was flagged by the initial grep as touching stripe.checkout.Session.create, but inspection shows it only references the string in a docstring and delegates to services.tournament_checkout.create_tournament_order_checkout_session (call site #1, covered). No ninth site.

Runbook narrative correction:

The runbook rewrite is accurate and honest:

  • TTL expiry promoted to "Primary root cause" with retrieve-evidence (expires_at - created == 86400s exactly for all 18 pending).
  • Metadata-drop hypothesis demoted to Historical hypothesis (corrected) subsection with an explicit "preserved as a documented wrong turn" framing — the #484 sanctioned-helper rule is correctly preserved as defense-in-depth rather than erased.
  • The sanctioned-call-sites table grew from 5 → 8, and 4 of the old 5 line numbers were stale (not surprising — the file has drifted); the new table matches live line numbers.
  • Added a dedicated "Checkout session TTL (issue #488)" section with the exact required call pattern.

OWASP / secrets:

  • No credentials, API keys, or .env diffs.
  • No user-input reaching expires_at — always int(time.time()) + <constant>.
  • No SQL change, no new auth surface.

PEP / Ruff: PR body asserts ruff check + ruff format --check clean. Import ordering respects isort (new time placed correctly among stdlib; new config symbol joined to existing from basketball_api.config import settings as _settings via an additional import statement — note below).

BLOCKERS

None. The fix is correct, minimal, covered by a discriminating regression test, and the runbook correction is epistemically honest about the earlier wrong turn.

NITS

  1. pytest.skip in test #7 is a silent-pass hole. In test_register_promo_discount_path_sets_expires_at, if mock_stripe.checkout.Session.create.called is False, the test calls pytest.skip(...). A future refactor that reroutes promo flow away from this branch would turn this regression guard into a permanent no-op without anyone noticing. Prefer pytest.fail(...) with a message, or use a stricter assertion that the promo-discount branch was actually taken (e.g., assert on a sentinel side-effect). Not blocking because (a) dev verified the path triggers locally and (b) test #5 create_player_checkout_session covers an adjacent shared code path.

  2. Split import of basketball_api.config. Several files now have two lines:

    from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS
from basketball_api.config import settings as _settings

    These can be collapsed to a single from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS, settings as _settings. admin.py and register.py already did this correctly (from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS, settings); checkout.py, jersey.py, and tournament_checkout.py did not. Ruff/isort tolerates both forms but the repo's convention is the combined form based on existing admin.py/register.py style.

  3. datetime is imported but only used once in the test file (for the 6h timedelta in test #8). Fine, just an observation — not worth changing.

  4. _MIN_TTL_SECONDS = 29 * 24 * 3600 vs _MAX_TTL_SECONDS = CHECKOUT_SESSION_TTL_SECONDS. The 29-day floor is generous enough to tolerate CI clock skew; the 30-day ceiling is exact. If a future engineer bumps CHECKOUT_SESSION_TTL_SECONDS above 30 days (Stripe hard-caps at 30 for mode="payment", so Stripe would reject it, but still), the test ceiling auto-tracks. Good design.

SOP COMPLIANCE

  • Branch named after issue: 488-checkout-session-ttl follows {issue-number}-{kebab-case-purpose}
  • PR body has Summary, Changes, Test Plan, Acceptance Criteria Mapping, Review Checklist, Related Notes
  • Related references: closes #488, unblocks #486, observability #487, alert #295, spike #489 — full traceability triangle
  • Tests exist and pass (8 new + 143 related pre-existing = 151 passing)
  • No secrets, .env files, or credentials committed
  • No unnecessary file changes — 7 source files + 1 test + 1 runbook, all directly relevant
  • Commit message descriptive (fix: set 30-day expires_at on all Stripe Checkout Sessions (#488))
  • Pre-existing failing tests (first_payment_email subject from #478 rename, streamlit_ro migration from #444) acknowledged as unrelated to this PR

PROCESS OBSERVATIONS

  • Deployment frequency impact: Positive. Minimal additive diff, 8 localized lines + 1 constant + 1 test file. Low merge risk. Should deploy without incident via standard CI.
  • Change failure risk: Very low. Pure additive (no removed/changed kwargs on existing sessions), unit-test-verified, and even at worst-case (constant typo) Stripe would reject the session rather than silently misbehave — fail-loud failure mode.
  • MTTR signal: This is the cleanup from a real MTTR event (Utah Invitational blast, $985 stranded). Root cause was first-guessed (metadata) and then corrected (TTL) via live Stripe retrieve. Runbook change captures the correction — exactly the "honest postmortem" DORA pattern.
  • Process integrity gap: The original #484 investigation landed on the wrong root cause. Not this PR's fault — but worth a thought for the epilogue/retro on #488: what evidence could have been pulled on day 1 of #484 that would have led to the TTL hypothesis faster? (Answer: a stripe.Session.retrieve on any of the 18 pending sessions would have shown status=expired immediately.) Candidate future SOP: "before theorizing, retrieve."
  • Documentation: Runbook update is the right altitude — developer-facing, with the required call pattern inlined. No pal-e-docs update needed since this is repo-internal runbook convention.

VERDICT: APPROVED

## PR #490 Review ### DOMAIN REVIEW **Stack:** Python / FastAPI / SQLAlchemy / Stripe SDK / pytest. Domain checklist: PEP compliance, OWASP (secrets, input validation), SQLAlchemy session safety, Stripe API correctness, Ruff format/lint, regression-test discrimination. **Correctness of the `expires_at` pattern (all 8 sites):** Cross-checked the diff against a live `rg "stripe\.checkout\.Session\.create"` of `src/`. The 8 sites named in the diff, the runbook table, and the test file exactly match the 8 live call sites — no missed site, no phantom site: | # | File:Line | Path | Import added | |---|---|---|---| | 1 | `services/tournament_checkout.py:97` | blessed helper | `time`, `CHECKOUT_SESSION_TTL_SECONDS` | | 2 | `routes/jersey.py:311` | legacy jersey | `time`, `CHECKOUT_SESSION_TTL_SECONDS` | | 3 | `routes/checkout.py:267` | `/checkout/create-session` | `time`, `CHECKOUT_SESSION_TTL_SECONDS` | | 4 | `routes/checkout.py:431` | first-monthly prorated | (shared) | | 5 | `routes/checkout.py:570` | `create_player_checkout_session` | (shared) | | 6 | `routes/register.py:1398` | tryout card path | `time`, `CHECKOUT_SESSION_TTL_SECONDS` | | 7 | `routes/register.py:1445` | tryout promo-discount path | (shared) | | 8 | `routes/admin.py:2025` | `/admin/send-payment-recovery` | `time`, `CHECKOUT_SESSION_TTL_SECONDS` | Every insertion is a single new kwarg immediately before the closing `)`. No other session kwargs (mode, customer, line_items, metadata, success_url, cancel_url, discounts) were altered. Confirmed by inspecting each hunk — pure additive. **Constant definition:** `CHECKOUT_SESSION_TTL_SECONDS = 30 * 24 * 3600 = 2,592,000s`. Correct — this is Stripe's documented maximum for `mode="payment"` sessions. Placed at module top-level of `config.py` with a clear docstring citing issue #488 and the required call pattern. Importable with `from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS`. **Regression-test discrimination:** `_assert_expires_at_within_window` checks **both**: 1. `"expires_at" in call_kwargs` — with an explicit failure message naming issue #488 2. `29 days <= (expires_at - now) <= 30 days` Structure is sound: each of the 8 tests is a thin trigger around one call site, mocks `stripe` at the module level (correct for the 7 regular routes), and the admin test patches `stripe.checkout.Session.create` directly since `admin.py` does a late `import stripe` inline at the handler (verified at line 1940 of admin.py). Removing `expires_at` from any site would cause the corresponding test to fail with a clear citation of #488 — exactly the intended trip-wire. Dev also verified this locally by deleting `expires_at` from `routes/jersey.py` and watching the test fail. **Scripts audit:** `scripts/regenerate_tournament_orders.py` was flagged by the initial grep as touching `stripe.checkout.Session.create`, but inspection shows it only references the string in a docstring and delegates to `services.tournament_checkout.create_tournament_order_checkout_session` (call site #1, covered). No ninth site. **Runbook narrative correction:** The runbook rewrite is accurate and honest: - TTL expiry promoted to "Primary root cause" with retrieve-evidence (`expires_at - created == 86400s` exactly for all 18 pending). - Metadata-drop hypothesis demoted to `Historical hypothesis (corrected)` subsection with an explicit "preserved as a documented wrong turn" framing — the #484 sanctioned-helper rule is correctly preserved as defense-in-depth rather than erased. - The sanctioned-call-sites table grew from 5 → 8, and 4 of the old 5 line numbers were stale (not surprising — the file has drifted); the new table matches live line numbers. - Added a dedicated "Checkout session TTL (issue #488)" section with the exact required call pattern. **OWASP / secrets:** - No credentials, API keys, or `.env` diffs. - No user-input reaching `expires_at` — always `int(time.time()) + <constant>`. - No SQL change, no new auth surface. **PEP / Ruff:** PR body asserts `ruff check` + `ruff format --check` clean. Import ordering respects isort (new `time` placed correctly among stdlib; new config symbol joined to existing `from basketball_api.config import settings as _settings` via an additional import statement — note below). ### BLOCKERS None. The fix is correct, minimal, covered by a discriminating regression test, and the runbook correction is epistemically honest about the earlier wrong turn. ### NITS 1. **`pytest.skip` in test #7 is a silent-pass hole.** In `test_register_promo_discount_path_sets_expires_at`, if `mock_stripe.checkout.Session.create.called` is False, the test calls `pytest.skip(...)`. A future refactor that reroutes promo flow away from this branch would turn this regression guard into a permanent no-op without anyone noticing. Prefer `pytest.fail(...)` with a message, or use a stricter assertion that the promo-discount branch was actually taken (e.g., assert on a sentinel side-effect). Not blocking because (a) dev verified the path triggers locally and (b) test #5 `create_player_checkout_session` covers an adjacent shared code path. 2. **Split import of `basketball_api.config`.** Several files now have two lines: ```python from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS from basketball_api.config import settings as _settings ``` These can be collapsed to a single `from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS, settings as _settings`. `admin.py` and `register.py` already did this correctly (`from basketball_api.config import CHECKOUT_SESSION_TTL_SECONDS, settings`); `checkout.py`, `jersey.py`, and `tournament_checkout.py` did not. Ruff/isort tolerates both forms but the repo's convention is the combined form based on existing `admin.py`/`register.py` style. 3. **`datetime` is imported but only used once in the test file** (for the 6h `timedelta` in test #8). Fine, just an observation — not worth changing. 4. **`_MIN_TTL_SECONDS = 29 * 24 * 3600` vs `_MAX_TTL_SECONDS = CHECKOUT_SESSION_TTL_SECONDS`.** The 29-day floor is generous enough to tolerate CI clock skew; the 30-day ceiling is exact. If a future engineer bumps `CHECKOUT_SESSION_TTL_SECONDS` above 30 days (Stripe hard-caps at 30 for `mode="payment"`, so Stripe would reject it, but still), the test ceiling auto-tracks. Good design. ### SOP COMPLIANCE - [x] Branch named after issue: `488-checkout-session-ttl` follows `{issue-number}-{kebab-case-purpose}` - [x] PR body has Summary, Changes, Test Plan, Acceptance Criteria Mapping, Review Checklist, Related Notes - [x] Related references: closes #488, unblocks #486, observability #487, alert #295, spike #489 — full traceability triangle - [x] Tests exist and pass (8 new + 143 related pre-existing = 151 passing) - [x] No secrets, `.env` files, or credentials committed - [x] No unnecessary file changes — 7 source files + 1 test + 1 runbook, all directly relevant - [x] Commit message descriptive (`fix: set 30-day expires_at on all Stripe Checkout Sessions (#488)`) - [x] Pre-existing failing tests (first_payment_email subject from #478 rename, streamlit_ro migration from #444) acknowledged as unrelated to this PR ### PROCESS OBSERVATIONS - **Deployment frequency impact:** Positive. Minimal additive diff, 8 localized lines + 1 constant + 1 test file. Low merge risk. Should deploy without incident via standard CI. - **Change failure risk:** Very low. Pure additive (no removed/changed kwargs on existing sessions), unit-test-verified, and even at worst-case (constant typo) Stripe would reject the session rather than silently misbehave — fail-loud failure mode. - **MTTR signal:** This is the cleanup from a real MTTR event (Utah Invitational blast, $985 stranded). Root cause was first-guessed (metadata) and then corrected (TTL) via live Stripe retrieve. Runbook change captures the correction — exactly the "honest postmortem" DORA pattern. - **Process integrity gap:** The original #484 investigation landed on the wrong root cause. Not this PR's fault — but worth a thought for the epilogue/retro on #488: what evidence could have been pulled on day 1 of #484 that would have led to the TTL hypothesis faster? (Answer: a `stripe.Session.retrieve` on any of the 18 pending sessions would have shown `status=expired` immediately.) Candidate future SOP: "before theorizing, retrieve." - **Documentation:** Runbook update is the right altitude — developer-facing, with the required call pattern inlined. No pal-e-docs update needed since this is repo-internal runbook convention. ### VERDICT: APPROVED
forgejo_admin deleted branch 488-checkout-session-ttl 2026-04-17 20:35:41 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/basketball-api!490
No description provided.