Step 1 of 5
Audit the money path
Trace where amounts come from and who declares success.
Audit the payment implementation. Trace and report: where amounts/prices are defined (must be server-side - flag any client-sent amount that the server trusts); how checkout sessions are created; who declares success (must be server verification with the provider, never the redirect alone); where payment records live and their state model; how paid access is granted. Produce the money-path diagram in text and flag every trust violation.
Expected after this step
A traced money path with every trust violation flagged.
Should not happen
- ✕Success pages granting access without server verification
- ✕Refresh on success double-granting purchases
- ✕Client-editable amounts reaching the provider
- ✕Declined payments leaving half-granted states
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !Success pages granting access without server verification
- !Refresh on success double-granting purchases
- !Client-editable amounts reaching the provider
- !Declined payments leaving half-granted states
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
The audit shows the client sending amounts or declaring success. Those are critical: move price lookup and success verification server-side before any further testing.