Aerea Labs

Roadmap

What's shipped, what's next.

Every claim links to a real source file or commit. Compliance claims are scaffolding — not certifications.

Shipped

Auth

Multi-provider auth, 2FA, API keys, passkeys, SSO — all wired via Better Auth.

  • Better Auth — multi-provider sign-in (email, Google, GitHub, magic link)

    Primary auth handler with drizzle adapter. API route: POST /api/auth/[...all].

    src/libs/BetterAuth.ts
  • 2FA TOTP — time-based one-time passwords

    TOTP plugin wired in Better Auth config.

    src/libs/BetterAuth.ts
  • API keys — create, revoke, scope

    Better Auth API Keys plugin with dashboard UI.

    src/libs/ApiKeys.ts
  • Magic link — passwordless email sign-in

    Email template dispatched via the Resend adapter.

    src/libs/email/templates/magic-link.ts
  • Passkey scaffolding — WebAuthn registration + authentication

    6-module passkey tree: registration, authentication, storage, helpers, types.

    src/libs/passkeys/index.ts
  • SSO / WorkOS scaffolding — enterprise single sign-on

    isWired check + createConnection + getAuthorizationUrl.

    src/libs/Sso.ts
  • RBAC — role-based access control via CASL

    Ability rules + Can component + api-guard middleware.

    src/libs/abilities.ts
  • Multi-tenancy — orgs + Postgres RLS

    withOrgContext() RLS wrapper; org schema + migrations.

    src/libs/RLS.ts

Shipped

Billing

Stripe, Paddle, and Polar adapters. Subscriptions, usage metering, tax, dunning, and revenue analytics.

  • Stripe adapter — subscriptions, one-time charges

    22 tests covering cents handling, webhook signature verification, error mapping.

    src/libs/payments/stripe-adapter.ts
  • Paddle adapter — subscriptions + webhook

    15 tests: webhook signature verification, idempotency, handled events, GET probe.

    src/libs/payments/paddle-adapter.ts
  • Polar adapter — open-source billing alternative

    25 tests: cents handling, webhook signature verification, error mapping.

    src/libs/payments/polar-adapter.ts
  • Subscriptions table — Stripe lifecycle persistence

    Stripe Subscription state in the subscriptions table. Webhook: /api/stripe/webhook.

    src/app/api/stripe/webhook/route.ts
  • Stripe Meters — usage-based billing

    Usage.ts + usage-report job. Admin UI at /dashboard/admin/usage.

    src/libs/Usage.ts
  • Stripe Tax — automatic tax calculation

    Tax.ts + TaxIdSection + 2 webhook handlers.

    src/libs/Tax.ts
  • Dunning — Stripe Smart Retries + email

    invoice.payment_failed webhook handler + DunningEmail template.

    src/libs/stripe/handlers/invoice-payment-failed.ts
  • MRR / ARR / NRR analytics — integer cents, cohort breakdown

    18 tests covering churn, series, cohorts, breakdown, events.

    src/libs/Revenue.ts
  • Stripe Customer Portal — self-serve billing management

    billing_portal session creation in stripe actions.

    src/components/dashboard/ManageBillingButton.tsx

Shipped

Compliance

Tamper-evident audit chain, privacy export, account deletion, idempotency, WORM rows, RLS, CSP, and security.txt.

  • Audit chain — tamper-evident, SHA-256 hash-linked, append-only

    WORM trigger + RLS + hash chain; verify/export/append API.

    src/libs/AuditChain.ts
  • Privacy data export — gzip JSON blob via signed URL

    requestDataExport() + Inngest job + Storage.put(). E2E spec: tests/e2e/rgpd-export.spec.ts.

    src/actions/account.ts
  • Account deletion — 30-day grace period with cancel link

    requestAccountDeletion() + daily cron hard-deletes after deadline.

    src/actions/account.ts
  • Idempotency keys — safe webhook retry without double-charge

    Idempotency-Key header contract. SHA-256 request hash. 24h TTL cache.

    src/libs/Idempotency.ts
  • Suppression layer — false-positive / accepted-risk marking

    SuppressFindingButton + SuppressionReasonDialog + SuppressedRowBadge.

    src/libs/Suppression.ts
  • WORM rows — physically blocked DELETE at Postgres trigger level

    audit_chain.worm column + audit_chain_worm_no_delete trigger.

    src/libs/AuditChain.ts
  • Postgres RLS — tenant isolation via Row Level Security

    withOrgContext() wrapper + migration 0004-multi-tenant-orgs.

    src/libs/RLS.ts
  • Content-Security-Policy — production hardening defaults

    CSP + HSTS + X-Frame-Options + Permissions-Policy in next.config.ts.

    next.config.ts
  • security.txt — RFC 9116 disclosure policy

    Contact + Expires + Policy assembled from env vars at request time.

    src/app/.well-known/security.txt/route.ts

Compliance scaffolding

The above primitives are wired as evidence scaffolding — they are not a SOC 2, ISO 27001, or HIPAA certification. Wire your own controls and qualified review on top.

In Progress

Partially shipped

Files exist and tests pass, but the decision was originally deferred — these shipped ahead of plan.

Feature                               Status
Tiptap rich-text editor               partial
gen:feature code scaffolding script   partial

No ETA. No version numbers. Shipped when the work is complete.

Deferred

Next up (no ETA)

Intentionally absent per the stack decision. Will be added in a future wave.

  • Realtime — Durable Objects / WebSocket

    No WebSocket or realtime lib in package.json. CF Durable Objects path available via wrangler.toml.

    deferred
  • Vercel AI SDK v5

    Llm.ts is a custom provider abstraction (Anthropic + OpenAI + Ollama). Vercel AI SDK is a drop-in alternative.

    deferred
  • API SDK generation — OpenAPI-first client generation

    OpenAPI spec is live at /api-docs. Client generation deferred; no openapi-generator in deps.

    deferred
  • Tiptap bundle audit

    Tiptap shipped ahead of plan. Bundle size audit deferred.

    deferred
  • CAPTCHA — hCaptcha / Cloudflare Turnstile

    Skipped per stack decision. CF WAF is the bot-mitigation layer.

    deferred
  • Vector DB — pgvector / Pinecone

    Skipped per stack decision. Postgres FTS + pg_trgm covers the search use case.

    deferred

Ready to ship?

Clone the repo and your next procurement review starts with a compliance dashboard, not a blank app.