Email + password authentication on canonical users. Sessions, password hashing (argon2id), failed-attempt audit log.
Email + password sign-up & sign-in Argon2id hashing (no SHA-256 password footguns) Sessions with IP + User-Agent recorded for audit compliance
Compliance (EU) Required
GDPR + EU AI Act. Cookie consent, DSAR orchestrator, erasure orchestrator, auto-generated privacy policy + model card.
Cookie banner (IP/UA hashed, never plaintext) DSAR access + portability + erasure flows Privacy policy auto-generated from installed manifests VAPID web-push notifications via @block65/webcrypto-web-push (Cloudflare Workers compatible). Requires compliance-eu cookie consent. iOS subscriptions auto-evict after 7 days.
CF Workers compatible — uses Web Crypto API, not Node.js https.request VAPID keys generated server-side by dev-up.sh; never client-side Explicit user consent required before subscribing (gated behind button click + cookie consent) needs compliance-eu
payments
Subscriptions (Stripe + x402)
Stripe Checkout for humans, x402 USDC on Base for agents. Idempotent webhook, customer portal, agent spend caps.
Stripe Checkout + automatic tax Idempotent webhook (DB-level unique on event_id) x402 sibling endpoint — agents pay in USDC on Base needs auth-better ✗ polar-subscriptions
Google OAuth 2.1 + PKCE. State + PKCE verifier in HTTP-only cookies. Stores OAuth account in the canonical account table.
OAuth 2.1 + PKCE S256 — no implicit flow State + nonce in HTTP-only SameSite=Lax cookies Upserts account row with provider='google' needs auth-better
GitHub OAuth 2.1. CSRF-protected via state cookie. Fetches primary verified email from /user/emails.
State cookie for CSRF protection Handles private emails via /user/emails fallback Upserts account row with provider='github' needs auth-better
Apple Sign-In via OAuth 2.1 + PKCE. response_mode=form_post. V1: client_secret JWT generation is stubbed — V2 required for production.
PKCE S256 + state + nonce in HTTP-only cookies response_mode=form_post (POST callback, not GET) V1: client_secret JWT stubbed — see README for V2 spec needs auth-better
payments
Stripe Tax (EU VAT)
EU VAT collection via Stripe Tax. Tax-id collection, per-country rate calculation, B2B reverse-charge detection, and per-country audit summaries for VAT OSS filing.
Automatic EU VAT at Stripe Checkout (no configuration needed) B2B reverse-charge: zero-amount audit row for exempt customers tax_collected ledger with per-country, per-jurisdiction breakdown needs stripe-subscriptions
payments
One-time Payments (Stripe + x402)
One-time charges for digital downloads, services, and donations. Stripe Checkout for humans, x402 USDC on Base for agents. Shares the idempotency log with stripe-subscriptions.
Stripe Checkout mode=payment (one-time, not subscription) Invoices table with PDF URL + line items x402 agent rail: purchase_product MCP tool (humanApprovalRequired) needs auth-better needs stripe-subscriptions
payments
Connect Marketplace (Stripe)
Stripe Connect for two-sided marketplaces. Vendor onboarding via Stripe-hosted flows, payout tracking, KYC via Stripe. Shares the stripe-subscriptions idempotency log.
Stripe-hosted Express/Custom/Standard onboarding (single-use URL, 1-hour TTL) Payout lifecycle: created → in_transit → paid / failed KYC subprocessor: Stripe Inc. (identity_documents, bank_account, ssn_or_tax_id) needs stripe-subscriptions
compliance
Age Verification
Yoti Age Estimation + Photo-ID fallback. Ed25519-signed AgeAttestation (365-day TTL, revocable). BIPA disclosure gate for Illinois. UK Online Safety Act (HEAA), Texas HB 1181, COPPA, EU AVS.
Yoti Age Estimation + Photo-ID fallback (no Yoti SDK install — raw fetch) Ed25519 AgeAttestation: threshold, method, TTL only — photo NEVER stored BIPA disclosure gate: Illinois users see consent screen before Yoti redirect needs auth-better
OpenRouter gateway with bring-your-own-key as a first-class flow. Token-metered billing, prompt-injection guard, message-level audit.
OpenRouter passthrough — cost goes straight to your account BYOK: per-org Anthropic / OpenAI / Gemini key override Prompt-injection guard: allowlist of tool names per agent identity commerce
Booking & scheduling
Cal.com-style booking with timezone-aware availability, Stripe deposits, reminder emails, agent-callable scheduling.
Timezone-aware availability (IANA tz, DST-correct slot math) Pure availability lib — no DB/network deps, 25 tests pin edge cases MCP tools: book_meeting + cancel_booking (humanApprovalRequired)