tracked from account setup through live verification.
Patreon Integration Tracker
A source-backed goal board for turning Chopshopr into a Patreon-aware product path: OAuth first, entitlement sync second, webhook truth third, then launch proof.
hard gates that require account credentials, secrets, or deploy access.
launch-packet-derived proof checks across auth, data handling, entitlement lookup, launch handoff, operations, and live verification.
named proof receipts that must be filled before the Patreon release claim is true.
objective-level requirements currently satisfied by source, test, and live evidence.
Build the integration in the order failures become cheapest.
Each goal has an owner boundary, proof receipt, and falsifier. The board starts honest: the storage-backed server contract is test-backed; real access still needs Patreon account setup.
The next operator move is generated from the same launch packet.
bun run patreon:launch-control -- --json turns the goals, blockers, runbook, and
proof queue into a current-stage report. It keeps secret values, secret-id values, creator URLs,
and member identities out of the artifact while showing the exact next command.
The final-state sequence can be rehearsed without real credentials.
bun run patreon:launch-rehearsal -- --json --write-report memory-bank/artifacts/patreon-launch-rehearsal/latest-report.json
creates a temporary support fixture and redacted synthetic deploy inputs, then proves the launch packet,
launch control, and completion audit can all reach ready state. It does not call Patreon, call AWS, or
mutate the committed support page.
The deploy environment now has its own redacted go/no-go check.
bun run patreon:runtime-preflight -- --json --write-report memory-bank/artifacts/patreon-runtime-preflight/latest-report.json
compares the CDK deploy inputs from the shell or the same private operator env file, Lambda runtime
readiness contract, exact OAuth callback, support handoff, and post-deploy live parity command before the
release claim moves forward. It reports keys and counts, not secret values, secret-id values, or the
env-file path.
The deployed AWS and live-domain state now has its own redacted receipt.
bun run patreon:production-audit -- --json --write-report memory-bank/artifacts/patreon-production-audit/latest-report.json
checks the CloudFormation stack, deployed Patreon Lambda key presence, public readiness endpoint, and protected
proof readiness without printing Lambda environment values, secret values, secret-id values, physical resource ids,
member ids, or emails. The protected form adds --protected --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID"
and a real member lookup input.
The current release now has a single go/no-go auditor.
bun run patreon:release-gate -- --json --live --strict --expected-revision "$(git rev-parse --short=12 HEAD)" --write-report memory-bank/artifacts/patreon-release-gate/latest-report.json
compares the local release revision with the public route's x-amz-meta-chopshopr-site-revision
header, confirms the worktree is clean, and imports the final redacted Patreon receipts. It prints no secret values,
secret-id values, member ids, or emails. The tracker also reads its own live revision header in the browser so
committed dashboard data does not need to carry stale post-deploy proof.
The gate imports the operator account-input env receipt first, so the Patreon app, callback, campaign, and secret-destination handoff can turn green before deploy, webhook capture, protected member lookup, and completion proof run.
The last three receipts stay visible until the external Patreon loop is real.
The tracker imports memory-bank/artifacts/patreon-webhook-capture/latest-report.json,
memory-bank/artifacts/patreon-live-proof/latest-report.json, and
memory-bank/artifacts/patreon-completion-report/latest-report.json when dashboard data is regenerated.
Each receipt reports only status, counts, committed artifact paths, and blocker ids.
Account-input readiness now has a redacted local validator.
bun run patreon:operator-env-check -- --write-env-template memory-bank/artifacts/patreon-operator-env-check/operator.env.template
writes a blank private-copy starter with the exact callback URI and no secret or secret-id values.
bun run patreon:operator-env-check -- --json --strict --write-report memory-bank/artifacts/patreon-operator-env-check/latest-report.json
validates the shell or a supplied --env-file before bootstrap. Set
CHOPSHOPR_PATREON_OPERATOR_ENV_FILE to a filled private copy so launch packet,
credential intake, launch control, completion report, CDK deploy, and secret bootstrap dry-runs read the same source without printing values
or the file path.
The deploy wrapper forwards only deploy-safe Patreon keys into CDK, not raw source secret values.
The report records presence, source, exact callback shape, and next commands, while keeping secret
values, secret-id values, creator URLs, member ids, and emails out of the report.
The external credential ask is now a non-secret artifact.
Generated by bun run patreon:credential-intake -- --json or
bun run patreon:credential-intake -- --env-file "$CHOPSHOPR_PATREON_OPERATOR_ENV_FILE" --json,
this checklist names every plain field, secret destination, private-input prompt, receipt path, and command
needed before the first real Patreon deploy. The durable report path is
memory-bank/artifacts/patreon-credential-intake/latest-report.json.
The remaining Patreon-side work is packaged for a third-party operator.
Generated by bun run patreon:operator-packet -- --json, this packet lists the
account inputs, secret destinations, webhook capture, support activation, and live-proof commands
without raw secret values or secret-id values. The durable report path is
memory-bank/artifacts/patreon-operator-handoff/latest-report.json.
The dashboard now tracks the receipt each gate still needs.
These slots are generated from bun run patreon:launch-packet -- --json. A gate stays blocked
until its owner, missing inputs, proof requirement, and verifier command all line up with real evidence.
The requested end state is tested requirement by requirement.
This audit preserves the full objective: Patreon integration, goal series, auditing, and the public HTML tracker. Local contracts can be satisfied; launch claims stay blocked until live Patreon credentials, webhook capture, and member proof exist.
Every milestone needs a receipt before it can move right.
This ledger translates Patreon documentation into Chopshopr-specific checkpoints, without putting client secrets, access tokens, refresh tokens, or webhook secrets into browser code.
| Area | Gate | Proof required | Risk | Status |
|---|
Keep Patreon trust at the server boundary.
The browser can show progress and start account linking. Client secret stays server-side; token exchange, token storage, webhook verification, and entitlement decisions stay behind Chopshopr server code.
Patreon creator account, client id, client secret, allowed redirect URI.
www.patreon.com/oauth2/authorize
Stored state verification, one-time code handling, server-side token exchange, receipt, and scheduled refresh.
/api/patreon/oauth/callback
Campaign lookup, paginated member ingestion, email-scoped match where approved.
/api/patreon/sync -> /api/oauth2/v2/campaigns/{campaign_id}/members
Member and pledge triggers update local entitlement state after HMAC validation.
/api/patreon/webhook
The route now fails closed until Patreon is actually configured.
/api/patreon/readiness reports missing environment keys. The local audit command is
bun run patreon:audit -- --json. OAuth and webhook actions refuse to proceed without
server-side secrets. OAuth start stores state in a retained server-side session table. The callback
exchanges codes against www.patreon.com/api/oauth2/token, stores access and refresh
tokens server-side, returns only a token receipt, and rotates expiring token rows every six hours.
Protected manual refresh is available at /api/patreon/oauth/refresh. /api/patreon/sync requires
x-chopshopr-patreon-sync-secret, reads paginated campaign members, and writes stored
entitlement records. /api/patreon/entitlement uses the same admin secret to look up
member access by member id or email and returns only active, tier, access, source, and timestamp
receipts. It does not return member email or full name. /api/patreon/webhooks uses the same admin secret to list or create
Patreon webhooks while redacting returned signing secrets. Webhook endpoint validates X-Patreon-Signature against raw request body.
Webhook delivery still lands at
/api/patreon/webhook, which validates X-Patreon-Signature against raw request body before
updating the retained entitlement table. Live receiver proof still requires storing Patreon's webhook
signing secret in the deployed server secret store. Release verification runs through
bun run patreon:live-verify -- --base-url https://chopshopr.ai --json; that public proof checks
the tracker route, the /support/ handoff marker, the no-local-checkout boundary, tier-code parity,
and the readiness endpoint. Protected webhook ops and entitlement probing require --protected plus the admin sync secret. Access lookup proof can add
--member-id or --email, and the verifier redacts returned secret and identity fields.
The public supporter handoff lives at /support/, keeps the Patreon page marked pending, and has no local checkout.
Launch sequencing is now captured by bun run patreon:launch-packet -- --json, which maps
every remaining CHOPSHOPR_PATREON_* deploy input, Secrets Manager id, support-page,
and live-verifier gate to an owner without printing secret values. bun run patreon:launch-runbook -- --json --write-report memory-bank/artifacts/patreon-launch-runbook/latest-report.json
turns that packet into the two-pass operator path: generated webhook placeholder for first deploy,
bun run patreon:webhook-capture -- --apply --json creation/capture that writes the returned signing secret to Secrets Manager without printing it,
bun run patreon:activate-support -- --dry-run --json validation for the real creator URL,
support-page flip, redeploy, and live member proof. bun run patreon:credential-intake -- --json --write-report memory-bank/artifacts/patreon-credential-intake/latest-report.json
emits the private-input credential intake and receipt checklist without raw secrets, with an operator env-file copy able to drive launch control, completion report, packet refresh, secret bootstrap dry-runs, and deploy-safe CDK runtime wiring. bun run patreon:operator-packet -- --json --write-report memory-bank/artifacts/patreon-operator-handoff/latest-report.json
emits the external operator account, secret-destination, webhook, support, and live-proof packet without raw secrets.
bun run patreon:launch-rehearsal -- --json --write-report memory-bank/artifacts/patreon-launch-rehearsal/latest-report.json
runs a redacted synthetic ready-state rehearsal across the same launch packet, launch control, and completion audit without calling Patreon or AWS.
bun run patreon:production-audit -- --json --write-report memory-bank/artifacts/patreon-production-audit/latest-report.json
records the deployed stack, Lambda runtime-key presence, public readiness, and protected-proof readiness without printing Lambda environment values or physical resource ids.
bun run patreon:release-gate -- --json --live --strict --expected-revision "$(git rev-parse --short=12 HEAD)" --write-report memory-bank/artifacts/patreon-release-gate/latest-report.json
ties the current git revision to the live deployed metadata header and imports the final production, webhook,
live-proof, and completion receipts into one release go/no-go artifact.
bun run patreon:operator-env-check -- --write-env-template memory-bank/artifacts/patreon-operator-env-check/operator.env.template
keeps the first account-input handoff as a blank dotenv artifact before any strict check or secret bootstrap.
The public tracker data is regenerated with
bun run patreon:launch-packet -- --write-dashboard-data sites/chopshopr/labs/patreon-integration/dashboard-data.js
so the HTML goal board stays tied to the same readiness audit. The final protected verifier can write
memory-bank/artifacts/patreon-live-proof/latest-report.json with redacted dashboard, readiness,
webhook, and entitlement proof for release review with --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID".
The objective completion state can be captured with
bun run patreon:completion-report -- --env-file "$CHOPSHOPR_PATREON_OPERATOR_ENV_FILE" --json --live-base-url https://chopshopr.ai --protected --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID" --aws-profile "PowerUserAccess-837098963105" --member-id "$CHOPSHOPR_PATREON_PROOF_MEMBER_ID" --strict --write-report memory-bank/artifacts/patreon-completion-report/latest-report.json
so the goal, audit, evidence, blocker, completion, private env-file source, and live-verifier ledger is saved without secret values, secret-id values, or env-file paths.
Definition of done for a real Patreon-backed Chopshopr release.
OAuth state/token receipt and refresh tests, paginated sync fixture, protected entitlement lookup fixture, webhook create/list fixture, webhook HMAC fixture, entitlement storage tests, launch rehearsal report, and live verifier mock tests.
Registered redirect URI, creator account secrets, Patreon creator page URL, sync backfill, protected entitlement lookup by member id/email, webhook registration receipt, captured webhook signing secret, no browser secrets.
bun run patreon:webhook-capture -- --apply --json --base-url https://chopshopr.ai --creator-token-secret-id "$CHOPSHOPR_PATREON_CREATOR_ACCESS_TOKEN_SECRET_ID" --webhook-secret-id "$CHOPSHOPR_PATREON_WEBHOOK_SECRET_ID" --aws-profile "PowerUserAccess-837098963105" --write-report memory-bank/artifacts/patreon-webhook-capture/latest-report.json, bun run patreon:production-audit -- --json --protected --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID" --aws-profile "PowerUserAccess-837098963105" --member-id "$CHOPSHOPR_PATREON_PROOF_MEMBER_ID" --strict --write-report memory-bank/artifacts/patreon-production-audit/latest-report.json, bun run patreon:live-verify -- --base-url https://chopshopr.ai --protected --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID" --aws-profile "PowerUserAccess-837098963105" --member-id "$CHOPSHOPR_PATREON_PROOF_MEMBER_ID" --json --strict --write-report memory-bank/artifacts/patreon-live-proof/latest-report.json, bun run patreon:completion-report -- --env-file "$CHOPSHOPR_PATREON_OPERATOR_ENV_FILE" --json --live-base-url https://chopshopr.ai --protected --sync-secret-id "$CHOPSHOPR_PATREON_SYNC_SECRET_ID" --aws-profile "PowerUserAccess-837098963105" --member-id "$CHOPSHOPR_PATREON_PROOF_MEMBER_ID" --strict --write-report memory-bank/artifacts/patreon-completion-report/latest-report.json, bun run patreon:release-gate -- --json --live --strict --expected-revision "$(git rev-parse --short=12 HEAD)" --write-report memory-bank/artifacts/patreon-release-gate/latest-report.json, real membership link, downgrade simulation, deploy verification, and redacted release receipts.