Security Notes

This page describes the current security-related principles of the active LiVi billing and access architecture.

Current scope

At the current stage, the documented security layer is focused on payment processing, access validation and backend state consistency.

It is not yet a complete platform-wide security specification.

Main security principles

Server-side access validation

Access state should be determined by backend entitlement state rather than by local UI state alone.

This reduces the risk of false local access restoration and keeps product access tied to the actual backend record.

Payment confirmation through webhook

Payment completion is handled through backend callback processing rather than only through the frontend return flow.

This helps separate visual return behavior from actual payment confirmation state.

Idempotent payment handling

Payment events should be processed in a way that avoids duplicate access activation or repeated state mutation from the same payment callback.

Signature verification

Webhook processing should rely on payment-provider verification logic before mutating payment or access state.
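
The ordering described above (verify the callback, deduplicate it, then change entitlement state, and answer access checks from that state) is sketched below as an added example; it is not LiVi's own code. It assumes an HMAC-SHA256 signature over the raw body and hypothetical names (`BillingBackend`, `event_id`, `payment.succeeded`), since the page does not name the provider or its event format.

```python
import hashlib
import hmac
import json

# Assumption: provider signs the raw body with HMAC-SHA256 and a shared secret.
WEBHOOK_SECRET = b"constructed-test-secret"  # constructed; load from env in practice


class BillingBackend:
    """In-memory stand-in for the backend entitlement store (hypothetical)."""

    def __init__(self):
        self.processed_events = set()   # event ids already applied
        self.entitlements = {}          # user_id -> number of activations

    def handle_webhook(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Verify over the raw bytes before parsing or touching any state.
        expected = hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return "rejected"
        event = json.loads(raw_body)
        # 2. Idempotency: a redelivered callback must not mutate state again.
        if event["event_id"] in self.processed_events:
            return "duplicate"
        self.processed_events.add(event["event_id"])
        if event["type"] == "payment.succeeded":
            user = event["user_id"]
            self.entitlements[user] = self.entitlements.get(user, 0) + 1
        return "processed"

    def has_access(self, user_id: str) -> bool:
        # 3. Access is answered from the backend record, never from UI state.
        return self.entitlements.get(user_id, 0) > 0


def sign(raw_body: bytes) -> str:
    """Plays the provider's side for the constructed sample event."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def demo():
    backend = BillingBackend()
    body = b'{"event_id": "evt_1", "type": "payment.succeeded", "user_id": "u42"}'
    results = [
        backend.handle_webhook(body, "00" * 32),   # bad signature
        backend.handle_webhook(body, sign(body)),  # first delivery
        backend.handle_webhook(body, sign(body)),  # provider retry
    ]
    return results, backend.entitlements, backend.has_access("u42")
```

In a real deployment the processed-event record and the entitlement update would be written in one database transaction, so a crash between the two cannot leave a payment marked as handled without access being granted.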

Separation of roles

The current structure separates:

  • product UI
  • billing UI
  • payment processing
  • backend access state

This reduces confusion and limits the amount of sensitive logic living directly in the product frontend.

Environment separation

Projects deployed in separate environments may require separate environment variable configuration.

A newly deployed billing or product project should not be assumed to inherit previous environment settings automatically.

Current limitation

The present documentation reflects the current active billing and access layer only.

Broader platform-level security policies, account security and future developer authentication layers may be documented later as the system expands.