Add strict Stripe checkout guard via env flag

backend/alwrity_utils/router_manager.py

@@ -16,22 +16,15 @@ class RouterManager:
         self.app = app
         self.included_routers = []
         self.failed_routers = []
-        self._included_router_names = set()
     
     def include_router_safely(self, router, router_name: str = None) -> bool:
         """Include a router safely with error handling."""
         verbose = os.getenv("ALWRITY_VERBOSE", "false").lower() == "true"
-        router_name = router_name or getattr(router, 'prefix', 'unknown')
-
-        if router_name in self._included_router_names:
-            if verbose:
-                logger.info(f"↩️ Router already included, skipping duplicate: {router_name}")
-            return True
 
         try:
             self.app.include_router(router)
+            router_name = router_name or getattr(router, 'prefix', 'unknown')
             self.included_routers.append(router_name)
-            self._included_router_names.add(router_name)
             if verbose:
                 logger.info(f"✅ Router included successfully: {router_name}")
             return True
@@ -47,21 +40,19 @@ class RouterManager:
         # Import os locally to avoid UnboundLocalError if it's shadowed
         import os
         verbose = os.getenv("ALWRITY_VERBOSE", "false").lower() == "true"
-        demo_mode = os.getenv("ALWRITY_DEMO_MODE", "false").lower() == "true"
 
         try:
             if verbose:
-                logger.info(f"Including core routers (demo_mode={demo_mode})...")
-
-            # Subscription router MUST always be included (including demo mode) so
-            # payment/preflight/subscription endpoints remain available.
-            from api.subscription import router as subscription_router
-            self.include_router_safely(subscription_router, "subscription")
+                logger.info("Including core routers...")
 
             # Component logic router
             from api.component_logic import router as component_logic_router
             self.include_router_safely(component_logic_router, "component_logic")
             
+            # Subscription router
+            from api.subscription import router as subscription_router
+            self.include_router_safely(subscription_router, "subscription")
+            
             # Step 3 Research router (core onboarding functionality)
             from api.onboarding_utils.step3_routes import router as step3_research_router
             self.include_router_safely(step3_research_router, "step3_research")

backend/app.py

@@ -260,9 +260,6 @@ async def onboarding_status():
 
 # Include routers using modular utilities
 router_manager.include_core_routers()
-# Safety net: keep subscription routes available even if core inclusion flow changes
-# in special modes (e.g., demo mode). De-dup is handled by RouterManager.
-router_manager.include_router_safely(subscription_router, "subscription")
 router_manager.include_optional_routers()
 
 # Include assets serving router (must be mounted to serve generated images)

backend/main.py

@@ -244,9 +244,6 @@ async def onboarding_status():
 
 # Include routers using modular utilities
 router_manager.include_core_routers()
-# Safety net: keep subscription routes available even if core inclusion flow changes
-# in special modes (e.g., demo mode). De-dup is handled by RouterManager.
-router_manager.include_router_safely(subscription_router, "subscription")
 router_manager.include_optional_routers()
 
 # SEO Dashboard endpoints

backend/services/subscription/stripe_service.py

@@ -16,6 +16,10 @@ REQUIRED_STRIPE_PLAN_KEYS = {
 }
 
 
+def _is_truthy_env(var_name: str) -> bool:
+    return os.getenv(var_name, "").strip().lower() in {"1", "true", "yes", "on"}
+
+
 def _detect_stripe_mode() -> str:
     configured_mode = os.getenv("STRIPE_MODE", "").strip().lower()
     if configured_mode in {"test", "live"}:
@@ -98,7 +102,16 @@ class StripeService:
         self.db = db
         self.api_key = os.getenv("STRIPE_SECRET_KEY")
         self.webhook_secret = os.getenv("STRIPE_WEBHOOK_SECRET")
+        self.require_stripe_checkout = _is_truthy_env("REQUIRE_STRIPE_CHECKOUT")
         if not self.api_key:
+            if self.require_stripe_checkout:
+                raise HTTPException(
+                    status_code=500,
+                    detail=(
+                        "REQUIRE_STRIPE_CHECKOUT=true but STRIPE_SECRET_KEY is missing. "
+                        "Configure STRIPE_SECRET_KEY to enable Stripe checkout."
+                    ),
+                )
             logger.warning("STRIPE_SECRET_KEY is not set. Stripe integration will not work.")
         else:
             stripe.api_key = self.api_key

frontend/src/components/Pricing/PricingPage.tsx

@@ -52,6 +52,10 @@ export interface SubscriptionPlan {
 }
 
 const PricingPage: React.FC = () => {
+  const requireStripeCheckout = ['1', 'true', 'yes', 'on'].includes(
+    (process.env.REACT_APP_REQUIRE_STRIPE_CHECKOUT || '').toLowerCase()
+  );
+  const stripePublishableKey = process.env.REACT_APP_STRIPE_PUBLISHABLE_KEY;
   const navigate = useNavigate();
   const [plans, setPlans] = useState<SubscriptionPlan[]>([]);
   const [loading, setLoading] = useState(true);
@@ -173,7 +177,7 @@ const PricingPage: React.FC = () => {
       const userId = localStorage.getItem('user_id') || 'anonymous';
 
       // Check if Stripe is configured
-      if (process.env.REACT_APP_STRIPE_PUBLISHABLE_KEY) {
+      if (stripePublishableKey) {
         console.log('[PricingPage] Initiating Stripe Checkout');
 
         const response = await apiClient.post('/api/subscription/create-checkout-session', {
@@ -187,6 +191,14 @@ const PricingPage: React.FC = () => {
           window.location.href = response.data.url;
           return;
         }
+
+        if (requireStripeCheckout) {
+          throw new Error('Stripe checkout is required but checkout URL was not returned.');
+        }
+      } else if (requireStripeCheckout) {
+        throw new Error(
+          'Stripe checkout is required but REACT_APP_STRIPE_PUBLISHABLE_KEY is not configured.'
+        );
       }
 
       console.log('[PricingPage] Making legacy subscription API call:', {
@@ -271,7 +283,8 @@ const PricingPage: React.FC = () => {
       }, 3000);
     } catch (err) {
       console.error('Error subscribing:', err);
-      setError('Failed to process subscription');
+      const errorMessage = err instanceof Error ? err.message : 'Failed to process subscription';
+      setError(errorMessage);
       setSuccessSnackbar({ open: false, message: '', countdown: 0 });
     } finally {
       setSubscribing(false);