home / skills / phrazzld / claude-config / fix-stripe

fix-stripe skill

safe

/skills/fix-stripe

This skill audits Stripe integration and fixes the highest-priority issue one at a time, then verifies the result.

npx playbooks add skill phrazzld/claude-config --skill fix-stripe

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.7 KB

---
name: fix-stripe
description: |
  Run /check-stripe, then fix the highest priority Stripe issue.
  Creates one fix per invocation. Invoke again for next issue.
  Use /log-stripe-issues to create issues without fixing.
effort: high
---

# /fix-stripe

Fix the highest priority Stripe integration issue.

## What This Does

1. Invoke `/check-stripe` to audit Stripe integration
2. Identify highest priority issue
3. Fix that one issue
4. Verify the fix
5. Report what was done

**This is a fixer.** It fixes one issue at a time. Run again for next issue. Use `/stripe` for full lifecycle.

## Process

### 1. Run Primitive

Invoke `/check-stripe` skill to get prioritized findings.

### 2. Fix Priority Order

Fix in this order:
1. **P0**: Missing webhook secret, hardcoded keys
2. **P1**: Webhook verification, customer portal, subscription checks
3. **P2**: Idempotency, error handling
4. **P3**: Advanced features

### 3. Execute Fix

**Missing webhook secret (P0):**
Add to `.env.local`:
```
STRIPE_WEBHOOK_SECRET=whsec_...
```

Get from Stripe Dashboard or CLI:
```bash
stripe listen --print-secret
```

**Hardcoded keys (P0):**
Replace hardcoded keys with environment variables:
```typescript
// Before
const stripe = new Stripe('sk_test_...', { apiVersion: '2024-12-18.acacia' });

// After
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, { apiVersion: '2024-12-18.acacia' });
```

**Webhook verification missing (P1):**
Update webhook handler:
```typescript
export async function POST(req: Request) {
  const body = await req.text();
  const signature = req.headers.get('stripe-signature')!;

  let event: Stripe.Event;
  try {
    event = stripe.webhooks.constructEvent(
      body,
      signature,
      process.env.STRIPE_WEBHOOK_SECRET!
    );
  } catch (err) {
    return new Response('Webhook signature verification failed', { status: 400 });
  }

  // Handle event...
}
```

**No customer portal (P1):**
Add billing portal endpoint:
```typescript
// app/api/stripe/portal/route.ts
export async function POST(req: Request) {
  const { customerId } = await req.json();

  const session = await stripe.billingPortal.sessions.create({
    customer: customerId,
    return_url: `${process.env.NEXT_PUBLIC_APP_URL}/settings`,
  });

  return Response.json({ url: session.url });
}
```

**Subscription status not checked (P1):**
Add subscription check middleware:
```typescript
async function requireActiveSubscription(userId: string) {
  const subscription = await getSubscription(userId);
  if (!subscription || subscription.status !== 'active') {
    throw new Error('Active subscription required');
  }
}
```

### 4. Verify

After fix:
```bash
# Test webhook verification
stripe trigger checkout.session.completed

# Check portal works
curl -X POST http://localhost:3000/api/stripe/portal \
  -H "Content-Type: application/json" \
  -d '{"customerId": "cus_test"}'
```

### 5. Report

```
Fixed: [P0] Webhook signature not verified

Updated: app/api/webhooks/stripe/route.ts
- Added signature verification with constructEvent()
- Added error handling for invalid signatures

Verified: stripe trigger checkout.session.completed → verified

Next highest priority: [P1] No customer portal
Run /fix-stripe again to continue.
```

## Branching

Before making changes:
```bash
git checkout -b fix/stripe-$(date +%Y%m%d)
```

## Single-Issue Focus

Payment integrations are critical. Fix one thing at a time:
- Test each change thoroughly
- Easy to rollback specific fixes
- Clear audit trail for PCI

Run `/fix-stripe` repeatedly to work through the backlog.

## Related

- `/check-stripe` - The primitive (audit only)
- `/log-stripe-issues` - Create issues without fixing
- `/stripe` - Full Stripe lifecycle
- `/stripe-health` - Webhook diagnostics

Overview

This skill runs /check-stripe, finds the highest priority Stripe integration issue, and applies a single focused fix per invocation. It automates one remediation step, verifies the change, and reports results so you can run it again to address the next issue. Use it when you want incremental, auditable fixes to Stripe configurations and handlers.

How this skill works

First it calls /check-stripe to produce a prioritized list of findings. It selects the top-priority item (P0 → P1 → P2 → P3), applies a single, targeted code or configuration change, then runs basic verification (webhook triggers or API calls). Finally it produces a short report describing the change, files updated, verification results, and the next highest priority issue.

When to use it

You have a Stripe audit report and want automated, one-at-a-time fixes.
Critical issues like missing webhook secrets or hardcoded API keys are present.
You need traceable, small commits for payment integration changes.
You prefer incremental remediation to reduce risk and simplify rollbacks.
You want automated verification after each fix.

Best practices

Run in a feature branch (e.g., fix/stripe-YYYYMMDD) and test before merge.
Fix only one issue per invocation to keep changes small and reviewable.
Keep secrets out of source control; store keys in environment variables.
Use Stripe CLI to generate webhook secrets and trigger events for verification.
Document each fix in the report so auditors can follow the change history.

Example use cases

Add STRIPE_WEBHOOK_SECRET to .env.local and update webhook handler to verify signatures.
Replace hardcoded secret keys with process.env environment variables in server code.
Add a billing portal endpoint so customers can manage subscriptions.
Enforce subscription status checks before granting paid features.
Improve idempotency or error handling for retry-prone payment endpoints.

FAQ

How many issues does this skill fix per run?

It fixes exactly one prioritized issue per invocation. Run it again to address the next item.

Will it push commits automatically?

The skill prepares and verifies the change; follow your workflow to commit and push from the feature branch to maintain auditability.