Status & roadmap
What this is: the precise, un-rounded state of the system. Read this before quoting any capability as “done.”
Who it’s for: anyone deciding whether they can build on a piece of this yet, or reporting status upward.
What to read next: Operational guardrails · Architecture · Routing & failover.
Headline — do not round up. The Phase-A foundation is in review
(PR #1222, LOO-2182) and
inert: the orchestrator and vault are not on the live checkout path. The
PSP charge legs are stubbed pending sandbox credentials; only the Basis
Theory vault leg is real-tested (against a TEST tenant). Banks are secured but
routing is not live. Going live is gated on counsel sign-off (LOO-2206),
vendor sandbox credentials, and an NmiProvider (LOO-2192).
Legend
| Label | Meaning |
|---|---|
| 🟢 Built | Code merged in the foundation PR; tested. May be inert (not wired to a live path). |
| 🟡 Stubbed | A real interface exists, backed by a stub/skeleton; needs a real implementation or credentials. |
| 🔶 Gated | Blocked on a non-code prerequisite (counsel, banking, vendor creds, a confirmed tenant). |
| ⬜ Planned | Designed in ADR-0093; not yet built. |
What’s built vs stubbed vs gated vs planned
| Capability | State | Notes |
|---|---|---|
RoutingPolicyEngine (eligibility, kill-switch, ordering) | 🟢 Built · inert | Not instantiated on the live charge path. |
chargeAcrossProviders (cross-PSP cascade) | 🟢 Built · inert | No-double-charge invariant proven offline. |
PaymentOrchestrator (composes the two) | 🟢 Built · inert | Resolves providers by name. |
TokenVault / TokenChargeProvider interfaces | 🟢 Built | The two seams. |
De-Striped, capability-segregated PaymentProvider | 🟢 Built | LOO-2225. |
EntityRegistry + 7-entity seed + payments.entities (0005) | 🟢 Built | MID ids/statuses are Phase-0 placeholders (🔶). |
Recon-ready ledger dimensions (accounting 0006) | 🟢 Built | Columns only; recon engine is ⬜. |
Canonical identity map (identity.user_external_ids, 0024) | 🟢 Built | The linchpin (LOO-2220). |
PaymentSessionService + FulfillmentGate | 🟢 Built (skeleton) | Mints pending sessions with placeholder URLs; gate is 🟡 in-memory. |
| No-double-charge + eligibility proof tests | 🟢 Built · passing | Offline, against StubVault + StubProvider. |
| LOO-2203 idempotency fix (deterministic keys) | 🟢 Built | Replaces randomUUID() key. |
StripeProvider | 🟢 Built | The only real provider; legacy, hardcoded, no routing. |
StubProvider / StubVault | 🟢 Built | Back the offline proofs; honest fallback. |
| PSP charge legs (real money) | 🟡 Stubbed | Need sandbox creds + NmiProvider. |
BasisTheoryVault wiring into the service | 🔶 Gated | Built, but not instantiated; needs a confirmed tenant (LOO-2189 / 2224). The vault leg is real-tested via a gated spike against a BT TEST tenant. |
| Live routing of real money | 🔶 Gated | Banks secured; counsel sign-off (LOO-2206) + sandbox creds + NmiProvider (LOO-2192) required. |
| Cart→category derivation (bind product to intent) | ⬜ Planned | Prerequisite before any real MID routes money (LOO-2190 / 2227). |
NmiProvider (first non-Stripe provider) | ⬜ Planned | LOO-2192 — proves the abstraction. |
| Own-clock subscription engine on vault tokens | ⬜ Planned | Phase B (ADR-0084). |
| Account-updater | ⬜ Planned | Phase B; depends on Loop-owned-TRID network tokens (LOO-2207). |
| Discount / price-resolution seam | ⬜ Planned | Cross-system #2. |
| Real-time CDP customer-context API | ⬜ Planned | Cross-system #4. |
| 3-way reconciliation, reserves, MoR, tax, chargeback survival | ⬜ Planned | Phase C (e.g. LOO-2210). |
LoopVault / own CDE (SAQ D) | ⬜ Planned · gated | Phase D destination; trigger-gated. |
What PR #1222 actually ships
The foundation is the abstraction + the recon-ready data + the proofs, deliberately not a live money path:
- the two seams (
PaymentProviderde-Striped +TokenVault); - the three routing primitives with the no-double-charge + eligibility proofs (offline);
- the entity registry + seed (Phase-0 placeholders) and
payments.entity_id; - recon-ready ledger dimensions and the canonical identity map;
- the payment-session contract + fulfillment-gate skeleton;
BasisTheoryVault(built, not wired) + a gated BT TEST-tenant spike.
It does not ship: a live charge through the orchestrator, a real PSP charge leg, a wired vault, or any of the Phase B/C/D capabilities.
Roadmap (from ADR-0093)
| Phase | Scope | State |
|---|---|---|
| Phase 0 | Banking & compliance (MID/TOS audit per LLC×product; ≥2 warm high-risk acquirers per RUO entity; counsel sign-off on the entity↔product↔MID matrix + MoR/tax; secure a Loop-owned TRID) | 🔶 In progress / gating — non-code, gates the software |
| Phase A | Thin slice (SAQ A): real entity_id + recon-ready dimensions; one NmiProvider auth+capture; provider-neutral attempt ledger + deterministic idempotency + eligibility-constrained failover + no-double-charge proof | 🟢/🟡 In review (PR #1222); abstraction + proofs built, live charge stubbed |
| Phase B | Exportable, high-risk-confirmed vault + network tokens (Loop-owned TRID); validate cross-acquirer portability; migrate recurring off Stripe Billing with account-updater + dunning | ⬜ Planned |
| Phase B-ROC | Scope-minimized Level 1 ROC (parallel, volume-triggered) | ⬜ Planned |
| Phase C | 3-way reconciliation per MID per entity; reserve/settlement modeling; chargeback monitoring (ECM/VAMP) + Ethoca/RDR + representment; MoR + sales-tax/VAT/nexus; KYC/AML + OFAC on payouts | ⬜ Planned |
| Phase D | Own CDE (SAQ D) — unchanged destination, trigger-gated | ⬜ Planned · gated |
The gates to “live”
Every one of these is required before a single real charge routes through the orchestrator. None are satisfied yet.
Reference tickets
- Epic: LOO-2182 (Unified Payment Orchestration) · PR: #1222
- Entity model: LOO-2187 · Routing: LOO-2190 · Safety/no-double-charge: LOO-2208 · Spike: LOO-2226
- De-Striping: LOO-2225 · Idempotency fix: LOO-2203 · Recon dimensions: LOO-2209 · Identity map: LOO-2220
- Payment session: LOO-2222 · Hosted surface: LOO-2227 · Network tokens/TRID: LOO-2207
- Gates: counsel sign-off LOO-2206 ·
NmiProviderLOO-2192 · BT wiring LOO-2189 / 2224 · Phase-0 LOO-2204 / 2205 / 2206 - Governance: LOO-2215 (human sign-off on money paths) · Payouts KYC: LOO-2213
Ticket numbers are drawn from the ADR and the foundation code comments. For live status, the Linear epic LOO-2182 and its children are the source of truth.
See also
- Operational guardrails — Phase-0 gating + human sign-off
- Architecture — where each built/planned piece sits
- Overview & why — the problem this all serves