O Promptbook substitui um pentest?

Não. Ele ajuda a encontrar sinais e organizar a revisão. Validação de impacto, cadeia de exploração e confirmação de correção ficam no Pentest Manual.

Por que o Pentest Manual não fica em checkout comum?

Porque escopo, autorização, ambiente e risco operacional precisam ser avaliados antes da proposta.

Stripe and digital delivery: why the success page cannot unlock access

Payment confirmed is not the same as page loaded

The common digital-product mistake is unlocking material when the customer returns to the success page. That breaks in simple scenarios: the browser closes, the network fails, redirect never happens, async methods settle later, or someone tries to forge a URL.

The healthier path is server-side: Stripe confirms the event, the server verifies the signature, the system generates a personal link, and the customer receives a transactional e-mail.

What must exist before selling

Hosted Checkout, with no card data touching RET servers.
Webhook verification over the raw request body.
Idempotency for retries and concurrent delivery attempts.
Temporary signed link without plaintext e-mail in the token.
ZIP with manifest, hash, complete files, and portable names.
E-mail with clear text, simple fallback, and support path.

Where delivery usually breaks

Webhook accepts JSON without verifying the signature.
Test events reach production.
Download link becomes public or permanent.
ZIP misses newly added product files.
E-mail promises an attachment but sends a broken link.
Checkout remains enabled when delivery is not configured.

Good digital delivery does not depend on redirect luck. It depends on signed events, traceable access, and a package checked before production.

Payment confirmed is not the same as page loaded

The healthier path is server-side: Stripe confirms the event, the server verifies the signature, the system generates a personal link, and the customer receives a transactional e-mail.

What must exist before selling

Hosted Checkout, with no card data touching RET servers.
Webhook verification over the raw request body.
Idempotency for retries and concurrent delivery attempts.
Temporary signed link without plaintext e-mail in the token.
ZIP with manifest, hash, complete files, and portable names.
E-mail with clear text, simple fallback, and support path.

Where delivery usually breaks

Webhook accepts JSON without verifying the signature.
Test events reach production.
Download link becomes public or permanent.
ZIP misses newly added product files.
E-mail promises an attachment but sends a broken link.
Checkout remains enabled when delivery is not configured.

Good digital delivery does not depend on redirect luck. It depends on signed events, traceable access, and a package checked before production.