Reviewed changes — mirrors the workspace's Deploy plan into a new workspaces.deploy_plan column via the customer.subscription.* Stripe webhooks so the deploy gate and dashboard can read entitlement from the local DB instead of Stripe.

• Add deployPlan column — nullable varchar(64) on the drizzle workspaces schema; DDL is applied via drizzle-kit push (the migrate script wired into .depot/workflows/job_pscale_pr.yaml), so no SQL migration file is needed.
• New detectDeployPlan helper — scans sub.items.data[].price.metadata.plan (trimmed), returns the first recognized plan from DEPLOY_PLANS = [starter, pro, business], fails closed with a console.warn on an unrecognized value, and reads only the webhook payload (no extra Stripe calls). Solid unit coverage in deployPlan.test.ts.
• Wire mirrorDeployPlan into the webhook — writes deployPlan only when it changed; called in subscription.updated (ahead of every skip-path), subscription.deleted (sets null), and subscription.created (best-effort lookup by stripeSubscriptionId).

⚠️ subscription.created mirror loses the race with the workspace→subscription link

The created handler looks up the workspace by stripeSubscriptionId == sub.id, but the row isn't linked to the subscription at that moment. The createSubscription mutation calls Stripe first and only writes stripeSubscriptionId to the DB after the create call returns, while Stripe fires customer.subscription.created the instant the subscription exists. The webhook commonly wins the race, so wsForDeploy is null and the mirror is skipped.

The inline comment leans on "a later subscription.updated syncs it," but Stripe only emits subscription.updated on an actual change. A brand-new Deploy subscription that is never modified produces no such event, so deployPlan stays null until some unrelated future billing change happens to fire an updated webhook. The createSubscription mutation itself does not set deployPlan, so there is no in-band write to fall back on.

# `subscription.created` mirror loses the race with the workspace→subscription link

## Affected sites
- `web/apps/dashboard/app/api/webhooks/stripe/route.ts:440-446` — looks up `wsForDeploy` by `stripeSubscriptionId == sub.id`; null in the common case at create time.
- `web/apps/dashboard/lib/trpc/routers/stripe/createSubscription.ts:158-165` — writes `stripeSubscriptionId: sub.id` to the DB only *after* `stripe.subscriptions.create` returns, so the link doesn't exist when the `created` webhook arrives.

## Required outcome
- A workspace that creates a Deploy subscription has `deployPlan` populated promptly (within the create flow), not contingent on a future unrelated `subscription.updated` event.

## Suggested approach (optional)
- Set `deployPlan: detectDeployPlan(sub)` inline in the `createSubscription` transaction at `createSubscription.ts:158-165`, alongside `stripeSubscriptionId`/`tier`. That makes the create path authoritative and reduces the webhook to a redundant best-effort safety net. The `created` webhook block can stay as-is for paths that create subscriptions outside this mutation.

## Open questions for the human
- Are there subscription-creation paths other than the `createSubscription` mutation (e.g. Stripe-dashboard-created subs, imports) that rely solely on the webhook? If so, the webhook race still leaves those unmirrored until the next `updated`, and a backfill/reconcile may be warranted.

ℹ️ Go-side workspaces schema has no deploy_plan column yet

The PR's stated goal is that the deploy gate reads entitlement from the local DB, but the deploy gate is a Go service whose schema-of-record for sqlc codegen is pkg/mysql/schema/workspaces.sql, which does not define deploy_plan. This is expected for the write-only half of ENG-2872 and there's no live drift — drizzle-kit push owns the real column on PlanetScale, and the Go .sql is a codegen input, not applied DDL. Flagging only so the follow-up "read half" PR remembers to add the column there before the Go reader can select it.

  ^{｜ Fix it ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

ℹ️ No critical issues — one minor suggestion inline. The created-case race flagged in the prior review remains open (the .created block is unchanged), but it is already on record so I am not re-raising it here.

Reviewed changes — the branch was rebased onto newer main since the prior review at a204b01; the only content change is a temporary debug log added inside mirrorDeployPlan.

• Temporary console.info in mirrorDeployPlan — logs workspaceId, subscriptionId, detectedPlan, previousPlan, and changed on every webhook call (subscription.created / updated / deleted), guarded by a Remove once verified comment. Detection, schema, deletion-clears-plan, and best-effort .created lookup are otherwise unchanged from the prior review.

  ^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}