The Never Contract.
Numbered promises. The enforceable ones fail our deploy.
0 · Ways this page could still lie
- The checks run in a private repository’s CI. A public mirror of the check scripts is planned, pending a founder decision — until it exists you are trusting our word that the checks below are the checks that actually run.
- iOS releases are audited post-release, not deploy-gated: App Store review sits between us and production, so a native build is verified after it ships, not before.
- A malicious maintainer could delete these checks in the same commit that breaks a promise. That is exactly what the planned public mirror is meant to fix.
- This page is rebuilt at deploy time by the same pipeline it describes — it is not an independent auditor of itself.
- The source scan strips comments with a heuristic, and promises like “never sell your data” are things a build cannot fully prove — those carry no badge for that reason.
Enforced by code
Each clause below maps 1:1 to an executable check. If the code stops honoring it, the build fails — the badge is the mechanism, stated in plain English.
- 1
Our paywall can never promise more than the code actually grants.✓CI-enforced
The entitlements smoke test asserts every benefit line in the iOS paywall equals the plan quota hard-coded in
server/entitlements.ts, and fails the build if they drift; it runs in CI on every push and pull request. - 2
The web app can never quietly carry the App Store billing SDK.✓CI-enforced
CI greps the built web bundle and fails if the App Store billing SDK (
react-native-purchases/RNPurchases) is present; it runs in GitHub Actions on every push and pull request. - 3
The caught-up share receipt can never claim numbers beyond hard-coded bounds, and its page and preview image can never disagree.✓CI-enforced
The
og:smoketest asserts the caught-up receipt's numbers are clamped to hard bounds (≤5000 cleared, ≤500 senders) and that its /r page and /og/receipt preview image are both derived from one shared contract; it runs in CI on every push and pull request. - 4
We will never add a streak.✓CI-enforced
never-checks N1scans the app's source (comments stripped) for streak, daily-goal and “don't break the chain” language and fails on any match; it runs in CI and before every site deploy. - 5
The deck can never become an infinite scroll.✓CI-enforced
never-checks N2scans the deck screens for infinite-scroll primitives (FlatList onEndReached,InfiniteScroll) and fails on any match; it runs in CI and before every site deploy. - 6
We will never send you a re-engagement or win-back notification.✓CI-enforced
never-checks N3scans the app and server for re-engagement, win-back and come-back-notification code and fails on any match; it runs in CI and before every site deploy. - 13
When Flick reaches the end of the deck, we will never claim we closed your inbox for you.✓CI-enforced
never-checks N4fails the build if the end-of-deck copy in lib/terminus.ts ever claims Flick “closed” your inbox for you (rather than that you closed Flick); it runs in CI and before every site deploy. If that copy module is ever removed, N5 fails the build so this badge can never outlive its check.
Promises we make
Real commitments we can’t yet machine-verify. No badge — we won’t put a check mark on a sentence a check doesn’t prove.
- 7
We will never sell your data.
PromiseA promise, not a proof — nothing in our pipeline can machine-verify a data sale never happened. Our business model (paid subscriptions, no ad network) removes the incentive, and our privacy policy states it plainly.
- 8
We will never train AI on your mail.
PromiseA promise — your email is sent request-scoped to draft one reply and is never retained as training data, by us or on our instruction. We cannot yet machine-prove a negative, so this carries no badge.
- 9
We will never send email from your account.
PromiseArchitectural: Flick's OAuth mail scope is read-and-draft only, so approved replies are saved as drafts in your own mailbox for you to send. We hold this as a promise rather than a badge because not every connection type is send-blocked by a single machine check.
- 10
We will never show you ads.
PromiseA promise — Flick ships no ad network, no ad SDK and no IDFA tracking on iOS. There's no ad code path to gate, so this carries no badge.
- 11
We will never add a leaderboard or a badge that counts up.
PromiseA promise for the leaderboard and count-up-badge half of our anti-gamification stance. The other half — “never add a streak” — is the CI-enforced clause above.
- 12
We will never make session length a success metric.
PromiseA promise — time-in-app is not a goal we optimize; there is no “time well spent” target in the product and no such metric drives the roadmap. Not yet machine-checkable, so no badge.
Where each promise is enforced
The web app is gated by CI and, for the deck-behavior clauses, by our deploy. iOS binaries clear App Store review before they reach you, so they are audited after release, not gated before it.
| Enforced clause | Web | iOS |
|---|---|---|
| 1. Our paywall can never promise more than the code actually grants. | ✓ CI | post-release audit |
| 2. The web app can never quietly carry the App Store billing SDK. | ✓ CI | n/a — the native app uses StoreKit by design |
| 3. The caught-up share receipt can never claim numbers beyond hard-coded bounds, and its page and preview image can never disagree. | ✓ CI | post-release audit |
| 4. We will never add a streak. | ✓ CI + deploy | post-release audit |
| 5. The deck can never become an infinite scroll. | ✓ CI + deploy | post-release audit |
| 6. We will never send you a re-engagement or win-back notification. | ✓ CI + deploy | post-release audit |
| 13. When Flick reaches the end of the deck, we will never claim we closed your inbox for you. | ✓ CI + deploy | post-release audit |
The red run
Proof the check actually fails on a real violation — not just when it’s convenient.
Check failing on a deliberate violation
$ npx tsx scripts/never-checks.ts # run from prototypes/swipe-loop — the exact command CI runs
The Never Contract — executable checks
[FAIL] N1 no-streak
2 violation(s): prototypes/swipe-loop/src/app/_redrun-violation.ts:2 [streak] "export const streakBanner = "🔥 7-day streak! Don't break the chain!";" · prototypes/swipe-loop/src/app/_redrun-violation.ts:2 [don't-break-the-chain] "export const streakBanner = "🔥 7-day streak! Don't break the chain!";"
[PASS] N2 no-infinite-scroll
clean — scanned 9 src/app file(s)
[PASS] N3 no-reengagement
clean — scanned 38 src+server file(s)
[PASS] N4 terminus-honesty
lib/terminus.ts present — copy makes no "we closed" claim
[PASS] N5 single-source-of-truth
13 clauses, every 'ci' clause backed by a present check, page reads the register
NEVER-CHECKS FAILED — 1 clause(s) the code no longer honors:
- N1 no-streak: 2 violation(s): prototypes/swipe-loop/src/app/_redrun-violation.ts:2 [streak] "export const streakBanner = "🔥 7-day streak! Don't break the chain!";" · prototypes/swipe-loop/src/app/_redrun-violation.ts:2 [don't-break-the-chain] "export const streakBanner = "🔥 7-day streak! Don't break the chain!";"
exit code: 1The same check passing after removal
$ npx tsx scripts/never-checks.ts # run from prototypes/swipe-loop — the exact command CI runs
The Never Contract — executable checks
[PASS] N1 no-streak
clean — scanned 28 src+lib file(s)
[PASS] N2 no-infinite-scroll
clean — scanned 8 src/app file(s)
[PASS] N3 no-reengagement
clean — scanned 37 src+server file(s)
[PASS] N4 terminus-honesty
lib/terminus.ts present — copy makes no "we closed" claim
[PASS] N5 single-source-of-truth
13 clauses, every 'ci' clause backed by a present check, page reads the register
never-checks: all 5 clauses honored.
exit code: 0Captured 2026-07-09: never-checks failing on a deliberately added streak banner, then passing after its removal. Reproduce from the prototypes/swipe-loop directory: add a line containing the word streak to the app source, then run npx tsx scripts/never-checks.ts — the exact command our CI runs on every push.
How to hold us to this
Every clause above is published as machine-readable JSON at /never.json — tier, mechanism, and the exact check name per clause.
The checks are:
never-checks N1–N5— this contract’s own suite (streak, infinite-scroll, re-engagement, terminus copy, single-source-of-truth); runs in CI and before every site deploy.entitlements:smoke,og:smoke— paywall-copy and share-receipt invariants; run in CI on every push and pull request.- the CI web-bundle grep — fails the build if the App Store billing SDK leaks into the web app.
The check scripts ship inside the app repository; a public mirror of them is planned. Until then, the honest limits are spelled out in clause 0 above.