Sharing and friend features look trivial until you actually enumerate the states: invited, pending acceptance, connected, disconnected — and all of that times two people. Every gap between those states is either a bug or a privacy leak, and they're never in the obvious places.

Enforce accept before anything is shared

Nothing is shared until the other side explicitly accepts. An invite is a request, not a grant. Making that the hard rule closes the whole category of "I never agreed to see this" leaks, and it makes the permission model something you can explain in one sentence.

Scope destructive actions precisely

A real bug I fixed: disconnecting one relationship was quietly removing unrelated shared connections. The fix is to model each connection as its own independent edge, so a disconnect touches exactly one relationship and can't ripple outward.

Make cancel and cleanup idempotent

Cancel-invite, re-invite, and cleanup all have to be safe to run twice, because in a networked app they will be. Side effects follow the same rule: quota deducts on acceptance and restores on removal, deterministically, so a double-tap or a retry can never double-count.
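
The three rules above in one small model, as an added example that is not code from the original post. The names (Connections, State, quota_per_user) are hypothetical, and deriving the quota from edge state instead of keeping a counter is an assumption about one way to make it deterministic.

```python
from enum import Enum

class State(Enum):
    PENDING = "pending"
    CONNECTED = "connected"

class Connections:
    """Each (owner, guest) pair is its own edge. All names are hypothetical."""

    def __init__(self, quota_per_user=3):
        self.edges = {}                      # (owner, guest) -> State
        self.quota_per_user = quota_per_user

    def quota_left(self, owner):
        # Derived from state, not a counter, so a retry can never double-count.
        used = sum(1 for (o, _), s in self.edges.items()
                   if o == owner and s is State.CONNECTED)
        return self.quota_per_user - used

    def invite(self, owner, guest):
        # A request, not a grant: creates PENDING, never overwrites an existing edge.
        self.edges.setdefault((owner, guest), State.PENDING)

    def accept(self, owner, guest):
        # Called on behalf of the guest; only this pair's pending edge can connect.
        key = (owner, guest)
        if self.edges.get(key) is State.PENDING and self.quota_left(owner) > 0:
            self.edges[key] = State.CONNECTED
        return self.edges.get(key) is State.CONNECTED

    def cancel_invite(self, owner, guest):
        # Idempotent: removes only a PENDING edge, otherwise a no-op.
        if self.edges.get((owner, guest)) is State.PENDING:
            del self.edges[(owner, guest)]

    def disconnect(self, owner, guest):
        # Touches exactly one edge; a repeated call is a no-op.
        if self.edges.get((owner, guest)) is State.CONNECTED:
            del self.edges[(owner, guest)]

    def can_view(self, owner, guest):
        # Deny by default: visible only after explicit acceptance.
        return self.edges.get((owner, guest)) is State.CONNECTED
```
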