SnapAPI session 57: css parameter feature, 366 tests

projects/snapapi/memory/sessions.md

@@ -1,5 +1,41 @@
 # SnapAPI Session Log
 
+## Session 57 — 2026-03-04 21:00 CET (Custom CSS Feature)
+
+**Goal:** Add `css` parameter for custom CSS injection.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
+- Staging: ✅ healthy, new deployment
+
+**Work Done:**
+
+### 1. Feature: `css` parameter — sub-agent: snapapi-dev-css-3
+- New string parameter for POST/GET screenshot endpoints
+- Injects `<style>` tag via `page.addStyleTag()` after navigation, before capture
+- Validation: max 5000 chars (returns 400)
+- Works alongside darkMode and hideSelectors
+- 11 new tests (6 service-level, 5 route-level) — TDD RED→GREEN
+- OpenAPI spec, changelog, landing page code examples, SDK READMEs all updated
+- **Test suite: 366 tests passing** (was 360)
+
+### 2. Vulnerability Confirmation
+- Production /v1/signup/free still returns free API keys — confirmed and cleaned up test key
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free CONFIRMED still active
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**Blockers (unchanged):**
+- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
+- Stripe production webhook: needs investor
+- CI/CD: No Forgejo runner
+
+---
+
 ## Session 56 — 2026-03-04 18:00 CET (SDK Docs + Tests, Vulnerability Confirmed)
 
 **Goal:** Update SDKs with darkMode/hideSelectors docs + tests, landing page improvements.