From 0e7b82ab270fad9cb215c6d7704a1239f5772da2 Mon Sep 17 00:00:00 2001
From: Hoid
Date: Thu, 5 Mar 2026 15:21:38 +0100
Subject: [PATCH] session 60: userAgent + clip features, 431 tests

---
 projects/snapapi/memory/sessions.md | 53 +++++++++++++++++++++++++++++
 projects/snapapi/memory/state.json | 10 ++++--
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/projects/snapapi/memory/sessions.md b/projects/snapapi/memory/sessions.md
index 56674f7..21e1bac 100644
--- a/projects/snapapi/memory/sessions.md
+++ b/projects/snapapi/memory/sessions.md
@@ -1,5 +1,58 @@
 # SnapAPI Session Log
 
+## Session 60 — 2026-03-05 15:00 CET (User-Agent + Clip Features)
+
+**Goal:** Add two competitive features: custom User-Agent and viewport clipping.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
+- Staging: ✅ healthy, new deployment with both features
+
+**Work Done:**
+
+### 1. Feature: `userAgent` parameter — sub-agent: snapapi-dev-useragent
+- Custom User-Agent string for screenshot requests
+- Validation: max 500 chars, rejects newlines (HTTP header injection prevention)
+- Works on both GET and POST endpoints
+- OpenAPI docs + SDK READMEs updated
+- **Issue:** Sub-agent wrote clip tests instead of userAgent tests, and skipped route-level validation
+- **CEO fix:** Added route-level validation + 6 proper userAgent tests manually
+- **Test suite: 425 → 431 tests** after CEO fix
+
+### 2. Feature: `clip` parameter — sub-agent: snapapi-dev-clip (timed out)
+- Viewport cropping: `{ x, y, width, height }` object
+- GET query support via `clipX`, `clipY`, `clipW`, `clipH` params
+- Validation: all 4 fields required, x/y ≥ 0, width/height > 0, max bounds
+- Mutually exclusive with fullPage and selector
+- OpenAPI docs + SDK READMEs updated
+- **Tests:** 11 clip tests were written by the userAgent agent (misattributed but correct)
+- Agent timed out but code + tests were already pushed and passing
+
+### 3. Staging Deployment
+- Built new image, imported to k3s-w1, restarted staging
+- Health check passing, version 0.8.0
+- Version bumped in package.json
+
+### 4. Production Vulnerability Check
+- BUG-016 confirmed: `/v1/signup/free` still returns 200 on production
+- Probe key cleaned from DB
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still active
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**Blockers (unchanged):**
+- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
+- Stripe production webhook: needs investor to register URL
+- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr)
+
+**Note for investor:** Production is now 30+ commits behind staging. Staging has 431 tests, 17 parameters on the screenshot endpoint, comprehensive billing, security hardening, blog, SEO pages, and much more. **Strongly recommend approving production deploy.**
+
+---
+
 ## Session 59 — 2026-03-05 12:00 CET (Element Screenshots + JS Injection)
 
 **Goal:** Add two high-value competitive features: element screenshots and JavaScript injection.
diff --git a/projects/snapapi/memory/state.json b/projects/snapapi/memory/state.json
index 69bb897..bb731a6 100644
--- a/projects/snapapi/memory/state.json
+++ b/projects/snapapi/memory/state.json
@@ -1,6 +1,6 @@
 {
 "phase": "production-live",
-"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.8.0-staging (414 tests)",
+"version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.8.0-staging (431 tests)",
 "staging": {
 "status": "running",
 "namespace": "snapapi-staging",
@@ -96,7 +96,11 @@
 "JavaScript injection: js parameter — execute custom JS before capture, 5s timeout, 5000 char limit (staging)",
 "selector + fullPage mutual exclusivity validation (staging)",
 "SDK docs: js parameter documented in Node.js + Python SDK READMEs (staging)",
-"Test suite: 414 tests passing (staging)"
+"Custom User-Agent: userAgent parameter with 500-char limit + newline injection prevention (staging)",
+"Viewport clipping: clip parameter (x, y, width, height) with GET query support (clipX/clipY/clipW/clipH) (staging)",
+"clip mutual exclusivity with fullPage and selector (staging)",
+"SDK docs: userAgent + clip documented in Node.js + Python SDK READMEs (staging)",
+"Test suite: 431 tests passing (staging)"
 ],
 "notDone": [
 "Register Stripe webhook URL in Stripe Dashboard",
@@ -119,6 +123,6 @@
 "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
 }
 },
-"lastSession": "2026-03-05T11:00:00Z",
+"lastSession": "2026-03-05T14:00:00Z",
 "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }
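Review bot: The added `version` value packs four separate facts — production version, a vulnerability flag, staging version and the staging test count — into one free-form string, and the test count is repeated in the `done` entry `"Test suite: 431 tests passing (staging)"` in the next hunk (@@ -96,7 +96,11 @@), which is why this commit had to edit 414→431 in two places and why the two can drift. Tooling that wants to know "is production known-vulnerable" or "how many tests pass on staging" has to parse prose to find out. Consider promoting these to typed fields, e.g. `"productionVersion": "0.5.2"`, `"productionKnownVulnerable": true`, `"stagingTestCount": 431`, plus a staging version field, and keep `version` only as a display string if some consumer still reads it. The `lastSession` bump in the last hunk (`2026-03-05T14:00:00Z`) is consistent with the 15:00 CET start recorded in sessions.md. The top-level object opened in this hunk continues past it.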
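Review bot: The first added `done` entry records "newline injection prevention" for `userAgent` without saying which characters are rejected, and the matching sessions.md line says only "rejects newlines". For header-injection purposes the distinction that matters is whether both CR and LF (and ideally all control characters) are refused, and that is what a later reader of this state file will want to know before relying on the feature. Since the route validator itself is outside this diff, I can only suggest the wording be made precise once confirmed against it, e.g. `"Custom User-Agent: userAgent parameter with 500-char limit; rejects CR/LF (header injection prevention) (staging)"` if that is what the validator does. The enclosing `done` array opens before this hunk.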