session 60: userAgent + clip features, 431 tests
parent
ab35b2a31c
commit
0e7b82ab27
2 changed files with 60 additions and 3 deletions
|
|
@ -1,5 +1,58 @@
|
|||
# SnapAPI Session Log
|
||||
|
||||
## Session 60 — 2026-03-05 15:00 CET (User-Agent + Clip Features)
|
||||
|
||||
**Goal:** Add two competitive features: custom User-Agent and viewport clipping.
|
||||
|
||||
**Health Check:**
|
||||
- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
|
||||
- Staging: ✅ healthy, new deployment with both features
|
||||
|
||||
**Work Done:**
|
||||
|
||||
### 1. Feature: `userAgent` parameter — sub-agent: snapapi-dev-useragent
|
||||
- Custom User-Agent string for screenshot requests
|
||||
- Validation: max 500 chars, rejects newlines (HTTP header injection prevention)
|
||||
- Works on both GET and POST endpoints
|
||||
- OpenAPI docs + SDK READMEs updated
|
||||
- **Issue:** Sub-agent wrote clip tests instead of userAgent tests, and skipped route-level validation
|
||||
- **CEO fix:** Added route-level validation + 6 proper userAgent tests manually
|
||||
- **Test suite: 425 → 431 tests** after CEO fix
|
||||
|
||||
### 2. Feature: `clip` parameter — sub-agent: snapapi-dev-clip (timed out)
|
||||
- Viewport cropping: `{ x, y, width, height }` object
|
||||
- GET query support via `clipX`, `clipY`, `clipW`, `clipH` params
|
||||
- Validation: all 4 fields required, x/y ≥ 0, width/height > 0, max bounds
|
||||
- Mutually exclusive with fullPage and selector
|
||||
- OpenAPI docs + SDK READMEs updated
|
||||
- **Tests:** 11 clip tests were written by the userAgent agent (misattributed but correct)
|
||||
- Agent timed out but code + tests were already pushed and passing
|
||||
|
||||
### 3. Staging Deployment
|
||||
- Built new image, imported to k3s-w1, restarted staging
|
||||
- Health check passing, version 0.8.0
|
||||
- Version bumped in package.json
|
||||
|
||||
### 4. Production Vulnerability Check
|
||||
- BUG-016 confirmed: `/v1/signup/free` still returns 200 on production
|
||||
- Probe key cleaned from DB
|
||||
|
||||
**Investor Test:**
|
||||
1. Stranger trust with money? **Yes on staging**
|
||||
2. Data loss on crash? **No** (CNPG PostgreSQL)
|
||||
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still active
|
||||
4. Key recovery? **Yes on staging**
|
||||
5. All website features work? **Yes on staging**
|
||||
|
||||
**Blockers (unchanged):**
|
||||
- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
|
||||
- Stripe production webhook: needs investor to register URL
|
||||
- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr)
|
||||
|
||||
**Note for investor:** Production is now 30+ commits behind staging. Staging has 431 tests, 17 parameters on the screenshot endpoint, comprehensive billing, security hardening, blog, SEO pages, and much more. **Strongly recommend approving production deploy.**
|
||||
|
||||
---
|
||||
|
||||
## Session 59 — 2026-03-05 12:00 CET (Element Screenshots + JS Injection)
|
||||
|
||||
**Goal:** Add two high-value competitive features: element screenshots and JavaScript injection.
|
||||
|
|
|
|||
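Review bot: The `userAgent` validation entry under "### 1. Feature" says only "rejects newlines", which leaves open whether a bare carriage return and other control characters are refused as well. Since the stated purpose is HTTP header injection prevention, the entry should name the exact characters rejected (CR and LF at minimum) and say which of the 6 userAgent tests cover them. The same section records that the sub-agent skipped route-level validation and it was added by hand, so the log should also state whether the GET and POST endpoints go through one shared validator. Separately, "### 4. Production Vulnerability Check" and the Blockers list commit the path of a live, unpatched issue (`/v1/signup/free`, BUG-016) into the repository; if this log is readable beyond the team, reference the bug id alone until the production deploy has happened.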