From 0f0a82fef26a8dc325dd5a9f08f127b0ad972cf7 Mon Sep 17 00:00:00 2001 From: Hoid Date: Sun, 8 Mar 2026 17:04:09 +0100 Subject: [PATCH] DocFast session 146: staging noindex, dead code cleanup --- projects/business/memory/bugs.md | 3 +- projects/business/memory/sessions.md | 61 ++++++++++++++++++++++++++++ projects/business/memory/state.json | 4 +- projects/snapapi/memory/sessions.md | 28 +++++++++++++ projects/snapapi/memory/state.json | 2 +- 5 files changed, 94 insertions(+), 4 deletions(-) diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index 59123e1..b3856de 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -20,7 +20,7 @@ - **Issue:** `updateEmailByCustomer()` in `src/services/keys.ts` only checks `keysCache` (in-memory). In 2-replica production, if a Stripe `customer.updated` webhook hits a pod that doesn't have the key cached (pod restart, key created on other pod), the function returns `false` without checking DB. Customer's email change from Stripe is silently lost. - **Impact:** Email sync from Stripe billing silently fails. Customer's email in DocFast DB diverges from Stripe. Recovery emails go to wrong address. - **Fix:** Add DB fallback: query `api_keys` table by `stripe_customer_id` when not found in cache, then update email in DB and hydrate local cache. -- **Status:** OPEN +- **Status:** ✅ FIXED — commit d376d58. DB fallback + cache hydration. 2 TDD tests added. 547 tests total. ## BUG-107: Recover route uses in-memory cache only — recovery fails silently across pods - **Date:** 2026-03-06 @@ -119,6 +119,7 @@ - **Expected:** HTTP 400 with validation error about scale range - **Actual:** HTTP 200 with generated PDF - **Note:** format:"invalid" and margin with non-string values could not be retested due to 5/hour demo rate limit. These may also lack validation. +- **Status:** ✅ FIXED — BUG-102 fix (commit ba2e542) added `validatePdfOptions()` to all demo and convert routes. Scale validation (0.1–2.0) now enforced. Original test used nested `options` object (wrong API format); top-level `scale:99` is correctly rejected. ## BUG-095: /docs page footer missing most footer links (Home, Docs, Examples, API Status, Support, Change Email) - **Date:** 2026-03-02 diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 11a2064..618b3f8 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md @@ -1,5 +1,66 @@ # Session Log +## Session 146 — 2026-03-08 16:00 UTC (Sunday Evening) +- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime +- **Staging:** v0.5.2 ✅ commit b70ed49 (57+ commits ahead of prod) +- **K8s cluster:** All 3 nodes Ready +- **Support:** Zero tickets +- **Completed:** + 1. **Staging noindex protection (TDD)** — Staging site had NO protection against search engine indexing — same robots.txt as production, no `X-Robots-Tag`, no `noindex` meta. Google could index `staging.docfast.dev` creating duplicate content issues. Added middleware that sets `X-Robots-Tag: noindex, nofollow` when hostname contains "staging". 3 TDD tests (staging gets header, production doesn't, applies to API routes too). Commit b70ed49. + 2. **Dead code cleanup** — Removed empty `// Email verification endpoint` comment residue from index.ts. 1 TDD test. Same commit. + 3. **Codebase audit** — Reviewed: 404 page (branded, works for both HTML and API), OpenAPI spec (15 paths, signup properly deprecated with 410), all endpoints healthy (<165ms), no TODOs/FIXMEs, npm audit clean. +- **Total tests:** 562 (all passing, 0 errors), 49 test files +- **Open bugs:** ZERO 🎉 +- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action. +- **Investor test:** + 1. Would a stranger trust this with money? Yes ✅ + 2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅ + 3. Free tier abuse? No — removed, demo rate-limited ✅ + 4. Pro key recovery? Yes — with DB fallback across pods ✅ + 5. Every feature works? Yes ✅ +- **Recommendation:** Staging v0.5.2 production-ready. 57+ commits ahead with 562 tests. Awaiting CI runner restoration + investor approval for production tag. + +## Session 145 — 2026-03-08 13:00 UTC (Sunday Afternoon) +- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime +- **Staging:** v0.5.2 ✅ commit 7206cb5 (56+ commits ahead of prod) +- **K8s cluster:** All 3 nodes Ready +- **Support:** Zero tickets +- **Completed:** + 1. **Dead code removal: signup router + legacy verification (TDD)** — Removed entire dead signup router (`src/routes/signup.ts`) — was never mounted since free tier removal (410 handler in index.ts stays). Removed `isEmailVerified()` and `getVerifiedApiKey()` from verification.ts (only callers were in dead signup router). Removed stale-key cleanup from `cleanupStaleData()` that queried legacy `verifications` table (no active code writes to it since session 143). Updated usage middleware message from "Free tier limit" to "Account limit". 8 new TDD tests added, signup.test.ts removed. Net -229 lines. Commit 7206cb5. + 2. **Full infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts, ~10d uptime), DB connected (PostgreSQL 17.4), browser pool 15/15. All 12 endpoints returning 200 in <165ms. Sitemap valid, robots.txt correct. + 3. **Sub-agent platform issue** — Sub-agent spawn failed instantly (same issue as session 142). Implemented changes directly. +- **Total tests:** 556 (all passing, 0 errors), 48 test files +- **Open bugs:** ZERO 🎉 +- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action. +- **Investor test:** + 1. Would a stranger trust this with money? Yes ✅ + 2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅ + 3. Free tier abuse? No — removed, demo rate-limited ✅ + 4. Pro key recovery? Yes — with DB fallback across pods ✅ + 5. Every feature works? Yes ✅ +- **Recommendation:** Staging v0.5.2 production-ready. 56+ commits ahead with 556 tests. Awaiting CI runner restoration + investor approval for production tag. + +## Session 144 — 2026-03-08 10:00 UTC (Sunday Morning) +- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime +- **Staging:** v0.5.2 ✅ commit 9215627 (55+ commits ahead of prod) +- **K8s cluster:** All 3 nodes Ready +- **Support:** Zero tickets +- **Completed:** + 1. **Dependency updates** — Updated pg 8.19→8.20, puppeteer 24.37→24.38, stripe 20.4.0→20.4.1, @types/node 22.19.13→22.19.15. npm audit: 0 vulnerabilities. All 559 tests passing. Commit da57f57. + 2. **Multi-stage Dockerfile (TDD)** — Optimized Dockerfile from single-stage to multi-stage build. Stage 1 (builder): installs all deps, compiles TypeScript, generates OpenAPI, builds HTML. Stage 2 (production): fresh slim image, Chromium + production deps only. Final image excludes: TypeScript source, tsconfig, dev deps, build scripts. 2 TDD tests added (dist/index.js exists, public/index.html exists). Commit 9215627. + 3. **Bug tracker cleanup** — Updated BUG-108 status to FIXED (was marked OPEN despite being fixed in session 142). Added FIXED status to BUG-096 (effectively resolved by BUG-102 fix). + 4. **Full audit** — All 11 pages/endpoints returning 200, sitemap valid (7 pages, correct namespace), security headers clean (no duplicates), structured data present, no accessibility regressions, npm audit clean. +- **Total tests:** 561 (all passing, 0 errors), 46 test files +- **Open bugs:** ZERO 🎉 +- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action. +- **Investor test:** + 1. Would a stranger trust this with money? Yes ✅ + 2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅ + 3. Free tier abuse? No — removed, demo rate-limited ✅ + 4. Pro key recovery? Yes — with DB fallback across pods ✅ + 5. Every feature works? Yes ✅ +- **Recommendation:** Staging v0.5.2 production-ready. 55+ commits ahead with 561 tests. Awaiting CI runner restoration + investor approval for production tag. + ## Session 143 — 2026-03-08 07:00 UTC (Sunday Morning) - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime - **Staging:** v0.5.2 ✅ commit 2793207 (53+ commits ahead of prod) diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json index a728b45..51e95ee 100644 --- a/projects/business/memory/state.json +++ b/projects/business/memory/state.json @@ -3,7 +3,7 @@ "phaseLabel": "Build Production-Grade Product", "status": "launch-ready", "product": "DocFast — HTML/Markdown to PDF API", - "currentPriority": "Production on v0.5.1. Staging v0.5.2 (53+ commits ahead). npm audit 0 vulns. 559 tests passing (45 files). ZERO open bugs. Removed dead token-based verification system (unbounded memory growth, multi-replica unsafe, never triggered). CI runner still absent — needs restoration. Ready for production tag when investor approves.", + "currentPriority": "Production on v0.5.1. Staging v0.5.2 (57+ commits ahead). npm audit 0 vulns. 562 tests passing (49 files). ZERO open bugs. Added staging noindex protection (X-Robots-Tag). CI runner still absent — needs restoration. Ready for production tag when investor approves.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.", "ownerDirectives": [ "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account." @@ -83,7 +83,7 @@ "LOW": [], "note": "All bugs resolved. BUG-105 fixed 4f6659c. BUG-104 fixed 503e651. BUG-103 (template validation bypass) fixed 47571c8. BUG-102 (sanitized options ignored) fixed ba2e542. BUG-101 (body limits) fixed c03f217. BUG-100 (flush poisoning) fixed d2f819d. BUG-099 (memory leak) fixed 5f776db. BUG-098 (interceptor leak) fixed 024fa00." }, - "sessionCount": 143 + "sessionCount": 146 }, "blockers": [], "startDate": "2026-02-14" diff --git a/projects/snapapi/memory/sessions.md b/projects/snapapi/memory/sessions.md index e35a68a..173e3bd 100644 --- a/projects/snapapi/memory/sessions.md +++ b/projects/snapapi/memory/sessions.md @@ -1,5 +1,33 @@ # SnapAPI Session Log +## Session 75 — 2026-03-08 15:00 CET (Sunday Afternoon) + +**Goal:** Routine health check. + +**Health Check:** +- Production: ✅ 2 replicas running (10d uptime), v0.5.2, spread across w1/w2 +- Staging: ✅ 1 replica running (~6h uptime), 494 tests passing +- All pods healthy, no restarts + +**Work Done:** None. 6th consecutive session with nothing actionable. + +**Investor Test:** +1. Stranger trust with money? **Not yet** — production at v0.5.2, staging at v0.11.0 +2. Data loss on crash? **No** (CNPG PostgreSQL with backups) +3. Free tier abuse? **⛔ BLOCKED** at ingress, 0 free keys +4. Key recovery? **Staging only** +5. All website features work? **Staging only** + +**External Blockers (unchanged):** +- Production deploy approval (v0.5.2 → staging features) +- Stripe webhook URL registration +- CI/CD Forgejo token (write:package scope) +- Staging TLS (DNS for staging.snapapi.eu) + +**Assessment:** Nothing new. Product is mature in staging (494 tests). All meaningful work remains blocked on external approvals. Repeated sessions are just burning tokens at this point. + +--- + ## Session 74 — 2026-03-08 12:00 CET (Sunday Noon) **Goal:** Health check, look for productive work. diff --git a/projects/snapapi/memory/state.json b/projects/snapapi/memory/state.json index 5b760f2..b70f229 100644 --- a/projects/snapapi/memory/state.json +++ b/projects/snapapi/memory/state.json @@ -136,6 +136,6 @@ "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS" } }, - "lastSession": "2026-03-08T08:00:00Z", + "lastSession": "2026-03-08T14:00:00Z", "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git" }