DocFast session 146: staging noindex, dead code cleanup

2026-03-08 17:04:09 +01:00 · 2026-03-08 17:04:09 +01:00 · 0f0a82fef2
commit 0f0a82fef2
parent 8cc6b4fd4e
5 changed files with 94 additions and 4 deletions
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
@ -20,7 +20,7 @@
 - **Issue:** `updateEmailByCustomer()` in `src/services/keys.ts` only checks `keysCache` (in-memory). In 2-replica production, if a Stripe `customer.updated` webhook hits a pod that doesn't have the key cached (pod restart, key created on other pod), the function returns `false` without checking DB. Customer's email change from Stripe is silently lost.
 - **Impact:** Email sync from Stripe billing silently fails. Customer's email in DocFast DB diverges from Stripe. Recovery emails go to wrong address.
 - **Fix:** Add DB fallback: query `api_keys` table by `stripe_customer_id` when not found in cache, then update email in DB and hydrate local cache.
- **Status:** OPEN
+- **Status:** ✅ FIXED — commit d376d58. DB fallback + cache hydration. 2 TDD tests added. 547 tests total.

 ## BUG-107: Recover route uses in-memory cache only — recovery fails silently across pods
 - **Date:** 2026-03-06
@ -119,6 +119,7 @@
 - **Expected:** HTTP 400 with validation error about scale range
 - **Actual:** HTTP 200 with generated PDF
 - **Note:** format:"invalid" and margin with non-string values could not be retested due to 5/hour demo rate limit. These may also lack validation.
+- **Status:** ✅ FIXED — BUG-102 fix (commit ba2e542) added `validatePdfOptions()` to all demo and convert routes. Scale validation (0.1–2.0) now enforced. Original test used nested `options` object (wrong API format); top-level `scale:99` is correctly rejected.

 ## BUG-095: /docs page footer missing most footer links (Home, Docs, Examples, API Status, Support, Change Email)
 - **Date:** 2026-03-02
--- a/projects/business/memory/sessions.md
+++ b/projects/business/memory/sessions.md
@ -1,5 +1,66 @@
 # Session Log

+## Session 146 — 2026-03-08 16:00 UTC (Sunday Evening)
+- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime
+- **Staging:** v0.5.2 ✅ commit b70ed49 (57+ commits ahead of prod)
+- **K8s cluster:** All 3 nodes Ready
+- **Support:** Zero tickets
+- **Completed:**
+  1. **Staging noindex protection (TDD)** — Staging site had NO protection against search engine indexing — same robots.txt as production, no `X-Robots-Tag`, no `noindex` meta. Google could index `staging.docfast.dev` creating duplicate content issues. Added middleware that sets `X-Robots-Tag: noindex, nofollow` when hostname contains "staging". 3 TDD tests (staging gets header, production doesn't, applies to API routes too). Commit b70ed49.
+  2. **Dead code cleanup** — Removed empty `// Email verification endpoint` comment residue from index.ts. 1 TDD test. Same commit.
+  3. **Codebase audit** — Reviewed: 404 page (branded, works for both HTML and API), OpenAPI spec (15 paths, signup properly deprecated with 410), all endpoints healthy (<165ms), no TODOs/FIXMEs, npm audit clean.
+- **Total tests:** 562 (all passing, 0 errors), 49 test files
+- **Open bugs:** ZERO 🎉
+- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action.
+- **Investor test:**
+  1. Would a stranger trust this with money? Yes ✅
+  2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
+  3. Free tier abuse? No — removed, demo rate-limited ✅
+  4. Pro key recovery? Yes — with DB fallback across pods ✅
+  5. Every feature works? Yes ✅
+- **Recommendation:** Staging v0.5.2 production-ready. 57+ commits ahead with 562 tests. Awaiting CI runner restoration + investor approval for production tag.
+
+## Session 145 — 2026-03-08 13:00 UTC (Sunday Afternoon)
+- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime
+- **Staging:** v0.5.2 ✅ commit 7206cb5 (56+ commits ahead of prod)
+- **K8s cluster:** All 3 nodes Ready
+- **Support:** Zero tickets
+- **Completed:**
+  1. **Dead code removal: signup router + legacy verification (TDD)** — Removed entire dead signup router (`src/routes/signup.ts`) — was never mounted since free tier removal (410 handler in index.ts stays). Removed `isEmailVerified()` and `getVerifiedApiKey()` from verification.ts (only callers were in dead signup router). Removed stale-key cleanup from `cleanupStaleData()` that queried legacy `verifications` table (no active code writes to it since session 143). Updated usage middleware message from "Free tier limit" to "Account limit". 8 new TDD tests added, signup.test.ts removed. Net -229 lines. Commit 7206cb5.
+  2. **Full infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts, ~10d uptime), DB connected (PostgreSQL 17.4), browser pool 15/15. All 12 endpoints returning 200 in <165ms. Sitemap valid, robots.txt correct.
+  3. **Sub-agent platform issue** — Sub-agent spawn failed instantly (same issue as session 142). Implemented changes directly.
+- **Total tests:** 556 (all passing, 0 errors), 48 test files
+- **Open bugs:** ZERO 🎉
+- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action.
+- **Investor test:**
+  1. Would a stranger trust this with money? Yes ✅
+  2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
+  3. Free tier abuse? No — removed, demo rate-limited ✅
+  4. Pro key recovery? Yes — with DB fallback across pods ✅
+  5. Every feature works? Yes ✅
+- **Recommendation:** Staging v0.5.2 production-ready. 56+ commits ahead with 556 tests. Awaiting CI runner restoration + investor approval for production tag.
+
+## Session 144 — 2026-03-08 10:00 UTC (Sunday Morning)
+- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime
+- **Staging:** v0.5.2 ✅ commit 9215627 (55+ commits ahead of prod)
+- **K8s cluster:** All 3 nodes Ready
+- **Support:** Zero tickets
+- **Completed:**
+  1. **Dependency updates** — Updated pg 8.19→8.20, puppeteer 24.37→24.38, stripe 20.4.0→20.4.1, @types/node 22.19.13→22.19.15. npm audit: 0 vulnerabilities. All 559 tests passing. Commit da57f57.
+  2. **Multi-stage Dockerfile (TDD)** — Optimized Dockerfile from single-stage to multi-stage build. Stage 1 (builder): installs all deps, compiles TypeScript, generates OpenAPI, builds HTML. Stage 2 (production): fresh slim image, Chromium + production deps only. Final image excludes: TypeScript source, tsconfig, dev deps, build scripts. 2 TDD tests added (dist/index.js exists, public/index.html exists). Commit 9215627.
+  3. **Bug tracker cleanup** — Updated BUG-108 status to FIXED (was marked OPEN despite being fixed in session 142). Added FIXED status to BUG-096 (effectively resolved by BUG-102 fix).
+  4. **Full audit** — All 11 pages/endpoints returning 200, sitemap valid (7 pages, correct namespace), security headers clean (no duplicates), structured data present, no accessibility regressions, npm audit clean.
+- **Total tests:** 561 (all passing, 0 errors), 46 test files
+- **Open bugs:** ZERO 🎉
+- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action.
+- **Investor test:**
+  1. Would a stranger trust this with money? Yes ✅
+  2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
+  3. Free tier abuse? No — removed, demo rate-limited ✅
+  4. Pro key recovery? Yes — with DB fallback across pods ✅
+  5. Every feature works? Yes ✅
+- **Recommendation:** Staging v0.5.2 production-ready. 55+ commits ahead with 561 tests. Awaiting CI runner restoration + investor approval for production tag.
+
 ## Session 143 — 2026-03-08 07:00 UTC (Sunday Morning)
 - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime
 - **Staging:** v0.5.2 ✅ commit 2793207 (53+ commits ahead of prod)
--- a/projects/business/memory/state.json
+++ b/projects/business/memory/state.json
@ -3,7 +3,7 @@
  "phaseLabel": "Build Production-Grade Product",
  "status": "launch-ready",
  "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Production on v0.5.1. Staging v0.5.2 (53+ commits ahead). npm audit 0 vulns. 559 tests passing (45 files). ZERO open bugs. Removed dead token-based verification system (unbounded memory growth, multi-replica unsafe, never triggered). CI runner still absent — needs restoration. Ready for production tag when investor approves.",
+  "currentPriority": "Production on v0.5.1. Staging v0.5.2 (57+ commits ahead). npm audit 0 vulns. 562 tests passing (49 files). ZERO open bugs. Added staging noindex protection (X-Robots-Tag). CI runner still absent — needs restoration. Ready for production tag when investor approves.",
  "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
  "ownerDirectives": [
    "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
@ -83,7 +83,7 @@
    "LOW": [],
    "note": "All bugs resolved. BUG-105 fixed 4f6659c. BUG-104 fixed 503e651. BUG-103 (template validation bypass) fixed 47571c8. BUG-102 (sanitized options ignored) fixed ba2e542. BUG-101 (body limits) fixed c03f217. BUG-100 (flush poisoning) fixed d2f819d. BUG-099 (memory leak) fixed 5f776db. BUG-098 (interceptor leak) fixed 024fa00."
  },
-  "sessionCount": 143
+  "sessionCount": 146
  },
  "blockers": [],
  "startDate": "2026-02-14"
--- a/projects/snapapi/memory/sessions.md
+++ b/projects/snapapi/memory/sessions.md
@ -1,5 +1,33 @@
 # SnapAPI Session Log

+## Session 75 — 2026-03-08 15:00 CET (Sunday Afternoon)
+
+**Goal:** Routine health check.
+
+**Health Check:**
+- Production: ✅ 2 replicas running (10d uptime), v0.5.2, spread across w1/w2
+- Staging: ✅ 1 replica running (~6h uptime), 494 tests passing
+- All pods healthy, no restarts
+
+**Work Done:** None. 6th consecutive session with nothing actionable.
+
+**Investor Test:**
+1. Stranger trust with money? **Not yet** — production at v0.5.2, staging at v0.11.0
+2. Data loss on crash? **No** (CNPG PostgreSQL with backups)
+3. Free tier abuse? **⛔ BLOCKED** at ingress, 0 free keys
+4. Key recovery? **Staging only**
+5. All website features work? **Staging only**
+
+**External Blockers (unchanged):**
+- Production deploy approval (v0.5.2 → staging features)
+- Stripe webhook URL registration
+- CI/CD Forgejo token (write:package scope)
+- Staging TLS (DNS for staging.snapapi.eu)
+
+**Assessment:** Nothing new. Product is mature in staging (494 tests). All meaningful work remains blocked on external approvals. Repeated sessions are just burning tokens at this point.
+
+---
+
 ## Session 74 — 2026-03-08 12:00 CET (Sunday Noon)

 **Goal:** Health check, look for productive work.
--- a/projects/snapapi/memory/state.json
+++ b/projects/snapapi/memory/state.json
@ -136,6 +136,6 @@
      "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
    }
  },
-  "lastSession": "2026-03-08T08:00:00Z",
+  "lastSession": "2026-03-08T14:00:00Z",
  "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }