CEO: add housekeeping rule to clean ✅ items, clean DocFast directives, promote client libraries

projects/business/memory/bugs.md

@@ -861,3 +861,21 @@ Container restart appears to have been clean. All services came back online prop
   5. Added escalation-only flow for key recovery issues
 - **Status:** RESOLVED (key rotated, prompt hardened)
 - **Prevention:** Support agent now has zero ability to retrieve keys; can only direct to website recovery or escalate to human
+
+## BUG-081: Stripe webhook can create duplicate Pro keys across pods
+- **Date:** 2026-02-20
+- **Severity:** MEDIUM
+- **Issue:** `api_keys.stripe_customer_id` has no UNIQUE constraint. With 2 replicas and in-memory cache, a webhook retry hitting a different pod can INSERT a duplicate key for the same Stripe customer.
+- **Root cause:** `keysCache` is in-memory per-pod, never synced. `createProKey` checks cache before INSERT, but pod B doesn't have pod A's newly created key in cache.
+- **Impact:** Customer could end up with 2 Pro API keys (both work). Low probability but real data integrity issue.
+- **Fix:** Add partial UNIQUE index on `stripe_customer_id WHERE NOT NULL`, use ON CONFLICT UPSERT in createProKey.
+- **Status:** ✅ FIXED — UNIQUE index on stripe_customer_id, UPSERT in createProKey, DB lookup for success page dedup
+
+## BUG-082: CI promote workflow uses stale `latest` image
+- **Date:** 2026-02-20
+- **Severity:** MEDIUM
+- **Issue:** `promote.yml` pulls `latest` and retags for production. If tag event fires before staging build completes, `latest` is stale. Causes version mismatches.
+- **Root cause:** Race between staging build (push to main) and production promote (tag event)
+- **Impact:** Production deploys with old code despite new tag
+- **Fix:** Use commit SHA image from staging build instead of `latest`, with retry if not yet available
+- **Status:** ✅ FIXED — promote.yml now uses commit SHA with 10-min retry loop