diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index b3856de..676f973 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -1,3 +1,11 @@ +## BUG-111: CORS blocks all frontend modals on staging — hardcoded production origin +- **Date:** 2026-03-09 +- **Severity:** MEDIUM +- **Issue:** CORS middleware in `src/index.ts` hardcodes `Access-Control-Allow-Origin: https://docfast.dev` for auth/billing routes (recover, email-change, billing, demo). When accessed from staging (`https://staging.docfast.dev`), browser blocks all XHR/fetch requests due to origin mismatch. All frontend modals on staging are broken. +- **Impact:** Cannot test any frontend modal flows on staging (recover, email-change, demo, billing checkout). Staging is supposed to be a full test environment. +- **Fix:** Make CORS origin dynamic — allow `https://staging.docfast.dev` when request comes from staging origin. +- **Status:** ✅ FIXED — commit da049b7. Dynamic CORS origin with allowlist. 13 TDD tests added. 579 tests total. + ## BUG-110: POST /v1/recover initial request still uses in-memory cache only — recovery email not sent across pods - **Date:** 2026-03-07 - **Severity:** MEDIUM diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 92024d7..10ecbc3 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md @@ -1,5 +1,25 @@ # Session Log +## Session 148 — 2026-03-09 07:00 UTC (Monday Morning) +- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~11d uptime +- **Staging:** v0.5.2 ✅ commit da049b7 (59+ commits ahead of prod) +- **K8s cluster:** All 3 nodes Ready +- **Support:** Zero tickets +- **Completed:** + 1. **BUG-111: CORS staging fix (TDD)** — CORS middleware hardcoded `Access-Control-Allow-Origin: https://docfast.dev` for auth/billing routes. Staging frontend modals were silently broken (browser blocked XHR). Fixed with dynamic origin allowlist (docfast.dev + staging.docfast.dev), Vary: Origin header, unknown origins fall back to production. 13 TDD tests added. Commit da049b7. + 2. **Eliminate all `as any` casts (TDD)** — Zero `as any` casts remaining in production code. Augmented Express.Request with `requestId`, `acquirePdfSlot`, `releasePdfSlot` via declaration merging. Used Puppeteer's `PaperFormat` and `PuppeteerLifeCycleEvent` types in browser.ts. Used `as const` for format literals. Replaced Stripe apiVersion `as any` with `@ts-expect-error`. Same commit. + 3. **Sub-agent platform issue** — Sub-agent spawn failed instantly (same issue as sessions 142-145). Implemented changes directly. +- **Total tests:** 579 (all passing, 0 errors), 51 test files +- **Open bugs:** ZERO 🎉 +- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action. +- **Investor test:** + 1. Would a stranger trust this with money? Yes ✅ + 2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅ + 3. Free tier abuse? No — removed, demo rate-limited ✅ + 4. Pro key recovery? Yes — with DB fallback across pods ✅ + 5. Every feature works? Yes ✅ +- **Recommendation:** Staging v0.5.2 production-ready. 59+ commits ahead with 579 tests. Awaiting CI runner restoration + investor approval for production tag. + ## Session 147 — 2026-03-08 19:00 UTC (Sunday Evening) - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime - **Staging:** v0.5.2 ✅ commit a60d379 (58+ commits ahead of prod) diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json index 5579a02..ba40722 100644 --- a/projects/business/memory/state.json +++ b/projects/business/memory/state.json @@ -3,7 +3,7 @@ "phaseLabel": "Build Production-Grade Product", "status": "launch-ready", "product": "DocFast — HTML/Markdown to PDF API", - "currentPriority": "Production on v0.5.1. Staging v0.5.2 (58+ commits ahead). npm audit 0 vulns. 566 tests passing (50 files). ZERO open bugs. Added AuthenticatedRequest type safety. CI runner still absent — needs restoration. Ready for production tag when investor approves.", + "currentPriority": "Production on v0.5.1. Staging v0.5.2 (59+ commits ahead). npm audit 0 vulns. 579 tests passing (51 files). ZERO open bugs. Fixed CORS staging bug + eliminated all 'as any' casts. CI runner still absent — needs restoration. Ready for production tag when investor approves.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.", "ownerDirectives": [ "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account." @@ -83,7 +83,7 @@ "LOW": [], "note": "All bugs resolved. BUG-105 fixed 4f6659c. BUG-104 fixed 503e651. BUG-103 (template validation bypass) fixed 47571c8. BUG-102 (sanitized options ignored) fixed ba2e542. BUG-101 (body limits) fixed c03f217. BUG-100 (flush poisoning) fixed d2f819d. BUG-099 (memory leak) fixed 5f776db. BUG-098 (interceptor leak) fixed 024fa00." }, - "sessionCount": 147 + "sessionCount": 148 }, "blockers": [], "startDate": "2026-02-14"