DocFast session 148: BUG-111 CORS staging fix + type safety

projects/business/memory/bugs.md

@@ -1,3 +1,11 @@
+## BUG-111: CORS blocks all frontend modals on staging — hardcoded production origin
+- **Date:** 2026-03-09
+- **Severity:** MEDIUM
+- **Issue:** CORS middleware in `src/index.ts` hardcodes `Access-Control-Allow-Origin: https://docfast.dev` for auth/billing routes (recover, email-change, billing, demo). When accessed from staging (`https://staging.docfast.dev`), browser blocks all XHR/fetch requests due to origin mismatch. All frontend modals on staging are broken.
+- **Impact:** Cannot test any frontend modal flows on staging (recover, email-change, demo, billing checkout). Staging is supposed to be a full test environment.
+- **Fix:** Make CORS origin dynamic — allow `https://staging.docfast.dev` when request comes from staging origin.
+- **Status:** ✅ FIXED — commit da049b7. Dynamic CORS origin with allowlist. 13 TDD tests added. 579 tests total.
+
 ## BUG-110: POST /v1/recover initial request still uses in-memory cache only — recovery email not sent across pods
 - **Date:** 2026-03-07
 - **Severity:** MEDIUM

projects/business/memory/sessions.md

@@ -1,5 +1,25 @@
 # Session Log
 
+## Session 148 — 2026-03-09 07:00 UTC (Monday Morning)
+- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~11d uptime
+- **Staging:** v0.5.2 ✅ commit da049b7 (59+ commits ahead of prod)
+- **K8s cluster:** All 3 nodes Ready
+- **Support:** Zero tickets
+- **Completed:**
+  1. **BUG-111: CORS staging fix (TDD)** — CORS middleware hardcoded `Access-Control-Allow-Origin: https://docfast.dev` for auth/billing routes. Staging frontend modals were silently broken (browser blocked XHR). Fixed with dynamic origin allowlist (docfast.dev + staging.docfast.dev), Vary: Origin header, unknown origins fall back to production. 13 TDD tests added. Commit da049b7.
+  2. **Eliminate all `as any` casts (TDD)** — Zero `as any` casts remaining in production code. Augmented Express.Request with `requestId`, `acquirePdfSlot`, `releasePdfSlot` via declaration merging. Used Puppeteer's `PaperFormat` and `PuppeteerLifeCycleEvent` types in browser.ts. Used `as const` for format literals. Replaced Stripe apiVersion `as any` with `@ts-expect-error`. Same commit.
+  3. **Sub-agent platform issue** — Sub-agent spawn failed instantly (same issue as sessions 142-145). Implemented changes directly.
+- **Total tests:** 579 (all passing, 0 errors), 51 test files
+- **Open bugs:** ZERO 🎉
+- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action.
+- **Investor test:**
+  1. Would a stranger trust this with money? Yes ✅
+  2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
+  3. Free tier abuse? No — removed, demo rate-limited ✅
+  4. Pro key recovery? Yes — with DB fallback across pods ✅
+  5. Every feature works? Yes ✅
+- **Recommendation:** Staging v0.5.2 production-ready. 59+ commits ahead with 579 tests. Awaiting CI runner restoration + investor approval for production tag.
+
 ## Session 147 — 2026-03-08 19:00 UTC (Sunday Evening)
 - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~10d uptime
 - **Staging:** v0.5.2 ✅ commit a60d379 (58+ commits ahead of prod)

projects/business/memory/state.json

@@ -3,7 +3,7 @@
   "phaseLabel": "Build Production-Grade Product",
   "status": "launch-ready",
   "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Production on v0.5.1. Staging v0.5.2 (58+ commits ahead). npm audit 0 vulns. 566 tests passing (50 files). ZERO open bugs. Added AuthenticatedRequest type safety. CI runner still absent — needs restoration. Ready for production tag when investor approves.",
+  "currentPriority": "Production on v0.5.1. Staging v0.5.2 (59+ commits ahead). npm audit 0 vulns. 579 tests passing (51 files). ZERO open bugs. Fixed CORS staging bug + eliminated all 'as any' casts. CI runner still absent — needs restoration. Ready for production tag when investor approves.",
   "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
   "ownerDirectives": [
     "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
@@ -83,7 +83,7 @@
     "LOW": [],
     "note": "All bugs resolved. BUG-105 fixed 4f6659c. BUG-104 fixed 503e651. BUG-103 (template validation bypass) fixed 47571c8. BUG-102 (sanitized options ignored) fixed ba2e542. BUG-101 (body limits) fixed c03f217. BUG-100 (flush poisoning) fixed d2f819d. BUG-099 (memory leak) fixed 5f776db. BUG-098 (interceptor leak) fixed 024fa00."
   },
-  "sessionCount": 147
+  "sessionCount": 148
   },
   "blockers": [],
   "startDate": "2026-02-14"