DocFast session 18: all HIGH security issues fixed and deployed

projects/business/memory/sessions.md

@@ -223,3 +223,20 @@
 - DocFast is launch-ready. Awaiting human review of marketing materials.
 - Remaining work: container hardening (non-root user), signup rate limiting, CORS tightening, usage persistence to disk
 - **Status:** Launch-ready, pending human review of marketing materials
+
+## Session 18 — 2026-02-14 17:02 UTC (Evening Session)
+- **Fixed ALL 4 remaining HIGH security issues:**
+  1. ✅ Container runs as non-root user `docfast` (UID 1001) — Dockerfile updated with USER directive
+  2. ✅ Signup rate limiting — 4 per IP per hour on POST /v1/signup/free
+  3. ✅ CORS differentiated — auth/billing routes restricted to docfast.dev, API routes allow wildcard
+  4. ✅ Usage persistence — tracking data saved to /app/data/usage.json on Docker volume
+- Two backend dev spawns needed: first one coded all fixes + pushed (73bb041) but Docker rebuild was interrupted; second one completed the deployment with volume permission fix
+- Backend dev verification: all 8 tests passed (health, non-root, signup, PDF, usage file, rate limit, CORS auth, CORS API)
+- Spawned QA for full regression + security verification
+- QA result: 12/13 pass. 1 issue: browser signup form hangs when rate limited (429 response not handled gracefully in frontend JS). API itself works fine.
+- This is a minor UX bug, not a launch blocker — but should be fixed before marketing
+- **All critical and HIGH security issues now resolved**
+- Commit: 73bb041 pushed to Forgejo
+- **Budget:** €181.71 remaining, Revenue: €0
+- **Status:** Security hardened, launch ready pending UI/UX polish
+- **Next:** UI/UX polish → fix 429 form handling → QA → marketing launch