diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index 5cf7237..0474e1f 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md 
@@ -290,4 +290,27 @@ Container restart appears to have been clean. All services came back online prop - **Endpoint:** `POST /v1/convert/url` - **Issue:** URL validation only checks protocol (http/https) but does NOT block private/internal IP addresses. Attacker can request internal URLs like `http://169.254.169.254/latest/meta-data/` (cloud metadata), `http://127.0.0.1:3100/health`, or any RFC1918 address. - **Fix:** Resolve hostname via DNS before passing to Puppeteer, block private IP ranges. -- **Status:** FIX IN PROGRESS (sub-agent deployed) +- **Status:** FIXED (verified in Session 38) + +## BUG-041: Docker Healthcheck Broken — Container Permanently "Unhealthy" +- **Severity:** MEDIUM +- **Issue:** docker-compose.yml healthcheck uses `curl` but the `node:22-bookworm-slim` image doesn't include curl. Container has 513+ consecutive healthcheck failures. +- **Impact:** Docker reports container as "unhealthy" even though the app works fine. Breaks any orchestration that depends on Docker health status. +- **Fix:** Switch healthcheck to use `node -e "fetch(...)"` instead of curl. +- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39) + +## BUG-042: Pricing in USD Instead of EUR +- **Severity:** MEDIUM +- **Issue:** Landing page shows $0/mo and $9/mo. JSON-LD uses priceCurrency: "USD". Business is Austrian/EU and must price in EUR per business requirements. +- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39) + +## BUG-043: No Legal Pages (Impressum, Privacy, Terms) +- **Severity:** HIGH +- **Issue:** Zero legal pages on the site. Austrian law (§5 ECG) requires Impressum for commercial websites. GDPR requires privacy policy. No Terms of Service for paid API. +- **Impact:** Launch blocker — operating a commercial website in Austria without Impressum is illegal. 
+- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39) + +## BUG-044: EU Hosting Not Marketed +- **Severity:** LOW +- **Issue:** Zero mentions of EU hosting, GDPR compliance, or data residency on the landing page. This is a key competitive advantage being wasted. +- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39) diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index ac5af21..7775a24 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md 
@@ -676,3 +676,50 @@ - **Note:** Main session also spawned docfast-ceo-session38 in response to investor's "launch now + approve storage box". Deferring report to that session to avoid duplicate. - **Budget:** €181.71 remaining, Revenue: €0 - **Status:** NOT launch-ready. HIGH severity security bug open. + +## Session 38 — 2026-02-16 08:29 UTC (Monday Morning — Proactive Improvements) +- **Context:** 5th consecutive session blocked on investor actions. SKILL.md says "Never idle." Performed full codebase audit and shipped quality improvements. +- **Codebase audit findings + fixes deployed:** + 1. ✅ **Version mismatch fixed** — package.json updated to 0.2.1, health endpoint now correctly reports 0.2.1 + 2. ✅ **404 handler** — API routes return JSON 404, browser requests get styled HTML 404 page (was already partially implemented by prior sub-agent, verified working) + 3. ✅ **Verify page typo** — "if needed.." → "if needed." (double period fixed) + 4. ✅ **Request logging** — Every non-health request logged with method, path, status, response time (pino) + 5. ✅ **Permissions-Policy header** — camera=(), microphone=(), geolocation=(), payment=(self) + 6. ✅ **JSON-LD structured data** — SoftwareApplication schema on landing page for SEO + 7. ✅ **Font preconnect hints** — `` for Google Fonts (performance) + 8. ✅ **Sitemap lastmod dates** — Added 2026-02-16 lastmod to all URLs +- **BUG-038 (health version) and BUG-040 (SSRF) verified FIXED** — both resolved by prior sub-agents, confirmed working on production +- **Commit 86f8da6** pushed to Forgejo, built and deployed to production +- **All changes verified on live site:** version 0.2.1, 404 handler, Permissions-Policy header, JSON-LD, preconnect, sitemap lastmod +- **Investor Test:** + 1. Trust with money? **Almost** — all code deployed, needs real E2E test payment + 2. Data loss? **Mitigated** — BorgBackup daily, local only. Needs off-site Storage Box. + 3. Free tier abuse? **Mitigated** ✅ + 4. Key recovery? 
**Yes** ✅ + 5. False features? **Clean** ✅ +- **Budget:** €181.71 remaining, Revenue: €0 +- **Status:** NOT launch-ready. Blocked on investor actions only. +- **Blockers (unchanged):** + 1. E2E Pro payment test (real $9 Stripe payment) + 2. 3 Forgejo repo secrets for CI/CD + 3. Hetzner Storage Box (~€3/mo) for off-site backups + +## Session 39 — 2026-02-16 13:01 UTC (Monday Afternoon — Cron) +- **Server health:** UP, PostgreSQL 16.11, pool 15/15, but Docker reports "unhealthy" (513 consecutive failures — curl not in image) +- **Audit findings:** + 1. BUG-041: Docker healthcheck broken (curl not in slim image) — MEDIUM + 2. BUG-042: Pricing in USD ($9) instead of EUR (€9) — MEDIUM + 3. BUG-043: No legal pages (Impressum, Privacy, Terms) — HIGH (Austrian law violation) + 4. BUG-044: EU hosting not marketed (missed competitive advantage) — LOW +- **Sub-agents spawned:** + 1. Backend Dev — Docker healthcheck fix (node-based), USD→EUR pricing, static asset caching + 2. UI/UX Dev — Legal pages (Impressum, Privacy Policy, Terms), footer links, EU hosting badge +- **Storage Box:** Cannot provision via Cloud API (needs Robot API credentials). Escalated to investor. +- **Investor Test:** + 1. Trust with money? **NO** — no legal pages, pricing in wrong currency + 2. Data loss? **Mitigated** — BorgBackup daily, local only. Off-site still needed. + 3. Free tier abuse? **Mitigated** ✅ + 4. Key recovery? **Yes** ✅ + 5. False features? **Clean** ✅ +- **Budget:** €181.71 remaining, Revenue: €0 +- **Status:** NOT launch-ready. HIGH severity legal compliance bug + pricing currency issue. diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json index b1bdf19..ffc3873 100644 --- a/projects/business/memory/state.json +++ b/projects/business/memory/state.json 
@@ -64,9 +64,9 @@ }, "openBugs": { "CRITICAL": [], - "HIGH": ["BUG-040: SSRF vulnerability in URL→PDF endpoint — no private IP blocking. Fix in progress."], - "MEDIUM": [], - "LOW": ["BUG-038: Health endpoint version shows 0.1.0 instead of 0.2.1 — fix in progress."] + "HIGH": ["BUG-043: No legal pages (Impressum/Privacy/Terms) — Austrian law violation"], + "MEDIUM": ["BUG-041: Docker healthcheck broken (curl missing)", "BUG-042: Pricing in USD not EUR"], + "LOW": ["BUG-044: EU hosting not marketed"] }, "blockers": [ "E2E Pro payment test (needs investor to make real test payment)", @@ -74,5 +74,5 @@ "Off-site backup (Hetzner Storage Box, ~€3/mo)" ], "startDate": "2026-02-14", - "sessionCount": 37 + "sessionCount": 39 } diff --git a/projects/business/memory/uptime-fails.txt b/projects/business/memory/uptime-fails.txt new file mode 100644 index 0000000..a0aba93 --- /dev/null +++ b/projects/business/memory/uptime-fails.txt @@ -0,0 +1 @@ +OK \ No newline at end of file
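Review bot: in the bugs.md hunk, the BUG-040 entry flips to `FIXED (verified in Session 38)` but the fix as described ("Resolve hostname via DNS before passing to Puppeteer, block private IP ranges") does not address the two usual ways a resolve-then-block check is bypassed: the name can resolve differently when Puppeteer performs its own lookup (DNS rebinding), and an allowed public URL can 3xx-redirect the browser to `169.254.169.254` or an RFC1918 address. Please record in the entry what the Session 38 verification actually exercised (direct internal URL, redirect to an internal address, hostname resolving to an internal address) and whether the block applies to every request the browser makes, not only the initial hostname. Also, in BUG-041 the proposed `node -e "fetch(...)"` healthcheck must exit non-zero on a rejected or non-2xx response (fetch resolves normally on 4xx/5xx); otherwise the container goes from permanently "unhealthy" to permanently "healthy", which is the same orchestration problem inverted.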
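Review bot: in the sessions.md hunk, item 7 of the Session 38 audit list (`Font preconnect hints`) has an empty code span where the link element should be, so the log does not record what was added; either quote the element or describe it in words (rel attribute and origin). The same list states `BUG-040 (SSRF) verified FIXED ... confirmed working on production` without naming the request used to confirm it; one line with the probe URL (for example the `169.254.169.254` metadata URL already cited in bugs.md) and the response received would make the verification reproducible in a later session.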
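Review bot: in the first state.json hunk, the new `openBugs` strings drop the status suffix the removed entries carried (`— fix in progress.`), so a reader of state.json alone can no longer tell that all four new bugs already have sub-agents assigned per bugs.md and sessions.md; keep the suffix (e.g. `BUG-041: Docker healthcheck broken (curl missing) — fix in progress`) or add a structured status field. Note also that BUG-043 now occupies the `HIGH` slot that the SSRF bug occupied; it is a legal compliance item, so if anything reads `HIGH` as a security signal, a category marker in the string would avoid conflating the two.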
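Review bot: the new `uptime-fails.txt` contains only `OK` with no trailing newline, which is an ambiguous sentinel for a file whose name promises a list of failures: a line count gives 0, while a check for non-empty content reports one "failure". Either create the file empty (zero failures) or document the `OK` convention where the file is consumed, and end the file with a newline so line-oriented tools count it consistently.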