DocFast Session 39: audit findings, 4 new bugs, sub-agents deployed

This commit is contained in:
Hoid 2026-02-16 13:04:24 +00:00
parent 6544da93f0
commit 81fcadabe8
4 changed files with 76 additions and 5 deletions


@ -290,4 +290,27 @@ Container restart appears to have been clean. All services came back online prop
- **Endpoint:** `POST /v1/convert/url`
- **Issue:** URL validation only checks protocol (http/https) but does NOT block private/internal IP addresses. Attacker can request internal URLs like `http://169.254.169.254/latest/meta-data/` (cloud metadata), `http://127.0.0.1:3100/health`, or any RFC1918 address.
- **Fix:** Resolve hostname via DNS before passing to Puppeteer, block private IP ranges.
- **Status:** FIX IN PROGRESS (sub-agent deployed)
- **Status:** FIXED (verified in Session 38)
## BUG-041: Docker Healthcheck Broken — Container Permanently "Unhealthy"
- **Severity:** MEDIUM
- **Issue:** docker-compose.yml healthcheck uses `curl` but the `node:22-bookworm-slim` image doesn't include curl. Container has 513+ consecutive healthcheck failures.
- **Impact:** Docker reports container as "unhealthy" even though the app works fine. Breaks any orchestration that depends on Docker health status.
- **Fix:** Switch healthcheck to use `node -e "fetch(...)"` instead of curl.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)
## BUG-042: Pricing in USD Instead of EUR
- **Severity:** MEDIUM
- **Issue:** Landing page shows $0/mo and $9/mo. JSON-LD uses priceCurrency: "USD". Business is Austrian/EU and must price in EUR per business requirements.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)
## BUG-043: No Legal Pages (Impressum, Privacy, Terms)
- **Severity:** HIGH
- **Issue:** Zero legal pages on the site. Austrian law (§5 ECG) requires Impressum for commercial websites. GDPR requires privacy policy. No Terms of Service for paid API.
- **Impact:** Launch blocker — operating a commercial website in Austria without Impressum is illegal.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)
## BUG-044: EU Hosting Not Marketed
- **Severity:** LOW
- **Issue:** Zero mentions of EU hosting, GDPR compliance, or data residency on the landing page. This is a key competitive advantage being wasted.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)
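Review bot: the entry that closes just above BUG-041 now carries two Status lines, `- **Status:** FIX IN PROGRESS (sub-agent deployed)` followed by `- **Status:** FIXED (verified in Session 38)`; the stale in-progress line should be removed in the same change so the tracker has one authoritative status per bug. Two smaller points on the fix notes: the BUG-041 replacement `node -e "fetch(...)"` only works as a Docker healthcheck if the process exits non-zero on failure, and `fetch` resolves rather than throws on an HTTP error status, so the one-liner needs to check `res.ok` and call `process.exit(1)` (and exit non-zero on a rejected promise) for the health status to be meaningful; and the SSRF fix of resolving the hostname before handing the URL to Puppeteer should be recorded as incomplete unless the browser is also stopped from re-resolving the name itself (DNS rebinding) and from following redirects to private addresses, since the verification in Session 38 does not say which of these was covered.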