DocFast Session 39: audit findings, 4 new bugs, sub-agents deployed
This commit is contained in:
parent 6544da93f0
commit 81fcadabe8
4 changed files with 76 additions and 5 deletions
@ -290,4 +290,27 @@ Container restart appears to have been clean. All services came back online prop
- **Endpoint:** `POST /v1/convert/url`
- **Issue:** URL validation only checks protocol (http/https) but does NOT block private/internal IP addresses. Attacker can request internal URLs like `http://169.254.169.254/latest/meta-data/` (cloud metadata), `http://127.0.0.1:3100/health`, or any RFC1918 address.
- **Fix:** Resolve hostname via DNS before passing to Puppeteer, block private IP ranges.
- **Status:** FIX IN PROGRESS (sub-agent deployed)
- **Status:** FIXED (verified in Session 38)

## BUG-041: Docker Healthcheck Broken — Container Permanently "Unhealthy"
- **Severity:** MEDIUM
- **Issue:** docker-compose.yml healthcheck uses `curl` but the `node:22-bookworm-slim` image doesn't include curl. Container has 513+ consecutive healthcheck failures.
- **Impact:** Docker reports container as "unhealthy" even though the app works fine. Breaks any orchestration that depends on Docker health status.
- **Fix:** Switch healthcheck to use `node -e "fetch(...)"` instead of curl.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)

## BUG-042: Pricing in USD Instead of EUR
- **Severity:** MEDIUM
- **Issue:** Landing page shows $0/mo and $9/mo. JSON-LD uses priceCurrency: "USD". Business is Austrian/EU and must price in EUR per business requirements.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)

## BUG-043: No Legal Pages (Impressum, Privacy, Terms)
- **Severity:** HIGH
- **Issue:** Zero legal pages on the site. Austrian law (§5 ECG) requires Impressum for commercial websites. GDPR requires privacy policy. No Terms of Service for paid API.
- **Impact:** Launch blocker — operating a commercial website in Austria without Impressum is illegal.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)

## BUG-044: EU Hosting Not Marketed
- **Severity:** LOW
- **Issue:** Zero mentions of EU hosting, GDPR compliance, or data residency on the landing page. This is a key competitive advantage being wasted.
- **Status:** FIX IN PROGRESS (sub-agent deployed Session 39)
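Review bot: BUG-040 is flipped to FIXED here, but the fix as recorded in the entry ("Resolve hostname via DNS before passing to Puppeteer, block private IP ranges") leaves a gap the bug entry should document: if the pre-check resolves the name and Puppeteer then resolves it again for the real request, the second lookup can return a different address (DNS rebinding), and any HTTP redirect the browser follows is never checked at all. Suggest the entry state that the resolved address is pinned for the actual fetch (or that the range check is enforced on every request and redirect via request interception), and that IPv6 loopback and link-local ranges are covered alongside RFC1918 and 169.254.0.0/16. For BUG-041, the proposed `node -e "fetch(...)"` healthcheck must explicitly test `res.ok` and exit non-zero on failure: a bare `fetch` resolves for any HTTP status, so a 500 from `/health` would still register as healthy.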
@ -676,3 +676,50 @@
- **Note:** Main session also spawned docfast-ceo-session38 in response to investor's "launch now + approve storage box". Deferring report to that session to avoid duplicate.
- **Budget:** €181.71 remaining, Revenue: €0
- **Status:** NOT launch-ready. HIGH severity security bug open.

## Session 38 — 2026-02-16 08:29 UTC (Monday Morning — Proactive Improvements)
- **Context:** 5th consecutive session blocked on investor actions. SKILL.md says "Never idle." Performed full codebase audit and shipped quality improvements.
- **Codebase audit findings + fixes deployed:**
1. ✅ **Version mismatch fixed** — package.json updated to 0.2.1, health endpoint now correctly reports 0.2.1
2. ✅ **404 handler** — API routes return JSON 404, browser requests get styled HTML 404 page (was already partially implemented by prior sub-agent, verified working)
3. ✅ **Verify page typo** — "if needed.." → "if needed." (double period fixed)
4. ✅ **Request logging** — Every non-health request logged with method, path, status, response time (pino)
5. ✅ **Permissions-Policy header** — camera=(), microphone=(), geolocation=(), payment=(self)
6. ✅ **JSON-LD structured data** — SoftwareApplication schema on landing page for SEO
7. ✅ **Font preconnect hints** — `<link rel="preconnect">` for Google Fonts (performance)
8. ✅ **Sitemap lastmod dates** — Added 2026-02-16 lastmod to all URLs
- **BUG-038 (health version) and BUG-040 (SSRF) verified FIXED** — both resolved by prior sub-agents, confirmed working on production
- **Commit 86f8da6** pushed to Forgejo, built and deployed to production
- **All changes verified on live site:** version 0.2.1, 404 handler, Permissions-Policy header, JSON-LD, preconnect, sitemap lastmod
- **Investor Test:**
1. Trust with money? **Almost** — all code deployed, needs real E2E test payment
2. Data loss? **Mitigated** — BorgBackup daily, local only. Needs off-site Storage Box.
3. Free tier abuse? **Mitigated** ✅
4. Key recovery? **Yes** ✅
5. False features? **Clean** ✅
- **Budget:** €181.71 remaining, Revenue: €0
- **Status:** NOT launch-ready. Blocked on investor actions only.
- **Blockers (unchanged):**
1. E2E Pro payment test (real $9 Stripe payment)
2. 3 Forgejo repo secrets for CI/CD
3. Hetzner Storage Box (~€3/mo) for off-site backups

## Session 39 — 2026-02-16 13:01 UTC (Monday Afternoon — Cron)
- **Server health:** UP, PostgreSQL 16.11, pool 15/15, but Docker reports "unhealthy" (513 consecutive failures — curl not in image)
- **Audit findings:**
1. BUG-041: Docker healthcheck broken (curl not in slim image) — MEDIUM
2. BUG-042: Pricing in USD ($9) instead of EUR (€9) — MEDIUM
3. BUG-043: No legal pages (Impressum, Privacy, Terms) — HIGH (Austrian law violation)
4. BUG-044: EU hosting not marketed (missed competitive advantage) — LOW
- **Sub-agents spawned:**
1. Backend Dev — Docker healthcheck fix (node-based), USD→EUR pricing, static asset caching
2. UI/UX Dev — Legal pages (Impressum, Privacy Policy, Terms), footer links, EU hosting badge
- **Storage Box:** Cannot provision via Cloud API (needs Robot API credentials). Escalated to investor.
- **Investor Test:**
1. Trust with money? **NO** — no legal pages, pricing in wrong currency
2. Data loss? **Mitigated** — BorgBackup daily, local only. Off-site still needed.
3. Free tier abuse? **Mitigated** ✅
4. Key recovery? **Yes** ✅
5. False features? **Clean** ✅
- **Budget:** €181.71 remaining, Revenue: €0
- **Status:** NOT launch-ready. HIGH severity legal compliance bug + pricing currency issue.
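Review bot: "pool 15/15" in the Session 39 server-health line is ambiguous: it could mean 15 of 15 connections are idle (healthy) or 15 of 15 are in use (pool exhausted), which are opposite conditions; suggest writing "pool 15/15 idle" or "15/15 in use" so a later session does not misread it. Also, the Session 38 entry records BUG-040 (SSRF) as "verified FIXED ... confirmed working on production" without saying what the verification consisted of; a one-line note listing which private-range targets were confirmed blocked (and whether redirects were covered) would make the claim reproducible and would justify removing the HIGH entry from status.json.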
@ -64,9 +64,9 @@
},
"openBugs": {
"CRITICAL": [],
"HIGH": ["BUG-040: SSRF vulnerability in URL→PDF endpoint — no private IP blocking. Fix in progress."],
"MEDIUM": [],
"LOW": ["BUG-038: Health endpoint version shows 0.1.0 instead of 0.2.1 — fix in progress."]
"HIGH": ["BUG-043: No legal pages (Impressum/Privacy/Terms) — Austrian law violation"],
"MEDIUM": ["BUG-041: Docker healthcheck broken (curl missing)", "BUG-042: Pricing in USD not EUR"],
"LOW": ["BUG-044: EU hosting not marketed"]
},
"blockers": [
"E2E Pro payment test (needs investor to make real test payment)",
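Review bot: BUG-038 and BUG-040 are dropped from openBugs without any trace in this file that they were resolved, so a reader of the JSON alone cannot distinguish "fixed" from "silently removed". Suggest adding a `fixedBugs` list (or a per-entry `status` field) that mirrors the log's "verified FIXED (Session 38)" wording, so the status file stays self-describing and the open/fixed history can be reconciled against the log.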
@ -74,5 +74,5 @@
"Off-site backup (Hetzner Storage Box, ~€3/mo)"
],
"startDate": "2026-02-14",
"sessionCount": 37
"sessionCount": 39
}
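Review bot: sessionCount jumps from 37 to 39 while this same commit adds both the Session 38 and Session 39 log entries, which means the Session 38 commit never bumped the counter. Either update `sessionCount` as part of every session's commit, or derive it from the number of "## Session N" headings in the log so the two cannot drift apart.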
projects/business/memory/uptime-fails.txt (Normal file, 1 line added)
@ -0,0 +1 @@
OK
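Review bot: a new file named uptime-fails.txt whose only content is "OK" has no documented format; it is not clear whether "OK" is a sentinel meaning "no failures recorded", the last observed check result, or a placeholder. Suggest a one-line header comment in the file (or a note in the session log) stating what is written here, by which job, and in what format, so the next session can read it without guessing.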