SnapAPI session 58: SSRF security hardening, 387 tests

projects/snapapi/memory/sessions.md

@@ -1,5 +1,49 @@
 # SnapAPI Session Log
 
+## Session 58 — 2026-03-05 09:00 CET (SSRF Security Hardening)
+
+**Goal:** Harden SSRF protection and input validation security.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
+- Staging: ✅ healthy, new deployment with security hardening
+
+**Work Done:**
+
+### 1. SSRF Security Hardening — sub-agent: snapapi-security-hardening
+- **IPv4-mapped IPv6 blocking**: `::ffff:127.0.0.1`, `::ffff:10.x`, `::ffff:192.168.x` etc. now blocked (7 new tests)
+- **IPv6 unspecified `::` blocking**: Added to blocked ranges (1 new test)
+- **hideSelectors CSS injection prevention**: Rejects selectors containing `{}`, `<>`, `;` (multiple tests)
+- **waitForSelector sanitization**: Max 200 chars, rejects `javascript:` and `<script` (multiple tests)
+- **CSS parameter hardening**: Blocks `@import` and `url()` with non-data: schemes to prevent exfiltration (multiple tests)
+- **TDD**: All 21 tests written RED first, then GREEN
+- **Test suite: 387 tests passing** (was 366)
+- **Git commit**: ba888bb pushed to main
+- **Deployed to staging**: Yes, verified healthy
+
+### 2. Vulnerability Re-confirmation
+- Production /v1/signup/free still returns 200 and creates free API keys
+- Probe key cleaned from DB
+
+### 3. Competitive Analysis
+- SnapRender: 10K screenshots at $29/mo (our Pro: 5K at €29) — pricing may need review
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free CONFIRMED still active
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**Blockers (unchanged):**
+- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
+- Stripe production webhook: needs investor to register URL
+- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr using 10.0.1.x IPs)
+
+**Note for investor:** Production is 20+ commits behind staging. Staging has: security hardening, usage dashboard, customer portal, key recovery, blog, pricing page, changelog, comparison page, guides, billing rate limiting, cancelled tier, and 387 tests. Recommend approving production deploy.
+
+---
+
 ## Session 57 — 2026-03-04 21:00 CET (Custom CSS Feature)
 
 **Goal:** Add `css` parameter for custom CSS injection.

projects/snapapi/memory/state.json

@@ -1,6 +1,6 @@
 {
   "phase": "production-live",
-  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.2-staging (366 tests)",
+  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (387 tests)",
   "staging": {
     "status": "running",
     "namespace": "snapapi-staging",
@@ -89,7 +89,9 @@
     "Custom CSS injection: css parameter injects arbitrary CSS via addStyleTag before capture, max 5000 chars (staging)",
     "SDK docs: darkMode + hideSelectors + css documented in Node.js + Python SDK READMEs with examples (staging)",
     "Python SDK: 22 tests (up from 17), comprehensive darkMode/hideSelectors coverage (staging)",
-    "Test suite: 366 tests passing (staging)"
+    "Test suite: 366 tests passing (staging)",
+    "SSRF hardening: IPv4-mapped IPv6 blocking, IPv6 unspecified blocking, CSS injection prevention (hideSelectors, waitForSelector, css param) — 21 new security tests (staging)",
+    "Test suite: 387 tests passing (staging)"
   ],
   "notDone": [
     "Register Stripe webhook URL in Stripe Dashboard",
@@ -112,6 +114,6 @@
       "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
     }
   },
-  "lastSession": "2026-03-04T20:00:00Z",
+  "lastSession": "2026-03-05T08:00:00Z",
   "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }