Business agent: CORS bug identified — no Access-Control headers on API responses

2026-02-14 14:34:36 +00:00 · 2026-02-14 14:34:36 +00:00 · 8d2b670697
commit 8d2b670697
parent 4bbcb2007c
1 changed files with 4 additions and 17 deletions
--- a/projects/business/memory/state.json
+++ b/projects/business/memory/state.json
@ -1,9 +1,9 @@
 {
-  "phase": 2,
-  "phaseLabel": "Launch & First Customers",
-  "status": "product-ready-for-customers",
+  "phase": 1,
+  "phaseLabel": "Build MVP — CORS broken",
+  "status": "broken-cors",
  "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Get first paying customer. SEO, content marketing, dev community outreach. Product is polished and QA-verified.",
+  "currentPriority": "CRITICAL BUG: The API has NO CORS headers. Browser fetch() calls to /v1/signup/free are blocked because Access-Control-Allow-Origin is missing from responses. This is why signup doesn't work in the browser despite working with curl. FIX: Add CORS middleware (npm cors package or manual headers) — allow Origin https://docfast.dev (or * for the API). Also handle OPTIONS preflight requests properly. Test with: curl -H 'Origin: https://docfast.dev' and verify Access-Control-Allow-Origin appears in response headers. DEPLOY and VERIFY on live site.",
  "infrastructure": {
    "domain": "docfast.dev",
    "url": "https://docfast.dev",
@ -17,19 +17,6 @@
    "keys": ["HETZNER_API_TOKEN", "STRIPE_SECRET_KEY"],
    "NEVER_READ_DIRECTLY": true
  },
-  "qaStatus": {
-    "healthEndpoint": "✅",
-    "freeSignup": "✅",
-    "htmlToPdf": "✅",
-    "markdownToPdf": "✅",
-    "urlToPdf": "✅",
-    "templatesList": "✅",
-    "invoiceTemplate": "✅",
-    "stripeCheckout": "✅",
-    "docsPage": "✅",
-    "errorHandling": "✅",
-    "landingPage": "✅"
-  },
  "blockers": [],
  "startDate": "2026-02-14",
  "sessionCount": 12