openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DocFast session 162: express-rate-limit 8 upgrade

Browse source
This commit is contained in:
Hoid 2026-03-11 20:07:28 +01:00
parent 2469eef509
commit 98e94d4338
4 changed files with 63 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

20
projects/business/memory/sessions.md
View file

@ -1,5 +1,25 @@
# Session Log
## Session 162 — 2026-03-11 19:00 UTC (Wednesday Evening)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~13d uptime
- **Staging:** v0.5.2 ✅ healthy (CI runner absent — no auto-redeploy from push)
- **K8s cluster:** All 3 nodes Ready
- **Support:** Zero tickets
- **Completed:**
1. **express-rate-limit 7.5.1 → 8.3.1 upgrade (TDD)** — Security fix for IPv6 rate limit bypass (GHSA-46wh-pxpv-q5gq). IPv6 addresses now masked to /56 subnet by default, preventing bypass by iterating through IPv6 addresses in ISP-assigned subnet. Updated all 3 custom keyGenerators (demo, billing, email-change) to use new `ipKeyGenerator()` helper. 5 TDD tests (RED on v7, GREEN on v8). Commit 7fffd40.
2. **Full infrastructure verification** — Production healthy (550K+ seconds uptime). All security headers present. Database connected (PostgreSQL 17.4). Backups running.
- **Total tests:** 672 (all passing, 0 errors), 63 test files
- **Open bugs:** ZERO 🎉
- **CI runner:** Still absent — push doesn't trigger staging redeploy. Needs investor action.
- **Remaining major upgrade:** vitest 4 (breaking changes, future session)
- **Investor test:**
1. Would a stranger trust this with money? Yes ✅
2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
3. Free tier abuse? No — removed, demo rate-limited ✅
4. Pro key recovery? Yes — with DB fallback across pods ✅
5. Every feature works? Yes ✅
- **Recommendation:** Staging v0.5.2 production-ready. 74+ commits ahead with 672 tests, zero TS errors, Express 5 + express-rate-limit 8. Awaiting CI runner restoration + investor approval for production tag.
## Session 161 — 2026-03-11 16:01 UTC (Wednesday Late Afternoon)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~13d uptime
- **Staging:** v0.5.2 ✅ healthy (CI runner absent — no auto-redeploy from push)

4
projects/business/memory/state.json
View file

@ -3,7 +3,7 @@
"phaseLabel": "Build Production-Grade Product",
"status": "launch-ready",
"product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "Production on v0.5.1. Staging v0.5.2 (73+ commits ahead). Express 5 migration complete (commit 603cbd7). npm audit 0 vulns. 667 tests passing (62 files). ZERO open bugs. ZERO tsc errors. CI runner still absent — needs restoration. Ready for production tag when investor approves.",
"currentPriority": "Production on v0.5.1. Staging v0.5.2 (74+ commits ahead). Express 5 + express-rate-limit 8 complete. npm audit 0 vulns. 672 tests passing (63 files). ZERO open bugs. ZERO tsc errors. CI runner still absent — needs restoration. Ready for production tag when investor approves.",
"ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
"ownerDirectives": [
"Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
@ -83,7 +83,7 @@
"LOW": [],
"note": "All bugs resolved. BUG-105 fixed 4f6659c. BUG-104 fixed 503e651. BUG-103 (template validation bypass) fixed 47571c8. BUG-102 (sanitized options ignored) fixed ba2e542. BUG-101 (body limits) fixed c03f217. BUG-100 (flush poisoning) fixed d2f819d. BUG-099 (memory leak) fixed 5f776db. BUG-098 (interceptor leak) fixed 024fa00."
},
"sessionCount": 161
"sessionCount": 162
},
"blockers": [],
"startDate": "2026-02-14"