snapapi: session 54 — cancelled tier fix, security improvements, 338 tests

projects/business/memory/bugs.md

@@ -1,3 +1,11 @@
+## BUG-099: provisionedSessions Set in billing.ts grows unbounded (memory leak)
+- **Date:** 2026-03-03
+- **Severity:** LOW
+- **Issue:** `provisionedSessions` in `src/routes/billing.ts` is an unbounded `Set<string>` that stores every Stripe checkout session ID forever. Used to prevent duplicate key provisioning on success page refresh. DB-level dedup (`findKeyByCustomerId`) handles correctness across pod restarts, but the in-memory Set grows without bound.
+- **Impact:** Over months/years, memory usage increases linearly with purchases. Low real-world impact given expected volume, but a code quality issue.
+- **Fix:** Replace with a TTL Map that auto-expires entries after 24h.
+- **Status:** ✅ FIXED — commit 5f776db. Replaced Set with TTL Map (24h expiry, hourly cleanup). 4 TDD tests added. 447 tests total, all passing. Pushed to main (staging auto-deploy).
+
 ## BUG-098: Request interceptor leaks across browser pool pages after URL-to-PDF conversion
 - **Date:** 2026-03-02
 - **Severity:** MEDIUM

projects/business/memory/sessions.md

@@ -1,5 +1,20 @@
 # Session Log
 
+## Session 123 — 2026-03-04 07:00 UTC (Wednesday Morning)
+- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.5d uptime
+- **Staging:** v0.5.2 ✅ healthy, commit 646a94d (31 commits ahead of prod)
+- **K8s cluster:** All 3 nodes Ready
+- **Support:** Zero tickets
+- **Completed:**
+  1. **Infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts), DB connected (PostgreSQL 17.4), browser pool 15/15. Both prod and staging demo endpoints generating PDFs successfully.
+  2. **Dependency update** — Sub-agent updated all safe dependencies (patch/minor only). @types/node 22.19.11→22.19.13 plus transitive dependency updates. Skipped major bumps (Express 5, vitest 4, marked 17, express-rate-limit 8). 447 tests passing, 0 vulnerabilities. Commit 646a94d pushed to main.
+  3. **Codebase audit** — Reviewed Dockerfile (clean, non-root user), CORS headers (correct), rate limit headers (present), robots.txt (correct), sitemap (7 pages, valid namespace), heading hierarchy (correct), 24 ARIA attributes on landing page. No TODOs/FIXMEs in source.
+- **Total tests:** 447 (all passing), 27 test files
+- **Open bugs:** ZERO 🎉
+- **CI runner:** Still absent. No runner pods on cluster. Managed by Cloonar — needs investor action.
+- **Investor test:** All 5 checks pass ✅
+- **Recommendation:** Staging v0.5.2 is production-ready with ZERO open bugs, 447 tests, 31 commits ahead. Request investor approval for production tag.
+
 ## Session 122 — 2026-03-03 19:00 UTC (Tuesday Evening)
 - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6d uptime
 - **Staging:** v0.5.2 ✅ healthy, commit 5f776db (30 commits ahead of prod)

projects/business/memory/state.json

@@ -3,7 +3,7 @@
   "phaseLabel": "Build Production-Grade Product",
   "status": "launch-ready",
   "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (30 commits ahead, commit 5f776db). CI runner still DOWN. npm audit 0 vulns. 447 tests passing (27 files). ZERO open bugs. Ready for production tag when investor approves.",
+  "currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (31 commits ahead, commit 646a94d). CI runner still DOWN. npm audit 0 vulns. 447 tests passing (27 files). ZERO open bugs. Dependencies updated (patch/minor). Ready for production tag when investor approves.",
   "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
   "ownerDirectives": [
     "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
@@ -85,5 +85,5 @@
   },
   "blockers": [],
   "startDate": "2026-02-14",
-  "sessionCount": 122
+  "sessionCount": 123
 }

projects/snapapi/memory/bugs.md

@@ -86,6 +86,26 @@
 - **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
 - **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
 
+### BUG-017: Cancelled subscriptions get free tier (100 req/mo) instead of 0 (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Cancelled customers get downgraded to 'free' tier with 100 requests/month forever — free tier was removed in v0.3.0
+- **Root cause:** `downgradeByCustomer()` set tier to `'free'` which still had a 100-request limit
+- **Fix:** Added `'cancelled'` tier with 0 limit. `downgradeByCustomer()` now sets to `'cancelled'`.
+- **Deployed to staging:** Yes (commit 9575d31). 338 tests passing.
+- **Production:** Awaiting investor approval for v* tag
+
+### BUG-018: Recovery endpoint logs full API keys (LOW) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Full API keys logged during recovery requests — potential key theft via log access
+- **Fix:** Removed `key` field from logger call, now only logs email
+- **Deployed to staging:** Yes (commit 9575d31)
+
+### BUG-019: No rate limiting on billing endpoints (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Checkout, portal, and recovery endpoints had no rate limiting — could be spammed
+- **Fix:** Added IP-based rate limit (10 req/15min) to billing router, excluding webhook endpoint
+- **Deployed to staging:** Yes (commit 9575d31)
+
 ## Open
 
 ### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED

projects/snapapi/memory/sessions.md

@@ -1,5 +1,57 @@
 # SnapAPI Session Log
 
+## Session 54 — 2026-03-04 09:00 CET (Business Logic & Security Fixes)
+
+**Goal:** Fix discovered business logic bug + security improvements.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas, 6+ days uptime (still v0.5.2, VULNERABLE)
+- Staging: ✅ healthy, deployed 9575d31
+
+**Work Done:**
+
+### 1. BUG-017: Cancelled subscriptions get free tier (MEDIUM) — sub-agent: snapapi-dev-fixes
+- `downgradeByCustomer()` was setting tier to `'free'` (100 req/mo) instead of blocking access
+- Added `'cancelled'` tier with 0-request limit
+- TDD: tests written first, 338 tests passing
+
+### 2. BUG-018: Recovery endpoint logs full API keys (LOW)
+- Removed full key from logger call, only logs email now
+- Prevents key theft via log access
+
+### 3. BUG-019: No rate limiting on billing endpoints (MEDIUM)
+- Added 10 req/15min IP rate limit on checkout/portal/recover
+- Webhook endpoint excluded (Stripe needs unrestricted access)
+- Rate limit headers returned in responses
+
+### Confirmed: Production still vulnerable (BUG-016)
+- Tested `POST /v1/signup/free` on production — returns 200 + creates API key
+- Cleaned up test key from DB
+- Fixed on staging but NEEDS production deploy
+
+**Test Suite:** 338 tests passing (up from 334), 1 pre-existing skip
+
+**TDD Compliance:** ✅ All tests written before implementation
+
+**Git Commits:**
+- `9575d31` fix: cancelled tier, remove key logging, add billing rate limits
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates keys
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**⚠️ URGENT: Production deploy still needed.** BUG-016 (free signup) is a security vulnerability. No abuse detected but the endpoint is discoverable. Requesting investor approval for production deploy (staging → prod).
+
+**Blockers:**
+- **Production deploy: URGENT** — security fix + all staging improvements
+- Stripe production webhook: needs investor
+- CI/CD: No Forgejo runner (manual docker build workaround)
+
+---
+
 ## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route)
 
 **Goal:** Evening housekeeping — discovered and fixed a security vulnerability.

projects/snapapi/memory/state.json

@@ -1,11 +1,11 @@
 {
   "phase": "production-live",
-  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)",
+  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.0-staging (image 9575d31, 338 tests)",
   "staging": {
     "status": "running",
     "namespace": "snapapi-staging",
     "replicas": 1,
-    "image": "git.cloonar.com/openclawd/snapapi:f3a363f",
+    "image": "git.cloonar.com/openclawd/snapapi:9575d31",
     "healthCheck": "passing"
   },
   "production": {
@@ -79,7 +79,11 @@
     "Developer blog at /blog with 3 posts: why-screenshot-api, screenshot-api-performance, automating-og-images (staging)",
     "Blog: dark theme, JSON-LD BlogPosting schema, OG tags, breadcrumbs, CTA boxes (staging)",
     "Blog: clean URL 301 redirects /blog → /blog.html, /blog/:slug → /blog/:slug.html (staging)",
-    "Blog link in nav and footer, sitemap updated with blog URLs (staging)"
+    "Blog link in nav and footer, sitemap updated with blog URLs (staging)",
+    "Cancelled subscription tier — downgrade sets 'cancelled' (0 requests) instead of 'free' (100 requests) (staging)",
+    "Billing rate limiting — 10 req/15min on checkout/portal/recover endpoints, webhook excluded (staging)",
+    "Security: removed full API key logging from recovery endpoint (staging)",
+    "Test suite: 338 tests passing (staging)"
   ],
   "notDone": [
     "Register Stripe webhook URL in Stripe Dashboard",
@@ -102,6 +106,6 @@
       "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
     }
   },
-  "lastSession": "2026-03-03T20:00:00Z",
+  "lastSession": "2026-03-04T09:00:00Z",
   "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }