snapapi: session 54 — cancelled tier fix, security improvements, 338 tests

Hoid 2026-03-04 09:10:56 +01:00
parent e4d9233ab7
commit 9a16f5e7da
10 changed files with 179 additions and 18 deletions

View file

@ -1,3 +1,11 @@
## BUG-099: provisionedSessions Set in billing.ts grows unbounded (memory leak)
- **Date:** 2026-03-03
- **Severity:** LOW
- **Issue:** `provisionedSessions` in `src/routes/billing.ts` is an unbounded `Set<string>` that stores every Stripe checkout session ID forever. Used to prevent duplicate key provisioning on success page refresh. DB-level dedup (`findKeyByCustomerId`) handles correctness across pod restarts, but the in-memory Set grows without bound.
- **Impact:** Over months/years, memory usage increases linearly with purchases. Low real-world impact given expected volume, but a code quality issue.
- **Fix:** Replace with a TTL Map that auto-expires entries after 24h.
- **Status:** ✅ FIXED — commit 5f776db. Replaced Set with TTL Map (24h expiry, hourly cleanup). 4 TDD tests added. 447 tests total, all passing. Pushed to main (staging auto-deploy).
## BUG-098: Request interceptor leaks across browser pool pages after URL-to-PDF conversion
- **Date:** 2026-03-02
- **Severity:** MEDIUM
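Review bot: The Fix line for BUG-099 bounds the duplicate-provisioning guard by time only, and the entry does not say what still prevents a second key once an entry has expired or when the refresh reaches a different pod. The Issue line names `findKeyByCustomerId` as the DB-level dedup; state in the entry that this check, not the in-memory Map, is what correctness depends on, and note whether one of the 4 added tests covers a success-page replay after the 24h expiry. It would also help to record whether session IDs are inserted only after the checkout session has been verified, since otherwise the Map can still be grown inside the 24h window by requests carrying arbitrary IDs.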

View file

@ -1,5 +1,20 @@
# Session Log
## Session 123 — 2026-03-04 07:00 UTC (Wednesday Morning)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.5d uptime
- **Staging:** v0.5.2 ✅ healthy, commit 646a94d (31 commits ahead of prod)
- **K8s cluster:** All 3 nodes Ready
- **Support:** Zero tickets
- **Completed:**
1. **Infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts), DB connected (PostgreSQL 17.4), browser pool 15/15. Both prod and staging demo endpoints generating PDFs successfully.
2. **Dependency update** — Sub-agent updated all safe dependencies (patch/minor only). @types/node 22.19.11→22.19.13 plus transitive dependency updates. Skipped major bumps (Express 5, vitest 4, marked 17, express-rate-limit 8). 447 tests passing, 0 vulnerabilities. Commit 646a94d pushed to main.
3. **Codebase audit** — Reviewed Dockerfile (clean, non-root user), CORS headers (correct), rate limit headers (present), robots.txt (correct), sitemap (7 pages, valid namespace), heading hierarchy (correct), 24 ARIA attributes on landing page. No TODOs/FIXMEs in source.
- **Total tests:** 447 (all passing), 27 test files
- **Open bugs:** ZERO 🎉
- **CI runner:** Still absent. No runner pods on cluster. Managed by Cloonar — needs investor action.
- **Investor test:** All 5 checks pass ✅
- **Recommendation:** Staging v0.5.2 is production-ready with ZERO open bugs, 447 tests, 31 commits ahead. Request investor approval for production tag.
## Session 122 — 2026-03-03 19:00 UTC (Tuesday Evening)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6d uptime
- **Staging:** v0.5.2 ✅ healthy, commit 5f776db (30 commits ahead of prod)
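Review bot: Item 2 under Completed records a dependency update pushed to main as commit 646a94d, while the CI runner line in the same entry says no runner pods exist, so "447 tests passing, 0 vulnerabilities" is a local, self-reported result with nothing gating the push. Record the commands that produced those figures and who reviewed the lockfile changes for the transitive updates, and consider making the production-tag recommendation conditional on a CI run rather than on this log entry. Item 3 has the same gap: "correct" for the CORS and rate limit headers should point at the check that was run.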

View file

@ -3,7 +3,7 @@
"phaseLabel": "Build Production-Grade Product",
"status": "launch-ready",
"product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (30 commits ahead, commit 5f776db). CI runner still DOWN. npm audit 0 vulns. 447 tests passing (27 files). ZERO open bugs. Ready for production tag when investor approves.",
"currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (31 commits ahead, commit 646a94d). CI runner still DOWN. npm audit 0 vulns. 447 tests passing (27 files). ZERO open bugs. Dependencies updated (patch/minor). Ready for production tag when investor approves.",
"ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
"ownerDirectives": [
"Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
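Review bot: The updated `currentPriority` declares "ZERO open bugs" and readiness for a production tag, but the `ownerDirectives` list just below still carries the webhook `product_id` filter item, and `ownerDirectives_PRIORITY` says completed items are removed during housekeeping. Either mark the directive as a standing rule or state where the filter is implemented and tested, so the readiness claim does not sit next to what reads as an open security-relevant task. The free-text line also repeats the commit count, hash and test count kept in the session log; separate fields would be less prone to drift.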
@ -85,5 +85,5 @@
},
"blockers": [],
"startDate": "2026-02-14",
"sessionCount": 122
"sessionCount": 123
}
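Review bot: `sessionCount` moves from 122 to 123 and the visible files all concern DocFast, while the commit subject names snapapi, session 54 and 338 tests. Only three of the 10 changed files appear here, but if these state and log updates belong to a different project and session than the subject describes, split them into their own commit with a matching message so the history for the security changes stays auditable.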