snapapi: session 54 — cancelled tier fix, security improvements, 338 tests

projects/snapapi/memory/bugs.md

@@ -86,6 +86,26 @@
 - **Deployed to staging:** Yes (commit f3a363f, image imported to w1+w2). Verified: 404 on staging.
 - **Production:** ⚠️ STILL VULNERABLE — needs production deploy (v* tag) to fix. This is a security issue.
 
+### BUG-017: Cancelled subscriptions get free tier (100 req/mo) instead of 0 (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Cancelled customers get downgraded to 'free' tier with 100 requests/month forever — free tier was removed in v0.3.0
+- **Root cause:** `downgradeByCustomer()` set tier to `'free'` which still had a 100-request limit
+- **Fix:** Added `'cancelled'` tier with 0 limit. `downgradeByCustomer()` now sets to `'cancelled'`.
+- **Deployed to staging:** Yes (commit 9575d31). 338 tests passing.
+- **Production:** Awaiting investor approval for v* tag
+
+### BUG-018: Recovery endpoint logs full API keys (LOW) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Full API keys logged during recovery requests — potential key theft via log access
+- **Fix:** Removed `key` field from logger call, now only logs email
+- **Deployed to staging:** Yes (commit 9575d31)
+
+### BUG-019: No rate limiting on billing endpoints (MEDIUM) — FIXED (staging)
+- **Found:** Session 54 (self-discovered)
+- **Impact:** Checkout, portal, and recovery endpoints had no rate limiting — could be spammed
+- **Fix:** Added IP-based rate limit (10 req/15min) to billing router, excluding webhook endpoint
+- **Deployed to staging:** Yes (commit 9575d31)
+
 ## Open
 
 ### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED

projects/snapapi/memory/sessions.md

@@ -1,5 +1,57 @@
 # SnapAPI Session Log
 
+## Session 54 — 2026-03-04 09:00 CET (Business Logic & Security Fixes)
+
+**Goal:** Fix discovered business logic bug + security improvements.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas, 6+ days uptime (still v0.5.2, VULNERABLE)
+- Staging: ✅ healthy, deployed 9575d31
+
+**Work Done:**
+
+### 1. BUG-017: Cancelled subscriptions get free tier (MEDIUM) — sub-agent: snapapi-dev-fixes
+- `downgradeByCustomer()` was setting tier to `'free'` (100 req/mo) instead of blocking access
+- Added `'cancelled'` tier with 0-request limit
+- TDD: tests written first, 338 tests passing
+
+### 2. BUG-018: Recovery endpoint logs full API keys (LOW)
+- Removed full key from logger call, only logs email now
+- Prevents key theft via log access
+
+### 3. BUG-019: No rate limiting on billing endpoints (MEDIUM)
+- Added 10 req/15min IP rate limit on checkout/portal/recover
+- Webhook endpoint excluded (Stripe needs unrestricted access)
+- Rate limit headers returned in responses
+
+### Confirmed: Production still vulnerable (BUG-016)
+- Tested `POST /v1/signup/free` on production — returns 200 + creates API key
+- Cleaned up test key from DB
+- Fixed on staging but NEEDS production deploy
+
+**Test Suite:** 338 tests passing (up from 334), 1 pre-existing skip
+
+**TDD Compliance:** ✅ All tests written before implementation
+
+**Git Commits:**
+- `9575d31` fix: cancelled tier, remove key logging, add billing rate limits
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free still generates keys
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**⚠️ URGENT: Production deploy still needed.** BUG-016 (free signup) is a security vulnerability. No abuse detected but the endpoint is discoverable. Requesting investor approval for production deploy (staging → prod).
+
+**Blockers:**
+- **Production deploy: URGENT** — security fix + all staging improvements
+- Stripe production webhook: needs investor
+- CI/CD: No Forgejo runner (manual docker build workaround)
+
+---
+
 ## Session 53 — 2026-03-03 21:00 CET (Security Fix: Free Signup Route)
 
 **Goal:** Evening housekeeping — discovered and fixed a security vulnerability.

projects/snapapi/memory/state.json

@@ -1,11 +1,11 @@
 {
   "phase": "production-live",
-  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.3-staging (image f3a363f, 334 tests)",
+  "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.7.0-staging (image 9575d31, 338 tests)",
   "staging": {
     "status": "running",
     "namespace": "snapapi-staging",
     "replicas": 1,
-    "image": "git.cloonar.com/openclawd/snapapi:f3a363f",
+    "image": "git.cloonar.com/openclawd/snapapi:9575d31",
     "healthCheck": "passing"
   },
   "production": {
@@ -79,7 +79,11 @@
     "Developer blog at /blog with 3 posts: why-screenshot-api, screenshot-api-performance, automating-og-images (staging)",
     "Blog: dark theme, JSON-LD BlogPosting schema, OG tags, breadcrumbs, CTA boxes (staging)",
     "Blog: clean URL 301 redirects /blog → /blog.html, /blog/:slug → /blog/:slug.html (staging)",
-    "Blog link in nav and footer, sitemap updated with blog URLs (staging)"
+    "Blog link in nav and footer, sitemap updated with blog URLs (staging)",
+    "Cancelled subscription tier — downgrade sets 'cancelled' (0 requests) instead of 'free' (100 requests) (staging)",
+    "Billing rate limiting — 10 req/15min on checkout/portal/recover endpoints, webhook excluded (staging)",
+    "Security: removed full API key logging from recovery endpoint (staging)",
+    "Test suite: 338 tests passing (staging)"
   ],
   "notDone": [
     "Register Stripe webhook URL in Stripe Dashboard",
@@ -102,6 +106,6 @@
       "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
     }
   },
-  "lastSession": "2026-03-03T20:00:00Z",
+  "lastSession": "2026-03-04T09:00:00Z",
   "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }