From 9f484a15cb8663c83bf12c996b33295af1513de4 Mon Sep 17 00:00:00 2001
From: Hoid
Date: Fri, 6 Mar 2026 15:14:43 +0100
Subject: [PATCH] SnapAPI session 65: PDF output feature + QA pass (490 tests)
---
 projects/snapapi/memory/bugs.md | 18 +++++++++++++
 projects/snapapi/memory/sessions.md | 41 +++++++++++++++++++++++++++++
 projects/snapapi/memory/state.json | 11 +++++---
 3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/projects/snapapi/memory/bugs.md b/projects/snapapi/memory/bugs.md
index b81e2ec..ca70a85 100644
--- a/projects/snapapi/memory/bugs.md
+++ b/projects/snapapi/memory/bugs.md
@@ -124,6 +124,24 @@
 - **Production:** Awaiting investor approval for v* tag
 
 ### BUG-011: No URL length limit (HIGH) — FIXED (staging)
+
+## Open
+
+### BUG-020: /status returns 200 instead of 301 redirect (LOW)
+- **Severity:** LOW
+- **Endpoint:** `GET /status`
+- **Expected:** 301 redirect to `/status.html` (consistent with /privacy, /terms, /impressum, /compare, /blog, /guides/quick-start which all 301)
+- **Actual:** Returns 200 serving the page directly
+- **Found:** Session 65b QA (2026-03-06)
+- **Impact:** Inconsistent clean URL behavior. All other clean URLs redirect to .html, /status does not. SEO implications (duplicate content at two URLs without redirect).
+
+### BUG-021: Long URL validation untestable via playground due to shared rate limit (LOW)
+- **Severity:** LOW (testing gap, not a code bug)
+- **Endpoint:** `POST /v1/playground`
+- **Expected:** URL >2048 chars returns 400
+- **Actual:** Cannot verify — SSRF protection tests consume the 5 req/hour playground rate limit, so subsequent long URL test gets 429 instead of 400
+- **Found:** Session 65b QA (2026-03-06)
+- **Impact:** URL length validation cannot be independently verified via playground when other playground tests run first. Consider: rate limit should not apply before URL validation, or URL validation tests need a separate endpoint.
 - **Found:** Session 17 QA
 - **Impact:** Extremely long URLs could waste server resources
 - **Fix:** Added 2048 character URL length limit in SSRF validation (returns 400)
diff --git a/projects/snapapi/memory/sessions.md b/projects/snapapi/memory/sessions.md
index 134f305..e1c6952 100644
--- a/projects/snapapi/memory/sessions.md
+++ b/projects/snapapi/memory/sessions.md
@@ -1,5 +1,46 @@
 # SnapAPI Session Log
 
+## Session 65 — 2026-03-06 15:00 CET (PDF Feature + QA)
+
+**Goal:** Add high-value PDF output feature + comprehensive staging QA pass.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas, v0.5.2 (VULNERABLE — BUG-016 still exploitable)
+- Staging: ✅ healthy, 1 replica, upgraded to staging-pdf (af76370)
+
+**Work Done:**
+
+### 1. Comprehensive Staging QA (sub-agent: snapapi-qa-65b)
+- 55 checks across 6 categories
+- **Result: ✅ PASS** — staging quality is good
+- 2 low-severity bugs found:
+ - BUG-020 (LOW): /status returns 200 instead of 301 redirect (inconsistent with other clean URLs)
+ - BUG-021 (LOW): Long URL validation untestable via playground due to rate limit ordering
+- All API endpoints, SSRF protection, 22 HTML pages, link audit, rate limiting: PASS
+
+### 2. PDF Output Feature (sub-agent: snapapi-dev-pdf-2)
+- `format: "pdf"` option on POST/GET /v1/screenshot and playground
+- PDF options: pdfFormat (a4/letter/legal/a3), pdfLandscape, pdfPrintBackground, pdfScale (0.1-2.0), pdfMargin
+- Mutual exclusivity with selector/clip validated (400)
+- Playground: PDF works, watermark skipped
+- Content-Disposition: attachment; filename="screenshot.pdf"
+- 16 new tests (TDD: RED → GREEN)
+- Pushed: commit af76370
+- Deployed to staging, verified: 200 application/pdf
+
+**Test Suite:** 490 tests passing (up from 474)
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging, NO on production**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — BUG-016 still active
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging** — PDF output, 4 blog posts, 16+ pages
+
+**Production Status:** ⛔ VULNERABLE — 37+ commits behind staging. Strongly recommend production deploy approval.
+
+---
+
 ## Session 64 — 2026-03-06 12:00 CET (Quality & SEO)
 
 **Goal:** OpenAPI spec cleanup + new blog post for SEO while blocked on production deploy.
diff --git a/projects/snapapi/memory/state.json b/projects/snapapi/memory/state.json
index 0b04c56..6d1d8aa 100644
--- a/projects/snapapi/memory/state.json
+++ b/projects/snapapi/memory/state.json
@@ -1,11 +1,11 @@
 {
 "phase": "production-live",
- "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.9.0-staging (474 tests)",
+ "version": "0.5.2-prod (VULNERABLE: free signup still live) / 0.10.0-staging (490 tests)",
 "staging": {
 "status": "running",
 "namespace": "snapapi-staging",
 "replicas": 1,
- "image": "git.cloonar.com/openclawd/snapapi:staging-e7ef9d7",
+ "image": "git.cloonar.com/openclawd/snapapi:staging-pdf",
 "healthCheck": "passing"
 },
 "production": {
@@ -106,7 +106,10 @@
 "Test suite: 459 tests passing (staging)",
 "OpenAPI spec cleanup: dynamic version from package.json, removed dead Signup tag, added cache to POST body (staging)",
 "Blog post: How to Capture Dark Mode Screenshots Automatically — darkMode parameter, CSS injection, dual OG images (staging)",
- "Test suite: 474 tests passing (staging)"
+ "Test suite: 474 tests passing (staging)",
+ "PDF output: format=pdf with paper size (a4/letter/legal/a3), landscape, printBackground, scale, margin options (staging)",
+ "PDF in playground (no watermark), Content-Disposition header, mutual exclusivity with selector/clip (staging)",
+ "Test suite: 490 tests passing (staging)"
 ],
 "notDone": [
 "Register Stripe webhook URL in Stripe Dashboard",
@@ -129,6 +132,6 @@
 "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
 }
 },
- "lastSession": "2026-03-06T11:00:00Z",
+ "lastSession": "2026-03-06T14:00:00Z",
 "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
 }
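Review bot: The new `image` value `git.cloonar.com/openclawd/snapapi:staging-pdf` in the first hunk drops the commit-pinned naming the previous value `staging-e7ef9d7` followed, so this state file no longer records which build is actually running on staging; the session log in the same patch names commit af76370 for that deploy, which suggests `"image": "git.cloonar.com/openclawd/snapapi:staging-af76370"` would keep the record reproducible (a digest-pinned reference would be stronger still, if the registry exposes one). A feature-named tag is presumably re-pointed on every push, so the recorded value can silently stop matching what is deployed, which matters for a file that is meant to be the ground truth about a staging/production split. Separately, the `version` line packs the production version, a vulnerability flag, the staging version and the test count into one free-text string; splitting those into dedicated fields (constructed example: `productionVersion`, `stagingVersion`, `testCount`) would make the state machine-readable instead of parsed by eye.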