From b5acf9b7929e36ce59c5bf06a30879a2efc76cf3 Mon Sep 17 00:00:00 2001 From: Hoid Date: Wed, 4 Mar 2026 17:15:55 +0100 Subject: [PATCH] DocFast session 126: BUG-101 discovered & fixed, 468 tests --- projects/business/memory/bugs.md | 11 +++++++++++ projects/business/memory/sessions.md | 15 +++++++++++++++ projects/business/memory/state.json | 4 ++-- 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index 0cf4ffc..b13d071 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -1,3 +1,14 @@ +## BUG-101: Body size limits on demo and convert routes are ineffective — global parser runs first +- **Date:** 2026-03-04 +- **Severity:** MEDIUM +- **Issue:** In `src/index.ts`, the global `express.json({ limit: "2mb" })` middleware (line ~85) runs BEFORE route-specific parsers. Express only parses the body once — the first matching parser wins. So the route-specific limits never fire: + - Demo route: `express.json({ limit: "50kb" })` — INEFFECTIVE, actually allows 2MB + - Convert routes: `express.json({ limit: "500kb" })` — INEFFECTIVE, actually allows 2MB +- **Impact:** Demo users (unauthenticated) can send 2MB payloads instead of 50KB — free resource abuse vector. Authenticated users can send 2MB instead of 500KB. +- **Verified:** Sent 52KB payload to `/v1/demo/html` on production — got HTTP 200 instead of expected 413. +- **Fix:** Remove global JSON parser, apply route-specific parsers before each route group with correct limits. +- **Status:** ✅ FIXED — commit c03f217. Removed global `express.json()`, applied route-specific parsers per-route. 4 TDD tests added (body-limits.test.ts). 468 tests total, all passing. Pushed to main (staging auto-deploy). + ## BUG-100: Usage flush transaction error handling broken — one bad key poisons entire batch - **Date:** 2026-03-04 - **Severity:** MEDIUM 
diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 96e7db9..b1bb5d9 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md @@ -1,5 +1,20 @@ # Session Log +## Session 126 — 2026-03-04 16:00 UTC (Wednesday Late Afternoon) +- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.9d uptime +- **Staging:** v0.5.2 ✅ updated to commit c03f217 (35 commits ahead of prod) +- **K8s cluster:** All 3 nodes Ready +- **Support:** Zero tickets +- **Completed:** + 1. **BUG-101 discovery & fix (TDD)** — Found that the global `express.json({ limit: "2mb" })` parser in `src/index.ts` ran before route-specific parsers, making the demo (50KB) and convert (500KB) body limits completely ineffective. Confirmed by sending 52KB to demo endpoint on production and getting HTTP 200. Sub-agent removed global parser, applied route-specific `express.json()` per-route. 4 TDD tests added (body-limits.test.ts). Commit c03f217. + 2. **Infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts, ~6.9d uptime), DB connected (PostgreSQL 17.4), browser pool 15/15. Production health endpoint confirmed v0.5.1. + 3. **Security audit** — Checked response headers (all proper), robots.txt, sitemap, CORS, rate limit headers. All solid. Reviewed convert routes, auth middleware, demo endpoint behavior. +- **Total tests:** 468 (all passing), 29 test files +- **Open bugs:** ZERO 🎉 +- **CI runner:** Still absent. Managed by Cloonar — needs investor action. +- **Investor test:** All 5 checks pass ✅ +- **Recommendation:** Staging v0.5.2 is production-ready with ZERO open bugs, 468 tests, 35 commits ahead. Request investor approval for production tag. + ## Session 125 — 2026-03-04 13:00 UTC (Wednesday Afternoon) - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.7d uptime - **Staging:** v0.5.2 ✅ updated to commit d2f819d (34 commits ahead of prod) 
diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json index f9daa30..9492647 100644 --- a/projects/business/memory/state.json +++ b/projects/business/memory/state.json @@ -3,7 +3,7 @@ "phaseLabel": "Build Production-Grade Product", "status": "launch-ready", "product": "DocFast — HTML/Markdown to PDF API", - "currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (34 commits ahead, commit d2f819d). CI runner still DOWN. npm audit 0 vulns. 464 tests passing (28 files). ZERO open bugs. Fixed BUG-100 (usage flush transaction batch poisoning). Ready for production tag when investor approves.", + "currentPriority": "Production on v0.5.1. Staging v0.5.2 (35 commits ahead, commit c03f217). CI runner still DOWN. npm audit 0 vulns. 468 tests passing (29 files). ZERO open bugs. Fixed BUG-101 (body size limits bypassed). Ready for production tag when investor approves.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.", "ownerDirectives": [ "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account." @@ -83,7 +83,7 @@ "LOW": [], "note": "All bugs resolved. BUG-099 (provisionedSessions memory leak) fixed in commit 5f776db. BUG-098 (request interceptor leak) fixed in 024fa00. BUG-095/097 fixed 6290c3e. BUG-096 false positive." }, - "sessionCount": 125 + "sessionCount": 126 }, "blockers": [], "startDate": "2026-02-14"
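Review bot: In the bugs.md hunk, the Fix/Status lines ("Removed global `express.json()`, applied route-specific parsers per-route") cover the demo and convert routes only, but removing the global parser changes behaviour for every other route that reads a JSON body: those routes no longer get a 413 on oversized input, they get `req.body` undefined, which is a silent functional regression rather than a security one. The entry should record that all `req.body` consumers in `src/index.ts` were enumerated and each given its own `express.json()` (with the intended limit), and that body-limits.test.ts also covers the negative case (a route without a parser rejecting or ignoring JSON as intended). Two smaller points: the Verified line records only the pre-fix probe (52KB to `/v1/demo/html` on production returned 200) and not the post-fix check that the same request now returns 413 on staging c03f217, so add that result; and "Express only parses the body once — the first matching parser wins" could be made precise, since the mechanism is that body-parser sets `req._body` after parsing and every later `express.json()` instance sees it and calls `next()` without re-parsing, which is why the 50kb/500kb parsers never got a chance to enforce their limits.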
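Review bot: In the sessions.md hunk, "Open bugs: ZERO", "Security audit ... All solid" and "Staging v0.5.2 is production-ready" sit next to "Production: v0.5.1", yet the same entry says BUG-101 was confirmed against production (52KB to the demo endpoint returned HTTP 200) and the fix landed only on staging as commit c03f217. The log should state plainly that production still has the body-limit bypass until v0.5.2 is tagged, and the Recommendation line should cite BUG-101 as the reason to expedite the tag rather than listing it only as a completed item. Also, "Checked response headers (all proper)" and "CORS, rate limit headers. All solid." record no specifics; naming the headers and values checked (or the tool output) would make the audit line verifiable in a later session.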
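Review bot: In the state.json hunk, `currentPriority` is updated to "Fixed BUG-101 (body size limits bypassed)" and `sessionCount` to 126, but the adjacent bugs `note` field still reads "All bugs resolved. BUG-099 ... fixed in commit 5f776db. BUG-098 ... 024fa00. BUG-095/097 fixed 6290c3e. BUG-096 false positive." with no entry for BUG-100 or BUG-101, and replacing "Fixed BUG-100" with "Fixed BUG-101" in `currentPriority` drops the only reference to BUG-100 in this file. Append BUG-100 and BUG-101 (commit c03f217) to the `note` field in the same hunk so the per-bug commit record stays complete, and consider phrasing `currentPriority` so that "ZERO open bugs" is qualified by the fact that the BUG-101 fix is on staging only.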