DocFast session 126: BUG-101 discovered & fixed, 468 tests

Hoid 2026-03-04 17:15:55 +01:00
parent a9a6dc1e13
commit b5acf9b792
3 changed files with 28 additions and 2 deletions


@ -1,3 +1,14 @@
## BUG-101: Body size limits on demo and convert routes are ineffective — global parser runs first
- **Date:** 2026-03-04
- **Severity:** MEDIUM
- **Issue:** In `src/index.ts`, the global `express.json({ limit: "2mb" })` middleware (line ~85) runs BEFORE route-specific parsers. Express only parses the body once — the first matching parser wins. So the route-specific limits never fire:
- Demo route: `express.json({ limit: "50kb" })` — INEFFECTIVE, actually allows 2MB
- Convert routes: `express.json({ limit: "500kb" })` — INEFFECTIVE, actually allows 2MB
- **Impact:** Demo users (unauthenticated) can send 2MB payloads instead of 50KB — free resource abuse vector. Authenticated users can send 2MB instead of 500KB.
- **Verified:** Sent 52KB payload to `/v1/demo/html` on production — got HTTP 200 instead of expected 413.
- **Fix:** Remove global JSON parser, apply route-specific parsers before each route group with correct limits.
- **Status:** ✅ FIXED — commit c03f217. Removed global `express.json()`, applied route-specific parsers per-route. 4 TDD tests added (body-limits.test.ts). 468 tests total, all passing. Pushed to main (staging auto-deploy).
## BUG-100: Usage flush transaction error handling broken — one bad key poisons entire batch ## BUG-100: Usage flush transaction error handling broken — one bad key poisons entire batch
- **Date:** 2026-03-04 - **Date:** 2026-03-04
- **Severity:** MEDIUM - **Severity:** MEDIUM
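Review bot: The Fix and Status lines of the BUG-101 entry say the global `express.json()` was removed and parsers were applied per route, but only the demo and convert groups are named. Any other route that reads a JSON body relied on the global parser and will now receive an unparsed body unless it was given its own. List every route group that got a parser together with its limit, and state whether the 4 tests in body-limits.test.ts cover a route outside demo and convert.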


@ -1,5 +1,20 @@
# Session Log # Session Log
## Session 126 — 2026-03-04 16:00 UTC (Wednesday Late Afternoon)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.9d uptime
- **Staging:** v0.5.2 ✅ updated to commit c03f217 (35 commits ahead of prod)
- **K8s cluster:** All 3 nodes Ready
- **Support:** Zero tickets
- **Completed:**
1. **BUG-101 discovery & fix (TDD)** — Found that the global `express.json({ limit: "2mb" })` parser in `src/index.ts` ran before route-specific parsers, making the demo (50KB) and convert (500KB) body limits completely ineffective. Confirmed by sending 52KB to demo endpoint on production and getting HTTP 200. Sub-agent removed global parser, applied route-specific `express.json()` per-route. 4 TDD tests added (body-limits.test.ts). Commit c03f217.
2. **Infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts, ~6.9d uptime), DB connected (PostgreSQL 17.4), browser pool 15/15. Production health endpoint confirmed v0.5.1.
3. **Security audit** — Checked response headers (all proper), robots.txt, sitemap, CORS, rate limit headers. All solid. Reviewed convert routes, auth middleware, demo endpoint behavior.
- **Total tests:** 468 (all passing), 29 test files
- **Open bugs:** ZERO 🎉
- **CI runner:** Still absent. Managed by Cloonar — needs investor action.
- **Investor test:** All 5 checks pass ✅
- **Recommendation:** Staging v0.5.2 is production-ready with ZERO open bugs, 468 tests, 35 commits ahead. Request investor approval for production tag.
## Session 125 — 2026-03-04 13:00 UTC (Wednesday Afternoon) ## Session 125 — 2026-03-04 13:00 UTC (Wednesday Afternoon)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.7d uptime - **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~6.7d uptime
- **Staging:** v0.5.2 ✅ updated to commit d2f819d (34 commits ahead of prod) - **Staging:** v0.5.2 ✅ updated to commit d2f819d (34 commits ahead of prod)
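Review bot: "Total tests: 468 (all passing)" and the production-ready recommendation sit in the same Session 126 entry as "CI runner: Still absent", so the log does not say where the 468 tests ran or against which commit. Record the environment and the commit (c03f217) for that run. For item 3, replace "All solid" with the specific headers and endpoints that were checked, so the audit can be repeated and compared next session.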


@ -3,7 +3,7 @@
"phaseLabel": "Build Production-Grade Product", "phaseLabel": "Build Production-Grade Product",
"status": "launch-ready", "status": "launch-ready",
"product": "DocFast — HTML/Markdown to PDF API", "product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "Production on v0.5.1. Staging updated to v0.5.2 (34 commits ahead, commit d2f819d). CI runner still DOWN. npm audit 0 vulns. 464 tests passing (28 files). ZERO open bugs. Fixed BUG-100 (usage flush transaction batch poisoning). Ready for production tag when investor approves.", "currentPriority": "Production on v0.5.1. Staging v0.5.2 (35 commits ahead, commit c03f217). CI runner still DOWN. npm audit 0 vulns. 468 tests passing (29 files). ZERO open bugs. Fixed BUG-101 (body size limits bypassed). Ready for production tag when investor approves.",
"ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip. Remove items marked ✅ DONE/FIXED during housekeeping.",
"ownerDirectives": [ "ownerDirectives": [
"Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account." "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account."
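Review bot: In the new `currentPriority` string, "ZERO open bugs" and "Fixed BUG-101" appear next to "Production on v0.5.1", yet BUG-101 was verified against production and the fix (c03f217) is only on staging. State explicitly that production still accepts up to 2MB on the unauthenticated demo route until v0.5.2 is tagged, so the state file does not read as if the exposure is already closed.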
@ -83,7 +83,7 @@
"LOW": [], "LOW": [],
"note": "All bugs resolved. BUG-099 (provisionedSessions memory leak) fixed in commit 5f776db. BUG-098 (request interceptor leak) fixed in 024fa00. BUG-095/097 fixed 6290c3e. BUG-096 false positive." "note": "All bugs resolved. BUG-099 (provisionedSessions memory leak) fixed in commit 5f776db. BUG-098 (request interceptor leak) fixed in 024fa00. BUG-095/097 fixed 6290c3e. BUG-096 false positive."
}, },
"sessionCount": 125 "sessionCount": 126
}, },
"blockers": [], "blockers": [],
"startDate": "2026-02-14" "startDate": "2026-02-14"
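Review bot: `sessionCount` is bumped to 126, but the `note` string directly above it is unchanged and still ends at BUG-099; it mentions neither BUG-100 nor BUG-101 (c03f217). Either add both fixes to the note or drop the per-bug list and point to the bug log, so the two files cannot drift apart.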