diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index 5faba57..567d069 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -143,12 +143,12 @@ The critical mobile responsiveness issue needs immediate fixing. The rate limiti ### New Bugs -#### πŸ”΄ BUG-021: Verification code returned in API response (CRITICAL SECURITY) -- **Endpoint:** POST /v1/signup/free -- **Response:** `{"status":"verification_required","code":"843266"}` -- **Problem:** The verification code is returned directly in the API response. This completely defeats the purpose of email verification β€” any client can read the code without checking email. -- **Expected:** Code should ONLY be sent via email, never in the API response. -- **Impact:** Email verification is effectively a no-op. Anyone can programmatically sign up without a real email. +#### βœ… BUG-021: FIXED (Session 25) β€” Verification code no longer in API response +- Postfix + OpenDKIM installed on server +- Nodemailer sends code via email (noreply@docfast.dev) +- API response: `{"status":"verification_required","message":"Check your email for the verification code."}` +- Commit: 210fb26 +- DNS records needed at INWX for deliverability (SPF/DKIM/DMARC) #### 🟑 BUG-022: Already-verified email returns 429 instead of 409 - **Endpoint:** POST /v1/signup/free with previously verified email diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 4d3c03a..9b3c430 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md 
@@ -312,6 +312,31 @@ - **Blocker:** Need SMTP solution β€” either investor creates Resend account (free) or we install postfix on server - **Next:** Get SMTP working β†’ remove code from API response β†’ key recovery β†’ load testing +## Session 25 β€” 2026-02-14 19:02 UTC (Evening Session) +- **BUG-021 FIXED** β€” showstopper resolved. Verification code no longer in API response. +- Spawned Backend Dev for postfix install + BUG-021 fix +- **Postfix installed and configured:** send-only, listening on 127.0.0.1 + 172.17.0.1 +- **OpenDKIM configured:** signing with `mail._domainkey.docfast.dev`, 2048-bit RSA +- **Nodemailer integrated:** sends via host postfix from Docker container (host.docker.internal:25) +- **UFW rule added:** Dockerβ†’host port 25 for SMTP relay +- **Fire-and-forget email:** signup response returns instantly, email sends in background +- **Verified live:** POST /v1/signup/free returns `{"status":"verification_required","message":"..."}` β€” NO code field +- **Email delivery works:** postfix accepts and sends, DKIM signs +- Commit: 210fb26 pushed to Forgejo +- **DNS records needed at INWX** (blocker for email deliverability): + - SPF: TXT `docfast.dev` β†’ `v=spf1 a mx ip4:167.235.156.214 ~all` + - DKIM: TXT `mail._domainkey.docfast.dev` β†’ (2048-bit key) + - DMARC: TXT `_dmarc.docfast.dev` β†’ `v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1` +- **Investor Test:** + 1. Trust with money? **Improving** β€” real email verification now + 2. Data loss? No βœ… + 3. Free tier abuse? **Mitigated** β€” need real email to get code + 4. Key recovery? **NO** β€” still missing + 5. False features? Clean βœ… +- **Budget:** €181.71 remaining, Revenue: €0 +- **Status:** NOT launch-ready. Remaining: key recovery, load testing, rate limits, pro E2E, DNS records. +- **Blocker:** DNS records at INWX for email deliverability + ## Session 20 β€” 2026-02-14 17:37 UTC (Evening Session) - **CEO assessment:** State said "launch-ready" but 6 open HIGH bugs. 
Not honest. Fixed status to "fixing-high-bugs". - **Reversed session 19 decision:** Re-added email requirement for free signup (investor was right about BUG-020 β€” no-email = zero accountability)
diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json
index bfe62a3..178ded0 100644
--- a/projects/business/memory/state.json
+++ b/projects/business/memory/state.json
@@ -3,10 +3,11 @@
 "phaseLabel": "Build Production-Grade Product",
 "status": "not-launch-ready",
 "product": "DocFast β€” HTML/Markdown to PDF API",
- "currentPriority": "1) SMTP for real email verification β€” Resend free tier (100/day, $0) chosen, needs investor to create account OR install postfix ourselves. 2) Fix BUG-022/024 (spawned backend dev, in progress). 3) Key recovery mechanism. 4) Load testing. 5) Data-backed rate limits. 6) Pro payment E2E verification.",
- "architectureDecision": "CEO must decide: move from 'API key only' to proper user accounts with login/dashboard. This enables: key recovery (user logs in, sees key), Pro upgrade (logged-in user upgrades), usage tracking per account, proper email verification. Research how competitors (DocRaptor, PDFShift, etc.) handle accounts.",
+ "currentPriority": "1) DNS records for email deliverability (SPF/DKIM/DMARC at INWX). 2) Key recovery mechanism (email-based). 3) Load testing. 4) Data-backed rate limits. 5) Pro payment E2E verification.",
 "launchChecklist": {
- "emailVerificationReal": false,
+ "emailVerificationReal": true,
+ "smtpWorking": true,
+ "dnsRecordsNeeded": true,
 "userAccountSystem": false,
 "proPaymentFlow": false,
 "keyRecovery": false,
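Review bot: `"dnsRecordsNeeded": true` in the launchChecklist hunk inverts the polarity of its sibling flags — `"emailVerificationReal": true` and `"smtpWorking": true` mean done, while this `true` means still outstanding — and the same key name reappears in the @@ -24,7 +25,12 @@ hunk as an object of record values, so one name carries two types in one document. A consumer that reads the checklist cannot treat the flags uniformly, and a lookup by key name is ambiguous. Rename the flag to match its siblings, e.g. `"dnsRecordsConfigured": false,`, and keep the per-record map under a distinct name such as `"pendingDnsRecords"`. The same fact is stated a third time in the `blockers` array in the @@ -36,7 +42,7 @@ hunk, so three places must change together once the records are published.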
@@ -24,7 +25,12 @@
 "server": "docfast-1 (CAX11, nbg1)",
 "serverIP": "167.235.156.214",
 "sshKey": "/home/openclaw/.ssh/docfast",
- "smtp": "Use POSTFIX. Install it on the server, configure for docfast.dev, set up SPF/DKIM. Tell investor which DNS records to add at INWX. No discussion, just do it."
+ "smtp": "Postfix installed + OpenDKIM configured. Emails send from container via host relay. DNS records pending at INWX.",
+ "dnsRecordsNeeded": {
+ "SPF": "TXT docfast.dev β†’ v=spf1 a mx ip4:167.235.156.214 ~all",
+ "DKIM": "TXT mail._domainkey.docfast.dev β†’ v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtGnra0+e/Swmc/W7C8v79L+TmJRpQu+xipUEsyhiBYS1u6IQwu6uEpAei+MEnQ6beuKtofrfWZdgL01cHR3BK9SMB/W2uFYpORzyjZv1bwm/hL5DzAiSkpUuim+X0MYnCpaWou0HDq2OGtSB7km4odyh32w5QBoQn1rkYVlYqtvkIYvhb5R/jzl3+qqM7p+Pr4U4I7mQXGMZRdJEor05e1I7e/B70/OIQ0xKCkjz7VUqqpZVG1QSLtVtMT/GmTIuetm9fDU8ebYtKUi3ymDP+PvvIljlmU4dC91QZFjYxRd1nJSyO2VheR0L33RjB16ticpGFZjjKkHOmRwMD4iWYwIDAQAB",
+ "DMARC": "TXT _dmarc.docfast.dev β†’ v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1"
+ }
 },
 "credentials": {
 "file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env",
@@ -36,7 +42,7 @@
 "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
 "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"]
 },
- "blockers": [],
+ "blockers": ["DNS records at INWX for email deliverability"],
 "startDate": "2026-02-14",
- "sessionCount": 24
+ "sessionCount": 25
 }
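Review bot: The DMARC value in the new `dnsRecordsNeeded` object uses `p=none`, which only requests aggregate reports to the `rua` address and asks receivers to take no action on mail that fails SPF/DKIM alignment, so publishing it does not yet protect the docfast.dev sender identity; it is the usual starting policy while the reports confirm that the Postfix/OpenDKIM path aligns. Neither the record string nor the rewritten `smtp` summary says this, so a later reader may treat the DNS step as complete once the three records exist. Suggest recording the follow-up in the summary, e.g. `"smtp": "Postfix installed + OpenDKIM configured. Emails send from container via host relay. DNS records pending at INWX; DMARC starts at p=none, tighten once reports confirm alignment."`. Separately, the server address `167.235.156.214` is now hard-coded twice in this object — in `serverIP` and inside the SPF string — so a server move would silently leave the SPF value stale unless both are updated together.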