DocFast session 25: BUG-021 fixed, postfix+DKIM installed, email verification real

This commit is contained in:
Hoid 2026-02-14 19:12:18 +00:00
parent 8be3dc60bf
commit b60f06ac22
3 changed files with 43 additions and 12 deletions

View file

@ -143,12 +143,12 @@ The critical mobile responsiveness issue needs immediate fixing. The rate limiti
### New Bugs ### New Bugs
#### 🔴 BUG-021: Verification code returned in API response (CRITICAL SECURITY) #### ✅ BUG-021: FIXED (Session 25) — Verification code no longer in API response
- **Endpoint:** POST /v1/signup/free - Postfix + OpenDKIM installed on server
- **Response:** `{"status":"verification_required","code":"843266"}` - Nodemailer sends code via email (noreply@docfast.dev)
- **Problem:** The verification code is returned directly in the API response. This completely defeats the purpose of email verification — any client can read the code without checking email. - API response: `{"status":"verification_required","message":"Check your email for the verification code."}`
- **Expected:** Code should ONLY be sent via email, never in the API response. - Commit: 210fb26
- **Impact:** Email verification is effectively a no-op. Anyone can programmatically sign up without a real email. - DNS records needed at INWX for deliverability (SPF/DKIM/DMARC)
#### 🟡 BUG-022: Already-verified email returns 429 instead of 409 #### 🟡 BUG-022: Already-verified email returns 429 instead of 409
- **Endpoint:** POST /v1/signup/free with previously verified email - **Endpoint:** POST /v1/signup/free with previously verified email
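Review bot: the BUG-021 entry is flipped to "✅ FIXED" while the same entry still says "DNS records needed at INWX for deliverability (SPF/DKIM/DMARC)", so the email path is not yet proven end to end; keep the fixed mark for the API-leak part but record that verification mail may be rejected or spam-foldered until those records are published. Also add a regression test for the stated contract, e.g. assert that the body of `POST /v1/signup/free` has no `code` key and that the code never appears in application logs, because the original defect (`{"status":"verification_required","code":"843266"}`) would be trivially reintroduced by any later change to the response shape.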

View file

@ -312,6 +312,31 @@
- **Blocker:** Need SMTP solution — either investor creates Resend account (free) or we install postfix on server - **Blocker:** Need SMTP solution — either investor creates Resend account (free) or we install postfix on server
- **Next:** Get SMTP working → remove code from API response → key recovery → load testing - **Next:** Get SMTP working → remove code from API response → key recovery → load testing
## Session 25 — 2026-02-14 19:02 UTC (Evening Session)
- **BUG-021 FIXED** — showstopper resolved. Verification code no longer in API response.
- Spawned Backend Dev for postfix install + BUG-021 fix
- **Postfix installed and configured:** send-only, listening on 127.0.0.1 + 172.17.0.1
- **OpenDKIM configured:** signing with `mail._domainkey.docfast.dev`, 2048-bit RSA
- **Nodemailer integrated:** sends via host postfix from Docker container (host.docker.internal:25)
- **UFW rule added:** Docker→host port 25 for SMTP relay
- **Fire-and-forget email:** signup response returns instantly, email sends in background
- **Verified live:** POST /v1/signup/free returns `{"status":"verification_required","message":"..."}` — NO code field
- **Email delivery works:** postfix accepts and sends, DKIM signs
- Commit: 210fb26 pushed to Forgejo
- **DNS records needed at INWX** (blocker for email deliverability):
- SPF: TXT `docfast.dev``v=spf1 a mx ip4:167.235.156.214 ~all`
- DKIM: TXT `mail._domainkey.docfast.dev` → (2048-bit key)
- DMARC: TXT `_dmarc.docfast.dev``v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1`
- **Investor Test:**
1. Trust with money? **Improving** — real email verification now
2. Data loss? No ✅
3. Free tier abuse? **Mitigated** — need real email to get code
4. Key recovery? **NO** — still missing
5. False features? Clean ✅
- **Budget:** €181.71 remaining, Revenue: €0
- **Status:** NOT launch-ready. Remaining: key recovery, load testing, rate limits, pro E2E, DNS records.
- **Blocker:** DNS records at INWX for email deliverability
## Session 20 — 2026-02-14 17:37 UTC (Evening Session) ## Session 20 — 2026-02-14 17:37 UTC (Evening Session)
- **CEO assessment:** State said "launch-ready" but 6 open HIGH bugs. Not honest. Fixed status to "fixing-high-bugs". - **CEO assessment:** State said "launch-ready" but 6 open HIGH bugs. Not honest. Fixed status to "fixing-high-bugs".
- **Reversed session 19 decision:** Re-added email requirement for free signup (investor was right about BUG-020 — no-email = zero accountability) - **Reversed session 19 decision:** Re-added email requirement for free signup (investor was right about BUG-020 — no-email = zero accountability)
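Review bot: the relay described in "Postfix installed and configured: send-only, listening on 127.0.0.1 + 172.17.0.1" together with "UFW rule added: Docker→host port 25" lets every container on the default docker bridge submit unauthenticated mail as noreply@docfast.dev; record which postfix `mynetworks` value was set and tighten it (and the UFW rule) to the API container's address or a dedicated network rather than the whole 172.17.0.0/16, otherwise a compromised sidecar becomes a DKIM-signed spam source. Second, "Fire-and-forget email: signup response returns instantly, email sends in background" needs a stated failure path: if postfix rejects or the send throws, the user sees verification_required but never receives a code, so log send failures with the recipient and surface a retry (or queue) instead of silently dropping them. Finally, now that the emailed code is the only gate, the verify endpoint needs attempt limiting and code expiry before "rate limits" is ticked off in the Remaining list; a six-digit code like the one in the original report is brute-forceable without it.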

View file

@ -3,10 +3,11 @@
"phaseLabel": "Build Production-Grade Product", "phaseLabel": "Build Production-Grade Product",
"status": "not-launch-ready", "status": "not-launch-ready",
"product": "DocFast — HTML/Markdown to PDF API", "product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "1) SMTP for real email verification — Resend free tier (100/day, $0) chosen, needs investor to create account OR install postfix ourselves. 2) Fix BUG-022/024 (spawned backend dev, in progress). 3) Key recovery mechanism. 4) Load testing. 5) Data-backed rate limits. 6) Pro payment E2E verification.", "currentPriority": "1) DNS records for email deliverability (SPF/DKIM/DMARC at INWX). 2) Key recovery mechanism (email-based). 3) Load testing. 4) Data-backed rate limits. 5) Pro payment E2E verification.",
"architectureDecision": "CEO must decide: move from 'API key only' to proper user accounts with login/dashboard. This enables: key recovery (user logs in, sees key), Pro upgrade (logged-in user upgrades), usage tracking per account, proper email verification. Research how competitors (DocRaptor, PDFShift, etc.) handle accounts.",
"launchChecklist": { "launchChecklist": {
"emailVerificationReal": false, "emailVerificationReal": true,
"smtpWorking": true,
"dnsRecordsNeeded": true,
"userAccountSystem": false, "userAccountSystem": false,
"proPaymentFlow": false, "proPaymentFlow": false,
"keyRecovery": false, "keyRecovery": false,
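Review bot: the `architectureDecision` entry ("CEO must decide: move from 'API key only' to proper user accounts with login/dashboard...") is deleted without any record of the decision, while `userAccountSystem` stays false and the new `currentPriority` says "Key recovery mechanism (email-based)", which implicitly answers it; record the decision and its rationale in state rather than dropping the question. Also `"emailVerificationReal": true` next to `"dnsRecordsNeeded": true` is misleading for anyone reading the checklist alone: the code is no longer leaked, but until SPF/DKIM/DMARC are published the mail may not arrive, so either keep `emailVerificationReal` false until deliverability is confirmed or split it into separate code-not-leaked and deliverability-confirmed flags.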
@ -24,7 +25,12 @@
"server": "docfast-1 (CAX11, nbg1)", "server": "docfast-1 (CAX11, nbg1)",
"serverIP": "167.235.156.214", "serverIP": "167.235.156.214",
"sshKey": "/home/openclaw/.ssh/docfast", "sshKey": "/home/openclaw/.ssh/docfast",
"smtp": "Use POSTFIX. Install it on the server, configure for docfast.dev, set up SPF/DKIM. Tell investor which DNS records to add at INWX. No discussion, just do it." "smtp": "Postfix installed + OpenDKIM configured. Emails send from container via host relay. DNS records pending at INWX.",
"dnsRecordsNeeded": {
"SPF": "TXT docfast.dev → v=spf1 a mx ip4:167.235.156.214 ~all",
"DKIM": "TXT mail._domainkey.docfast.dev → v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtGnra0+e/Swmc/W7C8v79L+TmJRpQu+xipUEsyhiBYS1u6IQwu6uEpAei+MEnQ6beuKtofrfWZdgL01cHR3BK9SMB/W2uFYpORzyjZv1bwm/hL5DzAiSkpUuim+X0MYnCpaWou0HDq2OGtSB7km4odyh32w5QBoQn1rkYVlYqtvkIYvhb5R/jzl3+qqM7p+Pr4U4I7mQXGMZRdJEor05e1I7e/B70/OIQ0xKCkjz7VUqqpZVG1QSLtVtMT/GmTIuetm9fDU8ebYtKUi3ymDP+PvvIljlmU4dC91QZFjYxRd1nJSyO2VheR0L33RjB16ticpGFZjjKkHOmRwMD4iWYwIDAQAB",
"DMARC": "TXT _dmarc.docfast.dev → v=DMARC1; p=none; rua=mailto:dmarc@docfast.dev; fo=1"
}
}, },
"credentials": { "credentials": {
"file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env", "file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env",
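Review bot: the DMARC record `rua=mailto:dmarc@docfast.dev` points at the same domain whose postfix the session log describes as "send-only", and no MX record is mentioned anywhere, so aggregate reports will bounce unless a mailbox and MX exist; either set up inbound handling for dmarc@ or point `rua` at an address that can actually receive. The SPF value `v=spf1 a mx ip4:167.235.156.214 ~all` likewise references `mx`, which matches nothing without an MX record and only adds a DNS lookup; `v=spf1 a ip4:167.235.156.214 ~all` is cleaner. After the records are published, confirm them with `opendkim-testkey -d docfast.dev -s mail -vvv` and `dig +short TXT mail._domainkey.docfast.dev` before clearing the blocker. Committing the DKIM public key is fine; the `sshKey` path and the `credentials.file` path were already tracked here, but keep only paths in this file, never key material.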
@ -36,7 +42,7 @@
"ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.", "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
"specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"] "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"]
}, },
"blockers": [], "blockers": ["DNS records at INWX for email deliverability"],
"startDate": "2026-02-14", "startDate": "2026-02-14",
"sessionCount": 24 "sessionCount": 25
} }