DocFast Session 41: Fixed BUG-046/047/048, off-site backups, Pro plan pricing research
This commit is contained in:
Hoid
parent
f811b49c0d
commit
b8c8a44d96
3 changed files with 69 additions and 9 deletions
|
|
@ -285,6 +285,28 @@ Container restart appears to have been clean. All services came back online prop
|
|||
|
||||
# CEO Code Audit — 2026-02-16
|
||||
|
||||
## BUG-046: Usage Endpoint Leaks Other Users' Data
|
||||
- **Severity:** CRITICAL
|
||||
- **Endpoint:** `GET /v1/usage`
|
||||
- **Issue:** `getUsageStats()` returned ALL users' usage data to any authenticated user. GDPR violation.
|
||||
- **Fix:** Scoped `getUsageStats(apiKey)` to only return the authenticated user's data. Route passes `req.apiKeyInfo.key`.
|
||||
- **Status:** ✅ FIXED (Session 41)
|
||||
|
||||
## BUG-047: No Copy Button on Pro Key Success Page
|
||||
- **Severity:** HIGH
|
||||
- **Page:** `/v1/billing/success`
|
||||
- **Issue:** Pro key displayed but no visible copy button
|
||||
- **Fix:** Added visible "Copy" button that changes to "Copied!" on click
|
||||
- **Status:** ✅ FIXED (Session 41)
|
||||
|
||||
## BUG-048: Change Email Modal Never Opens
|
||||
- **Severity:** HIGH
|
||||
- **Issue:** Footer "Change Email" links used `href="/#change-email"` but lacked `class="open-email-change"` that JS targets
|
||||
- **Fix:** Added `class="open-email-change"` to all Change Email links across all 4 HTML pages
|
||||
- **Status:** ✅ FIXED (Session 41)
|
||||
|
||||
---
|
||||
|
||||
## BUG-040: SSRF Vulnerability in URL→PDF Endpoint
|
||||
- **Severity:** HIGH
|
||||
- **Endpoint:** `POST /v1/convert/url`
|
||||
|
|
|
|||
|
|
@ -786,3 +786,42 @@
|
|||
1. E2E Pro payment test (real €9 Stripe payment)
|
||||
2. 3 Forgejo repo secrets for CI/CD
|
||||
3. Off-site backup (Hetzner Storage Box, ~€3/mo — cannot provision via Cloud API, needs Robot API or manual)
|
||||
|
||||
## Session 41 — 2026-02-16 18:00 UTC (Monday Evening — Cron)
|
||||
- **Server health:** UP, PostgreSQL 16.11, pool 15/15, container healthy ✅
|
||||
- **Sub-agents deployed:**
|
||||
1. **Backend Dev (bugfix-046-047-048):** Fixed all 3 open bugs:
|
||||
- ✅ BUG-046 CRITICAL: Usage endpoint now scoped to authenticated user's key only
|
||||
- ✅ BUG-047 HIGH: Added visible copy button on Pro key success page
|
||||
- ✅ BUG-048 HIGH: Fixed Change Email modal by adding missing CSS class to links
|
||||
- All deployed, verified on live site, committed to Forgejo
|
||||
2. **DevOps (offsite-backup):** Off-site BorgBackup configured:
|
||||
- ✅ Borg repo initialized on Hetzner Storage Box (repokey-blake2)
|
||||
- ✅ Cron at 03:30 UTC (30 min after local)
|
||||
- ✅ Same 7d/4w/3m retention
|
||||
- ✅ Test backup successful (348 KB)
|
||||
- ⚠️ Found pg_dump auth failure — CEO fixed (wrong password in .pgpass)
|
||||
- **CEO actions:**
|
||||
1. Fixed pg_dump password in /root/.pgpass (was "docfast-backup-2026", should be "docfast")
|
||||
2. Researched competitor pricing for Pro plan limits decision
|
||||
3. **CEO Decision: Pro plan = 5,000 PDFs/month at €9/mo** (5x html2pdf.app's $9 tier, well within server capacity)
|
||||
- **Competitor Research:**
|
||||
| Competitor | $9/mo tier | PDFs/mo |
|
||||
| html2pdf.app | Startup $9 | 1,000 |
|
||||
| HTML2PDF API | Pro $17 | 5,000 |
|
||||
| PDFShift | Free | 50 |
|
||||
→ DocFast at €9/mo with 5,000 = clear value leader
|
||||
- **Investor Test:**
|
||||
1. Trust with money? **Almost** — all bugs fixed, needs E2E payment test
|
||||
2. Data loss? **YES, protected** ✅ — Local + off-site BorgBackup, pg_dump fixed
|
||||
3. Free tier abuse? **Mitigated** ✅
|
||||
4. Key recovery? **Yes** ✅
|
||||
5. False features? **Clean** ✅
|
||||
- **Budget:** €181.71 remaining, Revenue: €0
|
||||
- **Status:** ZERO open bugs. Off-site backups operational. Blocked on investor actions only.
|
||||
- **Open items (not blockers):**
|
||||
- Pro plan limit enforcement (5,000/mo) — needs code + landing page update
|
||||
- Website templating refactor (owner directive)
|
||||
- **Blockers:**
|
||||
1. E2E Pro payment test (real €9 Stripe payment)
|
||||
2. 3 Forgejo repo secrets for CI/CD
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
"phaseLabel": "Build Production-Grade Product",
|
||||
"status": "near-launch-ready",
|
||||
"product": "DocFast — HTML/Markdown to PDF API",
|
||||
"currentPriority": "1) E2E Pro payment test (real Stripe payment). 2) CI/CD secrets setup. 3) Off-site backup (Storage Box). 4) Marketing launch.",
|
||||
"currentPriority": "1) E2E Pro payment test (real Stripe payment). 2) CI/CD secrets setup. 3) Pro plan limits (5,000 PDFs/mo). 4) Website templating refactor. 5) Marketing launch.",
|
||||
"ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip.",
|
||||
"ownerDirectives": [
|
||||
"Stripe: owner has existing Stripe account from another project — use same account, just create separate Product + webhook endpoint for DocFast.",
|
||||
|
|
@ -27,7 +27,7 @@
|
|||
"postgresqlMigration": true,
|
||||
"keyRecovery": true,
|
||||
"databaseBackups": true,
|
||||
"databaseBackupsNote": "BorgBackup: daily at 03:00 UTC, 7 daily + 4 weekly + 3 monthly retention. PostgreSQL dumps + Docker volumes + nginx + SSL + DKIM. LOCAL ONLY — needs off-site Storage Box.",
|
||||
"databaseBackupsNote": "BorgBackup: LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC to Hetzner Storage Box. 7 daily + 4 weekly + 3 monthly retention. PostgreSQL dumps + Docker volumes + nginx + SSL + DKIM.",
|
||||
"loadTested": true,
|
||||
"rateLimitsDataBacked": true,
|
||||
"landingPageHonest": true,
|
||||
|
|
@ -57,7 +57,7 @@
|
|||
"sshKey": "/home/openclaw/.ssh/docfast",
|
||||
"smtp": "Postfix + OpenDKIM configured. DKIM-signed emails working. SPF/DKIM/DMARC DNS records live.",
|
||||
"email": "noreply@docfast.dev",
|
||||
"backups": "BorgBackup daily at 03:00 UTC (local). PostgreSQL + Docker volumes + configs. Off-site: ssh -p23 u149513-sub11@u149513-sub11.your-backup.de (SSH key installed at /root/.ssh/id_ed25519). IMPORTANT: Create per-machine subdirectories (e.g. ./docfast-1/) — this Storage Box will be shared across multiple servers.",
|
||||
"backups": "BorgBackup LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC. Remote: ssh://u149513-sub11@u149513-sub11.your-backup.de:23/./docfast-1 (repokey-blake2 encryption). PostgreSQL dumps + Docker volumes + configs.",
|
||||
"cicd": "Forgejo Actions workflow (pending secrets setup)",
|
||||
"infraDocs": "infrastructure/ directory with full provisioning scripts"
|
||||
},
|
||||
|
|
@ -72,17 +72,16 @@
|
|||
"specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"]
|
||||
},
|
||||
"openBugs": {
|
||||
"CRITICAL": ["BUG-046: Usage endpoint leaks other users' data"],
|
||||
"HIGH": ["BUG-047: No copy button on Pro key page", "BUG-048: Change email broken"],
|
||||
"CRITICAL": [],
|
||||
"HIGH": [],
|
||||
"MEDIUM": [],
|
||||
"LOW": [],
|
||||
"note": "All bugs (040-045) resolved as of Session 40"
|
||||
"note": "All bugs (040-048) resolved as of Session 41. BUG-046 (usage data leak), BUG-047 (copy button), BUG-048 (change email) fixed."
|
||||
},
|
||||
"blockers": [
|
||||
"E2E Pro payment test (needs investor to make real test payment)",
|
||||
"CI/CD secrets (3 secrets in Forgejo repo settings)",
|
||||
"Off-site backup (Hetzner Storage Box, ~€3/mo)"
|
||||
"CI/CD secrets (3 secrets in Forgejo repo settings)"
|
||||
],
|
||||
"startDate": "2026-02-14",
|
||||
"sessionCount": 40
|
||||
"sessionCount": 41
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue