Directive: proper status page instead of raw /health JSON

Hoid 2026-02-16 19:38:01 +00:00
parent 84aacf0f4f
commit c4c16326be
3 changed files with 48 additions and 8 deletions


@ -953,3 +953,28 @@
- Remaining audit findings (MEDIUM/LOW) to address over next sessions
- Test coverage is thin — needs expansion
- **Blockers:** None
## Session 45 — 2026-02-16 19:25 UTC (Monday Evening — Subagent)
- **Server health:** UP, PostgreSQL 16.11, pool 15/15, container healthy ✅
- **Completed work (all deployed + verified on production):**
1. ✅ **Support email added to website** — support@docfast.dev now referenced in:
- Footer (all pages) — new "Support" link
- Impressum page — alongside legal contact
- Terms page — in Pro plan support description
- Landing page — in Pro pricing card
- OpenAPI spec — in contact object
2. ✅ **Audit Critical #3 FIXED** — URL convert `waitUntil` changed from `networkidle0` to `domcontentloaded` (was contradicting JS-disabled security policy)
3. ✅ **Audit HIGH #6 FIXED** — Template render now validates required fields, returns 400 with list of missing fields
4. ✅ **Audit HIGH #7 FIXED** — Content-Type: application/json check added to markdown and URL convert routes (415 response)
5. ✅ **Audit HIGH #11 FIXED**`/v1/usage` and `/v1/concurrency` now require `ADMIN_API_KEY` env var, return 403 for non-admin keys
6. ✅ **Git:** Commit 59cc8f3 pushed to Forgejo
- **BUG-049 analysis:** Stripe auto-creates invoices for subscriptions. The fix is a Dashboard toggle: Settings → Emails → enable "Email invoices to customers for successful payments". Escalated to investor.
- **Investor Test:**
1. Trust with money? **Yes**
2. Data loss? **Protected** ✅ — Local + off-site BorgBackup
3. Free tier abuse? **Mitigated**
4. Key recovery? **Yes**
5. False features? **Clean**
- **Budget:** €181.71 remaining, Revenue: €9
- **Open bugs:** 0 CRITICAL, 1 HIGH (BUG-049 — investor action needed), 5 MEDIUM, 3 LOW
- **Blockers:** BUG-049 requires investor to enable Stripe invoice emails in Dashboard
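Review bot: item 5 of the Session 45 entry records that `/v1/usage` and `/v1/concurrency` now require the `ADMIN_API_KEY` env var, but not what the routes do when that variable is unset or empty. Add a clause stating the behaviour in that case (ideally 403 for every key) so the log can be checked against what is deployed. The same line is also missing the separator between `**Audit HIGH #11 FIXED**` and the code span that items 2 to 4 have.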


@ -3,7 +3,7 @@
"phaseLabel": "Build Production-Grade Product",
"status": "near-launch-ready",
"product": "DocFast \u2014 HTML/Markdown to PDF API",
"currentPriority": "1) CI/CD secrets setup. 2) Marketing launch. 3) Proactive improvements.",
"currentPriority": "1) BUG-049 invoice fix (investor action). 2) Marketing launch prep. 3) Remaining MEDIUM audit items.",
"ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip.",
"ownerDirectives": [
"Stripe: owner has existing Stripe account from another project \u2014 use same account, just create separate Product + webhook endpoint for DocFast.",
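Review bot: the new `currentPriority` value drops "CI/CD secrets setup" without recording it as done, while the `CI/CD PIPELINE` entry in `ownerDirectives` still says the three repository secrets (SERVER_HOST, SERVER_USER, SSH_PRIVATE_KEY) need to be added. Either keep the item in the priority list or update that directive in the same commit so the two fields agree.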
@ -15,6 +15,7 @@
"CI/CD PIPELINE: Forgejo Actions workflow created. Needs 3 repository secrets added in Forgejo settings (SERVER_HOST, SERVER_USER, SSH_PRIVATE_KEY).",
"REPRODUCIBLE INFRASTRUCTURE: DONE \u2014 setup.sh, docker-compose, configs, disaster recovery docs all in infrastructure/ directory.",
"PRO PLAN LIMITS: DONE \u2014 Set to 2,500 PDFs/month at \u20ac9/mo. Competitive with html2pdf.app. Enforced in code, updated on landing page + JSON-LD + Stripe.",
"STATUS PAGE: The health link on the website currently points to the raw API /health endpoint which returns JSON — unprofessional. Create a proper /status page with a nice UI showing service status, uptime, response time, etc. Keep the raw /health API endpoint for monitoring, but the public-facing link should be a styled status page.",
"SUPPORT EMAIL LIVE: support@docfast.dev is now active in FreeScout. The CEO can spawn a support agent that accesses FreeScout via API to handle customer inquiries. Update the website contact/support references to use this address.",
"BUG-049 HIGH: Pro customers do not receive an invoice after payment. This is legally required in Austria/EU. Stripe can auto-generate invoices for subscriptions \u2014 enable Stripe Invoicing or implement invoice generation. Customer must receive a proper invoice with: company name, ATU number, invoice number, date, amount, VAT breakdown.",
"WEBSITE TEMPLATING: DONE \u2014 Build-time system with partials (nav/footer/styles). Source in public/src/, build with node scripts/build-html.cjs."
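Review bot: the added `STATUS PAGE` directive asks for "service status, uptime, response time, etc." and leaves open which fields may appear on the public page. The Session 45 log reports health as "UP, PostgreSQL 16.11, pool 15/15", so state here that the public `/status` page shows coarse state only and that database version and pool figures stay on the `/health` endpoint kept for monitoring. Since `ownerDirectives_PRIORITY` says to process the list in order, also confirm that inserting this entry mid-list, ahead of `BUG-049 HIGH`, is the intended order.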
@ -48,7 +49,9 @@
"proLimitsSet": true,
"proLimitsNote": "2,500 PDFs/month for Pro. Enforced in usage middleware. Landing page, JSON-LD, Stripe all consistent.",
"websiteTemplating": true,
"websiteTemplatingNote": "Build-time HTML templating with shared nav/footer partials. npm run build:pages"
"websiteTemplatingNote": "Build-time HTML templating with shared nav/footer partials. npm run build:pages",
"supportEmailLive": true,
"supportEmailNote": "support@docfast.dev on footer, impressum, terms, openapi.json, landing page"
},
"loadTestResults": {
"sequential": "~2.1s per PDF, ~28/min",
@ -91,11 +94,21 @@
"openBugs": {
"CRITICAL": [],
"HIGH": [
"BUG-049: No invoice sent to Pro customers after payment"
"BUG-049: No invoice email sent to Pro customers \u2014 needs Stripe Dashboard setting enabled"
],
"MEDIUM": [],
"LOW": [],
"note": "All bugs (040-048) resolved as of Session 41. BUG-046 (usage data leak), BUG-047 (copy button), BUG-048 (change email) fixed."
"MEDIUM": [
"Audit #10: Usage data written on every request (should batch)",
"Audit #12: In-memory caches can diverge from DB",
"Audit #14: No per-endpoint body size limits",
"Audit #15: Browser pool queue no per-key fairness",
"Audit #17: No duplicate session_id check on billing success"
],
"LOW": [
"Audit #18: Rate limit store potential memory growth",
"Audit #22: Unused import in convert.ts",
"Audit #25: Inconsistent error response shapes"
],
"note": "Session 45: Fixed audit #3 (Critical), #6, #7, #11 (HIGH). Added support@docfast.dev to all pages."
},
"blockers": [],
"resolvedBlockers": [
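Review bot: `"blockers": []` is left empty at the end of this hunk, but the Session 45 log added in the same commit lists BUG-049 under Blockers (investor must enable Stripe invoice emails). Add BUG-049 to `blockers` or drop it from the log entry so the state file and the log agree. Replacing `note` also removes the only record in this object that bugs 040-048 were resolved as of Session 41; consider appending to the note instead of overwriting it.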
@ -104,5 +117,5 @@
"Off-site backups \u2014 DONE 2026-02-16, Hetzner Storage Box configured with BorgBackup"
],
"startDate": "2026-02-14",
"sessionCount": 44
"sessionCount": 45
}