Directive: proper status page instead of raw /health JSON

projects/business/memory/sessions.md

@@ -953,3 +953,28 @@
   - Remaining audit findings (MEDIUM/LOW) to address over next sessions
   - Test coverage is thin — needs expansion
 - **Blockers:** None
+
+## Session 45 — 2026-02-16 19:25 UTC (Monday Evening — Subagent)
+- **Server health:** UP, PostgreSQL 16.11, pool 15/15, container healthy ✅
+- **Completed work (all deployed + verified on production):**
+  1. ✅ **Support email added to website** — support@docfast.dev now referenced in:
+     - Footer (all pages) — new "Support" link
+     - Impressum page — alongside legal contact
+     - Terms page — in Pro plan support description
+     - Landing page — in Pro pricing card
+     - OpenAPI spec — in contact object
+  2. ✅ **Audit Critical #3 FIXED** — URL convert `waitUntil` changed from `networkidle0` to `domcontentloaded` (was contradicting JS-disabled security policy)
+  3. ✅ **Audit HIGH #6 FIXED** — Template render now validates required fields, returns 400 with list of missing fields
+  4. ✅ **Audit HIGH #7 FIXED** — Content-Type: application/json check added to markdown and URL convert routes (415 response)
+  5. ✅ **Audit HIGH #11 FIXED** — `/v1/usage` and `/v1/concurrency` now require `ADMIN_API_KEY` env var, return 403 for non-admin keys
+  6. ✅ **Git:** Commit 59cc8f3 pushed to Forgejo
+- **BUG-049 analysis:** Stripe auto-creates invoices for subscriptions. The fix is a Dashboard toggle: Settings → Emails → enable "Email invoices to customers for successful payments". Escalated to investor.
+- **Investor Test:**
+  1. Trust with money? **Yes** ✅
+  2. Data loss? **Protected** ✅ — Local + off-site BorgBackup
+  3. Free tier abuse? **Mitigated** ✅
+  4. Key recovery? **Yes** ✅
+  5. False features? **Clean** ✅
+- **Budget:** €181.71 remaining, Revenue: €9
+- **Open bugs:** 0 CRITICAL, 1 HIGH (BUG-049 — investor action needed), 5 MEDIUM, 3 LOW
+- **Blockers:** BUG-049 requires investor to enable Stripe invoice emails in Dashboard