Business: HIGH security issues ARE launch blockers — fix before Phase 2

Hoid 2026-02-14 16:48:40 +00:00
parent e5b8769f7c
commit c6010f1b6a
5 changed files with 472 additions and 59 deletions


@ -1,9 +1,9 @@
{
"phase": 1,
"phaseLabel": "Build MVP — Fix bugs + security audit",
"status": "bugs-open",
"phaseLabel": "Build MVP — Fix remaining HIGH security issues",
"status": "high-security-issues-open",
"product": "DocFast — HTML/Markdown to PDF API",
"currentPriority": "Fix BUG-007 (invoice template broken) and BUG-008 (unwanted border on HTML→PDF). Then run security audit. Then QA everything again — QA must test ALL endpoints including templates this time.",
"currentPriority": "Fix ALL remaining HIGH security issues. These ARE launch blockers per investor. 1) Container runs as root — add non-root user in Dockerfile. 2) Unlimited free signup abuse — add per-IP rate limiting on signup endpoint. 3) CORS wildcard on auth routes — restrict to docfast.dev origin only. 4) In-memory usage tracking resets on restart — persist to disk/volume. Fix all, deploy, QA verify. Do NOT move to Phase 2 until all resolved.",
"infrastructure": {
"domain": "docfast.dev",
"url": "https://docfast.dev",
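Review bot: item 3 of the new "currentPriority" string says to restrict CORS on auth routes to the "docfast.dev origin only", but a browser Origin header carries the scheme, so the allow-list entry must be the exact value https://docfast.dev (the same value as the "url" field in this hunk), not the bare domain; a bare-domain comparison either matches nothing or, if done as a substring or unanchored regex check, also admits attacker-controlled hosts whose name merely contains docfast.dev. Item 4 (persist in-memory usage tracking to a disk/volume) also interacts with item 1 (run the container as a non-root user): the mounted path has to be writable by that new user, so the Dockerfile change needs to create or chown the data directory, otherwise the persistence fix fails only at runtime and the usage counters silently stay in memory. Since the file now tracks four distinct launch-blocking items, consider splitting them out of the single prose string into an array so QA can verify each one individually.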
@ -24,5 +24,5 @@
},
"blockers": [],
"startDate": "2026-02-14",
"sessionCount": 15
"sessionCount": 17
}
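Review bot: "blockers" remains [] in this hunk even though the commit message and the updated "currentPriority" above declare the four HIGH security issues to be launch blockers, so anything that reads the blockers field sees none. Move the four items (root container, unrate-limited signup, CORS wildcard on auth routes, non-persisted usage tracking) into "blockers" so that field agrees with the new "status": "high-security-issues-open"; the sessionCount bump to 17 is fine as is.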