openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deployment policy: CEOs deploy to staging only, never tag production

Browse source 
Both DocFast and SnapAPI SKILL.md updated with mandatory deployment rules.
Only investor can approve production releases.
This commit is contained in:
Hoid 2026-02-20 07:58:37 +00:00
parent f872a71e42
commit c984f260dd
8 changed files with 172 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

95
projects/business/memory/bugs.md
View file

@ -1,3 +1,98 @@
# DocFast QA Full Audit — 2026-02-20
**Tester:** QA Bot (subagent)
**Version:** 0.3.2
**URL:** https://docfast.dev
**Date:** 2026-02-20 07:00 UTC
---
## New Bugs Found
## BUG-079: Billing Checkout Endpoint Has No Authentication — CRITICAL
- **Date:** 2026-02-20
- **Severity:** CRITICAL
- **Endpoint:** `POST /v1/billing/checkout`
- **Issue:** The billing checkout endpoint creates Stripe checkout sessions without ANY authentication. No API key required, no validation of provided keys. Tested with: no auth header, fake key "completely_invalid", random string — all return a valid Stripe checkout URL.
- **Impact:** (1) Anyone can spam-create Stripe checkout sessions (Stripe rate limits apply but still abuse vector), (2) If someone pays through an unauthenticated session, the subscription cannot be linked to a user account — they pay but may never get a Pro key, (3) Potential for Stripe fee abuse
- **Fix needed:** Add authentication middleware to the checkout route. Require a valid API key so the Stripe session is linked to the correct user account. Return 401/403 for unauthenticated requests.
- **Status:** ✅ FIXED (v0.3.4) — Rate limited to 3/IP/hour, body size check (1KB max), IP logging. Auth not added (users don't have keys before checkout), but abuse vector mitigated.
---
## Test Results
| # | Test | Result | Notes |
|---|------|--------|-------|
| 1 | Landing page loads | ✅ PASS | All sections render, version 0.3.2 |
| 2 | Console errors (homepage) | ✅ PASS | Zero errors |
| 3 | Mobile 375×812 (iPhone) | ✅ PASS | Layout stacks properly, no overflow |
| 4 | Mobile 768×1024 (iPad) | ✅ PASS | Responsive layout good |
| 5 | Nav links (Features, Pricing, Docs) | ✅ PASS | All work |
| 6 | Footer links (Home, Docs, Status, Impressum, Privacy, Terms) | ✅ PASS | All 6 links work |
| 7 | Signup flow — modal opens | ✅ PASS | "Get Free API Key" opens dialog |
| 8 | Signup — invalid email client-side | ✅ PASS | Shows "Please enter a valid email address" |
| 9 | Signup — invalid email API | ✅ PASS | Returns `{"error":"A valid email address is required."}` |
| 10 | Recovery flow — modal opens | ✅ PASS | "Lost your API key?" opens recovery dialog |
| 11 | /docs page (Swagger UI) | ✅ PASS | Full API docs, all endpoint groups |
| 12 | /docs console errors | ✅ PASS | Zero errors |
| 13 | /docs SEO meta tags | ✅ PASS | description, og:, twitter: all present (BUG-059 fixed) |
| 14 | /docs footer legal links | ✅ PASS | Impressum, Privacy, Terms present (BUG-069 fixed) |
| 15 | /status page | ✅ PASS | Shows real data: DB connected, PDF engine ready, 15/15 pool |
| 16 | /status console errors | ✅ PASS | Zero errors |
| 17 | /impressum | ✅ PASS | Full legal info, correct company data |
| 18 | /privacy | ✅ PASS | GDPR-compliant, 11 sections |
| 19 | /terms | ✅ PASS | Renders properly |
| 20 | Console errors (all pages) | ✅ PASS | ZERO errors across all 6 pages |
| 21 | Skip-to-content link | ✅ PASS | Present on all pages (BUG-067 fixed) |
| 22 | Heading hierarchy | ✅ PASS | h1 → h2 → h3, no skips (BUG-063 fixed) |
| 23 | Modal aria-modal | ✅ PASS | Present (BUG-066 fixed) |
| 24 | Modal labels | ✅ PASS | 4 labels found (BUG-064 fixed) |
| 25 | Close button aria-label | ✅ PASS | aria-label="Close" (BUG-065 fixed) |
| 26 | Sitemap | ✅ PASS | Correct namespace, all 6 pages (BUG-056, BUG-061 fixed) |
| 27 | HTTP headers | ✅ PASS | No duplicates (BUG-051/052 fixed) |
| 28 | Sub-pages og: tags | ✅ PASS | Present on impressum (BUG-060 fixed) |
| 29 | Health endpoint | ✅ PASS | DB status included, PostgreSQL 17.4 |
| 30 | Billing checkout auth | 🔴 FAIL | No authentication — BUG-079 |
| 31 | Performance | ✅ PASS | Pages load fast, no layout shifts |
| 32 | Keyboard navigation | ✅ PASS | Tab order sensible, skip link works |
---
## Previously Reported Bugs — Status Check
| Bug | Status | Notes |
|-----|--------|-------|
| BUG-051 (duplicate headers) | ✅ FIXED | Single headers now |
| BUG-052 (duplicate cache-control) | ✅ FIXED | Single header |
| BUG-053 (JS not minified) | ⚠️ STILL OPEN | 520 lines / 17KB, low priority |
| BUG-056 (sitemap namespace) | ✅ FIXED | Correct sitemaps.org |
| BUG-059 (/docs SEO) | ✅ FIXED | Full meta tags |
| BUG-060 (sub-page og tags) | ✅ FIXED | og: tags present |
| BUG-061 (/status in sitemap) | ✅ FIXED | Added |
| BUG-062 (main wraps only hero) | ✅ FIXED | main has id="main-content" |
| BUG-063 (heading skip) | ✅ FIXED | h2 for "Hosted in EU" |
| BUG-064 (modal labels) | ✅ FIXED | Labels present |
| BUG-065 (close button aria) | ✅ FIXED | aria-label="Close" |
| BUG-066 (aria-modal) | ✅ FIXED | aria-modal present |
| BUG-067 (skip-to-content) | ✅ FIXED | Skip link on all pages |
| BUG-069 (/docs footer) | ✅ FIXED | Legal links added |
---
## Summary
- **Total tests:** 32
- **Passed:** 31
- **Failed:** 1 (BUG-079 — CRITICAL: unauthenticated billing checkout)
- **New bugs:** 1 (CRITICAL severity)
- **Previously open bugs now fixed:** 14
- **Still open from before:** BUG-053 (JS minification, LOW)
**Overall Quality Assessment:** The site is in excellent shape. Massive improvement since the Session 48 audit — 14 of 19 previously reported issues have been fixed. The one new CRITICAL finding (BUG-079: unauthenticated billing) needs immediate attention as it's a security/business logic flaw. Otherwise, the landing page, docs, status, legal pages, responsive design, accessibility, and SEO are all solid.
---
## BUG-078: SMTP Config Pointed to Old Server
- **Date:** 2026-02-19
- **Severity:** HIGH