From cbae35975cc7a92289df3919144aededda62b1b2 Mon Sep 17 00:00:00 2001 From: Hoid Date: Tue, 17 Feb 2026 08:08:54 +0000 Subject: [PATCH] Session 48: BUG-050 CRITICAL MX DNS, support ticket #370, state update --- projects/business/memory/bugs.md | 14 +++++++++ projects/business/memory/sessions.md | 27 +++++++++++++++++ projects/business/memory/state.json | 44 +++++++++++++++------------- 3 files changed, 65 insertions(+), 20 deletions(-) diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md index c919128..bdfe8fb 100644 --- a/projects/business/memory/bugs.md +++ b/projects/business/memory/bugs.md @@ -119,6 +119,20 @@ The three reported bugs (BUG-032, BUG-035, BUG-037) are verified fixed (032, 035 --- +## BUG-050: Broken MX Record Causes Email Delivery Failures — CRITICAL +- **Severity:** CRITICAL +- **Issue:** MX record for docfast.dev resolves to `mail.cloonar.com.docfast.dev` (non-existent) instead of a valid mail server. This is a relative hostname in DNS that got appended to the zone. +- **Impact:** Any mail server doing sender address verification (like cloonar.com) rejects our emails. Customer #370 cannot receive verification codes. This likely affects other recipients too. +- **Root cause:** MX DNS record was entered as `mail.cloonar.com` without trailing dot, so Hetzner DNS appended `.docfast.dev` +- **Fix needed:** Investor must fix MX record in Hetzner DNS console: + - **Option A (recommended):** Set MX to `docfast.dev.` (point to own server, since Postfix runs there) + - **Option B:** Delete the broken MX record entirely (servers will fall back to A record) +- **Workaround applied:** Postfix now accepts local mail for noreply@docfast.dev (mydestination + virtual alias), but this only helps if the remote server can reach us — which it can't due to broken MX. +- **Status:** OPEN — requires investor DNS action +- **Discovered:** 2026-02-17 Session 48 + +--- + ## Test Results Summary | Test Category | Status | Details | diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 0ba0886..bfc714d 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md @@ -1041,3 +1041,30 @@ - **Budget:** €181.71 remaining, Revenue: €9 - **Open bugs:** 0 CRITICAL, 1 HIGH (BUG-049 — investor action), 0 MEDIUM, 2 LOW (#18, #25) - **Blockers:** BUG-049 requires investor to enable Stripe invoice emails in Dashboard + +## Session 48 — 2026-02-17 08:00 UTC (Tuesday Morning — Cron) +- **Server health:** UP, PostgreSQL 16.11, pool 15/15, container healthy, uptime ~8h ✅ +- **CRITICAL DISCOVERY: BUG-050 — Broken MX DNS Record** + - Customer (ticket #370, dominik.polakovics@cloonar.com) reported verification emails never arriving + - Investigated Postfix mail logs — found: `550 5.1.0 : Sender address rejected: User unknown` + - Root cause: MX record for docfast.dev resolves to `mail.cloonar.com.docfast.dev` (non-existent) — relative hostname in DNS got zone-appended + - Impact: ANY mail server doing sender address verification rejects our emails. This affects key recovery, signup verification, and any other email flows + - Workaround applied: Configured Postfix to accept local mail (mydestination + virtual alias for noreply@), but MX record still prevents remote verification callbacks + - **Fix needed from investor:** In Hetzner DNS console, fix MX record to point to `docfast.dev.` (with trailing dot) or delete the broken MX record +- **Support ticket #370:** Replied to customer explaining the issue and that we're fixing it +- **Flushed stuck mail queue:** Removed stuck test email to bench@test.local that was retrying endlessly +- **Sub-agents dispatched (still running):** + 1. Backend dev: Investigating email delivery + fixing Audit #18 (rate limit memory) + Audit #25 (inconsistent errors) + 2. QA auditor: Performance, SEO, accessibility, cross-page consistency audit +- **Investor Test:** + 1. Trust with money? **Yes** ✅ (payment works) + 2. Data loss? **Protected** ✅ — Local + off-site BorgBackup + 3. Free tier abuse? **Mitigated** ✅ + 4. Key recovery? **NO** ❌ — Emails don't arrive for servers doing sender verification (BUG-050) + 5. False features? **Partial** ⚠️ — Key recovery and signup exist but emails may not deliver +- **Budget:** €181.71 remaining, Revenue: €9 +- **Open bugs:** 1 CRITICAL (BUG-050), 1 HIGH (BUG-049), 0 MEDIUM, 2 LOW (#18, #25) +- **NOT launch-ready** — email delivery is broken for some recipients +- **Blockers:** + - BUG-050: Investor must fix MX DNS record in Hetzner DNS console + - BUG-049: Investor must enable Stripe invoice emails in Dashboard diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json index 8c95352..351db5b 100644 --- a/projects/business/memory/state.json +++ b/projects/business/memory/state.json @@ -2,24 +2,24 @@ "phase": 1, "phaseLabel": "Build Production-Grade Product", "status": "near-launch-ready", - "product": "DocFast \u2014 HTML/Markdown to PDF API", - "currentPriority": "1) BUG-049 invoice fix (investor action). 2) Marketing launch prep. 3) Remaining LOW audit items (#18, #25). 4) Test coverage expansion.", + "product": "DocFast — HTML/Markdown to PDF API", + "currentPriority": "1) BUG-050 CRITICAL: Fix MX DNS record (investor action). 2) BUG-049 invoice fix (investor action). 3) Sub-agents completing LOW fixes + QA audit.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip.", "ownerDirectives": [ - "Stripe: owner has existing Stripe account from another project \u2014 use same account, just create separate Product + webhook endpoint for DocFast.", - "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE \u2014 webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account.", - "OFF-SITE BACKUPS: BorgBackup installed and running locally. Need Hetzner Storage Box for true off-site. Ask investor to provision one (~\u20ac3/mo for 100GB).", - "BUG-046 CRITICAL SECURITY: Usage endpoint exposes OTHER users' API key usage data. This is a data leak / GDPR violation. Fix immediately \u2014 usage must be scoped to the authenticated user's keys only. Investigate why the security agent missed this. Review and harden all endpoints for proper auth scoping.", + "Stripe: owner has existing Stripe account from another project — use same account, just create separate Product + webhook endpoint for DocFast.", + "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account.", + "OFF-SITE BACKUPS: BorgBackup installed and running locally. Need Hetzner Storage Box for true off-site. Ask investor to provision one (~€3/mo for 100GB).", + "BUG-046 CRITICAL SECURITY: Usage endpoint exposes OTHER users' API key usage data. This is a data leak / GDPR violation. Fix immediately — usage must be scoped to the authenticated user's keys only. Investigate why the security agent missed this. Review and harden all endpoints for proper auth scoping.", "BUG-047: Pro key success page has no copy button for the API key. Add a click-to-copy button so users can easily copy their new key.", "BUG-048: Change email functionality is broken. Investigate and fix.", "CI/CD PIPELINE: Forgejo Actions workflow created. Needs 3 repository secrets added in Forgejo settings (SERVER_HOST, SERVER_USER, SSH_PRIVATE_KEY).", - "REPRODUCIBLE INFRASTRUCTURE: DONE \u2014 setup.sh, docker-compose, configs, disaster recovery docs all in infrastructure/ directory.", - "PRO PLAN LIMITS: DONE \u2014 Set to 2,500 PDFs/month at \u20ac9/mo. Competitive with html2pdf.app. Enforced in code, updated on landing page + JSON-LD + Stripe.", + "REPRODUCIBLE INFRASTRUCTURE: DONE — setup.sh, docker-compose, configs, disaster recovery docs all in infrastructure/ directory.", + "PRO PLAN LIMITS: DONE — Set to 2,500 PDFs/month at €9/mo. Competitive with html2pdf.app. Enforced in code, updated on landing page + JSON-LD + Stripe.", "DOCKER DISK CLEANUP: Server ran out of disk space from accumulated Docker images/build cache. Add 'docker system prune -f' to the deploy process (after build, before restart) to prevent recurrence. Also consider adding a weekly cron on the server itself.", - "STATUS PAGE: The health link on the website currently points to the raw API /health endpoint which returns JSON \u2014 unprofessional. Create a proper /status page with a nice UI showing service status, uptime, response time, etc. Keep the raw /health API endpoint for monitoring, but the public-facing link should be a styled status page.", + "STATUS PAGE: The health link on the website currently points to the raw API /health endpoint which returns JSON — unprofessional. Create a proper /status page with a nice UI showing service status, uptime, response time, etc. Keep the raw /health API endpoint for monitoring, but the public-facing link should be a styled status page.", "SUPPORT EMAIL LIVE: support@docfast.dev is now active in FreeScout. The CEO can spawn a support agent that accesses FreeScout via API to handle customer inquiries. Update the website contact/support references to use this address.", - "BUG-049 HIGH: Pro customers do not receive an invoice after payment. This is legally required in Austria/EU. Stripe can auto-generate invoices for subscriptions \u2014 enable Stripe Invoicing or implement invoice generation. Customer must receive a proper invoice with: company name, ATU number, invoice number, date, amount, VAT breakdown.", - "WEBSITE TEMPLATING: DONE \u2014 Build-time system with partials (nav/footer/styles). Source in public/src/, build with node scripts/build-html.cjs." + "BUG-049 HIGH: Pro customers do not receive an invoice after payment. This is legally required in Austria/EU. Stripe can auto-generate invoices for subscriptions — enable Stripe Invoicing or implement invoice generation. Customer must receive a proper invoice with: company name, ATU number, invoice number, date, amount, VAT breakdown.", + "WEBSITE TEMPLATING: DONE — Build-time system with partials (nav/footer/styles). Source in public/src/, build with node scripts/build-html.cjs." ], "launchChecklist": { "emailVerificationReal": true, @@ -36,7 +36,7 @@ "rateLimitsDataBacked": true, "landingPageHonest": true, "legalPages": true, - "legalPagesNote": "Impressum, Privacy Policy, Terms of Service \u2014 all live", + "legalPagesNote": "Impressum, Privacy Policy, Terms of Service — all live", "euHostingMarketed": true, "jsDisabledInPdf": true, "zeroConsoleErrors": true, @@ -95,23 +95,27 @@ ] }, "openBugs": { - "CRITICAL": [], + "CRITICAL": [ + "BUG-050: Broken MX DNS record causes email delivery failures — needs investor DNS fix" + ], "HIGH": [ - "BUG-049: No invoice email sent to Pro customers \u2014 needs Stripe Dashboard setting enabled" + "BUG-049: No invoice email sent to Pro customers — needs Stripe Dashboard setting enabled" ], "MEDIUM": [], "LOW": [ "Audit #18: Rate limit store potential memory growth", "Audit #25: Inconsistent error response shapes" ], - "note": "Session 47: Fixed audit #10, #12, #15. 0 MEDIUM, 2 LOW remaining. Support ticket #369 replied." + "note": "Session 48: Discovered BUG-050 CRITICAL — broken MX record. Replied to support ticket #370. Sub-agents dispatched for LOW bug fixes + QA audit." }, - "blockers": [], + "blockers": [ + "BUG-050: MX DNS record for docfast.dev is broken (resolves to mail.cloonar.com.docfast.dev instead of valid host). Email delivery fails for servers doing sender verification. Investor must fix in Hetzner DNS." + ], "resolvedBlockers": [ - "E2E Pro payment test \u2014 DONE 2026-02-16, investor paid \u20ac9 successfully, Pro key provisioned", - "CI/CD secrets \u2014 DONE 2026-02-16, 3 Forgejo secrets added by investor", - "Off-site backups \u2014 DONE 2026-02-16, Hetzner Storage Box configured with BorgBackup" + "E2E Pro payment test — DONE 2026-02-16, investor paid €9 successfully, Pro key provisioned", + "CI/CD secrets — DONE 2026-02-16, 3 Forgejo secrets added by investor", + "Off-site backups — DONE 2026-02-16, Hetzner Storage Box configured with BorgBackup" ], "startDate": "2026-02-14", - "sessionCount": 47 + "sessionCount": 48 } \ No newline at end of file