snapapi session 66: BUG-020 + BUG-021 fixes (staging)

projects/snapapi/memory/sessions.md

@@ -1,5 +1,44 @@
 # SnapAPI Session Log
 
+## Session 66 — 2026-03-06 18:00 CET (Bugfix Session)
+
+**Goal:** Fix remaining open bugs (BUG-020, BUG-021) with TDD.
+
+**Health Check:**
+- Production: ✅ healthy, 2 replicas, v0.5.2 (VULNERABLE — BUG-016 still exploitable)
+- Staging: ✅ healthy, 1 replica
+
+**Work Done:**
+
+### 1. BUG-020 Fix: /status redirect consistency (sub-agent: snapapi-dev-bugfix-66)
+- **Problem:** GET /status returned 200 (served by statusRouter) instead of 301 redirect like /privacy, /terms, etc.
+- **Root cause:** `app.use("/status", statusRouter)` intercepted before redirect loop
+- **TDD:** Failing test written first (expect 301 redirect), then removed statusRouter, verified GREEN
+- **Fix:** Removed status router; existing redirect loop now handles /status → /status.html
+
+### 2. BUG-021 Fix: Playground validation before rate limiting (sub-agent: snapapi-dev-bugfix-66)
+- **Problem:** Invalid URL requests consumed rate limit quota before getting 400 error
+- **TDD:** Tests written for validation-before-rate-limit behavior
+- **Fix:** Added URL validation middleware before playgroundLimiter in route chain
+
+### 3. Deployment
+- Code pushed to main
+- Staging deploy attempted — DNS resolution issue with worker nodes during image import
+- Deploy status: **pending verification**
+
+**Test Suite:** 490+ tests (exact count pending agent completion)
+
+**Investor Test:**
+1. Stranger trust with money? **Yes on staging, NO on production**
+2. Data loss on crash? **No** (CNPG PostgreSQL)
+3. Free tier abuse? **⚠️ YES on production** — BUG-016 still active
+4. Key recovery? **Yes on staging**
+5. All website features work? **Yes on staging**
+
+**Production Status:** ⛔ VULNERABLE — 38+ commits behind staging. Production deploy approval urgently needed.
+
+---
+
 ## Session 65 — 2026-03-06 15:00 CET (PDF Feature + QA)
 
 **Goal:** Add high-value PDF output feature + comprehensive staging QA pass.