diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md
index 2506a25..a024ca1 100644
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
@@ -2,6 +2,20 @@
 ## Open
+### BUG-007: Invoice template endpoint not working
+- **Found by:** Human (investor)
+- **Date:** 2026-02-14
+- **Severity:** HIGH
+- **Description:** Invoice template rendering doesn't work. QA failed to test this endpoint. Must test POST /v1/templates/invoice/render with sample data and verify it returns a valid PDF.
+- **Status:** Open
+
+### BUG-008: HTML to PDF has unwanted border
+- **Found by:** Human (investor)
+- **Date:** 2026-02-14
+- **Severity:** MEDIUM
+- **Description:** When converting HTML to PDF, there's a visible border around the content. This should either be removed by default or be an option (e.g. `"border": false` in the request body).
+- **Status:** Open
+
 ### BUG-006: Copy button lacks visual feedback
 - **Found by:** Hoid (QA via Playwright)
 - **Date:** 2026-02-14
diff --git a/projects/business/memory/state.json b/projects/business/memory/state.json
index 7d3c132..755e70e 100644
--- a/projects/business/memory/state.json
+++ b/projects/business/memory/state.json
@@ -1,13 +1,9 @@
 {
- "phase": 2,
- "phaseLabel": "Phase 2 — Launch & First Customers",
- "status": "active",
+ "phase": 1,
+ "phaseLabel": "Build MVP — Fix bugs + security audit",
+ "status": "bugs-open",
 "product": "DocFast — HTML/Markdown to PDF API",
- "currentPriority": "Get first customers — marketing, SEO, dev community outreach. Product is live and fully functional.",
- "qaTools": {
- "playwright": "Installed globally. Use: NODE_PATH=/usr/local/lib/node_modules node -e \"const {chromium}=require('playwright'); ...\"",
- "note": "QA agents MUST test with Playwright to catch browser-only bugs like CSP violations"
- },
+ "currentPriority": "Fix BUG-007 (invoice template broken) and BUG-008 (unwanted border on HTML→PDF). Then run security audit. Then QA everything again — QA must test ALL endpoints including templates this time.",
 "infrastructure": {
 "domain": "docfast.dev",
 "url": "https://docfast.dev",
@@ -23,7 +19,7 @@
 "team": {
 "structure": "CEO + specialist sub-agents",
 "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
- "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Marketing Agent"],
+ "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"],
 "workflow": "CEO spawns specialists → specialists do work → CEO spawns QA → QA verifies → CEO reviews"
 },
 "blockers": [],
diff --git a/skills/business/SKILL.md b/skills/business/SKILL.md
index cc53782..2bcf376 100644
--- a/skills/business/SKILL.md
+++ b/skills/business/SKILL.md
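Review bot: Deleting the `qaTools` object drops the only recorded requirement that QA run in a real browser (Playwright, specifically to catch CSP violations), while the new `currentPriority` only says QA must cover all endpoints, so the next QA pass can silently regress to curl-only checks even though CSP is in the security audit's scope. The browser-testing rule and the Playwright invocation now exist nowhere in state; keep them as a structured key rather than prose, e.g. `"qaRequirements": ["Test in a real browser via Playwright to catch CSP violations", "Test ALL endpoints, including POST /v1/templates/invoice/render"]`. `status` also changes from `"active"` to the new free-form value `"bugs-open"`; if any tooling reads it, the allowed values should be documented alongside `phase` so the two cannot drift.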
@@ -101,6 +101,33 @@ Write findings to projects/business/memory/bugs.md (append, don't overwrite).
 If everything passes, say so — but only if it ACTUALLY passes.
 ```
+### Security Expert
+Spawn for: Security audits, hardening, vulnerability assessment, auth system review.
+Task template:
+```
+You are the Security Expert for DocFast (https://docfast.dev).
+Server: 167.235.156.214, SSH key: /home/openclaw/.ssh/docfast
+Forgejo repo: openclawd/docfast
+Credentials: source /home/openclaw/.openclaw/workspace/.credentials/docfast.env (NEVER read this file directly)
+
+TASK: [specific task]
+
+Focus areas:
+- API authentication and authorization
+- Input validation and sanitization
+- Rate limiting and abuse prevention
+- CORS policy
+- CSP and security headers
+- Server hardening (SSH, firewall, Docker)
+- Stripe webhook verification
+- API key generation and storage security
+- DoS protection (PDF generation is resource-intensive)
+- Data privacy (GDPR compliance for EU)
+
+Report ALL findings with severity (CRITICAL/HIGH/MEDIUM/LOW) and recommended fixes.
+Write findings to projects/business/memory/security-audit.md
+```
+
 ### Marketing Agent
 Spawn for: SEO, content creation, dev community outreach. ONLY after QA passes.
 Task template:
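Review bot: The `Focus areas:` list omits the attack surface most specific to an HTML-to-PDF service — server-side request forgery and local file read through the rendered document (remote `<img>`/`<link>`/`<iframe>` fetches, `file://` URLs, cloud metadata endpoints, redirects), which is the classic finding against headless-browser renderers and is presumably what this product uses given the Playwright references elsewhere in the repo. The list also has no supply-chain item (dependency and container base-image vulnerabilities) and says nothing about secrets in the report, even though `source … docfast.env` loads every value in that file into the agent's shell environment; "NEVER read this file directly" is advisory only, since `env`, a crash dump or a verbose log exposes the same values. Add the lines `- SSRF / local file read via rendered HTML (remote resources, file://, cloud metadata, iframes)` and `- Dependency and container image vulnerabilities (npm audit, base image CVEs)` under `Focus areas:`, and extend the reporting line to `Report ALL findings with severity (CRITICAL/HIGH/MEDIUM/LOW) and recommended fixes. Never paste secret values, keys or tokens into the report.` The Security Expert section is entirely within the hunk; the Marketing Agent section continues past it.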