Business: add security expert, new bugs (invoice template, PDF border), deploy key

projects/business/memory/state.json

@@ -1,13 +1,9 @@
 {
-  "phase": 2,
-  "phaseLabel": "Phase 2 — Launch & First Customers",
-  "status": "active",
+  "phase": 1,
+  "phaseLabel": "Build MVP — Fix bugs + security audit",
+  "status": "bugs-open",
   "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Get first customers — marketing, SEO, dev community outreach. Product is live and fully functional.",
-  "qaTools": {
-    "playwright": "Installed globally. Use: NODE_PATH=/usr/local/lib/node_modules node -e \"const {chromium}=require('playwright'); ...\"",
-    "note": "QA agents MUST test with Playwright to catch browser-only bugs like CSP violations"
-  },
+  "currentPriority": "Fix BUG-007 (invoice template broken) and BUG-008 (unwanted border on HTML→PDF). Then run security audit. Then QA everything again — QA must test ALL endpoints including templates this time.",
   "infrastructure": {
     "domain": "docfast.dev",
     "url": "https://docfast.dev",
@@ -23,7 +19,7 @@
   "team": {
     "structure": "CEO + specialist sub-agents",
     "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
-    "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Marketing Agent"],
+    "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"],
     "workflow": "CEO spawns specialists → specialists do work → CEO spawns QA → QA verifies → CEO reviews"
   },
   "blockers": [],