Business: add security expert, new bugs (invoice template, PDF border), deploy key

projects/business/memory/bugs.md

@@ -2,6 +2,20 @@
 
 ## Open
 
+### BUG-007: Invoice template endpoint not working
+- **Found by:** Human (investor)
+- **Date:** 2026-02-14
+- **Severity:** HIGH
+- **Description:** Invoice template rendering doesn't work. QA failed to test this endpoint. Must test POST /v1/templates/invoice/render with sample data and verify it returns a valid PDF.
+- **Status:** Open
+
+### BUG-008: HTML to PDF has unwanted border
+- **Found by:** Human (investor)
+- **Date:** 2026-02-14
+- **Severity:** MEDIUM
+- **Description:** When converting HTML to PDF, there's a visible border around the content. This should either be removed by default or be an option (e.g. `"border": false` in the request body).
+- **Status:** Open
+
 ### BUG-006: Copy button lacks visual feedback
 - **Found by:** Hoid (QA via Playwright)
 - **Date:** 2026-02-14

projects/business/memory/state.json

@@ -1,13 +1,9 @@
 {
-  "phase": 2,
+  "phase": 1,
-  "phaseLabel": "Phase 2 — Launch & First Customers",
+  "phaseLabel": "Build MVP — Fix bugs + security audit",
-  "status": "active",
+  "status": "bugs-open",
   "product": "DocFast — HTML/Markdown to PDF API",
-  "currentPriority": "Get first customers — marketing, SEO, dev community outreach. Product is live and fully functional.",
+  "currentPriority": "Fix BUG-007 (invoice template broken) and BUG-008 (unwanted border on HTML→PDF). Then run security audit. Then QA everything again — QA must test ALL endpoints including templates this time.",
-  "qaTools": {
-    "playwright": "Installed globally. Use: NODE_PATH=/usr/local/lib/node_modules node -e \"const {chromium}=require('playwright'); ...\"",
-    "note": "QA agents MUST test with Playwright to catch browser-only bugs like CSP violations"
-  },
   "infrastructure": {
     "domain": "docfast.dev",
     "url": "https://docfast.dev",
@@ -23,7 +19,7 @@
   "team": {
     "structure": "CEO + specialist sub-agents",
     "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.",
-    "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Marketing Agent"],
+    "specialists": ["Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent"],
     "workflow": "CEO spawns specialists → specialists do work → CEO spawns QA → QA verifies → CEO reviews"
   },
   "blockers": [],

skills/business/SKILL.md

@@ -101,6 +101,33 @@ Write findings to projects/business/memory/bugs.md (append, don't overwrite).
 If everything passes, say so — but only if it ACTUALLY passes.
 ```
 
+### Security Expert
+Spawn for: Security audits, hardening, vulnerability assessment, auth system review.
+Task template:
+```
+You are the Security Expert for DocFast (https://docfast.dev).
+Server: 167.235.156.214, SSH key: /home/openclaw/.ssh/docfast
+Forgejo repo: openclawd/docfast
+Credentials: source /home/openclaw/.openclaw/workspace/.credentials/docfast.env (NEVER read this file directly)
+
+TASK: [specific task]
+
+Focus areas:
+- API authentication and authorization
+- Input validation and sanitization
+- Rate limiting and abuse prevention
+- CORS policy
+- CSP and security headers
+- Server hardening (SSH, firewall, Docker)
+- Stripe webhook verification
+- API key generation and storage security
+- DoS protection (PDF generation is resource-intensive)
+- Data privacy (GDPR compliance for EU)
+
+Report ALL findings with severity (CRITICAL/HIGH/MEDIUM/LOW) and recommended fixes.
+Write findings to projects/business/memory/security-audit.md
+```
+
 ### Marketing Agent
 Spawn for: SEO, content creation, dev community outreach. ONLY after QA passes.
 Task template: