{ "phase": 1, "phaseLabel": "Build Production-Grade Product", "status": "near-launch-ready", "product": "DocFast — HTML/Markdown to PDF API", "currentPriority": "1) BUG-049 HIGH: Enable Stripe invoice emails (investor action). 2) Add customer.subscription.updated + customer.updated to Stripe webhook events (investor action). 3) Frontend polish: remaining LOW/INFO bugs from QA audit.", "ownerDirectives_PRIORITY": "Process these IN ORDER. Do not skip.", "ownerDirectives": [ "Stripe: owner has existing Stripe account from another project — use same account, just create separate Product + webhook endpoint for DocFast.", "Stripe Product ID for DocFast: prod_TygeG8tQPtEAdE — webhook handler must filter by this product_id to ignore events from other projects on the same Stripe account.", "OFF-SITE BACKUPS: BorgBackup installed and running locally. Need Hetzner Storage Box for true off-site. Ask investor to provision one (~€3/mo for 100GB).", "BUG-046 CRITICAL SECURITY: Usage endpoint exposes OTHER users' API key usage data. This is a data leak / GDPR violation. Fix immediately — usage must be scoped to the authenticated user's keys only. Investigate why the security agent missed this. Review and harden all endpoints for proper auth scoping.", "BUG-047: Pro key success page has no copy button for the API key. Add a click-to-copy button so users can easily copy their new key.", "BUG-048: Change email functionality is broken. Investigate and fix.", "CI/CD PIPELINE: Forgejo Actions workflow created. Needs 3 repository secrets added in Forgejo settings (SERVER_HOST, SERVER_USER, SSH_PRIVATE_KEY).", "REPRODUCIBLE INFRASTRUCTURE: DONE — setup.sh, docker-compose, configs, disaster recovery docs all in infrastructure/ directory.", "PRO PLAN LIMITS: DONE — Set to 2,500 PDFs/month at €9/mo. Competitive with html2pdf.app. Enforced in code, updated on landing page + JSON-LD + Stripe.", "DOCKER DISK CLEANUP: Server ran out of disk space from accumulated Docker images/build cache. Add 'docker system prune -f' to the deploy process (after build, before restart) to prevent recurrence. Also consider adding a weekly cron on the server itself.", "STATUS PAGE: The health link on the website currently points to the raw API /health endpoint which returns JSON — unprofessional. Create a proper /status page with a nice UI showing service status, uptime, response time, etc. Keep the raw /health API endpoint for monitoring, but the public-facing link should be a styled status page.", "SUPPORT EMAIL LIVE: support@docfast.dev is now active in FreeScout. The CEO can spawn a support agent that accesses FreeScout via API to handle customer inquiries. Update the website contact/support references to use this address.", "BUG-049 HIGH: Pro customers do not receive an invoice after payment. This is legally required in Austria/EU. Stripe can auto-generate invoices for subscriptions — enable Stripe Invoicing or implement invoice generation. Customer must receive a proper invoice with: company name, ATU number, invoice number, date, amount, VAT breakdown.", "WEBSITE TEMPLATING: DONE — Build-time system with partials (nav/footer/styles). Source in public/src/, build with node scripts/build-html.cjs.", "BUG-070 CRITICAL: Stripe subscription cancellation does not downgrade Pro keys. Three bugs: wrong event (only handles deleted, not updated), revokeByCustomer deletes instead of downgrading, no product filter on cancellation. Fix dispatched." ], "launchChecklist": { "emailVerificationReal": true, "smtpWorking": true, "dnsRecordsLive": true, "userAccountSystem": true, "proPaymentFlow": true, "proPaymentFlowNote": "E2E tested 2026-02-16. Payment + Pro key provisioning works. Copy button added (BUG-047 fixed). Pro limit 5,000/mo enforced.", "postgresqlMigration": true, "keyRecovery": true, "databaseBackups": true, "databaseBackupsNote": "BorgBackup: LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC to Hetzner Storage Box. 7 daily + 4 weekly + 3 monthly retention. PostgreSQL dumps + Docker volumes + nginx + SSL + DKIM.", "loadTested": true, "rateLimitsDataBacked": true, "landingPageHonest": true, "legalPages": true, "legalPagesNote": "Impressum, Privacy Policy, Terms of Service — all live", "euHostingMarketed": true, "jsDisabledInPdf": true, "zeroConsoleErrors": true, "mobileResponsive": true, "securityAuditPassed": true, "healthEndpointComplete": true, "cicdPipeline": true, "cicdPipelineNote": "Forgejo Actions workflow + rollback script created. 3 secrets added 2026-02-16. Pipeline operational.", "reproducibleInfra": true, "reproducibleInfraNote": "Full infrastructure/ directory with setup.sh, docker-compose, nginx, postfix configs, disaster recovery README.", "proLimitsSet": true, "proLimitsNote": "2,500 PDFs/month for Pro. Enforced in usage middleware. Landing page, JSON-LD, Stripe all consistent.", "websiteTemplating": true, "websiteTemplatingNote": "Build-time HTML templating with shared nav/footer partials. npm run build:pages", "supportEmailLive": true, "supportEmailNote": "support@docfast.dev on footer, impressum, terms, openapi.json, landing page", "statusPage": true, "statusPageNote": "Styled /status page live at https://docfast.dev/status. Auto-refreshes, shows DB + pool stats.", "userAccountSystemNote": "Signup, verification, key recovery all working. Change email removed (security decision). Email delivery working (BUG-050 FIXED)." }, "loadTestResults": { "sequential": "~2.1s per PDF, ~28/min", "concurrent": "3 safe, 5th fails at ~16s", "server": "CAX11 (2 vCPU ARM, 4GB RAM), container 512MB cap" }, "infrastructure": { "domain": "docfast.dev", "url": "https://docfast.dev", "server": "docfast-1 (CAX11, nbg1)", "serverIP": "167.235.156.214", "sshKey": "/home/openclaw/.ssh/docfast", "smtp": "Postfix + OpenDKIM configured. DKIM-signed emails working. SPF/DKIM/DMARC DNS records live.", "email": "noreply@docfast.dev", "supportEmail": "support@docfast.dev (managed via FreeScout, hoid user has access)", "backups": "BorgBackup LOCAL daily at 03:00 UTC + OFF-SITE at 03:30 UTC. Remote: ssh://u149513-sub11@u149513-sub11.your-backup.de:23/./docfast-1 (repokey-blake2 encryption). PostgreSQL dumps + Docker volumes + configs.", "cicd": "Forgejo Actions workflow operational. 3 secrets configured.", "infraDocs": "infrastructure/ directory with full provisioning scripts" }, "credentials": { "file": "/home/openclaw/.openclaw/workspace/.credentials/docfast.env", "keys": [ "HETZNER_API_TOKEN", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET" ], "NEVER_READ_DIRECTLY": true }, "team": { "structure": "CEO + specialist sub-agents", "ceo": "Plans, delegates, reviews. Does NOT code. Only one who makes financial decisions.", "specialists": [ "Backend Developer", "UI/UX Developer", "QA Tester", "Security Expert", "Marketing Agent" ] }, "openBugs": { "CRITICAL": [], "HIGH": [ "BUG-049: No invoice email sent to Pro customers — needs Stripe Dashboard setting enabled" ], "MEDIUM": [], "LOW": [], "note": "Session 49: BUG-050 FIXED (MX DNS record corrected by investor). BUG-049 remains (invoice emails). Webhook needs customer.subscription.updated + customer.updated events added in Stripe Dashboard. Frontend polish (LOW/INFO bugs) in progress." }, "blockers": [ "BUG-049: Stripe invoice emails not enabled — legally required in Austria/EU. Investor must enable in Stripe Dashboard.", "Stripe webhook events: investor must add customer.subscription.updated + customer.updated to webhook endpoint in Stripe Dashboard." ], "resolvedBlockers": [ "E2E Pro payment test — DONE 2026-02-16, investor paid €9 successfully, Pro key provisioned", "CI/CD secrets — DONE 2026-02-16, 3 Forgejo secrets added by investor", "Off-site backups — DONE 2026-02-16, Hetzner Storage Box configured with BorgBackup" ], "startDate": "2026-02-14", "sessionCount": 48 }