openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
config/projects/business/memory/decisions.md
Hoid c984f260dd Deployment policy: CEOs deploy to staging only, never tag production 
Both DocFast and SnapAPI SKILL.md updated with mandatory deployment rules.
Only investor can approve production releases.
2026-02-20 07:58:37 +00:00

7.2 KiB
Raw Blame History

Decisions Log

2026-02-20 — Remove Free Tier, Add Public Demo Endpoint (investor directive)

Free accounts removed entirely. Replaced with rate-limited public demo endpoint (5 req/hour/IP, watermarked PDFs). No signup needed for demo. Existing 56 free accounts were all test accounts — immediate cutoff, no migration needed. Pro plan (€9/mo) unchanged. Deployed as v0.4.0.

2026-02-14 — Product: PDF API (approved by user)

Chose HTML/Markdown to PDF API over webhook relay and JSON schema validation. Fastest to ship, proven demand, clear monetization.

2026-02-14 — Name: DocFast

Product name "DocFast" — short, memorable, describes value prop (fast document generation). Domain TBD.

2026-02-14 — Tech Stack: TypeScript + Express + Puppeteer

  • TypeScript for type safety and fast iteration
  • Express for simplicity (no framework overhead)
  • Puppeteer for high-fidelity PDF rendering (Chrome-based = pixel-perfect)
  • Marked for markdown parsing
  • Chose Puppeteer over wkhtmltopdf/pdfkit for better CSS support and template rendering quality

2026-02-14 — Templates: Invoice + Receipt first

Built-in invoice and receipt templates as differentiator. Most PDF API competitors are raw converters — templates add immediate value for common use cases.

2026-02-14 — Pricing model (planned)

  • Free tier: 100 PDFs/month
  • Pro: $9/mo for 5,000 PDFs
  • Business: $29/mo for 25,000 PDFs
  • Enterprise: custom Not yet implemented — need Stripe integration.

2026-02-14 — Phase 2: Go to market

QA Session 14 verified all 3 investor-reported bugs are fixed. 3 minor edge cases (BUG-004/005/006) logged but not blocking launch. Product is shippable — moving to marketing and customer acquisition.

2026-02-14 — Phase 2 confirmed after full Playwright QA

BUG-004 (CSP inline scripts) and BUG-005 (CSP inline onclick) both fixed and verified. Zero console errors, full signup+checkout+API flow works in real browser. Only BUG-006 (cosmetic copy feedback) remains — not blocking launch.

2026-02-14 — Free tier limit: 50 PDFs/month (in-memory tracking)

Reduced from 100 to 50 for free tier enforcement. In-memory tracking for MVP (resets on restart). Will need Redis or SQLite for production persistence. Pro keys bypass limits via PRO_KEYS env var.

2026-02-14 — URL→PDF endpoint added

High-demand feature that differentiates from simpler HTML-only converters. Validates URLs (http/https only), 30s timeout, configurable wait strategy. Security note: may need SSRF protection before production (block private IPs).

2026-02-14 — Phase 2: All bugs resolved, QA passed

After 4 QA rounds and multiple fix cycles, all 11 test cases pass. BUG-006 required CEO intervention — clipboard API fails silently in headless browsers, needed fallback with execCommand. Moving to security audit before marketing.

2026-02-14 17:21 UTC — Product decisions on BUG-012/013/014

BUG-012: Remove email requirement for free tier

Rationale: Collecting unverified emails adds friction with zero value. Fastest path to API key = more signups. Can add optional email later for recovery/marketing. Decision: instant key generation, no email needed.

BUG-013: Pro key delivery — success page display

The Stripe success redirect already shows a key. Verify this works end-to-end. For now, success page + copy button is sufficient. Email delivery deferred (no email infra).

BUG-014: Key recovery — deferred

Without email verification, secure recovery is impossible. Ship with a clear warning: "Save your API key — we can't recover it." Revisit after launch when we have email infra.

429 form handling

Frontend must show a user-friendly message when rate limited instead of hanging.

2026-02-14 17:37 UTC — Reversing BUG-012 decision: Email required again (BUG-020)

Session 19 removed email to reduce friction. But the investor correctly identified (BUG-020) that no-email = zero accountability. Anyone can generate unlimited keys from different IPs. Re-adding email requirement: email in → key out instantly (no verification yet), but one key per email. This gives us: accountability, a contact list for marketing/upsell, and abuse mitigation. Friction is minimal (one field).

2026-02-14 17:37 UTC — BUG-019: Remove "Custom templates" from Pro plan

We don't have custom templates. Listing them is false advertising. Removed from landing page. Can build the feature later and re-add when it actually works.

2026-02-14 17:37 UTC — BUG-015: Migrate to SQLite

File-based JSON won't survive concurrent requests. SQLite is the right choice for our scale (single server, <1000 users). No need for PostgreSQL yet. DB file on Docker volume for persistence.

2026-02-16 — Email Infrastructure: Scaling Strategy

Context: Currently running Postfix on the single app server (docfast-1). Investor asked how this scales behind a load balancer.

Options evaluated:

  • A) Dedicated mail server — Separate VM running Postfix/Exim. Centralizes DKIM/SPF/PTR config, app servers relay through it. Moderate cost (~€4/mo for CX22), full control.
  • B) External email service (Postmark, SES, SendGrid) — Best deliverability, no infra to manage, built-in analytics/bounce handling. ~$15-25/mo at our scale. Postmark recommended (focused on transactional email, excellent deliverability).
  • C) Keep Postfix on app server with relay — Each app server relays through a central SMTP. Quick to set up but still managing Postfix everywhere.

Recommendation: Option B (External service — Postmark)

Reasons:

  1. Deliverability — Services like Postmark have pre-warmed IPs with established reputation. We're fighting spam scores on a fresh Hetzner IP.
  2. Scaling — Zero config when adding app servers. Just use the API/SMTP credentials.
  3. Operational cost — No PTR/DKIM/SPF debugging. No Postfix maintenance. Engineer time > €15/mo.
  4. Analytics — Bounce rates, open tracking, delivery confirmation built-in.
  5. When to implement — After launch validation. Current Postfix setup is fine for MVP with the deliverability fixes applied today.

Migration path: Keep Postfix for now (with today's SPF/DMARC/PTR fixes). Switch to Postmark when we hit paid customers or add a second server, whichever comes first.

⚠️ SUPERSEDED (2026-02-20): All Postfix infrastructure was removed. SMTP is now managed by Cloonar via mail.cloonar.com:587 with authenticated relay. No mail infrastructure runs on K3s.

2026-02-16 — Email Deliverability Fixes (PTR, SPF, DMARC)

Problem: Emails scoring 10.90 spam score. Three issues identified:

  1. PTR record showing generic Hetzner hostname → changed to mail.docfast.dev
  2. SPF using ~all (softfail) → changing to -all (hardfail)
  3. DMARC using p=none → changing to p=quarantine

Status: PTR fixed via Hetzner Cloud API. SPF and DMARC require Hetzner DNS API token (not currently in credentials). A record for mail.docfast.dev also needed.

2026-02-14 17:37 UTC — Deferred items (with reasoning)

  • BUG-016 (backups): Deferred to next session. Need to research Hetzner object storage or simple cron+scp backup.
  • BUG-017 (benchmarking): Deferred. Need load testing tools, will do before scaling marketing.
  • BUG-018 (rate limits): Depends on BUG-017. Can't set data-backed limits without benchmarks.