- Remove verificationsCache array and loadVerifications() function from verification.ts
- Remove verifyToken() and verifyTokenSync() functions (multi-replica unsafe, never used)
- Remove createVerification() function (stores unused data)
- Remove GET /verify route and verifyPage() helper function
- Remove loadVerifications() call from startup
- Remove createVerification() usage from signup route
- Update imports and test mocks to match removed functions
- Keep active 6-digit code system intact (createPendingVerification, verifyCode, etc.)
All 559 tests passing. The active verification system using pending_verifications
table and 6-digit codes continues to work normally.
- updateEmailByCustomer: DB fallback when stripe_customer_id not in cache
- updateKeyEmail: DB fallback when key not in cache
- POST /v1/recover: DB fallback when email not in cache (was only on verify)
- 6 TDD tests added (keys-email-update.test.ts, recover-initial-db-fallback.test.ts)
- 547 tests total, all passing
/v1/email-change was missing from the restricted CORS list, getting
wildcard Access-Control-Allow-Origin: * instead of being restricted to
https://docfast.dev like other account management routes (signup,
recover, billing, demo). TDD: test added to app-routes.test.ts.
Remove fire-and-forget SIGTERM/SIGINT handlers from usage.ts (race condition
with pool.end() in index.ts). Instead, await flushDirtyEntries() in the
index.ts shutdown orchestrator between stopping the server and closing the
DB pool.
- downgradeByCustomer now queries DB when key not in memory cache,
preventing cancelled customers from keeping Pro access in multi-pod setups
- recover/verify endpoint falls back to DB lookup when cache miss on email
- Added TDD tests for both fallback paths (4 new tests)
- renderPdf() and renderUrlPdf() now return { pdf, durationMs }
- Timing wraps the actual render with Date.now()
- Log render duration via logger.info
- Add X-Render-Time response header in convert and demo routes
- Update all callers in convert, demo, templates routes
- Add TDD tests in render-timing.test.ts
- Update existing test mocks for new return shape
- Add 'URL to PDF' nav link and example section
- Show basic and advanced cURL examples for /v1/convert/url
- Include security notes (JS disabled, private URLs blocked)
- Add test coverage for the new section
- Go: replaced non-existent docfast-go SDK with net/http example
- PHP: replaced non-existent DocFast\Client SDK with file_get_contents example
- Removed fake Laravel facade example, added note instead
- Updated code labels to 'generate-pdf.go' and 'generate-pdf.php'
- Added test to prevent regression
- Section 2.1: Replace Free Tier with Demo (Free) - no account required,
5 req/hour, testing and evaluation only, no SLA/support
- Section 5.1: Change 'no SLA for free tier' to 'no SLA for demo usage'
- Add terms-content test to verify no Free Tier references remain
- Rebuild public/terms.html via build-html.cjs
Remove global express.json({ limit: '2mb' }) that preempted route-specific
parsers. Each route group now has its own express.json() with correct limit:
- Demo: 50KB, Convert: 500KB, Others: 2MB, Stripe webhook: unchanged
- Replace unbounded Set with Map<sessionId, timestamp> tracking insertion time
- Add periodic cleanup every hour to remove entries older than 24h
- Add on-demand cleanup before duplicate checks for timely cleanup
- Add comprehensive TDD tests verifying TTL behavior:
* Fresh entries work correctly
* Stale entries (>24h) get cleaned up
* Fresh entries survive cleanup
* Bounded size with many entries
- All 447 tests pass including 4 new TTL tests
- Memory leak fixed while preserving DB-level deduplication
When renderUrlPdf() sets up request interception for SSRF DNS pinning,
the interceptor and event listener were never cleaned up in recyclePage().
This could cause subsequent HTML-to-PDF conversions on the same pooled
page to have external resources blocked by the stale interceptor.
- Export recyclePage for testability
- Add removeAllListeners('request') + setRequestInterception(false)
- Add browser-recycle.test.ts with TDD (red→green verified)
Tests: 443 passing (was 442)
- basic-ftp: critical path traversal (GHSA-5rq4-664w-9x2c) - production dep via puppeteer
- rollup: high path traversal (GHSA-mw96-cpmx-2vgc) - dev dep via vitest
- npm audit now shows 0 vulnerabilities
- All 291 tests pass
