| 8 |
8 |
|
---
|
| 9 |
9 |
|
|
| 10 |
10 |
|
## Code Review Remediation — Deferred
|
| 11 |
|
- |
- [ ] Monitor scheduler.rs (1184), git/mod.rs (224), license_keys.rs (684) for growth
|
| 12 |
|
- |
- [ ] Consider splitting bin/mnw-admin.rs git-auth commands into separate module
|
|
11 |
+ |
- [ ] Monitor scheduler.rs (1249), git/mod.rs (624), license_keys.rs (684) for growth
|
| 13 |
12 |
|
|
| 14 |
13 |
|
---
|
| 15 |
14 |
|
|
| 16 |
15 |
|
## External Blockers
|
| 17 |
16 |
|
|
|
17 |
+ |
### Business Formation (Make Creative, LLC)
|
|
18 |
+ |
- [x] Register LLC in Colorado — SOS ID 20261524483, filed 2026-04-28
|
|
19 |
+ |
- [x] Get EIN — 42-2216443, issued 2026-04-28
|
|
20 |
+ |
- [ ] D-U-N-S number — Applied 2026-04-28, ~30 business days (blocks Google Play + Microsoft Partner Center)
|
|
21 |
+ |
- [ ] Operating agreement — Single-member template, do this week
|
|
22 |
+ |
- [ ] Business bank account — Bring Articles + EIN letter + ID to bank
|
|
23 |
+ |
|
|
24 |
+ |
### Platform Accounts (blocked on D-U-N-S)
|
|
25 |
+ |
|
| 18 |
26 |
|
| Blocker | Status | Blocks |
|
| 19 |
27 |
|
|---------|--------|--------|
|
| 20 |
|
- |
| Google Play Developer Account ($25) | Not started | GO/BB Android builds |
|
| 21 |
|
- |
| Windows code signing certificate (Authenticode) | Not started | GO/BB/AF Windows builds |
|
| 22 |
|
- |
| Microsoft Partner Center account | Not started | Windows Store distribution (optional) |
|
| 23 |
|
- |
| OAuth Provider Registration (Fastmail) | Waiting on Fastmail reply | GO Fastmail email OAuth |
|
|
28 |
+ |
| D-U-N-S number | Applied 2026-04-28, ~30 days | Google Play, Microsoft Partner Center |
|
|
29 |
+ |
| Google Play Developer Account ($25) | Blocked on D-U-N-S | GO/BB Android builds |
|
|
30 |
+ |
| Microsoft Partner Center account | Blocked on D-U-N-S | Windows Store distribution (optional) |
|
|
31 |
+ |
| Windows code signing certificate | Not started (individual or traditional cert — Azure Trusted Signing requires 3yr history) | GO/BB/AF Windows builds |
|
|
32 |
+ |
| OAuth Provider Registration (Fastmail) | Need to send registration info to partnerships@fastmailteam.com | GO Fastmail email OAuth |
|
| 24 |
33 |
|
|
| 25 |
34 |
|
---
|
| 26 |
35 |
|
|
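Review bot: the Business Formation list writes the Colorado SOS ID and the EIN into a tracked TODO file; an EIN is used as an identity credential with banks and tax filings, so keep it in the ops vault and let this file say only "filed 2026-04-28, EIN issued (see vault)". Separately, the removed item "Consider splitting bin/mnw-admin.rs git-auth commands into separate module" disappears with no note of whether it was done or declined, while the same edit bumps git/mod.rs from 224 to 624 lines in the growth-monitor line, which makes the split more relevant, not less; keep the item or record the decision.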
| 127 |
136 |
|
- Rate limit IP extraction trusts X-Forwarded-For when traffic bypasses Cloudflare (helpers.rs). Fix requires splitting rate limit extraction by path: CF-Connecting-IP for public web routes, peer socket for internal/CLI/git. Needs careful routing since CLI, git smart HTTP, and SyncKit all hit the same server but some bypass Cloudflare.
|
| 128 |
137 |
|
- S3 key/file size UPDATE queries lack ownership in SQL -- defense-in-depth; callers verify ownership (db/items.rs)
|
| 129 |
138 |
|
|
|
139 |
+ |
## Sandbox Fuzz Findings (2026-04-28)
|
|
140 |
+ |
|
|
141 |
+ |
Four-agent adversarial audit of sandbox feature. 12 findings: mechanical fixes applied inline, remainder tracked below.
|
|
142 |
+ |
|
|
143 |
+ |
### Fixed (mechanical)
|
|
144 |
+ |
- [x] `check_not_sandbox()` added to: `add_domain`, `verify_domain`, `remove_domain` (domains.rs)
|
|
145 |
+ |
- [x] `check_not_sandbox()` added to: `create_repo` (projects.rs)
|
|
146 |
+ |
- [x] `check_not_sandbox()` added to: `start_import` (imports.rs)
|
|
147 |
+ |
- [x] `check_not_sandbox()` added to: `claim_purchase` (guest_checkout.rs)
|
|
148 |
+ |
- [x] Sandbox guard on blog publish side-effects: `send_blog_post_announcements` and `spawn_mt_thread_for_blog_post` skipped for sandbox users (blog.rs)
|
|
149 |
+ |
- [x] `is_sandbox` check on RSS feeds: user_rss_feed, project_rss_feed, project_blog_rss return 404 for sandbox users (feeds.rs)
|
|
150 |
+ |
- [x] `is_sandbox` check on item page: return 404 if item owner is sandbox (item.rs)
|
|
151 |
+ |
- [x] Creator `is_sandbox` check in subscription checkout: reject before passing fake Stripe price IDs to Stripe API (checkout/subscriptions.rs)
|
|
152 |
+ |
|
|
153 |
+ |
### Remaining
|
|
154 |
+ |
- [ ] **IP header mismatch in sandbox cap** — sandbox handler reads `cf-connecting-ip`, `track_session` reads `x-forwarded-for`. If they differ, sandbox accounts are invisible to the per-IP cap. Fix: pass extracted IP from sandbox handler to `track_session` (or unify extraction into shared function).
|
|
155 |
+ |
- [ ] **Race condition on per-IP cap** — two concurrent requests can both pass `count_active_sandboxes_by_ip` before either inserts. Partially mitigated by rate limiter (burst=2). Fix: PostgreSQL advisory lock keyed on IP hash, or accept minor overshoot.
|
|
156 |
+ |
- [ ] **Orphaned SyncKit/OTA S3 objects** — cleanup deletes `{user_id}/` and `projects/{project_id}/` prefixes but not `ota/{app_id}/` or `{app_id}/{user_id}/` (SyncKit blobs). Fix: query sync_apps before CASCADE delete, clean those prefixes too.
|
|
157 |
+ |
- [ ] **Dead sandbox file constants** — `SANDBOX_MAX_FILE_BYTES` (5MB) and `SANDBOX_MAX_STORAGE_BYTES` (50MB) are unreachable because `check_upload_allowed` rejects sandbox users at the `creator_subscriptions` check. Either add sandbox-aware upload path or remove dead constants.
|
|
158 |
+ |
|
|
159 |
+ |
### Accepted
|
|
160 |
+ |
- Git repo disk cleanup on sandbox expiry — repos on disk are not cleaned by S3 cleanup. Low volume (sandbox users unlikely to create repos), and existing git disk cleanup scheduled task handles orphans. Not worth dedicated sandbox cleanup code.
|
|
161 |
+ |
- Email to sandbox addresses — follower notifications could send to `sandbox_xxx@sandbox.local`. Mitigated by follows being blocked for sandbox users. Postmark rejects `.local` domains. Negligible risk.
|
|
162 |
+ |
|
|
163 |
+ |
## Code Fuzz Findings (2026-04-28)
|
|
164 |
+ |
|
|
165 |
+ |
Six-agent adversarial code review. 21 findings total: 20 fixed, 1 accepted. Fixed items: command injection in build_runner (validation + shell escaping), guest checkout PWYW validation (uses pricing::for_item now), guest checkout promo code reservation ordering, build staleness timeout, project image scan status gating + storage quota decrement, CSP media-src dynamic from config, idempotency cache UTF-8 safety, scan concurrency semaphore, unreachable!() replaced, blob TOCTOU, SSE ordering, OAuth form-encoded, process::exit flush, hx_toast warning, 2FA lockout re-check, N+1 project export (batch chapters/versions/keys/promo_codes/blog_posts/bundles), N+1 bulk ownership (single ANY query), N+1 purchase export (batch title lookup).
|
|
166 |
+ |
|
|
167 |
+ |
### Accepted
|
|
168 |
+ |
- Unbounded purchase export — intentional per creator trust audit (export limits removed 2026-04-27)
|
|
169 |
+ |
|
| 130 |
170 |
|
---
|
| 131 |
171 |
|
|
| 132 |
172 |
|
## Creator Trust Audit (2026-04-25, round 2 2026-04-26)
|
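Review bot: the "IP header mismatch in sandbox cap" item and the existing rate-limit item above it ("Rate limit IP extraction trusts X-Forwarded-For when traffic bypasses Cloudflare") are the same defect in three places, and the proposed fix (pass the sandbox handler's IP into `track_session`) still leaves `track_session` trusting a client-settable `x-forwarded-for` on every other call; unify on one shared extractor (`cf-connecting-ip` only for requests that provably arrived via Cloudflare, peer address otherwise) and fold both items into one. On the per-IP cap race, `pg_advisory_xact_lock` keyed on the IP hash, taken in the same transaction as the count and the insert, is the simplest correct form; a lock released before the insert commits still races. In the Code Fuzz summary, "command injection in build_runner (validation + shell escaping)" implies a shell is still being invoked; if the arguments can be passed as an argv vector with no shell, that removes the class entirely, and the one-sentence list of 20 fixes should be broken out per file the way the sandbox section is so each can be re-verified later.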
| 148 |
188 |
|
### Remaining
|
| 149 |
189 |
|
- [ ] **Legal/tax professional review** — prep doc at `docs/internal/legal_review_prep.md` with 41 specific questions across ToS, privacy, DMCA, payments, tax. Recommended: split engagement (internet attorney 3h + tax professional 1-2h)
|
| 150 |
190 |
|
|
|
191 |
+ |
## Creator Trust Audit (2026-04-27, round 6)
|
|
192 |
+ |
|
|
193 |
+ |
### Resolved
|
|
194 |
+ |
- [x] Stripe availability note on creators.html page (link to stripe.com/global)
|
|
195 |
+ |
- [x] Export limits removed: LIMIT clauses removed from sales (was 50k), followers (was 10k), subscribers (was 10k) export queries; file count cap (was 500) removed from content ZIP export (2GB memory safety cap retained)
|
|
196 |
+ |
- [x] Video added to item type table in getting-started.md
|
|
197 |
+ |
- [x] GDPR: SCC evaluation note + 30-day DSR response commitment added to privacy-policy.md [NEEDS LEGAL REVIEW]
|
|
198 |
+ |
- [x] Stripe rejection path documented in payouts.md (honest: no alternative processor yet, actively exploring)
|
|
199 |
+ |
- [x] Bandwidth policy already covered in tiers.md line 14
|
|
200 |
+ |
|
|
201 |
+ |
### Remaining
|
|
202 |
+ |
- [ ] **Incident notification system** — Let creators opt into status alerts (email or webhook) when platform status changes. Monitoring infra is solid (PoM + internal monitor both detect issues); missing piece is proactive notification to creators. Implementation: subscribe endpoint on /health, store preferences in DB, trigger email on status transition (Operational -> Degraded/Error and recovery). Could reuse existing email infrastructure (Postmark).
|
|
203 |
+ |
|
|
204 |
+ |
## Creator Trust Audit (2026-04-28, round 7)
|
|
205 |
+ |
|
|
206 |
+ |
### Resolved (docs)
|
|
207 |
+ |
- [x] **ToS general change notice bumped to 90 days** — Was 30 days, now matches pricing/privacy notice periods (terms-of-service.md)
|
|
208 |
+ |
- [x] **Data retention reconciled** — moderation.md now says 30 days (matching privacy-policy.md), with explicit exceptions for unethical content (immediate removal) and ban evasion records (2 years). Added unlisting as intermediate action.
|
|
209 |
+ |
- [x] **GDPR SCCs drafted** — privacy-policy.md international transfers section rewritten with SCC commitment [NEEDS LEGAL REVIEW]
|
|
210 |
+ |
- [x] **Buyer notification gap documented** — guarantees.md now notes that buyer notification email is not yet implemented, with [NEEDS LEGAL REVIEW] on template
|
|
211 |
+ |
- [x] **Free trial surfaced** — Added "Free trials available" link on landing page hero. Updated creators.html to mention free trial (2-6 weeks, no credit card) before sandbox.
|
|
212 |
+ |
- [x] **Tax/VAT guidance added** — New "VAT, GST, and Sales Tax" section in payments.md covering creator obligations, Stripe Tax, MoR status. Cross-linked from pricing.md See Also.
|
|
213 |
+ |
- [x] **Stale competition.md deleted** — Internal doc had 5+ shipped features still marked "Planned". Removed entirely rather than updating (public docs are source of truth).
|
|
214 |
+ |
- [x] **Creator count template variable verified** — `{{ total_creators }}` is populated from DB via `count_active_creators()`. Not a bug.
|
|
215 |
+ |
- [x] **Rejection info** — Will be included in rejection email itself, no separate doc needed.
|
|
216 |
+ |
|
|
217 |
+ |
### Remaining
|
|
218 |
+ |
- [x] **Buyer notification email** — Email sent to all buyers when a creator deletes their account. Fires from `delete_account()` via `tokio::spawn`. Query: `get_all_buyers_for_seller()` (bypasses contact sharing since this is a platform notification). Template: `send_creator_departure_notification()` in notifications.rs.
|
|
219 |
+ |
- [ ] **GDPR SCC execution** — Confirm SCCs are in place with Hetzner, AWS (S3), Stripe, Postmark. Part of legal review engagement.
|
|
220 |
+ |
- [ ] **Independent appeals review** — Planned guarantee (guarantees.md). Requires second person. Track which admin made original decision, enforce different reviewer for appeals.
|
|
221 |
+ |
- [ ] **COPPA/GDPR child consent** — Fan accounts allow 13+. EU sets digital consent at 16 in some member states. No parental consent mechanism exists. Part of legal review.
|
|
222 |
+ |
- [ ] **Indemnification clause** — ToS lacks mutual indemnification. Flagged in legal_review_prep.md. Part of legal review engagement.
|
|
223 |
+ |
|
| 151 |
224 |
|
## Creator Trust Audit (2026-04-27, round 4)
|
| 152 |
225 |
|
|
| 153 |
226 |
|
Resolved mechanically: fan-plus.md "not yet available" removed (feature is live). how-we-work.md video "not yet available" removed (video upload/playback works). roadmap.md embeds + video moved from Direction to What's Built. Vaporware table in todo-creator-trust-audit.md updated.
|
| 154 |
227 |
|
|
|
228 |
+ |
## Creator Trust Audit (2026-04-27, round 5)
|
|
229 |
+ |
|
|
230 |
+ |
Verified correct (audit false positives): IP retention cleanup IS implemented (scheduler.rs:932-982, two daily jobs + streaming session cleanup). HSTS IS implemented (Caddyfile, all 5 server blocks). Pricing calculator already shows breakeven note and 9-competitor comparison.
|
|
231 |
+ |
|
|
232 |
+ |
### Remaining
|
|
233 |
+ |
- [x] **Moderation warning system**: Renamed "Warning" to "Direct Message" across moderation.md, acceptable-use.md, code-of-conduct.md, copyright.md, and acceptable-use.html. Removed claims of formal warning records on account history. Now accurately describes what happens: an email explaining the issue, no formal tracking. Formal warning infrastructure can be added later when team grows.
|
|
234 |
+ |
|
| 155 |
235 |
|
### Docs — needs content decisions
|
| 156 |
236 |
|
- [x] **Tax documentation**: Already covered in payouts.md (lines 33-53) — US 1099-K, non-US guidance, Stripe links, "not tax advice" disclaimer. Pattern: statements + links to Stripe, avoids hardcoded thresholds.
|
| 157 |
237 |
|
- [x] **Support contact info**: Already covered — support/contact.md has 6 email addresses + response SLAs, dashboard has ticket form (user_support.html → WAM), forums exist
|
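Review bot: "Buyer notification email" is marked [x] under round 7 "Remaining" while the same hunk's "Resolved (docs)" entry says guarantees.md was just updated to state that the buyer notification email is not yet implemented; move the item to Resolved and update guarantees.md in the same change so the public doc does not describe shipped code as missing. The implementation note says it fires from `delete_account()` via `tokio::spawn`, which is fire-and-forget: a restart or panic between the delete and the send silently drops the notification to every buyer, so consider enqueueing it through the existing scheduler instead. The new "Incident notification system" item should add that subscribe requests verify control of the email address or webhook endpoint before anything is sent, otherwise the /health subscribe endpoint becomes a way to direct platform email at third parties. Minor: the audit rounds now read 2, 6, 7, 4, 5 in file order; reorder by round.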
| 187 |
267 |
|
- [x] Human testing code review: all 99 checklist items verified in code (routes, handlers, templates all exist)
|
| 188 |
268 |
|
|
| 189 |
269 |
|
### Pre-Launch Remaining
|
| 190 |
|
- |
- [ ] Stripe live mode: confirm creator Stripe Connect onboarding complete (not test mode)
|
|
270 |
+ |
- [x] Stripe live mode: creator Stripe Connect onboarding complete
|
| 191 |
271 |
|
- [ ] Human testing: complete sign-off table in `deploy/human_testing.md` (code verified, needs manual walkthrough)
|
| 192 |
272 |
|
- [ ] Content seeding: at least one real creator with published content on discover page
|
| 193 |
273 |
|
- [ ] Content seeding items from Pre-Beta section above (subscription tier, license keys, discount codes, purchase flow tests)
|
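Review bot: the replacement line "Stripe live mode: creator Stripe Connect onboarding complete" drops the check the original asked for ("not test mode"); record how live mode was confirmed (the live-mode key prefix in the deployed config, or the live Connect account ID) so the checkbox is auditable, since a test-mode account passes onboarding just as well. The remaining "Content seeding items from Pre-Beta section above" line depends on that same live-mode confirmation for the purchase flow tests; worth noting the dependency there.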