# Blocked on Michael - Task Reference

*Last updated: 2026-02-10*
*Scannable reference for when you have dashboard access. Knock off quick wins in one session.*

---

## 🚀 Quick Wins (Under 5 Minutes Each)

### 1. **STRIPE_WEBHOOK_SECRET - Fix Payment Processing**
**What:** Stripe webhook secret is a placeholder. Without it, payment status updates won't sync.
**Why it matters:** Customers can pay but won't get service activation → lost revenue + support issues.
**Steps:**
1. **Stripe Dashboard:** https://dashboard.stripe.com → Developers → Webhooks
2. Find endpoint: `https://rivet.rateright.com.au/api/webhooks/stripe`
3. Click "Click to reveal" signing secret (starts with `whsec_`)
4. **VPS SSH:** `ssh root@134.199.153.159`
5. Edit: `nano /home/ccuser/the-50-dollar-app/.env.local`
6. Replace: `STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_here` with your actual secret
7. Save: `Ctrl+X`, `Y`, `Enter`
8. Restart: `systemctl restart rateright-app`
**Time:** 3-4 minutes
**Priority:** HIGH - Payment processing broken

### 2. **Fix .next/ Ownership (Again)**
**What:** Health check cron creates root-owned files, blocking ccuser builds.
**Why it matters:** Builds fail, app can't restart automatically.
**Steps:**
```bash
ssh root@134.199.153.159
sudo chown -R ccuser:ccuser /home/ccuser/the-50-dollar-app/.next/
```
**Time:** 1 minute
**Priority:** HIGH - Blocks builds

### 3. **Update Health Check Cron to Run as ccuser**
**What:** Permanent fix for .next/ ownership issue.
**Why it matters:** Prevents recurrence of build failures.
**Steps:**
1. SSH into VPS
2. Edit cron: `crontab -e`
3. Replace current health check line with:
```bash
*/5 * * * * curl -sf http://127.0.0.1:3000 > /dev/null || su - ccuser -c 'cd /home/ccuser/the-50-dollar-app && pkill -f "next start"; sleep 2; NODE_ENV=production nohup npx next start -p 3000 > /tmp/next-app.log 2>&1 &'
```
4. Save and exit
**Time:** 2 minutes
**Priority:** MEDIUM - Prevents future issues

### 4. **Remove Unused RESEND_API_KEY**
**What:** Dead code in .env.local - email uses Supabase native auth, not Resend.
**Why it matters:** Cleaner config, reduces attack surface.
**Steps:**
1. SSH into VPS
2. Edit: `nano /home/ccuser/the-50-dollar-app/.env.local`
3. Remove line: `RESEND_API_KEY=...`
4. Save and restart: `systemctl restart rateright-app`
**Time:** 1 minute
**Priority:** LOW - Cleanup

---

## 📊 Dashboard Tasks (Stripe, Supabase)

### 1. **Create Supabase Storage Bucket "avatars"**
**What:** Worker profile view page has avatar upload but no bucket exists.
**Why it matters:** Profile picture uploads fail silently.
**Steps:**
1. **Supabase Dashboard:** https://supabase.com/dashboard → Your Project → Storage
2. Click "Create bucket"
3. Settings:
   - Name: `avatars`
   - Public: Yes
   - File size limit: 10MB (updated from 2MB for phone photos)
   - Allowed MIME types: `image/*`
4. Click "Create bucket"
**Time:** 2 minutes
**Priority:** MEDIUM - Profile feature incomplete

### 2. **Set Up Upstash Redis for Rate Limiting**
**What:** Current in-memory rate limiting won't work on Vercel. Need distributed Redis.
**Why it matters:** Rate limiting resets per serverless invocation → security risk.
**Steps:**
1. **Upstash:** https://console.upstash.com → Create Database
2. Region: `ap-southeast-2` (Sydney)
3. Plan: "Free Tier" (256MB, 500K commands/month - sufficient for launch)
4. Copy `UPSTASH_REDIS_REST_URL` and `UPSTASH_REDIS_REST_TOKEN`
5. **VPS:** Add to `/home/ccuser/the-50-dollar-app/.env.local`:
```
UPSTASH_REDIS_REST_URL="your_url_here"
UPSTASH_REDIS_REST_TOKEN="your_token_here"
```
6. Restart app: `systemctl restart rateright-app`
**Time:** 5 minutes
**Priority:** HIGH - Production readiness

### 3. **Rotate Supabase Service Key**
**What:** Security best practice - rotate service role key periodically.
**Why it matters:** Reduces risk if key was ever exposed (though git history is clean).
**Steps:**
1. **Supabase Dashboard:** Project Settings → API
2. Under "Project API keys", find "service_role" key
3. Click "Regenerate" (confirm action)
4. **VPS:** Update `.env.local` with new `SUPABASE_SERVICE_ROLE_KEY`
5. Restart app: `systemctl restart rateright-app`
**Time:** 3 minutes
**Priority:** MEDIUM - Security hygiene

### 4. **Run Pending Database Migrations (8 total)**
**What:** 8 database migrations ready in Supabase SQL Editor.
**Why it matters:** New features (job locking, enrichment, webhooks, etc.) won't work.
**Steps:**
1. **Supabase Dashboard:** SQL Editor
2. Run migrations in this order:
   - `20260202130000_create_job_locks_table.sql` (Job Locking)
   - `20260202060000_trade_tags.sql`
   - `20260202060100_playbook_sections.sql`
   - `20260202060200_team_permissions.sql`
   - `20260202060300_competitors.sql`
   - `20260202060400_import_export.sql`
   - `20260202060500_outbound_webhooks.sql`
   - `20260202060600_enrichment.sql`
3. Or use CLI: `npx supabase db push --linked`
**Time:** 10-15 minutes
**Priority:** MEDIUM - Feature completeness

---

## 💻 VPS Commands (Needs SSH Access)

### 1. **Increase Photo Upload Limit to 10MB**
**What:** Phone photos are 3-5MB, current 2MB limit causes upload failures.
**Why it matters:** Worker signup/profile updates fail silently.
**Steps:**
1. Already handled by creating `avatars` bucket with 10MB limit (above)
2. **Additional:** Check any client-side validation in code (CC VPS will handle)
**Time:** Included in bucket creation
**Priority:** MEDIUM - User experience

### 2. **Verify Git History is Clean**
**What:** CC VPS audit found .env.local was never committed, but good to verify.
**Why it matters:** Ensure no secrets were accidentally exposed.
**Steps:**
```bash
ssh root@134.199.153.159
cd /home/ccuser/the-50-dollar-app
git log --all --full-history -- .env.local
# Should show no commits
```
**Time:** 1 minute
**Priority:** LOW - Verification only

### 3. **Check App Health & Logs**
**What:** Verify app is running smoothly after changes.
**Why it matters:** Catch any issues from configuration changes.
**Steps:**
```bash
ssh root@134.199.153.159
systemctl status rateright-app
journalctl -u rateright-app -n 50 --no-pager
curl -f http://localhost:3000/api/health
```
**Time:** 2 minutes
**Priority:** LOW - Verification

---

## 🎯 Strategic Decisions (Needs Discussion)

### 1. **Email Functionality Strategy**
**What:** RESEND_API_KEY present but no email sending code found.
**Options:**
- A: Implement onboarding emails using Resend
- B: Rely solely on Supabase auth emails
- C: Build custom email sequences for user engagement
**Why it matters:** User onboarding and retention.
**Discussion needed:** Which email strategy aligns with product roadmap?

### 2. **Rate Limiting Implementation Approach**
**What:** Choose between Upstash Redis (recommended) vs other solutions.
**Options:**
- A: Upstash Redis (free tier → $180/month at 10K users)
- B: Vercel KV (deprecated, not recommended)
- C: Cloudflare Workers (requires platform change)
- D: Arcjet (serverless-first, $20+/month)
**Why it matters:** Scalability and cost at different user levels.
**Discussion needed:** Confirm Upstash Redis approach.

### 3. **Console.log Cleanup Priority**
**What:** 87 console.log statements across 44 files expose internal logic.
**Options:**
- A: Immediate cleanup (security/privacy)
- B: Post-launch cleanup
- C: Implement proper logging library (winston/pino)
**Why it matters:** Security + professional codebase.
**Discussion needed:** Timing and approach.

### 4. **Messaging API Hire Verification**
**What:** `/api/messages/start` doesn't verify payment status → $50 fee bypass possible.
**Options:**
- A: CC VPS implements fix (adds hire verification check)
- B: Manual review of implementation approach
**Why it matters:** Revenue protection.
**Discussion needed:** Confirm CC VPS should implement.

---

## 📋 Summary by Priority

### **DO NOW (Under 10 minutes total):**
1. STRIPE_WEBHOOK_SECRET (3 min) - **PAYMENTS BROKEN**
2. Fix .next/ ownership (1 min) - **BUILDS BROKEN**
3. Create Supabase avatars bucket (2 min)
4. Update health check cron (2 min)

### **DO TODAY:**
5. Set up Upstash Redis (5 min)
6. Run pending migrations (15 min)
7. Rotate Supabase service key (3 min)

### **DISCUSS:**
8. Email functionality strategy
9. Console.log cleanup priority
10. Rate limiting confirmation

---

## 🔗 Quick Reference Links

**Stripe Webhook:** https://dashboard.stripe.com/webhooks
**Supabase Dashboard:** https://supabase.com/dashboard
**Upstash Redis:** https://console.upstash.com
**VPS SSH:** `ssh root@134.199.153.159`
**App Directory:** `/home/ccuser/the-50-dollar-app`
**Env File:** `/home/ccuser/the-50-dollar-app/.env.local`
**Restart Command:** `systemctl restart rateright-app`
**Status Check:** `systemctl status rateright-app`

---

## 📝 Notes

- **All code changes** go through Claude Code (not Kimi agents)
- **Supabase service key** gives full DB access - can run migrations without Michael
- **Git history is clean** - .env.local was never committed (verified)
- **Payment flow is Option A** - charge at hire confirmation (documented)

*Knock out the Quick Wins first - they're under 10 minutes total and fix critical issues.*