Master Build Sequence
NowPage Infrastructure & Features — Feb 21, 2026 — 4 Sprints, 30 Items
Already Completed (This Session)

|   | ID | Item | Status |
| --- | --- | --- | --- |
| ✓ | C1 | Auth defaults — logged warnings, TODO markers for vault migration | DONE |
| ✓ | C2 | JSON parse catch — returns correct match group in updateRegistryMetadata | DONE |
| ✓ | C3 | Null domain guard — update-registry returns 404 instead of crash | DONE |
| ✓ | C4 | URL regex escaping — already escaped in existing code, verified | DONE |
| ✓ | H3 | Domain .maybeSingle() — explicit 404 on not-found | DONE |
| ✓ | H6 | Domain access short-circuit — returns 404 instead of falling through | DONE |
| ✓ | M6 | Empty tag filter — .filter(Boolean) on tag splitting | DONE |

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 1 | H1 | Stat counter regex — match class names regardless of order in core.ts:99-100 | RALPH | 15m |
| 2 | H4 | Tag retry infinite loop — add max 5 retries in hc-publish.js:~446 | RALPH | 15m |
| 3 | H5 | Day streak year boundary — fix date diff in update-registry:732-748 | RALPH | 20m |
| 4 | M1 | Dashboard injection — inject both blockers AND actions in core.ts:~158 | RALPH | 30m |
| 5 | M2 | Metadata dedup — dedup entries in hc-metadata JSON, not just HTML markers | RALPH | 30m |
| 6 | M3 | Registry type fallback — prevent cross-type registration in core.ts:564-587 | RALPH | 20m |
| 7 | M4 | .env parser — handle = and quotes in values in hc-publish.js:~43 | RALPH | 15m |
| 8 | M5 | SSRF protection — block internal IPs/localhost in webhook URLs in webhooks/fire.ts | RALPH | 30m |
| 9 | M7 | null expires_at — guard against Date(null) epoch in api-key.ts:41 | RALPH | 10m |
| 10 | H2 | Concurrent publish versioning — atomic version increment in core.ts:490-505 | RALPH | 30m |

⚠ PAUSE GATE 1: Run full test suite (test-publish-api.js + test-mcp.py). Commit + push. Jason: verify live pages still render correctly.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 11 | F5a | Auth middleware — Next.js middleware that checks session/token on protected routes. Uses credential-vault.ts stubs. | RALPH | 2h |
| 12 | F5b | Agent auth upgrade — Replace name-based password in registry-agent route with authenticateUser() from vault stubs | RALPH | 1h |

⚠ PAUSE GATE 2: Jason: Test that chat agent still works with existing password flow (stubs return same result). Verify Forge VPS publish still works.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 13 | F8a | Bot allowlist middleware — Check bot tokens via validateBotToken(). Whitelist Forge VPS. Block unknown bots on API routes. | RALPH | 1.5h |
| 14 | F8b | robots.txt + bot detection — Dynamic robots.txt in app/robots.ts. Block scrapers. Allow approved bots. | RALPH | 30m |

⚠ PAUSE GATE 3: Jason: Set FORGE_BOT_TOKEN env var on Vercel + Forge VPS. Test Forge publish still works through bot allowlist.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 15 | F7a | Page visibility field — Add visibility column to pages table (public, team, private). Default public. Requires Supabase SQL migration (Jason runs in SQL editor). | JASON | 15m |
| 16 | F7b | Serve route auth gate — Check visibility in app/serve/ route. Public pages served normally. Team/private pages require auth. | RALPH | 1.5h |

⚠ PAUSE GATE 4: Full test suite. Commit. Jason: Verify all 116 existing pages still accessible (all default to public). Test setting one page to team visibility.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 17 | F3 | Template organization — Add metadata (category, description, preview) to each template. Search/filter API endpoint. | RALPH | 2h |
| 18 | F4 | Folder cleanup — Auto-folder by registry, orphan detection script, bulk re-organize endpoint. | RALPH | 1.5h |
| 19 | F6 | BYOK — Accept user API key in chat request. Route passes user key to provider, falls back to ours. Token count in response. | RALPH | 1h |
| 20 | F2 | Notification system — Webhook-based Slack/email notifications on publish events. Recipient config in DB. | RALPH | 2h |

⚠ PAUSE GATE 5: Jason: Set Slack webhook URL in Vercel env. Test notification fires on publish. Review folder re-organization results before committing.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 21 | F9 | Notification routing — Recipient groups, registry-to-recipient mapping, per-build override. | RALPH | 1.5h |
| 22 | F1a | Template selector UI — Dashboard page: browse templates by category, preview, select. Uses F3 template metadata. | RALPH | 3h |
| 23 | F1b | Content editor — Form-based content input for each template section. HC metadata auto-generated. Live preview pane. | RALPH | 5h |

⚠ PAUSE GATE 6: Jason: Review builder UX. Test creating a page from scratch. Check generated HTML quality matches CLI output.

| # | ID | Item | Owner | Est. |
| --- | --- | --- | --- | --- |
| 24 | F1c | Registry picker + publish flow — Select domain, folder, registry, tags. One-click publish. Post-publish: open live URL + notify. | RALPH | 3h |
| 25 | F1d | Design standards library — Saved color palettes, font stacks, layout presets. Apply to any template. Ties to F3 metadata. | RALPH | 4h |

⚠ PAUSE GATE 7: Full regression test. Jason: Publish 3 real pages via GUI builder. Compare quality to CLI-published pages. Ship or iterate.

Blocked on External Dependencies

| # | Item | Blocked By | When Unblocked |
| --- | --- | --- | --- |
| F5c | Replace vault stubs with real API calls | SUMIT Credential vault API ready | Swap credential-vault.ts functions, set CREDENTIAL_VAULT_URL env var |
| C1-final | Flip auth to deny-by-default | SUMIT Vault migrates existing keys with explicit scopes | Remove TODO(credential-vault) markers, flip return true to return false |
| F5d | OAuth UI (login page, token refresh) | SUMIT Vault OAuth flow spec | Build login page, redirect flow, token storage |

Ralph Loop Execution Rules

| Rule | Details |
| --- | --- |
| Commit cadence | Commit after every 2-3 items or at every PAUSE gate, whichever comes first |
| Branch strategy | Each sprint on feat/sprint-N branch. Merge to main at PAUSE gates after Jason approval. |
| Test requirement | Run npx tsc --noEmit after every item. Run full test suite at PAUSE gates. |
| Backup | Before any core.ts or update-registry changes, git commit the previous state first. |
| Rollback | If tests fail at a PAUSE gate, git revert back to last green commit. Don't debug in the loop. |
| SUMIT items | Skip and log as blocker. Move to next independent item. Don't stub beyond what's already in credential-vault.ts. |
| Context window | For big items (F1b, F1d), use sonnet agent. For bug fixes, haiku is fine. |
Dependency Graph (Simplified)

Sprint 1 (Bugs)             Sprint 2 (Auth)       Sprint 3 (QoL)            Sprint 4 (Builder)
─────────────────           ─────────────────     ─────────────────         ─────────────────
H1 H4 H5 ─────┐             F5a ──── F5b          F3 ─────────┐             F1a ─── F1b
M1 M2 M3      │              │                    F4          │              │
M4 M5 M7      ├── GATE 1 ── F8a ── F8b            F6          ├── GATE 5     ├── GATE 6
H2 ───────────┘              │                    F2          │             F1c ─── F1d
                            GATE 2 ── GATE 3      F9 ─────────┘              │
                             │                                              GATE 7 ── SHIP
                            F7a (JASON SQL)
                             │
                            F7b ── GATE 4

[SUMIT VAULT] ──── F5c, F5d, C1-final (unblocked when ready)