Master Build Sequence

NowPage Infrastructure & Features — Feb 21, 2026 — 4 Sprints, 30 Items
7 COMPLETED • 10 BUG FIXES LEFT • 9 FEATURES • 4 SPRINTS

Already Completed (This Session)

C1 | Auth defaults — logged warnings, TODO markers for vault migration | DONE
C2 | JSON parse catch — returns correct match group in updateRegistryMetadata | DONE
C3 | Null domain guard — update-registry returns 404 instead of crash | DONE
C4 | URL regex escaping — already escaped in existing code, verified | DONE
H3 | Domain .maybeSingle() — explicit 404 on not-found | DONE
H6 | Domain access short-circuit — returns 404 instead of falling through | DONE
M6 | Empty tag filter — .filter(Boolean) on tag splitting | DONE

Sprint 1 — Bug Sweep & Pipeline Hardening

10 items • ~4 hours Ralph time • 1 Jason pause gate • Goal: zero known bugs
1 | H1 | Stat counter regex — match class names regardless of order in core.ts:99-100 | RALPH | 15m
2 | H4 | Tag retry infinite loop — add max 5 retries in hc-publish.js:~446 | RALPH | 15m
3 | H5 | Day streak year boundary — fix date diff in update-registry:732-748 | RALPH | 20m
4 | M1 | Dashboard injection — inject both blockers AND actions in core.ts:~158 | RALPH | 30m
5 | M2 | Metadata dedup — dedup entries in hc-metadata JSON, not just HTML markers | RALPH | 30m
6 | M3 | Registry type fallback — prevent cross-type registration in core.ts:564-587 | RALPH | 20m
7 | M4 | .env parser — handle = and quotes in values in hc-publish.js:~43 | RALPH | 15m
8 | M5 | SSRF protection — block internal IPs/localhost in webhook URLs in webhooks/fire.ts | RALPH | 30m
9 | M7 | null expires_at — guard against Date(null) epoch in api-key.ts:41 | RALPH | 10m
10 | H2 | Concurrent publish versioning — atomic version increment in core.ts:490-505 | RALPH | 30m
PAUSE GATE 1: Run full test suite (test-publish-api.js + test-mcp.py). Commit + push. Jason: verify live pages still render correctly.

Sprint 2 — Auth Middleware & Access Control

6 items • ~8 hours Ralph time • 3 Jason pause gates • Goal: auth skeleton wired to vault stubs
11 | F5a | Auth middleware — Next.js middleware that checks session/token on protected routes. Uses credential-vault.ts stubs. | RALPH | 2h
12 | F5b | Agent auth upgrade — Replace name-based password in registry-agent route with authenticateUser() from vault stubs | RALPH | 1h
PAUSE GATE 2: Jason: Test that chat agent still works with existing password flow (stubs return same result). Verify Forge VPS publish still works.
13 | F8a | Bot allowlist middleware — Check bot tokens via validateBotToken(). Whitelist Forge VPS. Block unknown bots on API routes. | RALPH | 1.5h
14 | F8b | robots.txt + bot detection — Dynamic robots.txt in app/robots.ts. Block scrapers. Allow approved bots. | RALPH | 30m
PAUSE GATE 3: Jason: Set FORGE_BOT_TOKEN env var on Vercel + Forge VPS. Test Forge publish still works through bot allowlist.
15 | F7a | Page visibility field — Add visibility column to pages table (public | team | private). Default public. | JASON | 15m
↑ Requires Supabase SQL migration (Jason runs in SQL editor)
16 | F7b | Serve route auth gate — Check visibility in app/serve/ route. Public pages served normally. Team/private pages require auth. | RALPH | 1.5h
PAUSE GATE 4: Full test suite. Commit. Jason: Verify all 116 existing pages still accessible (all default to public). Test setting one page to team visibility.

Sprint 3 — Quality of Life & Templates

5 items • ~6 hours Ralph time • 1 Jason pause gate • Goal: templates organized, notifications wired, BYOK ready
17 | F3 | Template organization — Add metadata (category, description, preview) to each template. Search/filter API endpoint. | RALPH | 2h
18 | F4 | Folder cleanup — Auto-folder by registry, orphan detection script, bulk re-organize endpoint. | RALPH | 1.5h
19 | F6 | BYOK — Accept user API key in chat request. Route passes user key to provider, falls back to ours. Token count in response. | RALPH | 1h
20 | F2 | Notification system — Webhook-based Slack/email notifications on publish events. Recipient config in DB. | RALPH | 2h
PAUSE GATE 5: Jason: Set Slack webhook URL in Vercel env. Test notification fires on publish. Review folder re-organization results before committing.
21 | F9 | Notification routing — Recipient groups, registry-to-recipient mapping, per-build override. | RALPH | 1.5h

Sprint 4 — GUI Page Builder

4 items • ~16 hours Ralph time • 2 Jason pause gates • Goal: publish pages from dashboard without CLI
22 | F1a | Template selector UI — Dashboard page: browse templates by category, preview, select. Uses F3 template metadata. | RALPH | 3h
23 | F1b | Content editor — Form-based content input for each template section. HC metadata auto-generated. Live preview pane. | RALPH | 5h
PAUSE GATE 6: Jason: Review builder UX. Test creating a page from scratch. Check generated HTML quality matches CLI output.
24 | F1c | Registry picker + publish flow — Select domain, folder, registry, tags. One-click publish. Post-publish: open live URL + notify. | RALPH | 3h
25 | F1d | Design standards library — Saved color palettes, font stacks, layout presets. Apply to any template. Ties to F3 metadata. | RALPH | 4h
PAUSE GATE 7: Full regression test. Jason: Publish 3 real pages via GUI builder. Compare quality to CLI-published pages. Ship or iterate.

Blocked on External Dependencies

# | Item | Blocked By | When Unblocked
F5c | Replace vault stubs with real API calls | SUMIT Credential vault API ready | Swap credential-vault.ts functions, set CREDENTIAL_VAULT_URL env var
C1-final | Flip auth to deny-by-default | SUMIT Vault migrates existing keys with explicit scopes | Remove TODO(credential-vault) markers, flip return true to return false
F5d | OAuth UI (login page, token refresh) | SUMIT Vault OAuth flow spec | Build login page, redirect flow, token storage

Ralph Loop Execution Rules

Rule | Details
Commit cadence | Commit after every 2-3 items or at every PAUSE gate, whichever comes first
Branch strategy | Each sprint on feat/sprint-N branch. Merge to main at PAUSE gates after Jason approval.
Test requirement | Run npx tsc --noEmit after every item. Run full test suite at PAUSE gates.
Backup | Before any core.ts or update-registry changes, git commit the previous state first.
Rollback | If tests fail at a PAUSE gate, git revert back to last green commit. Don't debug in the loop.
SUMIT items | Skip and log as blocker. Move to next independent item. Don't stub beyond what's already in credential-vault.ts.
Context window | For big items (F1b, F1d), use sonnet agent. For bug fixes, haiku is fine.

Dependency Graph (Simplified)


Sprint 1 (Bugs)          Sprint 2 (Auth)           Sprint 3 (QoL)         Sprint 4 (Builder)
─────────────────        ─────────────────         ─────────────────      ─────────────────
H1 H4 H5 ─────┐         F5a ──── F5b              F3 ─────────┐         F1a ─── F1b
M1 M2 M3      │              │                     F4          │              │
M4 M5 M7      ├── GATE 1 ── F8a ── F8b             F6          ├── GATE 5    ├── GATE 6
H2 ────────────┘              │                     F2          │         F1c ─── F1d
                         GATE 2 ── GATE 3           F9 ─────────┘              │
                              │                                           GATE 7 ── SHIP
                         F7a (JASON SQL)
                              │
                         F7b ── GATE 4

                    [SUMIT VAULT] ──── F5c, F5d, C1-final (unblocked when ready)

Related Resources

Resource | URL
Issue Tracker / PRD | ideas.asapai.net/nowpage-issue-tracker-2026-02-20
HC Page Agent Architecture | ideas.asapai.net/hc-page-agent-architecture
Credential Vault Placeholder | lib/auth/credential-vault.ts
Agent Tools | lib/agent/tools.ts + lib/agent/page-fetcher.ts
Registry Agent Route | app/api/hc/registry-agent/route.ts