StampReady — active brief

2026-06-04 — iOS v2.0.2 LIVE ON THE APP STORE. Approved 04:27 UTC (submission 6e288529-f935-4da1-963a-a990e76003e8, build #485), distributed and actively available. Devin confirmed. FREE forever (PAID_ENABLED=false, MCQ-only via mcq_vetted_pool, 25 disciplines, ~5,460 Qs). Marketing rule still holds: lead with paid web ($29/mo · $100/4mo · FIRST100); iOS is top-of-funnel, never the headline (memory: feedback_sr_funnel_not_just_ios.md). Decision logged: decisions/2026-06-04-sr-ios-live.md.

2026-06-03 end-of-day handoff → see HANDOFF-2026-06-03.md. TL;DR: TikTok cut v2.0 APPROVED by Devin ("looks fucking awesome") — paid_web_v2.0.mp4 (24.5s, build_tiktok_v6.py, VO paid-web-v2-raw.m4a 22.6s, 4 zoom punches at source markers ½/5/16, source 1.5x, CTA card synced to "FIRST100" beat). Then Devin sent a new screen rec (mobile, sign-in→file-picker→upload→answer cantilever-beam Q) and asked for v2.1: crop after source 35s, max 1.2x speedup, splash at end. v2.1 shipped (paid_web_v2.1.mp4 34.7s, build_tiktok_v7.py, no zooms — source IS the demo), awaiting Devin verdict. Mobile landing→app routing bug also FIXED + DEPLOYED 2026-06-03 (commit 3c1debf): post-login router was calling goPanel('signup') for /app.html#signup CTAs → blank app shell. Fix whitelists 8 real panel ids, falls through to dashboard.

Prior handoff (2026-06-02): TikTok v1.x iteration history, ASC v2.0.2 submission — see HANDOFF-2026-06-02.md.

Read first. Source of truth for "what is StampReady right now." Reference, don't duplicate. Cross-refs: projects/stampready.yaml (config), C:\Users\devin\StampReady\CLAUDE.md (legacy project memory), ~/.claude/projects/.../memory/ (cross-session memory), decisions/.

Canonical rule: CLAUDE.md is legacy project memory; active/stampready.md is current operating truth where explicitly marked. When a line here flags a CLAUDE.md statement as stale, this brief wins. Sections tagged (memory) come from cross-session memory and are not addressed by CLAUDE.md — trust but verify if stakes are high.

Product map — READ FIRST for any marketing / copy / video / ad work

StampReady is ONE brand with TWO products. They are NOT the same product. They have different features, different pricing, different audiences.

Surface	Web (stampready.app)	iOS app
Status	LIVE since 2026-05-23	v2.0.2 submitted to Apple 2026-06-01, awaiting review
Pricing	PAID — $29/mo or $100 for 4-month pass · promo FIRST100 (100% off, 1 month, cap 100)	FREE forever (Apple submission constraint)
Role in funnel	Revenue product — this is the offer	Top-of-funnel — try-before-you-commit
Question bank	Full bank: 12,798 approved Qs across PE Civil (5 depths), FE Civil (14 sections), PE non-Civil, FE non-Civil	MCQ-only, ~5,460 vetted Qs via mcq_vetted_pool DB view (25 disciplines)
NCEES-native AITs (drag/drop, point-click, fill-blank)	YES — 6,208 AIT items	NO
Upload your own PDFs / study materials	YES — IndexedDB persistence, client-side only (the differentiator)	NO
Reference panel + resource directory	YES	NO
Study Room (Realtime + Jitsi)	YES	NO
Scratch pad / calculator	YES	NO
Per-question explanations	YES	YES (subset of MCQs)
Feedback / Report-a-question	YES	YES
Stripe surfaces	YES (checkout, Pro tier, manage subscription)	NO — zero payment surfaces
Marketing copy allowed	"PE & FE exam prep, built by a licensed engineer," $29 vs $400 PPI/Kaplan framing, FIRST100, bring-your-own-PDFs, NCEES-native AITs	NO "NCEES-style" · NO "Full-length" · NO Pearson VUE name-drops · NO web-upsell · NO PE-license input · NO TBPE #
Visual destination in posts	stampready.app	App Store (only when post topic IS the iOS launch)

Marketing rules that fall out of this: - Default visual + verbal CTA = stampready.app (the paid web). Never lead with "Free on iOS" — that nukes the revenue product. See memory feedback_sr_funnel_not_just_ios.md. - "Free to try on iOS" is a near-close softener, not the headline. Use only after the web offer has landed. - Never describe iOS features that don't exist on iOS (no AITs, no upload-PDFs, no scratch pad). The iOS surface is intentionally feature-stripped — never imply parity. - Never describe web with iOS constraints (don't say "MCQ-only," "no Stripe," "no Pearson VUE-style" about the web — those are iOS-app sandbox rules, not the actual web product). - One exception to the "lead with web" rule: posts whose explicit topic IS the iOS launch announcement itself.

If you're drafting copy and find yourself blending features across the two surfaces, STOP and consult this table.

Current state (per CLAUDE.md)

• Live in production: stampready.app v3.0 / build 2026.05 on Cloudflare Workers (not GitHub Pages). HEAD: b311747 ([MARKET] LinkedIn launch: mark POSTED 2026-05-26). Paid surface (Stripe) LIVE on web since 2026-05-23.
• iOS app: ASC v2.0.2 RESUBMITTED 2026-06-02 15:13 UTC after a Guideline 2.3.7 rejection that morning. First submission 41a1c40f rejected 12:25 UTC for "Free practice for engineers" subtitle. Metadata-only fix (same build #485): subtitle → Built by a licensed P.E., deleted FREE TO USE description block, swapped PRIVACY + QUALITY — No ads. No data sales. → PRIVACY — Anonymous product analytics., dropped We read every message., stripped "free" from promotionalText. New reviewSubmission 6e288529-f935-4da1-963a-a990e76003e8, version state WAITING_FOR_REVIEW. Lint deliverables shipped (scripts/asc_metadata_lint.py + DOCS-asc_metadata_lint_v1.0_2026-06-02.md + LEGAL-asc_metadata_contractual_review_v1.0_2026-06-02.md) to prevent recurrence — last lint run 0 BLOCK / 0 WARN. reviewSubmission 41a1c40f. Build #485, full audit-payload sanitization pass completed pre-submit (see memory project_sr_ios_2_0_2_handoff.md). Earlier "staged + READY FOR SUBMIT" — un-paused per Devin's "complete the app submission" directive. Build #485 (commit dcf22dc, Codemagic 6a1df4cc4621ccbc019be30b, IPA uploaded 14:16 UTC) attached to ASC version 50d31c6a-4dcf-4bc8-a3c9-5feb8d42cd7b in state PREPARE_FOR_SUBMISSION. Apple still owes Devin one click — Submit for Review. Reviewer creds: [email protected] / StampReadyAppleReview2026! (verified via prod Supabase auth, persisted in ASC appStoreReviewDetail). 5 screenshots 1320×2868 RGB attached, all assetDeliveryState=COMPLETE. Native-mode constraints shipped through commit series fa17aff→aa23f1e→f11ce51→6037530→dcf22dc: FREE (PAID_ENABLED=false, no Stripe surfaces), MCQ-only (via mcq_vetted_pool DB view, mig 028, ~5,460 vetted MCQs across 25 disciplines), no scratch pad, no PE-license input, no Pearson VUE name-drops, no "Full-length"/"NCEES-style" copy, no "Free preview / get full bank on web" upsell, no TBPE #124920 license leak. Audit spec at tests/e2e/native-audit.spec.ts is 30/30 green across chromium + mobile-safari + mobile-chrome — runs full DOM-text scan against 8 banned patterns on every reachable surface (auth, signup, dashboard, simulator, diagnostic, checklist PE+FE, profile, avatar menu) + 0 console errors + 0 4xx/5xx network. Re-run anytime: npx playwright test tests/e2e/native-audit.spec.ts.
• Android app: AAB workflow ready in codemagic.yaml, not yet triggered. (Hold likely applies here too — verify with Devin before triggering.)
• Features live:
• Feedback — Supabase-backed, RLS enabled, rate-limited, hardened (migrations 003-009)
• GetHired — HIDDEN (per Devin 2026-05-23). Backend exists (BACKEND.gethired = true, 004_gethired.sql ran Apr 8, 2026) but feature is gated off in UI. Flagged as a potential growth opportunity — revisit when bandwidth allows. StampReady/CLAUDE.md says "GetHired: Live" — that line is stale; trust this brief over CLAUDE.md until Devin updates it.
• Study Room — collab.js + Supabase Realtime + Jitsi Meet video; Report/Block moderation
• Sentry — stampready-web project live at stampready.sentry.io, capturing JS errors
• Email infra: SPF + DMARC + DKIM all LIVE on stampready.app, stampready.org, kindredpics.com (verified 2026-05-28 via DNS). DMARC p=quarantine everywhere (CF audit 5/28).
• Domains: 4 zones consolidated. stampready.app canonical; .org + 2 others redirect.
• i18n: 201 keys × 2 languages (EN/ES) at 100% parity; partial ZH/TL/VI/AR.
• (memory) Supabase Pro acquired 2026-04-25 ($25/mo). HIBP leaked-password re-enabled 2026-05-28 (had drifted to disabled). Customer MFA UI deferred.
• (memory) Advisor state: 15 WARNs, all intentional. No ERRORs.

Current priority (memory — CLAUDE.md doesn't address)

1. AI buildout (Apr 2026 phase). Build order: (1) security regression scanner [no API], (2) morning brief — KILLED 2026-05-28 (CF Worker daily-life-reply + KV daily-life-replies deleted; AWS EC2/EIP teardown pending Devin), (3) per-question explanations [paywall hook]. (4) problem tutor — KILLED 2026-05-24, do not reference in marketing or roadmap.
2. Question bank growth — pivot to FE Mechanical. Market-weighted: FE Mech = 3,356 fails/yr; FE was underweighted 10-30×, PE overweighted. Next waves: FE Mech + FE E&C.
3. Attribution rollout — UTM-tagged Reddit/X/LinkedIn URLs landed 2026-05-26. Devin to edit live Reddit body with UTM link. Next: re-query PostHog utm_source cohorts ~2026-06-02 for first attribution baseline. (Marketing-mode funnel check invoked 2026-05-27 morning but interrupted by compact — resume there.) 3a. Report-a-question button — SHIPPED (uncommitted) 2026-05-27. Adds "Report a problem with this question" link in simulator post-submission feedback. Pre-fills feedback table with question_id, family_id, discipline, topic, user's answer letter, marked-correct letter, category=content-wrong. Surfaces in admin feedback inbox. Files: js/simulator.js, js/actions.js, js/support.js. Test before commit. Goal: real user defect reports replace expensive bank-wide LLM verification at N=1 customer.
4. iOS + Android submission — both on hold per Devin 2026-05-23; no timeline.

Architecture (per CLAUDE.md)

• Vanilla JS SPA, no frameworks. Single-page index.html with all panels inline.
• Mobile-first CSS, min-width breakpoints only (480 / 768 / 1024 / 1280). Never use max-width.
• Supabase backend with dual-mode API (online + fallback).
• File naming: kebab-case for new files; legacy snake_case (e.g., questions_transport.js) grandfathered — don't rename without updating all references.
• See StampReady/ai_docs/architecture.md for full architecture.

Repo

• Root: C:\Users\devin\StampReady
• Single remote: origin (StampReady/stampready.git — push to deploy via Cloudflare Workers). Legacy enterprise remote (GSR_admin/stampready.git) removed 2026-05-27 evening — org didn't exist on github.com (404).
• Default branch: main.
• Service-account identity on origin commits: StampReady <[email protected]> (not Devin's personal email).
• Commit prefix areas (per CLAUDE.md): WEB, APP, DB, FIX, STYLE, INFRA, SEO, DOCS, LEGAL, SEC, TASK, BRAND, UX, FEAT.

Files to read first

• StampReady/CLAUDE.md — canonical project memory; overrides anything in FounderOS that conflicts
• StampReady/README.md — directory map
• StampReady/ai_docs/architecture.md — full architecture
• StampReady/RUNBOOK.md — operational state, kill-switch, backups
• StampReady/.claude/commands/ — 21 slash commands (key ones: /deploy, /debug, /supabase, /qa, /security, /research)
• StampReady/docs/QUESTION_BANK_STATE.md — current bank counts + generation rules
• StampReady/docs/QC_QA_PLAN.md — wave QC gate
• StampReady/docs/vendor-references/ — consult before any vendor-dashboard prompt
• StampReady/scripts/generate_waves_batch.py — canonical wave generator (Batch API + Haiku 4.5)
• StampReady/scripts/sync_rebalance_to_db.py — PostgREST PATCH loop for bulk updates
• StampReady/scripts/verify_ui.py — headless Chromium smoke check
• projects/stampready.yaml — repo identity, env vars, paywall policy

Memory pointers (load on demand)

• project_session_2026-04-25_to_27.md — security hardening + go-live
• project_overnight_audit_2026-05-07.md — D: drive missing, organic users baseline
• project_credential_rotation_2026-05-07.md — 5 of 14 rotated; tracker at ~/rotation-2026-05-07.md
• project_question_bank.md + project_question_bank_growth_priority_2026-04-21.md + project_sprint_direction_2026-04-21.md
• project_ai_buildout_2026-04.md + project_ai_paywall_policy.md
• project_security_review_2026-04-25.md — external peer review; BFF scheduled post-launch wk 4-6
• project_apple_launch_strategy.md + project_testflight_readiness_2026-04-20.md

Do NOT

From CLAUDE.md: - Don't hardcode credentials in any file. - Don't use max-width media queries — mobile-first only (min-width). - Don't skip cache version bump on deploy (?v=X on all scripts + sw.js version must match). - Don't delete files — archive instead. - Don't push without syntax-checking all JS files (node -c <file>).

From memory: - Don't recommend Stripe — App Store IAP policy blocks digital goods; use Apple IAP / Play Billing / Paddle / LemonSqueezy. - Don't generate waves via Claude Code subagents — use scripts/generate_waves_batch.py (Batch API, ~13× cheaper). - Don't re-run safe_wave_insert on the same JSON without dedup — not idempotent (nearly shipped 390 dup Qs 2026-04-23). - Don't send default Python User-Agent to api.supabase.com — it 403s. Always custom UA. - Don't paywall explain-question — free at launch. Tutor / morning-brief killed; security-scan = paywalled day one. - Don't skip the Apple reviewer creds pre-flight before any TestFlight submit (password drift nearly caused 2.1 rejection 2026-05-08). - Don't touch ~/.claude-litigation-hold or run ~/scripts/rotate_claude_logs.sh — litigation hold still active.

i18n discipline

Every user-facing string needs data-i18n or t(). EN/ES at 100% parity (201 keys); ZH/TL/VI/AR partial. Don't introduce a string without a key.

Last handoff

Session 2026-05-24 — pre-launch buttoning + launch deploys: - Smoke suite ran clean against prod: 57/57 (chromium + mobile-safari + mobile-chrome). Covers RLS boundary (8 tests × 3 surfaces), auth card, reference viewer, landing/pricing visual baseline, CSP headers. - Founder headshot added: assets/marketing/founder-headshot.jpg wired into index.html "Built by an engineer" 4:5 portrait box. Commit 616bca6. - FE Reference Handbook 404 fixed (account.ncees.org/exam-prep/fe-reference-handbook → /exam-prep) in data/config/data.js:290. Same commit. - Follow-up sweep: 5 more sibling NCEES exam-prep/<subpath> 404s in data.js (PE Civil + FE marketplace listings + 3 state-checklist tasks) all collapsed to /exam-prep. Commit 78eb017. - Cache busts: data.js?v=56→58, sw.js v165→v167 across the 2 commits. - Edge function create-checkout-session success_url + cancel_url repointed from stampready.app/ → stampready.app/app (otherwise paid customers landed on marketing copy; pricing.js only loads on /app, so the toast + refreshTier() never fired). Source commit 686c1ab; live deployed via Supabase MCP as version 7. - Test profile for paid-tier verification: [email protected] user created with subscriptions row source='manual_grant', tier='pro', expires_at=2027-12-31. Creds in StampReady/.env as SR_TEST_EMAIL/SR_TEST_PASSWORD (gitignored). Designed for ongoing chrome-devtools MCP smoke runs. - Paid surface walkthrough verified via test profile: current_user_tier()='pro', pricing screen renders "Pro — active · Manage subscription" (no Upgrade CTA), 0 console errors, all network 200. - Stripe FIRST100 promo verified working in real checkout (no decrement-restoration needed per Devin). - Launch posts drafted for Reddit / X / LinkedIn. LinkedIn business page setup notes provided (existing footer link linkedin.com/company/stamp-ready needs claim-or-create check). - Reddit post landed; 0 new signups in first 24h window (most recent organic signup pre-post at 2026-05-22 17:48 UTC). Raw traffic not yet measurable — CF token is deploy-only, no PostHog API key on file. CORRECTED 2026-05-26: This was wrong on a longer window. r/PE_Exam post drove 1,200 views over 48h (89% US, 5.4% Spain, 2.4% Canada) and 2 organic signups landed mobile-direct: [email protected] (2026-05-24 23:23 UTC) + [email protected] (2026-05-25 06:52 UTC). Both heavy sessions in PostHog (96 + 47 events) were mistakenly dismissed as internal testing. Neither converted to paid (no subscriptions row, no canceled checkout); not a failure path, just free-tier sitting.

Open from this session: - Generate CF token with Analytics: Read OR get PostHog Personal API Key, so traffic can be queried in-session. - Future test-user signups: check "Auto Confirm User" in Supabase Dashboard to skip email_confirmed_at SQL fix.

Session 2026-05-24 evening — brand v2/v3 + LinkedIn page: - Brand v2 seal promoted then refined to v3 two-seal split. Canonical state: FLAT (navy disk + gold ring + 3-star + laurel + SR) drives icon-{16,32,180,192,256,512}.png (favicon/PWA chrome); POLISHED (transparent embossed gold seal with CERTIFIED/STAMPREADY ribbons) drives icon-1024.png + seal-1024.png + seal-512.png + seal-linkedin-{300,400}.png. Gemini sparkles stripped from both source files. Originals preserved at assets/src/. Prior versions in assets/archive/v2-colored-2026-05-24/ + assets/archive/all-gold-only-2026-05-24/ for fast revert. Commits 36069fe, 407def6, 883f33e. - Founder headshot wired into landing "Built by an engineer" portrait box (assets/marketing/founder-headshot.jpg, commit 616bca6). - LinkedIn business page CREATED at linkedin.com/company/118303907/ (slug stamp-ready was 404 — numeric slug is canonical until LinkedIn propagates). Logo (seal-linkedin-400.png), tagline ("PE & FE exam prep, built by a licensed engineer"), description (443 chars), website, industry (E-Learning), size (2-10), type (Self-Employed), year (2026), 5 specialties (PE Exam Prep, FE Exam Prep, Engineering Licensure, CBT Simulator, Engineering Education) all live. Banner staged at assets/linkedin-banner-2512x416.png (Gemini-sourced, 6:1) — NOT uploaded, LinkedIn gates cover uploads behind Premium Page tier. Commit b8b4a02. - LinkedIn domain verification: located at /company/118303907/admin/settings/manage-domains — optional, email-based ownership check (no DNS TXT needed); skipped this session. - OG image revamp PENDING: new Gemini source (Downloads/Gemini_Generated_Image_vksq1tvksq1tvksq.png, 1424×748, 1.904 aspect) is staged but unsaved to assets. Says "Free on iOS" which is FALSE while iOS app is on hold — needs regeneration or text-strip before replacing assets/og-preview.png.

Open from this session: - OG image: regenerate without "Free on iOS" line, OR strip it in PIL, then replace assets/og-preview.png + update <meta property="og:image"> refs + cache-bust. - Resend transactional email templates may still carry old branding — audit. - Marketing screenshot deck in assets/marketing/ (01-04 PNGs) still v1 chrome. - LinkedIn URL slug stamp-ready still pending propagation — re-check in a few hours.

Session 2026-05-24 late — NCEES AIT v4 polish + question loader (NO COMMITS): - Polished all 16 NCEES AIT v4 graphics (assets/ncees_ait_graphics_v4/): targeted label-overlap fixes on graphics 01/02/03/05/06/07/08/10/11/12/13. Schema gate passes 16/16. Source: assets/ncees_ait_graphics_v4.py (uncommitted). - Wrote loader scripts/content-bank/build_ncees_ait_v4_questions.py — generates 82 questions (42 fill_blank + 25 point_click + 15 drag_drop) from the 16 sidecars. Coord transform px→pct + radius_pct=4. Output: data/questions/_seeded/ncees-ait-v4-2026-05-24-*.json (16 files). Assets copied to data/questions/_images/ait_v4/ (32 files, SVG+PNG). - Verified AIT engine is LIVE in prod (simulator.js renderAITBody; bank already serves 6,208 AIT items: 3,225 fill_blank + 2,588 drag_drop + 228 multi_correct + 167 point_click). - To insert: python scripts/content-bank/load_ait_to_supabase.py --glob "data/questions/_seeded/ncees-ait-v4-2026-05-24-*.json" --commit. Not yet run.

Bank quality audit (Supabase queries, not executed): - Total approved: 12,798. PE Civil disciplines = LARGEST + LOWEST quality (PE Transportation 13% verified, PE Construction 21%, PE Water 42%, PE Geotech 40%, PE Structural 34%). FE + PE non-Civil = HIGH quality (FE Ethics 97%, PE Chemical 93%, PE Mech HVAC 90%, FE Mechanical 75%). - Zero-QA cohort: 5,938 (~46%) have empty board_verdict AND no verification confidence. - Two cut options modeled: bottom 10% per discipline (1,291 rows) OR all zero-QA (5,938). Neither executed — would use status='retired' (reversible, precedent: 2,373 already retired). DEFERRED — pending decision.

Board session (2026-05-24, declined): Took the proposal (retire 5,938 + narrow landing to PE Civil + FE Mech) to the board. Devin declined the board's recommendations and called the session. No deliverable written. Three board-suggested tasks for future reference: (a) install PostHog/CF Analytics, (b) DM 5 Reddit-post viewers, © spot-check 30 zero-QA questions. Not adopted.

Session 2026-05-25 — X relaunch prep: - Tutor killed and recorded in canonical: decisions/2026-05-24-sr-tutor-killed.md; struck from active build-order and from yaml current_focus + paywall_policy. Do not reference "AI tutor" in any future marketing copy. - Pricing landed in canonical (yaml): $29/mo · $100 for 4-month pass. Active promo: FIRST100 (live in Stripe per Devin, %-off scope not documented). - Analytics access broken — both deploy-paths: CF token in .env returns 401; PostHog project key is wired on app.html:1009 but NOT on landing index.html → Reddit→landing traffic invisible. Humblytics keys still in .env but 0 code refs (legacy). Best proxy: auth.users query (4 signups total in 7d, no Reddit-correlated bump). - X handle: @getstampready (per app.html:973). - Brand assets staged in StampReady repo (UNCOMMITTED): - assets/marketing/x-header-1500x500.png — letterboxed v3 banner; seal cropped off source Gemini_Generated_Image_kht6yl...png (2512×416, x>600), navy bg #0D1E33, 280px left-clear zone for X profile pic - assets/seal-x-400.png + assets/seal-x-512.png — polished gold seal on navy fabric (downsampled from icon-1024.png) for X profile (transparent variant wasn't rendering well per Devin) - assets/marketing/founder-headshot.jpg — Gemini watermark scrubbed from bottom-right (40×42 patch at 749,953 → cloned from adjacent suit fabric) - Locked X post (single tweet — "third time's the charm" relaunch nod): uses $29/mo · $100/4mo · FIRST100, lead deltas = rebuilt bank + NCEES-native AITs + redesigned UI + every problem solved step by step, hashtags #PEExam #buildinpublic (2 max for X algo reach; swap candidates documented). - Visible drift in canonical at session start: yaml last_main_commit: b8b4a02 was 5 commits behind reality. Synced to actual HEAD a672128. Brief was missing tutor-killed + pricing — both backfilled this session.

Open from this session: - Decide whether to commit the staged StampReady assets above (clean, isolated diff: 3 new + 1 modified) — separate from the unrelated NCEES AIT v4 work still uncommitted in working tree. - Post the X tweet (waiting on Devin). - Observability provisioning (Devin action — instructions in projects/stampready.yaml observability_setup block): Stripe restricted read-only key, PostHog Personal API key + project ID, CF token rotation to add Analytics:Read. Delete legacy Humblytics env vars after. - Wire PostHog snippet into index.html so landing-page visitors are tracked (currently only /app is instrumented).

Session 2026-05-25 — X relaunch LIVE + observability provisioned + overnight monitoring armed:

POST 1 WENT LIVE: 2026-05-25 ~05:45 UTC (~00:45 CT) per Devin "X and twitter are live". Exact post copy below.

OG image — fully fixed this session: - Diagnosis: og-preview.png was 1.11 MB (over X's ~1 MB soft cap) → X composer showed broken-image placeholder, not stale cache. - Fix: re-exported as og-preview.jpg (147 KB, q=88 progressive JPEG, 1200×630, fresh filename). Commits 06e5068 (PNG cache-bust attempt, didn't solve the size issue) + 6b83628 (JPEG swap, solved it). - Verified via opengraph.xyz: X card preview renders the gold-seal/Built-by-a-Licensed-P.E. composition cleanly. - Minor open: Gemini ✧ watermark in bottom-right of OG white panel — scrub flagged but not yet executed.

Observability provisioning (NEW this session — Devin completed Stripe + PostHog, CF rotation deferred): - STRIPE_RESTRICTED_KEY in StampReady/.env line 23 (live mode rk_live_*). Scopes expanded 2026-05-30 for KP Phase 3 build: still has all original SR diagnostic reads (Customers, Subscriptions, Coupons, Promotion codes, Charges, Checkout Sessions) PLUS writes (Products, Prices, Checkout Sessions, Webhook Endpoints, Coupons) verified via probe. Cross-venture key — used by both SR diagnostics and KP scan-request creation; tag everything with metadata.brand=SR or brand=KP. Test-mode counterpart at line 24 as STRIPE_TEST_RESTRICTED_KEY (same scopes + a few extras). FIRST100 promo last verified active, times_redeemed=1 (Devin's own 5/23 self-purchase), max 100, no expiry — changing account info doesn't void coupons. - POSTHOG_PERSONAL_API_KEY + POSTHOG_PROJECT_ID=436509 in .env. Verified live — HogQL queries return data. Past 7d shows 3 unique on 5/23, 2 on 5/24, 1 on 5/25 — all internal testing on /app.html. - PostHog wired onto landing (index.html) in commit 594bb80 — Reddit/X click-throughs now captured. Was a critical gap (landing was invisible before this). - CF token still 401 — DEFERRED. Will rotate later. - Humblytics env vars marked for deletion (0 code refs, displaced).

Truth check (run this session, ugly but important): - Total pro subs = 5, all internal: 2 manual_grant test accounts + 1 web_stripe active (Devin self) + 2 web_stripe refunded (Devin's own Stripe test charges per 2026-05-26 clarification — NOT real customer churn). The 1 FIRST100 redemption is Devin's 5/23 self-purchase. Real external paid customers: still 0. Real external free signups: ~10 to date (5/7 burst + 5/24-25 from Reddit). - Tonight's post 1 is the first real-traffic test.

Brand assets staged in SR repo (still UNCOMMITTED — Devin chose to upload to X directly without committing): - assets/marketing/x-header-1500x500.png — letterboxed banner, 280px navy clear-zone on left for profile pic - assets/seal-x-400.png + seal-x-512.png — polished gold seal on navy fabric - assets/marketing/founder-headshot.jpg — modified, Gemini watermark scrubbed

Overnight monitoring (cron + baseline): - Baseline snapshot at active/overnight-baseline-2026-05-25.md (auth.users=25, pro_subs=5, FIRST100 redemptions=1, captured 2026-05-25 05:09:30 UTC). - Cron 635aa2bb scheduled 07:13 CT 2026-05-25 (replaced earlier f9b61cb8 to add Stripe + PostHog queries). Will produce deliverables/OPS-overnight_post_report_2026-05-25.md with full funnel: impressions → signups → checkout starts → paid → FIRST100 redemptions, plus hourly timing cluster + referrer breakdown. Session-only — may die if Claude Code closes overnight, but baseline file is durable so any future session can compute the delta manually. - The cron prompt has all credentials referenced by env-var name from .env, NOT inline.

Post 1 copy (LIVE):

Third time's the charm — rebuilt StampReady ground-up.

Sharper question bank. NCEES-native AITs (drag/drop, point-click, fill-blank). Redesigned UI. Every problem solved.

$29/mo · $100/4mo · code FIRST100
stampready.app

#PEExam #FEExam #NCEES #EIT

Post 2 (DRAFTED, ready for morning):

PE Civil warmup:

Cantilever, L=10 ft.
P=5 kip at the free end.
Max moment at fixed support?

Reply with your answer. Step-by-step at stampready.app

$29/mo · $100/4mo · FIRST100

#PEExam #FEExam #NCEES #EIT

Session 2026-05-26 — LinkedIn banner prep + launch post:

• Devin signed up for the LinkedIn Premium Page 1-month free trial to (he assumed) unlock cover upload. Research this session confirmed: Premium is NOT required for static cover image — only for dynamic/rotating slideshow covers. So the trial is unrelated to the upload failure he hit.
• Banner source: Devin generated a new Gemini banner from a prompt I drafted — Downloads/Gemini_Generated_Image_qvehcdqvehcdqveh.png (2544×416, 6.115:1, contained "PASS THE PE & FE." + "Built by a licensed engineer." + bridge schematic + gold SR seal + StampReady wordmark + "STAMPREADY.APP" small caps + Gemini ✦ sparkle in bottom-right).
• Processed via scripts/linkedin_banner_compose.py (NEW, UNCOMMITTED): pixel-scanned sparkle to source (2470-2500, 340-380), tight bbox (2450, 325, 2520, 395), median-color ring fill + 2px feather. Cropped to clean 6:1 (2496×416), composition scaled to 3351×558 (LinkedIn's 80% mobile safe-zone, 900/1128), centered on 4200×700 navy #0D1E33 canvas.
• Output (UNCOMMITTED): assets/marketing/linkedin-banner-4200x700.png (1.32 MB) + .jpg (205 KB) — both under LinkedIn's 3 MB cap.
• Upload FAILED: LinkedIn returned "Cover image upload failed. Please refresh the page and try again." Per LinkedIn's official troubleshooting (help/answer/a565194): try PNG instead of JPG (documented workaround), clear cookies + sign back in, try different browser, disable popup blocker. Devin to try PNG next.
• I spun 4 iterations on composition fit (52% → 80% → 52% → 80%) chasing what I misread as a crop-fit problem in the upload modal preview. Actual issue is upload-step failure, not composition. The upload modal preview shows a tighter crop than the saved banner and is misleading — should be ignored.
• LinkedIn launch post drafted (current canonical wording, never posted yet — waiting on banner): rebuilt ground-up, $29/mo · $100/4mo · FIRST100, NCEES-native AITs, 3 hashtags (#PEExam #FEExam #EngineeringLicensure).
• Existing displayed banner on the page (visible in Devin's screenshot — "STAMPREADY™" wordmark + drafting tools + blueprint pattern) — provenance unknown. Either uploaded in a prior session, or LinkedIn default. New upload will replace it.

Open from this session: - Devin to try PNG upload (assets/marketing/linkedin-banner-4200x700.png, 1.32 MB) after page refresh - If PNG also fails: cookies / browser swap / popup blocker per LinkedIn troubleshooting - Once banner uploads successfully, post the LinkedIn launch text - All session assets STILL UNCOMMITTED (compose script + 2 banner files) — separate from the unrelated NCEES AIT v4 work also uncommitted in working tree

Session 2026-05-26 — PostHog audit + signup discovery + UTM scheme: - 2 real organic signups had landed unnoticed. Queried PostHog (project 436509, HogQL via POSTHOG_PERSONAL_API_KEY) and auth.users + public.subscriptions jointly. Found: [email protected] (5/24 23:23 UTC, mobile-direct, 96-event session) and [email protected] (5/25 06:52 UTC, mobile-direct, 47-event session). Both correspond to heavy PostHog sessions I had earlier mis-flagged as internal testing. - Both are free-tier, no subscriptions row, no canceled checkout, no Stripe failure event. Not a silent-fail at the paywall — they signed up and didn't pursue Pro. - Source = Reddit r/PE_Exam post (per Devin's screenshot of Reddit Post Insights, 2026-05-26 ~13:39 CT): 1,200 views over 48h, +24/hr still ticking, 89.2% US / 5.4% Spain / 2.4% Canada. Mobile-direct PostHog referrer is consistent with Reddit mobile app stripping the referrer header. X click-throughs (2 desktop @ t.co/5fhKQX7rXC on 5/25 11:49+11:50) produced 0 conversions. - Attribution gap diagnosed: none of the live social posts use UTM tags, so PostHog can't distinguish Reddit-mobile from X-mobile from organic-mobile. - UTM scheme adopted (campaign tag shared across all 3 channels for HogQL aggregation): - Reddit: https://stampready.app/?utm_source=reddit&utm_medium=social&utm_campaign=launch&utm_content=pe_exam_post - X: https://stampready.app/?utm_source=x&utm_medium=social&utm_campaign=launch - LinkedIn: https://stampready.app/?utm_source=linkedin&utm_medium=social&utm_campaign=launch - LinkedIn launch deliverable created: deliverables/MARKET-linkedin_launch_v1.0_2026-05-26.md — canonical re-draft (prior draft lost to compaction), UTM baked in, posting checklist + reshare-from-personal note included. - Today's mobile bouncer (5/26 00:09 UTC) reached /app#signup and left without submitting. No auth log entries — confirmed not a silent fail, just a real bounce. Sample size 1, watch but don't act.

Open from this session: - Devin: edit the live r/PE_Exam post body, swap bare stampready.app link for the UTM'd Reddit URL above. Future clicks become attributable; the 1,200 views already accrued are unrecoverable for attribution. - Devin: when LinkedIn banner upload succeeds, use the LinkedIn URL above in the post (already baked into MARKET-linkedin_launch_v1.0_2026-05-26.md). - Future X posts: use the X URL above. The live tweet is uneditable (no X Premium). - After UTM rollout, set a 7d cadence to re-query PostHog properties.utm_source cohort vs signups vs paid — first real attribution baseline lands one week from UTM-Reddit edit.

Session 2026-05-26 — canonical reconciliation sweep:

Devin called out "why are you missing so much?" after I shipped a LinkedIn post built on stale canonical data. Root cause: I treated yaml + active.md as durable truth instead of as a cache that needs live verification. Six items were stale; all now patched:

Item	Stale value	Live truth	Action
question_bank.approved_count (yaml:132)	~2,212	12,798	Patched (commit d91a8e9 earlier this session)
last_main_commit (yaml:113)	a672128	923a56c	Patched this turn
version (yaml:49)	v2.7.6 / build 34	v3.0 / build 2026.05 (per index.html:1248)	Patched this turn
payments (yaml:38)	"Apple IAP / Google Play (NO Stripe)"	Stripe LIVE on web (5 subs, FIRST100 working) — IAP planned for mobile when un-paused	Patched this turn
paid_enabled (yaml:47)	false	true (Stripe + FIRST100 live since 5/23)	Patched this turn
CF token status (yaml:62, 102)	"401 / rotate / DEFERRED"	FIXED per Devin 2026-05-26	Patched this turn
Humblytics env (yaml:103-105)	"legacy_to_delete"	Kept alongside PostHog (parallel run) per Devin	Patched this turn
observability_setup.status (yaml:65)	PENDING	COMPLETE (Stripe + PostHog + CF all provisioned)	Patched this turn
current_focus[0] (yaml:108)	"need CF token / PostHog Personal API Key"	Both provisioned; new focus = attribution rollout	Patched this turn
"Zero external paying customers ever" (active.md:175)	wording implied churn	Refunds = Devin's own Stripe tests, not customers; 0 external paid is still accurate but the 2 refunds were misleading without the test-clarification	Patched this turn
QUESTION_BANK_STATE.md	2,176 (April snapshot)	12,798 / detailed PE+FE table	Patched this session (commit 923a56c)

Analytics snapshot (live, 2026-05-26): - PostHog 14d: 5/26=15ev/5u · 5/25=57ev/8u · 5/24=97ev/2u · 5/23=74ev/3u. Pre-5/23 invisible because PostHog wasn't on landing yet. - auth.users: 22 rows total. External non-test: ~10 (huss.anasmd, sssjram, tzm11, sujansubedy, auben.mitchell, nicholas.benadof, susanmrajesh, lindseylew10, banalaly, lindseydavidson1087). 5/7 had a 7-row spike (unclear source — pre-PostHog so traffic invisible). - public.subscriptions: 5 rows, all internal (2 manual_grant test, 1 web_stripe active = Devin self, 2 web_stripe refunded = Devin self-tests).

Pattern to fix going forward: any numeric or status claim used in user-facing output gets a live verification call first. Canonical = starting point, not the answer. Memory entry added: feedback_verify_before_citing_canonical.md.

Session 2026-05-26 — channels live + first qualified-lead feedback:

• LinkedIn launch POSTED (company page linkedin.com/company/stamp-ready) 2026-05-26 evening. v3.0 body shipped (12,000+ Qs · diagnostic · heatmap · free-to-try · UTM=linkedin). Banner deferred.
• Reddit r/FE_Exam post LIVE with UTM link. 162 views in first ~30 min (denser pace than r/PE_Exam's 1.2k/48h on the prior post). Devin's actual posted copy (canonical from now on):
• Hashtags: #PE #FE #Engineer #Engineering (different from my earlier #PEExam #FEExam #EngineeringLicensure suggestion — defer to Devin's choice)
• Pricing line: "$29/mo or $100 for a 4-month pass. No upsells."
• Promo line: "First 100 users free with code FIRST100" — confirms FIRST100 = 100% off, cap 100. Patched yaml line 144.
• First qualified-lead feedback (user ohkjon on r/FE_Exam post): cited 3 UX gaps vs the actual NCEES CBT — (1) reference handbook position (CBT puts it on the LEFT, StampReady does not), (2) UI color (CBT uses a specific dark-blue; PPI mirrors it), (3) keyword search feature/UI parity with CBT. Devin's reply: "deliberately avoided mirroring for legal reasons, but tried to retain core concepts. Plan to incorporate feedback to refine over coming weeks." — Good defensive framing; keep on future legal-mirroring questions.
• Competitor named: PPI (Kaplan-owned Professional Publications Inc). First time canonical has logged PPI as a referenced competitor on a public-facing channel.
• Product backlog candidates from this feedback (not committed yet):
• Reposition reference handbook panel to the left (most-cited CBT UX detail; low trademark risk for layout-only)
• Dark-blue UI option / color theme
• Keyword-search UX parity (lower priority — feature gap, not visual mimicry)
• Memory adds: reference_subreddits_devin.md (r/PE_Exam + r/FE_Exam confirmed live posting channels), project_ncees_cbt_ui_parity.md (recurring feedback theme — handbook position is the recurring complaint).

Session 2026-05-26 evening — FIRST EXTERNAL STRIPE ACTIVATION + promo retune:

• First external Stripe activation in StampReady history. User [email protected] (self-identified Jason Laxdon, TX student) came from reddit.com (UTM=reddit on the r/FE_Exam launch post), signed up, completed Stripe checkout with FIRST100 — Pro tier provisioned through 2026-09-26. Funnel works end-to-end. $0 charged (FIRST100 = 100% off), but full Pro provisioning verified.
• Funnel timing — landing → paid in 7m 36s: 16:11:13 UTC landed → 16:11:20 clicked to /app#signup → 16:12:26 signup created → 16:18:49 Stripe checkout completed → 16:19:01 first Pro sign-in.
• Attribution proven: UTM=reddit is the first verified Reddit→paid path in PostHog data — exactly what the UTM rollout was for.
• LinkedIn traffic also flowing: 16:41 UTC first utm=linkedin pageview since the post went live.
• Caveat — disposable email: noyavip.com is a throwaway domain. boceg may be a coupon-farmer not a serious student. Watch their next-48h activity: if they actually use the platform, escalate; if no return visits, write off as freebie speculation.
• Bouncer #2: Another Reddit-mobile visitor at 16:16 UTC hit /app#signup and left. Two mobile bouncers in 24h on the signup screen — friction signal worth watching (sample still 2).
• FIRST100 promo retune (Devin 2026-05-26): Old coupon wARNgRBY = 100% off, 4 months repeating — too generous, since the marketing copy "First 100 users free with code FIRST100" never specified duration. Target = 100% off, 1 month. Existing 2 redemptions keep their 4-month benefit; new redemptions get 1-month only.
• Action (Devin, in Stripe Dashboard):
• Archive coupon wARNgRBY at https://dashboard.stripe.com/coupons/wARNgRBY (doesn't refund existing redemptions, just blocks new uses)
• Create new coupon: 100% off, Duration = Repeating, 1 month
• Create new promotion code with code=FIRST100, max_redemptions=98 (100 − 2 already redeemed)
• Email sent to [email protected] with these steps.

Session 2026-05-26 late — multi-agent buildout + AIT v4 math overhaul + marketing-director parked:

• Multi-agent research + 4 subagents drafted (NOT yet committed to git; live on disk in .claude/agents/):
• ~/.claude/agents/marketing-copywriter.md (user-global, opus) — channel-locked drafter, reads canonical first, emails drafts to Devin
• ~/.claude/agents/posthog-analyst.md (user-global, opus) — HogQL + Supabase + Stripe cross-check, anti-noise patterns
• StampReady/.claude/agents/qc-reviewer.md — gates question batches via 5-reviewer board, bucket-sorts into _approved/_revise/_rejected
• kindredpics-site/.claude/agents/bipa-auditor.md — pre-merge biometric/retention/consent audit against 30-day workspace lock
• AIT v4 question pipeline overhaul:
• QC ran on original 2026-05-24 drafts: 0/82 passed (graphic-labeling stems, empty distractors, no solutions). All 16 files moved to data/questions/_rejected/ait-v4/.
• Math audit on assets/ncees_ait_graphics_v4.py: 12/16 PASS, 4 need fixes — graphic_01 (R_A formula used wrong moment arm), graphic_02 (M_A sign convention made M(L)=-240 instead of 0), graphic_10 (F_JB compression-vs-tension arrow inconsistency), graphic_12 (I_2 = 0.5 should be 0.67 = ⅔).
• All 4 patched + sidecars regenerated: R_A=45.6, R_C=66.4, M_max=183.7, x_0=4.47 (was 74.4/37.6/346.9/6.87). Cantilever M_A=170 sagging-positive with M(L)=0 enforced. Truss FBD F_JB relabeled (T) + P_ext flipped down. Circuit I_2=0.67.
• Visual fixes: graphic_01 shear plot now has clean vertical step at x=4 (was a ramp due to np.where interpolation); graphic_01 M_B/M_max labels symmetric top-left/top-right; graphic_07 dashed y-axis line shortened so it doesn't bisect b_f + "y (weak axis)" labels, t_f label widened-into-canvas, table_x repositioned; graphic_12 R_3 label moved ABOVE resistor box (was crashing into I_2 label).
• Loader v2 shipped at scripts/content-bank/build_ncees_ait_v4_questions.py (LLM-driven via Haiku 4.5, generates 5 assessment-grade questions per sidecar: 2 fill_blank + 2 point_click + 1 drag_drop). v1 backed up at .v1.py.bak. Dry-run on graphic_01: 5/5 valid with real formulas + distractor mapping + NCEES references.
• Status: uncommitted in StampReady working tree. Devin reviewing PNGs on phone; graphic_07 confirmed re-fixed via email 19e6644efe151aad. 15 sidecars NOT yet run through loader v2 (would cost ~$0.50 API). Pending Devin's final visual verdict before commit + bulk-run.
• Email messages sent this session (per feedback_email_action_items.md):
• 19e65f76f29aced4 — initial 16 graphics for visual confirm
• 19e66219f6639635 — revised 16 graphics after 3 visual fixes (shear step + moment labels + R₃ label)
• 19e6644efe151aad — graphic_07 repatched after Devin's annotated screenshot (4 specific fixes: y-axis bisection × 2, t_f canvas clip, designation box layout)
• Marketing-director agent IDEA researched + parked at FounderOS/ideas/2026-05-26-marketing-director-agent.md. Revival trigger: 100 paying users OR post-October 2026 PE cycle. Build cost when revived: ~3–4 hr + ~$8/mo Anthropic API. Skips \(1,250–\)8K/mo human CMO and \(500–\)2K/mo packaged AI-CMO products (NoimosAI, Improvado AI CMO — overkill at n=10 external users).
• Social-orchestrator agent IDEA also parked at FounderOS/ideas/2026-05-26-social-orchestrator-agent.md. Drafter+poster automation via Telegram+X-API+LinkedIn-API+Reddit-one-tap-URL. Revival when posts/week >10 or copy-paste drag >30min/wk.
• New FounderOS/ideas/ folder convention — parking-lot for researched-but-unbuilt concepts, distinct from decisions/ (decided) and deliverables/ (shipped). README documents the structure.
• FounderOS commits this session (pushed to origin/main): 3e35885 FO hygiene + .gitignore, 26e2d16 KP canonical (OTP+pw, nanny-pics deleted), 1dff5a3 SR active brief sync to v3.0/b311747. NEW uncommitted FO state: ideas/README.md + 2 idea files, active/stampready.md (this block), MEMORY.md updated.
• Memory adds: reference_ideas_folder.md (parking-lot convention pointer).

Session 2026-05-27 — legal-ip-researcher subagent shipped:

• Reddit fan-out clarified: profile post → r/PE_Exam crosspost → r/FE_Exam crosspost. View counts as of this session: profile=258, r/PE_Exam=1.6k (was 1.2k), r/FE_Exam=497 (was 162, now tagged "Brand Affiliate" by Reddit's disclosure system).
• New comment thread on profile post: u/MessageOk1085 asked "source of all the questions" — Devin replied with the multi-agent AI pipeline framing + introduced the "upload your own practice materials" as biggest differentiator. Converted skeptic to "wow comprehensive answer."
• Upload-your-own-materials feature is REAL (CSV/JSON questions via app.html:338 triggerUpload + PDF viewer at assets/pdfjs/web/viewer.html + Reference pane tab in js/reference.js). Devin's "side-by-side with the handbook" framing = tab-switchable inside the simulator workspace, not literal dual-pane. NOT an overclaim.
• BUT — legal status of the upload-PDFs differentiator is unresolved. That's why it's never been product-forward in marketing to date. Devin has a lawyer meeting in pipeline. Do NOT lead with this differentiator in X / Reddit / LinkedIn copy until legal clears it.
• New subagent: legal-ip-researcher at ~/.claude/agents/legal-ip-researcher.md (user-global, opus). Cross-venture (SR + KP + future). Produces structured legal-research briefs for attorney review — statutes, case law, risk matrices, lawyer-meeting question lists. Never produces legal advice. Tools: Read, Write, Bash, WebSearch, WebFetch. Exception to the "ship one subagent first" rule (memory feedback_ship_one_subagent_first.md) granted because cross-venture utility for all current + future businesses.

Open from this session: - First test run for legal-ip-researcher: SR PDF/textbook user-upload IP risk (DMCA §512 safe harbor + §107 fair use + NCEES copyright posture). - X #2: still drafted as cantilever warmup (not the differentiator version). Pending Devin's pick of next firing. - FIRST100 Stripe retune (Devin Dashboard action): archive wARNgRBY coupon → create 1-month-repeating 100%-off coupon → new FIRST100 promo with max_redemptions=97 (3 already redeemed including boceg). Email sent 2026-05-26. - boceg activity post-signup: 0 PostHog events in 48h → coupon-farmer thesis confirmed. Not a real student. Mark FIRST100 redemption #3 as bad-fit.

Session 2026-05-27 — legal-ip-researcher first run + IP gap remediation (UNCOMMITTED):

• First production run of legal-ip-researcher complete — brief at StampReady/deliverables/LEGAL-user_uploaded_pdf_dmca_v1.0_2026-05-27.md. Email 19e6a01f611c327a. Headline reframe: SR's PDF-upload architecture is client-side only (IndexedDB + in-memory via FileReader, NO Supabase Storage / R2 server upload). That's Sony / Cartoon Network v. CSC, not Viacom. DMCA §512© likely doesn't apply because there's nothing server-side to immunize. Real risk = Grokster inducement, which lives in marketing copy.
• Three concrete gaps flagged + remediated where possible:
• stampready.app/terms returned 404 → fixed: new terms/index.html with §512(i) repeat-infringer policy + DMCA notice procedure + user-upload representations (mirrors privacy/index.html styling, marked "DRAFT — attorney review pending")
• In-app attestation at js/simulator.js:340-351 called SR "a passive storage service" (architecturally inaccurate; legal brief flagged) → fixed: rewritten attestation reflects client-side-only architecture + strengthens permission language ("YOU HAVE THE LEGAL RIGHT to use this material...")
• PDF upload at js/reference.js:pickLocalPdf had NO permission attestation → fixed: new confirm()-based gate added, first-time only, matching the question-upload pattern
• Devin-required follow-ups (email 19e6a0a5ed1efed8 sent to [email protected]):
• Register DMCA designated agent at copyright.gov/dmca-directory ($6 / 3-yr, preserves §512© optionality)
• Set up [email protected] email alias
• Review + commit the 3-file diff (js/simulator.js, js/reference.js, terms/index.html)
• Cache-bust + deploy
• Bring legal brief to attorney meeting (6 specific questions in email body)
• Marketing implication: upload-PDFs differentiator can go forward IF marketing copy is Grokster-aware ("upload your own study materials" ≠ "upload pirated textbooks"). Attorney to confirm copy guardrails before X/Reddit/LinkedIn use.

Session 2026-05-27 — full IP audit + 5 source-code patches + deliverable hardening:

• 2 parallel audits via legal-ip-researcher agent:
• deliverables/LEGAL-entity_ip_protection_audit_v1.0_2026-05-27.md (email 19e6a7da64a3eeab) — what each entity (NCEES, PPI/Kaplan, School of PE, Pearson VUE, AASHTO/AISC/ACI/ASCE/TRB-HCM/ICC) protects + Doe v. GitHub case status (direct copyright claims DISMISSED). Big reframes: Pearson VUE CBT UI mimicry = LOW (Lotus, Google v. Oracle); formulas/data = LOW (§102(b) + Feist); NCEES = HIGH ($800K + $880K confidential settlements + Cameron-Ortiz $1M+ judgment).
• deliverables/LEGAL-codebase_ip_audit_v1.0_2026-05-27.md (email 19e6a81fa8cb0f0b) — 4 HIGH / 5 MED / 10 LOW findings. Critical defensive posture confirmed in code: simulator layout is question-LEFT / reference-RIGHT (OPPOSITE of NCEES CBT), color palette cream/amber/navy (not NCEES dark-blue). DO NOT act on ohkjon's "put reference handbook on left" Reddit feedback — it would destroy the documented "deliberately avoided mirroring" trade-dress defense.
• 5 source-code IP edits shipped (UNCOMMITTED):
• js/i18n.js:27 "mirrors Pearson VUE" → "exam-day style" (EN)
• js/i18n.js:217 "replica Pearson VUE" → "estilo día del examen" (ES)
• js/marketplace.js:179 comment "NCEES product card style" → "discipline-specific palette"
• data/config/data.js:493 "StampReady calculator replicates the TI-36X Pro" → "Use the same model you will bring to the exam"
• js/simulator.js:1663 comment "Mirrors NCEES Pearson VUE's pre-exam tutorial" → "Pre-exam tutorial that walks candidates through the CBT UI"
• 3 deliverables hardened:
• MARKET-social_bios_v1.0_2026-04-27.md → archived, replaced by MARKET-social_bios_v1.1_2026-05-27.md (drops "mirrors Pearson VUE", bumps Q-count 2,200→12,800, adds pricing, switches Reddit hashtags to confirmed #PE #FE #Engineer #Engineering)
• MARKET-social_content_batch1_v1.0_2026-05-03.md → archived, replaced by v1.1 (Post 3 reframed to "Similar CBT exam interface"; Post 10 reframed to "BRING YOUR OWN REFERENCES" matching upload-PDFs architecture)
• deliverables/post3.html patched in place
• Live-channel scan via WebFetch:
• stampready.app landing: clean — no audit phrases visible
• linkedin.com/company/stamp-ready: already softened to "Similar CBT exam interface" when Devin posted (deliverable was draft, live wording diverged in his favor) — no exposure
• x.com/getstampready: 402 / unauthenticated — DEVIN TO VERIFY MANUALLY (bio + pinned tweet)
• Reddit posts at u/Numerous-Ad-1225: unable to fetch bodies — DEVIN TO VERIFY MANUALLY
• H4-H5 pending (codebase audit): data/config/data.js:135-280 sections[] reproduces AISC/ACI/ASCE/AASHTO/OSHA tables (no signed licenses on file, only draft license-request letters in legal/). Selection-and-arrangement = real risk vector. Attorney meeting prep first; rewrite-to-paraphrase or external-link replacement is ~30-min refactor.
• 17 attorney questions queued across the 3 LEGAL briefs (7 entity-IP + 10 codebase-audit).
• Memory adds: none this session — patterns already covered by feedback_verify_before_citing_canonical.md (canonical = cache, verify live) and feedback_no_unverified_bank_quality_claims.md (audit findings ≠ live reality).

Session 2026-05-27 — handoff state (UNCOMMITTED in StampReady working tree):

• IP / legal: 5 source-code patches above + terms/index.html (new draft ToS) + 2 attestation gates (js/simulator.js rewrite + new js/reference.js PDF gate) + 3 deliverable changes + 2 audit deliverables
• NCEES AIT v4 graphics + loader v2: still uncommitted from prior session (16 graphic PY + sidecars + loader script + 16 _seeded JSONs + 32 _images)
• Multi-agent files: ~/.claude/agents/legal-ip-researcher.md (NEW user-global), marketing-copywriter.md, posthog-analyst.md, StampReady/.claude/agents/qc-reviewer.md, kindredpics-site/.claude/agents/bipa-auditor.md. Heads-up: newly-created user-global agents need a Claude Code session restart before they appear in the Agent(subagent_type=...) registry. Workaround used this session: invoke via general-purpose with skill-file path in the prompt.
• Marketing: held — X #2 still drafted (cantilever warmup), upload-PDFs differentiator still product-only pending attorney
• Devin pending actions (emails sent — all in inbox):
• 19e6a01f611c327a — first legal brief (PDF/DMCA architecture)
• 19e6a0a5ed1efed8 — DMCA registration steps + commit checklist
• 19e6a7da64a3eeab — entity-IP audit
• 19e6a81fa8cb0f0b — codebase IP audit (Devin-actionable)
• Manually verify X bio + 3 Reddit post bodies don't contain "mirrors Pearson VUE"
• Stripe FIRST100 retune optional cleanups (leave as-is per Devin's earlier "leave 3 over")

Next-session restart priorities: 1. Devin to commit + cache-bust + deploy the IP source-code patches (5 files) 2. Devin to send terms/index.html draft + 17 lawyer questions to attorney 3. After lawyer meeting: decide on AISC/ACI/ASCE table rewrite (H4) + whether upload-PDFs can go marketing-forward 4. Resume marketing (X #2 + r/FE_Exam follow-up) once IP posture is locked 5. FIRST100 promo timing — 1-month duration is live, monitor next paid activation (boceg confirmed coupon-farmer, 0 return visits in 48h)

Session 2026-05-27 evening — reference panel pivot to upload-only + persistence + resource directory (PUSHED to origin/main):

• Persistence shipped (commit 3eab4a2): user-uploaded PDF library now persists across sessions in IndexedDB (was in-memory only, wiped every reload). Store stampready_local_pdfs/pdfs, hydrates on script load, navigator.storage.persist() opt-in for Safari background-eviction. PostHog reference_upload_completed event added (file_type, size_kb, library_size). Verified end-to-end via chrome-devtools MCP (CRUD round-trip + post-reload hydration + close/clear sync). IP posture unchanged — IndexedDB is still client-side, no server touch.
• All preloaded reference content stripped (commit de54969): removed 117 lines of curated formulas + tables + embedded public-domain PDFs from data/config/data.js REF_CATALOG. Eliminates the H4 selection-and-arrangement risk from the codebase IP audit. Catalog now metadata-only (13 entries: title, abbr, version, source, downloadUrl, purchaseUrl, cost, description, customPane='upload_prompt'). renderRefContent simplified to a single "Bring your own copy" pane with publisher CTA + "Load your PDF" handoff. AISC description softened ("LRFD/ASD" → "Steel design code"). All formula leak checks pass.
• Supabase Storage bucket stampready-refs/ flushed: 15 PDFs deleted (12 MUTCD parts + FHWA HIF-24-002 + HIF-24-054 + DoD UFS 3-220-10). All were federal/§105 public-domain so legally harmless, but Devin chose clean-cut posture: zero hosted content. Both subfolders empty, empty bucket retained as no-op.
• Resource directory in My PDF empty state (commit aa6694c): blank "Choose PDF" screen now shows a grid of refs scoped to the active discipline (cards: FREE/PROVIDED vs PURCHASE pill, title, abbr, cost, Download/Purchase CTA → publisher's official URL). Pure factual aggregation, no copyrighted content, no logos. Helper _buildResourceGrid(disc) consumes DISC_REFS[disc] + REF_CATALOG metadata; grid hidden once any PDF is loaded. Verified scoping across transport (5 cards), structural (4), fe_civil (1 fe_handbook only), water (3).
• Cache busts (all shipped): reference.js v58→v61, data/config/data.js v59→v60, sw.js v178→v181.
• AIT v4 working tree declared garbage by Devin; uncommitted files left alone (not deleted in this session, not committed).
• Enterprise remote removed: github.com/GSR_admin/stampready.git 404'd (org doesn't exist on github.com — likely never set up or pre-rename). Removed via git remote remove enterprise. Origin alone now.
• Board session at start of work: product-only scrutiny of upload-content as differentiator (transcript inline in chat). Three Sarah Chen tasks: instrument PostHog upload events (DONE), document upload surface (partially: brief covers it), persist last-page-viewed per PDF (DEFERRED — pdf.js hook for pagechange event, ~50 lines).

Open from this session: - Push to deploy verification (Cloudflare ~1-2 min): hard-refresh /app, click any ref tab → "Bring your own copy" pane; My PDF tab → resource grid + upload button; upload a PDF, reload → confirm persists. - Persist last-page-viewed per PDF (board task #3, deferred). - Enterprise mirror remote fix.

Open decisions

• LLC + EIN + business checking — COMPLETE 2026-05-29 — Single-Member LLC TX/Tarrant filed, EIN obtained 2026-05-14 (default disregarded entity), business checking opened. First CPA meeting with Mikel Shelton complete.
• Spouse-as-LLC-member / S-corp election (Form 2553) / multi-member conversion (Form 8832) — open for follow-up CPA discussion.
• Customer MFA UI — Pro feature unlocked but no UI; ~30-min build deferred.
• Strict CSP migration — replace 'unsafe-inline' with nonce-{rand} + strict-dynamic. Post-launch wk 2-3.
• BFF/Worker proxy — biggest architecture pivot from peer review. Post-launch wk 4-6. Will close the 14 SECURITY DEFINER advisor WARNs.
• Mobile resume — iOS + Android both on hold. No timeline set; Devin's call when to un-pause.
• DKIM — scheduled but not yet live on .app / .org.

Cloudflare hardening (applied 2026-05-28 via API)

• SSL: flexible → full (stampready.app)
• min_tls_version: 1.0 → 1.2 (stampready.app + .org)
• Bot Fight Mode + Block AI bots + Crawler Protection: enabled (stampready.app)
• nanny.stampready.app removed: CNAME deleted from DNS + custom domain removed from kindredpics Pages project
• Stale google-site-verification TXT on stampready.app — RESOLVED 2026-05-28 by Devin (per services audit deliverable #6).
• Audit doc: deliverables/OPS-cloudflare_audit_v1.0_2026-05-28.md
• Quarterly DR drill — next due late July 2026.