Paul Welty, PhD AI, WORK, AND STAYING HUMAN

What shipped today

Massive day running a two-tab workflow: tab1 (grinder) implemented and merged code, tab2 (thinker) reviewed PRs and prepped the entire upcoming issue queue. Six feature branches went through multiple rounds of code review and landed on main, while the Apple app roadmap was fully specced out for grinding.

Merged to main (6 PRs)

The headline feature is the circuit breaker system (GH-432) — per-workspace AI cost caps and abuse throttles. Every workspace now has a daily spend cap based on its plan ($0.50 trial, $0.05 free, $5 pro, $10 team), enforced at the engine level with a 60-second cache. Chat has hourly rate limits (30 trial, 120 pro), feed discovery respects plan caps, and the command poller surfaces budget-exceeded errors to users via activity_logs. The daily spend query uses explicit UTC boundaries to stay consistent with the admin dashboard.
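An added example, not the project's own code, of the budget check described above: plan caps, the 60-second cache, an hourly chat throttle, and a daily window computed on explicit UTC boundaries (which is also why the reset lands at midnight UTC for every workspace). The in-memory ledger, the `Workspace` class and the function names are assumptions for the illustration; the free and team chat limits are assumed values the post does not state.

```python
from dataclasses import dataclass, field
from datetime import timedelta, timezone

# Daily USD caps per plan, as stated in the post.
DAILY_CAPS_USD = {"trial": 0.50, "free": 0.05, "pro": 5.00, "team": 10.00}
# Hourly chat caps: trial and pro from the post; free and team are assumed.
CHAT_HOURLY_LIMITS = {"trial": 30, "free": 30, "pro": 120, "team": 120}
CACHE_TTL = timedelta(seconds=60)

@dataclass
class Workspace:
    plan: str
    # (timestamp, usd) ledger of AI calls; a database table in practice
    spend: list = field(default_factory=list)
    chat_calls: list = field(default_factory=list)
    cached: tuple = None  # (computed_at, spend_today)

def utc_day_bounds(now):
    """Explicit UTC day window so engine totals match the admin dashboard."""
    start = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return start, start + timedelta(days=1)

def spend_today(ws, now):
    """Sum today's spend, reusing a cached total for up to 60 seconds.
    Caveat: spend recorded inside that window is invisible to the cap."""
    if ws.cached and now - ws.cached[0] < CACHE_TTL:
        return ws.cached[1]
    start, end = utc_day_bounds(now)
    total = sum(usd for ts, usd in ws.spend if start <= ts < end)
    ws.cached = (now, total)
    return total

def check_ai_budget(ws, now, estimated_usd):
    """Return (allowed, reason); the reason is what gets surfaced to users."""
    cap = DAILY_CAPS_USD[ws.plan]
    used = spend_today(ws, now)
    if used + estimated_usd > cap:
        return False, f"daily AI budget exceeded: ${used:.2f} of ${cap:.2f} used"
    return True, "ok"

def check_chat_rate(ws, now):
    """Sliding one-hour window over chat calls; records the call if allowed."""
    window_start = now - timedelta(hours=1)
    ws.chat_calls = [t for t in ws.chat_calls if t > window_start]
    if len(ws.chat_calls) >= CHAT_HOURLY_LIMITS[ws.plan]:
        return False
    ws.chat_calls.append(now)
    return True
```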

The conversion funnel (GH-366) shipped with Stripe checkout sessions, webhook handling for subscription lifecycle, trial expiration cron (06:00 UTC daily), and upgrade/expired-trial banners. Review caught three critical issues that were fixed: missing trial expiration cron (trials would have run forever), checkout sessions that didn’t verify workspace membership, and a hardcoded subscription_status: "active" that ignored Stripe’s actual status.

On the security front: GH-425 added domain-based email loop guards (preventing Maya from replying to her own bounces), XSS protection in email link replacement with scheme rejection for javascript: URIs, and SSRF protection in feed discovery with hostname resolution and private IP rejection. GH-418 shipped admin briefing content management with DOMPurify sanitization. GH-422 added the workspaceId guard in onboarding. GH-139 fixed email template double-escaping by making fallback values plain text.
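The three guards from GH-425, as an added example that is not the project's code: a domain-based loop check, a scheme allow-list for link replacement, and an SSRF check that resolves the hostname and rejects non-public addresses. The `OWN_DOMAINS` value, the function names and the injectable `resolver` parameter are assumptions made so the code runs offline.

```python
import ipaddress
import socket
from email.utils import parseaddr
from urllib.parse import urlsplit

# Outbound domain the assistant sends from (assumed value for this example).
OWN_DOMAINS = {"maya.example.test"}
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}

def is_loop_sender(from_addr):
    """Domain-based loop guard: never reply to mail from our own sending
    domain, otherwise bounces and auto-replies would ping-pong forever."""
    _, addr = parseaddr(from_addr)
    domain = addr.rpartition("@")[2].lower()
    return domain in OWN_DOMAINS

def is_safe_link(href):
    """Allow-list for links rewritten into email bodies: javascript:, data:
    and every other scheme are rejected, case-insensitively."""
    return urlsplit(href.strip()).scheme.lower() in SAFE_LINK_SCHEMES

def resolve_public_host(url, resolver=socket.getaddrinfo):
    """SSRF guard for feed discovery: resolve the hostname and refuse any
    result that is private, loopback, link-local or otherwise non-global.
    Returns the vetted IPs; the caller should connect to one of these rather
    than re-resolving, which closes the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("feed URL must be http(s) with a hostname")
    vetted = set()
    for *_, sockaddr in resolver(parts.hostname, parts.port or 80):
        ip = ipaddress.ip_address(sockaddr[0])
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as IPv4.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            raise ValueError(f"refusing non-public address {ip} for {parts.hostname}")
        vetted.add(str(ip))
    return sorted(vetted)
```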

Review process

The two-tab review workflow proved its value today. Multiple rounds of review caught issues that would have shipped broken: the trial expiration cron was entirely missing from GH-366, the SSRF protection in feed discovery was absent from GH-425’s first submission, and the checkout session didn’t verify workspace membership. One friction point: review agents kept reading stale local files instead of actual PR diffs, requiring manual verification via gh pr diff.

Issue prep and milestone organization

Tab2 prepped 10 issues with detailed specs including API surface audits, file lists, and acceptance criteria:

  • GH-366 — Full payment funnel spec with Stripe integration details
  • GH-410 — ICS calendar feed spec, created GH-430 for future two-way CalDAV sync
  • GH-432 — Circuit breakers spec with daily caps, chat throttles, feed caps
  • GH-389 — Consolidated Apple app Phase 1 (merged GH-395-399 into single issue)
  • GH-390 through GH-393, GH-409 — Apple app Phases 2-6 fully specced with API audits confirming all endpoints exist

Created milestones v1-apple and v1-marketing to separate web app, Apple app, and marketing work. Filed GH-436 (TTS endpoint has zero auth — launch-blocker) and GH-437 (sidebar onboarding score). Closed GH-241 (already done), GH-412/429 (Vercel preview deploy noise), GH-395-399 (incorporated into 389).

Completed

  • GH-139 — Brand consolidation and email notification fix
  • GH-366 — Signup, plan, payment: complete the conversion funnel
  • GH-395 — Apple app nav shell (incorporated into GH-389)
  • GH-396 — Apple app Supabase auth (incorporated into GH-389)
  • GH-397 — Apple app workspace selector (incorporated into GH-389)
  • GH-398 — Apple app API client (incorporated into GH-389)
  • GH-399 — Apple app core models (incorporated into GH-389)
  • GH-418 — Admin briefing content management UI (MOTD, promos, tips)
  • GH-419 — PostHog tracking, security fixes (accepted in review)
  • GH-422 — Replace onboarding wizard with name + website screen
  • GH-425 — Route briefing email replies through Maya chat
  • GH-432 — Circuit breakers: per-workspace AI cost caps and abuse throttles
  • GH-241 — Closed (already done)
  • GH-412, GH-429 — Closed (Vercel preview deploy noise)

Carry-over

  • GH-423 (aggressive onboarding bootstrap) and GH-424 (briefing template slots) are in-progress but not yet reviewed
  • GH-436 (TTS auth) and GH-437 (sidebar onboarding score) are filed and specced but not started
  • GH-410 (ICS calendar feed) is prepped and ready to grind
  • All 6 Apple app phases (GH-389, 390, 391, 392, 393, 409) are fully specced and ready for tab1

Risks

  • Six squash merges landed in quick succession — verify Vercel deployment succeeded and no runtime regressions
  • The briefing_template.py change trusts admin MOTD/tips HTML (skip escaping) — if the admin API is ever called directly without DOMPurify, this is an XSS vector
  • Review agents reading stale local files instead of PR diffs caused false rejections — need a more reliable review workflow

Flags and watch-outs

  • Daily spend cap resets at midnight UTC — workspaces in far-west timezones see the reset in mid-afternoon local time
  • Trial expiration sets subscription_status = 'expired' — confirm the UI handles this alongside 'free'
  • Briefing pipeline healthy for tomorrow (11:00 UTC / 6:00 AM ET) — all changes on main are stable
  • System messages in briefings are now plain text only (decision made during review discussion)

Next session

  • Verify all 6 merged features work on production (circuit breakers, billing flow, admin content, onboarding wizard, email replies, notifications)
  • Review GH-423 and GH-424 when they come back for review
  • Grind GH-436 (TTS auth — launch-blocker, one file fix) and GH-437 (sidebar onboarding score)
  • Start Apple app Phase 1 (GH-389) — fully specced with scaffolding, auth, API client, models, nav shell, and podcast feed
  • GH-410 (ICS calendar) is prepped and ready whenever there’s bandwidth
  • v1 milestone has 10 open issues, v1-apple has 6 — all grindable with detailed specs
