XJobsFinder · tester preview

Career Optimization, Agentic · last updated Monday, June 9, 2026

JOB EXCHANGE LLC · Jorge Reyes
Pilot readiness · final testing + Conversational AVA & QA program (in dev, branch)

📈 Strategy War Room

Living go-to-market strategy for the independent-consultant wedge — the plan, the numbers, the rivals, and the first feature. Read anytime.

🖨️ Printable field sheet 🎯 Self-Audit teaser

Click a document above to read it.

🧪 QA Board

Live test results — automated agent runs + manual checks. Auto-refreshes every 10s while open. Source: /api/test-results.

loading…

Loading…

📋 Changelog & Daily Log

The living record of what shipped, day by day — updated daily. Replaces the old Word-doc handoffs.

Loading…

💳 Payments & Paywall

Every paid gate at a glance — does the paywall fire, does paying unlock it, and can anything be reached without paying (or without even logging in). Verified 2026-06-25; re-run the scripts at the bottom to refresh.

The four paid features

Feature$ / usePaywall firesPaying unlocks
ATS Scan$5✅ 6/6✅ 5/5
Customize$5✅ 6/6✅ 5/5
Interview$5–15 (by gaps)✅ 6/6✅ 5/5
AI Résumé$5✅ 6/6✅ 5/5

Free allowance is set per-feature in Admin → plan limits. Prod = 0 (paywall on first use). Local = 1 (one free, then paywall). Pro = $19.99/mo. Usage tracked in feature_usage; the free run in subscription_cycles.

How paying works

  • Per-use ($5) → Stripe Checkout → on payment the webhook writes a paid grant → the feature unlocks once.
  • Pro ($19.99/mo) → Stripe → activate-subscription flips the user to Pro (now auth-gated, Tier 1).
  • Stripe is in TEST mode — card 4242 4242 4242 4242. Locally the webhook needs stripe listen --forward-to localhost:4000/api/stripe/webhook.

🔒 Anonymous bypass status

Can a request with no login at all reach a paid endpoint? (probe: scripts/paywall-anon-probe.js)

EndpointStatus
Activate Pro🟢 gated — Tier 1 ✓
Reset usage🟢 gated — auth + subscribers only (free user → 403)
Usage · Cycle create🟢 gated
Interview chat / questions / score🟢 gated — Tier 2 ✓
Customize download🟢 gated — Tier 2 ✓
Résumé DOCX (download)🟢 gated — Tier 2 ✓ (post-signup)
AVA chat (builder)🟢 open by design — anonymous build funnel; rate-limited 50/15min per IP

Tier 1 ✓ — locked activate-subscription (was: anyone could flip any account to Pro with no payment). Tier 2 (in progress) — a global auth-attach wrapper makes every logged-in /api/ call carry the token, then each delivery endpoint is gated. Hardening complete. 9 of 10 endpoints are auth-gated; the 10th — AVA chat, the anonymous "build before you sign up" funnel — stays open by design but is now rate-limited (50 requests / 15 min per IP) to cap the Claude-cost abuse vector. activate-subscription ✓ (Tier 1) and reset-usage ✓ (now auth + subscribers-only — a free user POSTing it gets 403, verified) are both closed.

Re-run the checks

node scripts/paywall-gate-check.js        # paywall fires (all 4)
node scripts/paywall-pay-check.js ats     # paying unlocks (per feature)
node scripts/paywall-anon-probe.js        # anonymous bypass status

# against prod:
BASE=https://xjobs-final-production.up.railway.app node scripts/paywall-gate-check.js

Full writeup: Documentation/Testing/Paywall-Gate-Tests.md.

🦸 SUPER QA

The single source of truth. Every QA agent — each tester's Sidekick plus the automated suites — is a child that reports up to the SUPER QA, which consolidates everything into one deduped, prioritized defect list (same bug from 3 testers → 1 defect), each carrying the screenshot of what was seen.

👋 New here? How this works — in 10 seconds

You don't need to decode the diagram below. Your only job: when something looks broken, confusing, or just off — click the red 🐞 “Found a bug?” button. This page is simply where every report lands, sorted so we fix the most important things first.

1️⃣  You spot something 🐞
Click the red “Found a bug?” button in the corner. It auto-grabs a screenshot, the page, and your browser — you don't lift a finger. Just say what you expected vs. what happened.
2️⃣  It flows up to SUPER QA 🦸
Your report joins everyone else's — every tester's reports and the automated tests — gathered into this one place. Nothing gets lost in email or chat.
3️⃣  Sorted into one list 📋
SUPER QA merges duplicates (same bug from 3 people → 1 item), ranks by severity, and shows each with its screenshot. Click 🦸 Consolidate below to build it.
💡 Bottom line: report freely, big or small — every single one helps. The system does the organizing.
🦸 SUPER QA one source of truth · consolidates & prioritizes
children report up — each with its screenshot
🐞 Jorge
Sidekick
🐞 Oli
Sidekick
🐞 Oscar
Sidekick
🤖 Automated
financial · E2E
🤖 Health Sentinel
live error watch

Click 🦸 Consolidate and the SUPER QA will read every child's findings and build the prioritized defect list.

📖 Product Walkthrough — SME Agent

How to run the Interview Trainer end to end — present it live, or hand it to a tester. open the raw doc ↗

Loading…

🩺 Health Console

Live status of every process — a flight board for the app. 🟢 healthy · 🟡 degraded · 🔴 down. Auto-refreshes every 15s, fed by the 🤖 Health Sentinel. (Interim home — moving behind the Admin gate post-pilot.)

Loading process health…

⚡ Recent runtime errors (last 30m)
⏱ Typical phase timings (warm avg ± stddev · cold = first uncached run, excluded)

🧪 Button Traceability Matrix

Every clickable handler in the app — 439 of them — mapped by flow → screen → button and PASS/FAIL on whether it's wired to a live function. Static analysis; catches dead buttons that would throw on click (e.g. the _tdStatus crash class). Re-run anytime with node scripts/qa/button-matrix.js.

439 handlers
439 PASS
0 FAIL
4 review
↗ Open full matrix

📜 Audit Log

The full change trail from git — every change, newest first, with type, files touched, and lines added/removed. 🗑 marks removals/cleanups. Each hash links to the exact diff on GitHub. This is the immutable record: nothing changes without a commit here. Refresh with node scripts/qa/audit-log.js.

How the audit trail works — every change is a small, single-purpose commit, so you can see exactly what each one touched and roll back any one without losing the others. Removals are paired with a regression check: npm run verify runs the Button Matrix on every commit and fails the deploy if any handler goes dead.

💾 Backups & Restore

A MASTER BACKUP is a full, restorable snapshot of the entire codebase — code, git history, and all assets. If anything ever breaks, you can roll back to a known-good state yourself, without help. Every restore is reversible (it snapshots your current state first).

📦 Latest master backup — 06-26-26
GitHub tagmaster-backup-06-26-26✓ offsite
GitHub branchbackup/master-06-26-26✓ offsite
Full tarball~/xjobs-backups/MASTER BACK UP 06-26-26.tar.gz239 MB · local
▶ Restore it yourself — one command

Open a terminal in the project folder and run this. It lists every backup, lets you pick one, and saves your current state first so you can always undo:

bash scripts/restore-backup.sh
The script offers two safe modes:
  1) Git tag — resets the code in place to a backup (fast, reversible — it tags your current HEAD as a rescue point first).
  2) Tarball — extracts a full snapshot to a new folder, so your live repo is never touched.
Why a button can't do this here: restoring the codebase rewrites files on the developer machine — a web page can't (and for security shouldn't) reach into your filesystem. So restore runs from the terminal with the script above. This panel is the shareable record of what backups exist and exactly how to roll back.

🗺️ Flow Blueprint

The map of every user journey — read left-to-right. Forks (⑂) show where a path diverges into alternative avenues that reconverge (⨝) before moving on. Each step is color-coded by how we cover it.

Coverage: ✅ auto — a runner tests it 🔧 todo — automatable, not built yet 👁️ manual — a human must judge ⑂ fork / ⨝ converge

Loading the blueprint…

🎬 Teleprompter

Open this on a second device (iPad / phone) beside your screen, hit ▶ Play, and read the walkthrough naturally while you screen-record the live app. Toggle Tester (includes the report-a-bug part) vs Pilot (product only).

Tip: press Space to play/pause, R to restart. The controls live on your iPad — they won't appear in your screen recording (you record the Mac, not the iPad).

Overview

Live activity + status — auto-derived in real time (no manual updates)

🛰 Live Project Status · auto-derived, no manual updates

loading…
Fetching live git + findings state…

🚀 Today's deploys Jun 9 · branch in dev

Most recent first · all auto-deployed to Railway on push to main
0fef342 · branch
Jun 9 · IN DEV (not deployed)
Conversational AVA + interview polish + QA program — on branch feature/ava-conversational, NOT yet on main/prod. AVA is now a full voice-first guided conversation (talk or type → résumé built live): typed/verified contact card, guided industry→role→experience chips, skills checklist, structured role form (Present-default dates), sample-accomplishment picker with [bracket] metric placeholders highlighted yellow + a fill-in helper, review/edit-redact, 3-style template picker (recolors the .docx too), and DB-persisted résumés. No double-charge: re-entry offers free Edit (capped at 3) vs paid Build new; interview is a separate gate. Interview Confidence Builder gets a live traffic-light scorecard (amber-not-red, coaches not grades), pacing controls (Next question / Next skill), and one-click/Enter submit. Edge-TTS (natural female voice) crypto fix.
on branch · HEAD 0fef342 (8 commits) · main untouched (1e05be7) · prod unaffected · founder-validated on localhost · QA program designed → Documentation/QA/Test-Agent-Strategy.md
Remaining before swap-in: template pick (gallery skipped), paywall/free-run on the finalize path, end-to-end pass → merge to main. Old wizard kept intact as instant fallback.
8a6df4e
Jun 7 · last deploy
Pilot-readiness marathon. Identity capture at flow entry (Quick Match / Gmail / SME) with the anonymous résumé carried into the new account on signup; results-page redesign (jobs-first control strip, below-80 always shown); the Vault — 📁 My Résumés artifact tree (IndexedDB) with downloads + improvement arc; Gmail registration wall now Google-only (kills the register-vs-scan email mismatch); strong-match interview fallback (matched/required skills) so zero-gap jobs still launch; PDF/.doc customize rebuild; scanned-PDF message; Cancel→Home; interviewer greeting.
by Jorge + Claude · deployed · commits 24b31ee · 2b55538 · c36372b · 802d0e8 · 7dddc01 · 8a6df4e · all verified on localhost
Also: run-aware in-place spelling fix (Word run-splitting); /?gmail=connected token-wipe guard; Gmail test bed (seed scripts). Pre-pilot to-do: add testers as Google OAuth test users (Testing-mode 7-day token caveat). Parked: session-staleness redesign (replace cheesy re-auth gate with idle timeout).
7e398f9
Day 37 · May 31
ATS Compliance — integrity & quality pass. B1: stopped fabricating user data (no more fake phone/email/degree/skills — gaps stay blank). B2: download now serves the genuinely OPTIMIZED resume, not the original-with-watermark. S2: real spell-check with red-strikethrough highlights + corrections (was hardcoded 5/5). S1: leads with the ATS result, not the job-finder. S5: softened "will pass" claim. N1/N2: score voiced /100, removed alert() popup.
by Jorge + Claude · deployed · commits b7433d2 · 9c0893b · 5aa271b · 7e398f9 · detail: Documentation/Audit/pilot-flows/01-ATS-flow-audit.md
Deferred post-pilot (documented w/ severity): S3 consistency sub-score (Med), S6 PDF deliverable (Should-fix), S4 paywall visibility (Low). Also built this session: SME Topic Trainer — human avatar + premium ElevenLabs voice + scored cheatsheet.
292ec94
Day 23 · 12:45 PM
fix(resume): F217 - replace fabricated ATS-optimized resume template with real resumeData (summary, workHistory, skills); remove embedded pricing section
by Jorge - deployed - 5 edits, -2143 bytes net (more code removed than added). Discovered during F216 root-cause read of Oscar's optimized DOCX.
Day 27 - May 14, 2026 - 8:00 AM
F221 logged - parsing determinism. Same resume produces inconsistent resumeData across runs (skills count, experience years, title, workHistory all vary). Probable root cause: temperature: 0 is not truly deterministic. Day 27+ P0.
by Jorge - logged for tracking, not yet fixed
Day 26 - May 13, 2026 - 7:00 PM
docs(copy): subtitle hygiene after F220 path consolidation - "Upload" instead of "Upload or paste"
by Jorge - deployed - polish
Day 26 - May 13, 2026 - 6:30 PM
feat(quick-match): F220 - upload-only path, file guardrails, JD signal-word check, resume-similarity hard reject, low-match warn modal (Oscar tester surfaced the failure class)
by Jorge - deployed - largest splice of the day, 6 anchor points, 4 new helper functions, ~120 lines
Day 26 - May 13, 2026 - 4:30 PM
fix(ux): F218 - graceful Quick Match JD validation, replaces browser alert with inline error and preserves user input
by Jorge - deployed - prepared the ground for F220
Day 26 - May 13, 2026 - 2:15 PM
fix(api): F216 - /parse-jd returns HTTP 500 on failure instead of silent "Target Position" placeholder (Oscar tester surfaced)
by Jorge - deployed - exposed Oscar root cause
Day 26 - May 13, 2026 - 1:00 PM
fix(cache): F215 - refuse to cache resume parses with empty skills (poisoning protection - first investigation finding)
by Jorge - deployed - server/cache.js setCache() now refuses to persist parses with missing/empty skills
Day 25 - May 12, 2026 - 10:55 PM
by Jorge - deployed - production verified both paths (Incognito email-entry and regular Chrome account picker)
Day 25 - May 12, 2026 - 9:30 PM
feat(dashboard): Submit a Test Run section with embedded Tally form - closes the WhatsApp loop, auto-logs to Google Sheet, emails Jorge instantly
by Jorge - deployed - end-to-end pipeline verified with smoke test
Day 23 - May 11, 2026 - 11:17 PM
fix(quick-match): F208 — rehydrate resume before match, defensive guard against null skills (Oli tester crash)
by Jorge · deployed · production verified
91ddbc5
Day 23 · 7:37 AM
Revert 'fix(routing): dashboard.xjobsfinder.com → app.html' — restore project-status routing
by Jorge · deployed
944b7fd
Day 23 · 7:32 AM
fix(routing): dashboard.xjobsfinder.com and /dashboard now serve app.html (reverted at 7:37 AM, was wrong scope)
by Jorge · deployed (then reverted)
e849c20
Day 23 · 6:50 AM
fix(session): F194 — both F189 wipes now conditional on session health (preserves JWT + resume on auth reload)
by Jorge · deployed · production verified

⚡ Today's activity 9 events

Real-time feed · deploys, verifications, findings, decisions
🧪
tester
Day 23 · 1:00 PM · Oli
Reported Quick Match crash: 'Match analysis failed: Cannot read properties of null (reading skills)'. F208 logged.
🚀
deploy
Day 23 · 1:15 PM · Jorge
F208 fix deployed (2c49408): Quick Match now rehydrates resume from server + defensive guard. Awaiting Oli re-test confirmation.
🧭
decision
Day 23 · 3:00 PM · Jorge + AI
Architectural session: 5 E2E flows defined (A Quick Match, B Scan Gmail, C Ava, D ATS, E Interview). F209-F213 logged. Interview Agent Framework v1.0 authored (28-page DOCX). Member archive thesis identified as core moat.
🔎
finding
Day 23 · 3:15 PM · Jorge
F211 reframed: FIFO+cap rejected based on founder use case (100 resumes/year). Real need is findability + outcome tracking. Data-model migration scoped pre-pilot.
📊
diagnostic
Day 23 · 8:06 AM · Jorge
env-status.sh run — ALL THREE IN SYNC at 91ddbc5. Working tree clean.
🧭
decision
Day 23 · 7:45 AM · Jorge
Dashboard scope clarified: dashboard.xjobsfinder.com remains the project-status URL (separate from main app at xjobs-final-production.up.railway.app).
🚀
deploy
Day 23 · 7:37 AM · Jorge
Routing revert pushed (91ddbc5). dashboard.xjobsfinder.com restored to project-status page.
verify
Day 23 · 7:30 AM · Jorge
F194 verified in production: hard-refresh preserves JWT + activeResume + resumeCache. Tester scenario closed.
🚀
deploy
Day 23 · 6:55 AM · Jorge
F194 fix deployed (e849c20). Conditional F189 wipes — preserves session on auth reload.

📋 Open actions by role what's needed from each person right now

If you see your name, here's what's on your plate. Report status in #xjobsfinder-pilot-bugs (once set up) or via email reply.

Founder (Jorge)

  • Send Pilot Test Quickstart V2 to Oli + Oscar with production URL + credentials
  • Set up Slack channel #xjobsfinder-pilot-bugs (private; Oli + Oscar + Jorge)
  • Investigate F207 — paywall fires earlier than expected for fresh production users
  • Investigate F206 — post-Google-signin lands on voice/mike page instead of dashboard
  • Begin Quick Match flow on fix/resume-quick-match branch (cherry-pick F201/F202/F194 to sync with main first)
  • Explore MCP connectors at https://claude.ai/settings/connectors (Linear / Slack / GitHub)

Oli (Tester)

  • Run Scenario 1 (ATS resume flow) end-to-end against production. ~10 min. Production URL: https://xjobs-final-production.up.railway.app
  • Run Scenario 1B (Auth flows: Forgot Password + Continue with Google) ~5 min
  • Report any P0 flag (Scenario 1 steps 10, 12, 14, 15, 17, 19 / Scenario 1B steps B, C, D, G) immediately via #xjobsfinder-pilot-bugs once channel exists
  • Stripe receipt photo: keep for reimbursement

Oscar (Tester)

  • Same as Oli — independent run of Scenario 1 + Scenario 1B against production
  • Use credentials tester+oscar-pilot1@gmail.com / TestF193!2026
  • Note any UX friction beyond the 28 steps — first-time-user perspective valuable
📊 Reference status — phase progress, KPIs, week narrative (click to expand)
Hi tester — thanks for being here. This is a behind-the-scenes look at where XJobsFinder stands today. We're 15 days from pilot launch (May 26, 2026). The pre-pilot fix sprint shipped 9 defects to production over Day 21-23 — the full ATS resume optimization flow (signup → upload → analyze → optimize → pay → download → re-download) has been validated end-to-end in production by the founder. The pilot quickstart is ready; tester rotations resume against this stable build. This dashboard shows you exactly what's happening, day by day. Click around — everything is read-only.

Phase progress7 phases · launch May 26

Phase 0 — Hygiene + auth100%
Phase 1 — Local audit100%
Phase 1.5 — Surgical zombie deletion80%
Phase 2 — AKA Identity refactor100%
Phase 2.5 — Regression audit + baseline100%
Phase 3 — Polish + pre-pilot fixes85%
Pilot launch · May 26T-15
Days to pilot
15
Pilot launch May 26
Pre-pilot fixes shipped
9
Day 21-23 sprint
Sessions tracked
26
All with closeout
Documents produced
38
Strategy + audit + close-outs

What's happening this week

Production is stable. Over Day 21-23 the pre-pilot fix sprint closed 9 defects in the ATS resume optimization flow: auth-gated Stripe checkout (F74), authenticated-email pre-fill (F192), durable paid_grants entitlement (F193 + F124), re-downloadable preview (F197), HTML cache headers (F198), session-preserving hard refresh (F194), forgot-password UX (F201 + F202), plus Stripe webhook routing repaired. Every fix verified end-to-end in production by the founder. The remaining open items (F199, F200, F203-F207) are tracked in the Findings section.

What you can do for now

Run the pilot quickstart — Jorge has sent you the 28-step test plan covering the ATS flow and auth flows. ~15-20 minutes total. Production URL: https://xjobs-final-production.up.railway.app. Any RED flag at the P0 checks (steps marked with stars) gets reported immediately. Everything else goes into the bug channel for triage. Thank you — your eyes catch what the founder's can't.

Product Vision

The canonical product principles and roadmap for XJobs. Read these to understand what we are building and why.

📜 Career Optimization, Agentic

Five Career Optimization Agents (Ava Resume Builder, ATS Compliance, Job Exchange, Interview Prep, Tracker). Five operating principles: each agent stands alone; in-place modification with yellow highlights, never parallel rewrite; watermark as legal frame; hand-hold without coupling (dating model); memory is the moat. Top-up credits, not subscription.

v0.1 · Day 27 · 230 lines

→ Read on GitHub

🗺️ Product Roadmap

F225-F239 sequenced priorities. P0 pre-pilot blockers (ATS rebuild, watermark port, session leak). P1 foundational (memory layer, history dashboard, top-up pricing). P2 strategic value-adds. P3 long-range (Application Agent, bilingual, B2B).

v0.1 · Day 27 · 171 lines

→ Read on GitHub

Project timeline

Gantt overview · Day 1 → Day 26 cards · gaps marked for backfill

Reading the Gantt: Each row is a project phase. Diamonds are milestones — click any of them to jump to the relevant section. The vertical "Today" line shows where we are right now (Day 23). The vertical "Pilot" line on the right is May 26.
Project Gantt — May 2 to May 26 pilot
Click any milestone to jump to its detail
PHASE May 2 May 8 May 14 May 20 May 26 Today (Day 23) Pilot Phase 0 hygiene Done Phase 1 audit 100% Phase 1.5 deletion 80% Phase 2 identity DONE Phase 2.5 regression DONE ★ v2.0-baseline Polish + testers 85% pre-pilot fixes shipped Buffer + rotation 3
Audit
Deletion
Refactor
Regression
Polish + testers
Buffer

Day-by-day cards

backfill needed

Day 1 — Project kickoff

~Apr 20, 2026

Initial project conception, vision, founder commitment. Specifics to be reconstructed from memory + any early notes.

no closeout doc
backfill needed

Days 2–7 — Initial development sprint

Apr 21–26, 2026

First wave of development. Resume builder, ATS analysis, basic UI. Vendor integrations stood up (Google OAuth, Stripe, Anthropic, ElevenLabs). Specifics need reconstruction from git log.

no closeout docs

Day 8 — April 27 sprint

Apr 27, 2026

Sprint shipping multiple fixes including the Remotive job-board fallback for empty Gmail scans, scoreJob null guard, and several UI polish items. Sprint report generated. Several of these fixes were silently reverted by later cousin sessions — a pattern that drove the May 2 strategic pivot.

sprint reportlater regressed
backfill needed

Day 9 — Tester rotation 1 begins

Apr 28, 2026

First tester rotation. Initial feedback gathered. Specifics need reconstruction.

no closeout doc

Day 10 — Anatomy + lean-down plan

Apr 29, 2026

First strategic anatomy doc — XJobs codebase decomposed into 8 frontend modules. The "destination map" for eventual modularization. Phase 4 (frontend modularization) explicitly deferred to post-pilot during this work.

strategycloseout doc

Day 11 — Refactor planning

Apr 30, 2026

Refactoring plan v2 drafted. AKA Identity Model spec written. Phase 2 execution plan articulated. Bug audit begun.

strategycloseout doccloseout part II

Day 12 — System architecture diagram

May 1, 2026

5-layer architecture diagram produced. Layer 1 (Browser) → Layer 2 (Frontend) → Layer 3 (Server) → Layer 4 (Postgres) → Layer 5 (Vendors). This becomes the framework for the May 2 Phase 1 audit.

architecturecloseoutevening closeout

Day 13 — Strategic pivot day

May 2, 2026

Morning walkthrough surfaces 14 production bugs. Mid-walkthrough, founder reframes the entire problem: "local is the baseline, prod is bloated by cousin contamination." Strategic pivot adopted: clean local first, fresh prod redeploy. Phase 1 audit begins. 18 findings catalogued by EOD afternoon. Master close-out + RAID register established.

strategic pivotphase 1 begunmaster closeoutraid register

Day 13 PM — Audit acceleration

May 2, 2026 PM

Evening side-quest: working local demo confirmed. OAuth redirect URI fixed in Google Cloud Console. ScoreJob null guard re-applied (regression from April 27 confirmed). New issues logged: I10 (stale JWT cross-environment), I11 (double Google OAuth flow). Master close-out doc with embedded dashboard, scorecard, and Gantt produced.

working demoregression confirmedvisual artifacts

Day 14 — Layer 2 deep dive

May 3, 2026

JS function inventory completed (~290 functions across 26 clusters). All 66 fetch() calls audited — 31 unique endpoints catalogued, the complete Layer 2 → Layer 3 contract. localStorage subsystem fully mapped: 85 touchpoints, 17 new findings (F38–F54). F55 logged: missing session housekeeping pattern, root cause of "user always logged in" mystery. Three governance artifacts produced: Best Practices Playbook, Agent Briefing Template, Compliance Checklist.

governance builtlayer 2 = 85%17 new findingsi12 logged

Day 15 — Layer 3 audit (server)

May 4, 2026

Audited api.js (2,065 lines), auth.js, email.js, index.js. Cross-referenced against Day 14's 31-endpoint frontend contract. F129/F130/F143/F147 logged. F143 resolved during session (Resend domain verified as xjobsfinder.com). Layer 3 reached 88% by EOD.

layer 3 serverF143 resolvedenv-cluster surfaced

Day 15 PM — Recovery + cluster-bounding

May 4, 2026 PM

Late-session base64 paste corrupted phase1audit.md (49 lines mojibake appended). Clean recovery via head -n 801 truncation; forensic backup retained. Env-validation cluster definitively bounded at 3 vars (F129 + F130 + F147). Lesson logged: chunked base64 file-transfer method retired.

recovery cleancluster boundedlayer 3 = 95%method retired

Day 16 — Layer 4/5 audit + governance docs

May 5, 2026

Postgres + vendor audit completed. Phase 1 reaches 100% by EOD. Founder articulates governance need: an 'agent onboarding contract' so future agents inherit context instead of starting cold. Foundation laid for permanent governance documents.

phase 1 = 100%layer 4 + 5governance scoped

Day 17 — Phase 1.5 deletion + early identity work

May 6, 2026

Phase 1.5 surgical deletion: confirmed duplicate-ID zombies removed (F5, F9, F11, F13). Started groundwork on the AKA Identity refactor: localStorage subsystem cleanup planning, identification of every state-leak surface.

phase 1.5 in progressidentity scoped

Day 18 — Recurring JWT bug + late-night governance ship

May 6, 2026

Recurring Gmail OAuth JWT bug surfaced for the third time across sessions (F181). Root cause finally traced: 6 frontend call sites all manually passed userId; missing one silently produced orphan tokens. Surgical fix: server-side JWT verification on /gmail/authorize, single source of truth. Late-night session also produced two permanent governance documents: AGENT-ONBOARDING.md + HANDOFF.md.

F181 structural fixgovernance docs shippedlate-night session

Day 19 — JWT push + smoke test reveals new findings

May 7, 2026

F181 (server-side JWT verification) + F171 (double Gmail scan elimination) pushed to production. Production smoke test verified both fixes working. Test surfaced two pre-pilot blockers: F183 (resume state lost during user flow), F184 (signup gate not enforced). Evening: F183 v2 + F186 housekeeping shipped end-to-end. v2.0-baseline effectively delivered.

F181 + F171 LIVEF183 logged criticalF186 housekeeping LIVEv2.0-baseline reached

Day 20 — Polish + Part C cleanup

May 8, 2026

Part C of F186 housekeeping: user-scope the 6 remaining untagged resume writes + 4 gmail writes. F184 signup gate enforcement. Tester re-engagement message (Oli + Oscar) drafted.

phase 1.5 → 100%F184 closetesters re-engage

Day 21 — Pre-pilot bugfix sprint begins

May 9, 2026

F74 (auth on Stripe create-checkout-session), F124 (webhook idempotency), F192 (paywall email correctness), F193 design (paid_grants entitlement system) — scoped, branched (fix/resume-ats-compliance), and three landed locally with stripe-cli forwarding validation. F197 + F198 also shipped (re-downloadable preview + HTML cache headers). 4 commits on branch by EOD.

5 fixes localfix/resume-ats-compliancestripe-cli verified

Day 22 — Production ship + 9 fixes verified

May 10, 2026

Marathon session: F193 + F124 + db-init repair committed. F201 + F202 (Forgot Password UX) committed. Branch pushed, PR opened, merged to main. Stripe webhook re-routed to Railway endpoint. paid_grants table created in production DB. Production end-to-end validated by founder: signup → resume → ATS → paywall → $5 → DOCX → re-download. Tester quickstart V2 generated. 9 findings closed total over 2 days.

9 fixes LIVEstripe → Railwayprod E2E validatedtester quickstart ready

Day 26 - five-deploy bug cluster fix (Oscar investigation)

May 13, 2026

Oscar reported Quick Match returning 0% with broken UI (Target Position placeholder). Investigation cascaded through five distinct bugs across cache, server, frontend, and UX layers - all shipped same day. F215 cache poisoning protection (cf7dedb). F216 /parse-jd silent placeholder fallback replaced with proper HTTP 500 (66f5865). F218 browser alert replaced with inline error and input preservation (c920664). F220 - the big one: paste path removed, upload guardrails (file size, extension, text length, JD signal-words, resume-similarity hard reject), low-match warn modal at <30% threshold, Tips section above upload area (465fc8d). Plus subtitle copy hygiene (a41d3ed). FIVE production deploys in one day, all clean, all verified. F217 (ATS hallucinating fake experience claims for users) discovered during investigation - logged, deferred to Day 27 as P0.

F215 LIVEF216 LIVEF218 LIVEF220 LIVEF217 OPEN5 deploysOscar canary
May 12, 2026

Test-run intake pipeline built and deployed: Tally form embedded on dashboard (Submit a run section), Google Sheet retrofitted with 19 historical findings as RUN-0001 through RUN-0019, Tally-to-Sheets integration verified with smoke test. Loop closed: tester submits then email to Jorge then row in sheet. Same night, Oli reported F214 (Continue with Google missing on download-gate modal) - diagnosed, fixed via continueWithGoogleForDownload() wrapper calling existing googleSignIn() handler, deployed (a501d35), and personally verified on production through BOTH paths (Incognito email-entry plus regular Chrome account picker). Bug-to-fix-to-prod: under 4 hours.

F214 LIVETally pipelinesheet retrofitboth OAuth paths verified

Day 23 — F194 close + dashboard refresh (today)

May 11, 2026

F194 closed: both F189 wipes now conditional on session health. Hard refresh preserves JWT + activeResume + resumeCache. Verified end-to-end on production. Dashboard (this page) refreshed from Day 14 → Day 23 content. New Findings section added so testers see open issues + recent resolutions at a glance.

F194 LIVEdashboard refreshfindings section added

Days 24-25 — Final polish + Quick Match sprint start

May 12-13, 2026

Remaining open findings F199 (per-resume entitlement) + F200 (lifetime free quota) addressed. F206 (Google-signin redirect) + F207 (paywall premature trigger) — small surgical fixes. Quick Match flow scaffolding begins on fix/resume-quick-match branch. Tester rotation 3 feedback intake.

F199 + F200F206 + F207Quick Match begins

Days 26-34 — Pre-launch + buffer

May 14-25, 2026

DMARC. npm audit. Pre-launch polish. Pilot invitations sent. Soft launch prep. MCP connector exploration (Linear/Slack/GitHub) if time allows.

pre-launchsecurity audit

Day 38 — Pilot launch · BIG BANG

May 26, 2026

Pilot launches. 5+ weeks of disciplined founder work, 50+ findings catalogued and resolved or queued, complete audit trail, governance system in place. The discipline is the differentiator.

pilot day 1

Findings

Open issues + recently resolved · what testers see, what's next, what's deferred

How to read this section. Each finding has an ID (F-number), a one-line title, a severity, a status, and a target date or closure date. We log every defect — testers' reports, founder discoveries, and audit findings — into one numbered system so nothing slips. The list below is filtered to what matters today: everything resolved during the pre-pilot fix sprint (Day 19-23) plus everything still open going into pilot. The full audit history (50+ findings) lives in phase1audit.md.
16
Resolved
5
Open
2
Deferred post-pilot
ID Title Severity Status Target/Closed
F255 3-pane overwrites green "resume fixed" screen after optimization — analyzeATSStandards recalculates raw score (65) via setTimeout, stomping the optimized score (95) green card high resolved closed Day 37 · Jun 2
After processATSAfterPayment optimized the resume and re-scored to 95, showJobSourceSelector correctly rendered the green "score >= 80" card with Quick Match. But showAtsResultView fired via setTimeout(0) and recalculated from analyzeATSStandards() which returns the raw structural score (65), overwriting the green card with the yellow warning + purple button. Fix: skip the 3-pane re-render when window.atsOptimized is true. Found via [TRACER] logs during E2E testing.
F254 fireAts auto-runs full ATS optimization pipeline (animations, TTS, 3-pane view) on post-OAuth return — user only wanted to download high resolved closed Day 36 · May 30
runAtsPathBAfterAuth called processATSAfterPayment() which ran the full pipeline: processing animation, optimizeResume(), TTS voice narration, and showJobSourceSelector() with the 3-pane result view. User had already seen all of this pre-auth — they just needed the download. Fix: replaced processATSAfterPayment() with silent optimizeResume() + analyzeATSCompliance(), letting the existing previewId poll handle the download. Found during E2E Test 2.7.
F253 Late housekeeping IIFE wipes localStorage during OAuth landing — destroys resumeCache + pendingAts before post-OAuth handler stores token high resolved closed Day 36 · May 30
F189 early-wipe had OAuth guard (auth_token in URL → defer), but the second housekeeping IIFE at line ~15663 did not. It saw "no token" and called clearAllUserState, wiping resumeCache, pendingAts flag, and QM results before the post-OAuth handler could store the JWT. Fix: added same auth_token URL check to late housekeeping IIFE. Found during E2E Test 2.7.
F74 Stripe create-checkout-session requires auth high resolved closed Day 21 · May 9
Pre-fix, anyone could create a Stripe checkout in any user's name. Now requires valid JWT.
F124 Webhook idempotency on stripe_session_id medium resolved closed Day 22 · May 10
UNIQUE constraint + ON CONFLICT DO NOTHING. Event replay no longer produces duplicate grants.
F157 Stripe webhook routing → Railway endpoint high resolved closed Day 22 · May 10
Production webhook moved from defunct GCF endpoint to Railway. Events reach the new server.
F183 Resume hydrates from DB on every page load high resolved closed Day 19 · May 7
New /api/resume/current endpoint; refreshUserProfile writes to both window and module scopes. Fixes 'resume lost' during OAuth round-trip.
F186 Session housekeeping pattern high resolved closed Day 19 · May 7
clearAllUserState() called on logout, auth-failure, no-token init, and page-load. Closes F55/F177/F182.
F192 Paywall uses authenticated email, not parsed resume medium resolved closed Day 21 · May 9
Stripe modal pre-fills auth user's email. Privacy/correctness fix.
F193 paid_grants entitlement + post-payment download high resolved closed Day 22 · May 10
Webhook writes paid_grants row; verify-session is the backstop. Replaces in-memory paidSessions Set with durable DB-backed entitlement.
F194 Conditional wipes preserve session on hard refresh high resolved closed Day 23 · May 11
Both F189-early-wipe and F189-wipe-on-load now conditional on session health. JWT + resume survive Cmd+Shift+R.
F220 Quick Match accepted any input including resume-as-JD, produced inconsistent matches and used a browser alert() on failure high resolved
F219 Quick Match scoring non-deterministic - same input produced 85% then 63% on consecutive attempts with inverted Skills/Experience breakdown medium closed-by-feature-improvement
F218 Quick Match used browser-native alert() dialog on JD parse failure - off-brand, no input preservation, no actionable guidance medium resolved
F221 Resume parse determinism - same resume produces inconsistent resumeData (skills count, experience years, title, workHistory) across runs, causing downstream matching variance. Probable cause: temperature: 0 is not truly deterministic in LLM extraction critical open
F217 ATS-optimized resume template fabricated content for every user: hardcoded "5+ years experience", "revenue 30%+", "$1M+ budgets", 5 fake Key Achievements bullets, embedded pricing section. NO skills section. Real workHistory never rendered. Now replaced with real resumeData iteration. critical resolved
F216 /parse-jd endpoint silently returned placeholder Target Position/skills=[] on any failure - frontend trusted as valid data and rendered broken UI high resolved
F215 Disk cache (server/cache.js) persisted resume parses with empty/missing skills arrays - once cached, every re-upload returned broken empty-skills result forever high resolved
F214 Continue with Google missing on download-gate registration modal high resolved
F208 Quick Match crashed on null resumeData high resolved closed Day 23 · May 11
Reported by tester (Oli) during Day-23 production rotation. Match analyzer threw 'Cannot read properties of null (reading skills)'. Fix: runQuickMatch now rehydrates from /api/resume/current if resumeData is null/empty, falls back to friendly 'Please upload resume first' alert. Plus defensive guard at top of calculateQuickMatchScore.
F197 Re-downloadable preview (24h TTL) medium resolved closed Day 22 · May 10
Once paid for an ATS optimization, user can re-download the same resume. One $5 = unlimited re-downloads of that preview.
F198 No-cache headers on all HTML routes medium resolved closed Day 22 · May 10
no-store / no-cache / must-revalidate on every HTML response. Testers always see fresh HTML after deploy.
F201 Forgot Password echoes entered email back low resolved closed Day 22 · May 10
Reset success message reads 'If an account exists for <typed-email>...' Catches typos at submit time.
F202 OAuth-only users get Google-hint, not silent skip medium resolved closed Day 22 · May 10
Forgot Password on Google-signed-up account shows blue 'Use Sign in with Google' panel. Acceptable enumeration trade-off.
F199 paid_grant not pegged to resume_id high open target: Day 24-25
Affects Quick Match flow when shipped — user pays for resume A, gets free downloads of resume B. Doesn't impact current ATS flow.
F200 Free quota refreshes every 30 days medium open target: Day 24-25
cycleStart math gives lifetime → 30 days. Slow leak; won't show in pilot but contradicts product model.
F203 Signup accepts typo'd email domains medium open target: Post-pilot
gmaiil, yahpo, gnail etc. accepted without warning. Phantom users created. Founder hit this 3 times in one debugging session.
F206 Post-Google-signin lands on voice/mike page low open target: Day 24
Cosmetic but visible. Should land on dashboard. Trace /api/auth/google/callback redirect target.
F207 Paywall fires earlier than expected for fresh users low open target: Day 24
Observed during Day 22 production validation. Paywall on FIRST download instead of second. Likely cycleStart math or plan_limits fallback.
F204 No email confirmation at signup medium deferred target: Post-pilot
Security hardening. Add verification flow before public launch.
F205 No password-reset audit table low deferred target: Post-pilot
Debugging requires server log scrape + Resend dashboard. Polish item.

Test results

What was tested · where · how it behaved · honest pass-fail tracking

What this section shows. Every fix we ship gets exercised in two environments before testers see it: local (the founder's dev box with stripe-cli forwarding webhooks) and production (the Railway-deployed build with the real Stripe webhook endpoint). The matrix below shows the most recent observed result per fix per environment, with the verification notes that justify it. Where a row says not yet for production, the code path is the same as local and we presume it stable but flag it for tester rotation 3 to confirm.
15/16
LOCAL passing
10/16
PRODUCTION passing
5
Awaiting prod re-test

Environments under test

Field Local (dev box) Production (Railway)
URLhttp://localhost:4000https://xjobs-final-production.up.railway.app (also https://dashboard.xjobsfinder.com → project status page)
Buildfix/resume-ats-compliance @ 608b6b7 then e849c20 (F194)main @ e849c20 (F194 LIVE) + 91ddbc5 (dashboard routing revert) + Day-23 commits
Tested byFounder (Jorge)Founder live walkthrough Day 22 (Stripe test mode, real card)
Test datesDay 21 (May 9) + Day 22 (May 10) + Day 23 (May 11)Day 22 (May 10) end-to-end + ad-hoc verifications Day 23
Stripe modetest, stripe-cli forwarding to localhost:4000/api/stripe/webhooktest, Railway webhook endpoint at https://xjobs-final-production.up.railway.app/api/stripe/webhook
NotesDeep test bench. Every fix verified here BEFORE production deploy. Console logs captured per scenario.F201, F202, F1, F10, F163 not yet re-verified in production — same code path as local, no schema diff, presumed stable. Tester rotation 3 will close these as PASS.

Scenario 1 — ATS resume flow + auth flows

ID Test case LOCAL PRODUCTION
F74 Stripe checkout requires auth (401 without Bearer) PASS PASS
Local: /api/stripe/create-checkout-session returns 401 with no Bearer token; 200 with valid JWT.
Production: Verified live: tester paid $5 successfully, no auth-bypass possible.
F124 Webhook idempotency on stripe_session_id PASS PASS
Local: UNIQUE constraint + ON CONFLICT DO NOTHING. Re-running same event = no dup row.
Production: Production webhook deliveries return 200; no duplicate grants observed.
F183 Resume hydrates from DB on every page load RESOLVED PASS
Local: Pre-F194 was BLOCKED — early-wipe destroyed state before hydrate could fire. Post-F194 verified: console shows [F183] resume hydrated (both scopes), skills: 5 after hard refresh.
Production: Live tester verified: 15 skills hydrate after hard refresh; dashboard shows resume.
F186 Session housekeeping (clearAllUserState) RESOLVED PASS
Local: Was over-firing on authenticated reload (F194 root). Now conditional on session health.
Production: Production hard-refresh preserves JWT + user record + activeResume key.
F192 Paywall uses authenticated email, not parsed resume PASS PASS
Local: Stripe modal pre-fills auth user's email even when resume contained a different email.
Production: Live tester verified: Stripe email matched signup, not the email in their resume.
F193 paid_grants entitlement + post-payment download PASS PASS
Local: Local stripe-cli forwarded webhook; paid_grants row created; download succeeded.
Production: Live tester paid $5, DOCX auto-downloaded, no 'still syncing' alert. Webhook 200 returned.
F194 Hard refresh preserves JWT + resume cache RESOLVED PASS
Local: Both F189 wipes now conditional. Console shows '[F189] healthy auth reload — preserved state (F194 fix)'.
Production: Production: 4 keys (xjobs_token, xjobs_user, activeResume_<id>, resumeCache_<file>) survive Cmd+Shift+R.
F197 Re-downloadable preview (24h TTL) PASS PASS
Local: After paying, 2nd/3rd/4th download succeed without paywall.
Production: curl returns count=2 for 'F197: preview persists' marker in prod HTML. Live tester re-downloaded successfully.
F198 No-cache headers on HTML routes PASS PASS
Local: Response includes cache-control: no-store, no-cache, must-revalidate.
Production: Production curl confirms headers present on /api/v1/health and root HTML.
F201 Forgot Password echoes entered email back PASS not yet
Local: Test 1 (typo): green message echoes 'bogus.typo@gmaiil.com'. Test 3 (real user): green message echoes 'jorgenreyes@yahoo.com'.
Production: Not yet re-verified in production. Same code path as local; presumed stable but flag if you observe.
F202 OAuth-only users get Google-hint PASS not yet
Local: jorgenoelreyes@gmail.com (Google-only user) → blue 'Use Sign in with Google' panel with email echoed back. Continue with Google → picker → signed in.
Production: Not yet re-verified in production. Same code path as local; presumed stable but flag if you observe.
Continue with Google OAuth account picker (regular Chrome with Google session) PASS not yet
Local: Day-22 false alarm closed. Code at server/auth.js:317 has prompt: 'select_account' correctly set.
Production: Tester should verify in regular Chrome (not incognito) with active Google session.
F1 ATS scan quota meters synchronous PASS not yet
Local: Multiple meters showing identical values (1 free run). No visible discrepancy.
Production: Re-check during pilot rotation.
F10 Single ATS panel rendered (no duplicates) PASS not yet
Local: Single ATS panel visible. No duplicate panels.
Production: Re-check during pilot rotation.
F102 Server-side pricing source-of-truth PARTIAL PARTIAL
Local: Server now requires auth + uses authenticated email; PRODUCTS table has no canonical price column so client-supplied amountCents still consulted. Full server-side authority deferred.
Production: Same partial state in production. Not pilot-blocking; flag for post-pilot.
F163 ATS analysis no longer crashes on render PASS PASS
Local: ATS analysis completed without crash from renderATSCompliance.
Production: Live tester ran ATS analysis to completion in production.

Reading the table. A green PASS or RESOLVED means the case was actively verified in that environment on the listed date. PARTIAL means the case passes for the user-visible flow but has a known caveat tracked elsewhere. BLOCKED means another finding is preventing the case from being verified — when that blocker closes, this case is re-run. "not yet" means the code path is shared with local (so we presume parity) but we haven't re-verified in production specifically. Tester rotation 3 will close those out and update this matrix.

Submit a test run

Closing the loop, every test execution flows through here, auto-logs to the team sheet, email lands in Jorge inbox

Where submissions live: all responses auto-append to the XJobs Test Runs Google Sheet (public read access). Two tabs: Sheet1 has 19 retrofitted historical findings; Form Submissions is where new entries from this form land.

Test scripts — Master Test Pack

One standardized script per flow · the single source of truth · same scripts for testers and the pilot group · report via the 🐞 button (rolls up to SUPER QA)

👋 Testers & pilot group — start here. Use the 🧪 Pilot Test Pack card just below — 7 standardized scripts, one per flow (Auth · Resume·Fix · Resume·Build · Jobs · Match→Exchange · Land·Interview · Payments). Open the 📖 Cover & how-to-run first, then your assigned flow. Run against https://xjobs-final-production.up.railway.app and report via the 🐞 Found a bug? button on any screen (it rolls up to SUPER QA), or the Submit a run tab.

🌐 Cross-browser coverage by design. We are deliberately testing across browsers to catch browser-specific issues that one tester alone would miss. Assignments for this round: Oli on Chrome (Cmd+Shift+N for Incognito), Oscar on Firefox (Cmd+Shift+P for Private), Jorge on Safari (Cmd+Shift+N for Private). Edge coverage queued for pilot v2.

⚠️ Browser hygiene matters. Always test in a fresh Incognito / Private window. Regular browsers accumulate state across sessions — old tokens, cached resumes, quota counters — which can cause confusing behavior that is not actually a bug. If a bug only appears in one browser, that is valuable signal — note your browser when submitting findings. If a bug reproduces across browsers, that is a real code issue worth fixing.

🧪 Pilot Test Pack — the standard set (one script per flow)

Everyone — testers and pilot group — runs these 7 scripts the same way and reports with the 🐞 Found a bug? button (rolls up to SUPER QA). Read the cover first, then your assigned flow. 📖 Cover & how-to-run →

#FlowScriptVideo~Time
1Auth & Recoveryopen8m
2Resume · Fix it (ATS)open12m
3Resume · Build it (AVA)open10m
4Jobs · Find (Gmail/Yahoo/Boards)open8m
5Match · Quick Match → Exchangeopen12m
6Land · Interview (SME/Coach/Trainer)open12m
7Payments · Paywall & Upgradeopen8m

Browsers: Oli = Chrome · Oscar = Firefox · pilot = your own. ⭐ steps = report immediately. Each script has a 🎥 "what to record" section — drop the video link into this table as you record. Status: 2026-06-25 · all 7 drafted.

📋 Action Items — what to prioritize

The live backlog: due dates, % complete, mark-done. Sorted soonest-first. Editable right here — and a floating dock keeps the top priorities in view on every screen.

Loading…

Roadmap

Product items tracked by phase · pre-pilot → pilot → post-pilot Q3 → post-pilot Q4+

How to read this section. Every product item — bugs, features, structural improvements, communications work — lands here organized by phase. Pre-pilot items must ship before May 26. Pilot items get attention during the May 26 - June 9 window. Q3 items are the big post-pilot builds (most notably F209 Interview Agent rebuild, with full spec authored Day 23). Q4+ items are membership-tier work and security hardening. Status pills: scheduled = work queued; spec authored = design doc written, implementation pending; logged = captured but not yet scoped; deferred = explicitly chosen to wait.

🔴 Pre-pilot (must land by May 26)

ID Title Priority Status ETA
tester-quickstart Send pilot quickstart to Oli + Oscar critical scheduled Day 23-24 ASAP
Highest-leverage pending action. 5 minutes of founder time = ~30 hours of tester coverage. V2 quickstart docx already exists.
F211-data Tracker data-model migration high scheduled Day 24-25
Add role_title, outcome, notes, last_accessed_at columns to resumes table. Update Customize flow to write at row creation. ~1 hour. Protects 15 days of pilot data quality.
slack-channel Slack #xjobsfinder-pilot-bugs high scheduled Day 23-24
Channel for parallel tester reports. Without it, reports queue in email. 90 seconds to set up. Compounds for 15 days.
F207 Paywall premature trigger investigation low scheduled Day 24
Observed during Day-22 production validation. Diagnostic needed. ~30 min.
F206 Post-Google-signin redirect fix low scheduled Day 24
Lands on /voice page instead of dashboard. ~10 min single-line fix in auth.js callback.

🟡 Pilot window (May 26 - Jun 9)

ID Title Priority Status ETA
F203 Email typo domain validation medium logged during pilot
Signup accepts gmaiil/yahpo/etc. Phantom users created. Founder hit 3 in one debugging session.
F199 paid_grant pegged to resume_id high logged Q3 early
Affects Quick Match — user pays for resume A, gets free downloads of resume B. Blocks Quick Match v2 GA.
F200 Free quota refresh lifetime (not monthly) medium logged during pilot
cycleStart math gives 30-day refresh; should be lifetime. Slow leak; won't show in pilot but contradicts product model.

🟢 Post-pilot Q3 (Jun-Aug 2026)

ID Title Priority Status ETA
F209 Interview Agent — top-level CTA + Builder high spec authored Q3 2026
Repositioning Interview from end-of-funnel buried feature to first-class revenue surface. Conversational Builder (5-7 Qs), three entry points, cheatsheet artifact. Full spec: Interview-Agent-Framework-Spec-v1.0-2026-05-11.docx
F211-ui Tracker findability UI (search + filter + sort) high logged Q3 2026
Power-user findability. Search across JD + resume + company. Filter by company / role / date / outcome. Sort by recency / score / outcome. Data model lands pre-pilot; UI here.
F212 Outcome tracking UI medium logged Q3 2026
Status dropdown on each tracker row (callback / interview / offer / declined / no_response / waiting / withdrew). Drives long-tail member value.
mcp-connectors MCP connectors (Linear / Slack / GitHub) low logged Q3 2026
Compounding leverage: bug-in-Slack → automatic Linear issue → patch → push. ~30 min setup once.

🔵 Post-pilot Q4+ (Sep+ 2026)

ID Title Priority Status ETA
F213 Pro / Consultant tier UX + entitlement gating medium logged Q4 2026
Tier-aware UI views, Pro/Consultant upgrade pages, entitlement-check middleware. Schema ready (users.role + paid_grants), UX work needed.
voice-mode Voice mode for Interview Agent low logged TBD evaluate
Practice out loud with the agent (ElevenLabs already wired). Defer; let pilot data signal demand.
F204 Email confirmation at signup medium deferred post-pilot
Security hardening. Add verification flow before public launch.
F205 Password-reset audit table low deferred post-pilot
Debugging quality. Track every password reset request server-side.

Decisions log

Strategic pivots and architectural calls · with rationale and quote when relevant

Quick Match rebuilt as honest, job-history-aware matching (v2)

June 3-4, 2026

Killed substring matching (Go matched MonGOdb, Java matched JavaScript). New /api/match/deep judges the JD's real requirements against what the candidate ACTUALLY DID per role (the bullets) — met/gap + evidence (which role) + recency — and scores RELEVANT (not total) experience + seniority + role/title fit; off-target experience isn't credited. parse-jd owns clean atomic skill extraction; the deep matcher matches verbatim. Headline score is now the weighted blend (skills + experience + location + salary…), so a strong-skills/low-seniority candidate reads honestly in the 60s, not skill-only in the 100s. UI: gap-only, full-width color-coded collapsible category matrix with checkboxes, credentials greyed (can't manufacture a CFA), live header score. The gap→Customize→interview handoff is untouched. Proven on the real SMBC JD + résumé, zero false positives. Docs: QuickMatch-v2-Engine.md, PILOT-Build-2026-06-04.md. Tag pilot-1.0.

"Those buckets don't do justice… we need to go through each job and see what the candidate did… for every job description we need the key words and then go fish them in the resume or fuzzy match them." — and: "match RELEVANT experience, not total. 20 years in the market but only the last 2 jobs were as a developer."

Interview agent made human + multilingual; voice moved to free Edge neural

June 4, 2026

The brain emoji is gone; the interviewer is a human photo with a name and a persona by vertical, with a GENDER-MATCHED voice (face and voice are one unit), and a speaking glow while it talks. Gaps drive it: 5 questions per gap → 3 gaps = 15. The whole experience runs in the user's chosen language — set once globally and persisted — across questions (Claude), voice, mic, AND displayed agent prose (QM note, customized bullets, ATS recommendations), via a cached /api/translate + a MutationObserver that auto-localizes any .i18n element. Voice default flipped to FREE Microsoft Edge neural (~100 languages, no key); ElevenLabs is an optional premium toggle; Azure Neural is the cheap supported path at scale. Docs: Interview-Agent-v2.md, Multilingual-Architecture.md.

"The BRAIN has got to go… we need someone more trustworthy… choose a picture and a voice by vertical." — and: "All of these APIs amount to a higher price for me, especially when we go global, which is immediately. Is there a free voice like 11 Labs?"

Interview priced by gap count, server-enforced

June 4, 2026

The intended model (1-3 gaps $5, 4-6 $10, 7+ $15) existed in pricing.js but was DEAD CODE — the actual charge was a flat salary-tier price the client sent and Stripe trusted. Fixed: the checkout now derives the amount from getFeaturePrice('interview', gapCount) server-side (correct AND tamper-proof), and the Practice Interview button shows the right tier live as gaps are checked.

ATS rebuilt as a real, honest gate (four-pillar engine)

June 1-2, 2026

Killed the "lipstick on the pig" scorecard (fake categories, auto-awarded format points). Rebuilt the ATS as a four-pillar engine — Format, Completeness, Quality, Integrity — calibrated to documented real-world ATS behavior. Added REAL .docx inspection (tables, columns, images, text boxes, header/footer contact, fonts) with a hard-fail cap, the founder's date-gap / recency / "last 10-12 years" Integrity checks, a "see your resume as the ATS reads it" robot view, honest projected scores (no resume is "invincible"), and a not-a-resume upload guard. Pass bar held at 80. Spec: Documentation/Audit/pilot-flows/01-ATS-calibration-2026-06-01.md. Guards: e2e 07/08/09.

"The ATS gate is a credibility deposit, not the product. If we clear a resume that a real employer's ATS rejects, the user never trusts the job-finding engine. We must be the harsher gate." — and: "NO RESUME IS PERFECT... you don't want to soup up the user's head to make him think his resume is invincible."

Local-as-baseline strategic pivot

May 2, 2026

Halted all production patching. Adopted: clean local first, fresh prod redeploy from clean baseline. Tag v2.0-baseline at end of Phase 2.5.

"Our local version is the baseline. The server version was somehow contaminated by cousin. Prod is the mere result of a BLOATED local code so it is misbehaving inherently."

Production frozen until v2.0-baseline ships

May 2, 2026

No production deploys allowed during architectural cleanup. Tester comms drafted to communicate freeze. Prevents drift between local cleanup and prod state.

Phase 4 (frontend modularization) deferred to post-pilot

May 2, 2026

8-module decomposition (per Anatomy doc) is the target architecture but will not happen pre-pilot. Phase 1.5 + Phase 2 alone deliver enough cleanup for a clean baseline. Modularization can happen post-launch.

Audit organized by 5 architectural layers, not flat type taxonomy

May 2, 2026

Per Day 12 system diagram. Each layer audited independently before crossing boundaries. Better than alphabetical or chronological organization for surfacing structural issues.

Three-document governance system established

May 3, 2026

Best Practices Playbook (founder reference) + Agent Briefing Template (paste at session start) + Session Compliance Checklist (end-of-session audit). Together: complete agent-partnership governance with full enforcement via end-of-session ritual.

"It is probably a bit of a maintenance nightmare but worth the investment upfront." — founder articulating the discipline tradeoff

F55 + I12 logged — "user always logged in" mystery diagnosed

May 3, 2026

Connected F38 (auth in localStorage) + F50 (5 writes / 1 cleanup) + F51 (PII never cleared) + F54 (logout incomplete) into a single architectural diagnosis: missing session housekeeping pattern. Resolution queued to Phase 2.

Pre-pilot fix sprint — ship pay flow end-to-end

May 9, 2026 (Day 21)

Adopted: spend Day 21-22 closing the ATS-compliance flow defects so testers can run a complete journey in production. F74, F124, F192, F193, F197, F198 scoped as one branch (fix/resume-ats-compliance). Locally verified via stripe-cli forwarding before merge to main.

Stripe webhook routing moved from defunct GCF to Railway

May 10, 2026 (Day 22)

Production webhook endpoint was still pointed at us-central1-xjobs-app.cloudfunctions.net (disabled). New endpoint added in Stripe dashboard pointing at Railway. STRIPE_WEBHOOK_SECRET env var updated. Old GCF endpoint left disabled (F157 closed).

paid_grants entitlement DB table created in production

May 10, 2026 (Day 22)

Production Postgres was missing paid_grants. CREATE TABLE run via Railway's Postgres query interface. db:init script doesn't run on Railway deploys; one-off SQL is acceptable when schema additions are idempotent (CREATE IF NOT EXISTS).

F189-early-wipe is now CONDITIONAL on session health

May 11, 2026 (Day 23)

Original F189 wiped localStorage on every page load to close session-bleed. Side effect: legitimate hard-refresh destroyed JWT + activeResume keys, kicking authenticated users to login. Fix: wipe only fires when (a) no token + orphan state, (b) token without user record, (c) corrupt user record. Healthy auth reload preserves everything; server validation via refreshUserProfile is the correct gate.

We need the dashboard to be independent so that the testers and I can see it and track bugs and project updates through it — founder, clarifying scope after a misread routing change

dashboard.xjobsfinder.com kept as project-status URL

May 11, 2026 (Day 23)

Custom domain serves Documentation/Dashboard/XJobs-Tester-Preview.html (this page), not app.html. App stays at xjobs-final-production.up.railway.app. Two URLs, two audiences. Tester quickstart references both clearly.

Interview Agent Framework v1.0 — product spec authored

May 11, 2026 (Day 23 PM)

Full architectural spec for repositioning Interview Agent from end-of-funnel buried feature to first-class top-level CTA. Covers: three entry points (standalone, post-customization, pre-ATS), conversational Interview Builder (Ava-style 5-7 questions producing framework object), cheatsheet artifact as parallel to customized resume, tracker integration, entitlement model + future Pro/Consultant tiering. Spec deliverable: Interview-Agent-Framework-Spec-v1.0-2026-05-11.docx in repo Documentation/Specs/. Implementation deferred to Q3 (post-pilot). Cross-references findings F209, F210, F211, F212, F213.

$5 transactions are the funnel. The accumulating tracker is why members stay. — Day-23 architectural session, identifying the member-archive thesis

F211 reframed: FIFO rejected, findability + outcome tracking adopted

May 11, 2026 (Day 23 PM)

Initial F211 design proposed a 5-resume cap with FIFO auto-archive. Founder use case (100 resumes/year as consultant) revealed this would actively harm the power-user persona. Reframed: NO cap on tracker. Findability via search + filter + sort. Outcome tracking column (F212) on every row. Pre-pilot work: data-model columns must land before May 26 so retroactive data is captured correctly (role_title, outcome, notes, last_accessed_at). UI work post-pilot Q3.

I literally create about 100 resumes per year as an independent consultant — that is one of the BIGGEST pain points as I don't remember when, who and what. — founder identifying himself as the customer voice that overrides the elegant-but-wrong FIFO design

How we work

The discipline behind the build · why every session counts

26
Sessions tracked
5
Governance docs in place
100%
Sessions with closeout
15
Days to pilot

Why this matters for you

You're testing a product built by one founder partnered with AI. Most people assume that means low quality. We're proving the opposite. Every session is documented. Every decision is captured. Every risk is tracked. When you see a feature change, a tester pause, or a release date — there's a paper trail behind it.

The rhythm

Daily: Each working session ends with a written closeout. State of the project, decisions made, what's next. No mental TODO lists.

Weekly: Strategic review. Phase progress assessed. Risks updated. Tester feedback integrated.

Per release: Tagged baseline. Tested smoke paths. Then deployed. Never the other way around.

What this looks like in practice

When you report a bug, it gets logged with an ID, a severity, and a phase target. You can see when it'll be addressed. When we pause testing, you know why and when it resumes. When the pilot launches May 26, it'll be against a baseline we've audited end-to-end — not a hopeful guess.

Document library

Strategic and project documents · evidence of the work

Pilot build — Quick Match v2 + Interview + Multilingual

  • Pilot Build Log (master)Jun 4
  • Quick Match v2 — Engine, Gap Matrix, Scoring & PricingJun 4
  • Interview Agent v2 — Human, Persona-Matched, MultilingualJun 4
  • Multilingual Architecture + Voice ProvidersJun 4

Strategy + planning

  • App Development Best Practices Playbookv1.0
  • Agent Briefing Templatev1.0
  • Session Compliance Checklistv1.0
  • Local-Baseline Reset (the pivot)May 2
  • Anatomy + Lean-Down PlanApr 29
  • Refactoring Plan v2May 2
  • Phase 2 Execution Planv1
  • Roadmap Enhancementsv1.2

Daily close-outs

  • Day 10 Close-OutApr 30
  • Day 11 Close-Out Part IIApr 30
  • Day 12 Close-Out + EveningMay 1
  • Day 13 Close-Out + PM MasterMay 2
  • Day 14 Close-OutMay 3
  • Day 15 + 15 PM Close-OutsMay 4
  • Day 16 PM MasterMay 5
  • Day 18 Master + AddendumMay 6
  • Day 19 MasterMay 7
  • Day 21 HandoffMay 9
  • Day 22 Production ValidationMay 10
  • Day 23 Dashboard RefreshMay 11

Product specifications

Tester materials

  • Pilot Test Tester Quickstart (FINAL V2)May 10
  • TestExec Audit (Jorge)May 9
  • Regression Matrix (xlsx)May 9

Reports

  • Sprint Report (April 27)Apr 27
  • Email Infrastructure Setup RecordMay 1
  • Stripe Webhook Re-routing RecordMay 10
  • F194 Session Preservation SurgeryMay 11
  • F208 Quick Match Null-Resume FixMay 11

This dashboard

  • Tester preview (this page)v1.3
  • Last refreshedMay 11
  • Refresh cadenceper session

Operations - Founder Reference

Hidden by default. Bookmark this URL with #operations on the end.

You found the secret room. This section exists for the founder - quick reference for daily work, situational diagnostics, command cheatsheet. Hidden from testers via URL fragment gate.

Quick reference - the things you forget

Production URLhttps://xjobs-final-production.up.railway.app
Domain (when configured)https://xjobsfinder.com/dashboard#operations
Repo path~/xjobs-final/
Run env-sync checkbash scripts/env-status.sh
Production version endpoint/api/version
Local server startnode server/index.js
Pilot launchMonday, May 26, 2026 (Day 38)
Earliest rollback tagpre-jwt-f171-push (c015542)

Daily open ritual (5 min)

1
cd ~/xjobs-final && bash scripts/env-status.sh - confirm clean state. If verdict is not ALL THREE IN SYNC, fix that first.
2
Open HANDOFF.md - read CURRENT STATE block + most recent session log entry to remember where things left off.
3
Open SPRINT.md - read today's day card to see what's planned.
4
Check Railway dashboard for any overnight alerts or deploy issues.
5
Pull any tester reports submitted overnight (email).

Daily close ritual (15-25 min target)

1
bash scripts/env-status.sh - paste output verbatim into HANDOFF.md CURRENT STATE block.
2
Update HANDOFF.md narrative below env block - what shipped today, what got tested, open threads.
3
Append to phase1audit.md if findings changed.
4
Append today's day card to SPRINT.md.
5
Refresh dashboard if status changed materially.
6
git add -A && git commit -m "daily(DAY-N): ..." && git push
7
Re-run env-status.sh. Verdict must be ALL THREE IN SYNC before session is closed.

Situational - what to do when things look wrong

SymptomWhat to do
"User logged in" in fresh incognitoF177/F182 family - should be closed by F186. Run env-status, hard-refresh, check console for [housekeeping] line.
Match scores all 50% / 0/NF183 regression. Check console for [F183] resume hydrated (both scopes). If missing, /api/resume/current is failing.
Connect Gmail shows sign-in formF181 regression. Check /gmail/authorize route in api.js still has JWT verification.
env-status.sh shows DRIFT (production)Railway deploy may have failed. Wait 2 min, re-run. If persists, check Railway logs.
env-status.sh shows DRIFT (local vs origin)You forgot to push, OR you pulled changes you don't have. git status + git log --oneline -5 tells the truth.
"This used to work" reportF180 foot-cannon. First check: URL bar - localhost or file://? File:// = stale Downloads copy. NOT a real bug.
Local server EADDRINUSE port 4000Another node process running. lsof -ti :4000 | xargs kill -9
Production looks broken1) env-status to confirm what's deployed. 2) If genuinely broken: git revert <bad-commit> && git push.

The 4 canonical documents

DocumentWhen to updateUse it for
AGENT-ONBOARDING.mdOnly when patterns changeThe contract every agent reads. 19 sections.
HANDOFF.mdEvery session closeCURRENT STATE block + append-only session log.
phase1audit.mdWhen findings changeThe truth about every bug. Append-only.
SPRINT.mdEnd of every working dayDay-by-day plan. Replaces old DAY-N-MASTER pattern.

Quick commands - copy-pasteable

NeedCommand
Check env syncbash ~/xjobs-final/scripts/env-status.sh
What's the current production SHAcurl -s https://xjobs-final-production.up.railway.app/api/version | python3 -m json.tool
What's my local HEADcd ~/xjobs-final && git log --oneline -1
Recent commitsgit log --oneline -10
Working tree statusgit status
Start local servercd ~/xjobs-final && node server/index.js
Kill stuck server on port 4000lsof -ti :4000 | xargs kill -9
Find a finding in the auditgrep -n "F183" ~/xjobs-final/Documentation/Audit/phase1audit.md

Canonical documents - one-click access

Click any document to open it in a new tab. Use Cmd+A then Cmd+C to copy the entire contents, then paste into a new agent chat as needed.

DocumentUse it forOpen
AGENT-ONBOARDING.mdThe contract every new agent reads first. Paste into chat at session start.Open in tab
HANDOFF.mdCurrent state + per-session log. Paste into chat at session start, after onboarding.Open in tab
SPRINT.mdDay-by-day plan from Day 20 to pilot. Day cards show what is planned.Open in tab
phase1audit.md1758 lines of finding history. Reference when investigating known bugs.Open in tab

Tip: to start a new agent session quickly, open AGENT-ONBOARDING.md and HANDOFF.md, copy each into the new chat in that order. The agent now has full context.

Recent close-outs - last 5 in Documentation/Weekly/

Auto-populated from the repo. Most recently modified files first. Older files stay in the repo as archive but stop appearing here once newer ones are added.

FilenameModifiedOpen
Loading...

"Slowly but surely beats the race."