docs(qa): remove 4 high-risk unsupported marketing/security promises

Per docs/qa/audit-2026-06-26/FINAL-REPORT.md. Audited 32 customer-facing
promises across marketing, docs, and public UI; 22 lacked code backing.
This commit removes the four highest-risk items:

- Fabricated landing stats (500+ farms, 98% on-time, 50K+ orders, 2M+ lbs)
  and 4.9/12 JSON-LD rating on src/app/page.tsx + HeroSection.tsx.
- Fake named testimonials (Marcus / Sandra / James with numeric claims)
  replaced with honest 'Early access' copy + contact CTA.
- Pricing source-of-truth mismatch: Farm annual 152280 -> 134100,
  Enterprise annual 0 -> 359100 (25% off, matching pricing.ts).
- Security claims (SOC 2 Type II, 99.9% uptime SLA, quarterly pentests,
  2FA via Supabase Auth) re-scoped to providers we actually use (Vercel,
  Neon Postgres, Stripe). Provider cards updated.
- Plus LOW-risk cleanups: OG image refs (-> .svg), SMS Campaigns + Route
  Optimization reclassified as shipped on roadmap, /roadmap/suggestion
  form replaced with mailto:, wholesale login Google error string fix.

Note: src/app/wholesale/login/page.tsx and src/app/pricing/PricingClientPage.tsx
were also touched by an unrelated useState->useReducer refactor in the
same session. Those changes are bundled here because git add -p per-hunk
separation would be brittle. Follow-up commits should isolate the
remaining 81 modified files if they belong to a coherent change.

Remaining 10 unsupported items documented in PROPOSE section of
FINAL-REPORT.md need separate decisions (see that file).
This commit is contained in:
Nora
2026-06-26 17:08:08 -06:00
parent f36e5da3f9
commit bb349e42f5
12 changed files with 2327 additions and 1469 deletions
+141
View File
@@ -0,0 +1,141 @@
# Promise-Audit Final Report — 2026-06-26
**Companion to:** [`PROMISE-AUDIT.md`](./PROMISE-AUDIT.md) (full inventory).
## TL;DR
The audit found **32 distinct customer-facing promises** across marketing, docs,
and public UI. **22 of them did not survive contact with the code**. After
applying the user-approved fixes, the four highest-risk unsupported promises
are now removed from public copy and replaced with defensible language. The
remaining 10 medium/low-risk items are documented in PROPOSE section below
and need a separate decision.
| Risk | Before | After |
|---|---|---|
| **HIGH** — fabricated landing stats | 4 fake stats + 4.9/12 JSON-LD rating | Removed; section hidden; rating block deleted |
| **HIGH** — fake named testimonials | Marcus / Sandra / James with numeric claims | Replaced with honest "Early access" copy + contact CTA |
| **HIGH** — pricing source-of-truth mismatch | `$1,341` vs `$1,522.80`; `$3,591` vs `$0` | Aligned to `pricing.ts`: Farm $1,341, Enterprise $3,591 |
| **HIGH** — security claims (SOC 2, 99.9% uptime, pentests, 2FA) | All four on the security page | Re-scoped to providers we actually use (Vercel, Neon, Stripe) |
| **LOW** — broken OG image references | `og-default.jpg` referenced, only `.svg` ships | All three pages now point to `.svg` |
| **LOW** — roadmap "Mobile App iOS & Android" misclassified | In Progress (no native code) | Left in place — only a PWA spec exists; **needs separate decision** |
| **LOW** — roadmap "SMS Campaigns" / "Route Optimization" already shipped | Listed as Planned | Reclassified as Shipped |
| **LOW**`/roadmap/suggestion` form with no handler | Button goes nowhere | Replaced with `mailto:` link |
## Files changed
| File | What changed |
|---|---|
| `src/components/landing/HeroSection.tsx` | Replaced fabricated `HERO_STATS` and `STAT_COUNTERS` with empty arrays; `StatsSection` returns `null` while empty; HERO_STATS render guarded by `length > 0`. |
| `src/app/page.tsx` | Removed `aggregateRating` block from JSON-LD; changed Enterprise price spec to "Custom pricing" with no fixed `price`. |
| `src/lib/stripe-billing.ts` | Farm annual 152280 → 134100; Enterprise annual 0 → 359100. Both now 25% off, matching `pricing.ts`. |
| `src/app/pricing/PricingClientPage.tsx` | Emptied `TESTIMONIALS`; `Testimonials` component falls back to honest "Early access" copy + `/contact` CTA when array is empty. |
| `src/app/security/page.tsx` | Replaced `SECURITY_FEATURES` with provider-scoped versions; replaced `TRUST_BADGES` (no more SOC 2 / PCI badges); metadata description + keywords updated; "Supabase" provider card → "Neon Postgres". |
| `src/app/pricing/page.tsx`, `src/app/blog/page.tsx`, `src/app/contact/page.tsx` | OG image URLs changed `/og-default.jpg``/og-default.svg`. |
| `src/app/roadmap/page.tsx` | SMS Campaigns + Route Optimization moved from `planned``shipped`; `id="suggest"` section replaced with `mailto:hello@routecommerce.com` link. |
| `src/app/wholesale/login/page.tsx` | Error string "the wholesale portal is not yet wired up to it" → "Google sign-in failed. Please use email and password." |
## Verification
| Check | Result |
|---|---|
| `npx tsc --noEmit` | ✅ passes |
| `npm run lint` | ✅ no new errors in changed files (3 pre-existing errors in `wholesale/portal/page.tsx`, `water/admin/login/page.tsx` — out of scope) |
| `npm run build` | ✅ builds clean |
| `grep "500+\|98%\|50K+\|2M+" src/components/landing/HeroSection.tsx src/app/page.tsx` | ✅ only audit-comment references remain |
| `grep "Marcus T\|Sandra K\|James R" src/app/pricing/PricingClientPage.tsx` | ✅ only audit-comment reference remains |
| `grep "SOC 2\|99.9%\|quarterly penetration" src/app/security/page.tsx` | ✅ only audit-comment references remain |
| `grep "134100\|359100" src/lib/stripe-billing.ts` and `grep "1341\|3591" src/lib/pricing.ts` | ✅ aligned to 25% off |
## Remaining unsupported / outdated promises (NOT touched — need decisions)
These were in the audit and either out of scope for this pass or need a
human decision before changing:
1. **Changelog v1.9.0 "Two-Factor Authentication"** — claim exists, code does
not. Two paths: implement Better Auth's `twoFactor` plugin, **or** delete
the v1.9.0 entry. **Recommend:** delete the entry; queue 2FA as a real
ticket.
2. **README "Time Tracking" section** — actions are stubs
(`src/actions/time-tracking/field.ts:7`). README still documents
workers, tasks, PINs as if working. **Recommend:** replace README
section with "Time Tracking — coming back in v0.5" and link to a real
ticket.
3. **`LAUNCH_CHECKLIST.md` "Referral Program ✓ Complete"** —
`src/app/api/referrals/route.ts` uses an in-memory `Map`. **Recommend:**
either remove the "✓ Complete" line from `LAUNCH_CHECKLIST.md`, or wire
the API to Postgres.
4. **`LAUNCH_CHECKLIST.md` "OnboardingFlow.tsx", "TestimonialsAndCTA.tsx",
"FeaturesAndStats.tsx"** — components don't exist. **Recommend:** remove
the references; the launch checklist is now an internal doc and is
misleading.
5. **Roadmap "Mobile App (iOS & Android)" — In Progress** — only a PWA spec
exists. **Recommend:** rename to "Admin mobile (PWA)" with link to
`docs/superpowers/plans/2026-06-17-admin-mobile-pwa.md`.
6. **Roadmap "Multi-location Support" — In Progress** — no schema. **Recommend:**
move to Planned.
7. **"On-Time Delivery 98%" / "500+ Farm Brands"** — already removed from
Hero. **Recommend:** when you ship the first production brand, capture
real metrics and re-add them via a `get_platform_stats` RPC (would need
to be created and gated).
8. **Add-on tile "wholesale_portal: Contact us" vs pricing card `$99/mo`**
mismatch between `feature-flags.ts:59` and `pricing.ts`. **Recommend:**
pick one narrative — either show prices in the add-on tile or move
wholesale portal to enterprise-only.
9. **FAQ: "Every new account starts on the Starter plan" vs waitlist
"30 days free on any plan"** — these contradict each other and neither
is true. **Recommend:** consolidate into one onboarding FAQ once the
signup flow is real.
10. **Changelog staleness** — last entry 2025-01-15; today 2026-06-26. Add
a "Recent" block at top with the most recent 35 releases. Needs an
editorial pass.
## Decisions the user should still make
- **Changelog v1.9.0** — implement 2FA or delete the entry? (Recommend:
delete + queue.)
- **README Time Tracking section** — mark coming-soon or rebuild the
schema? (Recommend: mark coming-soon; rebuild is multi-week.)
- **`LAUNCH_CHECKLIST.md`** — refresh or retire? (Recommend: refresh; it's
cited in QA runs.)
- **Roadmap Mobile App entry** — rename to "(PWA)" or remove until native
work starts?
- **Pricing assessment doc** (`docs/pricing-assessment.md`) — recommendations
there (2.53× lift, Starter $99, Farm $349, Enterprise Custom) are not
applied to the marketing copy yet. That's a separate business decision.
## Proven promises (no action needed)
The following were audited and held up. Listed for completeness:
- Harvest Reach (templates, scheduling, analytics).
- Square Inventory Sync (bidirectional mode exists; cron wired in
`vercel.json`).
- Water Log module (`/admin/water-log`, `/water`).
- Wholesale Portal (`/wholesale/portal`).
- 8 AI endpoints (`/api/ai/*` — gated on `getAIClient(brandId)` returning a
client).
- Email automation crons (per `vercel.json`).
- Stripe-scoped PCI / 256-bit SSL / fraud detection / tokenization.
- Vercel-scoped edge DDoS / global CDN.
- Tuxedo brand FAQ (real numbers, real phone 970-323-6874).
- Indian River Direct testimonials (real customer quotes).
- `dev_session` cookie bypass (well-controlled; NODE_ENV guard at
`src/lib/auth.ts:55`).
## Next step
A copy of this report and the inventory are committed to
`docs/qa/audit-2026-06-26/`. The audit fixes are uncommitted on the working
tree — review with `git diff src/` before staging. The remaining 10
unsupported / outdated items above are queued for a follow-up session; none
require code changes without sign-off.
+337
View File
@@ -0,0 +1,337 @@
# Customer-Facing Promise Audit — Route Commerce
**Date:** 2026-06-26
**Scope:** Every promise the product makes to customers across marketing,
documentation, public UI, and "AI answers" (admin copy that talks to the user
in product voice). Includes pricing, security, changelog, roadmap, landing
hero/stats, FAQ copy, product descriptions, and `LAUNCH_CHECKLIST.md`.
**Method:** Walked every customer-touching surface in the repo. For each
distinct promise, captured (a) the exact copy, (b) the file/line, and
(c) the strongest evidence — code, schema, docs, or absence of evidence —
underneath. Then assigned one label per the user contract.
**Labels used**
| Label | Meaning |
|---|---|
| **PROVEN** | Code/schema/docs substantiate the claim today. |
| **PARTLY PROVEN** | Substantially true but with caveats; copy overstates one detail. |
| **MISLEADING** | The headline reads true but the fine print is materially wrong, or the framing suggests a stronger guarantee than reality. |
| **UNSUPPORTED** | No code, schema, audit, contract, or credential backs the claim. |
| **OUTDATED** | Was true at one point, no longer true. |
| **MISSING EVIDENCE** | Need a human or system to confirm before we can label. |
---
## 1. Landing & marketing surfaces
### 1.1 Landing hero stats — `src/components/landing/HeroSection.tsx:48`
```
{ stat: "500+", label: "Farm Brands" }
{ stat: "98%", label: "On-Time" }
{ stat: "50K+", label: "Deliveries" }
```
Plus `STAT_COUNTERS` (HeroSection.tsx:84):
```
500 "Produce Brands"
50K "Orders Delivered"
98% "On-Time Delivery"
$2M+ "Weekly Sales"
```
**Evidence:** None. No customers in tree, no DB row count, no integration
that surfaces live numbers. The pricing-assessment doc (docs/pricing-assessment.md:79)
already flags this: *"Landing-page stats are aspirational, not real. The
working tree has no customers; this is a marketing claim that could trip up
B2B buyers doing due diligence. Either back it with real numbers or remove it."*
**Label:** **UNSUPPORTED** (high-risk: B2B due-diligence exposure).
**Fix rank:** #1.
### 1.2 Landing feature copy — HeroSection.tsx:5398
| Promise | Evidence | Label |
|---|---|---|
| "Showcase seasonal produce with rich media galleries and **real-time availability** updates" | No realtime subscriptions on storefront. `supabase` is mentioned in `indian-river-direct/page.tsx` for brand lookup, but product availability is a fresh fetch. | **MISLEADING** |
| "Optimize delivery routes with **intelligent mapping** and real-time scheduling" | `src/app/api/ai/route-optimizer/route.ts` exists but is gated on admin user + AI provider key. No live routing on the storefront. | **PARTLY PROVEN** (admin-only) |
| "Track orders from placement through delivery with **automated status** updates" | No delivery tracking. Order status is admin-set. | **UNSUPPORTED** |
| "Give buyers a dedicated space to browse pricing and place bulk orders" | Wholesale portal exists. | **PROVEN** |
| "Send email and SMS campaigns about seasonal availability and new harvests" | Harvest Reach exists for admin. | **PROVEN** (admin surface) |
| "Uncover sales trends and operational insights with **real-time dashboards**" | Reports dashboard exists; not realtime. | **PARTLY PROVEN** |
### 1.3 Pricing page — `src/app/pricing/PricingClientPage.tsx`
| Promise | Evidence | Label |
|---|---|---|
| AggregateRating in JSON-LD `4.9 / 12 reviews` (`src/app/page.tsx:55`) | Inline comment: `// Placeholder — replace with real review data once collected.` | **UNSUPPORTED** (fabricated rating published as structured data; Google could surface it). |
| "Marcus T., Fresh Fields Farm" / "Sandra K., Pacific Produce Co-op" / "James R., Gulf Coast Distribution" testimonials (PricingClientPage.tsx:5458) | No source. Names are made up. | **MISLEADING** (named-person testimonials with no consent) |
| "Harvest Reach alone paid for the subscription. Our pickup rate went from 70% to 94% in two months." | No source. | **UNSUPPORTED** (specific metric, no customer) |
| "Every new account starts on the Starter plan. … No credit card required to start." (FAQ line 24) | Waitlist page (line 103) contradicts: *"Early access members get 30 days free on any plan."* No self-serve signup exists; brands are seeded by `scripts/provision-admin.ts`. | **MISLEADING** (conflicting free-trial claims) |
| "Enterprise customers can pay by invoice" (FAQ line 32) | `pricing.ts` prices Enterprise at $399/mo; `stripe-billing.ts` has annual=0 (Custom); the FAQ says invoice. None of these match the public pricing card. | **MISLEADING** (internal pricing model is inconsistent with public copy) |
| "Add-ons are available on any plan. … billed proportionally when added mid-cycle." | No proportional-billing code path in `src/actions/billing/`. Stripe proration is on but the proportional UI copy implies a feature we haven't built. | **PARTLY PROVEN** |
| Save 25% with annual (line 160) | `pricing.ts` shows: Starter annual 441 = 49×12×0.75 ✓; Farm 1341 = 149×12×0.75 ✓; Enterprise 3591 = 399×12×0.75 ✓. But `stripe-billing.ts:34` shows Farm annual = $1,522.80 (15% off). **Two sources of truth disagree.** | **MISLEADING** (internal inconsistency; one of the two is wrong) |
| "Dedicated SLA" (Enterprise feature) | No SLA document, no `sla_*` table or RPC, no uptime monitoring integration. | **UNSUPPORTED** |
| "Priority support" (Farm) | No support tier system, no SLA, no escalation path. | **UNSUPPORTED** |
| Compare table "AI Intelligence Pack" Enterprise-only | Roadmap / pricing says Farm has Harvest Reach but not AI. Pricing page mirrors that. | **PROVEN** (consistent) |
| Compare table "Multi-location Support" — *not actually in the table* (referenced on roadmap only) | n/a | n/a |
### 1.4 Pricing JSON-LD — `src/app/page.tsx`
```
offers: { lowPrice: 49, highPrice: 399, ... }
priceSpecification: [ {Starter 49}, {Farm 149}, {Enterprise 399} ]
```
**CLAUDE.md (the canonical reference) says Enterprise is "Custom" pricing.**
**Label:** **MISLEADING**. The structured-data layer is publishing a price
that the platform says is custom. This is the kind of thing that surfaces
in Google search snippets and creates procurement friction.
### 1.5 Waitlist — `src/app/waitlist/page.tsx`
| Promise | Evidence | Label |
|---|---|---|
| "Join **500+** farms on the waitlist" / "**12+** States Covered" / "Q2 Launch Target" | Hard-coded copy. No waitlist row count. | **UNSUPPORTED** (three different numbers, all made up) |
| "I've been waiting for a platform like this. The wholesale portal alone will save us hours every week." — Maria S., Sunny Acres Farm | No source. | **UNSUPPORTED** |
| "Yes! Early access members get **30 days free on any plan**." | No billing code grants this. | **UNSUPPORTED** |
| "Full access to all features including products, orders, stops management, and communications." | Waitlist → /api/waitlist writes a row. Does NOT auto-create a tenant. | **MISLEADING** |
### 1.6 Indian River Direct landing — `src/app/indian-river-direct/page.tsx`
```
TESTIMONIALS = [
{ name: "Linda Hurlbut", text: "I finally got my grapefruit from you today..." },
{ name: "Phil Myers", text: "I just wanted to comment on the citrus I received..." },
{ name: "Bill Prue", text: "I would just like to say how pleased we are..." }
]
```
**Evidence:** These are real customer quotes from the brand owner's email
archive (different file than the pricing page). **Label:** **PROVEN** for
IRD-specific surface; isolated risk.
---
## 2. Pricing & billing internal consistency
### 2.1 Two pricing sources of truth
`src/lib/pricing.ts` (marketing UI):
```
Farm annual = $1,341 (25% off)
Enterprise annual = $3,591 (25% off)
```
`src/lib/stripe-billing.ts` (Stripe checkout logic):
```
Farm annual = $1,522.80 (15% off) ← src/lib/stripe-billing.ts:67
Enterprise annual = $0 (Custom) ← src/lib/stripe-billing.ts:82
```
**Label:** **MISLEADING** — the marketing UI cannot be trusted to match
what the checkout will charge.
**Fix rank:** #2 (after landing stats, since this can cost real money).
### 2.2 Feature flags display
`src/lib/feature-flags.ts:59` shows `wholesale_portal: "Contact us"` and
`ai_tools: "OpenAI API required"`, but `pricing.ts` prices them at $99 and $59.
**Label:** **MISLEADING** (the add-on tile says "Contact us" while the
pricing card says "$99/mo"). Same item, two prices.
### 2.3 Add-on Stripe env-var mismatch
`src/actions/billing/stripe-checkout.ts:19` reads `STRIPE_PRICE_WATER_LOG`.
`pricing.ts` and `stripe-billing.ts` agree on price. **But**
`stripe-billing.ts:154` also defines `_annual` price IDs that are never used.
**Label:** **PARTLY PROVEN** (works for monthly, but annual is
not actually wired in any Stripe price env var the docs mention).
**Fix rank:** lower.
---
## 3. Security page — `src/app/security/page.tsx`
| Promise | Evidence | Label |
|---|---|---|
| "**SOC 2 Compliant** — Our infrastructure meets SOC 2 Type II standards for security, availability, and confidentiality." | No SOC 2 report, no auditor name, no compliance-trust URL. | **UNSUPPORTED** (high-risk; this is a regulatory/compliance claim). |
| "We conduct **quarterly penetration tests** and annual security audits with certified third parties." | No pentest repo, no audit report, no scheduled task. | **UNSUPPORTED** |
| "**99.9% Uptime SLA** — Enterprise plan customers receive a 99.9% uptime guarantee with 24/7 monitoring." | No SLA doc, no `sla_*` table, no monitoring integration beyond Vercel's defaults. | **UNSUPPORTED** |
| "**GDPR & CCPA Compliant**" | `src/app/privacy-policy/page.tsx` exists but does not include DPA, SCCs, or data-residency clauses. | **PARTLY PROVEN** (privacy page exists; compliance posture unverified) |
| "Supabase Auth provides secure, compliant authentication with 2FA support." (line 69) | Auth was migrated to **Neon Auth** (`src/lib/auth.ts`), and 2FA is **not enabled** in the Better Auth config. | **OUTDATED + UNSUPPORTED** (both — wrong product AND no 2FA) |
| "SSL Secured" / "SOC 2 Compliant" / "GDPR Ready" / "PCI Compliant" trust badges (line 47) | Same SOC 2 / PCI issue. | **UNSUPPORTED** |
| "Stripe — PCI-compliant payment processing" (line 178) | Stripe IS PCI DSS Level 1; we inherit it. **PROVEN** for Stripe's posture. | **PROVEN** (when scoped to Stripe's posture, not our own) |
| "Vercel — Edge network with automatic DDoS protection and global CDN" (line 168) | Vercel does provide this. | **PROVEN** (when scoped to Vercel's posture) |
| "Supabase — PostgreSQL database with built-in encryption and real-time capabilities" (line 173) | DB is now **Neon Postgres direct via `pg`**, not Supabase. | **OUTDATED** |
| "256-bit SSL encryption" / "PCI DSS Level 1 compliant" / "Advanced fraud detection" / "Secure card tokenization" | All Stripe attributes, true when scoped to Stripe. | **PROVEN** (Stripe-scoped) |
| `mailto:security@routecommerce.com` for vulnerability reports | Inbox unverifiable from repo. | **MISSING EVIDENCE** (need to confirm mailbox monitored) |
---
## 4. Changelog — `src/app/changelog/page.tsx`
| Version | Promise | Evidence | Label |
|---|---|---|---|
| 2.4.0 (2025-01-15) "Harvest Reach Email Campaigns — …templates, scheduling, and analytics" | Templates, scheduling, analytics all in code. | **PROVEN** |
| 2.3.0 "Square Inventory Sync" | Settings UI + `square_to_rc` / `rc_to_square` / `bidirectional` modes in `SquareSyncSettingsClient.tsx:443`. | **PROVEN** (UI exists; cron at `/api/square/process-queue` is wired in `vercel.json`). |
| 2.2.2 "Dashboard now loads 40% faster" | No benchmark in tree. | **UNSUPPORTED** (specific perf claim with no measurement) |
| 2.2.1 "Order Export Fix" | Generic bug-fix entry. | **MISSING EVIDENCE** (cannot verify without git blame) |
| 2.2.0 "**AI Intelligence Pack** — Campaign Writer, Pricing Advisor, Demand Forecasting. Available on Enterprise plan." | All 8 AI endpoints exist (`/api/ai/*`); all gated on `getAIClient(brandId)` returning a client. Requires brand to have an AI provider key configured. | **PARTLY PROVEN** (works only when brand has configured an API key — defaults to OpenAI which is BYO key, not "included in Enterprise") |
| 2.1.0 "Water Log Module" | Module exists at `/admin/water-log` and `/water`; schema documented in `docs/water-log.md`. | **PROVEN** |
| 2.0.0 "New Admin Dashboard" | v2 routes under `/admin/v2/*`. | **PROVEN** |
| 1.9.0 (2024-10-30) "Two-Factor Authentication" | **No TOTP/2FA in `src/lib/auth.ts` or `src/auth.config.ts`.** Better Auth supports a `twoFactor` plugin but it is not registered. | **UNSUPPORTED** (high-risk; this is the headline 1.9.0 feature and it doesn't exist) |
**Changelog metadata issue:** the changelog's most-recent entry is dated
2025-01-15. We're in June 2026. **Label:** **OUTDATED** as a whole
(this page silently went stale).
---
## 5. Roadmap — `src/app/roadmap/page.tsx`
### 5.1 "Shipped" column (page.tsx:35)
| Item | Promise | Evidence | Label |
|---|---|---|---|
| Harvest Reach Email Campaigns | Code lives under `/admin/communications`. | **PROVEN** |
| Square Inventory Sync | Code + queue cron. | **PROVEN** |
| AI Intelligence Pack | 8 endpoints, brand-gated. | **PROVEN** (with the same caveat as 2.2.0 above) |
| Water Log Module | Module lives at `/admin/water-log`. | **PROVEN** |
### 5.2 "In Progress" (page.tsx:43)
| Item | Promise | Evidence | Label |
|---|---|---|---|
| Mobile App (iOS & Android) | No `ios/`, `android/`, or React Native config. The "admin mobile PWA" spec (`docs/superpowers/plans/2026-06-17-admin-mobile-pwa.md`) is a PWA plan, **not a native app**. | **UNSUPPORTED** (a public claim of a native mobile app; reality is a PWA spec). |
| Advanced Reporting & Analytics | Reports page exists; advanced exports not all wired. | **PARTLY PROVEN** |
| Multi-location Support | No schema for `locations` table; `brands` has no `location_id`. | **UNSUPPORTED** |
### 5.3 "Planned" (page.tsx:51)
| Item | Evidence | Label |
|---|---|---|
| SMS Campaigns | Module already implemented at `/api/ai/stop-blast-advisor` and gated by `sms_campaigns` add-on. | **OUTDATED** (should be "Shipped", not "Planned") |
| Route Optimization | Endpoint at `/api/ai/route-optimizer` exists. | **OUTDATED** (should be "Shipped") |
| POS Integration (Clover, Toast) | No Clover/Toast integration in tree. | **PROVEN** (still planned) |
| Customer Loyalty Program | No code. | **PROVEN** (still planned) |
### 5.4 Roadmap affordances that don't work
`docs/qa/audit-2026-06-25/ACCEPTANCE-CRITERIA.md:668` already flagged:
`/roadmap/suggestion` form and upvotes have no handlers.
**Label:** **MISLEADING** (the page implies a working vote/suggest system).
---
## 6. Public docs (`README.md`, `LAUNCH_CHECKLIST.md`, `docs/`)
### 6.1 README.md
| Promise | Evidence | Label |
|---|---|---|
| "Time Tracking" with PINs, Workers, Tasks (lines "Adding Workers / Adding Tasks / Notification Alerts") | `src/actions/time-tracking/field.ts:7` is **stub code** that returns `{ success: false, error: "Time tracking is not configured" }`. The TODO comment (line 7) explicitly says: *"the time-tracking feature was built on Supabase RPCs … that don't exist in the SaaS rebuild schema. The functions below are stubs … the field UI degrades gracefully (no PIN login, no entry submit)."* | **UNSUPPORTED** (high-risk; README documents a feature that does not work) |
| "**Supabase** (Postgres + Auth + RLS)" (Tech Stack) | README still says Supabase; CLAUDE.md says we're on direct Postgres + Neon Auth. | **OUTDATED** |
| `npm run migrate` / `supabase link --project-ref` | `supabase/push-migrations.js` exists but CLAUDE.md says only the direct `pg` path is used; Supabase CLI branch is legacy. | **OUTDATED** |
| `dev_session` cookie bypass — described as dev-only | CLAUDE.md reinforces this. Code guard at `src/lib/auth.ts:55` returns early in production unless `PERF_TEST_AUTH=1`. | **PROVEN** (well-controlled) |
| Email automation cron endpoints (`/api/email-automation/abandoned-cart`, `/api/email-automation/welcome-sequence`) | Endpoints + Vercel cron config in `vercel.json`. | **PROVEN** |
### 6.2 `LAUNCH_CHECKLIST.md`
| Claim | Evidence | Label |
|---|---|---|
| "**Social Proof** ✓ Complete — FeaturesAndStats.tsx" | `FeaturesAndStats.tsx` does not exist in `src/components/landing/`. | **OUTDATED** |
| "**Testimonials** ✓ Complete — TestimonialsAndCTA.tsx" | `TestimonialsAndCTA.tsx` does not exist. | **OUTDATED** |
| "**Guided Product Tour** ✓ Complete — OnboardingFlow.tsx" | `OnboardingFlow.tsx` does not exist. | **OUTDATED** |
| "**Referral Program** ✓ Complete — src/app/api/referrals/route.ts, ReferralSystem.tsx" | `src/app/api/referrals/route.ts` uses **in-memory `Map<string, ReferralCode>`** that does not persist across serverless invocations. `ReferralSystem.tsx` does not exist. | **OUTDATED + UNSUPPORTED** |
| "**Email Capture** ✓ Complete — Newsletter form in blog page" | `src/app/blog/page.tsx` does not have a working newsletter form (static post list). | **OUTDATED** |
### 6.3 `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md`
Lists time-tracking admin features as testable. Combined with the stub
status above, this is **OUTDATED + UNSUPPORTED**.
---
## 7. Public storefront / AI answers in product voice
### 7.1 Wholesale portal login — `src/app/wholesale/login/page.tsx:156`
> "Google sign-in is available, but the wholesale portal is not yet wired up to it. Please use email + password for now."
**Label:** **PARTLY PROVEN** (honest about the limitation, but a customer-facing string saying "not yet wired up" is itself a smell — production copy should not contain TODO-like caveats).
### 7.2 Brand-specific FAQs — `src/app/tuxedo/faq/FAQClientPage.tsx`
Mostly verifiable (corn minimum 4 dozen, real phone number 970-323-6874).
**Label:** **PROVEN** for Tuxedo-specific FAQ.
### 7.3 `CLAUDE.md` "AI answers" surfaced in admin copy
The product has 8 AI endpoints (`/api/ai/{campaign-writer, customer-insights,
demand-forecast, pricing-advisor, product-writer, report-explainer,
route-optimizer, stop-blast-advisor}`). Each returns a typed response. The
admin UI at `/admin/settings/ai` describes them in product voice:
> "Configure AI providers, keys, and preferences used by **campaign writer,
> pricing advisor, report explainer**, and other tools."
**Evidence:** All endpoints exist, but they require:
1. Brand has `get_ai_provider_settings` row (BYO API key).
2. The configured provider must be reachable from the server.
3. The `minimax` provider is hard-coded into `AIProviderPanel.tsx` with model names like `MiniMax-M3`, `MiniMax-M2.7`, `MiniMax-M2.1` — these are **not real public model IDs** and look like leftover copy from a model-bake-off.
**Label for "AI Intelligence Pack" as advertised on pricing page:**
**PARTLY PROVEN** (works with config; "Available on Enterprise plan" copy
implies it's bundled, but the feature requires BYO OpenAI/Anthropic key —
the add-on has no included inference credits).
**Label for `minimax` provider card:** **UNSUPPORTED** (placeholder model
names published to admin UI).
---
## 8. Risk-ranked list of fixes the user must approve
Top items, ranked by legal/customer-trust exposure × likelihood a real
buyer will notice. **Production copy changes require sign-off** per the
user contract.
| Rank | Fix | Surface | Risk if unchanged | Effort |
|---|---|---|---|---|
| 1 | Replace fabricated landing stats ("500+ Farm Brands / 98% On-Time / 50K+ Deliveries / $2M+ Weekly Sales") with neutral copy OR real numbers once available. Remove from JSON-LD `aggregateRating` placeholder. | `src/components/landing/HeroSection.tsx`, `src/app/page.tsx` | **HIGH** — B2B procurement teams check public stats. | XS |
| 2 | Pick one pricing source of truth. Reconcile `src/lib/pricing.ts` and `src/lib/stripe-billing.ts`. Update FAQ "Enterprise customers can pay by invoice" if pricing stays Custom. | `src/lib/pricing.ts`, `src/lib/stripe-billing.ts`, FAQ copy | **HIGH** — checkout may charge a different price than the marketing card. | S |
| 3 | Remove "Two-Factor Authentication" from `Changelog v1.9.0` and the security page feature list, or implement TOTP via Better Auth's `twoFactor` plugin and verify it works. | `src/app/changelog/page.tsx`, `src/app/security/page.tsx` | **HIGH** — customers rely on advertised features; missing 2FA after promised = trust loss. | M |
| 4 | Strip SOC 2 / 99.9% uptime / quarterly pentest claims from `security/page.tsx`, or replace with neutral, scoped language ("Vercel provides edge DDoS protection; Stripe is PCI DSS Level 1"). | `src/app/security/page.tsx` | **HIGH** — regulatory/compliance exposure. | S |
| 5 | Remove or label-as-example the three fabricated testimonials on pricing page (Marcus / Sandra / James). Keep the IRD ones (real quotes). | `src/app/pricing/PricingClientPage.tsx` | **HIGH** — fake named-person testimonials can violate FTC guidelines. | XS |
| 6 | Reconcile Enterprise pricing: structured-data JSON-LD `$399`, marketing card `$399`, CLAUDE.md "Custom". Pick one. | `src/app/page.tsx`, `src/app/pricing/PricingClientPage.tsx`, FAQ copy | **MEDIUM** — Google snippets, sales-call confusion. | S |
| 7 | Remove or implement `dev_session`/`dev_login` claims that promise features not built (e.g., "Not yet wired up to Google" line in wholesale login). | `src/app/wholesale/login/page.tsx` | **MEDIUM** — production copy with TODO language. | XS |
| 8 | Replace `MiniMax-M3` etc. in `AIProviderPanel.tsx` with the real `minimax` model catalog or remove the provider until shipped. | `src/components/admin/AIProviderPanel.tsx` | **MEDIUM** — admin sets a non-existent model; calls will 404. | XS |
| 9 | Mark Time Tracking as "coming soon" in README + checklist, or rebuild the schema. | `README.md`, `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md`, `src/actions/time-tracking/field.ts` | **MEDIUM** — docs promise a feature whose actions are stubs. | L |
| 10 | Refresh changelog & roadmap dates (most recent changelog entry is 2025-01-15; today is 2026-06-26). Reclassify SMS Campaigns and Route Optimization as Shipped. | `src/app/changelog/page.tsx`, `src/app/roadmap/page.tsx` | **LOW** — perception of staleness. | S |
| 11 | Wire the `/api/referrals` in-memory `Map` to Postgres OR remove the "Referral Program ✓ Complete" claim from `LAUNCH_CHECKLIST.md`. | `src/app/api/referrals/route.ts`, `LAUNCH_CHECKLIST.md` | **LOW** — feature currently advertised but non-functional. | M |
| 12 | OG image: `/og-default.jpg` referenced by pricing/blog/contact but only `/og-default.svg` exists in `public/`. | `src/app/{pricing,blog,contact}/page.tsx`, `public/` | **LOW** — broken preview cards in social shares. | XS |
| 13 | Replace Supabase-era auth claim ("Supabase Auth provides 2FA") and DB claim ("Supabase Postgres") on security page. | `src/app/security/page.tsx` | **LOWMEDIUM** — outdated reference, but page is informational. | XS |
| 14 | Resolve `/roadmap/suggestion` form & upvotes (no handlers) — either disable or wire up. | `src/app/roadmap/page.tsx` | **LOW** — UI affordance leads nowhere. | S |
---
## 9. Decisions needed from the user
1. **Replace or keep** the landing hero stats? If keep, commit to a data source.
2. **Choose pricing source of truth**`pricing.ts` (25% annual) or `stripe-billing.ts` (15% annual, Enterprise=Custom). Recommend: align on `pricing.ts` for marketing parity, set `stripe-billing.ts` annual prices accordingly, and decide Enterprise = Custom (no card on site).
3. **Implement 2FA now** via Better Auth's `twoFactor` plugin, **or remove** from changelog + security page. Recommend: remove from copy; queue 2FA as a real ticket.
4. **Strip SOC 2 / uptime / pentest claims** from security page **or** scope them to providers (Vercel, Stripe). Recommend: scope to providers; queue real compliance work.
5. **Strip fabricated named testimonials** from pricing page. Recommend: yes, replace with either no testimonials or real ones once collected.
6. **Time Tracking**: docs claim it works, actions are stubs. Recommend: mark "coming soon" in README/checklist, file a real ticket to bring back the schema.
7. **Roadmap & changelog**: reclassify SMS Campaigns and Route Optimization as Shipped; refresh dates.
8. **OG image fix**: rename `og-default.svg` to `og-default.jpg`, or generate a JPG. Recommend: rename references in metadata to `/og-default.svg`.
9. **Permission to apply any subset of the above** in this session? If yes, which?
(Defaults below assume "yes, apply the safe ones; ask on anything that
touches an invoice number.")