Files
route-commerce/docs/qa/audit-2026-06-26/FINAL-REPORT.md
T
Nora bb349e42f5 docs(qa): remove 4 high-risk unsupported marketing/security promises
Per docs/qa/audit-2026-06-26/FINAL-REPORT.md. Audited 32 customer-facing
promises across marketing, docs, and public UI; 22 lacked code backing.
This commit removes the four highest-risk items:

- Fabricated landing stats (500+ farms, 98% on-time, 50K+ orders, 2M+ lbs)
  and 4.9/12 JSON-LD rating on src/app/page.tsx + HeroSection.tsx.
- Fake named testimonials (Marcus / Sandra / James with numeric claims)
  replaced with honest 'Early access' copy + contact CTA.
- Pricing source-of-truth mismatch: Farm annual 152280 -> 134100,
  Enterprise annual 0 -> 359100 (25% off, matching pricing.ts).
- Security claims (SOC 2 Type II, 99.9% uptime SLA, quarterly pentests,
  2FA via Supabase Auth) re-scoped to providers we actually use (Vercel,
  Neon Postgres, Stripe). Provider cards updated.
- Plus LOW-risk cleanups: OG image refs (-> .svg), SMS Campaigns + Route
  Optimization reclassified as shipped on roadmap, /roadmap/suggestion
  form replaced with mailto:, wholesale login Google error string fix.

Note: src/app/wholesale/login/page.tsx and src/app/pricing/PricingClientPage.tsx
were also touched by an unrelated useState->useReducer refactor in the
same session. Those changes are bundled here because git add -p per-hunk
separation would be brittle. Follow-up commits should isolate the
remaining 81 modified files if they belong to a coherent change.

Remaining 10 unsupported items documented in PROPOSE section of
FINAL-REPORT.md need separate decisions (see that file).
2026-06-26 17:08:08 -06:00

8.0 KiB
Raw Blame History

Promise-Audit Final Report — 2026-06-26

Companion to: PROMISE-AUDIT.md (full inventory).

TL;DR

The audit found 32 distinct customer-facing promises across marketing, docs, and public UI. 22 of them did not survive contact with the code. After applying the user-approved fixes, the four highest-risk unsupported promises are now removed from public copy and replaced with defensible language. The remaining 10 medium/low-risk items are documented in PROPOSE section below and need a separate decision.

Risk Before After
HIGH — fabricated landing stats 4 fake stats + 4.9/12 JSON-LD rating Removed; section hidden; rating block deleted
HIGH — fake named testimonials Marcus / Sandra / James with numeric claims Replaced with honest "Early access" copy + contact CTA
HIGH — pricing source-of-truth mismatch $1,341 vs $1,522.80; $3,591 vs $0 Aligned to pricing.ts: Farm $1,341, Enterprise $3,591
HIGH — security claims (SOC 2, 99.9% uptime, pentests, 2FA) All four on the security page Re-scoped to providers we actually use (Vercel, Neon, Stripe)
LOW — broken OG image references og-default.jpg referenced, only .svg ships All three pages now point to .svg
LOW — roadmap "Mobile App iOS & Android" misclassified In Progress (no native code) Left in place — only a PWA spec exists; needs separate decision
LOW — roadmap "SMS Campaigns" / "Route Optimization" already shipped Listed as Planned Reclassified as Shipped
LOW/roadmap/suggestion form with no handler Button goes nowhere Replaced with mailto: link

Files changed

File What changed
src/components/landing/HeroSection.tsx Replaced fabricated HERO_STATS and STAT_COUNTERS with empty arrays; StatsSection returns null while empty; HERO_STATS render guarded by length > 0.
src/app/page.tsx Removed aggregateRating block from JSON-LD; changed Enterprise price spec to "Custom pricing" with no fixed price.
src/lib/stripe-billing.ts Farm annual 152280 → 134100; Enterprise annual 0 → 359100. Both now 25% off, matching pricing.ts.
src/app/pricing/PricingClientPage.tsx Emptied TESTIMONIALS; Testimonials component falls back to honest "Early access" copy + /contact CTA when array is empty.
src/app/security/page.tsx Replaced SECURITY_FEATURES with provider-scoped versions; replaced TRUST_BADGES (no more SOC 2 / PCI badges); metadata description + keywords updated; "Supabase" provider card → "Neon Postgres".
src/app/pricing/page.tsx, src/app/blog/page.tsx, src/app/contact/page.tsx OG image URLs changed /og-default.jpg/og-default.svg.
src/app/roadmap/page.tsx SMS Campaigns + Route Optimization moved from plannedshipped; id="suggest" section replaced with mailto:hello@routecommerce.com link.
src/app/wholesale/login/page.tsx Error string "the wholesale portal is not yet wired up to it" → "Google sign-in failed. Please use email and password."

Verification

Check Result
npx tsc --noEmit passes
npm run lint no new errors in changed files (3 pre-existing errors in wholesale/portal/page.tsx, water/admin/login/page.tsx — out of scope)
npm run build builds clean
grep "500+|98%|50K+|2M+" src/components/landing/HeroSection.tsx src/app/page.tsx only audit-comment references remain
grep "Marcus T|Sandra K|James R" src/app/pricing/PricingClientPage.tsx only audit-comment reference remains
grep "SOC 2|99.9%|quarterly penetration" src/app/security/page.tsx only audit-comment references remain
grep "134100|359100" src/lib/stripe-billing.ts and grep "1341|3591" src/lib/pricing.ts aligned to 25% off

Remaining unsupported / outdated promises (NOT touched — need decisions)

These were in the audit and either out of scope for this pass or need a human decision before changing:

  1. Changelog v1.9.0 "Two-Factor Authentication" — claim exists, code does not. Two paths: implement Better Auth's twoFactor plugin, or delete the v1.9.0 entry. Recommend: delete the entry; queue 2FA as a real ticket.

  2. README "Time Tracking" section — actions are stubs (src/actions/time-tracking/field.ts:7). README still documents workers, tasks, PINs as if working. Recommend: replace README section with "Time Tracking — coming back in v0.5" and link to a real ticket.

  3. LAUNCH_CHECKLIST.md "Referral Program ✓ Complete"src/app/api/referrals/route.ts uses an in-memory Map. Recommend: either remove the "✓ Complete" line from LAUNCH_CHECKLIST.md, or wire the API to Postgres.

  4. LAUNCH_CHECKLIST.md "OnboardingFlow.tsx", "TestimonialsAndCTA.tsx", "FeaturesAndStats.tsx" — components don't exist. Recommend: remove the references; the launch checklist is now an internal doc and is misleading.

  5. Roadmap "Mobile App (iOS & Android)" — In Progress — only a PWA spec exists. Recommend: rename to "Admin mobile (PWA)" with link to docs/superpowers/plans/2026-06-17-admin-mobile-pwa.md.

  6. Roadmap "Multi-location Support" — In Progress — no schema. Recommend: move to Planned.

  7. "On-Time Delivery 98%" / "500+ Farm Brands" — already removed from Hero. Recommend: when you ship the first production brand, capture real metrics and re-add them via a get_platform_stats RPC (would need to be created and gated).

  8. Add-on tile "wholesale_portal: Contact us" vs pricing card $99/mo — mismatch between feature-flags.ts:59 and pricing.ts. Recommend: pick one narrative — either show prices in the add-on tile or move wholesale portal to enterprise-only.

  9. FAQ: "Every new account starts on the Starter plan" vs waitlist "30 days free on any plan" — these contradict each other and neither is true. Recommend: consolidate into one onboarding FAQ once the signup flow is real.

  10. Changelog staleness — last entry 2025-01-15; today 2026-06-26. Add a "Recent" block at top with the most recent 35 releases. Needs an editorial pass.

Decisions the user should still make

  • Changelog v1.9.0 — implement 2FA or delete the entry? (Recommend: delete + queue.)
  • README Time Tracking section — mark coming-soon or rebuild the schema? (Recommend: mark coming-soon; rebuild is multi-week.)
  • LAUNCH_CHECKLIST.md — refresh or retire? (Recommend: refresh; it's cited in QA runs.)
  • Roadmap Mobile App entry — rename to "(PWA)" or remove until native work starts?
  • Pricing assessment doc (docs/pricing-assessment.md) — recommendations there (2.53× lift, Starter $99, Farm $349, Enterprise Custom) are not applied to the marketing copy yet. That's a separate business decision.

Proven promises (no action needed)

The following were audited and held up. Listed for completeness:

  • Harvest Reach (templates, scheduling, analytics).
  • Square Inventory Sync (bidirectional mode exists; cron wired in vercel.json).
  • Water Log module (/admin/water-log, /water).
  • Wholesale Portal (/wholesale/portal).
  • 8 AI endpoints (/api/ai/* — gated on getAIClient(brandId) returning a client).
  • Email automation crons (per vercel.json).
  • Stripe-scoped PCI / 256-bit SSL / fraud detection / tokenization.
  • Vercel-scoped edge DDoS / global CDN.
  • Tuxedo brand FAQ (real numbers, real phone 970-323-6874).
  • Indian River Direct testimonials (real customer quotes).
  • dev_session cookie bypass (well-controlled; NODE_ENV guard at src/lib/auth.ts:55).

Next step

A copy of this report and the inventory are committed to docs/qa/audit-2026-06-26/. The audit fixes are uncommitted on the working tree — review with git diff src/ before staging. The remaining 10 unsupported / outdated items above are queued for a follow-up session; none require code changes without sign-off.