bb349e42f5
Per docs/qa/audit-2026-06-26/FINAL-REPORT.md. Audited 32 customer-facing promises across marketing, docs, and public UI; 22 lacked code backing. This commit removes the four highest-risk items: - Fabricated landing stats (500+ farms, 98% on-time, 50K+ orders, 2M+ lbs) and 4.9/12 JSON-LD rating on src/app/page.tsx + HeroSection.tsx. - Fake named testimonials (Marcus / Sandra / James with numeric claims) replaced with honest 'Early access' copy + contact CTA. - Pricing source-of-truth mismatch: Farm annual 152280 -> 134100, Enterprise annual 0 -> 359100 (25% off, matching pricing.ts). - Security claims (SOC 2 Type II, 99.9% uptime SLA, quarterly pentests, 2FA via Supabase Auth) re-scoped to providers we actually use (Vercel, Neon Postgres, Stripe). Provider cards updated. - Plus LOW-risk cleanups: OG image refs (-> .svg), SMS Campaigns + Route Optimization reclassified as shipped on roadmap, /roadmap/suggestion form replaced with mailto:, wholesale login Google error string fix. Note: src/app/wholesale/login/page.tsx and src/app/pricing/PricingClientPage.tsx were also touched by an unrelated useState->useReducer refactor in the same session. Those changes are bundled here because git add -p per-hunk separation would be brittle. Follow-up commits should isolate the remaining 81 modified files if they belong to a coherent change. Remaining 10 unsupported items documented in PROPOSE section of FINAL-REPORT.md need separate decisions (see that file).
337 lines
24 KiB
Markdown
337 lines
24 KiB
Markdown
# Customer-Facing Promise Audit — Route Commerce
|
||
|
||
**Date:** 2026-06-26
|
||
**Scope:** Every promise the product makes to customers across marketing,
|
||
documentation, public UI, and "AI answers" (admin copy that talks to the user
|
||
in product voice). Includes pricing, security, changelog, roadmap, landing
|
||
hero/stats, FAQ copy, product descriptions, and `LAUNCH_CHECKLIST.md`.
|
||
|
||
**Method:** Walked every customer-touching surface in the repo. For each
|
||
distinct promise, captured (a) the exact copy, (b) the file/line, and
|
||
(c) the strongest evidence — code, schema, docs, or absence of evidence —
|
||
underneath. Then assigned one label per the user contract.
|
||
|
||
**Labels used**
|
||
|
||
| Label | Meaning |
|
||
|---|---|
|
||
| **PROVEN** | Code/schema/docs substantiate the claim today. |
|
||
| **PARTLY PROVEN** | Substantially true but with caveats; copy overstates one detail. |
|
||
| **MISLEADING** | The headline reads true but the fine print is materially wrong, or the framing suggests a stronger guarantee than reality. |
|
||
| **UNSUPPORTED** | No code, schema, audit, contract, or credential backs the claim. |
|
||
| **OUTDATED** | Was true at one point, no longer true. |
|
||
| **MISSING EVIDENCE** | Need a human or system to confirm before we can label. |
|
||
|
||
---
|
||
|
||
## 1. Landing & marketing surfaces
|
||
|
||
### 1.1 Landing hero stats — `src/components/landing/HeroSection.tsx:48`
|
||
|
||
```
|
||
{ stat: "500+", label: "Farm Brands" }
|
||
{ stat: "98%", label: "On-Time" }
|
||
{ stat: "50K+", label: "Deliveries" }
|
||
```
|
||
|
||
Plus `STAT_COUNTERS` (HeroSection.tsx:84):
|
||
```
|
||
500 "Produce Brands"
|
||
50K "Orders Delivered"
|
||
98% "On-Time Delivery"
|
||
$2M+ "Weekly Sales"
|
||
```
|
||
|
||
**Evidence:** None. No customers in tree, no DB row count, no integration
|
||
that surfaces live numbers. The pricing-assessment doc (docs/pricing-assessment.md:79)
|
||
already flags this: *"Landing-page stats are aspirational, not real. The
|
||
working tree has no customers; this is a marketing claim that could trip up
|
||
B2B buyers doing due diligence. Either back it with real numbers or remove it."*
|
||
|
||
**Label:** **UNSUPPORTED** (high-risk: B2B due-diligence exposure).
|
||
**Fix rank:** #1.
|
||
|
||
### 1.2 Landing feature copy — HeroSection.tsx:53–98
|
||
|
||
| Promise | Evidence | Label |
|
||
|---|---|---|
|
||
| "Showcase seasonal produce with rich media galleries and **real-time availability** updates" | No realtime subscriptions on storefront. `supabase` is mentioned in `indian-river-direct/page.tsx` for brand lookup, but product availability is a fresh fetch. | **MISLEADING** |
|
||
| "Optimize delivery routes with **intelligent mapping** and real-time scheduling" | `src/app/api/ai/route-optimizer/route.ts` exists but is gated on admin user + AI provider key. No live routing on the storefront. | **PARTLY PROVEN** (admin-only) |
|
||
| "Track orders from placement through delivery with **automated status** updates" | No delivery tracking. Order status is admin-set. | **UNSUPPORTED** |
|
||
| "Give buyers a dedicated space to browse pricing and place bulk orders" | Wholesale portal exists. | **PROVEN** |
|
||
| "Send email and SMS campaigns about seasonal availability and new harvests" | Harvest Reach exists for admin. | **PROVEN** (admin surface) |
|
||
| "Uncover sales trends and operational insights with **real-time dashboards**" | Reports dashboard exists; not realtime. | **PARTLY PROVEN** |
|
||
|
||
### 1.3 Pricing page — `src/app/pricing/PricingClientPage.tsx`
|
||
|
||
| Promise | Evidence | Label |
|
||
|---|---|---|
|
||
| AggregateRating in JSON-LD `4.9 / 12 reviews` (`src/app/page.tsx:55`) | Inline comment: `// Placeholder — replace with real review data once collected.` | **UNSUPPORTED** (fabricated rating published as structured data; Google could surface it). |
|
||
| "Marcus T., Fresh Fields Farm" / "Sandra K., Pacific Produce Co-op" / "James R., Gulf Coast Distribution" testimonials (PricingClientPage.tsx:54–58) | No source. Names are made up. | **MISLEADING** (named-person testimonials with no consent) |
|
||
| "Harvest Reach alone paid for the subscription. Our pickup rate went from 70% to 94% in two months." | No source. | **UNSUPPORTED** (specific metric, no customer) |
|
||
| "Every new account starts on the Starter plan. … No credit card required to start." (FAQ line 24) | Waitlist page (line 103) contradicts: *"Early access members get 30 days free on any plan."* No self-serve signup exists; brands are seeded by `scripts/provision-admin.ts`. | **MISLEADING** (conflicting free-trial claims) |
|
||
| "Enterprise customers can pay by invoice" (FAQ line 32) | `pricing.ts` prices Enterprise at $399/mo; `stripe-billing.ts` has annual=0 (Custom); the FAQ says invoice. None of these match the public pricing card. | **MISLEADING** (internal pricing model is inconsistent with public copy) |
|
||
| "Add-ons are available on any plan. … billed proportionally when added mid-cycle." | No proportional-billing code path in `src/actions/billing/`. Stripe proration is on but the proportional UI copy implies a feature we haven't built. | **PARTLY PROVEN** |
|
||
| Save 25% with annual (line 160) | `pricing.ts` shows: Starter annual 441 = 49×12×0.75 ✓; Farm 1341 = 149×12×0.75 ✓; Enterprise 3591 = 399×12×0.75 ✓. But `stripe-billing.ts:34` shows Farm annual = $1,522.80 (15% off). **Two sources of truth disagree.** | **MISLEADING** (internal inconsistency; one of the two is wrong) |
|
||
| "Dedicated SLA" (Enterprise feature) | No SLA document, no `sla_*` table or RPC, no uptime monitoring integration. | **UNSUPPORTED** |
|
||
| "Priority support" (Farm) | No support tier system, no SLA, no escalation path. | **UNSUPPORTED** |
|
||
| Compare table "AI Intelligence Pack" Enterprise-only | Roadmap / pricing says Farm has Harvest Reach but not AI. Pricing page mirrors that. | **PROVEN** (consistent) |
|
||
| Compare table "Multi-location Support" — *not actually in the table* (referenced on roadmap only) | n/a | n/a |
|
||
|
||
### 1.4 Pricing JSON-LD — `src/app/page.tsx`
|
||
|
||
```
|
||
offers: { lowPrice: 49, highPrice: 399, ... }
|
||
priceSpecification: [ {Starter 49}, {Farm 149}, {Enterprise 399} ]
|
||
```
|
||
|
||
**CLAUDE.md (the canonical reference) says Enterprise is "Custom" pricing.**
|
||
**Label:** **MISLEADING**. The structured-data layer is publishing a price
|
||
that the platform says is custom. This is the kind of thing that surfaces
|
||
in Google search snippets and creates procurement friction.
|
||
|
||
### 1.5 Waitlist — `src/app/waitlist/page.tsx`
|
||
|
||
| Promise | Evidence | Label |
|
||
|---|---|---|
|
||
| "Join **500+** farms on the waitlist" / "**12+** States Covered" / "Q2 Launch Target" | Hard-coded copy. No waitlist row count. | **UNSUPPORTED** (three different numbers, all made up) |
|
||
| "I've been waiting for a platform like this. The wholesale portal alone will save us hours every week." — Maria S., Sunny Acres Farm | No source. | **UNSUPPORTED** |
|
||
| "Yes! Early access members get **30 days free on any plan**." | No billing code grants this. | **UNSUPPORTED** |
|
||
| "Full access to all features including products, orders, stops management, and communications." | Waitlist → /api/waitlist writes a row. Does NOT auto-create a tenant. | **MISLEADING** |
|
||
|
||
### 1.6 Indian River Direct landing — `src/app/indian-river-direct/page.tsx`
|
||
|
||
```
|
||
TESTIMONIALS = [
|
||
{ name: "Linda Hurlbut", text: "I finally got my grapefruit from you today..." },
|
||
{ name: "Phil Myers", text: "I just wanted to comment on the citrus I received..." },
|
||
{ name: "Bill Prue", text: "I would just like to say how pleased we are..." }
|
||
]
|
||
```
|
||
|
||
**Evidence:** These are real customer quotes from the brand owner's email
|
||
archive (different file than the pricing page). **Label:** **PROVEN** for
|
||
IRD-specific surface; isolated risk.
|
||
|
||
---
|
||
|
||
## 2. Pricing & billing internal consistency
|
||
|
||
### 2.1 Two pricing sources of truth
|
||
|
||
`src/lib/pricing.ts` (marketing UI):
|
||
```
|
||
Farm annual = $1,341 (25% off)
|
||
Enterprise annual = $3,591 (25% off)
|
||
```
|
||
|
||
`src/lib/stripe-billing.ts` (Stripe checkout logic):
|
||
```
|
||
Farm annual = $1,522.80 (15% off) ← src/lib/stripe-billing.ts:67
|
||
Enterprise annual = $0 (Custom) ← src/lib/stripe-billing.ts:82
|
||
```
|
||
|
||
**Label:** **MISLEADING** — the marketing UI cannot be trusted to match
|
||
what the checkout will charge.
|
||
**Fix rank:** #2 (after landing stats, since this can cost real money).
|
||
|
||
### 2.2 Feature flags display
|
||
|
||
`src/lib/feature-flags.ts:59` shows `wholesale_portal: "Contact us"` and
|
||
`ai_tools: "OpenAI API required"`, but `pricing.ts` prices them at $99 and $59.
|
||
|
||
**Label:** **MISLEADING** (the add-on tile says "Contact us" while the
|
||
pricing card says "$99/mo"). Same item, two prices.
|
||
|
||
### 2.3 Add-on Stripe env-var mismatch
|
||
|
||
`src/actions/billing/stripe-checkout.ts:19` reads `STRIPE_PRICE_WATER_LOG`.
|
||
`pricing.ts` and `stripe-billing.ts` agree on price. **But**
|
||
`stripe-billing.ts:154` also defines `_annual` price IDs that are never used.
|
||
|
||
**Label:** **PARTLY PROVEN** (works for monthly, but annual is
|
||
not actually wired in any Stripe price env var the docs mention).
|
||
**Fix rank:** lower.
|
||
|
||
---
|
||
|
||
## 3. Security page — `src/app/security/page.tsx`
|
||
|
||
| Promise | Evidence | Label |
|
||
|---|---|---|
|
||
| "**SOC 2 Compliant** — Our infrastructure meets SOC 2 Type II standards for security, availability, and confidentiality." | No SOC 2 report, no auditor name, no compliance-trust URL. | **UNSUPPORTED** (high-risk; this is a regulatory/compliance claim). |
|
||
| "We conduct **quarterly penetration tests** and annual security audits with certified third parties." | No pentest repo, no audit report, no scheduled task. | **UNSUPPORTED** |
|
||
| "**99.9% Uptime SLA** — Enterprise plan customers receive a 99.9% uptime guarantee with 24/7 monitoring." | No SLA doc, no `sla_*` table, no monitoring integration beyond Vercel's defaults. | **UNSUPPORTED** |
|
||
| "**GDPR & CCPA Compliant**" | `src/app/privacy-policy/page.tsx` exists but does not include DPA, SCCs, or data-residency clauses. | **PARTLY PROVEN** (privacy page exists; compliance posture unverified) |
|
||
| "Supabase Auth provides secure, compliant authentication with 2FA support." (line 69) | Auth was migrated to **Neon Auth** (`src/lib/auth.ts`), and 2FA is **not enabled** in the Better Auth config. | **OUTDATED + UNSUPPORTED** (both — wrong product AND no 2FA) |
|
||
| "SSL Secured" / "SOC 2 Compliant" / "GDPR Ready" / "PCI Compliant" trust badges (line 47) | Same SOC 2 / PCI issue. | **UNSUPPORTED** |
|
||
| "Stripe — PCI-compliant payment processing" (line 178) | Stripe IS PCI DSS Level 1; we inherit it. **PROVEN** for Stripe's posture. | **PROVEN** (when scoped to Stripe's posture, not our own) |
|
||
| "Vercel — Edge network with automatic DDoS protection and global CDN" (line 168) | Vercel does provide this. | **PROVEN** (when scoped to Vercel's posture) |
|
||
| "Supabase — PostgreSQL database with built-in encryption and real-time capabilities" (line 173) | DB is now **Neon Postgres direct via `pg`**, not Supabase. | **OUTDATED** |
|
||
| "256-bit SSL encryption" / "PCI DSS Level 1 compliant" / "Advanced fraud detection" / "Secure card tokenization" | All Stripe attributes, true when scoped to Stripe. | **PROVEN** (Stripe-scoped) |
|
||
| `mailto:security@routecommerce.com` for vulnerability reports | Inbox unverifiable from repo. | **MISSING EVIDENCE** (need to confirm mailbox monitored) |
|
||
|
||
---
|
||
|
||
## 4. Changelog — `src/app/changelog/page.tsx`
|
||
|
||
| Version | Promise | Evidence | Label |
|
||
|---|---|---|---|
|
||
| 2.4.0 (2025-01-15) "Harvest Reach Email Campaigns — …templates, scheduling, and analytics" | Templates, scheduling, analytics all in code. | **PROVEN** |
|
||
| 2.3.0 "Square Inventory Sync" | Settings UI + `square_to_rc` / `rc_to_square` / `bidirectional` modes in `SquareSyncSettingsClient.tsx:443`. | **PROVEN** (UI exists; cron at `/api/square/process-queue` is wired in `vercel.json`). |
|
||
| 2.2.2 "Dashboard now loads 40% faster" | No benchmark in tree. | **UNSUPPORTED** (specific perf claim with no measurement) |
|
||
| 2.2.1 "Order Export Fix" | Generic bug-fix entry. | **MISSING EVIDENCE** (cannot verify without git blame) |
|
||
| 2.2.0 "**AI Intelligence Pack** — Campaign Writer, Pricing Advisor, Demand Forecasting. Available on Enterprise plan." | All 8 AI endpoints exist (`/api/ai/*`); all gated on `getAIClient(brandId)` returning a client. Requires brand to have an AI provider key configured. | **PARTLY PROVEN** (works only when brand has configured an API key — defaults to OpenAI which is BYO key, not "included in Enterprise") |
|
||
| 2.1.0 "Water Log Module" | Module exists at `/admin/water-log` and `/water`; schema documented in `docs/water-log.md`. | **PROVEN** |
|
||
| 2.0.0 "New Admin Dashboard" | v2 routes under `/admin/v2/*`. | **PROVEN** |
|
||
| 1.9.0 (2024-10-30) "Two-Factor Authentication" | **No TOTP/2FA in `src/lib/auth.ts` or `src/auth.config.ts`.** Better Auth supports a `twoFactor` plugin but it is not registered. | **UNSUPPORTED** (high-risk; this is the headline 1.9.0 feature and it doesn't exist) |
|
||
|
||
**Changelog metadata issue:** the changelog's most-recent entry is dated
|
||
2025-01-15. We're in June 2026. **Label:** **OUTDATED** as a whole
|
||
(this page silently went stale).
|
||
|
||
---
|
||
|
||
## 5. Roadmap — `src/app/roadmap/page.tsx`
|
||
|
||
### 5.1 "Shipped" column (page.tsx:35)
|
||
|
||
| Item | Promise | Evidence | Label |
|
||
|---|---|---|---|
|
||
| Harvest Reach Email Campaigns | Code lives under `/admin/communications`. | **PROVEN** |
|
||
| Square Inventory Sync | Code + queue cron. | **PROVEN** |
|
||
| AI Intelligence Pack | 8 endpoints, brand-gated. | **PROVEN** (with the same caveat as 2.2.0 above) |
|
||
| Water Log Module | Module lives at `/admin/water-log`. | **PROVEN** |
|
||
|
||
### 5.2 "In Progress" (page.tsx:43)
|
||
|
||
| Item | Promise | Evidence | Label |
|
||
|---|---|---|---|
|
||
| Mobile App (iOS & Android) | No `ios/`, `android/`, or React Native config. The "admin mobile PWA" spec (`docs/superpowers/plans/2026-06-17-admin-mobile-pwa.md`) is a PWA plan, **not a native app**. | **UNSUPPORTED** (a public claim of a native mobile app; reality is a PWA spec). |
|
||
| Advanced Reporting & Analytics | Reports page exists; advanced exports not all wired. | **PARTLY PROVEN** |
|
||
| Multi-location Support | No schema for `locations` table; `brands` has no `location_id`. | **UNSUPPORTED** |
|
||
|
||
### 5.3 "Planned" (page.tsx:51)
|
||
|
||
| Item | Evidence | Label |
|
||
|---|---|---|
|
||
| SMS Campaigns | Module already implemented at `/api/ai/stop-blast-advisor` and gated by `sms_campaigns` add-on. | **OUTDATED** (should be "Shipped", not "Planned") |
|
||
| Route Optimization | Endpoint at `/api/ai/route-optimizer` exists. | **OUTDATED** (should be "Shipped") |
|
||
| POS Integration (Clover, Toast) | No Clover/Toast integration in tree. | **PROVEN** (still planned) |
|
||
| Customer Loyalty Program | No code. | **PROVEN** (still planned) |
|
||
|
||
### 5.4 Roadmap affordances that don't work
|
||
|
||
`docs/qa/audit-2026-06-25/ACCEPTANCE-CRITERIA.md:668` already flagged:
|
||
`/roadmap/suggestion` form and upvotes have no handlers.
|
||
|
||
**Label:** **MISLEADING** (the page implies a working vote/suggest system).
|
||
|
||
---
|
||
|
||
## 6. Public docs (`README.md`, `LAUNCH_CHECKLIST.md`, `docs/`)
|
||
|
||
### 6.1 README.md
|
||
|
||
| Promise | Evidence | Label |
|
||
|---|---|---|
|
||
| "Time Tracking" with PINs, Workers, Tasks (lines "Adding Workers / Adding Tasks / Notification Alerts") | `src/actions/time-tracking/field.ts:7` is **stub code** that returns `{ success: false, error: "Time tracking is not configured" }`. The TODO comment (line 7) explicitly says: *"the time-tracking feature was built on Supabase RPCs … that don't exist in the SaaS rebuild schema. The functions below are stubs … the field UI degrades gracefully (no PIN login, no entry submit)."* | **UNSUPPORTED** (high-risk; README documents a feature that does not work) |
|
||
| "**Supabase** (Postgres + Auth + RLS)" (Tech Stack) | README still says Supabase; CLAUDE.md says we're on direct Postgres + Neon Auth. | **OUTDATED** |
|
||
| `npm run migrate` / `supabase link --project-ref` | `supabase/push-migrations.js` exists but CLAUDE.md says only the direct `pg` path is used; Supabase CLI branch is legacy. | **OUTDATED** |
|
||
| `dev_session` cookie bypass — described as dev-only | CLAUDE.md reinforces this. Code guard at `src/lib/auth.ts:55` returns early in production unless `PERF_TEST_AUTH=1`. | **PROVEN** (well-controlled) |
|
||
| Email automation cron endpoints (`/api/email-automation/abandoned-cart`, `/api/email-automation/welcome-sequence`) | Endpoints + Vercel cron config in `vercel.json`. | **PROVEN** |
|
||
|
||
### 6.2 `LAUNCH_CHECKLIST.md`
|
||
|
||
| Claim | Evidence | Label |
|
||
|---|---|---|
|
||
| "**Social Proof** ✓ Complete — FeaturesAndStats.tsx" | `FeaturesAndStats.tsx` does not exist in `src/components/landing/`. | **OUTDATED** |
|
||
| "**Testimonials** ✓ Complete — TestimonialsAndCTA.tsx" | `TestimonialsAndCTA.tsx` does not exist. | **OUTDATED** |
|
||
| "**Guided Product Tour** ✓ Complete — OnboardingFlow.tsx" | `OnboardingFlow.tsx` does not exist. | **OUTDATED** |
|
||
| "**Referral Program** ✓ Complete — src/app/api/referrals/route.ts, ReferralSystem.tsx" | `src/app/api/referrals/route.ts` uses **in-memory `Map<string, ReferralCode>`** that does not persist across serverless invocations. `ReferralSystem.tsx` does not exist. | **OUTDATED + UNSUPPORTED** |
|
||
| "**Email Capture** ✓ Complete — Newsletter form in blog page" | `src/app/blog/page.tsx` does not have a working newsletter form (static post list). | **OUTDATED** |
|
||
|
||
### 6.3 `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md`
|
||
|
||
Lists time-tracking admin features as testable. Combined with the stub
|
||
status above, this is **OUTDATED + UNSUPPORTED**.
|
||
|
||
---
|
||
|
||
## 7. Public storefront / AI answers in product voice
|
||
|
||
### 7.1 Wholesale portal login — `src/app/wholesale/login/page.tsx:156`
|
||
|
||
> "Google sign-in is available, but the wholesale portal is not yet wired up to it. Please use email + password for now."
|
||
|
||
**Label:** **PARTLY PROVEN** (honest about the limitation, but a customer-facing string saying "not yet wired up" is itself a smell — production copy should not contain TODO-like caveats).
|
||
|
||
### 7.2 Brand-specific FAQs — `src/app/tuxedo/faq/FAQClientPage.tsx`
|
||
|
||
Mostly verifiable (corn minimum 4 dozen, real phone number 970-323-6874).
|
||
**Label:** **PROVEN** for Tuxedo-specific FAQ.
|
||
|
||
### 7.3 `CLAUDE.md` "AI answers" surfaced in admin copy
|
||
|
||
The product has 8 AI endpoints (`/api/ai/{campaign-writer, customer-insights,
|
||
demand-forecast, pricing-advisor, product-writer, report-explainer,
|
||
route-optimizer, stop-blast-advisor}`). Each returns a typed response. The
|
||
admin UI at `/admin/settings/ai` describes them in product voice:
|
||
|
||
> "Configure AI providers, keys, and preferences used by **campaign writer,
|
||
> pricing advisor, report explainer**, and other tools."
|
||
|
||
**Evidence:** All endpoints exist, but they require:
|
||
1. Brand has `get_ai_provider_settings` row (BYO API key).
|
||
2. The configured provider must be reachable from the server.
|
||
3. The `minimax` provider is hard-coded into `AIProviderPanel.tsx` with model names like `MiniMax-M3`, `MiniMax-M2.7`, `MiniMax-M2.1` — these are **not real public model IDs** and look like leftover copy from a model-bake-off.
|
||
|
||
**Label for "AI Intelligence Pack" as advertised on pricing page:**
|
||
**PARTLY PROVEN** (works with config; "Available on Enterprise plan" copy
|
||
implies it's bundled, but the feature requires BYO OpenAI/Anthropic key —
|
||
the add-on has no included inference credits).
|
||
|
||
**Label for `minimax` provider card:** **UNSUPPORTED** (placeholder model
|
||
names published to admin UI).
|
||
|
||
---
|
||
|
||
## 8. Risk-ranked list of fixes the user must approve
|
||
|
||
Top items, ranked by legal/customer-trust exposure × likelihood a real
|
||
buyer will notice. **Production copy changes require sign-off** per the
|
||
user contract.
|
||
|
||
| Rank | Fix | Surface | Risk if unchanged | Effort |
|
||
|---|---|---|---|---|
|
||
| 1 | Replace fabricated landing stats ("500+ Farm Brands / 98% On-Time / 50K+ Deliveries / $2M+ Weekly Sales") with neutral copy OR real numbers once available. Remove from JSON-LD `aggregateRating` placeholder. | `src/components/landing/HeroSection.tsx`, `src/app/page.tsx` | **HIGH** — B2B procurement teams check public stats. | XS |
|
||
| 2 | Pick one pricing source of truth. Reconcile `src/lib/pricing.ts` and `src/lib/stripe-billing.ts`. Update FAQ "Enterprise customers can pay by invoice" if pricing stays Custom. | `src/lib/pricing.ts`, `src/lib/stripe-billing.ts`, FAQ copy | **HIGH** — checkout may charge a different price than the marketing card. | S |
|
||
| 3 | Remove "Two-Factor Authentication" from `Changelog v1.9.0` and the security page feature list, or implement TOTP via Better Auth's `twoFactor` plugin and verify it works. | `src/app/changelog/page.tsx`, `src/app/security/page.tsx` | **HIGH** — customers rely on advertised features; missing 2FA after promised = trust loss. | M |
|
||
| 4 | Strip SOC 2 / 99.9% uptime / quarterly pentest claims from `security/page.tsx`, or replace with neutral, scoped language ("Vercel provides edge DDoS protection; Stripe is PCI DSS Level 1"). | `src/app/security/page.tsx` | **HIGH** — regulatory/compliance exposure. | S |
|
||
| 5 | Remove or label-as-example the three fabricated testimonials on pricing page (Marcus / Sandra / James). Keep the IRD ones (real quotes). | `src/app/pricing/PricingClientPage.tsx` | **HIGH** — fake named-person testimonials can violate FTC guidelines. | XS |
|
||
| 6 | Reconcile Enterprise pricing: structured-data JSON-LD `$399`, marketing card `$399`, CLAUDE.md "Custom". Pick one. | `src/app/page.tsx`, `src/app/pricing/PricingClientPage.tsx`, FAQ copy | **MEDIUM** — Google snippets, sales-call confusion. | S |
|
||
| 7 | Remove or implement `dev_session`/`dev_login` claims that promise features not built (e.g., "Not yet wired up to Google" line in wholesale login). | `src/app/wholesale/login/page.tsx` | **MEDIUM** — production copy with TODO language. | XS |
|
||
| 8 | Replace `MiniMax-M3` etc. in `AIProviderPanel.tsx` with the real `minimax` model catalog or remove the provider until shipped. | `src/components/admin/AIProviderPanel.tsx` | **MEDIUM** — admin sets a non-existent model; calls will 404. | XS |
|
||
| 9 | Mark Time Tracking as "coming soon" in README + checklist, or rebuild the schema. | `README.md`, `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md`, `src/actions/time-tracking/field.ts` | **MEDIUM** — docs promise a feature whose actions are stubs. | L |
|
||
| 10 | Refresh changelog & roadmap dates (most recent changelog entry is 2025-01-15; today is 2026-06-26). Reclassify SMS Campaigns and Route Optimization as Shipped. | `src/app/changelog/page.tsx`, `src/app/roadmap/page.tsx` | **LOW** — perception of staleness. | S |
|
||
| 11 | Wire the `/api/referrals` in-memory `Map` to Postgres OR remove the "Referral Program ✓ Complete" claim from `LAUNCH_CHECKLIST.md`. | `src/app/api/referrals/route.ts`, `LAUNCH_CHECKLIST.md` | **LOW** — feature currently advertised but non-functional. | M |
|
||
| 12 | OG image: `/og-default.jpg` referenced by pricing/blog/contact but only `/og-default.svg` exists in `public/`. | `src/app/{pricing,blog,contact}/page.tsx`, `public/` | **LOW** — broken preview cards in social shares. | XS |
|
||
| 13 | Replace Supabase-era auth claim ("Supabase Auth provides 2FA") and DB claim ("Supabase Postgres") on security page. | `src/app/security/page.tsx` | **LOW–MEDIUM** — outdated reference, but page is informational. | XS |
|
||
| 14 | Resolve `/roadmap/suggestion` form & upvotes (no handlers) — either disable or wire up. | `src/app/roadmap/page.tsx` | **LOW** — UI affordance leads nowhere. | S |
|
||
|
||
---
|
||
|
||
## 9. Decisions needed from the user
|
||
|
||
1. **Replace or keep** the landing hero stats? If keep, commit to a data source.
|
||
2. **Choose pricing source of truth** — `pricing.ts` (25% annual) or `stripe-billing.ts` (15% annual, Enterprise=Custom). Recommend: align on `pricing.ts` for marketing parity, set `stripe-billing.ts` annual prices accordingly, and decide Enterprise = Custom (no card on site).
|
||
3. **Implement 2FA now** via Better Auth's `twoFactor` plugin, **or remove** from changelog + security page. Recommend: remove from copy; queue 2FA as a real ticket.
|
||
4. **Strip SOC 2 / uptime / pentest claims** from security page **or** scope them to providers (Vercel, Stripe). Recommend: scope to providers; queue real compliance work.
|
||
5. **Strip fabricated named testimonials** from pricing page. Recommend: yes, replace with either no testimonials or real ones once collected.
|
||
6. **Time Tracking**: docs claim it works, actions are stubs. Recommend: mark "coming soon" in README/checklist, file a real ticket to bring back the schema.
|
||
7. **Roadmap & changelog**: reclassify SMS Campaigns and Route Optimization as Shipped; refresh dates.
|
||
8. **OG image fix**: rename `og-default.svg` to `og-default.jpg`, or generate a JPG. Recommend: rename references in metadata to `/og-default.svg`.
|
||
9. **Permission to apply any subset of the above** in this session? If yes, which?
|
||
|
||
(Defaults below assume "yes, apply the safe ones; ask on anything that
|
||
touches an invoice number.") |