Micro-Startup Sprint — Control

Ops (live) → status: running

Current day: Day 4

Spend used vs cap: $0 / $25 (projected next: $0)

Active blockers: 0

Last updated: 2026-06-02

Next action

Ops dashboard shipped: apps/dashboard migrated to adapter-cloudflare with a live, Access-gated /ops view (per-app payments wiring, signups, visits, compute, D1 free-tier headroom) backed by the Cloudflare GraphQL Analytics API + a read-only ANALYTICS_CLOUDFLARE_* token. Waitlist storage consolidated into ONE shared D1 (micro_waitlist) — created, migrated, FaviconFast's 3 rows imported, back to 1/10 of the free-tier cap. /ops is fail-closed in production (403 to the public). Remaining: (1) finish the Cloudflare Access app/policy so gabrigmm@gmail.com can reach /ops; (2) redeploy FaviconFast from its dir so its live waitlist writes to micro_waitlist; (3) delete the old faviconfast_waitlist once /ops shows the 3 signups. The 9 held apps still await deploy approval (each binds micro_waitlist when deployed from its own dir). See docs/DECISIONS.md (2026-06-02) + RUNBOOK.

Missing / needed checklist

Decisions

  • Spend cap chosen: $25 hard cap for the initial sprint.
  • Stripe mode policy: start in test mode only.
  • Domain policy: Cloudflare Pages subdomains only unless approved.
  • Email policy: no live transactional email without approval.
  • Public/content policy: no public launch claims without approval.
  • Focus tradeoff approved for Day 1 only; reassess again before Day 2.
  • Dashboard visibility: Cloudflare Pages subdomain is acceptable for Day 0 dashboard; no public launch claims.
  • Customer-facing products require dedicated *.pages.dev URLs, complete working core functionality, and waitlist/intent capture before pricing or fake-door CTAs.

Accounts / secrets

  • GitHub auth available (gh authenticated as nkwib; git identity configured).
  • Cloudflare auth present in .env (CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN); whoami verifies without printing secrets.
  • Ops analytics token present (ANALYTICS_CLOUDFLARE_ACCOUNT_ID + ANALYTICS_CLOUDFLARE_API_TOKEN, read-only) and set as dashboard Pages secrets.
  • Stripe test key/app secret presence confirmed in project env; test mode only.
  • Anthropic runtime key presence confirmed; do not use before approved AI day.
  • Resend key presence confirmed; live send still needs explicit approval.

Day 0 build

  • Initialize repo scaffold at ~/code/micro-startups.
  • Add apps/dashboard SvelteKit shell.
  • Add packages/boilerplate with PRCompass-derived env reader.
  • Add packages/ui with landing/CTA/card primitives.
  • Add packages/stripe skeleton with test-mode safety checks.
  • Add packages/cloudflare env helper/readme.
  • Add docs/RUNBOOK.md, PROGRESS.md, BLOCKERS.md, DECISIONS.md, DAY_TEMPLATE.md.
  • Add data/sprint.json seed.
  • Add script to validate/regenerate dashboard data from docs/data.
  • Verify dashboard renders/builds locally.
  • Verify Cloudflare whoami and deploy Day 0 dashboard to Pages.
  • Add static security headers via Cloudflare Pages _headers file.

Future blockers

  • Cloudflare Pages project naming collision handling.
  • Stripe idempotent product/payment-link lookup by metadata/name.
  • D1/KV binding strategy before Day 4.
  • Upload/storage strategy before Day 6.
  • Abuse/rate-limit strategy before Day 7.
  • Webhook local testing strategy before Day 8.
  • Scheduled Worker + email approval boundary before Day 10.

Day grid (Day 0–10)

Day 0 · Dashboard + Scaffold shipped

dashboard-scaffold

payment: none · verified: yes · decision: pause · url: live

new: pnpm + Turborepo monorepo, SvelteKit 2 + Tailwind v3 dashboard, packages/boilerplate runtime env reader, packages/ui primitives, packages/stripe test-mode skeleton, packages/cloudflare env helper, docs control plane + data/sprint.json, Cloudflare Pages deployment + HTTPS verification, live /ops observability view (adapter-cloudflare; Cloudflare GraphQL Analytics; Cloudflare Access OTP gate; fail-closed in prod)

Day 1 · FaviconFast shipped

faviconfast

payment: pricing-only · verified: yes · decision: continue · url: live

new: dedicated apps/faviconfast product app, dedicated Cloudflare Pages product project faviconfast, Cloudflare D1 database faviconfast_waitlist, text/image/SVG favicon generation, SVG/PNG/ICO downloads, D1-backed waitlist/intent capture API

reused: SvelteKit + Tailwind app scaffold, Cloudflare Pages adapter, Cloudflare D1 waitlist pattern

Day 2 · TweetProof building

tweetproof

payment: pricing-only · verified: no · decision: continue

new: client-side canvas tweet→image editor (text/avatar/theme, PNG @1x/2x), Swiss-minimalist design system

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton

Day 3 · MoodboardJPG building

moodboardjpg

payment: pricing-only · verified: no · decision: continue

new: client-side multi-image moodboard JPG composer (layouts/palette/title), warm-gallery design system

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton, @micro/ui StatusBadge

Day 4 · WaitlistKit building

waitlistkit

payment: none · verified: no · decision: continue

new: packages/waitlist shared hardened waitlist factory + client + migration renderer, dedicated apps/waitlistkit product app (dogfoods the package), Content-Length guard + per-IP rate limit (portable D1 fixed-window counter) + Turnstile-ready server verify, config-driven D1 migration generator (single source of truth, no drift)

reused: hardened waitlist endpoint pattern (FaviconFast Day 1), Cloudflare Pages adapter + local D1 platformProxy pattern, packages/ui StatusBadge primitive

Day 5 · DomainVibes building

domainvibes

payment: pricing-only · verified: no · decision: continue

new: client-side brandable domain generator (vibes + TLD picks), synthwave-terminal design system, key-gated /api/availability scaffold (DOMAINR_API_KEY)

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton

Day 6 · AltTextly building

alttextly

payment: pricing-only · verified: no · decision: continue

new: AI alt-text endpoint (Claude vision, key-gated, Content-Length + size + max_tokens guardrails), client-side image downscale, accessibility-first design system

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton

Day 7 · ColdReplyAI building

coldreplyai

payment: pricing-only · verified: no · decision: continue

new: AI cold-reply endpoint (Claude, key-gated, input caps), glassmorphism SaaS design system

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton

Day 8 · ShipReceipts building

shipreceipts

payment: pricing-only · verified: no · decision: continue

new: client-side receipt/invoice generator (live preview, PNG + print-to-PDF), fintech receipt-paper design system, Stripe Payment-Link fake-door placeholder (no live resources)

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton, @micro/stripe test-mode guard (available)

Day 9 · LaunchChecklist building

launchchecklist

payment: pricing-only · verified: no · decision: continue

new: client-side launch checklist (localStorage progress), pastel-productivity design system, premium fake-door → waitlist

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton, @micro/stripe test-mode guard (available)

Day 10 · RefundGuard building

refundguard

payment: pricing-only · verified: no · decision: continue

new: client-side refund-risk scorer (heuristic demo), security-dashboard dark design system, Stripe/alerts fake-door → waitlist (no live email, no cron)

reused: @micro/waitlist hardened endpoint + client (dogfooded), Cloudflare Pages adapter + local D1 platformProxy pattern, WaitlistKit app skeleton, @micro/stripe test-mode guard (available)

Active blockers

No active blockers.

Reusable infra extracted

packages/boilerplate env reader extracted

readRuntimeEnv(platform) reads platform.env ?? process.env; required/optional secret checks emit a missing-secret blocker list.

packages/ui primitives extracted

Landing hero, CTA button, pricing/feature card, status badge.

packages/stripe skeleton extracted

assertTestMode() rejects sk_live_; no live calls in Day 0.

packages/cloudflare helper extracted

Cloudflare env-name constants + presence reader; no API calls.

apps/dashboard extracted

SvelteKit 2 + Tailwind v3 control plane. Public / renders data/sprint.json (prerendered); Access-gated /ops is a live observability view (adapter-cloudflare) querying the Cloudflare GraphQL Analytics API + shared D1 for payments wiring, signups, visits, compute, and D1 free-tier headroom.

shared D1 (micro_waitlist) live

One Cloudflare D1 database for all products, discriminated by source_product (schema identical across apps; rate-limit key already product-namespaced). Replaces ten per-app DBs to stay within the free-tier 10-database cap and make cross-product aggregation a single query.

@micro/ui charts extracted

Dependency-free, server-renderable inline-SVG primitives (BarChart, MeterBar, Sparkline) for the ops dashboard — CSP-safe, no JS chart lib.

packages/waitlist extracted

Configurable, dependency-free, abuse-hardened waitlist/intent-capture: server handler factory (Content-Length guard, idempotent upsert, validation+clipping, honeypot, salted IP hash, Turnstile-ready, per-IP rate limit), client submitWaitlist, and a config-driven D1 migration renderer. Consumed by apps/waitlistkit; later products reuse it instead of re-implementing the endpoint.
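
The request path that description implies, as an added example (not the project's own code): Content-Length guard before parsing, salted SHA-256 IP hash, per-IP fixed-window limit of 5 per 60 s, honeypot, and idempotent upsert. The names `handleWaitlist`, `hit`, `ipHash`, the `website` honeypot field, the 4096-byte cap, the honeypot's 200 response and the in-memory Maps standing in for D1 are assumptions.

```javascript
// Added example: names, caps and the Map-backed store are assumptions, not project code.
// WebCrypto is global on Workers and Node 20+; older Node exposes it through node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const MAX_BODY_BYTES = 4096;     // assumed cap; the page does not state one
const LIMIT = 5, WINDOW_S = 60;  // 5 requests per 60 s, as on the page

// Salted SHA-256 of the client IP as 64 hex chars, so the raw IP is never stored.
async function ipHash(ip, salt) {
  const digest = await webcrypto.subtle.digest('SHA-256', new TextEncoder().encode(`${salt}:${ip}`));
  return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, '0')).join('');
}

// Fixed-window counter. A Map stands in for the D1 table; in D1 this would be one
// upsert keyed on (key, window_start) that increments and returns the count.
function hit(counters, key, nowMs) {
  const windowStart = Math.floor(nowMs / 1000 / WINDOW_S) * WINDOW_S;
  const id = `${key}:${windowStart}`;
  const count = (counters.get(id) ?? 0) + 1;
  counters.set(id, count);
  return count <= LIMIT;
}

// Returns the HTTP status the endpoint would send. Cheap rejections run first.
async function handleWaitlist(req, env, nowMs = Date.now()) {
  if (req.method !== 'POST') return 405;
  const declared = Number(req.headers['content-length']);
  if (!Number.isFinite(declared) || declared > MAX_BODY_BYTES) return 413; // before parsing
  if (new TextEncoder().encode(req.body).length > MAX_BODY_BYTES) return 413; // header can lie
  const hash = await ipHash(req.ip, env.ipSalt);
  if (!hit(env.counters, `${env.product}:${hash}`, nowMs)) return 429; // product-namespaced key
  let data;
  try { data = JSON.parse(req.body); } catch { return 400; }
  if (data === null || typeof data !== 'object') return 400;
  if (data.website) return 200; // honeypot filled: answer normally, store nothing
  const email = String(data.email ?? '').trim().toLowerCase().slice(0, 254);
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return 400;
  const k = `${env.product}:${email}`; // UNIQUE natural key: repeat emails update one row
  env.rows.set(k, { email, ip_hash: hash, created_at: env.rows.get(k)?.created_at ?? nowMs });
  return 200;
}

// Constructed sample traffic: seven valid posts from one IP in one window, then one oversized.
async function demo() {
  const env = { product: 'waitlistkit', ipSalt: 'constructed-salt', counters: new Map(), rows: new Map() };
  const post = (body, ip = '203.0.113.7') => ({ method: 'POST', ip, body,
    headers: { 'content-length': String(new TextEncoder().encode(body).length) } });
  const statuses = [];
  for (let i = 0; i < 7; i++) statuses.push(await handleWaitlist(post('{"email":"a@example.com"}'), env, 1000));
  statuses.push(await handleWaitlist(post('x'.repeat(5000), '203.0.113.8'), env, 1000));
  return { statuses, rows: env.rows.size };
}

demo().then(console.log);
```

A fixed window admits up to twice the limit across a window boundary, which is fine for protecting free-tier quotas but not for strict throttling.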

Evidence feed

  • reusable-infra

    Day 0 scaffold built: monorepo, env reader, UI primitives, Stripe test-mode skeleton, Cloudflare helper, control-plane docs, and a dashboard that renders data/sprint.json.

    2026-06-01

  • reusable-infra

    Day 0 dashboard deployed and HTTP-verified at https://micro-startups-dashboard.pages.dev/; latest immutable deployment receipt https://2b32ec77.micro-startups-dashboard.pages.dev/; local data/typecheck/build also passed.

    2026-06-01

  • reusable-infra

    Day 1 FaviconFast built as a static SvelteKit route (/faviconfast) reusing packages/ui: client-side favicon generator (editable brand/initials, color themes, shape, live preview, SVG data-URL download) plus a fake-door pricing CTA that records intent locally only. No backend, no payment, no email, no tracking. Verified locally via data:check, typecheck, build; deploy pending Hermes.

    2026-06-01

  • feedback

    Day 1 FaviconFast shipped and HTTP-verified at https://micro-startups-dashboard.pages.dev/faviconfast; deployment receipt https://2b32ec77.micro-startups-dashboard.pages.dev. Static client-side SVG/favicon generator with pricing-only fake door. No backend, no payment, no email, no tracking.

    2026-06-01

  • feedback

    Quality bar corrected: customer-facing micro-startups need dedicated *.pages.dev product URLs, working core functionality rather than mockups, obvious input modes such as image/SVG upload for FaviconFast, no internal experiment copy on product pages, and working waitlist/intent capture before pricing or fake-door CTAs.

    2026-06-01

  • reusable-infra

    Day 1 FaviconFast was rebuilt locally as a dedicated apps/faviconfast SvelteKit product with text/image/SVG favicon generation, live previews, SVG/PNG/ICO downloads, and D1-backed waitlist intent capture. Local typecheck/build/data checks passed; browser QA verified the core path and local D1 stored required waitlist fields. Remote ship is blocked by missing Cloudflare D1 token permissions / remote database UUID, so no liveUrl is recorded.

    2026-06-01

  • feedback

    Day 1 FaviconFast shipped at https://faviconfast.pages.dev/: dedicated Cloudflare Pages product URL, text/image/SVG favicon generation, live previews, SVG/PNG/ICO downloads, and D1-backed waitlist intent capture. Live verification passed for markers, security headers, browser text/raster/SVG/download flows, POST /api/waitlist, and remote D1 stored required fields.

    2026-06-01

  • feedback

    Day 1 FaviconFast post-ship fix: the live page was unstyled because the root +layout.svelte never imported app.css, so no stylesheet shipped. Fixed the import and redesigned the landing page into a neo-brutalist Launch Arcade look (markup-only restyle). Re-verified live: stylesheet served (HTTP 200 text/css), all five markers present, security headers intact, desktop + mobile renders confirmed.

    2026-06-01

  • feedback

    Day 1 FaviconFast post-ship fix #2: text-mode SVG/PNG/ICO downloads rendered differently (Inter font fallback varied per renderer; dominant-baseline and letter-spacing rasterized inconsistently across engines, one engine dropping a letter). Made the text deterministic (alphabetic-baseline centering, generic font stack, no letter-spacing, weight 800) and broadened the ICO to 16-256px; verified the glyph renders consistently across Chrome and a second SVG engine for 1/2/3-letter cases. SVG kept as true vector.

    2026-06-01

  • staff-evidence

    Security review of the D1 waitlist endpoint (POST /api/waitlist). Network/volumetric DDoS is covered automatically by Cloudflare; code is already solid (parameterized queries, idempotent upsert that prevents row growth from repeat emails, validation + length clipping, honeypot, salted IP hash, POST-only). Residual risk is L7 abuse: unbounded writes via unique emails (no rate limit/bot challenge) can exhaust free-tier D1/Functions quotas (DoS) or cost money on a paid plan, plus unbounded body parsing. Documented a hardened reusable endpoint pattern (Content-Length guard + Cloudflare rate-limit rule + Turnstile + *_IP_SALT) in RUNBOOK/SECURITY for Day 4 WaitlistKit and all later products. FaviconFast Day 1 ships without the extra hardening: accepted documented risk for a noindex experiment; harden before promotion or real traffic.

    2026-06-01

  • reusable-infra

    Day 4 WaitlistKit built LOCALLY (deploy held for approval). Extracted packages/waitlist: a configurable, dependency-free, abuse-hardened waitlist handler factory (Content-Length guard before parse, parameterized idempotent upsert on a UNIQUE natural key, strict validation + length clipping, honeypot, salted SHA-256 IP hash, Turnstile-ready server verify, per-IP rate limit via a portable D1 fixed-window counter), a client submitWaitlist helper, and a config-driven migration renderer (single source of truth, no schema drift). apps/waitlistkit is the first consumer and dogfoods the live hardened form. Verified locally: repo typecheck + build, CSS ships (stylesheet link in built index.html), CSP all 'self', endpoint stores to local D1 with idempotent upsert (duplicate email = 1 row, field updated, created_at preserved), honeypot/oversized(413)/invalid(400, per-field)/non-JSON/405 rejected, rate limit triggers (5/60s -> 429), salted 64-hex ip_hash never raw, and zero horizontal overflow at 320/360/390/414. Remote D1 creation, remote migration, secrets, and Pages deploy intentionally NOT done today.

    2026-06-01

  • reusable-infra

    Bootstrapped the remaining 8 sprint products locally (Days 2,3,5,6,7,8,9,10), each a distinct-styled SvelteKit + Cloudflare Pages app dogfooding @micro/waitlist: TweetProof (Swiss-minimal tweet→image), MoodboardJPG (warm-gallery moodboard JPG), DomainVibes (synthwave domain generator), AltTextly (accessible AI alt-text, key-gated), ColdReplyAI (glassy AI cold-reply, key-gated), ShipReceipts (fintech receipt/invoice + print-to-PDF), LaunchChecklist (pastel checklist w/ localStorage), RefundGuard (security-dashboard refund-risk scorer). Verified locally for all 8: repo typecheck (15/15) + build, CSS ships + CSP all-'self' + noindex + no internal copy, /api/waitlist smoke 5/5 (405/400/honeypot/valid-store/no-store) against local D1, and 0 horizontal page-overflow at 320/360/390/414. All external calls (AI/Stripe/email/cron) are gated behind absent keys and stay inert — $0 spend, nothing deployed. Built via parallel subagent orchestration + an adversarial review pass.

    2026-06-01

  • reusable-infra

    AltTextly (Day 6) and ColdReplyAI (Day 7) AI cores verified working LOCALLY via the opencode Go subscription. Both endpoints are provider-agnostic (OpenAI-compatible /chat/completions, env-configurable AI_BASE_URL/AI_MODEL/AI_API_KEY+OPENCODE_API_KEY); default to https://opencode.ai/zen/go/v1 with qwen3.6-plus (one open model that is both vision-capable for alt text and clean for text replies). End-to-end through the app endpoints: AltTextly returned correct alt text for a test image and ColdReplyAI returned clean reply drafts, both HTTP 200 at cost 0 (covered by the Go subscription). Key kept in gitignored .dev.vars; never printed or committed. Still env-overridable to metered opencode Zen or any OpenAI-compatible gateway. Deploy + public-traffic caveats (subscription usage limits, gate the endpoint) recorded in BLOCKERS.

    2026-06-01

  • reusable-infra

    Ops dashboard + shared D1. Consolidated the ten per-app *_waitlist databases into one micro_waitlist (created, migrated, FaviconFast's 3 rows imported — verified faviconfast|3 via remote query; back to 1/10 of the free-tier cap). Migrated apps/dashboard to adapter-cloudflare and added an Access-gated /ops view (server-rendered, csr=false) showing per-app payments wiring, signups (shared D1), visits, Pages compute, and D1 free-tier headroom via the Cloudflare GraphQL Analytics API; added dependency-free SVG charts to @micro/ui. Auth = Cloudflare Access OTP (allowlist gabrigmm@gmail.com) with an in-app fail-closed backstop (403 in prod without the cf-access email header). Deployed + verified: / 200 public, /ops 403 to the public; analytics token is a read-only ANALYTICS_CLOUDFLARE_* Pages secret, separate from the deploy token. $0 spend.

    2026-06-02

Private control plane · no public launch claims · data from data/sprint.json