← All projects
Session Handoff · GEO-Agency

Session Handoff — AmplifAI Visibility BUILT + LIVE + safety-hardened (2026-07-12)

Saved 2026-07-12

Paste it into a fresh Claude Code session and say “resume from this handoff.” It's briefing only — Claude will wait for your next instruction.

Session Handoff — AmplifAI Visibility BUILT + LIVE + safety-hardened (2026-07-12)

TL;DR

The GEO lead-magnet website is LIVE at https://visibility.amplifaiyourbusiness.com — built, deployed, live-verified end-to-end (real email landed in Sondra's Gmail), independently safety-reviewed (FIX-FIRST), and all blockers fixed + redeployed in the same session. Remaining: Sondra's 30-second human pass of the bot check, then announce.

ACTIVE MODES (re-invoke in a fresh session before continuing this work)

fable-mode · premium-web-design · conversion-landing-page · amplifai-video-studio-theme · ponytail full (hook-enforced)

What shipped

Safety check (last major verdict — embed, don't lose)

Independent app-reviewer agent, adversarial: FIX-FIRST → all blockers fixed + redeployed same session:

  1. CRITICAL /api/unlock had no rate limit (email-bomb / Resend-quota-burn from her domain) → 10/IP/day cap + idempotency (unlocked:{reportId}:{emailHash}; one email + one lead per pair EVER; repeats return the report free — probe-verified: 10×200 → 11th 429 → repeat-after-cap 200).
  2. CRITICAL global cap was racy KV (eventually consistent — botnet could blow past) → atomic Durable Object reserve/release; slots refunded when Claude-side scoring fails; fresh-scan-through-DO verified (score 43).
  3. CRITICAL no privacy policy on an email-capture site → canonical ai.sondraverva.com/privacy linked in footer + report email (verified in live bundle).
  4. HIGH IP salt was a public constant (rainbow-table-able) → random IP_HASH_SECRET worker secret.
  5. Reviewer confirmed solid: no secrets in client bundle, XSS closed (React + esc(), both layers), SSRF guards, UUIDv4 report ids never in URLs, no CORS surface, no stack-trace leaks. Deferred (non-blocking): MEDIUM #6 — Resend/Supabase failures only console.error (no owner alert; candidate: Telegram/CommandOS webhook, batch later).

Verified live (evidence, not intention)

Sondra's steps (the only open items)

  1. 30-second human test: open https://visibility.amplifaiyourbusiness.com, tick "Verify you are human", scan any site, unlock with an email — the ONE box automation can't check. If the widget misbehaves for real humans, say so → next lever is Turnstile mode/domain settings.
  2. Read your own site's report in Gmail — it's a genuine to-do list for amplifaiyourbusiness.com (schema, llms.txt content, OG tags).
  3. Announce (Skool/FB) when happy — it's unannounced until you share the link.
  4. Swap the funnel CTA anytime in ONE spot: app/worker/config.ts → redeploy (npm run build && npx wrangler deploy).

v2 backlog (decided, not started)

Blog traffic layer on the same domain (sleegeo pattern — plan: PROJECTS/GEO-Agency/blog-strategy.md) · paid deep report using /seo DataForSEO + PDF · Stripe · owner-alert on send failures · CEO-dashboard project card (not yet added to ceo-dashboard/data/projects.json).

State / housekeeping

Generated for the CEO Dashboard · source: PROJECTS/GEO-Agency/handoffs/amplifai-visibility-built-live-2026-07-12.md 🤍