# AI Editor RSP — Closeout compliance recheck

- Task: `t_ddd7fb7c`
- Role: 墨盾 / Compliance recheck after closeout
- Production: https://aieditorrsp.net
- Repo: `/root/projects/aieditorrsp`
- Checked at: 2026-06-03 14:03 UTC
- Current source HEAD: `a94048436c43b8264a81a6dbfda059de8ee2c4e6`
- Latest listed Cloudflare Worker deployment: `0ef466aa-e99f-4a31-a766-99380298cf81` at 2026-06-03T13:39:32Z, Source=`Unknown (deployment)`
- Verdict: `COMPLIANCE_NO_GO`

This is a practical compliance review, not formal legal advice.

## Blocking issues

### C-01 — Third-party official/affiliation wording remains visible

Severity: P0 compliance blocker before public launch.

Production homepage visible text contains:

> “Adjust technical prompt parameters without leaving the editor-console feel from the official Stitch system.”

Risk: “official Stitch system” can imply official status, endorsement, or affiliation with a third-party brand/tool. This conflicts with the no-brand-riding / no-official-claim rule. It should be replaced with neutral product copy such as “the deployed editor-console system” or “the editor-console workflow.”

Evidence:

- Production scan: `/` contains `official Stitch system`.
- Source: `/root/projects/aieditorrsp/src/app/page.tsx` line 30.

### C-02 — Legal pages do not identify the operating company / jurisdiction

Severity: P0/P1 launch blocker for a paid product.

Production legal pages mention AI Editor RSP and the support email, but they do not clearly identify the operator as `Nextfield Labs LLC`, Wyoming, USA, and the Terms do not state governing law or the operator's support boundary.

Risk: Paid checkout, receipts, tax/refund handling, user rights requests, and disputes need a clear contracting/operator identity. “AI Editor RSP” alone is not enough as the legal counterparty.

Affected pages checked:

- `/privacy`
- `/terms`
- `/cookie-policy`
- `/refund`
- `/contact`

Expected fix:

- Add operator identity: `AI Editor RSP is operated by Nextfield Labs LLC, Wyoming, USA.`
- Add Terms governing-law/support clause appropriate for Wyoming LLC operation.
- Keep support contact as `support@aieditorrsp.net`.

### C-03 — Refund policy lacks a clear request window and processing timeframe

Severity: P1 launch compliance blocker unless the Owner explicitly waives it.

Current `/refund` says refunds are “reviewed” against receipt / entitlement / credit usage, but does not specify a refund request window or processing timeframe.

Risk: For Stripe paid subscriptions and credit packs, users should see a concrete refund request window, what is refundable/non-refundable, and expected handling time. This reduces chargeback/support risk and aligns pricing, checkout, and refund expectations.

Expected fix:

- Add a refund request window, e.g. “within 7 days of purchase or renewal” if that is the intended business rule.
- Add processing timeframe, e.g. “we review eligible requests within 5–10 business days.”
- State that credits consumed by successful generations are generally non-refundable; failed generations that returned no usable provider result should not consume paid credits, or should be reviewed for correction.

## Passed checks

### OAuth / checkout route policy

Pass.

- `/auth`: `308` → `/api/auth/login?return_to=%2Fpricing`
- `/api/checkout/stripe?plan=monthly` unauthenticated: `302` → `/api/auth/login?return_to=%2Fapi%2Fcheckout%2Fstripe%3Fplan%3Dmonthly`
- `/checkout`: `308` → `/pricing`

Interpretation: direct route policy is now coherent. Checkout requires Google login before Stripe.

### Payment/tax disclosure in code and production pages

Pass with above legal-page caveats.

Confirmed in source and production page text:

- Pricing states Google login is required for paid checkout.
- Pricing states Stripe Checkout uses automatic tax, billing address, and tax ID collection fields.
- Checkout route sets:
  - `automatic_tax[enabled]=true`
  - `billing_address_collection=required`
  - `tax_id_collection[enabled]=true`
- Billing disclosure states that Stripe is the payment processor, not the Merchant of Record.
- `/api/credits` production response shows `paid_enabled: true` and checkout links for monthly/yearly/credit_pack.

### Paid claims / credits language

Pass except C-01.

No production hits were found for the stale, launch-blocking "paid disabled" copy:

- `Paid checkout is disabled`
- `PLANNED / DISABLED`
- `paid credits remain disabled`
- `provider pending`
- `not enabled yet`
- `If payments are enabled later`
- `Private preview`
- `Preview access`

Good guardrail language remains visible:

- Plans are credit-capped.
- No unlimited-use claims.
- Outputs depend on provider/source/safety checks.
- No guarantee that every prompt will produce a usable result.

### Legal routes and support contact

Pass with C-02/C-03 caveats.

Production routes return 200:

- `/privacy`
- `/terms`
- `/cookie-policy`
- `/refund`
- `/contact`

Footer/legal links present on checked pages:

- `/privacy`
- `/terms`
- `/cookie-policy`
- `/refund`
- `/contact`

The contact email uses the product domain:

- `support@aieditorrsp.net`

### Secrets leakage scan

Pass.

Source scan found no obvious committed secret values matching:

- `sk_live_`, `sk_test_`, `whsec_`, `rk_live_`
- Google API key pattern
- private key headers
- `.env`-style `STRIPE_SECRET_KEY=`, `GOOGLE_CLIENT_SECRET=`, `FAL_KEY=`, `CLOUDFLARE_API_TOKEN=`
- long `Bearer ...` token pattern

Production HTML/API pages checked did not expose Stripe secret/webhook secret/provider keys.
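A line-level scanner for the pattern list above, added here as an example (not the project's own `search_files` scan): it skips template placeholders so `.env.example` entries and CI variable references do not count as leaks, and it redacts every match before it reaches a report. The sample input is constructed and every value in it is fake.

```python
import re
from dataclasses import dataclass

# Patterns mirror the recheck's scan list; constructed here, not the project's own scan.
SECRET_PATTERNS = {
    "stripe_key": re.compile(r"\b(?:sk_live|sk_test|rk_live)_[A-Za-z0-9]{8,}"),
    "stripe_webhook_secret": re.compile(r"\bwhsec_[A-Za-z0-9]{8,}"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{32,}"),
}
ENV_KEYS = ("STRIPE_SECRET_KEY", "GOOGLE_CLIENT_SECRET", "FAL_KEY", "CLOUDFLARE_API_TOKEN")
ENV_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?(" + "|".join(ENV_KEYS) + r")\s*=\s*(.*?)\s*$")

@dataclass(frozen=True)
class Finding:
    lineno: int
    kind: str
    redacted: str  # short prefix only; the full value never enters a report

def _is_placeholder(value: str) -> bool:
    # Empty values, $VAR / ${VAR} references and <angle> placeholders are
    # template material (.env.example, CI config), not committed secrets.
    v = value.strip().strip("'\"")
    return v == "" or v.startswith("$") or (v.startswith("<") and v.endswith(">"))

def scan_text(text: str) -> list[Finding]:
    """One Finding per secret-looking match, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENV_ASSIGNMENT.match(line)
        if m and not _is_placeholder(m.group(2)):
            findings.append(Finding(lineno, "env_assignment:" + m.group(1), m.group(2)[:6] + "..."))
        for kind, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(line):
                findings.append(Finding(lineno, kind, hit.group(0)[:8] + "..."))
    return findings

# Constructed sample input: every value below is fake.
SAMPLE = "\n".join([
    "STRIPE_SECRET_KEY=",                               # .env.example, empty value
    "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}",     # CI variable reference
    'const key = "sk_live_' + "FAKE" * 6 + '";',        # hard-coded key shape
    "GOOGLE_CLIENT_SECRET=fake-client-secret-value",    # real-looking .env line
    "Authorization: Bearer " + "x" * 40,                # long bearer token
    "-----BEGIN RSA PRIVATE KEY-----",                  # key material header
    'log("whsec_ not set");',                           # prefix only, no hit
    'apiKey: "AIzaSy' + "FAKE" * 8 + '0",',             # 39-char key shape
])
```

Run `scan_text` over each tracked file's contents and fail the gate on any non-empty result; the `redacted` field is safe to paste into a report like this one.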

## Parent evidence accepted

- Backend closeout `t_e0c8225c`: production OAuth login and authenticated Checkout session creation were previously verified; real live payment is Owner-waived; signed webhook smoke `t_0d6831d7` is accepted as launch-gate evidence under Owner decision.
- Frontend closeout `t_66fe8331`: Plausible/Clarity runtime, LCP, mobile editor Generate visibility, and `/auth` `/checkout` route policy were verified; GA4 remains an external blocker due to a missing Measurement ID / Analytics Admin permission.

## Residual risk

- Real paid `checkout.session.completed` entitlement crediting remains post-launch P1 monitoring because Owner waived real live payment.
- GA4 remains externally blocked; Privacy/Cookie wording uses “may use GA4/Clarity when configured,” which is acceptable from compliance if final QA/Product accept the analytics waiver.
- Legal page operator identity and refund-window gaps should be fixed before Owner Gate.

## Follow-up created

Created remediation task:

- `t_a64b01f1` — AI Editor RSP — Fix closeout compliance copy blockers
- Assignee: `mojie`

## Required next inputs

- Frontend/legal copy remediation from `t_a64b01f1`, committed + pushed + deployed from the same code commit.
- Fresh compliance recheck after remediation.

## Checks run

- `kanban_show(t_ddd7fb7c)`
- Read continuation brief: `/root/.hermes/reports/aieditorrsp-hero-optimization-20260603/final-qa-no-go-continuation-brief-20260603.md`
- Read parent artifacts:
  - `/root/.hermes/reports/aieditorrsp-hero-optimization-20260603/frontend-analytics-perf-mobile-closeout.md`
  - `/root/projects/aieditorrsp/docs/backend-auth-stripe-e2e-closeout.md`
  - `/root/projects/aieditorrsp/docs/stripe-webhook-smoke-no-real-payment.md`
  - `/root/projects/aieditorrsp/docs/frontend-auth-affordance-closeout.md`
- Source review:
  - `src/components/PublicPages.tsx`
  - `src/app/auth/route.ts`
  - `src/app/checkout/route.ts`
  - `src/app/api/checkout/stripe/route.ts`
  - `src/app/privacy/page.tsx`
  - `src/app/terms/page.tsx`
  - `src/app/cookie-policy/page.tsx`
  - `src/app/refund/page.tsx`
- Production route/content checks for `/`, `/pricing`, `/privacy`, `/terms`, `/cookie-policy`, `/refund`, `/contact`, `/auth`, `/checkout`, `/api/checkout/stripe?plan=monthly`, `/api/credits`, `/api/health`
- Source forbidden/secrets scan via `search_files`
- `npx wrangler deployments list --config wrangler.jsonc`
- `git status --short --branch && git rev-parse HEAD`
