From 136196c6b63651075e8825dbe6a6a13669f60e10 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Mon, 2 Mar 2026 00:05:36 -0500
Subject: [PATCH 01/10] hardening: g14 secure recording access UX

---
 README.md                                 |  6 ++-
 app/api/leads/[leadId]/recording/route.ts | 57 +++++++++++++++++++++++
 app/app/leads/[leadId]/page.tsx           | 13 +++++-
 lib/recording-access.ts                   | 18 +++++++
 tests/recording-access.test.ts            | 44 +++++++++++++++++
 5 files changed, 135 insertions(+), 3 deletions(-)
 create mode 100644 app/api/leads/[leadId]/recording/route.ts
 create mode 100644 lib/recording-access.ts
 create mode 100644 tests/recording-access.test.ts

diff --git a/README.md b/README.md
index 94fb231..e03420c 100644
--- a/README.md
+++ b/README.md
@@ -262,13 +262,14 @@ Current behavior:
 
 - Forwarded calls are recorded via TwiML `<Dial record="record-from-answer-dual">`
 - The app stores recording metadata on `Call` (`recordingSid`, `recordingUrl`, `recordingStatus`, `recordingDurationSeconds`) when Twilio posts recording callbacks to `/api/twilio/status`
-- The app does **not** proxy/download recording audio files; recordings remain hosted in Twilio unless you add a separate ingestion/storage pipeline
+- Recording audio remains hosted in Twilio; CallbackCloser exposes a server-mediated redirect route for authenticated in-app access
 
 Where to access recordings:
 
+- Lead detail page (`/app/leads/[leadId]`) shows recording status/duration and an authenticated `Open recording` action
+- Recording links are mediated through `/api/leads/[leadId]/recording`, which checks the signed-in owner and lead business before redirecting
 - Twilio Console -> Monitor -> Calls (or Call Logs / Recordings, depending on account UI)
 - Database (`Call.recording*` fields) for metadata lookup / correlation
-- The app does not currently surface recordings in the dashboard UI
 
 ## Billing Gating Behavior
 
@@ -318,6 +319,7 @@ Prisma models included:
 - `/api/twilio/voice` - Twilio voice webhook
 - `/api/twilio/status` - Twilio dial action callback
 - `/api/twilio/sms` - Twilio SMS webhook
+- `/api/leads/[leadId]/recording` - authenticated recording redirect for lead owners
 - `/api/stripe/webhook` - Stripe webhook
 
 ## Notes / MVP Constraints
diff --git a/app/api/leads/[leadId]/recording/route.ts b/app/api/leads/[leadId]/recording/route.ts
new file mode 100644
index 0000000..f70fc15
--- /dev/null
+++ b/app/api/leads/[leadId]/recording/route.ts
@@ -0,0 +1,57 @@
+import { auth } from '@clerk/nextjs/server';
+import { NextResponse } from 'next/server';
+
+import { db } from '@/lib/db';
+import { resolveRecordingAccessReason } from '@/lib/recording-access';
+import { absoluteUrl } from '@/lib/url';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export async function GET(_request: Request, { params }: { params: { leadId: string } }) {
+  const { userId } = await auth();
+  if (!userId) {
+    return NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 });
+  }
+
+  const lead = await db.lead.findUnique({
+    where: { id: params.leadId },
+    select: {
+      id: true,
+      business: {
+        select: {
+          ownerClerkId: true,
+        },
+      },
+      call: {
+        select: {
+          recordingUrl: true,
+        },
+      },
+    },
+  });
+
+  if (!lead) {
+    return NextResponse.json({ error: 'Lead not found' }, { status: 404 });
+  }
+
+  const accessReason = resolveRecordingAccessReason({
+    requestUserId: userId,
+    businessOwnerClerkId: lead.business.ownerClerkId,
+    recordingUrl: lead.call?.recordingUrl ?? null,
+  });
+
+  if (accessReason === 'wrong_business') {
+    return NextResponse.json({ error: 'Lead not found' }, { status: 404 });
+  }
+
+  if (accessReason === 'recording_unavailable') {
+    return NextResponse.json({ error: 'Recording not available for this lead' }, { status: 404 });
+  }
+
+  if (accessReason !== 'ok') {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  return NextResponse.redirect(lead.call!.recordingUrl!, { status: 303 });
+}
diff --git a/app/app/leads/[leadId]/page.tsx b/app/app/leads/[leadId]/page.tsx
index bdf24be..99052dc 100644
--- a/app/app/leads/[leadId]/page.tsx
+++ b/app/app/leads/[leadId]/page.tsx
@@ -92,7 +92,7 @@ export default async function LeadDetailPage({ params, searchParams }: { params:
           <Card>
             <CardHeader>
               <CardTitle>Call Record</CardTitle>
-              <CardDescription>Twilio voice callback data for the originating call.</CardDescription>
+              <CardDescription>Twilio voice callback data and recording metadata for the originating call.</CardDescription>
             </CardHeader>
             <CardContent className="space-y-2 text-sm">
               {lead.call ? (
@@ -102,6 +102,17 @@ export default async function LeadDetailPage({ params, searchParams }: { params:
                   <div className="grid grid-cols-2 gap-2"><span className="text-muted-foreground">Answered</span><span>{lead.call.answered ? 'Yes' : 'No'}</span></div>
                   <div className="grid grid-cols-2 gap-2"><span className="text-muted-foreground">Missed</span><span>{lead.call.missed ? 'Yes' : 'No'}</span></div>
                   <div className="grid grid-cols-2 gap-2"><span className="text-muted-foreground">Duration</span><span>{lead.call.callDurationSeconds ?? 0}s</span></div>
+                  <div className="grid grid-cols-2 gap-2"><span className="text-muted-foreground">Recording status</span><span>{lead.call.recordingStatus || 'not_available'}</span></div>
+                  <div className="grid grid-cols-2 gap-2"><span className="text-muted-foreground">Recording duration</span><span>{lead.call.recordingDurationSeconds ?? 0}s</span></div>
+                  <div className="pt-1">
+                    {lead.call.recordingUrl ? (
+                      <form action={`/api/leads/${lead.id}/recording`} method="get">
+                        <Button type="submit" variant="outline">Open recording</Button>
+                      </form>
+                    ) : (
+                      <p className="text-xs text-muted-foreground">Recording link unavailable until Twilio recording metadata is received.</p>
+                    )}
+                  </div>
                 </>
               ) : (
                 <p className="text-muted-foreground">No call record linked.</p>
diff --git a/lib/recording-access.ts b/lib/recording-access.ts
new file mode 100644
index 0000000..f96aa3f
--- /dev/null
+++ b/lib/recording-access.ts
@@ -0,0 +1,18 @@
+export type RecordingAccessReason =
+  | 'ok'
+  | 'unauthenticated'
+  | 'wrong_business'
+  | 'recording_unavailable';
+
+export function resolveRecordingAccessReason(input: {
+  requestUserId: string | null | undefined;
+  businessOwnerClerkId: string | null | undefined;
+  recordingUrl: string | null | undefined;
+}): RecordingAccessReason {
+  if (!input.requestUserId) return 'unauthenticated';
+  if (!input.businessOwnerClerkId || input.businessOwnerClerkId !== input.requestUserId) {
+    return 'wrong_business';
+  }
+  if (!input.recordingUrl) return 'recording_unavailable';
+  return 'ok';
+}
diff --git a/tests/recording-access.test.ts b/tests/recording-access.test.ts
new file mode 100644
index 0000000..3fd8364
--- /dev/null
+++ b/tests/recording-access.test.ts
@@ -0,0 +1,44 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+
+import { resolveRecordingAccessReason } from '../lib/recording-access.ts';
+
+test('recording access denies unauthenticated requests', () => {
+  const reason = resolveRecordingAccessReason({
+    requestUserId: null,
+    businessOwnerClerkId: 'user_123',
+    recordingUrl: 'https://api.twilio.com/recordings/abc',
+  });
+
+  assert.equal(reason, 'unauthenticated');
+});
+
+test('recording access denies users outside the lead business', () => {
+  const reason = resolveRecordingAccessReason({
+    requestUserId: 'user_123',
+    businessOwnerClerkId: 'user_456',
+    recordingUrl: 'https://api.twilio.com/recordings/abc',
+  });
+
+  assert.equal(reason, 'wrong_business');
+});
+
+test('recording access denies when no recording URL is present', () => {
+  const reason = resolveRecordingAccessReason({
+    requestUserId: 'user_123',
+    businessOwnerClerkId: 'user_123',
+    recordingUrl: null,
+  });
+
+  assert.equal(reason, 'recording_unavailable');
+});
+
+test('recording access allows authenticated owner with recording URL', () => {
+  const reason = resolveRecordingAccessReason({
+    requestUserId: 'user_123',
+    businessOwnerClerkId: 'user_123',
+    recordingUrl: 'https://api.twilio.com/recordings/abc',
+  });
+
+  assert.equal(reason, 'ok');
+});

From 6bc928ef5656db1681e55be28f74c58ff79d5b72 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Mon, 2 Mar 2026 00:05:53 -0500
Subject: [PATCH 02/10] docs: mark g14 done in production readiness log

---
 docs/PRODUCTION_READINESS_GAPS.md | 32 +++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/docs/PRODUCTION_READINESS_GAPS.md b/docs/PRODUCTION_READINESS_GAPS.md
index 9989ecd..bf55331 100644
--- a/docs/PRODUCTION_READINESS_GAPS.md
+++ b/docs/PRODUCTION_READINESS_GAPS.md
@@ -483,3 +483,35 @@ Dependencies: G4 (recommended)
     - `npm run env:check` -> PASS
   - Notes:
     - No functional regressions observed in local validation gates.
+
+- 2026-03-02 - G14 (DONE)
+  - Branch: `hardening/g14-recordings-ux`
+  - What changed:
+    - Added access-control helper for recording links in `lib/recording-access.ts`:
+      - only authenticated owner of the lead's business can open recordings
+      - blocks wrong-business and missing-recording cases
+    - Added server-mediated recording access route:
+      - `app/api/leads/[leadId]/recording/route.ts`
+      - validates auth + business ownership before redirecting to Twilio recording URL
+      - hides cross-business lead access behind `404`
+    - Updated lead detail UI (`app/app/leads/[leadId]/page.tsx`) to show:
+      - recording status
+      - recording duration
+      - gated `Open recording` action (uses server route, not raw URL)
+    - Added focused access-control tests in `tests/recording-access.test.ts`.
+    - Updated recording docs in `README.md` to reflect the in-app gated flow.
+  - Commands run + results:
+    - `npm test` -> PASS (38/38)
+    - `npm run lint` -> PASS
+    - `npm run build` -> PASS
+    - `npm run typecheck` -> PASS
+    - `npm run env:check` -> PASS
+  - Files touched:
+    - `lib/recording-access.ts`
+    - `app/api/leads/[leadId]/recording/route.ts`
+    - `app/app/leads/[leadId]/page.tsx`
+    - `tests/recording-access.test.ts`
+    - `README.md`
+    - `docs/PRODUCTION_READINESS_GAPS.md`
+  - Commit SHA:
+    - `4e8f4d8`

From 51796f76a9d8fa0cb2e8a4c332a1f22b5acfae81 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Mon, 2 Mar 2026 13:32:47 -0500
Subject: [PATCH 03/10] chore: production roadmap + P0 security hardening

---
 app/api/health/route.ts          |  73 +++++
 app/api/stripe/checkout/route.ts |  50 +++-
 app/api/stripe/portal/route.ts   |  47 ++-
 docs/PRODUCTION_ROADMAP.md       | 496 +++++++++++++++++++++++++++++++
 lib/audit-log.ts                 |  33 ++
 lib/request-origin.ts            |  41 +++
 lib/security-headers.ts          |  28 ++
 middleware.ts                    |  11 +-
 tests/request-origin.test.ts     |  39 +++
 tests/security-headers.test.ts   |  19 ++
 10 files changed, 821 insertions(+), 16 deletions(-)
 create mode 100644 app/api/health/route.ts
 create mode 100644 docs/PRODUCTION_ROADMAP.md
 create mode 100644 lib/audit-log.ts
 create mode 100644 lib/request-origin.ts
 create mode 100644 lib/security-headers.ts
 create mode 100644 tests/request-origin.test.ts
 create mode 100644 tests/security-headers.test.ts

diff --git a/app/api/health/route.ts b/app/api/health/route.ts
new file mode 100644
index 0000000..f8438de
--- /dev/null
+++ b/app/api/health/route.ts
@@ -0,0 +1,73 @@
+import { NextResponse } from 'next/server';
+
+import { db } from '@/lib/db';
+import { getConfiguredAppBaseUrl } from '@/lib/env.server';
+import { getCorrelationIdFromRequest, withCorrelationIdHeader } from '@/lib/observability';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+const DB_PROBE_TIMEOUT_MS = 2000;
+
+function withTimeout<T>(promise: Promise<T>, timeoutMs: number) {
+  return Promise.race<T>([
+    promise,
+    new Promise<T>((_, reject) => {
+      const timer = setTimeout(() => {
+        reject(new Error(`timeout_after_${timeoutMs}ms`));
+      }, timeoutMs);
+      timer.unref?.();
+    }),
+  ]);
+}
+
+function hasValue(value: string | undefined) {
+  return Boolean(value?.trim());
+}
+
+function getEnvChecks() {
+  return {
+    appUrl: Boolean(getConfiguredAppBaseUrl()),
+    databaseUrl: hasValue(process.env.DATABASE_URL),
+    directDatabaseUrl: hasValue(process.env.DIRECT_DATABASE_URL),
+    clerk: hasValue(process.env.CLERK_SECRET_KEY) && hasValue(process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY),
+    stripe: hasValue(process.env.STRIPE_SECRET_KEY) && hasValue(process.env.STRIPE_WEBHOOK_SECRET),
+    twilio: hasValue(process.env.TWILIO_ACCOUNT_SID) && hasValue(process.env.TWILIO_AUTH_TOKEN),
+  };
+}
+
+async function getDatabaseCheck() {
+  try {
+    await withTimeout(db.$queryRaw`SELECT 1`, DB_PROBE_TIMEOUT_MS);
+    return { ok: true as const, detail: 'ok' };
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : 'db_probe_failed';
+    return { ok: false as const, detail };
+  }
+}
+
+export async function GET(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
+  const envChecks = getEnvChecks();
+  const dbCheck = await getDatabaseCheck();
+  const envReady = Object.values(envChecks).every(Boolean);
+  const ready = envReady && dbCheck.ok;
+
+  return withCorrelation(
+    NextResponse.json(
+      {
+        status: ready ? 'ok' : 'degraded',
+        timestamp: new Date().toISOString(),
+        checks: {
+          env: {
+            ready: envReady,
+            ...envChecks,
+          },
+          database: dbCheck,
+        },
+      },
+      { status: ready ? 200 : 503 }
+    )
+  );
+}
diff --git a/app/api/stripe/checkout/route.ts b/app/api/stripe/checkout/route.ts
index 1f69e6c..49bf24c 100644
--- a/app/api/stripe/checkout/route.ts
+++ b/app/api/stripe/checkout/route.ts
@@ -1,7 +1,11 @@
 import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 
+import { logAuditEvent } from '@/lib/audit-log';
 import { db } from '@/lib/db';
+import { getConfiguredAppBaseUrl } from '@/lib/env.server';
+import { getCorrelationIdFromRequest, reportApplicationError, withCorrelationIdHeader } from '@/lib/observability';
+import { isAllowedRequestOrigin } from '@/lib/request-origin';
 import { getStripe } from '@/lib/stripe';
 import { absoluteUrl } from '@/lib/url';
 import { checkoutSchema } from '@/lib/validators';
@@ -14,25 +18,32 @@ function errorRedirect(message: string) {
 }
 
 export async function POST(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
+
+  if (process.env.NODE_ENV === 'production' && !isAllowedRequestOrigin(request, getConfiguredAppBaseUrl())) {
+    return withCorrelation(NextResponse.json({ error: 'Invalid request origin' }, { status: 403 }));
+  }
+
   const { userId } = await auth();
   if (!userId) {
-    return NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 }));
   }
 
   const business = await db.business.findUnique({ where: { ownerClerkId: userId } });
   if (!business) {
-    return NextResponse.redirect(absoluteUrl('/app/onboarding'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/app/onboarding'), { status: 303 }));
   }
 
   const formData = await request.formData();
   const parsed = checkoutSchema.safeParse(Object.fromEntries(formData));
   if (!parsed.success) {
-    return errorRedirect('Invalid Stripe price selection');
+    return withCorrelation(errorRedirect('Invalid Stripe price selection'));
   }
 
   const allowedPrices = [process.env.STRIPE_PRICE_STARTER, process.env.STRIPE_PRICE_PRO].filter(Boolean);
   if (!allowedPrices.includes(parsed.data.priceId)) {
-    return errorRedirect('Price ID is not allowed');
+    return withCorrelation(errorRedirect('Price ID is not allowed'));
   }
 
   try {
@@ -65,12 +76,37 @@ export async function POST(request: Request) {
     });
 
     if (!session.url) {
-      return errorRedirect('Stripe did not return a checkout URL');
+      return withCorrelation(errorRedirect('Stripe did not return a checkout URL'));
     }
 
-    return NextResponse.redirect(session.url, { status: 303 });
+    logAuditEvent({
+      event: 'billing.checkout_session_created',
+      actorType: 'user',
+      actorId: userId,
+      businessId: business.id,
+      targetType: 'stripe_checkout_session',
+      targetId: session.id,
+      correlationId,
+      metadata: {
+        priceId: parsed.data.priceId,
+        hasExistingStripeCustomer: Boolean(business.stripeCustomerId),
+      },
+    });
+
+    return withCorrelation(NextResponse.redirect(session.url, { status: 303 }));
   } catch (error) {
+    reportApplicationError({
+      source: 'stripe.checkout',
+      event: 'route_error',
+      correlationId,
+      error,
+      metadata: {
+        userId,
+        businessId: business.id,
+      },
+      alert: false,
+    });
     const message = error instanceof Error ? error.message : 'Failed to create Stripe checkout session';
-    return errorRedirect(message);
+    return withCorrelation(errorRedirect(message));
   }
 }
diff --git a/app/api/stripe/portal/route.ts b/app/api/stripe/portal/route.ts
index f9a1ad5..0b4de04 100644
--- a/app/api/stripe/portal/route.ts
+++ b/app/api/stripe/portal/route.ts
@@ -1,22 +1,35 @@
 import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 
+import { logAuditEvent } from '@/lib/audit-log';
 import { db } from '@/lib/db';
+import { getConfiguredAppBaseUrl } from '@/lib/env.server';
+import { getCorrelationIdFromRequest, reportApplicationError, withCorrelationIdHeader } from '@/lib/observability';
+import { isAllowedRequestOrigin } from '@/lib/request-origin';
 import { getStripe } from '@/lib/stripe';
 import { absoluteUrl } from '@/lib/url';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
 
-export async function POST() {
+export async function POST(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
+
+  if (process.env.NODE_ENV === 'production' && !isAllowedRequestOrigin(request, getConfiguredAppBaseUrl())) {
+    return withCorrelation(NextResponse.json({ error: 'Invalid request origin' }, { status: 403 }));
+  }
+
   const { userId } = await auth();
   if (!userId) {
-    return NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 }));
   }
 
   const business = await db.business.findUnique({ where: { ownerClerkId: userId } });
   if (!business?.stripeCustomerId) {
-    return NextResponse.redirect(absoluteUrl('/app/billing?error=No%20Stripe%20customer%20for%20this%20business'), { status: 303 });
+    return withCorrelation(
+      NextResponse.redirect(absoluteUrl('/app/billing?error=No%20Stripe%20customer%20for%20this%20business'), { status: 303 })
+    );
   }
 
   try {
@@ -26,9 +39,33 @@ export async function POST() {
       return_url: absoluteUrl('/app/billing'),
     });
 
-    return NextResponse.redirect(session.url, { status: 303 });
+    logAuditEvent({
+      event: 'billing.portal_session_created',
+      actorType: 'user',
+      actorId: userId,
+      businessId: business.id,
+      targetType: 'stripe_portal_session',
+      targetId: business.stripeCustomerId,
+      correlationId,
+      metadata: {
+        returnUrl: absoluteUrl('/app/billing'),
+      },
+    });
+
+    return withCorrelation(NextResponse.redirect(session.url, { status: 303 }));
   } catch (error) {
+    reportApplicationError({
+      source: 'stripe.portal',
+      event: 'route_error',
+      correlationId,
+      error,
+      metadata: {
+        userId,
+        businessId: business.id,
+      },
+      alert: false,
+    });
     const message = error instanceof Error ? error.message : 'Failed to open billing portal';
-    return NextResponse.redirect(absoluteUrl(`/app/billing?error=${encodeURIComponent(message)}`), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl(`/app/billing?error=${encodeURIComponent(message)}`), { status: 303 }));
   }
 }
diff --git a/docs/PRODUCTION_ROADMAP.md b/docs/PRODUCTION_ROADMAP.md
new file mode 100644
index 0000000..f968604
--- /dev/null
+++ b/docs/PRODUCTION_ROADMAP.md
@@ -0,0 +1,496 @@
+# CallbackCloser Production Readiness Roadmap
+
+Date: March 2, 2026  
+Target: Launch to paying customers in next release
+
+## 1) Current State Snapshot
+
+### Stack + deploy target
+
+- Framework: Next.js 14 App Router + TypeScript
+- UI: Tailwind + shadcn-style components
+- Auth: Clerk
+- Billing: Stripe subscriptions + portal
+- Telephony/SMS: Twilio Voice + Messaging webhooks
+- Data: Prisma + Postgres (Neon-oriented config)
+- Deploy target: Vercel (`vercel.json`, Vercel-specific docs/runbooks)
+
+### Provider integrations in code
+
+- Clerk
+  - Protected app shell and Stripe mutation routes via `middleware.ts`
+  - Server-side owner/business checks in `lib/auth.ts`
+- Stripe
+  - Checkout: `app/api/stripe/checkout/route.ts`
+  - Webhook: `app/api/stripe/webhook/route.ts`
+  - Billing portal: `app/api/stripe/portal/route.ts`
+- Twilio
+  - Voice webhook: `app/api/twilio/voice/route.ts`
+  - Dial status/recording callback: `app/api/twilio/status/route.ts`
+  - SMS webhook: `app/api/twilio/sms/route.ts`
+  - Signature/token verification: `lib/twilio-webhook.ts`
+- Database
+  - Prisma schema/migrations: `prisma/schema.prisma`, `prisma/migrations/*`
+
+### Key env vars (shipping-critical)
+
+Required in production (enforced by `lib/env.server.ts` + `scripts/check_env.ts`):
+
+- App/platform
+  - `NEXT_PUBLIC_APP_URL`
+- Database
+  - `DATABASE_URL`
+  - `DIRECT_DATABASE_URL`
+- Clerk
+  - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY`
+  - `CLERK_SECRET_KEY`
+- Stripe
+  - `STRIPE_SECRET_KEY`
+  - `STRIPE_WEBHOOK_SECRET`
+  - `STRIPE_PRICE_STARTER`
+  - `STRIPE_PRICE_PRO`
+- Twilio
+  - `TWILIO_ACCOUNT_SID`
+  - `TWILIO_AUTH_TOKEN`
+  - `TWILIO_WEBHOOK_AUTH_TOKEN`
+  - `TWILIO_VALIDATE_SIGNATURE=true` in production
+
+Operationally recommended
+
+- `ALERT_WEBHOOK_URL`, `ALERT_WEBHOOK_TOKEN`, `ALERT_WEBHOOK_TIMEOUT_MS`
+- Rate limit tuning vars: `RATE_LIMIT_*`
+- `DEBUG_ENV_ENDPOINT_TOKEN` (locks `/api/debug/env` in prod)
+
+### Current production posture summary
+
+- Strengths
+  - Production env validation present
+  - Stripe + Twilio webhook signature checks present
+  - Twilio/Stripe rate limiting present
+  - Correlation IDs on Twilio/Stripe webhooks
+  - Legal pages exist (`/terms`, `/privacy`, `/refund`, `/contact`)
+- Gaps (remaining)
+  - No Sentry-style external error monitor yet (only alert webhook)
+  - No explicit uptime monitor wiring documented
+  - Audit logging is lightweight log-only (no durable audit table)
+  - Product/commercial boundaries still need owner signoff
+
+## 2) Definition of Production Ready (DoPR)
+
+CallbackCloser is **production ready** when all acceptance criteria below are true:
+
+1. Environment + deployment
+- Production and preview envs are configured and validated (`npm run env:check` passes in CI and prod runtime boots without env errors).
+- Migration workflow is deterministic (`npx prisma migrate deploy` succeeds on target DB).
+
+2. Security + access control
+- All tenant reads/writes are constrained by business ownership checks.
+- Twilio webhook requests require valid signature in production.
+- Stripe webhooks require valid signature.
+- Protected mutation routes (`/api/stripe/checkout`, `/api/stripe/portal`) enforce same-origin in production.
+- Security headers are present on app/API responses.
+
+3. Payments + entitlements
+- Checkout -> webhook -> subscription state -> feature gating works for Starter and Pro.
+- Failed payment and canceled subscription states reliably pause automation.
+- Billing portal path works for active customers.
+
+4. Twilio operations
+- Voice/status/sms webhook flows are idempotent under retries.
+- Missed-call SMS automation only runs when entitled.
+- STOP/START/HELP compliance behavior verified.
+
+5. Data safety
+- Backups and restore drill are documented and tested.
+- Data retention policy for PII/call metadata is explicitly approved.
+
+6. Observability + incident response
+- Structured logs include correlation IDs and core entity IDs.
+- Alerting is enabled and tested for critical failures.
+- `/api/health` is monitored for uptime/readiness.
+
+7. Customer ops
+- Legal/support pages are public and accurate.
+- Support SLA and incident runbook are documented for first customers.
+
+## Owner Decision Needed (must be resolved before GA)
+
+### Pricing/tier boundaries (Stripe model)
+
+- Option 1 (recommended for current code): Starter vs Pro
+  - Starter: 1 owner seat, base monthly conversation cap
+  - Pro: higher cap + team features when RBAC ships
+- Option 2: Trial -> Paid
+  - Trial period or usage-based trial before paid tier required
+- Option 3: Single paid tier + usage add-ons
+  - Simplest launch messaging, lower packaging complexity
+
+Decision owner inputs required:
+- Price points
+- Included conversation limits
+- Refund policy window language
+
+### Data retention policy
+
+- Option 1 (recommended): 12-month default retention for lead/message metadata; manual deletion path
+- Option 2: 6-month rolling retention for cost/privacy minimization
+- Option 3: customer-selectable retention tiers (post-launch)
+
+## 3) Phased Roadmap (Specific, Testable, Prioritized)
+
+## P0 Launch Blockers (must-have)
+
+### Environments & config (A)
+
+- [ ] `P0-A1` Production env parity gate in CI
+  - File/area: `.github/workflows/ci.yml`, `scripts/check_env.ts`
+  - Why it matters: Prevents broken deploys from missing critical env config.
+  - Verify:
+    - Command: `npm run env:check`
+    - Expected: `Result: PASS`
+
+- [ ] `P0-A2` Release checklist requires explicit Preview vs Production var review
+  - File/area: `RUNBOOK.md`, `docs/PRODUCTION_ENV.md`
+  - Why it matters: Avoids writing Twilio webhooks to preview URLs or wrong keys.
+  - Verify:
+    - Command: manual checklist execution before deploy
+    - Expected: checklist artifact attached to release ticket
+
+### Authn/Authz + security (B)
+
+- [x] `P0-B1` Add global security headers
+  - File/area: `lib/security-headers.ts`, `middleware.ts`
+  - Why it matters: reduces clickjacking/MIME-sniffing/header-based attack surface.
+  - Verify:
+    - Command: `curl -I http://localhost:3000 | egrep 'X-Frame-Options|X-Content-Type-Options|Referrer-Policy|Permissions-Policy'`
+    - Expected: headers present with configured values
+
+- [x] `P0-B2` Same-origin validation on authenticated Stripe mutation routes (CSRF hardening)
+  - File/area: `lib/request-origin.ts`, `app/api/stripe/checkout/route.ts`, `app/api/stripe/portal/route.ts`
+  - Why it matters: reduces risk of cross-site POST abuse against billing actions.
+  - Verify:
+    - Command: `node --test --experimental-strip-types --experimental-specifier-resolution=node tests/request-origin.test.ts`
+    - Expected: all tests pass
+
+- [ ] `P0-B3` Tenant authz regression tests for lead access boundaries
+  - File/area: `app/app/leads/*`, `app/app/leads/actions.ts`, new integration tests
+  - Why it matters: prevents cross-business data leaks (support/legal risk).
+  - Verify:
+    - Command: add and run tenant-boundary tests
+    - Expected: unauthorized cross-tenant reads/writes return 404/redirect/error
+
+- [ ] `P0-B4` Dependency vulnerability gate
+  - File/area: `package.json`, CI workflow
+  - Why it matters: catches known CVEs before release.
+  - Verify:
+    - Command: `npm audit --production --audit-level=high`
+    - Expected: no high/critical vulnerabilities
+
+### Payments & entitlements (C)
+
+- [x] `P0-C1` Correlation IDs + structured errors for checkout/portal routes
+  - File/area: `app/api/stripe/checkout/route.ts`, `app/api/stripe/portal/route.ts`
+  - Why it matters: faster incident debugging for billing failures.
+  - Verify:
+    - Command: run checkout/portal flows locally; inspect server logs
+    - Expected: `X-Correlation-Id` on responses and structured `app.error` for failures
+
+- [x] `P0-C2` Audit log events for billing session creation
+  - File/area: `lib/audit-log.ts`, `app/api/stripe/checkout/route.ts`, `app/api/stripe/portal/route.ts`
+  - Why it matters: support traceability for "I clicked buy/manage billing" tickets.
+  - Verify:
+    - Command: run billing actions and inspect logs
+    - Expected: `app.audit` entries with event + actor + business
+
+- [ ] `P0-C3` Stripe live-mode readiness checklist
+  - File/area: `docs/EXTERNAL_SETUP_CHECKLIST.md`, new section in `docs/PRODUCTION_ENV.md`
+  - Why it matters: avoids mixing test/live keys and webhook endpoints.
+  - Verify:
+    - Command: manual checklist + Stripe dashboard verification
+    - Expected: live keys, live webhook endpoint, expected event set
+
+- [ ] `P0-C4` Owner final decision on tier boundaries + prices
+  - File/area: pricing docs + Stripe product config
+  - Why it matters: prevents sell/fulfillment mismatch and refund disputes.
+  - Verify:
+    - Command: owner signoff record
+    - Expected: finalized tier doc and matching Stripe Price IDs
+
+### Twilio operational readiness (D)
+
+- [ ] `P0-D1` Twilio signature+retry+idempotency smoke in production-like env
+  - File/area: `app/api/twilio/*`, `lib/twilio-webhook.ts`, `lib/twilio-webhook-retry.ts`
+  - Why it matters: prevents missed leads and duplicate messaging.
+  - Verify:
+    - Command: Twilio test call/SMS + replay callback
+    - Expected: no duplicate lead/messages, expected 2xx/503 semantics
+
+- [ ] `P0-D2` Twilio webhook URL sync lock procedure
+  - File/area: `app/app/settings/actions.ts`, `RUNBOOK.md`
+  - Why it matters: prevents accidentally pointing prod number to preview URL.
+  - Verify:
+    - Command: resync webhooks from production only
+    - Expected: Twilio Console URLs match production `NEXT_PUBLIC_APP_URL`
+
+### Data & migrations (E)
+
+- [ ] `P0-E1` Pre-release migration + rollback plan approved
+  - File/area: `prisma/migrations/*`, `docs/DB_NEON_PRISMA.md`, `RUNBOOK.md`
+  - Why it matters: avoids schema drift and deploy failures.
+  - Verify:
+    - Command: `npx prisma migrate status` and `npx prisma migrate deploy`
+    - Expected: clean migration status; deploy success
+
+- [ ] `P0-E2` Backup/restore drill evidence (most recent <30 days)
+  - File/area: `docs/BACKUP_RESTORE_RUNBOOK.md`
+  - Why it matters: protects against catastrophic data-loss incidents.
+  - Verify:
+    - Command: execute restore drill in non-prod and run `npm run db:smoke`
+    - Expected: restore success evidence attached to release
+
+### Observability (F)
+
+- [x] `P0-F1` Health/readiness endpoint for uptime probes
+  - File/area: `app/api/health/route.ts`
+  - Why it matters: gives ops and monitors a deterministic service+DB readiness signal.
+  - Verify:
+    - Command: `curl -s -o /tmp/health.json -w "%{http_code}\n" http://localhost:3000/api/health && cat /tmp/health.json`
+    - Expected: `200` and JSON with `status: ok` when DB/env ready (or `503` + `degraded` when not)
+
+- [x] `P0-F2` Lightweight audit logging for key user actions
+  - File/area: `lib/audit-log.ts`, `app/app/onboarding/actions.ts`, `app/app/settings/actions.ts`, `app/app/leads/actions.ts`
+  - Why it matters: supports incident response and customer dispute resolution.
+  - Verify:
+    - Command: run onboarding/settings/lead-status actions
+    - Expected: `app.audit` logs emitted with actor/business/target metadata
+
+- [ ] `P0-F3` Alert webhook configured and tested
+  - File/area: `lib/observability.ts`, env config
+  - Why it matters: critical failures must page humans, not stay in logs.
+  - Verify:
+    - Command: trigger synthetic error in non-prod
+    - Expected: alert delivered to configured destination
+
+### Reliability & performance (G)
+
+- [ ] `P0-G1` Provider outage behavior validation
+  - File/area: Twilio/Stripe route handlers, `lib/twilio-webhook-retry.ts`
+  - Why it matters: graceful degradation prevents data loss/support spikes.
+  - Verify:
+    - Command: simulate provider failure and replay callbacks
+    - Expected: retryable failures (`503`) where appropriate, no duplicate durable state
+
+### Legal & customer ops (H)
+
+- [x] `P0-H1` Public legal/support pages available
+  - File/area: `app/terms/page.tsx`, `app/privacy/page.tsx`, `app/refund/page.tsx`, `app/contact/page.tsx`, `app/page.tsx`
+  - Why it matters: minimum legal/customer trust baseline for paid launch.
+  - Verify:
+    - Command: `npm test` (includes legal page assertions) + manual URL checks
+    - Expected: all pages render publicly and are linked from landing page/footer
+
+- [ ] `P0-H2` Minimal support SLA and escalation policy published
+  - File/area: docs/customer-facing support policy (new)
+  - Why it matters: reduces support ambiguity and churn risk.
+  - Verify:
+    - Command: policy review signoff
+    - Expected: published SLA language + contact path
+
+## P1 Launch Enhancers (strongly recommended)
+
+### Environments & config (A)
+
+- [ ] `P1-A1` Environment matrix doc (dev/staging/prod values and owners)
+  - File/area: new `docs/ENV_MATRIX.md`
+  - Why it matters: decreases configuration drift and onboarding errors.
+  - Verify:
+    - Command: docs review against Vercel/Neon/Stripe/Twilio dashboards
+    - Expected: all required vars mapped to source of truth
+
+### Security posture (B)
+
+- [ ] `P1-B1` Add explicit CSP (report-only first)
+  - File/area: middleware or Next config headers
+  - Why it matters: mitigates XSS/script-injection risk.
+  - Verify:
+    - Command: inspect response headers + browser console
+    - Expected: valid CSP header with no breaking violations in report-only
+
+- [ ] `P1-B2` Add brute-force/rate-limit coverage for debug endpoint
+  - File/area: `app/api/debug/env/route.ts`, middleware matcher/rate limits
+  - Why it matters: hardens low-traffic admin-style endpoints.
+  - Verify:
+    - Command: burst requests to endpoint
+    - Expected: bounded responses (429/404 as configured)
+
+### Payments & entitlements (C)
+
+- [ ] `P1-C1` Dedicated Stripe integration tests
+  - File/area: new `tests/stripe-*.test.ts`
+  - Why it matters: reduces regressions in entitlement sync logic.
+  - Verify:
+    - Command: `npm test`
+    - Expected: checkout/webhook mapping tests pass
+
+- [ ] `P1-C2` Improve billing UX for downgrade/cancel explanatory states
+  - File/area: `app/app/billing/page.tsx`
+  - Why it matters: lowers support tickets from ambiguous account state.
+  - Verify:
+    - Command: simulate status transitions (`ACTIVE`, `PAST_DUE`, `CANCELED`)
+    - Expected: clear state-specific copy + next-step CTA
+
+### Twilio operations (D)
+
+- [ ] `P1-D1` Twilio runbook for edge cases (carrier errors, opt-out, invalid numbers)
+  - File/area: `RUNBOOK.md`
+  - Why it matters: faster triage of SMS delivery issues.
+  - Verify:
+    - Command: manual runbook simulation
+    - Expected: deterministic operator steps for each failure class
+
+### Data & migrations (E)
+
+- [ ] `P1-E1` Retention + deletion policy implementation plan
+  - File/area: policy doc + future migration/backfill scripts
+  - Why it matters: controls storage cost/privacy exposure.
+  - Verify:
+    - Command: policy signoff
+    - Expected: explicit retention windows + deletion procedures
+
+### Observability (F)
+
+- [ ] `P1-F1` External error monitoring (Sentry or equivalent)
+  - File/area: app bootstrap + error pipeline
+  - Why it matters: captures stack traces/context beyond raw logs.
+  - Verify:
+    - Command: trigger controlled exception
+    - Expected: event appears in monitoring tool with correlation metadata
+
+- [ ] `P1-F2` Uptime monitor + synthetic transaction
+  - File/area: external monitor config + `/api/health`
+  - Why it matters: catches silent outages before customers report.
+  - Verify:
+    - Command: monitor dashboard check
+    - Expected: uptime checks green + alert on forced failure
+
+### Reliability & performance (G)
+
+- [ ] `P1-G1` Baseline load test for webhook endpoints
+  - File/area: new load test scripts under `scripts/`
+  - Why it matters: identifies bottlenecks before real traffic bursts.
+  - Verify:
+    - Command: run load script in staging
+    - Expected: acceptable p95 latency/error rates under target load
+
+### Legal/customer ops (H)
+
+- [ ] `P1-H1` Customer onboarding/getting-started guide
+  - File/area: new `docs/CUSTOMER_GETTING_STARTED.md`
+  - Why it matters: reduces setup-related churn and support volume.
+  - Verify:
+    - Command: dogfood setup from blank account
+    - Expected: guide enables successful first missed-call workflow
+
+## P2 Scale & Reliability (post-launch)
+
+### Security + authz (B)
+
+- [ ] `P2-B1` Multi-user RBAC model (owner/admin/agent)
+  - File/area: `prisma/schema.prisma`, `lib/auth.ts`, app route guards
+  - Why it matters: required for teams and safer internal delegation.
+  - Verify:
+    - Command: role-based auth tests
+    - Expected: role restrictions enforced for all sensitive actions
+
+### Payments (C)
+
+- [ ] `P2-C1` Durable webhook event ledger/idempotency store
+  - File/area: new DB model + webhook handlers
+  - Why it matters: exact-once processing guarantees under replay storms.
+  - Verify:
+    - Command: replay identical Stripe events
+    - Expected: one durable state transition per unique event
+
+### Twilio operations (D)
+
+- [ ] `P2-D1` Queue/outbox for outbound SMS side effects
+  - File/area: webhook handlers + queue worker
+  - Why it matters: decouples provider latency from webhook response path.
+  - Verify:
+    - Command: chaos test provider slowdowns
+    - Expected: webhook ack remains fast, queued retries succeed
+
+### Data (E)
+
+- [ ] `P2-E1` Archival and purge jobs for old metadata/log records
+  - File/area: scheduled jobs + retention implementation
+  - Why it matters: controls long-term storage growth and compliance risk.
+  - Verify:
+    - Command: run purge job in staging
+    - Expected: only out-of-policy records removed, audit output retained
+
+### Observability (F)
+
+- [ ] `P2-F1` Durable audit trail storage (DB-backed)
+  - File/area: new `AuditEvent` model + write path
+  - Why it matters: supports forensic and compliance requirements beyond ephemeral logs.
+  - Verify:
+    - Command: execute audited actions and query audit table
+    - Expected: immutable audit rows with actor/action/target/timestamp
+
+### Reliability/performance (G)
+
+- [ ] `P2-G1` Circuit-breaker/backoff policies for provider calls
+  - File/area: Twilio/Stripe client wrappers
+  - Why it matters: reduces cascading failures during provider incidents.
+  - Verify:
+    - Command: induce repeated provider failures
+    - Expected: bounded retries, no request storms, graceful fallback
+
+### Customer ops (H)
+
+- [ ] `P2-H1` Public status page + incident communication templates
+  - File/area: ops docs + external status tooling
+  - Why it matters: lowers trust damage during incidents.
+  - Verify:
+    - Command: incident dry run
+    - Expected: status update + customer comms sent within SLA target
+
+## 4) Implemented in this pass (top P0 items)
+
+1. Added security headers middleware support
+- Files: `lib/security-headers.ts`, `middleware.ts`
+
+2. Added same-origin request validation utility and applied to Stripe mutation routes (production-only)
+- Files: `lib/request-origin.ts`, `app/api/stripe/checkout/route.ts`, `app/api/stripe/portal/route.ts`
+
+3. Added checkout/portal observability instrumentation (correlation-aware errors)
+- Files: `app/api/stripe/checkout/route.ts`, `app/api/stripe/portal/route.ts`
+
+4. Added lightweight audit logging for critical user actions
+- Files: `lib/audit-log.ts`, `app/app/onboarding/actions.ts`, `app/app/settings/actions.ts`, `app/app/leads/actions.ts`, Stripe mutation routes
+
+5. Added health/readiness endpoint
+- File: `app/api/health/route.ts`
+
+## 5) Validation Commands
+
+Run from repo root:
+
+1. `npm test`
+- Expected: all tests pass (including new `request-origin` and `security-headers` tests)
+
+2. `npm run lint`
+- Expected: no lint errors/warnings
+
+3. `npm run typecheck`
+- Expected: TypeScript passes with no errors
+
+4. `npm run build`
+- Expected: production build completes successfully
+
+5. `curl -s -o /tmp/health.json -w "%{http_code}\n" http://localhost:3000/api/health && cat /tmp/health.json`
+- Expected: `200` with `status: ok` (or `503` with `status: degraded` if DB/env intentionally unavailable)
+
+6. `curl -I http://localhost:3000 | egrep 'X-Frame-Options|X-Content-Type-Options|Referrer-Policy|Permissions-Policy'`
+- Expected: required security headers present
diff --git a/lib/audit-log.ts b/lib/audit-log.ts
new file mode 100644
index 0000000..ba98eb8
--- /dev/null
+++ b/lib/audit-log.ts
@@ -0,0 +1,33 @@
+type AuditEventInput = {
+  event: string;
+  actorType: 'user' | 'system' | 'provider';
+  actorId?: string | null;
+  businessId?: string | null;
+  targetType: string;
+  targetId?: string | null;
+  metadata?: Record<string, unknown>;
+  correlationId?: string | null;
+};
+
+function sanitize(value: string | null | undefined, maxLength = 256) {
+  const trimmed = value?.trim();
+  if (!trimmed) return null;
+  if (trimmed.length > maxLength) return trimmed.slice(0, maxLength);
+  return trimmed;
+}
+
+export function logAuditEvent(input: AuditEventInput) {
+  const payload = {
+    event: sanitize(input.event, 128) || 'unknown_event',
+    actorType: input.actorType,
+    actorId: sanitize(input.actorId),
+    businessId: sanitize(input.businessId),
+    targetType: sanitize(input.targetType, 128) || 'unknown_target',
+    targetId: sanitize(input.targetId),
+    metadata: input.metadata ?? {},
+    correlationId: sanitize(input.correlationId, 128),
+    timestamp: new Date().toISOString(),
+  };
+
+  console.info('app.audit', payload);
+}
diff --git a/lib/request-origin.ts b/lib/request-origin.ts
new file mode 100644
index 0000000..d249fb1
--- /dev/null
+++ b/lib/request-origin.ts
@@ -0,0 +1,41 @@
+type HeaderGetter = {
+  headers: Pick<Headers, 'get'>;
+};
+
+function parseOrigin(value: string | null | undefined) {
+  const trimmed = value?.trim();
+  if (!trimmed) return null;
+  try {
+    return new URL(trimmed).origin;
+  } catch {
+    return null;
+  }
+}
+
+function parseOriginFromReferer(value: string | null | undefined) {
+  const trimmed = value?.trim();
+  if (!trimmed) return null;
+  try {
+    return new URL(trimmed).origin;
+  } catch {
+    return null;
+  }
+}
+
+export function isAllowedRequestOrigin(request: HeaderGetter, appBaseUrl: string | null | undefined) {
+  const expectedOrigin = parseOrigin(appBaseUrl);
+  if (!expectedOrigin) return true;
+
+  const originHeader = parseOrigin(request.headers.get('origin'));
+  if (originHeader) {
+    return originHeader === expectedOrigin;
+  }
+
+  const refererOrigin = parseOriginFromReferer(request.headers.get('referer'));
+  if (refererOrigin) {
+    return refererOrigin === expectedOrigin;
+  }
+
+  // If no origin/referrer is provided, do not hard-fail to avoid blocking non-browser clients.
+  return true;
+}
diff --git a/lib/security-headers.ts b/lib/security-headers.ts
new file mode 100644
index 0000000..0f6d1cb
--- /dev/null
+++ b/lib/security-headers.ts
@@ -0,0 +1,28 @@
+type EnvMap = Readonly<Record<string, string | undefined>>;
+
+function isProductionEnv(env: EnvMap) {
+  return env.NODE_ENV === 'production';
+}
+
+export function getSecurityHeaders(env: EnvMap = process.env): Record<string, string> {
+  const headers: Record<string, string> = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
+  };
+
+  if (isProductionEnv(env)) {
+    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains; preload';
+  }
+
+  return headers;
+}
+
+export function withSecurityHeaders<T extends Response>(response: T, env: EnvMap = process.env) {
+  const headers = getSecurityHeaders(env);
+  Object.entries(headers).forEach(([name, value]) => {
+    response.headers.set(name, value);
+  });
+  return response;
+}
diff --git a/middleware.ts b/middleware.ts
index fba37b4..dbbf342 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -9,6 +9,7 @@ import {
 } from '@/lib/portfolio-demo-guardrail';
 import { RATE_LIMIT_PROTECTED_API_MAX, RATE_LIMIT_WINDOW_MS } from '@/lib/rate-limit-config';
 import { buildRateLimitHeaders, consumeRateLimit, getClientIpAddress } from '@/lib/rate-limit';
+import { withSecurityHeaders } from '@/lib/security-headers';
 
 const isProtectedRoute = createRouteMatcher(['/app(.*)', '/api/stripe/checkout(.*)', '/api/stripe/portal(.*)']);
 const isProtectedApiMutationRoute = createRouteMatcher(['/api/stripe/checkout', '/api/stripe/portal']);
@@ -24,7 +25,7 @@ export default clerkMiddleware(async (auth, req) => {
         vercelEnv: process.env.VERCEL_ENV ?? null,
       });
     }
-    return NextResponse.json({ error: getPortfolioDemoGuardrailErrorMessage() }, { status: 503 });
+    return withSecurityHeaders(NextResponse.json({ error: getPortfolioDemoGuardrailErrorMessage() }, { status: 503 }));
   }
 
   if (isPortfolioDemoModeEnabled(process.env)) {
@@ -35,7 +36,7 @@ export default clerkMiddleware(async (auth, req) => {
         vercelEnv: process.env.VERCEL_ENV ?? null,
       });
     }
-    return;
+    return withSecurityHeaders(NextResponse.next());
   }
 
   if (isProtectedRoute(req)) {
@@ -51,12 +52,14 @@ export default clerkMiddleware(async (auth, req) => {
     });
 
     if (!rateLimit.allowed) {
-      return NextResponse.json(
+      return withSecurityHeaders(NextResponse.json(
         { error: 'Too many requests' },
         { status: 429, headers: buildRateLimitHeaders(rateLimit) }
-      );
+      ));
     }
   }
+
+  return withSecurityHeaders(NextResponse.next());
 });
 
 export const config = {
diff --git a/tests/request-origin.test.ts b/tests/request-origin.test.ts
new file mode 100644
index 0000000..4bbf1c6
--- /dev/null
+++ b/tests/request-origin.test.ts
@@ -0,0 +1,39 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+
+import { isAllowedRequestOrigin } from '../lib/request-origin.ts';
+
+function requestWithHeaders(values: Record<string, string>) {
+  return {
+    headers: new Headers(values),
+  };
+}
+
+test('allows same-origin requests via Origin header', () => {
+  const allowed = isAllowedRequestOrigin(
+    requestWithHeaders({ origin: 'https://app.example.com' }),
+    'https://app.example.com'
+  );
+  assert.equal(allowed, true);
+});
+
+test('rejects mismatched Origin header', () => {
+  const allowed = isAllowedRequestOrigin(
+    requestWithHeaders({ origin: 'https://attacker.example.com' }),
+    'https://app.example.com'
+  );
+  assert.equal(allowed, false);
+});
+
+test('allows same-origin referrer when Origin header is missing', () => {
+  const allowed = isAllowedRequestOrigin(
+    requestWithHeaders({ referer: 'https://app.example.com/app/billing' }),
+    'https://app.example.com'
+  );
+  assert.equal(allowed, true);
+});
+
+test('allows requests with no Origin/Referrer (non-browser clients)', () => {
+  const allowed = isAllowedRequestOrigin(requestWithHeaders({}), 'https://app.example.com');
+  assert.equal(allowed, true);
+});
diff --git a/tests/security-headers.test.ts b/tests/security-headers.test.ts
new file mode 100644
index 0000000..faaf828
--- /dev/null
+++ b/tests/security-headers.test.ts
@@ -0,0 +1,19 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+
+import { getSecurityHeaders } from '../lib/security-headers.ts';
+
+test('getSecurityHeaders includes baseline headers', () => {
+  const headers = getSecurityHeaders({ NODE_ENV: 'development' });
+
+  assert.equal(headers['X-Content-Type-Options'], 'nosniff');
+  assert.equal(headers['X-Frame-Options'], 'DENY');
+  assert.equal(headers['Referrer-Policy'], 'strict-origin-when-cross-origin');
+  assert.equal(headers['Permissions-Policy'], 'camera=(), microphone=(), geolocation=()');
+});
+
+test('getSecurityHeaders includes HSTS in production', () => {
+  const headers = getSecurityHeaders({ NODE_ENV: 'production' });
+
+  assert.equal(headers['Strict-Transport-Security'], 'max-age=31536000; includeSubDomains; preload');
+});

From 82b58baecec1dddd03d115708b02104ed6368909 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Mon, 2 Mar 2026 13:34:51 -0500
Subject: [PATCH 04/10] feat: external buy flow + public legal/contact pages

---
 README.md                     |  16 +++
 app/app/billing/page.tsx      |  41 +++++-
 app/app/onboarding/actions.ts |  20 ++-
 app/app/onboarding/page.tsx   |  26 +++-
 app/buy/page.tsx              |  41 ++++++
 app/contact/page.tsx          |  44 ++++++
 app/page.tsx                  |  11 +-
 app/privacy/page.tsx          |   6 +-
 app/refund/page.tsx           |   4 +
 app/terms/page.tsx            |   4 +
 docs/SHIP_READINESS_AUDIT.md  | 256 ++++++++++++++++++++++++++++++++++
 tests/legal-pages.test.ts     |   2 +
 12 files changed, 458 insertions(+), 13 deletions(-)
 create mode 100644 app/buy/page.tsx
 create mode 100644 app/contact/page.tsx
 create mode 100644 docs/SHIP_READINESS_AUDIT.md

diff --git a/README.md b/README.md
index 94fb231..5ea66be 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ When a customer calls a business's Twilio number and the forwarded call is misse
 - Twilio SMS webhook (`/api/twilio/sms`) with lead qualification steps
 - Lead dashboard + filters + lead detail transcript + status updates
 - Stripe billing page + checkout + billing portal
+- Public purchase entry route (`/buy`) for external marketing-site links
 - Stripe webhook sync for subscription status gating
 - SMS compliance commands (`STOP` / `START` / `HELP`) with DB-backed opt-out state
 - Call recording enabled on forwarded calls + recording metadata captured on callbacks
@@ -303,12 +304,27 @@ Prisma models included:
 9. Optionally set `DEBUG_ENV_ENDPOINT_TOKEN`, then verify app URL resolution:
    - `https://YOUR_DOMAIN/api/debug/env?token=YOUR_DEBUG_ENV_ENDPOINT_TOKEN`
 
+## External Buy Link
+
+Use this URL for the Buy CTA on `getrelayworks.com`:
+
+- `https://YOUR_DOMAIN/buy`
+
+Optional plan-specific links:
+
+- `https://YOUR_DOMAIN/buy?plan=starter`
+- `https://YOUR_DOMAIN/buy?plan=pro`
+
+`/buy` handles auth/onboarding redirects and lands the user on `/app/billing`.
+
 ## Useful Routes
 
 - `/` - landing page
+- `/buy` - external purchase entry (redirects through auth/onboarding to billing)
 - `/terms` - terms of service
 - `/privacy` - privacy policy
 - `/refund` - refund policy
+- `/contact` - public support/contact page
 - `/sign-in` - Clerk sign-in
 - `/sign-up` - Clerk sign-up
 - `/app/onboarding` - create business record
diff --git a/app/app/billing/page.tsx b/app/app/billing/page.tsx
index 164c77c..afb207c 100644
--- a/app/app/billing/page.tsx
+++ b/app/app/billing/page.tsx
@@ -6,6 +6,7 @@ import { Card, CardContent, CardDescription, CardFooter, CardHeader, CardTitle }
 import { requireBusiness } from '@/lib/auth';
 import { db } from '@/lib/db';
 import { getPortfolioDemoBlockedCount, isPortfolioDemoMode } from '@/lib/portfolio-demo';
+import { isSubscriptionActive } from '@/lib/subscription';
 import { getConversationUsageForBusiness, resolveUsageTierFromSubscription } from '@/lib/usage';
 import {
   describeAutomationBlockReason,
@@ -18,12 +19,23 @@ function planPrice(priceId: string | undefined) {
   return priceId ? 'Configured via Stripe Price ID' : 'Missing env var';
 }
 
+function parseRequestedPlan(searchParams?: Record<string, string | string[] | undefined>) {
+  const rawPlan = searchParams?.plan;
+  const normalized = typeof rawPlan === 'string' ? rawPlan.trim().toLowerCase() : '';
+  if (normalized === 'starter' || normalized === 'pro') return normalized;
+  return null;
+}
+
 export default async function BillingPage({ searchParams }: { searchParams?: Record<string, string | string[] | undefined> }) {
   const business = await requireBusiness();
   const starterPriceId = process.env.STRIPE_PRICE_STARTER;
   const proPriceId = process.env.STRIPE_PRICE_PRO;
   const error = typeof searchParams?.error === 'string' ? searchParams.error : undefined;
   const checkout = typeof searchParams?.checkout === 'string' ? searchParams.checkout : undefined;
+  const requestedPlan = parseRequestedPlan(searchParams);
+  const subscriptionActive = isSubscriptionActive(business.subscriptionStatus);
+  const checkoutSucceeded = checkout === 'success';
+  const checkoutCanceled = checkout === 'canceled';
   const demoMode = isPortfolioDemoMode();
   const [blockedCount, usage] = demoMode
     ? [getPortfolioDemoBlockedCount(), null]
@@ -51,8 +63,29 @@ export default async function BillingPage({ searchParams }: { searchParams?: Rec
       </div>
 
       {error ? <div className="rounded-md border border-destructive/30 bg-destructive/5 p-3 text-sm text-destructive">{error}</div> : null}
-      {checkout === 'success' ? <div className="rounded-md border border-accent bg-accent/40 p-3 text-sm">Stripe checkout completed. Webhook sync may take a few seconds.</div> : null}
-      {checkout === 'canceled' ? <div className="rounded-md border bg-muted/40 p-3 text-sm">Checkout canceled.</div> : null}
+      {requestedPlan ? (
+        <div className="rounded-md border border-primary/30 bg-primary/5 p-3 text-sm">
+          Selected plan: <strong>{requestedPlan === 'starter' ? 'Starter' : 'Pro'}</strong>. Continue checkout below.
+        </div>
+      ) : null}
+      {checkoutSucceeded && subscriptionActive ? (
+        <div className="rounded-md border border-accent bg-accent/40 p-3 text-sm">
+          Subscription is active. Next steps: connect your Twilio number in <Link className="underline" href="/app/settings">Business Settings</Link>, then monitor new leads in{' '}
+          <Link className="underline" href="/app/leads">Dashboard</Link>.
+        </div>
+      ) : null}
+      {checkoutSucceeded && !subscriptionActive ? (
+        <div className="space-y-2 rounded-md border border-primary/30 bg-primary/5 p-3 text-sm">
+          <p>Stripe checkout completed. Subscription status is still syncing from webhook events.</p>
+          <p className="text-muted-foreground">If this does not update shortly, refresh this page and verify `STRIPE_WEBHOOK_SECRET` + webhook endpoint configuration.</p>
+          <div>
+            <Link href="/app/billing">
+              <Button size="sm" variant="outline">Refresh Status</Button>
+            </Link>
+          </div>
+        </div>
+      ) : null}
+      {checkoutCanceled ? <div className="rounded-md border bg-muted/40 p-3 text-sm">Checkout canceled. You can restart anytime below.</div> : null}
 
       <Card>
         <CardHeader>
@@ -86,7 +119,7 @@ export default async function BillingPage({ searchParams }: { searchParams?: Rec
       </Card>
 
       <div id="plan-options" className="grid gap-6 md:grid-cols-2">
-        <Card>
+        <Card className={requestedPlan === 'starter' ? 'border-primary/40 bg-primary/5' : ''}>
           <CardHeader>
             <CardTitle>Starter</CardTitle>
             <CardDescription>Basic missed-call SMS follow-up and dashboard access.</CardDescription>
@@ -103,7 +136,7 @@ export default async function BillingPage({ searchParams }: { searchParams?: Rec
           </CardFooter>
         </Card>
 
-        <Card>
+        <Card className={requestedPlan === 'pro' ? 'border-primary/40 bg-primary/5' : ''}>
           <CardHeader>
             <CardTitle>Pro</CardTitle>
             <CardDescription>Higher volume and premium support workflows.</CardDescription>
diff --git a/app/app/onboarding/actions.ts b/app/app/onboarding/actions.ts
index c5c46e7..ff4623f 100644
--- a/app/app/onboarding/actions.ts
+++ b/app/app/onboarding/actions.ts
@@ -7,12 +7,30 @@ import { revalidatePath } from 'next/cache';
 import { upsertBusinessForOwner } from '@/lib/business';
 import { onboardingSchema } from '@/lib/validators';
 
+const DEFAULT_POST_ONBOARDING_REDIRECT = '/app/leads';
+
+function resolveSafePostOnboardingRedirectPath(value: FormDataEntryValue | null) {
+  if (typeof value !== 'string') return DEFAULT_POST_ONBOARDING_REDIRECT;
+
+  const nextPath = value.trim();
+  if (!nextPath || !nextPath.startsWith('/') || nextPath.startsWith('//')) {
+    return DEFAULT_POST_ONBOARDING_REDIRECT;
+  }
+
+  if (nextPath === '/app') return DEFAULT_POST_ONBOARDING_REDIRECT;
+  if (!nextPath.startsWith('/app/')) return DEFAULT_POST_ONBOARDING_REDIRECT;
+
+  return nextPath;
+}
+
 export async function saveOnboardingAction(formData: FormData) {
   const { userId } = await auth();
   if (!userId) {
     redirect('/sign-in');
   }
 
+  const postOnboardingRedirect = resolveSafePostOnboardingRedirectPath(formData.get('next'));
+
   const parsed = onboardingSchema.safeParse(Object.fromEntries(formData));
   if (!parsed.success) {
     redirect(`/app/onboarding?error=${encodeURIComponent(parsed.error.issues[0]?.message || 'Invalid form data')}`);
@@ -20,5 +38,5 @@ export async function saveOnboardingAction(formData: FormData) {
 
   await upsertBusinessForOwner(userId, parsed.data);
   revalidatePath('/app');
-  redirect('/app/leads');
+  redirect(postOnboardingRedirect);
 }
diff --git a/app/app/onboarding/page.tsx b/app/app/onboarding/page.tsx
index 2ae97fa..fb873ee 100644
--- a/app/app/onboarding/page.tsx
+++ b/app/app/onboarding/page.tsx
@@ -8,12 +8,31 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 import { db } from '@/lib/db';
 
-export default async function OnboardingPage({ searchParams }: { searchParams?: { error?: string } }) {
+const DEFAULT_POST_ONBOARDING_REDIRECT = '/app/leads';
+
+function resolveSafeNextPath(value: string | undefined) {
+  const nextPath = value?.trim();
+  if (!nextPath || !nextPath.startsWith('/') || nextPath.startsWith('//')) {
+    return DEFAULT_POST_ONBOARDING_REDIRECT;
+  }
+
+  if (nextPath === '/app') return DEFAULT_POST_ONBOARDING_REDIRECT;
+  if (!nextPath.startsWith('/app/')) return DEFAULT_POST_ONBOARDING_REDIRECT;
+  return nextPath;
+}
+
+export default async function OnboardingPage({
+  searchParams,
+}: {
+  searchParams?: Record<string, string | string[] | undefined>;
+}) {
   const { userId } = await auth();
   if (!userId) redirect('/sign-in');
 
   const existing = await db.business.findUnique({ where: { ownerClerkId: userId } });
   if (existing) redirect('/app/leads');
+  const error = typeof searchParams?.error === 'string' ? searchParams.error : undefined;
+  const nextPath = resolveSafeNextPath(typeof searchParams?.next === 'string' ? searchParams.next : undefined);
 
   return (
     <div className="mx-auto max-w-3xl space-y-6">
@@ -27,12 +46,13 @@ export default async function OnboardingPage({ searchParams }: { searchParams?:
           <CardDescription>Set the call forwarding and SMS qualification defaults.</CardDescription>
         </CardHeader>
         <CardContent>
-          {searchParams?.error ? (
+          {error ? (
             <div className="mb-4 rounded-md border border-destructive/30 bg-destructive/5 p-3 text-sm text-destructive">
-              {searchParams.error}
+              {error}
             </div>
           ) : null}
           <form action={saveOnboardingAction} className="grid gap-4 sm:grid-cols-2">
+            <input type="hidden" name="next" value={nextPath} />
             <div className="sm:col-span-2">
               <Label htmlFor="name">Business name</Label>
               <Input id="name" name="name" required placeholder="Acme Plumbing" />
diff --git a/app/buy/page.tsx b/app/buy/page.tsx
new file mode 100644
index 0000000..cd5f453
--- /dev/null
+++ b/app/buy/page.tsx
@@ -0,0 +1,41 @@
+import { auth } from '@clerk/nextjs/server';
+import { redirect } from 'next/navigation';
+
+import { db } from '@/lib/db';
+
+type PlanParam = 'starter' | 'pro';
+
+function parsePlan(searchParams?: Record<string, string | string[] | undefined>): PlanParam | null {
+  const raw = searchParams?.plan;
+  const value = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
+  if (value === 'starter' || value === 'pro') return value;
+  return null;
+}
+
+function buildBuyPath(plan: PlanParam | null) {
+  if (!plan) return '/buy';
+  return `/buy?plan=${encodeURIComponent(plan)}`;
+}
+
+function buildBillingPath(plan: PlanParam | null) {
+  if (!plan) return '/app/billing';
+  return `/app/billing?plan=${encodeURIComponent(plan)}`;
+}
+
+export default async function BuyPage({ searchParams }: { searchParams?: Record<string, string | string[] | undefined> }) {
+  const plan = parsePlan(searchParams);
+  const buyPath = buildBuyPath(plan);
+  const billingPath = buildBillingPath(plan);
+  const { userId } = await auth();
+
+  if (!userId) {
+    redirect(`/sign-up?redirect_url=${encodeURIComponent(buyPath)}`);
+  }
+
+  const business = await db.business.findUnique({ where: { ownerClerkId: userId } });
+  if (!business) {
+    redirect(`/app/onboarding?next=${encodeURIComponent(billingPath)}`);
+  }
+
+  redirect(billingPath);
+}
diff --git a/app/contact/page.tsx b/app/contact/page.tsx
new file mode 100644
index 0000000..ebed43d
--- /dev/null
+++ b/app/contact/page.tsx
@@ -0,0 +1,44 @@
+import Link from 'next/link';
+
+const EFFECTIVE_DATE = 'March 2, 2026';
+const SUPPORT_EMAIL = 'support@callbackcloser.com';
+
+export default function ContactPage() {
+  return (
+    <main className="container py-12">
+      <article className="mx-auto max-w-3xl space-y-8">
+        <header className="space-y-2">
+          <h1 className="text-3xl font-semibold tracking-tight">Contact</h1>
+          <p className="text-sm text-muted-foreground">Effective date: {EFFECTIVE_DATE}</p>
+        </header>
+
+        <section className="space-y-2">
+          <h2 className="text-xl font-semibold">Support</h2>
+          <p className="text-sm text-muted-foreground">
+            Email <a className="underline" href={`mailto:${SUPPORT_EMAIL}`}>{SUPPORT_EMAIL}</a> and include your business name, account email, and a brief description of your request.
+          </p>
+        </section>
+
+        <section className="space-y-2">
+          <h2 className="text-xl font-semibold">Billing and Refund Questions</h2>
+          <p className="text-sm text-muted-foreground">
+            Include the charge date, last 4 digits of the card (if available), and any relevant Stripe receipt details.
+          </p>
+        </section>
+
+        <section className="space-y-2">
+          <h2 className="text-xl font-semibold">Privacy Requests</h2>
+          <p className="text-sm text-muted-foreground">
+            For data access, correction, or deletion requests, include your account email and business identifier so we can verify ownership.
+          </p>
+        </section>
+
+        <footer className="text-sm text-muted-foreground">
+          <Link className="underline" href="/">
+            Back to home
+          </Link>
+        </footer>
+      </article>
+    </main>
+  );
+}
diff --git a/app/page.tsx b/app/page.tsx
index bd4a1d7..5fc5e6e 100644
--- a/app/page.tsx
+++ b/app/page.tsx
@@ -19,12 +19,12 @@ export default function LandingPage() {
               When a customer calls and nobody answers, CallbackCloser texts them instantly, captures the job details, and alerts the owner with a lead summary.
             </p>
             <div className="flex flex-wrap gap-3">
-              <Link href="/app/leads">
-                <Button size="lg">Open App</Button>
+              <Link href="/buy">
+                <Button size="lg">Buy CallbackCloser</Button>
               </Link>
-              <Link href="/sign-up">
+              <Link href="/app/leads">
                 <Button size="lg" variant="outline">
-                  Create Account
+                  Open App
                 </Button>
               </Link>
             </div>
@@ -52,6 +52,9 @@ export default function LandingPage() {
           <Link className="underline underline-offset-4" href="/refund">
             Refund
           </Link>
+          <Link className="underline underline-offset-4" href="/contact">
+            Contact
+          </Link>
         </footer>
       </div>
     </main>
diff --git a/app/privacy/page.tsx b/app/privacy/page.tsx
index 8e20b25..1e0c42b 100644
--- a/app/privacy/page.tsx
+++ b/app/privacy/page.tsx
@@ -40,7 +40,11 @@ export default function PrivacyPage() {
         </section>
 
         <footer className="text-sm text-muted-foreground">
-          Contact: <a className="underline" href="mailto:support@callbackcloser.com">support@callbackcloser.com</a> ·{' '}
+          Support: <a className="underline" href="mailto:support@callbackcloser.com">support@callbackcloser.com</a> ·{' '}
+          <Link className="underline" href="/contact">
+            Contact
+          </Link>
+          {' '}·{' '}
           <Link className="underline" href="/">
             Back to home
           </Link>
diff --git a/app/refund/page.tsx b/app/refund/page.tsx
index 2ba796e..4a10f03 100644
--- a/app/refund/page.tsx
+++ b/app/refund/page.tsx
@@ -41,6 +41,10 @@ export default function RefundPolicyPage() {
 
         <footer className="text-sm text-muted-foreground">
           Support: <a className="underline" href="mailto:support@callbackcloser.com">support@callbackcloser.com</a> ·{' '}
+          <Link className="underline" href="/contact">
+            Contact
+          </Link>
+          {' '}·{' '}
           <Link className="underline" href="/">
             Back to home
           </Link>
diff --git a/app/terms/page.tsx b/app/terms/page.tsx
index e2202dc..9a2bb77 100644
--- a/app/terms/page.tsx
+++ b/app/terms/page.tsx
@@ -41,6 +41,10 @@ export default function TermsPage() {
 
         <footer className="text-sm text-muted-foreground">
           Questions: <a className="underline" href="mailto:support@callbackcloser.com">support@callbackcloser.com</a> ·{' '}
+          <Link className="underline" href="/contact">
+            Contact
+          </Link>
+          {' '}·{' '}
           <Link className="underline" href="/">
             Back to home
           </Link>
diff --git a/docs/SHIP_READINESS_AUDIT.md b/docs/SHIP_READINESS_AUDIT.md
new file mode 100644
index 0000000..e2defd7
--- /dev/null
+++ b/docs/SHIP_READINESS_AUDIT.md
@@ -0,0 +1,256 @@
+# CallbackCloser Ship Readiness Audit
+
+Date: March 2, 2026  
+Scope: `callbackcloser` app readiness to sell via `getrelayworks.com` with working buy flow and post-purchase path.
+
+## Summary
+
+CallbackCloser is close to sellable. Core SaaS plumbing is present: Vercel deploy shape, Clerk auth, Stripe checkout/webhook sync, Twilio webhook automation gates, and legal pages.
+
+This pass implemented high-confidence sell blockers:
+
+1. Added a public purchase entry route: `/buy` (supports optional `?plan=starter|pro`) that routes users through sign-up, onboarding, and then billing.
+2. Preserved purchase intent through onboarding via safe `next` redirect handling.
+3. Improved post-checkout billing UX with explicit success/pending/canceled states and next-step guidance.
+4. Added a public `/contact` page and linked it from landing/legal pages.
+5. Documented external buy-link usage in README.
+
+## 1) Deploy Targets, Env, and Auth
+
+### Deploy target(s)
+
+Current deploy target is Vercel.
+
+Evidence:
+- `vercel.json` (`framework: nextjs`, `buildCommand: npm run build`)
+- `README.md` production section is Vercel-specific
+- `docs/PRODUCTION_ENV.md` and `docs/EXTERNAL_SETUP_CHECKLIST.md` are Vercel-scoped
+- `RUNBOOK.md` deploy checklist references Vercel
+
+No evidence of alternate active deploy targets (Netlify/Render/Fly/etc.) in app runtime config.
+
+### Required env vars
+
+Required in production (runtime-enforced by `lib/env.server.ts`):
+
+- App/URL:
+  - `NEXT_PUBLIC_APP_URL` (absolute https URL in prod; fallback to Vercel system vars only if misconfigured)
+- DB:
+  - `DATABASE_URL`
+  - `DIRECT_DATABASE_URL`
+- Clerk:
+  - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY`
+  - `CLERK_SECRET_KEY`
+- Stripe:
+  - `STRIPE_SECRET_KEY`
+  - `STRIPE_WEBHOOK_SECRET`
+  - `STRIPE_PRICE_STARTER`
+  - `STRIPE_PRICE_PRO`
+- Twilio:
+  - `TWILIO_ACCOUNT_SID`
+  - `TWILIO_AUTH_TOKEN`
+  - `TWILIO_WEBHOOK_AUTH_TOKEN`
+  - `TWILIO_VALIDATE_SIGNATURE=true` in production
+
+Optional but recommended/operational:
+- `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`
+- `DEBUG_ENV_ENDPOINT_TOKEN`
+- rate limit knobs (`RATE_LIMIT_*`)
+- alerting (`ALERT_WEBHOOK_URL`, `ALERT_WEBHOOK_TOKEN`, `ALERT_WEBHOOK_TIMEOUT_MS`)
+- demo guardrail override (`ALLOW_PRODUCTION_DEMO_MODE`) only for explicit break-glass
+
+### Auth model
+
+- Primary auth: Clerk (`@clerk/nextjs`)
+- Protected routes:
+  - Middleware protects `/app/*`, `/api/stripe/checkout`, `/api/stripe/portal`
+- Data-level authz:
+  - App pages/actions call `requireBusiness()` and query by `businessId`/`ownerClerkId`
+- Twilio/Stripe webhook auth:
+  - Twilio: signature validation in prod, fallback token mode only non-prod
+  - Stripe: webhook signature validation (`stripe-signature` + `STRIPE_WEBHOOK_SECRET`)
+
+## 2) Stripe Integration Status and Full Flow
+
+Stripe is integrated.
+
+### Checkout -> Webhook -> Entitlement -> UI gating
+
+1. Checkout creation:
+- `POST /api/stripe/checkout`
+- Requires authenticated Clerk user + existing business
+- Validates selected `priceId` against env allowlist (`STRIPE_PRICE_STARTER`/`STRIPE_PRICE_PRO`)
+- Creates/updates Stripe customer and starts subscription checkout session
+- Success redirect: `/app/billing?checkout=success`
+- Cancel redirect: `/app/billing?checkout=canceled`
+
+2. Webhook ingestion:
+- `POST /api/stripe/webhook`
+- Verifies Stripe signature
+- Handles:
+  - `checkout.session.completed`
+  - `customer.subscription.created|updated|deleted`
+  - `invoice.payment_failed|succeeded`
+- Syncs `Business`:
+  - `stripeCustomerId`
+  - `stripeSubscriptionId`
+  - `stripePriceId`
+  - `subscriptionStatus`
+  - `subscriptionStatusUpdatedAt`
+
+3. Entitlement enforcement:
+- `app/api/twilio/status/route.ts` blocks SMS automation unless subscription is active
+- Leads are still captured when inactive (`billingRequired=true`)
+- Usage limits applied by plan tier:
+  - Starter: 200 conversations/month
+  - Pro: 1000 conversations/month
+
+4. UI gating:
+- `/app/billing` shows subscription status, usage tier, usage counts, and automation state
+- `/app/leads` shows upgrade banner for blocked leads
+
+### Verification status
+
+- Code-level flow is complete and coherent.
+- Automated test coverage for Stripe routes themselves is limited (no dedicated checkout/webhook integration tests in `tests/`).
+- Manual sandbox verification remains required before go-live.
+
+## 3) Product Boundary (Free vs Paid)
+
+### Current technical boundary (implemented)
+
+Free/inactive state:
+- Missed calls and leads are still captured
+- SMS follow-up automation is paused
+- Leads marked `billingRequired=true`
+
+Paid active state:
+- SMS automation runs
+- Tier selected from active Stripe price:
+  - Starter (`STRIPE_PRICE_STARTER`) -> 200 monthly conversations
+  - Pro (`STRIPE_PRICE_PRO`) -> 1000 monthly conversations
+
+### Owner decision needed
+
+Commercial packaging is not fully finalized in code/docs (pricing amounts, team semantics, trial policy).
+
+Two viable packaging options:
+
+1. Starter vs Pro (recommended for current implementation)
+- Starter: single owner user, base monthly conversation cap
+- Pro: higher cap + team features (future RBAC) + priority support
+- Why: aligns directly with existing Stripe price + usage-tier plumbing
+
+2. Trial -> Paid
+- Time- or usage-bounded trial, then forced upgrade to paid tier
+- Why: can improve conversion, but needs explicit trial lifecycle policy + billing UX updates
+
+## 4) Compliance Basics
+
+### Public policy/contact surfaces
+
+Present:
+- `/terms`
+- `/privacy`
+- `/refund`
+- `/contact` (added in this pass)
+
+Landing + legal footers link to policy/contact pages.
+
+### Twilio recording access and authz
+
+Current behavior:
+- Recording metadata is captured on call records (`recordingSid`, `recordingUrl`, etc.)
+- Dashboard data access is business-scoped (`requireBusiness` + `businessId` query constraints)
+- No public recording proxy/download endpoint exists
+
+Security implication:
+- Recording playback is not publicly exposed by this app today.
+- If playback is added later, keep strict owner/business authz and avoid exposing raw Twilio URLs directly.
+
+## 5) Punch List
+
+### A) Blockers to selling
+
+1. External buy CTA path was missing.
+- Status: Fixed (`/buy` route + README guidance)
+
+2. New buyers could lose purchase intent after onboarding.
+- Status: Fixed (safe `next` redirect support in onboarding)
+
+3. Post-checkout state messaging was thin for webhook-lag cases.
+- Status: Fixed (billing page now distinguishes active vs pending sync vs canceled)
+
+4. Public contact page was missing.
+- Status: Fixed (`/contact` + footer links)
+
+5. Published pricing/offer boundaries are not finalized (amounts/terms/team definition).
+- Status: Open
+- Owner decision needed
+
+6. Production provider wiring must be validated in live sandboxes (Stripe + Twilio + Clerk).
+- Status: Open
+
+### B) Important
+
+1. Add dedicated Stripe route/integration tests (checkout and webhook event handling).
+2. Add a concise go-live runbook for relayworks-site -> `/buy` campaign link deployment and rollback.
+3. Define support mailbox ownership/SLAs (current pages use `support@callbackcloser.com`).
+4. Decide and document refund window and explicit policy terms (currently case-by-case language).
+
+### C) Nice-to-have
+
+1. Add explicit onboarding completion success state when arriving from `/buy`.
+2. Track attribution (`source`, `campaign`) from `/buy` into analytics.
+3. Add optional Stripe trial support if business chooses Trial -> Paid.
+4. Add team/RBAC roadmap item before marketing “Pro for teams”.
+
+### D) Verification steps (pre-ship)
+
+Automated:
+
+1. `npm run env:check`
+2. `npm test`
+3. `npm run lint`
+4. `npm run typecheck`
+5. `npm run build`
+
+Manual functional:
+
+1. Open `/buy` as signed-out user; verify redirect to sign-up and return path.
+2. Complete sign-up + onboarding from `/buy`; verify landing on `/app/billing`.
+3. Start checkout from `/app/billing`; complete Stripe test purchase.
+4. Confirm `/app/billing?checkout=success` shows pending or active state correctly.
+5. Trigger Stripe webhook events and confirm `Business.subscriptionStatus`/`stripePriceId` update.
+6. Simulate missed call with inactive billing; verify lead captured + SMS paused.
+7. Simulate missed call with active billing; verify SMS starts.
+8. Confirm `/terms`, `/privacy`, `/refund`, `/contact` render publicly.
+
+## Implemented in this pass (code changes)
+
+- `app/buy/page.tsx`
+  - New purchase entry route for external Buy links.
+- `app/app/onboarding/actions.ts`
+  - Added safe post-onboarding redirect resolver.
+- `app/app/onboarding/page.tsx`
+  - Added hidden `next` propagation with safe normalization.
+- `app/app/billing/page.tsx`
+  - Added plan preselection cue and clearer success/pending/canceled post-checkout UX.
+- `app/contact/page.tsx`
+  - Added public contact page.
+- `app/page.tsx`
+  - Added Buy CTA and Contact footer link.
+- `app/terms/page.tsx`, `app/privacy/page.tsx`, `app/refund/page.tsx`
+  - Added explicit link to `/contact`.
+- `tests/legal-pages.test.ts`
+  - Added contact page heading assertion.
+- `README.md`
+  - Added external buy-link documentation and new route references.
+
+## Final Ship Assessment
+
+- Readiness: **Conditional GO** for selling once provider production wiring and business decisions are finalized.
+- Remaining hard blockers are mostly non-code/business-ops:
+  - publish pricing/package decisions
+  - confirm production provider configuration end-to-end
+  - launch checklist execution evidence
diff --git a/tests/legal-pages.test.ts b/tests/legal-pages.test.ts
index ef57819..577e10e 100644
--- a/tests/legal-pages.test.ts
+++ b/tests/legal-pages.test.ts
@@ -11,8 +11,10 @@ test('legal public pages exist with required headings', () => {
   const terms = read('app/terms/page.tsx');
   const privacy = read('app/privacy/page.tsx');
   const refund = read('app/refund/page.tsx');
+  const contact = read('app/contact/page.tsx');
 
   assert.match(terms, /Terms of Service/);
   assert.match(privacy, /Privacy Policy/);
   assert.match(refund, /Refund Policy/);
+  assert.match(contact, /Contact/);
 });

From c52b68f0a2774f81177a6de8cda828ed529ad46f Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Sun, 8 Mar 2026 15:17:00 -0400
Subject: [PATCH 05/10] chore: add production master roadmap and launch checks

---
 README.md                         |  42 ++
 app/api/health/route.ts           |  75 +++
 app/api/stripe/checkout/route.ts  |  28 +-
 app/api/stripe/portal/route.ts    |  26 +-
 app/app/error.tsx                 |  35 ++
 app/global-error.tsx              |  41 ++
 docs/PRODUCTION_MASTER_ROADMAP.md | 890 ++++++++++++++++++++++++++++++
 lib/env.server.ts                 |  53 ++
 scripts/check_env.ts              |  62 +++
 9 files changed, 1240 insertions(+), 12 deletions(-)
 create mode 100644 app/api/health/route.ts
 create mode 100644 app/app/error.tsx
 create mode 100644 app/global-error.tsx
 create mode 100644 docs/PRODUCTION_MASTER_ROADMAP.md

diff --git a/README.md b/README.md
index 94fb231..3586971 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ When a customer calls a business's Twilio number and the forwarded call is misse
 - Call recording enabled on forwarded calls + recording metadata captured on callbacks
 - Twilio webhook protection: production-enforced `X-Twilio-Signature` validation, with shared-token fallback only in non-production
 - Webhook observability baseline: correlation IDs (`X-Correlation-Id`), centralized `app.error` reporting, optional alert webhook dispatch
+- `/api/health` readiness endpoint for deploy smoke checks and uptime monitors
 - Production guardrail: `PORTFOLIO_DEMO_MODE` is blocked in production unless `ALLOW_PRODUCTION_DEMO_MODE=true` is explicitly set
 
 ## Local Setup
@@ -303,6 +304,46 @@ Prisma models included:
 9. Optionally set `DEBUG_ENV_ENDPOINT_TOKEN`, then verify app URL resolution:
    - `https://YOUR_DOMAIN/api/debug/env?token=YOUR_DEBUG_ENV_ENDPOINT_TOKEN`
 
+## Production Launch Checklist
+
+Use this checklist before sending paid traffic from `getrelayworks.com` or allowing the release to auto-deploy to production.
+
+1. Confirm the production branch release content is complete.
+   - Merge and verify the launch branches that are not yet on `main`:
+     - `chore/p0-security-roadmap`
+     - `chore/product-ux-legal`
+     - `hardening/g14-recordings-ux`
+2. Run the full verification suite from a clean checkout:
+   - `npm run env:check`
+   - `npm test`
+   - `npm run lint`
+   - `npm run typecheck`
+   - `npm run build`
+3. Confirm Vercel production env vars match `docs/PRODUCTION_ENV.md`.
+4. Apply production Prisma migrations:
+   - `npx prisma migrate deploy`
+   - optional smoke: `npm run db:smoke`
+5. Confirm Stripe production setup:
+   - live products/prices exist
+   - live webhook targets `/api/stripe/webhook`
+   - billing portal is enabled
+6. Confirm Twilio production setup:
+   - production number is assigned
+   - webhooks point to the production app URL
+   - `TWILIO_VALIDATE_SIGNATURE=true`
+   - answered, missed, STOP, START, and HELP flows are tested
+7. Confirm Clerk production setup:
+   - production domain/origins are allowed
+   - sign-in and sign-up redirects work
+8. Confirm monitoring and operations readiness:
+   - `/api/health` returns `200`
+   - alerting or error sink is live
+   - backup/restore drill evidence is current
+9. Confirm customer-facing launch surface:
+   - `/terms`, `/privacy`, and `/refund` are public
+   - support inbox/contact path is monitored
+   - `getrelayworks.com` Buy CTA points to the approved production flow
+
 ## Useful Routes
 
 - `/` - landing page
@@ -315,6 +356,7 @@ Prisma models included:
 - `/app/leads` - dashboard
 - `/app/settings` - business settings + Twilio number provisioning
 - `/app/billing` - Stripe subscription page
+- `/api/health` - readiness probe for deploy and uptime checks
 - `/api/twilio/voice` - Twilio voice webhook
 - `/api/twilio/status` - Twilio dial action callback
 - `/api/twilio/sms` - Twilio SMS webhook
diff --git a/app/api/health/route.ts b/app/api/health/route.ts
new file mode 100644
index 0000000..8537c1f
--- /dev/null
+++ b/app/api/health/route.ts
@@ -0,0 +1,75 @@
+import { NextResponse } from 'next/server';
+
+import { db } from '@/lib/db';
+import { getConfiguredAppBaseUrl } from '@/lib/env.server';
+import { getCorrelationIdFromRequest, withCorrelationIdHeader } from '@/lib/observability';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+const DB_PROBE_TIMEOUT_MS = 2_000;
+
+function withTimeout<T>(promise: Promise<T>, timeoutMs: number) {
+  return Promise.race<T>([
+    promise,
+    new Promise<T>((_, reject) => {
+      const timer = setTimeout(() => {
+        reject(new Error(`timeout_after_${timeoutMs}ms`));
+      }, timeoutMs);
+      timer.unref?.();
+    }),
+  ]);
+}
+
+function hasValue(value: string | undefined) {
+  return Boolean(value?.trim());
+}
+
+function getEnvChecks() {
+  return {
+    appUrl: Boolean(getConfiguredAppBaseUrl()),
+    databaseUrl: hasValue(process.env.DATABASE_URL),
+    directDatabaseUrl: hasValue(process.env.DIRECT_DATABASE_URL),
+    clerk: hasValue(process.env.CLERK_SECRET_KEY) && hasValue(process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY),
+    stripe: hasValue(process.env.STRIPE_SECRET_KEY) && hasValue(process.env.STRIPE_WEBHOOK_SECRET),
+    twilio: hasValue(process.env.TWILIO_ACCOUNT_SID) && hasValue(process.env.TWILIO_AUTH_TOKEN),
+  };
+}
+
+async function getDatabaseCheck() {
+  try {
+    await withTimeout(db.$queryRaw`SELECT 1`, DB_PROBE_TIMEOUT_MS);
+    return { ok: true as const, detail: 'ok' };
+  } catch (error) {
+    return {
+      ok: false as const,
+      detail: error instanceof Error ? error.message : 'db_probe_failed',
+    };
+  }
+}
+
+export async function GET(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
+  const envChecks = getEnvChecks();
+  const dbCheck = await getDatabaseCheck();
+  const envReady = Object.values(envChecks).every(Boolean);
+  const ready = envReady && dbCheck.ok;
+
+  return withCorrelation(
+    NextResponse.json(
+      {
+        status: ready ? 'ok' : 'degraded',
+        timestamp: new Date().toISOString(),
+        checks: {
+          env: {
+            ready: envReady,
+            ...envChecks,
+          },
+          database: dbCheck,
+        },
+      },
+      { status: ready ? 200 : 503 }
+    )
+  );
+}
diff --git a/app/api/stripe/checkout/route.ts b/app/api/stripe/checkout/route.ts
index 1f69e6c..f1011d7 100644
--- a/app/api/stripe/checkout/route.ts
+++ b/app/api/stripe/checkout/route.ts
@@ -2,6 +2,7 @@ import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 
 import { db } from '@/lib/db';
+import { getCorrelationIdFromRequest, reportApplicationError, withCorrelationIdHeader } from '@/lib/observability';
 import { getStripe } from '@/lib/stripe';
 import { absoluteUrl } from '@/lib/url';
 import { checkoutSchema } from '@/lib/validators';
@@ -14,25 +15,27 @@ function errorRedirect(message: string) {
 }
 
 export async function POST(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
   const { userId } = await auth();
   if (!userId) {
-    return NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 }));
   }
 
   const business = await db.business.findUnique({ where: { ownerClerkId: userId } });
   if (!business) {
-    return NextResponse.redirect(absoluteUrl('/app/onboarding'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/app/onboarding'), { status: 303 }));
   }
 
   const formData = await request.formData();
   const parsed = checkoutSchema.safeParse(Object.fromEntries(formData));
   if (!parsed.success) {
-    return errorRedirect('Invalid Stripe price selection');
+    return withCorrelation(errorRedirect('Invalid Stripe price selection'));
   }
 
   const allowedPrices = [process.env.STRIPE_PRICE_STARTER, process.env.STRIPE_PRICE_PRO].filter(Boolean);
   if (!allowedPrices.includes(parsed.data.priceId)) {
-    return errorRedirect('Price ID is not allowed');
+    return withCorrelation(errorRedirect('Price ID is not allowed'));
   }
 
   try {
@@ -65,12 +68,23 @@ export async function POST(request: Request) {
     });
 
     if (!session.url) {
-      return errorRedirect('Stripe did not return a checkout URL');
+      return withCorrelation(errorRedirect('Stripe did not return a checkout URL'));
     }
 
-    return NextResponse.redirect(session.url, { status: 303 });
+    return withCorrelation(NextResponse.redirect(session.url, { status: 303 }));
   } catch (error) {
+    reportApplicationError({
+      source: 'stripe.checkout',
+      event: 'route_error',
+      correlationId,
+      error,
+      metadata: {
+        userId,
+        businessId: business.id,
+      },
+      alert: false,
+    });
     const message = error instanceof Error ? error.message : 'Failed to create Stripe checkout session';
-    return errorRedirect(message);
+    return withCorrelation(errorRedirect(message));
   }
 }
diff --git a/app/api/stripe/portal/route.ts b/app/api/stripe/portal/route.ts
index f9a1ad5..07f3295 100644
--- a/app/api/stripe/portal/route.ts
+++ b/app/api/stripe/portal/route.ts
@@ -2,21 +2,26 @@ import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 
 import { db } from '@/lib/db';
+import { getCorrelationIdFromRequest, reportApplicationError, withCorrelationIdHeader } from '@/lib/observability';
 import { getStripe } from '@/lib/stripe';
 import { absoluteUrl } from '@/lib/url';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
 
-export async function POST() {
+export async function POST(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
   const { userId } = await auth();
   if (!userId) {
-    return NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl('/sign-in'), { status: 303 }));
   }
 
   const business = await db.business.findUnique({ where: { ownerClerkId: userId } });
   if (!business?.stripeCustomerId) {
-    return NextResponse.redirect(absoluteUrl('/app/billing?error=No%20Stripe%20customer%20for%20this%20business'), { status: 303 });
+    return withCorrelation(
+      NextResponse.redirect(absoluteUrl('/app/billing?error=No%20Stripe%20customer%20for%20this%20business'), { status: 303 })
+    );
   }
 
   try {
@@ -26,9 +31,20 @@ export async function POST() {
       return_url: absoluteUrl('/app/billing'),
     });
 
-    return NextResponse.redirect(session.url, { status: 303 });
+    return withCorrelation(NextResponse.redirect(session.url, { status: 303 }));
   } catch (error) {
+    reportApplicationError({
+      source: 'stripe.portal',
+      event: 'route_error',
+      correlationId,
+      error,
+      metadata: {
+        userId,
+        businessId: business.id,
+      },
+      alert: false,
+    });
     const message = error instanceof Error ? error.message : 'Failed to open billing portal';
-    return NextResponse.redirect(absoluteUrl(`/app/billing?error=${encodeURIComponent(message)}`), { status: 303 });
+    return withCorrelation(NextResponse.redirect(absoluteUrl(`/app/billing?error=${encodeURIComponent(message)}`), { status: 303 }));
   }
 }
diff --git a/app/app/error.tsx b/app/app/error.tsx
new file mode 100644
index 0000000..b8ca797
--- /dev/null
+++ b/app/app/error.tsx
@@ -0,0 +1,35 @@
+'use client';
+
+import { useEffect } from 'react';
+
+import { Button } from '@/components/ui/button';
+
+export default function AppError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    console.error('app.route_error_boundary', {
+      message: error.message,
+      digest: error.digest ?? null,
+    });
+  }, [error]);
+
+  return (
+    <div className="mx-auto flex min-h-[50vh] max-w-2xl flex-col items-start justify-center gap-4">
+      <div className="space-y-2">
+        <p className="text-sm font-medium uppercase tracking-[0.2em] text-muted-foreground">Application Error</p>
+        <h1 className="text-3xl font-semibold tracking-tight">The dashboard hit an unexpected error.</h1>
+        <p className="text-sm text-muted-foreground">
+          Retry the request. If the problem repeats, capture the time and recent action for support.
+        </p>
+      </div>
+      <Button type="button" onClick={() => reset()}>
+        Try again
+      </Button>
+    </div>
+  );
+}
diff --git a/app/global-error.tsx b/app/global-error.tsx
new file mode 100644
index 0000000..90023f5
--- /dev/null
+++ b/app/global-error.tsx
@@ -0,0 +1,41 @@
+'use client';
+
+import { useEffect } from 'react';
+
+export default function GlobalError({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  useEffect(() => {
+    console.error('app.global_error_boundary', {
+      message: error.message,
+      digest: error.digest ?? null,
+    });
+  }, [error]);
+
+  return (
+    <html lang="en">
+      <body className="min-h-screen bg-background text-foreground">
+        <main className="mx-auto flex min-h-screen max-w-2xl flex-col items-start justify-center gap-4 px-6 py-16">
+          <div className="space-y-2">
+            <p className="text-sm font-medium uppercase tracking-[0.2em] text-muted-foreground">Unexpected Error</p>
+            <h1 className="text-3xl font-semibold tracking-tight">CallbackCloser could not finish this request.</h1>
+            <p className="text-sm text-muted-foreground">
+              Retry once. If the error persists, use the support contact listed on the public legal pages.
+            </p>
+          </div>
+          <button
+            type="button"
+            onClick={() => reset()}
+            className="inline-flex h-10 items-center justify-center rounded-md bg-primary px-4 text-sm font-medium text-primary-foreground"
+          >
+            Reload
+          </button>
+        </main>
+      </body>
+    </html>
+  );
+}
diff --git a/docs/PRODUCTION_MASTER_ROADMAP.md b/docs/PRODUCTION_MASTER_ROADMAP.md
new file mode 100644
index 0000000..f6f2693
--- /dev/null
+++ b/docs/PRODUCTION_MASTER_ROADMAP.md
@@ -0,0 +1,890 @@
+# CallbackCloser Production Master Roadmap
+
+Date: 2026-03-08  
+Scope: Move CallbackCloser from the current repository state to a fully production-ready SaaS launch for paying businesses coming from `getrelayworks.com`.
+
+## 1. Current State Snapshot
+
+### 1.1 Repository baseline
+
+| Area | Current state | Evidence |
+|---|---|---|
+| Production-line branch | `main` appears to be the production deploy branch | `origin/HEAD -> origin/main`; local `main` exists and is the default remote branch |
+| Current `main` HEAD | `2edb965` - `hardening: G13 usage visibility and automation block reasons (#26)` | `git show --stat --oneline main -1` |
+| Deploy target | Vercel | `vercel.json`, `README.md`, `docs/PRODUCTION_ENV.md`, `RUNBOOK.md` |
+| Framework | Next.js 14 App Router + TypeScript | `package.json`, `app/**` |
+| UI | Tailwind CSS + shadcn-style components | `tailwind.config.ts`, `components/ui/**`, `app/globals.css` |
+| Database | Postgres via Prisma, with Neon-oriented docs/config | `prisma/schema.prisma`, `docs/DB_NEON_PRISMA.md`, `docs/PRODUCTION_ENV.md` |
+| Authentication | Clerk | `@clerk/nextjs`, `middleware.ts`, `lib/auth.ts`, `app/(auth)/**` |
+| Payments | Stripe subscriptions + billing portal + webhook sync | `app/api/stripe/**`, `lib/stripe.ts`, `app/app/billing/page.tsx` |
+| Telephony + SMS | Twilio Voice + Messaging + recording metadata callbacks | `app/api/twilio/**`, `lib/twilio.ts`, `lib/twilio-recording.ts` |
+| Observability | Structured logs, webhook correlation IDs, optional alert webhook | `lib/observability.ts`, `lib/twilio-logging.ts`, `tests/observability.test.ts` |
+
+### 1.2 Launch-relevant work not yet on `main`
+
+The repository contains launch-critical work on separate branches that is not yet on the production-line branch:
+
+| Branch | Status relative to `main` | What it adds |
+|---|---|---|
+| `chore/p0-security-roadmap` | Open branch | `docs/PRODUCTION_ROADMAP.md`, `/api/health`, Stripe mutation route hardening, security headers, audit log helpers |
+| `chore/product-ux-legal` | Open branch | `/buy`, `/contact`, legal/public flow updates, `docs/SHIP_READINESS_AUDIT.md` |
+| `hardening/g14-recordings-ux` | Open branch | authenticated recording access flow and tests |
+
+Practical implication: the repo has already produced useful launch work, but `main` is not yet the sellable release branch.
+
+### 1.3 Providers in use
+
+| Provider | Purpose | Where used |
+|---|---|---|
+| Vercel | Hosting, runtime, environment management | `vercel.json`, README deploy docs |
+| Neon / Postgres | Primary database | `prisma/schema.prisma`, `docs/DB_NEON_PRISMA.md` |
+| Clerk | Authentication and session protection | `middleware.ts`, `lib/auth.ts`, `app/(auth)/**` |
+| Stripe | Subscription checkout, portal, webhook-based entitlements | `app/api/stripe/**`, `app/app/billing/page.tsx` |
+| Twilio | Phone number provisioning, voice forwarding, recording callbacks, SMS automation | `app/api/twilio/**`, `app/app/settings/actions.ts`, `lib/twilio.ts` |
+
+### 1.4 Authentication and authorization model
+
+- Authn: Clerk session auth.
+- Protected surfaces: `/app/**`, `/api/stripe/checkout`, `/api/stripe/portal` via `middleware.ts`.
+- Tenant model: single-business-per-owner (`Business.ownerClerkId` is unique).
+- Current boundary: most app reads/writes are keyed by `businessId` or `ownerClerkId`.
+- Current limitation: there is no multi-user team/org RBAC yet; this is still a single-owner SaaS.
+
+### 1.5 Environment variables in use
+
+#### Required for production
+
+- App / Vercel
+  - `NEXT_PUBLIC_APP_URL`
+- Database
+  - `DATABASE_URL`
+  - `DIRECT_DATABASE_URL`
+- Clerk
+  - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY`
+  - `CLERK_SECRET_KEY`
+- Stripe
+  - `STRIPE_SECRET_KEY`
+  - `STRIPE_WEBHOOK_SECRET`
+  - `STRIPE_PRICE_STARTER`
+  - `STRIPE_PRICE_PRO`
+- Twilio
+  - `TWILIO_ACCOUNT_SID`
+  - `TWILIO_AUTH_TOKEN`
+  - `TWILIO_WEBHOOK_AUTH_TOKEN`
+  - `TWILIO_VALIDATE_SIGNATURE=true` in production
+
+#### Optional but operationally important
+
+- Clerk path config
+  - `NEXT_PUBLIC_CLERK_SIGN_IN_URL`
+  - `NEXT_PUBLIC_CLERK_SIGN_UP_URL`
+- Stripe frontend / future client usage
+  - `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`
+- Monitoring / alerts
+  - `ALERT_WEBHOOK_URL`
+  - `ALERT_WEBHOOK_TOKEN`
+  - `ALERT_WEBHOOK_TIMEOUT_MS`
+- Debug / controlled prod diagnostics
+  - `DEBUG_ENV_ENDPOINT_TOKEN`
+- Demo guardrail
+  - `PORTFOLIO_DEMO_MODE`
+  - `ALLOW_PRODUCTION_DEMO_MODE`
+- Rate limiting
+  - `RATE_LIMIT_WINDOW_MS`
+  - `RATE_LIMIT_TWILIO_AUTH_MAX`
+  - `RATE_LIMIT_TWILIO_UNAUTH_MAX`
+  - `RATE_LIMIT_STRIPE_AUTH_MAX`
+  - `RATE_LIMIT_STRIPE_UNAUTH_MAX`
+  - `RATE_LIMIT_PROTECTED_API_MAX`
+- Vercel system fallbacks
+  - `VERCEL_ENV`
+  - `VERCEL_URL`
+  - `VERCEL_PROJECT_PRODUCTION_URL`
+
+### 1.6 Current readiness summary
+
+#### Already present on `main`
+
+- Core app stack is functional.
+- Stripe subscription plumbing exists.
+- Twilio webhook auth, retry semantics, usage gating, and SMS compliance exist.
+- Legal pages `/terms`, `/privacy`, `/refund` exist.
+- Correlation IDs already exist on Twilio and Stripe webhook routes.
+- Environment validation exists and is production-aware.
+
+#### Still missing from the production branch
+
+- Public `/buy` and `/contact` surfaces.
+- `/api/health` readiness endpoint.
+- G14 recording access flow.
+- Earlier roadmap/audit docs that live only on open branches.
+- Final live provider setup and launch operations.
+
+## 2. Definition of Production Ready
+
+CallbackCloser is production ready only when every category below is true.
+
+| Category | Acceptance criteria |
+|---|---|
+| Application | `main` contains the intended release scope; `/`, `/buy`, `/contact`, `/terms`, `/privacy`, `/refund`, `/app/onboarding`, `/app/billing`, `/app/leads` all render correctly in production. |
+| Deployment | Production deploy comes from `main`; `npm run env:check`, `npm test`, `npm run lint`, `npm run typecheck`, and `npm run build` pass from a clean checkout; `npx prisma migrate deploy` succeeds against production DB. |
+| Security | Production enforces `TWILIO_VALIDATE_SIGNATURE=true`; Stripe webhook signatures validate; protected routes require auth; cross-business reads/writes are denied; no raw secret values are logged. |
+| Payments | Starter and Pro live prices exist; checkout completes in live mode; Stripe webhook events update `Business.subscriptionStatus`; billing portal works; failed payment and cancellation pause automation within one webhook cycle. |
+| Billing lifecycle | Active, past due, canceled, and downgraded states are visible on the billing page and correctly affect SMS automation/usage gating. |
+| Twilio operations | Answered call, missed call, HELP, STOP, START, and retry/replay scenarios work against the production number; call recording metadata persists; if G14 ships, authorized recording access works end-to-end. |
+| Observability | `/api/health` is monitored; critical failures produce searchable logs with `X-Correlation-Id`; error alerting reaches a human-owned channel; uptime monitor and deploy smoke checks are configured. |
+| Data safety | Production DB has backups/PITR enabled; restore drill evidence exists from the last 30 days; migration workflow and rollback notes are documented. |
+| Legal + support | Public Terms, Privacy, Refund, and Contact surfaces are reachable; support inbox is monitored; support SLA/response expectations are documented. |
+| Onboarding UX | A new buyer can go from marketing site to sign-up, onboarding, billing, and first successful missed-call automation without manual database intervention. |
+| Incident response | There is an owner-known runbook for Twilio outage, Stripe webhook failure, DB outage, and bad deploy rollback; alert recipients know where to act. |
+
+## 3. Phased Roadmap
+
+Execution labels:
+
+- `Codex`: repository/code/doc work that can be implemented locally.
+- `Owner`: external setup, product/legal/business decisions, or third-party console work.
+- `Shared`: Codex prepares code/docs/tests; owner completes console changes or approval/signoff.
+
+### P0 - Launch Blockers
+
+#### [ ] P0-1 Merge launch-critical branches into `main`
+
+- Execution: `Shared`
+- Description: Merge and verify `chore/p0-security-roadmap`, `chore/product-ux-legal`, and the hardened recording branch before any production sell-through.
+- Why it matters: `main` is the likely production deploy branch, and it currently does not contain the sell flow, health endpoint, or recording work.
+- File or area impacted: `main`; open branches `chore/p0-security-roadmap`, `chore/product-ux-legal`, `hardening/g14-recordings-ux`
+- Verification commands:
+  - `git diff --name-only main..chore/p0-security-roadmap`
+  - `git diff --name-only main..chore/product-ux-legal`
+  - `git diff --name-only main..hardening/g14-recordings-ux`
+  - after merge: `npm run env:check && npm test && npm run lint && npm run typecheck && npm run build`
+- Risk if not implemented: production deploys from `main` will miss key sellability and ops hardening.
+
+#### [ ] P0-2 Finalize pricing, packaging, refund, and support policy
+
+- Execution: `Owner`
+- Description: Lock Starter vs Pro boundaries, monthly price points, refund language, support inbox, and any recording retention commitments.
+- Why it matters: the code can sell only what the business has explicitly decided to fulfill.
+- File or area impacted: Stripe Dashboard product catalog; public legal copy; `README.md`; marketing copy on `getrelayworks.com`
+- Verification commands:
+  - no repo-only command; owner signoff required
+  - confirm `STRIPE_PRICE_STARTER` and `STRIPE_PRICE_PRO` point to final live products
+- Risk if not implemented: refund disputes, mismatched plan promises, support ambiguity.
+
+#### [ ] P0-3 Complete Vercel production environment and domain setup
+
+- Execution: `Owner`
+- Description: Configure production env vars, custom domain, and confirm production deploy branch behavior in Vercel.
+- Why it matters: incorrect env or branch wiring breaks auth, webhooks, redirects, and billing.
+- File or area impacted: Vercel Project Settings; `vercel.json`; `docs/PRODUCTION_ENV.md`
+- Verification commands:
+  - `npm run env:check`
+  - `curl -i https://YOUR_PRODUCTION_DOMAIN/api/health`
+- Risk if not implemented: bad deploys, broken redirects, failed webhooks, or traffic going to the wrong environment.
+
+#### [ ] P0-4 Complete Neon production DB cutover and restore drill
+
+- Execution: `Owner`
+- Description: Use the pooled runtime URL and direct migration URL, run migrations, enable PITR/backups, and document a fresh restore drill.
+- Why it matters: production SaaS without proven recovery is not launch safe.
+- File or area impacted: Neon console; `prisma/schema.prisma`; `docs/DB_NEON_PRISMA.md`; `docs/BACKUP_RESTORE_RUNBOOK.md`
+- Verification commands:
+  - `npx prisma migrate status`
+  - `npx prisma migrate deploy`
+  - `npm run db:smoke`
+- Risk if not implemented: irreversible data loss or failed deploys during schema changes.
+
+#### [ ] P0-5 Complete Clerk production auth setup
+
+- Execution: `Owner`
+- Description: Add the real production origin, redirects, and email settings in Clerk; verify real sign-up/sign-in flows.
+- Why it matters: if Clerk origins/redirects are wrong, customers cannot buy or access the app.
+- File or area impacted: Clerk Dashboard; `app/(auth)/**`; `middleware.ts`
+- Verification commands:
+  - manual browser test: sign up from production domain
+  - manual browser test: sign out and sign back in
+- Risk if not implemented: login failures and support escalations immediately at launch.
+
+#### [ ] P0-6 Complete Stripe live-mode launch verification
+
+- Execution: `Shared`
+- Description: Create final live products/prices, enable billing portal, configure live webhook endpoint, and verify checkout through cancellation/downgrade.
+- Why it matters: incorrect billing configuration means lost money, broken entitlements, or automation for unpaid accounts.
+- File or area impacted: Stripe Dashboard; `app/api/stripe/checkout/route.ts`; `app/api/stripe/portal/route.ts`; `app/api/stripe/webhook/route.ts`; `app/app/billing/page.tsx`
+- Verification commands:
+  - `npm test`
+  - manual test plan scenarios 1 and 7 in Section 6
+- Risk if not implemented: live checkout fails, portal is broken, or billing status does not map to automation behavior.
+
+#### [ ] P0-7 Complete Twilio production launch verification and messaging compliance
+
+- Execution: `Shared`
+- Description: provision the production number, sync correct production webhook URLs, complete required A2P/toll-free compliance path, and test real answered/missed/SMS flows.
+- Why it matters: Twilio is the core acquisition-to-lead automation path; misconfiguration directly causes lost leads or carrier violations.
+- File or area impacted: Twilio Console; `app/api/twilio/**`; `app/app/settings/actions.ts`; `lib/twilio.ts`
+- Verification commands:
+  - `npm run webhooks:print`
+  - manual test plan scenarios 2 through 6 in Section 6
+- Risk if not implemented: calls are not forwarded, leads are dropped, SMS gets blocked, or compliance issues shut messaging down.
+
+#### [ ] P0-8 Wire monitoring, uptime, and alert ownership
+
+- Execution: `Shared`
+- Description: connect structured app errors to a human-owned alert path and configure `/api/health` uptime probes.
+- Why it matters: production incidents must be visible quickly, not discovered by customers.
+- File or area impacted: `app/api/health/route.ts`; `lib/observability.ts`; Vercel logs; external monitoring tool
+- Verification commands:
+  - `curl -i http://localhost:3000/api/health`
+  - induce a safe synthetic application error and confirm alert delivery
+- Risk if not implemented: silent outages and long mean time to detection.
+
+#### [ ] P0-9 Publish and verify the external buy flow from `getrelayworks.com`
+
+- Execution: `Shared`
+- Description: merge the product/legal branch, publish the approved Buy CTA target, and test the full visitor -> account -> onboarding -> billing path.
+- Why it matters: the marketing site is the entry point for paying customers.
+- File or area impacted: `app/buy/page.tsx` on the open product branch; `getrelayworks.com` CTA config; `app/app/onboarding/**`; `app/app/billing/page.tsx`
+- Verification commands:
+  - manual browser flow from `getrelayworks.com`
+  - confirm target route and final billing state in production
+- Risk if not implemented: paid traffic lands on a broken or incomplete purchase flow.
+
+#### [ ] P0-10 Establish support and incident response ownership
+
+- Execution: `Owner`
+- Description: assign who monitors support, where alerts go, what the first-response SLA is, and how incidents are escalated.
+- Why it matters: production SaaS without support ownership becomes a support nightmare immediately.
+- File or area impacted: `RUNBOOK.md`; public contact/legal pages; support inbox/tooling
+- Verification commands:
+  - send a test email to the production support address
+  - confirm alert recipients and escalation path
+- Risk if not implemented: customer issues go unanswered and operational incidents stall.
+
+### P1 - Launch Enhancers
+
+#### [ ] P1-1 Persist audit logs in the database
+
+- Execution: `Codex`
+- Description: move beyond console-only audit events to a durable `AuditLog` table for privileged actions and billing/session events.
+- Why it matters: durable audit records improve support, security investigations, and customer dispute handling.
+- File or area impacted: `prisma/schema.prisma`; privileged server actions; Stripe routes; future admin views
+- Verification commands:
+  - `npm test`
+  - verify audit rows exist after settings/billing mutations
+- Risk if not implemented: limited forensic history and weaker support evidence.
+
+#### [ ] P1-2 Add tenant-boundary regression tests
+
+- Execution: `Codex`
+- Description: add explicit tests around lead access, settings mutations, and recording access boundaries.
+- Why it matters: auth code currently assumes a single owner model and needs regression coverage against data leaks.
+- File or area impacted: `app/app/leads/**`; `app/app/settings/actions.ts`; `app/api/leads/[leadId]/recording/route.ts` if G14 ships; new tests
+- Verification commands:
+  - `npm test`
+- Risk if not implemented: accidental cross-business access regressions may ship unnoticed.
+
+#### [ ] P1-3 Merge and verify G14 only in its hardened form
+
+- Execution: `Shared`
+- Description: if recording access is part of launch scope, merge only the hardened proxy/allowlist version from `hardening/g14-recordings-ux`.
+- Why it matters: recordings are sensitive and should never redirect to arbitrary stored URLs.
+- File or area impacted: `app/api/leads/[leadId]/recording/route.ts`; `lib/recording-access.ts`; `tests/recording-access.test.ts`
+- Verification commands:
+  - `npm test`
+  - manual recording access test in Section 6
+- Risk if not implemented: recordings remain inaccessible, or a weaker implementation could expose an open-redirect/security issue.
+
+#### [ ] P1-4 Improve billing lifecycle UX copy
+
+- Execution: `Codex`
+- Description: make cancel, past-due, downgrade, and usage-limit states more explicit in the billing and leads UI.
+- Why it matters: better self-service reduces support load and confusion.
+- File or area impacted: `app/app/billing/page.tsx`; `app/app/leads/page.tsx`; `components/upgrade-banner.tsx`
+- Verification commands:
+  - `npm run build`
+  - manual UI checks under active, past-due, and canceled states
+- Risk if not implemented: more support tickets about why automation stopped.
+
+#### [ ] P1-5 Add dependency and security scanning to the release gate
+
+- Execution: `Codex`
+- Description: add `npm audit` or equivalent dependency scanning to CI/release docs.
+- Why it matters: known CVEs should not be discovered after launch.
+- File or area impacted: `.github/workflows/ci.yml`; `package.json`; release checklist docs
+- Verification commands:
+  - `npm audit --production --audit-level=high`
+- Risk if not implemented: vulnerable dependency issues may ship unnoticed.
+
+#### [ ] P1-6 Publish customer onboarding docs and welcome steps
+
+- Execution: `Shared`
+- Description: create a minimal getting-started guide for new customers covering Twilio number setup, forwarding number, notify phone, and first test call.
+- Why it matters: onboarding friction becomes a support queue immediately after launch.
+- File or area impacted: public docs or help center; `/app/onboarding`; `/app/settings`
+- Verification commands:
+  - owner walkthrough with a new test account
+- Risk if not implemented: slow activation and manual hand-holding for every customer.
+
+#### [ ] P1-7 Add source attribution from `getrelayworks.com`
+
+- Execution: `Codex`
+- Description: preserve plan/source/campaign intent from the marketing site through sign-up and onboarding.
+- Why it matters: launch marketing spend needs attribution and funnel visibility.
+- File or area impacted: `/buy` flow on the product branch; onboarding actions; billing page; analytics layer
+- Verification commands:
+  - manual browser test with query params such as `?plan=starter&source=relayworks`
+- Risk if not implemented: weak conversion analytics and harder pricing/channel decisions.
+
+### P2 - Scale and Reliability
+
+#### [ ] P2-1 Move Twilio side effects to a queue or outbox
+
+- Execution: `Codex`
+- Description: persist webhook intent first, then send SMS/owner notifications asynchronously with retries and dead-letter visibility.
+- Why it matters: synchronous webhook side effects do not scale cleanly and are harder to recover.
+- File or area impacted: `app/api/twilio/status/route.ts`; `app/api/twilio/sms/route.ts`; `lib/twilio-messaging.ts`
+- Verification commands:
+  - queue worker test suite
+  - replay Twilio callback load against staging
+- Risk if not implemented: higher latency, brittle retries, and operational pain under load.
+
+#### [ ] P2-2 Add multi-user organization/RBAC support
+
+- Execution: `Codex`
+- Description: expand from one owner per business to owner/admin/agent roles with explicit authorization checks.
+- Why it matters: real SaaS accounts often need multiple team members.
+- File or area impacted: `prisma/schema.prisma`; `lib/auth.ts`; protected pages/actions; tests
+- Verification commands:
+  - new authz test matrix covering each role
+- Risk if not implemented: limited market fit for teams and ad hoc permission workarounds.
+
+#### [ ] P2-3 Automate retention and deletion policies
+
+- Execution: `Shared`
+- Description: define and implement retention/deletion rules for lead/message/call metadata and recordings references.
+- Why it matters: privacy compliance and storage costs grow with customer count.
+- File or area impacted: docs; background jobs; Prisma models; Twilio recording handling
+- Verification commands:
+  - documented policy
+  - non-production retention job dry run
+- Risk if not implemented: privacy ambiguity, higher storage costs, and messy customer deletion requests.
+
+#### [ ] P2-4 Add performance/load validation and provider degradation handling
+
+- Execution: `Codex`
+- Description: load test webhook and billing hotspots, and add graceful degradation rules for Twilio/Stripe/DB failures.
+- Why it matters: production stability needs more than correctness under single-request flows.
+- File or area impacted: webhook routes; rate limits; observability; new load-test scripts/docs
+- Verification commands:
+  - load-test scripts against staging
+  - failure injection runbook
+- Risk if not implemented: outages or degraded performance under spikes.
+
+#### [ ] P2-5 Expand customer/account operations tooling
+
+- Execution: `Codex`
+- Description: build durable admin/support tooling for account history, audit lookup, and manual recovery flows.
+- Why it matters: operational complexity grows after launch even at modest scale.
+- File or area impacted: future admin tools; audit logs; support docs
+- Verification commands:
+  - support drill using a staging customer account
+- Risk if not implemented: manual DB edits become the only recovery path.
+
+## 4. Owner Manual Tasks
+
+These tasks must be completed outside the repository. Codex can document them and validate the app-side behavior, but cannot complete the third-party account actions.
+
+### 4.1 Vercel
+
+Service: Vercel
+
+Exact settings to configure:
+
+- Production environment variables from `docs/PRODUCTION_ENV.md`
+- Custom production domain
+- Production branch confirmation (`main`)
+- Automatic production deployments for the intended branch
+
+Step-by-step:
+
+1. Open the Vercel project for CallbackCloser.
+2. Set all production env vars, including `NEXT_PUBLIC_APP_URL`, DB URLs, Clerk keys, Stripe keys, and Twilio secrets.
+3. Confirm the production domain resolves to the app and `NEXT_PUBLIC_APP_URL` matches it exactly.
+4. Confirm the production branch is `main`.
+5. Trigger a fresh production deployment after env changes.
+
+How to verify success:
+
+- `curl -i https://YOUR_PRODUCTION_DOMAIN/api/health`
+- Vercel dashboard shows the deployment as Production
+- auth, billing, and Twilio webhook URLs use the same origin
+
+### 4.2 Neon / Postgres
+
+Service: Neon
+
+Exact settings to configure:
+
+- pooled runtime connection string in `DATABASE_URL`
+- direct connection string in `DIRECT_DATABASE_URL`
+- PITR/backups enabled
+- retention window documented
+
+Step-by-step:
+
+1. In Neon, copy the pooled connection string and add `sslmode=require` if needed.
+2. Copy the direct non-pooler connection string for `DIRECT_DATABASE_URL`.
+3. Enable PITR/backups according to the paid plan.
+4. Run `npx prisma migrate deploy` against production.
+5. Run a restore drill into a non-production database and capture evidence.
+
+How to verify success:
+
+- `npx prisma migrate status`
+- `npm run db:smoke`
+- restore drill produces a working clone that the app can query
+
+### 4.3 Clerk
+
+Service: Clerk
+
+Exact settings to configure:
+
+- allowed origins for the production domain
+- sign-in redirect URL
+- sign-up redirect URL
+- email delivery/domain settings if production email is used
+
+Step-by-step:
+
+1. Open the Clerk dashboard for the production application.
+2. Add the production app origin.
+3. Add sign-in and sign-up redirect URLs for the production domain.
+4. If email verification or email templates are used, confirm production sender/domain configuration.
+5. Test a fresh sign-up and a returning sign-in.
+
+How to verify success:
+
+- production sign-up completes successfully
+- production sign-in returns to `/app`
+- no Clerk origin/redirect errors appear
+
+### 4.4 Stripe
+
+Service: Stripe
+
+Exact settings to configure:
+
+- live-mode Starter and Pro products/prices
+- live secret and publishable keys in Vercel
+- billing portal enabled
+- live webhook endpoint for `/api/stripe/webhook`
+- event subscription:
+  - `checkout.session.completed`
+  - `customer.subscription.created`
+  - `customer.subscription.updated`
+  - `customer.subscription.deleted`
+  - `invoice.payment_failed`
+  - `invoice.payment_succeeded`
+
+Step-by-step:
+
+1. In live mode, create the final Starter and Pro subscription prices.
+2. Copy live `price_...` IDs into Vercel env vars.
+3. Enable the billing portal.
+4. Create a live webhook endpoint pointing to `https://YOUR_PRODUCTION_DOMAIN/api/stripe/webhook`.
+5. Copy the live webhook signing secret into `STRIPE_WEBHOOK_SECRET`.
+6. Run a live-mode smoke purchase with a real internal payment method if policy allows, or complete end-to-end in test mode and separately verify live setup configuration.
+
+How to verify success:
+
+- checkout redirects to Stripe and completes
+- webhook events appear in Stripe and update the app
+- `/app/billing` shows the expected status and plan
+- portal session opens successfully
+
+### 4.5 Twilio
+
+Service: Twilio
+
+Exact settings to configure:
+
+- production voice/SMS number
+- webhook URLs targeting the production app URL
+- local-number A2P 10DLC registration, or toll-free verification if using a toll-free number
+- recording behavior and retention settings reviewed
+
+Step-by-step:
+
+1. Decide whether launch uses a US local number or toll-free number.
+2. If using a US local number, complete A2P 10DLC brand/campaign registration before real automation traffic.
+3. If using toll-free, complete toll-free verification before sending production traffic.
+4. Purchase or assign the production number.
+5. In the app or Twilio Console, point voice, SMS, and status callbacks at the production URLs.
+6. Confirm recording behavior matches your customer/legal expectations.
+7. Run answered-call, missed-call, HELP, STOP, and START tests from real phones.
+
+How to verify success:
+
+- Twilio debugger shows successful webhook deliveries
+- answered calls forward correctly
+- missed calls create leads and trigger SMS when entitled
+- STOP suppresses future outbound automation
+- START re-enables outbound automation
+
+### 4.6 `getrelayworks.com`
+
+Service: relayworks marketing site / CMS / hosting
+
+Exact settings to configure:
+
+- Buy CTA target URL
+- Contact/support links
+- legal/footer links
+- any campaign tracking parameters
+
+Step-by-step:
+
+1. After the product/legal branch is merged, decide the canonical production buy URL.
+2. Update the Buy CTA on `getrelayworks.com` to that route.
+3. Update Contact, Terms, Privacy, and Refund links if the marketing site hosts copies or deep links.
+4. If using attribution params, append them consistently to the CTA.
+5. Test the full purchase journey from the live marketing page.
+
+How to verify success:
+
+- clicking Buy on `getrelayworks.com` lands on the intended app route
+- the user can create an account, onboard, and reach billing without broken redirects
+
+### 4.7 Support and legal operations
+
+Service: support inbox, legal review, customer communications
+
+Exact settings to configure:
+
+- real monitored support inbox
+- support ownership and first-response SLA
+- approved Terms / Privacy / Refund copy
+
+Step-by-step:
+
+1. Decide the real support mailbox and who monitors it.
+2. Update public contact/legal copy if the launch brand or mailbox changes.
+3. Decide the refund window and any supported cancellation expectations.
+4. Perform one internal support drill from a customer email.
+
+How to verify success:
+
+- support email receives and can reply
+- legal pages match approved policy
+- owner can answer “what happens on cancel/refund/support request” without improvising
+
+## 5. Operational Readiness
+
+### Logging
+
+Current state:
+
+- structured console logs exist
+- Twilio and Stripe webhooks already emit correlation IDs
+- `app.error` is centralized in `lib/observability.ts`
+
+Recommended next step:
+
+- send Vercel logs to a searchable sink such as Better Stack, Axiom, Datadog, or similar
+
+Minimum launch bar:
+
+- an operator can search by correlation ID, `callSid`, `messageSid`, or Stripe event context
+
+### Monitoring
+
+Current state:
+
+- optional alert webhook exists
+- no external uptime monitor or error monitoring tool is committed in the repo
+
+Recommended tools:
+
+- uptime monitor: Better Stack / Pingdom / UptimeRobot
+- error monitoring: Sentry or another alert-capable error tracker
+
+Minimum launch bar:
+
+- `/api/health` is probed every minute
+- critical errors page a human-owned channel
+
+### Incident response
+
+Current state:
+
+- `RUNBOOK.md` and `docs/BACKUP_RESTORE_RUNBOOK.md` exist
+- no explicit incident severity/owner matrix is documented
+
+Recommended next step:
+
+- add a simple incident matrix covering Twilio outage, Stripe webhook failure, bad deploy, and DB outage
+
+Minimum launch bar:
+
+- one person owns incident triage during launch week
+- rollback path is known
+
+### Support workflow
+
+Current state:
+
+- public legal pages exist on `main`
+- `/contact` exists only on the product/legal branch
+
+Recommended tools:
+
+- shared inbox or helpdesk such as Help Scout, Zendesk, Front, or a monitored group inbox
+
+Minimum launch bar:
+
+- support mailbox is monitored
+- escalation path exists for billing and telephony issues
+
+### Customer onboarding documentation
+
+Current state:
+
+- the app has onboarding and settings screens
+- there is no dedicated customer-facing getting-started guide on `main`
+
+Recommended next step:
+
+- publish a short “first 15 minutes” guide with screenshots
+
+Minimum launch bar:
+
+- new customers know how to enter forwarding number, buy/connect a Twilio number, and run the first test call
+
+## 6. Launch Test Plan
+
+Run the full test plan in a production-like environment after all P0 code is merged into `main`.
+
+### 6.1 Stripe purchase flow
+
+Preconditions:
+
+- production or staging app deployed
+- valid Stripe prices configured
+- billing portal enabled
+
+Steps:
+
+1. Open the public Buy flow or sign in and go to `/app/billing`.
+2. Start a Starter checkout.
+3. Complete checkout with a valid Stripe card for the current mode.
+4. Wait for redirect back to `/app/billing`.
+5. Confirm `checkout=success` state appears.
+6. Confirm webhook events arrive in Stripe.
+7. Reload the billing page.
+
+Expected result:
+
+- checkout succeeds
+- `Business.subscriptionStatus` becomes `ACTIVE`
+- billing page shows the correct plan/tier
+
+Evidence to capture:
+
+- Stripe event log
+- billing page screenshot
+- app log snippet with correlation ID if debugging is needed
+
+### 6.2 Twilio missed-call flow
+
+Preconditions:
+
+- production/staging Twilio number configured
+- forwarding number set on the business
+- business subscription active
+
+Steps:
+
+1. Call the Twilio number from a real phone.
+2. Do not answer the forwarded call.
+3. Wait for Twilio status callback and SMS automation.
+4. Open `/app/leads`.
+
+Expected result:
+
+- one new lead is created
+- the lead is marked as missed-call driven
+- the first automation SMS is sent once
+
+Evidence to capture:
+
+- Twilio call log
+- lead dashboard screenshot
+- Twilio message log
+
+### 6.3 SMS auto-response and compliance flow
+
+Preconditions:
+
+- a lead exists for the calling phone number
+- business has an active subscription
+
+Steps:
+
+1. Reply to the automation SMS with a valid service response.
+2. Continue through urgency, ZIP, and best-time steps.
+3. Send `HELP`.
+4. Send `STOP`.
+5. Trigger another missed call and confirm outbound SMS is suppressed.
+6. Send `START`.
+7. Trigger another missed call and confirm automation resumes.
+
+Expected result:
+
+- state machine advances correctly
+- HELP returns help text
+- STOP opts out the sender
+- START opts the sender back in
+
+Evidence to capture:
+
+- Twilio messaging transcript
+- lead detail transcript in the app
+
+### 6.4 Lead creation and owner notification
+
+Preconditions:
+
+- `notifyPhone` set for the business
+- active subscription
+
+Steps:
+
+1. Run the missed-call flow.
+2. Complete enough SMS steps to collect ZIP.
+3. Confirm owner notification SMS is delivered.
+4. Open the new lead in `/app/leads`.
+
+Expected result:
+
+- lead detail contains captured fields
+- owner receives the summary notification once
+
+Evidence to capture:
+
+- owner SMS screenshot
+- lead detail screenshot
+
+### 6.5 Recording access
+
+Preconditions:
+
+- only applicable if `hardening/g14-recordings-ux` is merged
+- forwarded call is answered long enough to produce recording data
+
+Steps:
+
+1. Place an answered call through the Twilio number.
+2. Wait for recording callback completion.
+3. Open the lead detail page.
+4. Use the recording access action.
+5. Repeat while signed in as the wrong user or with a tampered URL if testing in staging.
+
+Expected result:
+
+- authorized owner can access the recording through the app proxy
+- unauthorized or invalid URL access returns `404`
+
+Evidence to capture:
+
+- Twilio recording metadata
+- browser network result for the recording route
+
+### 6.6 Usage limit enforcement
+
+Preconditions:
+
+- business set to Starter tier
+- test/staging database access available
+
+Steps:
+
+1. Set the business to Starter in Stripe/app state.
+2. In staging, create or update enough leads so `smsStartedAt` reflects the current-month limit.
+3. Trigger one additional missed call.
+4. Open `/app/billing` and `/app/leads`.
+
+Expected result:
+
+- automation is blocked once the limit is reached
+- billing/leads UI explain why automation is paused
+- owner limit notification is not duplicated on replay
+
+Evidence to capture:
+
+- billing page usage state
+- lead blocked-state UI
+
+### 6.7 Subscription cancel / downgrade / payment failure
+
+Preconditions:
+
+- active subscription exists
+
+Steps:
+
+1. Use Stripe to cancel the subscription or mark it past due in the active test environment.
+2. Replay or wait for webhook delivery.
+3. Reload `/app/billing`.
+4. Trigger a missed call after the status change.
+5. If downgrading, change from Pro to Starter and repeat.
+
+Expected result:
+
+- `subscriptionStatus` updates correctly
+- automation pauses for canceled or past-due accounts
+- downgraded accounts remain active but use the lower tier/limit
+
+Evidence to capture:
+
+- Stripe event log
+- billing page state
+- missed-call behavior after state change
+
+## 7. Safe Items Implemented On This Branch
+
+This branch implements only the low-risk readiness items that were still missing on `main`.
+
+### Implemented
+
+- Added `/api/health` readiness endpoint with env + DB checks and `X-Correlation-Id`
+  - file: `app/api/health/route.ts`
+- Added correlation/error instrumentation to Stripe checkout and portal routes
+  - files:
+    - `app/api/stripe/checkout/route.ts`
+    - `app/api/stripe/portal/route.ts`
+- Tightened env validation for:
+  - invalid `NEXT_PUBLIC_APP_URL`
+  - invalid `ALERT_WEBHOOK_URL`
+  - bad Neon URL shapes
+  - duplicate Stripe price IDs
+  - malformed optional rate-limit and timeout env vars
+  - files:
+    - `lib/env.server.ts`
+    - `scripts/check_env.ts`
+- Added app-level error boundaries
+  - files:
+    - `app/app/error.tsx`
+    - `app/global-error.tsx`
+- Added a production launch checklist to the README
+  - file: `README.md`
+
+### Intentionally not implemented here
+
+- pricing decisions
+- live Vercel/Stripe/Twilio/Clerk/Neon account setup
+- legal/business policy approvals
+- branch merges or PR actions
+
+Those remain owner tasks or shared release tasks.
diff --git a/lib/env.server.ts b/lib/env.server.ts
index 1db59a5..8698527 100644
--- a/lib/env.server.ts
+++ b/lib/env.server.ts
@@ -93,6 +93,46 @@ function validateDatabaseUrl() {
   }
 }
 
+function validateDistinctStripePrices() {
+  const starter = process.env.STRIPE_PRICE_STARTER?.trim();
+  const pro = process.env.STRIPE_PRICE_PRO?.trim();
+  if (starter && pro && starter === pro) {
+    throw new Error('Invalid environment configuration: STRIPE_PRICE_STARTER and STRIPE_PRICE_PRO must be different Stripe price IDs.');
+  }
+}
+
+function validateOptionalAbsoluteUrl(name: string, { requireHttps }: { requireHttps: boolean }) {
+  const raw = process.env[name]?.trim();
+  if (!raw) return;
+
+  let parsed: URL;
+  try {
+    parsed = new URL(raw);
+  } catch {
+    throw new Error(`Invalid environment configuration: ${name} must be a valid absolute URL when set.`);
+  }
+
+  if (requireHttps && parsed.protocol !== 'https:') {
+    throw new Error(`Invalid environment configuration: ${name} must use https:// in production.`);
+  }
+}
+
+function validateOptionalIntegerEnv(name: string, options: { min: number; max: number }) {
+  const raw = process.env[name]?.trim();
+  if (!raw) return;
+
+  if (!/^-?\d+$/.test(raw)) {
+    throw new Error(`Invalid environment configuration: ${name} must be an integer.`);
+  }
+
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed < options.min || parsed > options.max) {
+    throw new Error(
+      `Invalid environment configuration: ${name} must be between ${options.min} and ${options.max}.`
+    );
+  }
+}
+
 function parseBooleanFlag(value: string | undefined) {
   if (!value) return false;
   const normalized = value.trim().toLowerCase();
@@ -107,6 +147,17 @@ function validateTwilioWebhookSecurityMode() {
   }
 }
 
+function validateOperationalConfig() {
+  validateOptionalAbsoluteUrl('ALERT_WEBHOOK_URL', { requireHttps: process.env.NODE_ENV === 'production' });
+  validateOptionalIntegerEnv('ALERT_WEBHOOK_TIMEOUT_MS', { min: 1_000, max: 30_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_WINDOW_MS', { min: 1_000, max: 3_600_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_TWILIO_AUTH_MAX', { min: 10, max: 10_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_TWILIO_UNAUTH_MAX', { min: 5, max: 5_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_STRIPE_AUTH_MAX', { min: 10, max: 10_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_STRIPE_UNAUTH_MAX', { min: 5, max: 5_000 });
+  validateOptionalIntegerEnv('RATE_LIMIT_PROTECTED_API_MAX', { min: 10, max: 10_000 });
+}
+
 export function validateServerEnv() {
   if (validated) return;
   if (process.env.NODE_ENV !== 'production') return;
@@ -128,6 +179,8 @@ export function validateServerEnv() {
   enforcePortfolioDemoGuardrail(process.env);
   validateAppUrl();
   validateDatabaseUrl();
+  validateDistinctStripePrices();
+  validateOperationalConfig();
   validated = true;
 }
 
diff --git a/scripts/check_env.ts b/scripts/check_env.ts
index 05d2a7f..f189415 100644
--- a/scripts/check_env.ts
+++ b/scripts/check_env.ts
@@ -47,6 +47,38 @@ const requirements: EnvRequirement[] = [
 const missing = requirements.filter((item) => item.required && !process.env[item.name]?.trim());
 const configErrors: string[] = [];
 
+function validateAbsoluteUrl(name: string, options: { requireHttps: boolean }) {
+  const raw = process.env[name]?.trim();
+  if (!raw) return;
+
+  let parsed: URL;
+  try {
+    parsed = new URL(raw);
+  } catch {
+    configErrors.push(`${name} must be a valid absolute URL`);
+    return;
+  }
+
+  if (options.requireHttps && parsed.protocol !== 'https:') {
+    configErrors.push(`${name} must use https:// when NODE_ENV=production`);
+  }
+}
+
+function validateIntegerEnv(name: string, options: { min: number; max: number }) {
+  const raw = process.env[name]?.trim();
+  if (!raw) return;
+
+  if (!/^-?\d+$/.test(raw)) {
+    configErrors.push(`${name} must be an integer`);
+    return;
+  }
+
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed < options.min || parsed > options.max) {
+    configErrors.push(`${name} must be between ${options.min} and ${options.max}`);
+  }
+}
+
 if (productionNodeEnv && !signatureValidationEnabled) {
   configErrors.push('TWILIO_VALIDATE_SIGNATURE must be true when NODE_ENV=production');
 }
@@ -55,6 +87,36 @@ if (productionNodeEnv && demoModeEnabled && !demoModeOverrideEnabled) {
   configErrors.push('PORTFOLIO_DEMO_MODE cannot be enabled in production without ALLOW_PRODUCTION_DEMO_MODE=true');
 }
 
+validateAbsoluteUrl('NEXT_PUBLIC_APP_URL', { requireHttps: productionNodeEnv });
+validateAbsoluteUrl('ALERT_WEBHOOK_URL', { requireHttps: productionNodeEnv });
+
+const databaseUrl = process.env.DATABASE_URL?.trim();
+if (databaseUrl?.includes('neon.tech') && !/[?&]sslmode=require(?:&|$)/i.test(databaseUrl)) {
+  configErrors.push('DATABASE_URL for Neon must include sslmode=require');
+}
+
+const directDatabaseUrl = process.env.DIRECT_DATABASE_URL?.trim();
+if (directDatabaseUrl?.includes('neon.tech') && !/[?&]sslmode=require(?:&|$)/i.test(directDatabaseUrl)) {
+  configErrors.push('DIRECT_DATABASE_URL for Neon must include sslmode=require');
+}
+if (directDatabaseUrl?.includes('-pooler.')) {
+  configErrors.push('DIRECT_DATABASE_URL must use the Neon direct (non-pooler) host');
+}
+
+const starterPriceId = process.env.STRIPE_PRICE_STARTER?.trim();
+const proPriceId = process.env.STRIPE_PRICE_PRO?.trim();
+if (starterPriceId && proPriceId && starterPriceId === proPriceId) {
+  configErrors.push('STRIPE_PRICE_STARTER and STRIPE_PRICE_PRO must be different price IDs');
+}
+
+validateIntegerEnv('ALERT_WEBHOOK_TIMEOUT_MS', { min: 1_000, max: 30_000 });
+validateIntegerEnv('RATE_LIMIT_WINDOW_MS', { min: 1_000, max: 3_600_000 });
+validateIntegerEnv('RATE_LIMIT_TWILIO_AUTH_MAX', { min: 10, max: 10_000 });
+validateIntegerEnv('RATE_LIMIT_TWILIO_UNAUTH_MAX', { min: 5, max: 5_000 });
+validateIntegerEnv('RATE_LIMIT_STRIPE_AUTH_MAX', { min: 10, max: 10_000 });
+validateIntegerEnv('RATE_LIMIT_STRIPE_UNAUTH_MAX', { min: 5, max: 5_000 });
+validateIntegerEnv('RATE_LIMIT_PROTECTED_API_MAX', { min: 10, max: 10_000 });
+
 console.log('CallbackCloser env check');
 console.log(`- Loaded env files: ${loadedFiles.join(', ') || '(none)'}`);
 console.log(`- TWILIO_VALIDATE_SIGNATURE: ${signatureValidationEnabled ? 'enabled' : 'disabled'}`);

From e5eacbdd44662c0e7e934c052d41060e5ec583be Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Sun, 8 Mar 2026 21:44:04 -0400
Subject: [PATCH 06/10] hardening: finalize recording proxy on release
 candidate

---
 README.md                                 | 15 ++++--
 app/api/leads/[leadId]/recording/route.ts | 63 ++++++++++++++++++++++-
 docs/PRODUCTION_READINESS_GAPS.md         | 12 +++--
 lib/recording-access.ts                   | 40 ++++++++++++++
 tests/recording-access.test.ts            | 55 +++++++++++++++++++-
 5 files changed, 176 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 56de4d0..7ce1376 100644
--- a/README.md
+++ b/README.md
@@ -264,12 +264,21 @@ Current behavior:
 
 - Forwarded calls are recorded via TwiML `<Dial record="record-from-answer-dual">`
 - The app stores recording metadata on `Call` (`recordingSid`, `recordingUrl`, `recordingStatus`, `recordingDurationSeconds`) when Twilio posts recording callbacks to `/api/twilio/status`
-- Recording audio remains hosted in Twilio; CallbackCloser exposes a server-mediated redirect route for authenticated in-app access
+- Recording audio remains hosted in Twilio; CallbackCloser streams it through a server-side proxy for authenticated in-app access
+
+Recording URL safety + proxy behavior:
+
+- Stored recording URLs are validated before use:
+  - must use `https://`
+  - host must be allowlisted Twilio recording/API host: `api.twilio.com`, `api.us1.twilio.com`, `api.ie1.twilio.com`, or `api.au1.twilio.com`
+  - path must be a Twilio recording resource path (`.../Recordings/...`)
+- Invalid/malformed recording URLs return `404` from `/api/leads/[leadId]/recording`
+- Authorized requests are fetched from Twilio with server credentials and streamed back to the signed-in owner (no raw Twilio URL redirect)
 
 Where to access recordings:
 
 - Lead detail page (`/app/leads/[leadId]`) shows recording status/duration and an authenticated `Open recording` action
-- Recording links are mediated through `/api/leads/[leadId]/recording`, which checks the signed-in owner and lead business before redirecting
+- Recording links are mediated through `/api/leads/[leadId]/recording`, which checks the signed-in owner + business ownership and streams media via the server proxy
 - Twilio Console -> Monitor -> Calls (or Call Logs / Recordings, depending on account UI)
 - Database (`Call.recording*` fields) for metadata lookup / correlation
 
@@ -377,7 +386,7 @@ Use this checklist before sending paid traffic from `getrelayworks.com` or allow
 - `/api/twilio/voice` - Twilio voice webhook
 - `/api/twilio/status` - Twilio dial action callback
 - `/api/twilio/sms` - Twilio SMS webhook
-- `/api/leads/[leadId]/recording` - authenticated recording redirect for lead owners
+- `/api/leads/[leadId]/recording` - authenticated recording media proxy for lead owners
 - `/api/stripe/webhook` - Stripe webhook
 
 ## Notes / MVP Constraints
diff --git a/app/api/leads/[leadId]/recording/route.ts b/app/api/leads/[leadId]/recording/route.ts
index f70fc15..6e4e000 100644
--- a/app/api/leads/[leadId]/recording/route.ts
+++ b/app/api/leads/[leadId]/recording/route.ts
@@ -2,7 +2,7 @@ import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 
 import { db } from '@/lib/db';
-import { resolveRecordingAccessReason } from '@/lib/recording-access';
+import { getTwilioRecordingMediaUrl, resolveRecordingAccessReason } from '@/lib/recording-access';
 import { absoluteUrl } from '@/lib/url';
 
 export const runtime = 'nodejs';
@@ -53,5 +53,64 @@ export async function GET(_request: Request, { params }: { params: { leadId: str
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }
 
-  return NextResponse.redirect(lead.call!.recordingUrl!, { status: 303 });
+  const mediaUrl = getTwilioRecordingMediaUrl(lead.call!.recordingUrl!);
+  if (!mediaUrl) {
+    return NextResponse.json({ error: 'Lead not found' }, { status: 404 });
+  }
+
+  const accountSid = process.env.TWILIO_ACCOUNT_SID?.trim();
+  const authToken = process.env.TWILIO_AUTH_TOKEN?.trim();
+  if (!accountSid || !authToken) {
+    console.error('recording.proxy.misconfigured', { leadId: lead.id });
+    return NextResponse.json({ error: 'Recording unavailable' }, { status: 503 });
+  }
+
+  let twilioResponse: Response;
+  try {
+    twilioResponse = await fetch(mediaUrl.toString(), {
+      headers: {
+        Authorization: `Basic ${Buffer.from(`${accountSid}:${authToken}`).toString('base64')}`,
+        Accept: 'audio/mpeg,audio/wav,*/*',
+      },
+      cache: 'no-store',
+    });
+  } catch (error) {
+    console.error('recording.proxy.fetch_error', {
+      leadId: lead.id,
+      host: mediaUrl.hostname,
+      error: error instanceof Error ? error.message : 'unknown_error',
+    });
+    return NextResponse.json({ error: 'Recording unavailable' }, { status: 502 });
+  }
+
+  if (twilioResponse.status === 404) {
+    return NextResponse.json({ error: 'Recording not available for this lead' }, { status: 404 });
+  }
+
+  if (!twilioResponse.ok || !twilioResponse.body) {
+    console.error('recording.proxy.upstream_error', {
+      leadId: lead.id,
+      status: twilioResponse.status,
+      statusText: twilioResponse.statusText,
+      host: mediaUrl.hostname,
+    });
+    return NextResponse.json({ error: 'Recording unavailable' }, { status: 502 });
+  }
+
+  const headers = new Headers();
+  headers.set('Cache-Control', 'private, no-store');
+  headers.set('Content-Type', twilioResponse.headers.get('content-type') ?? 'audio/mpeg');
+  headers.set('X-Content-Type-Options', 'nosniff');
+
+  const contentLength = twilioResponse.headers.get('content-length');
+  if (contentLength) {
+    headers.set('Content-Length', contentLength);
+  }
+
+  const contentDisposition = twilioResponse.headers.get('content-disposition');
+  if (contentDisposition) {
+    headers.set('Content-Disposition', contentDisposition);
+  }
+
+  return new NextResponse(twilioResponse.body, { status: 200, headers });
 }
diff --git a/docs/PRODUCTION_READINESS_GAPS.md b/docs/PRODUCTION_READINESS_GAPS.md
index 5b813fe..f8fe3c2 100644
--- a/docs/PRODUCTION_READINESS_GAPS.md
+++ b/docs/PRODUCTION_READINESS_GAPS.md
@@ -524,18 +524,24 @@ Dependencies: G4 (recommended)
     - Added access-control helper for recording links in `lib/recording-access.ts`:
       - only authenticated owner of the lead's business can open recordings
       - blocks wrong-business and missing-recording cases
+      - validates recording URLs before use:
+        - `https` only
+        - Twilio hostname allowlist: `api.twilio.com`, `api.us1.twilio.com`, `api.ie1.twilio.com`, `api.au1.twilio.com`
+        - recording-resource path requirement (`.../Recordings/...`)
     - Added server-mediated recording access route:
       - `app/api/leads/[leadId]/recording/route.ts`
-      - validates auth + business ownership before redirecting to Twilio recording URL
+      - validates auth + business ownership before fetching recording media from Twilio
+      - uses server-side Twilio credentials and streams media to the authenticated owner (no raw URL redirect)
       - hides cross-business lead access behind `404`
+      - returns `404` for invalid/malformed/non-allowlisted recording URLs
     - Updated lead detail UI (`app/app/leads/[leadId]/page.tsx`) to show:
       - recording status
       - recording duration
       - gated `Open recording` action (uses server route, not raw URL)
-    - Added focused access-control tests in `tests/recording-access.test.ts`.
+    - Added focused access-control + recording URL validation tests in `tests/recording-access.test.ts`.
     - Updated recording docs in `README.md` to reflect the in-app gated flow.
   - Commands run + results:
-    - `npm test` -> PASS (38/38)
+    - `npm test` -> PASS (41/41)
     - `npm run lint` -> PASS
     - `npm run build` -> PASS
     - `npm run typecheck` -> PASS
diff --git a/lib/recording-access.ts b/lib/recording-access.ts
index f96aa3f..fe82a26 100644
--- a/lib/recording-access.ts
+++ b/lib/recording-access.ts
@@ -4,6 +4,14 @@ export type RecordingAccessReason =
   | 'wrong_business'
   | 'recording_unavailable';
 
+// Twilio recording callbacks resolve to API URLs on these hosts.
+export const TWILIO_RECORDING_HOST_ALLOWLIST = [
+  'api.twilio.com',
+  'api.us1.twilio.com',
+  'api.ie1.twilio.com',
+  'api.au1.twilio.com',
+] as const;
+
 export function resolveRecordingAccessReason(input: {
   requestUserId: string | null | undefined;
   businessOwnerClerkId: string | null | undefined;
@@ -16,3 +24,35 @@ export function resolveRecordingAccessReason(input: {
   if (!input.recordingUrl) return 'recording_unavailable';
   return 'ok';
 }
+
+export function isAllowedTwilioRecordingUrl(url: URL): boolean {
+  const hostname = url.hostname.toLowerCase();
+  if (!TWILIO_RECORDING_HOST_ALLOWLIST.includes(hostname as (typeof TWILIO_RECORDING_HOST_ALLOWLIST)[number])) {
+    return false;
+  }
+
+  if (url.protocol !== 'https:') return false;
+
+  return /\/Recordings\//i.test(url.pathname);
+}
+
+export function getTwilioRecordingMediaUrl(recordingUrl: string): URL | null {
+  let parsed: URL;
+  try {
+    parsed = new URL(recordingUrl);
+  } catch {
+    return null;
+  }
+
+  if (!isAllowedTwilioRecordingUrl(parsed)) {
+    return null;
+  }
+
+  const pathname = parsed.pathname;
+  if (pathname.endsWith('.mp3') || pathname.endsWith('.wav')) {
+    return parsed;
+  }
+
+  parsed.pathname = pathname.endsWith('.json') ? `${pathname.slice(0, -5)}.mp3` : `${pathname}.mp3`;
+  return parsed;
+}
diff --git a/tests/recording-access.test.ts b/tests/recording-access.test.ts
index 3fd8364..e2b1b6b 100644
--- a/tests/recording-access.test.ts
+++ b/tests/recording-access.test.ts
@@ -1,7 +1,12 @@
 import assert from 'node:assert/strict';
 import test from 'node:test';
 
-import { resolveRecordingAccessReason } from '../lib/recording-access.ts';
+import {
+  TWILIO_RECORDING_HOST_ALLOWLIST,
+  getTwilioRecordingMediaUrl,
+  isAllowedTwilioRecordingUrl,
+  resolveRecordingAccessReason,
+} from '../lib/recording-access.ts';
 
 test('recording access denies unauthenticated requests', () => {
   const reason = resolveRecordingAccessReason({
@@ -42,3 +47,51 @@ test('recording access allows authenticated owner with recording URL', () => {
 
   assert.equal(reason, 'ok');
 });
+
+test('recording access denies when business owner id is missing', () => {
+  const reason = resolveRecordingAccessReason({
+    requestUserId: 'user_123',
+    businessOwnerClerkId: null,
+    recordingUrl: 'https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123',
+  });
+
+  assert.equal(reason, 'wrong_business');
+});
+
+test('recording URL validation requires https and Twilio recording host/path allowlist', () => {
+  for (const hostname of TWILIO_RECORDING_HOST_ALLOWLIST) {
+    assert.equal(
+      isAllowedTwilioRecordingUrl(new URL(`https://${hostname}/2010-04-01/Accounts/AC123/Recordings/RE123`)),
+      true
+    );
+  }
+
+  assert.equal(
+    isAllowedTwilioRecordingUrl(new URL('http://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123')),
+    false
+  );
+
+  assert.equal(
+    isAllowedTwilioRecordingUrl(new URL('https://example.com/2010-04-01/Accounts/AC123/Recordings/RE123')),
+    false
+  );
+
+  assert.equal(isAllowedTwilioRecordingUrl(new URL('https://api.twilio.com/2010-04-01/Accounts/AC123/Messages/MM123')), false);
+});
+
+test('recording URL normalization returns Twilio media URL and rejects invalid input', () => {
+  assert.equal(
+    getTwilioRecordingMediaUrl('https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123')?.toString(),
+    'https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123.mp3'
+  );
+  assert.equal(
+    getTwilioRecordingMediaUrl('https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123.json')?.toString(),
+    'https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123.mp3'
+  );
+  assert.equal(
+    getTwilioRecordingMediaUrl('https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123.wav')?.toString(),
+    'https://api.twilio.com/2010-04-01/Accounts/AC123/Recordings/RE123.wav'
+  );
+  assert.equal(getTwilioRecordingMediaUrl('https://example.com/recordings/RE123'), null);
+  assert.equal(getTwilioRecordingMediaUrl('not a URL'), null);
+});

From c5c08cd09fc3df82ab0589d5333a46e52e39a294 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Sun, 8 Mar 2026 21:57:56 -0400
Subject: [PATCH 07/10] chore: reduce launch branch audit findings

---
 package-lock.json | 122 +++++++++++++++++++---------------------------
 package.json      |   5 ++
 2 files changed, 54 insertions(+), 73 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8092c96..64e0b4f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -312,13 +312,13 @@
       }
     },
     "node_modules/@isaacs/cliui/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
@@ -953,37 +953,24 @@
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
-    "node_modules/@typescript-eslint/typescript-estree/node_modules/balanced-match": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.3.tgz",
-      "integrity": "sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
-      "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "20 || >=22"
+        "balanced-match": "^1.0.0"
       }
     },
     "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.6.tgz",
-      "integrity": "sha512-kQAVowdR33euIqeA0+VZTDqU+qo1IeVY+hrKYtZMio3Pg0P0vuh/kwRylLUddJhB6pf3q/botcOvRtx4IN1wqQ==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -3295,25 +3282,23 @@
       }
     },
     "node_modules/glob": {
-      "version": "10.3.10",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.10.tgz",
-      "integrity": "sha512-fa46+tv1Ak0UPK1TOy/pZrIybNNt4HCv7SDzwyfiOZkvZLEbjsZkJBPtDHVshZjbecAoAGSC20MjLDG/qr679g==",
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
+      "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
       "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "dev": true,
       "license": "ISC",
       "dependencies": {
         "foreground-child": "^3.1.0",
-        "jackspeak": "^2.3.5",
-        "minimatch": "^9.0.1",
-        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0",
-        "path-scurry": "^1.10.1"
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
       },
       "bin": {
         "glob": "dist/esm/bin.mjs"
       },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
       }
@@ -3337,37 +3322,24 @@
       "integrity": "sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw==",
       "license": "BSD-2-Clause"
     },
-    "node_modules/glob/node_modules/balanced-match": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.3.tgz",
-      "integrity": "sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
     "node_modules/glob/node_modules/brace-expansion": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
-      "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "20 || >=22"
+        "balanced-match": "^1.0.0"
       }
     },
     "node_modules/glob/node_modules/minimatch": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.6.tgz",
-      "integrity": "sha512-kQAVowdR33euIqeA0+VZTDqU+qo1IeVY+hrKYtZMio3Pg0P0vuh/kwRylLUddJhB6pf3q/botcOvRtx4IN1wqQ==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -4077,17 +4049,14 @@
       }
     },
     "node_modules/jackspeak": {
-      "version": "2.3.6",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz",
-      "integrity": "sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==",
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
       "dev": true,
       "license": "BlueOak-1.0.0",
       "dependencies": {
         "@isaacs/cliui": "^8.0.2"
       },
-      "engines": {
-        "node": ">=14"
-      },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
       },
@@ -4444,9 +4413,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.3.tgz",
-      "integrity": "sha512-M2GCs7Vk83NxkUyQV1bkABc4yxgz9kILhHImZiBPAZ9ybuvCb0/H7lEl5XvIg3g+9d4eNotkZA5IWwYl0tibaA==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -4869,6 +4838,13 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/package-json-from-dist": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
+      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0"
+    },
     "node_modules/parent-module": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@@ -5831,13 +5807,13 @@
       }
     },
     "node_modules/string-width/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
@@ -6747,13 +6723,13 @@
       }
     },
     "node_modules/wrap-ansi/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
diff --git a/package.json b/package.json
index cbf98b8..7f5f818 100644
--- a/package.json
+++ b/package.json
@@ -48,5 +48,10 @@
     "prisma": "^5.22.0",
     "tailwindcss": "^3.4.17",
     "typescript": "^5.7.2"
+  },
+  "overrides": {
+    "@next/eslint-plugin-next": {
+      "glob": "10.5.0"
+    }
   }
 }

From aada906c6549f6e5fb0e8e52f7b84330cfed4678 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Sun, 8 Mar 2026 22:33:44 -0400
Subject: [PATCH 08/10] fix: prevent Clerk middleware crash on public routes

---
 middleware.ts | 81 +++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 63 insertions(+), 18 deletions(-)

diff --git a/middleware.ts b/middleware.ts
index dbbf342..8490715 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,3 +1,4 @@
+import type { NextFetchEvent, NextRequest } from 'next/server';
 import { NextResponse } from 'next/server';
 import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
 
@@ -15,8 +16,45 @@ const isProtectedRoute = createRouteMatcher(['/app(.*)', '/api/stripe/checkout(.
 const isProtectedApiMutationRoute = createRouteMatcher(['/api/stripe/checkout', '/api/stripe/portal']);
 let productionDemoGuardrailLogged = false;
 let productionDemoOverrideLogged = false;
+let missingClerkEnvLogged = false;
 
-export default clerkMiddleware(async (auth, req) => {
+type EnvMap = Readonly<Record<string, string | undefined>>;
+
+function hasRequiredClerkMiddlewareEnv(env: EnvMap = process.env) {
+  return Boolean(env.CLERK_SECRET_KEY?.trim() && env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY?.trim());
+}
+
+function buildAuthUnavailableResponse(request: NextRequest) {
+  if (request.nextUrl.pathname.startsWith('/api/')) {
+    return NextResponse.json({ error: 'Authentication is temporarily unavailable.' }, { status: 503 });
+  }
+
+  return new NextResponse('Authentication is temporarily unavailable.', { status: 503 });
+}
+
+const protectedMiddleware = clerkMiddleware(async (auth, req) => {
+  await auth.protect();
+
+  if (req.method === 'POST' && isProtectedApiMutationRoute(req)) {
+    const clientIp = getClientIpAddress(req);
+    const rateLimit = consumeRateLimit({
+      key: `middleware:protected-api:${clientIp}`,
+      limit: RATE_LIMIT_PROTECTED_API_MAX,
+      windowMs: RATE_LIMIT_WINDOW_MS,
+    });
+
+    if (!rateLimit.allowed) {
+      return NextResponse.json(
+        { error: 'Too many requests' },
+        { status: 429, headers: buildRateLimitHeaders(rateLimit) }
+      );
+    }
+  }
+
+  return NextResponse.next();
+});
+
+export default async function middleware(req: NextRequest, event: NextFetchEvent) {
   if (isPortfolioDemoModeBlockedInProduction(process.env)) {
     if (!productionDemoGuardrailLogged) {
       productionDemoGuardrailLogged = true;
@@ -39,28 +77,35 @@ export default clerkMiddleware(async (auth, req) => {
     return withSecurityHeaders(NextResponse.next());
   }
 
-  if (isProtectedRoute(req)) {
-    await auth.protect();
+  if (!isProtectedRoute(req)) {
+    return withSecurityHeaders(NextResponse.next());
   }
 
-  if (req.method === 'POST' && isProtectedApiMutationRoute(req)) {
-    const clientIp = getClientIpAddress(req);
-    const rateLimit = consumeRateLimit({
-      key: `middleware:protected-api:${clientIp}`,
-      limit: RATE_LIMIT_PROTECTED_API_MAX,
-      windowMs: RATE_LIMIT_WINDOW_MS,
-    });
-
-    if (!rateLimit.allowed) {
-      return withSecurityHeaders(NextResponse.json(
-        { error: 'Too many requests' },
-        { status: 429, headers: buildRateLimitHeaders(rateLimit) }
-      ));
+  if (!hasRequiredClerkMiddlewareEnv(process.env)) {
+    if (!missingClerkEnvLogged) {
+      missingClerkEnvLogged = true;
+      console.error('Clerk middleware env is incomplete; protected routes will return 503 until keys are configured.', {
+        clerkSecretKeyPresent: Boolean(process.env.CLERK_SECRET_KEY?.trim()),
+        clerkPublishableKeyPresent: Boolean(process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY?.trim()),
+        nodeEnv: process.env.NODE_ENV ?? null,
+        vercelEnv: process.env.VERCEL_ENV ?? null,
+      });
     }
+
+    return withSecurityHeaders(buildAuthUnavailableResponse(req));
   }
 
-  return withSecurityHeaders(NextResponse.next());
-});
+  try {
+    const response = await protectedMiddleware(req, event);
+    return withSecurityHeaders(response ?? NextResponse.next());
+  } catch (error) {
+    console.error('Protected middleware invocation failed.', {
+      path: req.nextUrl.pathname,
+      message: error instanceof Error ? error.message : 'unknown_error',
+    });
+    return withSecurityHeaders(buildAuthUnavailableResponse(req));
+  }
+}
 
 export const config = {
   matcher: ['/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)', '/(api|trpc)(.*)'],

From fe2474f7249c224cd9ef1be5e4c89e6bbe5e9ffb Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Sun, 8 Mar 2026 23:49:58 -0400
Subject: [PATCH 09/10] feat: automatic Twilio number provisioning

---
 app/api/twilio/provision-number/route.ts | 105 +++++++++++++++++
 app/app/onboarding/actions.ts            |  38 ++++++-
 app/app/settings/actions.ts              |  59 ++++------
 lib/twilio-client.ts                     |  29 +++++
 lib/twilio-logging.ts                    |   2 +-
 lib/twilio-provision.ts                  | 139 +++++++++++++++++++++++
 lib/twilio.ts                            |  19 +---
 7 files changed, 336 insertions(+), 55 deletions(-)
 create mode 100644 app/api/twilio/provision-number/route.ts
 create mode 100644 lib/twilio-client.ts
 create mode 100644 lib/twilio-provision.ts

diff --git a/app/api/twilio/provision-number/route.ts b/app/api/twilio/provision-number/route.ts
new file mode 100644
index 0000000..5e57cfd
--- /dev/null
+++ b/app/api/twilio/provision-number/route.ts
@@ -0,0 +1,105 @@
+import { auth } from '@clerk/nextjs/server';
+import { NextResponse } from 'next/server';
+
+import { db } from '@/lib/db';
+import { getCorrelationIdFromRequest, withCorrelationIdHeader } from '@/lib/observability';
+import { logTwilioError, logTwilioWarn } from '@/lib/twilio-logging';
+import { getTwilioProvisioningBlockReason, linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+function buildBlockedResponse(blockReason: ReturnType<typeof getTwilioProvisioningBlockReason>) {
+  switch (blockReason) {
+    case 'already_has_number':
+      return NextResponse.json(
+        { error: 'This business already has a Twilio phone number.', code: blockReason },
+        { status: 409 }
+      );
+    case 'demo_mode':
+      return NextResponse.json(
+        { error: 'Twilio number provisioning is disabled while demo mode is enabled.', code: blockReason },
+        { status: 409 }
+      );
+    case 'missing_twilio_credentials':
+      return NextResponse.json(
+        { error: 'Twilio number provisioning is unavailable until Twilio credentials are configured.', code: blockReason },
+        { status: 503 }
+      );
+    default:
+      return NextResponse.json({ error: 'Provisioning is not available.' }, { status: 503 });
+  }
+}
+
+export async function POST(request: Request) {
+  const correlationId = getCorrelationIdFromRequest(request);
+  const withCorrelation = (response: NextResponse) => withCorrelationIdHeader(response, correlationId);
+
+  const { userId } = await auth();
+  if (!userId) {
+    return withCorrelation(NextResponse.json({ error: 'Unauthorized' }, { status: 401 }));
+  }
+
+  const business = await db.business.findUnique({
+    where: { ownerClerkId: userId },
+    select: {
+      id: true,
+      name: true,
+      twilioPhoneNumber: true,
+      twilioPhoneNumberSid: true,
+    },
+  });
+
+  if (!business) {
+    return withCorrelation(NextResponse.json({ error: 'Business not found' }, { status: 404 }));
+  }
+
+  const blockReason = getTwilioProvisioningBlockReason(business);
+  if (blockReason) {
+    logTwilioWarn('provisioning', 'manual_provision_blocked', {
+      correlationId,
+      businessId: business.id,
+      ownerClerkId: userId,
+      decision: blockReason,
+    });
+
+    return withCorrelation(buildBlockedResponse(blockReason));
+  }
+
+  try {
+    const provisionedNumber = await provisionPhoneNumber({
+      businessName: business.name,
+      correlationId,
+    });
+
+    await linkProvisionedPhoneNumberToBusiness({
+      businessId: business.id,
+      phoneNumber: provisionedNumber.phoneNumber,
+      phoneNumberSid: provisionedNumber.phoneNumberSid,
+      syncedAt: provisionedNumber.syncedAt,
+      correlationId,
+    });
+
+    return withCorrelation(
+      NextResponse.json({
+        ok: true,
+        phoneNumber: provisionedNumber.phoneNumber,
+        phoneNumberSid: provisionedNumber.phoneNumberSid,
+      })
+    );
+  } catch (error) {
+    logTwilioError(
+      'provisioning',
+      'manual_provision_failed',
+      {
+        correlationId,
+        businessId: business.id,
+        ownerClerkId: userId,
+        decision: 'return_503',
+      },
+      error
+    );
+
+    return withCorrelation(NextResponse.json({ error: 'Failed to provision Twilio number.' }, { status: 503 }));
+  }
+}
diff --git a/app/app/onboarding/actions.ts b/app/app/onboarding/actions.ts
index ff4623f..7754b9e 100644
--- a/app/app/onboarding/actions.ts
+++ b/app/app/onboarding/actions.ts
@@ -5,6 +5,8 @@ import { redirect } from 'next/navigation';
 import { revalidatePath } from 'next/cache';
 
 import { upsertBusinessForOwner } from '@/lib/business';
+import { logTwilioError } from '@/lib/twilio-logging';
+import { getTwilioProvisioningBlockReason, linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
 import { onboardingSchema } from '@/lib/validators';
 
 const DEFAULT_POST_ONBOARDING_REDIRECT = '/app/leads';
@@ -36,7 +38,41 @@ export async function saveOnboardingAction(formData: FormData) {
     redirect(`/app/onboarding?error=${encodeURIComponent(parsed.error.issues[0]?.message || 'Invalid form data')}`);
   }
 
-  await upsertBusinessForOwner(userId, parsed.data);
+  const business = await upsertBusinessForOwner(userId, parsed.data);
+  const provisioningBlockReason = getTwilioProvisioningBlockReason(business);
+
+  if (!provisioningBlockReason) {
+    const correlationId = `onboarding_${business.id}`;
+
+    try {
+      const provisionedNumber = await provisionPhoneNumber({
+        businessName: business.name,
+        correlationId,
+      });
+
+      await linkProvisionedPhoneNumberToBusiness({
+        businessId: business.id,
+        phoneNumber: provisionedNumber.phoneNumber,
+        phoneNumberSid: provisionedNumber.phoneNumberSid,
+        syncedAt: provisionedNumber.syncedAt,
+        correlationId,
+      });
+    } catch (error) {
+      logTwilioError(
+        'provisioning',
+        'onboarding_auto_provision_failed',
+        {
+          correlationId,
+          businessId: business.id,
+          ownerClerkId: userId,
+          decision: 'onboarding_completed_without_twilio_number',
+        },
+        error
+      );
+    }
+  }
+
   revalidatePath('/app');
+  revalidatePath('/app/settings');
   redirect(postOnboardingRedirect);
 }
diff --git a/app/app/settings/actions.ts b/app/app/settings/actions.ts
index 5d03cd0..1669fe2 100644
--- a/app/app/settings/actions.ts
+++ b/app/app/settings/actions.ts
@@ -6,6 +6,8 @@ import { redirect } from 'next/navigation';
 
 import { db } from '@/lib/db';
 import { normalizePhoneNumber } from '@/lib/phone';
+import { logTwilioError } from '@/lib/twilio-logging';
+import { linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
 import { getTwilioClient, getTwilioWebhookConfig, syncTwilioIncomingPhoneNumberWebhooks } from '@/lib/twilio';
 import { businessSettingsSchema, buyNumberSchema } from '@/lib/validators';
 
@@ -92,49 +94,34 @@ export async function buyTwilioNumberAction(formData: FormData) {
   }
 
   try {
-    const client = getTwilioClient();
-    const webhookConfig = getTwilioWebhookConfig();
-    const areaCode = parsed.data.areaCode?.trim() || undefined;
-    const areaCodeNumber = areaCode ? Number.parseInt(areaCode, 10) : undefined;
-    const candidates = await client.availablePhoneNumbers('US').local.list({
-      limit: 1,
-      smsEnabled: true,
-      voiceEnabled: true,
-      ...(areaCodeNumber ? { areaCode: areaCodeNumber } : {}),
+    const correlationId = `settings_buy_${business.id}`;
+    const provisionedNumber = await provisionPhoneNumber({
+      businessName: business.name,
+      areaCode: parsed.data.areaCode,
+      correlationId,
     });
 
-    const candidate = candidates[0];
-    if (!candidate?.phoneNumber) {
-      redirect('/app/settings?error=No%20US%20local%20numbers%20available');
-    }
-
-    const number = await client.incomingPhoneNumbers.create({
-      phoneNumber: candidate.phoneNumber,
-      friendlyName: `${business.name} - CallbackCloser`,
-      voiceUrl: webhookConfig.voiceUrl,
-      voiceMethod: 'POST',
-      smsUrl: webhookConfig.smsUrl,
-      smsMethod: 'POST',
-      statusCallback: webhookConfig.statusUrl,
-      statusCallbackMethod: 'POST',
-    });
-
-    const syncedAt = new Date();
-    await saveBusinessTwilioNumber(business.id, {
-      phoneNumber: number.phoneNumber,
-      phoneNumberSid: number.sid,
-      syncedAt,
-    });
-
-    console.info('Twilio webhook sync applied', {
-      phoneNumberSid: number.sid,
-      phoneNumber: number.phoneNumber,
-      appBaseUrl: webhookConfig.appBaseUrl,
+    await linkProvisionedPhoneNumberToBusiness({
+      businessId: business.id,
+      phoneNumber: provisionedNumber.phoneNumber,
+      phoneNumberSid: provisionedNumber.phoneNumberSid,
+      syncedAt: provisionedNumber.syncedAt,
+      correlationId,
     });
 
     revalidatePath('/app/settings');
     redirect('/app/settings?numberBought=1');
   } catch (error) {
+    logTwilioError(
+      'provisioning',
+      'settings_manual_provision_failed',
+      {
+        correlationId: `settings_buy_${business.id}`,
+        businessId: business.id,
+        decision: 'redirect_with_error',
+      },
+      error
+    );
     const message = error instanceof Error ? error.message : 'Failed to buy number';
     redirect(`/app/settings?error=${encodeURIComponent(message)}`);
   }
diff --git a/lib/twilio-client.ts b/lib/twilio-client.ts
new file mode 100644
index 0000000..40db496
--- /dev/null
+++ b/lib/twilio-client.ts
@@ -0,0 +1,29 @@
+import twilio from 'twilio';
+
+type EnvMap = Readonly<Record<string, string | undefined>>;
+
+let twilioClientSingleton: ReturnType<typeof twilio> | null = null;
+
+export function hasTwilioClientEnv(env: EnvMap = process.env) {
+  return Boolean(env.TWILIO_ACCOUNT_SID?.trim() && env.TWILIO_AUTH_TOKEN?.trim());
+}
+
+export function getTwilioClient(env: EnvMap = process.env) {
+  if (env === process.env && twilioClientSingleton) {
+    return twilioClientSingleton;
+  }
+
+  const accountSid = env.TWILIO_ACCOUNT_SID?.trim();
+  const authToken = env.TWILIO_AUTH_TOKEN?.trim();
+
+  if (!accountSid || !authToken) {
+    throw new Error('Missing TWILIO_ACCOUNT_SID or TWILIO_AUTH_TOKEN');
+  }
+
+  const client = twilio(accountSid, authToken);
+  if (env === process.env) {
+    twilioClientSingleton = client;
+  }
+
+  return client;
+}
diff --git a/lib/twilio-logging.ts b/lib/twilio-logging.ts
index 336ab25..79f6236 100644
--- a/lib/twilio-logging.ts
+++ b/lib/twilio-logging.ts
@@ -1,6 +1,6 @@
 import { reportApplicationError } from './observability.ts';
 
-type TwilioLogRoute = 'voice' | 'sms' | 'status' | 'messaging' | 'webhook-auth';
+type TwilioLogRoute = 'voice' | 'sms' | 'status' | 'messaging' | 'webhook-auth' | 'provisioning';
 type TwilioLogLevel = 'info' | 'warn' | 'error';
 
 type TwilioLogFields = Record<string, unknown>;
diff --git a/lib/twilio-provision.ts b/lib/twilio-provision.ts
new file mode 100644
index 0000000..45f8067
--- /dev/null
+++ b/lib/twilio-provision.ts
@@ -0,0 +1,139 @@
+import type { Business } from '@prisma/client';
+
+import { db } from '@/lib/db';
+import { normalizePhoneNumber } from '@/lib/phone';
+import { isPortfolioDemoModeEnabled } from '@/lib/portfolio-demo-guardrail';
+import { getTwilioClient, hasTwilioClientEnv } from '@/lib/twilio-client';
+import { logTwilioInfo } from '@/lib/twilio-logging';
+import { getTwilioWebhookConfig, syncTwilioIncomingPhoneNumberWebhooks } from '@/lib/twilio';
+
+type EnvMap = Readonly<Record<string, string | undefined>>;
+
+export type TwilioProvisioningBlockReason = 'already_has_number' | 'missing_twilio_credentials' | 'demo_mode';
+
+type ProvisionableBusiness = Pick<Business, 'id' | 'name' | 'twilioPhoneNumber' | 'twilioPhoneNumberSid'>;
+
+type ProvisionPhoneNumberOptions = {
+  businessName: string;
+  areaCode?: string | number | null;
+  correlationId?: string;
+};
+
+type LinkProvisionedPhoneNumberParams = {
+  businessId: string;
+  phoneNumber: string | null;
+  phoneNumberSid: string;
+  syncedAt?: Date;
+  correlationId?: string;
+};
+
+export type ProvisionPhoneNumberResult = {
+  phoneNumber: string | null;
+  phoneNumberSid: string;
+  syncedAt: Date;
+};
+
+function parseAreaCode(areaCode: ProvisionPhoneNumberOptions['areaCode']) {
+  if (typeof areaCode === 'number' && Number.isInteger(areaCode) && areaCode >= 100 && areaCode <= 999) {
+    return areaCode;
+  }
+
+  if (typeof areaCode !== 'string') {
+    return undefined;
+  }
+
+  const trimmed = areaCode.trim();
+  if (!/^\d{3}$/.test(trimmed)) {
+    return undefined;
+  }
+
+  return Number.parseInt(trimmed, 10);
+}
+
+export function getTwilioProvisioningBlockReason(
+  business: Pick<ProvisionableBusiness, 'twilioPhoneNumber' | 'twilioPhoneNumberSid'>,
+  env: EnvMap = process.env
+): TwilioProvisioningBlockReason | null {
+  if (isPortfolioDemoModeEnabled(env)) {
+    return 'demo_mode';
+  }
+
+  if (business.twilioPhoneNumber || business.twilioPhoneNumberSid) {
+    return 'already_has_number';
+  }
+
+  if (!hasTwilioClientEnv(env)) {
+    return 'missing_twilio_credentials';
+  }
+
+  return null;
+}
+
+export async function provisionPhoneNumber(options: ProvisionPhoneNumberOptions): Promise<ProvisionPhoneNumberResult> {
+  const correlationId = options.correlationId ?? 'n/a';
+  const client = getTwilioClient();
+  const webhookConfig = getTwilioWebhookConfig();
+  const areaCode = parseAreaCode(options.areaCode);
+
+  const candidates = await client.availablePhoneNumbers('US').local.list({
+    limit: 1,
+    smsEnabled: true,
+    voiceEnabled: true,
+    ...(areaCode ? { areaCode } : {}),
+  });
+
+  const candidate = candidates[0];
+  if (!candidate?.phoneNumber) {
+    throw new Error('No US local phone numbers available');
+  }
+
+  const purchasedNumber = await client.incomingPhoneNumbers.create({
+    phoneNumber: candidate.phoneNumber,
+    friendlyName: `${options.businessName} - CallbackCloser`,
+  });
+
+  logTwilioInfo('provisioning', 'number_purchased', {
+    correlationId,
+    phoneNumberSid: purchasedNumber.sid,
+    phoneNumber: purchasedNumber.phoneNumber,
+    appBaseUrl: webhookConfig.appBaseUrl,
+  });
+
+  const { number } = await syncTwilioIncomingPhoneNumberWebhooks(purchasedNumber.sid);
+
+  logTwilioInfo('provisioning', 'webhooks_configured', {
+    correlationId,
+    phoneNumberSid: number.sid,
+    phoneNumber: number.phoneNumber,
+    voiceUrl: webhookConfig.voiceUrl,
+    smsUrl: webhookConfig.smsUrl,
+    statusUrl: webhookConfig.statusUrl,
+  });
+
+  return {
+    phoneNumber: number.phoneNumber,
+    phoneNumberSid: number.sid,
+    syncedAt: new Date(),
+  };
+}
+
+export async function linkProvisionedPhoneNumberToBusiness(params: LinkProvisionedPhoneNumberParams) {
+  const syncedAt = params.syncedAt ?? new Date();
+  const business = await db.business.update({
+    where: { id: params.businessId },
+    data: {
+      twilioPhoneNumber: normalizePhoneNumber(params.phoneNumber),
+      twilioPhoneNumberSid: params.phoneNumberSid,
+      twilioWebhookSyncedAt: syncedAt,
+    },
+  });
+
+  logTwilioInfo('provisioning', 'account_linked', {
+    correlationId: params.correlationId ?? 'n/a',
+    businessId: business.id,
+    phoneNumberSid: business.twilioPhoneNumberSid,
+    phoneNumber: business.twilioPhoneNumber,
+  });
+
+  return business;
+}
diff --git a/lib/twilio.ts b/lib/twilio.ts
index 1f8b040..28209e2 100644
--- a/lib/twilio.ts
+++ b/lib/twilio.ts
@@ -1,8 +1,5 @@
-import twilio from 'twilio';
-
 import { getConfiguredAppBaseUrl, resolveConfiguredAppBaseUrl } from '@/lib/env.server';
-
-let twilioClient: ReturnType<typeof twilio> | null = null;
+import { getTwilioClient } from '@/lib/twilio-client';
 
 export type TwilioWebhookConfig = {
   appBaseUrl: string;
@@ -11,19 +8,7 @@ export type TwilioWebhookConfig = {
   statusUrl: string;
 };
 
-export function getTwilioClient() {
-  if (twilioClient) return twilioClient;
-
-  const accountSid = process.env.TWILIO_ACCOUNT_SID;
-  const authToken = process.env.TWILIO_AUTH_TOKEN;
-
-  if (!accountSid || !authToken) {
-    throw new Error('Missing TWILIO_ACCOUNT_SID or TWILIO_AUTH_TOKEN');
-  }
-
-  twilioClient = twilio(accountSid, authToken);
-  return twilioClient;
-}
+export { getTwilioClient } from '@/lib/twilio-client';
 
 export function getTwilioWebhookConfig(): TwilioWebhookConfig {
   const appBaseUrl = getConfiguredAppBaseUrl();

From 55334017f869298da9dcf281927be5ef58c3d684 Mon Sep 17 00:00:00 2001
From: DevCalebR <rogerscaleb321@gmail.com>
Date: Mon, 9 Mar 2026 02:18:30 -0400
Subject: [PATCH 10/10] feat: add Twilio subaccount provisioning

---
 app/api/twilio/provision-number/route.ts      | 13 ++--
 app/app/onboarding/actions.ts                 | 13 +---
 app/app/settings/actions.ts                   | 31 ++++-----
 app/app/settings/page.tsx                     |  5 +-
 lib/portfolio-demo.ts                         |  1 +
 lib/twilio-client.ts                          | 38 ++++++++++-
 lib/twilio-provision.ts                       | 68 +++++++++++++++++--
 lib/twilio-webhook.ts                         | 18 ++++-
 lib/twilio.ts                                 | 12 ++--
 .../migration.sql                             |  3 +
 prisma/schema.prisma                          |  1 +
 tests/twilio-signature-validation.test.ts     | 22 ++++++
 12 files changed, 177 insertions(+), 48 deletions(-)
 create mode 100644 prisma/migrations/20260309060000_add_twilio_subaccount_sid/migration.sql

diff --git a/app/api/twilio/provision-number/route.ts b/app/api/twilio/provision-number/route.ts
index 5e57cfd..c435a91 100644
--- a/app/api/twilio/provision-number/route.ts
+++ b/app/api/twilio/provision-number/route.ts
@@ -4,7 +4,7 @@ import { NextResponse } from 'next/server';
 import { db } from '@/lib/db';
 import { getCorrelationIdFromRequest, withCorrelationIdHeader } from '@/lib/observability';
 import { logTwilioError, logTwilioWarn } from '@/lib/twilio-logging';
-import { getTwilioProvisioningBlockReason, linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
+import { getTwilioProvisioningBlockReason, provisionPhoneNumber } from '@/lib/twilio-provision';
 
 export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
@@ -45,6 +45,7 @@ export async function POST(request: Request) {
     select: {
       id: true,
       name: true,
+      twilioSubaccountSid: true,
       twilioPhoneNumber: true,
       twilioPhoneNumberSid: true,
     },
@@ -68,15 +69,8 @@ export async function POST(request: Request) {
 
   try {
     const provisionedNumber = await provisionPhoneNumber({
-      businessName: business.name,
-      correlationId,
-    });
-
-    await linkProvisionedPhoneNumberToBusiness({
       businessId: business.id,
-      phoneNumber: provisionedNumber.phoneNumber,
-      phoneNumberSid: provisionedNumber.phoneNumberSid,
-      syncedAt: provisionedNumber.syncedAt,
+      businessName: business.name,
       correlationId,
     });
 
@@ -85,6 +79,7 @@ export async function POST(request: Request) {
         ok: true,
         phoneNumber: provisionedNumber.phoneNumber,
         phoneNumberSid: provisionedNumber.phoneNumberSid,
+        twilioSubaccountSid: provisionedNumber.subaccountSid,
       })
     );
   } catch (error) {
diff --git a/app/app/onboarding/actions.ts b/app/app/onboarding/actions.ts
index 7754b9e..af09398 100644
--- a/app/app/onboarding/actions.ts
+++ b/app/app/onboarding/actions.ts
@@ -6,7 +6,7 @@ import { revalidatePath } from 'next/cache';
 
 import { upsertBusinessForOwner } from '@/lib/business';
 import { logTwilioError } from '@/lib/twilio-logging';
-import { getTwilioProvisioningBlockReason, linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
+import { getTwilioProvisioningBlockReason, provisionPhoneNumber } from '@/lib/twilio-provision';
 import { onboardingSchema } from '@/lib/validators';
 
 const DEFAULT_POST_ONBOARDING_REDIRECT = '/app/leads';
@@ -45,16 +45,9 @@ export async function saveOnboardingAction(formData: FormData) {
     const correlationId = `onboarding_${business.id}`;
 
     try {
-      const provisionedNumber = await provisionPhoneNumber({
-        businessName: business.name,
-        correlationId,
-      });
-
-      await linkProvisionedPhoneNumberToBusiness({
+      await provisionPhoneNumber({
         businessId: business.id,
-        phoneNumber: provisionedNumber.phoneNumber,
-        phoneNumberSid: provisionedNumber.phoneNumberSid,
-        syncedAt: provisionedNumber.syncedAt,
+        businessName: business.name,
         correlationId,
       });
     } catch (error) {
diff --git a/app/app/settings/actions.ts b/app/app/settings/actions.ts
index 1669fe2..b597ed7 100644
--- a/app/app/settings/actions.ts
+++ b/app/app/settings/actions.ts
@@ -7,8 +7,9 @@ import { redirect } from 'next/navigation';
 import { db } from '@/lib/db';
 import { normalizePhoneNumber } from '@/lib/phone';
 import { logTwilioError } from '@/lib/twilio-logging';
-import { linkProvisionedPhoneNumberToBusiness, provisionPhoneNumber } from '@/lib/twilio-provision';
-import { getTwilioClient, getTwilioWebhookConfig, syncTwilioIncomingPhoneNumberWebhooks } from '@/lib/twilio';
+import { provisionPhoneNumber } from '@/lib/twilio-provision';
+import { getTwilioBusinessClient } from '@/lib/twilio-client';
+import { syncTwilioIncomingPhoneNumberWebhooks } from '@/lib/twilio';
 import { businessSettingsSchema, buyNumberSchema } from '@/lib/validators';
 
 async function getBusinessForOwner() {
@@ -30,8 +31,11 @@ function parseTwilioPhoneNumberSid(formData: FormData) {
   return sid;
 }
 
-async function pickExistingTwilioIncomingNumber(phoneNumberSid?: string) {
-  const client = getTwilioClient();
+async function pickExistingTwilioIncomingNumber(
+  business: Awaited<ReturnType<typeof getBusinessForOwner>>,
+  phoneNumberSid?: string
+) {
+  const client = getTwilioBusinessClient(business.twilioSubaccountSid);
   if (phoneNumberSid) {
     return client.incomingPhoneNumbers(phoneNumberSid).fetch();
   }
@@ -95,20 +99,13 @@ export async function buyTwilioNumberAction(formData: FormData) {
 
   try {
     const correlationId = `settings_buy_${business.id}`;
-    const provisionedNumber = await provisionPhoneNumber({
+    await provisionPhoneNumber({
+      businessId: business.id,
       businessName: business.name,
       areaCode: parsed.data.areaCode,
       correlationId,
     });
 
-    await linkProvisionedPhoneNumberToBusiness({
-      businessId: business.id,
-      phoneNumber: provisionedNumber.phoneNumber,
-      phoneNumberSid: provisionedNumber.phoneNumberSid,
-      syncedAt: provisionedNumber.syncedAt,
-      correlationId,
-    });
-
     revalidatePath('/app/settings');
     redirect('/app/settings?numberBought=1');
   } catch (error) {
@@ -131,9 +128,10 @@ export async function connectExistingTwilioNumberAction(formData: FormData) {
   const business = await getBusinessForOwner();
 
   try {
+    const client = getTwilioBusinessClient(business.twilioSubaccountSid);
     const phoneNumberSid = parseTwilioPhoneNumberSid(formData);
-    const selectedNumber = await pickExistingTwilioIncomingNumber(phoneNumberSid);
-    const { number } = await syncTwilioIncomingPhoneNumberWebhooks(selectedNumber.sid);
+    const selectedNumber = await pickExistingTwilioIncomingNumber(business, phoneNumberSid);
+    const { number } = await syncTwilioIncomingPhoneNumberWebhooks(selectedNumber.sid, client);
     const syncedAt = new Date();
 
     await saveBusinessTwilioNumber(business.id, {
@@ -157,7 +155,8 @@ export async function resyncTwilioWebhooksAction() {
   }
 
   try {
-    const { number } = await syncTwilioIncomingPhoneNumberWebhooks(business.twilioPhoneNumberSid);
+    const client = getTwilioBusinessClient(business.twilioSubaccountSid);
+    const { number } = await syncTwilioIncomingPhoneNumberWebhooks(business.twilioPhoneNumberSid, client);
     const syncedAt = new Date();
 
     await saveBusinessTwilioNumber(business.id, {
diff --git a/app/app/settings/page.tsx b/app/app/settings/page.tsx
index 426adfe..69e29f0 100644
--- a/app/app/settings/page.tsx
+++ b/app/app/settings/page.tsx
@@ -1,7 +1,8 @@
 import { requireBusiness } from '@/lib/auth';
 import { formatPhoneForDisplay } from '@/lib/phone';
 import { getPortfolioDemoTwilioNumbers, getPortfolioDemoWebhookConfig, isPortfolioDemoMode } from '@/lib/portfolio-demo';
-import { getTwilioClient, getTwilioWebhookConfig } from '@/lib/twilio';
+import { getTwilioBusinessClient } from '@/lib/twilio-client';
+import { getTwilioWebhookConfig } from '@/lib/twilio';
 import { saveBusinessSettingsAction, buyTwilioNumberAction, connectExistingTwilioNumberAction, resyncTwilioWebhooksAction } from '@/app/app/settings/actions';
 import { CopyValueButton } from '@/components/copy-value-button';
 import { Button } from '@/components/ui/button';
@@ -45,7 +46,7 @@ export default async function SettingsPage({ searchParams }: { searchParams?: Re
     existingTwilioNumbers = getPortfolioDemoTwilioNumbers();
   } else {
     try {
-      const client = getTwilioClient();
+      const client = getTwilioBusinessClient(business.twilioSubaccountSid);
       const numbers = await client.incomingPhoneNumbers.list({ limit: 50 });
       existingTwilioNumbers = numbers.map((number) => ({
         sid: number.sid,
diff --git a/lib/portfolio-demo.ts b/lib/portfolio-demo.ts
index 39c14b4..8171285 100644
--- a/lib/portfolio-demo.ts
+++ b/lib/portfolio-demo.ts
@@ -35,6 +35,7 @@ const demoBusiness: Business = {
   serviceLabel2: 'Install',
   serviceLabel3: 'Maintenance',
   timezone: 'America/Chicago',
+  twilioSubaccountSid: 'ACbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
   twilioPhoneNumber: '+15125550123',
   twilioPhoneNumberSid: 'PNxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
   twilioWebhookSyncedAt: new Date('2026-02-24T15:14:00.000Z'),
diff --git a/lib/twilio-client.ts b/lib/twilio-client.ts
index 40db496..d71bb52 100644
--- a/lib/twilio-client.ts
+++ b/lib/twilio-client.ts
@@ -2,7 +2,10 @@ import twilio from 'twilio';
 
 type EnvMap = Readonly<Record<string, string | undefined>>;
 
-let twilioClientSingleton: ReturnType<typeof twilio> | null = null;
+export type TwilioClient = ReturnType<typeof twilio>;
+
+let twilioClientSingleton: TwilioClient | null = null;
+const twilioSubaccountClientSingletons = new Map<string, TwilioClient>();
 
 export function hasTwilioClientEnv(env: EnvMap = process.env) {
   return Boolean(env.TWILIO_ACCOUNT_SID?.trim() && env.TWILIO_AUTH_TOKEN?.trim());
@@ -27,3 +30,36 @@ export function getTwilioClient(env: EnvMap = process.env) {
 
   return client;
 }
+
+export function getTwilioSubaccountClient(subaccountSid: string, env: EnvMap = process.env) {
+  const normalizedSubaccountSid = subaccountSid.trim();
+  if (!/^AC[0-9a-fA-F]{32}$/.test(normalizedSubaccountSid)) {
+    throw new Error('Invalid Twilio subaccount SID');
+  }
+
+  if (env === process.env) {
+    const existing = twilioSubaccountClientSingletons.get(normalizedSubaccountSid);
+    if (existing) return existing;
+  }
+
+  const accountSid = env.TWILIO_ACCOUNT_SID?.trim();
+  const authToken = env.TWILIO_AUTH_TOKEN?.trim();
+  if (!accountSid || !authToken) {
+    throw new Error('Missing TWILIO_ACCOUNT_SID or TWILIO_AUTH_TOKEN');
+  }
+
+  const client = twilio(accountSid, authToken, { accountSid: normalizedSubaccountSid });
+  if (env === process.env) {
+    twilioSubaccountClientSingletons.set(normalizedSubaccountSid, client);
+  }
+
+  return client;
+}
+
+export function getTwilioBusinessClient(subaccountSid: string | null | undefined, env: EnvMap = process.env) {
+  if (subaccountSid?.trim()) {
+    return getTwilioSubaccountClient(subaccountSid, env);
+  }
+
+  return getTwilioClient(env);
+}
diff --git a/lib/twilio-provision.ts b/lib/twilio-provision.ts
index 45f8067..8066023 100644
--- a/lib/twilio-provision.ts
+++ b/lib/twilio-provision.ts
@@ -3,7 +3,7 @@ import type { Business } from '@prisma/client';
 import { db } from '@/lib/db';
 import { normalizePhoneNumber } from '@/lib/phone';
 import { isPortfolioDemoModeEnabled } from '@/lib/portfolio-demo-guardrail';
-import { getTwilioClient, hasTwilioClientEnv } from '@/lib/twilio-client';
+import { getTwilioClient, getTwilioSubaccountClient, hasTwilioClientEnv } from '@/lib/twilio-client';
 import { logTwilioInfo } from '@/lib/twilio-logging';
 import { getTwilioWebhookConfig, syncTwilioIncomingPhoneNumberWebhooks } from '@/lib/twilio';
 
@@ -11,9 +11,10 @@ type EnvMap = Readonly<Record<string, string | undefined>>;
 
 export type TwilioProvisioningBlockReason = 'already_has_number' | 'missing_twilio_credentials' | 'demo_mode';
 
-type ProvisionableBusiness = Pick<Business, 'id' | 'name' | 'twilioPhoneNumber' | 'twilioPhoneNumberSid'>;
+type ProvisionableBusiness = Pick<Business, 'id' | 'name' | 'twilioSubaccountSid' | 'twilioPhoneNumber' | 'twilioPhoneNumberSid'>;
 
 type ProvisionPhoneNumberOptions = {
+  businessId: string;
   businessName: string;
   areaCode?: string | number | null;
   correlationId?: string;
@@ -25,12 +26,14 @@ type LinkProvisionedPhoneNumberParams = {
   phoneNumberSid: string;
   syncedAt?: Date;
   correlationId?: string;
+  subaccountSid?: string | null;
 };
 
 export type ProvisionPhoneNumberResult = {
   phoneNumber: string | null;
   phoneNumberSid: string;
   syncedAt: Date;
+  subaccountSid: string;
 };
 
 function parseAreaCode(areaCode: ProvisionPhoneNumberOptions['areaCode']) {
@@ -69,10 +72,50 @@ export function getTwilioProvisioningBlockReason(
   return null;
 }
 
+export async function ensureTwilioSubaccount(
+  businessId: string,
+  businessName: string,
+  correlationId = 'n/a'
+) {
+  const business = await db.business.findUnique({
+    where: { id: businessId },
+    select: { id: true, twilioSubaccountSid: true },
+  });
+
+  if (!business) {
+    throw new Error('Business not found');
+  }
+
+  if (business.twilioSubaccountSid) {
+    return business.twilioSubaccountSid;
+  }
+
+  const parentClient = getTwilioClient();
+  const subaccount = await parentClient.api.accounts.create({
+    friendlyName: `CallbackCloser-${businessId}`,
+  });
+
+  await db.business.update({
+    where: { id: businessId },
+    data: { twilioSubaccountSid: subaccount.sid },
+  });
+
+  logTwilioInfo('provisioning', 'subaccount_created', {
+    correlationId,
+    businessId,
+    businessName,
+    twilioSubaccountSid: subaccount.sid,
+    ownerAccountSid: subaccount.ownerAccountSid,
+  });
+
+  return subaccount.sid;
+}
+
 export async function provisionPhoneNumber(options: ProvisionPhoneNumberOptions): Promise<ProvisionPhoneNumberResult> {
   const correlationId = options.correlationId ?? 'n/a';
-  const client = getTwilioClient();
   const webhookConfig = getTwilioWebhookConfig();
+  const subaccountSid = await ensureTwilioSubaccount(options.businessId, options.businessName, correlationId);
+  const client = getTwilioSubaccountClient(subaccountSid);
   const areaCode = parseAreaCode(options.areaCode);
 
   const candidates = await client.availablePhoneNumbers('US').local.list({
@@ -94,15 +137,17 @@ export async function provisionPhoneNumber(options: ProvisionPhoneNumberOptions)
 
   logTwilioInfo('provisioning', 'number_purchased', {
     correlationId,
+    twilioSubaccountSid: subaccountSid,
     phoneNumberSid: purchasedNumber.sid,
     phoneNumber: purchasedNumber.phoneNumber,
     appBaseUrl: webhookConfig.appBaseUrl,
   });
 
-  const { number } = await syncTwilioIncomingPhoneNumberWebhooks(purchasedNumber.sid);
+  const { number } = await syncTwilioIncomingPhoneNumberWebhooks(purchasedNumber.sid, client);
 
   logTwilioInfo('provisioning', 'webhooks_configured', {
     correlationId,
+    twilioSubaccountSid: subaccountSid,
     phoneNumberSid: number.sid,
     phoneNumber: number.phoneNumber,
     voiceUrl: webhookConfig.voiceUrl,
@@ -110,10 +155,21 @@ export async function provisionPhoneNumber(options: ProvisionPhoneNumberOptions)
     statusUrl: webhookConfig.statusUrl,
   });
 
+  const syncedAt = new Date();
+  await linkProvisionedPhoneNumberToBusiness({
+    businessId: options.businessId,
+    phoneNumber: number.phoneNumber,
+    phoneNumberSid: number.sid,
+    syncedAt,
+    correlationId,
+    subaccountSid,
+  });
+
   return {
     phoneNumber: number.phoneNumber,
     phoneNumberSid: number.sid,
-    syncedAt: new Date(),
+    syncedAt,
+    subaccountSid,
   };
 }
 
@@ -122,6 +178,7 @@ export async function linkProvisionedPhoneNumberToBusiness(params: LinkProvision
   const business = await db.business.update({
     where: { id: params.businessId },
     data: {
+      ...(params.subaccountSid !== undefined ? { twilioSubaccountSid: params.subaccountSid } : {}),
       twilioPhoneNumber: normalizePhoneNumber(params.phoneNumber),
       twilioPhoneNumberSid: params.phoneNumberSid,
       twilioWebhookSyncedAt: syncedAt,
@@ -131,6 +188,7 @@ export async function linkProvisionedPhoneNumberToBusiness(params: LinkProvision
   logTwilioInfo('provisioning', 'account_linked', {
     correlationId: params.correlationId ?? 'n/a',
     businessId: business.id,
+    twilioSubaccountSid: business.twilioSubaccountSid,
     phoneNumberSid: business.twilioPhoneNumberSid,
     phoneNumber: business.twilioPhoneNumber,
   });
diff --git a/lib/twilio-webhook.ts b/lib/twilio-webhook.ts
index 23e0f6b..d5d8915 100644
--- a/lib/twilio-webhook.ts
+++ b/lib/twilio-webhook.ts
@@ -13,6 +13,7 @@ let missingTokenWarningLogged = false;
 let missingSignatureConfigWarningLogged = false;
 let missingSignatureHeaderWarningLogged = false;
 let productionSignatureModeWarningLogged = false;
+let subaccountTokenFallbackWarningLogged = false;
 
 function parseBooleanFlag(value: string | undefined) {
   if (!value) return false;
@@ -129,8 +130,23 @@ export function hasValidTwilioWebhookRequest(
   const signatureValid = hasValidTwilioWebhookSignature(request, params, env);
   if (signatureValid) return true;
 
+  const sharedTokenValid = hasValidTwilioWebhookToken(request, { env, allowQueryParam: true });
   if (env.NODE_ENV !== 'production') {
-    return hasValidTwilioWebhookToken(request, { env, allowQueryParam: true });
+    return sharedTokenValid;
+  }
+
+  const parentAccountSid = env.TWILIO_ACCOUNT_SID?.trim();
+  const requestAccountSid = params.AccountSid?.trim();
+  const isSubaccountRequest = Boolean(requestAccountSid && parentAccountSid && requestAccountSid !== parentAccountSid);
+  if (sharedTokenValid && isSubaccountRequest) {
+    if (!subaccountTokenFallbackWarningLogged) {
+      subaccountTokenFallbackWarningLogged = true;
+      logTwilioWarn('webhook-auth', 'subaccount_signature_validation_fallback_token', {
+        decision: 'allow',
+        accountSid: requestAccountSid,
+      });
+    }
+    return true;
   }
 
   return false;
diff --git a/lib/twilio.ts b/lib/twilio.ts
index 28209e2..e55734b 100644
--- a/lib/twilio.ts
+++ b/lib/twilio.ts
@@ -1,5 +1,5 @@
 import { getConfiguredAppBaseUrl, resolveConfiguredAppBaseUrl } from '@/lib/env.server';
-import { getTwilioClient } from '@/lib/twilio-client';
+import { getTwilioClient, type TwilioClient } from '@/lib/twilio-client';
 
 export type TwilioWebhookConfig = {
   appBaseUrl: string;
@@ -8,7 +8,8 @@ export type TwilioWebhookConfig = {
   statusUrl: string;
 };
 
-export { getTwilioClient } from '@/lib/twilio-client';
+export { getTwilioBusinessClient, getTwilioClient, getTwilioSubaccountClient } from '@/lib/twilio-client';
+export type { TwilioClient } from '@/lib/twilio-client';
 
 export function getTwilioWebhookConfig(): TwilioWebhookConfig {
   const appBaseUrl = getConfiguredAppBaseUrl();
@@ -52,8 +53,10 @@ export function getTwilioWebhookConfig(): TwilioWebhookConfig {
   };
 }
 
-export async function syncTwilioIncomingPhoneNumberWebhooks(phoneNumberSid: string) {
-  const client = getTwilioClient();
+export async function syncTwilioIncomingPhoneNumberWebhooks(
+  phoneNumberSid: string,
+  client: TwilioClient = getTwilioClient()
+) {
   const webhookConfig = getTwilioWebhookConfig();
 
   const number = await client.incomingPhoneNumbers(phoneNumberSid).update({
@@ -66,6 +69,7 @@ export async function syncTwilioIncomingPhoneNumberWebhooks(phoneNumberSid: stri
   });
 
   console.info('Twilio webhook sync applied', {
+    twilioAccountSid: client.accountSid,
     phoneNumberSid: number.sid,
     phoneNumber: number.phoneNumber,
     appBaseUrl: webhookConfig.appBaseUrl,
diff --git a/prisma/migrations/20260309060000_add_twilio_subaccount_sid/migration.sql b/prisma/migrations/20260309060000_add_twilio_subaccount_sid/migration.sql
new file mode 100644
index 0000000..cf55c60
--- /dev/null
+++ b/prisma/migrations/20260309060000_add_twilio_subaccount_sid/migration.sql
@@ -0,0 +1,3 @@
+ALTER TABLE "Business" ADD COLUMN     "twilioSubaccountSid" TEXT;
+
+CREATE UNIQUE INDEX "Business_twilioSubaccountSid_key" ON "Business"("twilioSubaccountSid");
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index a0805cf..803865c 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -53,6 +53,7 @@ model Business {
   serviceLabel2               String             @default("Install")
   serviceLabel3               String             @default("Maintenance")
   timezone                    String             @default("America/New_York")
+  twilioSubaccountSid         String?            @unique
   twilioPhoneNumber           String?            @unique
   twilioPhoneNumberSid        String?            @unique
   twilioWebhookSyncedAt       DateTime?
diff --git a/tests/twilio-signature-validation.test.ts b/tests/twilio-signature-validation.test.ts
index eda48af..8e3e594 100644
--- a/tests/twilio-signature-validation.test.ts
+++ b/tests/twilio-signature-validation.test.ts
@@ -112,3 +112,25 @@ test('does not allow shared-token fallback in production when signature is missi
     }
   );
 });
+
+test('allows shared-token fallback for subaccount webhooks in production when parent signature validation does not match', () => {
+  withEnv(
+    {
+      NODE_ENV: 'production',
+      TWILIO_VALIDATE_SIGNATURE: 'true',
+      TWILIO_ACCOUNT_SID: 'AC11111111111111111111111111111111',
+      TWILIO_AUTH_TOKEN: 'parent-auth-token',
+      TWILIO_WEBHOOK_AUTH_TOKEN: 'prod-token',
+    },
+    () => {
+      const params = {
+        AccountSid: 'AC22222222222222222222222222222222',
+        CallSid: 'CA555',
+        From: '+15550000000',
+        To: '+15551111111',
+      };
+      const request = new Request('https://example.com/api/twilio/voice?webhook_token=prod-token');
+      assert.equal(hasValidTwilioWebhookRequest(request, params), true);
+    }
+  );
+});