Completed
When partner tops up, whop takes 1-2 days to approve, and then the payment status never updates for user. It just stays as "pending"

Harshil S about 2 months ago
Completed
When partner tops up, whop takes 1-2 days to approve, and then the payment status never updates for user. It just stays as "pending"

Harshil S about 2 months ago
In Progress
REDUCE DB DATA REDUNDANCY / DB SECURITY
Comprehensive Database Schema Optimization & Security Plan 1. Problem Statement & Root Cause Analysis A. Metric Accuracy & Role Tracking Issues Symptom: Admin dashboard counts are mismatched (e.g., showing 25 users in one place but 26 in another; 24 startups vs 22 actual startups). Root Cause: Role tracking is currently split between profiles.role and a separate user_roles table. The OverviewPage.tsx counts "Total Users" from profiles but counts "Startups/Partners" from user_roles. If a newly registered user (especially via Google OAuth) is inserted into profiles but has a mismatched or missing entry in user_roles, the counts skew. Goal: Unify role tracking to a single source of truth (profiles.role) and eliminate the redundant user_roles table entirely. B. Security Vulnerabilities (Supabase Linter Errors) Symptom: Database linter is throwing SECURITY DEFINER and RLS Disabled errors. Root Cause: partner_wallet_stats view joins directly with auth.users AND is marked SECURITY DEFINER, exposing sensitive authentication data globally. app_unified_revenue and live_datasets are also SECURITY DEFINER views which bypass RLS of the querying user. Several tables (app_ad_summaries, app_daily_ad_stats, app_dataset_summaries, domain_taxonomy) simply lack Row Level Security (RLS) entirely. Goal: Convert views to use SECURITY INVOKER or remove them, decouple from auth.users, and apply strict RLS policies to all remaining tables. C. Schema Redundancy & Dead Code Symptom: Bloated tables, confusing settings relationships, empty or unused LLM tracking tables. Root Cause: Settings are scattered: app_settings holds general preferences, while app_profiles holds app-level info, and enterprise_profiles holds partner info. They share redundant fields (like bank details, notifications). Ad stats are fragmented: app_daily_ad_stats and app_ad_summaries track clicks/impressions separately from the main app_daily_revenue_stats pipeline. Wise (TransferWise) is no longer being used as the payout provider, but wise_* fields pollute multiple tables. Outdated or empty LLM pipeline tables (dpo_triplets, interaction_pairs) from legacy features. Goal: Merge settings into role-specific profiles, aggregate stats accurately, and purge unused columns/tables to slim down the schema significantly. 2. Infrastructure & Database Changes (Phase 1) We will execute these changes via a new SQL migration file (e.g., 20260518_schema_optimization_and_rls.sql). 1. Drop Wise Integrations ALTER TABLE platform_settings DROP COLUMN wise_payment_links; ALTER TABLE payouts DROP COLUMN wise_transfer_id; ALTER TABLE

Harshil S about 2 months ago
In Progress
REDUCE DB DATA REDUNDANCY / DB SECURITY
Comprehensive Database Schema Optimization & Security Plan 1. Problem Statement & Root Cause Analysis A. Metric Accuracy & Role Tracking Issues Symptom: Admin dashboard counts are mismatched (e.g., showing 25 users in one place but 26 in another; 24 startups vs 22 actual startups). Root Cause: Role tracking is currently split between profiles.role and a separate user_roles table. The OverviewPage.tsx counts "Total Users" from profiles but counts "Startups/Partners" from user_roles. If a newly registered user (especially via Google OAuth) is inserted into profiles but has a mismatched or missing entry in user_roles, the counts skew. Goal: Unify role tracking to a single source of truth (profiles.role) and eliminate the redundant user_roles table entirely. B. Security Vulnerabilities (Supabase Linter Errors) Symptom: Database linter is throwing SECURITY DEFINER and RLS Disabled errors. Root Cause: partner_wallet_stats view joins directly with auth.users AND is marked SECURITY DEFINER, exposing sensitive authentication data globally. app_unified_revenue and live_datasets are also SECURITY DEFINER views which bypass RLS of the querying user. Several tables (app_ad_summaries, app_daily_ad_stats, app_dataset_summaries, domain_taxonomy) simply lack Row Level Security (RLS) entirely. Goal: Convert views to use SECURITY INVOKER or remove them, decouple from auth.users, and apply strict RLS policies to all remaining tables. C. Schema Redundancy & Dead Code Symptom: Bloated tables, confusing settings relationships, empty or unused LLM tracking tables. Root Cause: Settings are scattered: app_settings holds general preferences, while app_profiles holds app-level info, and enterprise_profiles holds partner info. They share redundant fields (like bank details, notifications). Ad stats are fragmented: app_daily_ad_stats and app_ad_summaries track clicks/impressions separately from the main app_daily_revenue_stats pipeline. Wise (TransferWise) is no longer being used as the payout provider, but wise_* fields pollute multiple tables. Outdated or empty LLM pipeline tables (dpo_triplets, interaction_pairs) from legacy features. Goal: Merge settings into role-specific profiles, aggregate stats accurately, and purge unused columns/tables to slim down the schema significantly. 2. Infrastructure & Database Changes (Phase 1) We will execute these changes via a new SQL migration file (e.g., 20260518_schema_optimization_and_rls.sql). 1. Drop Wise Integrations ALTER TABLE platform_settings DROP COLUMN wise_payment_links; ALTER TABLE payouts DROP COLUMN wise_transfer_id; ALTER TABLE

Harshil S about 2 months ago
Completed
Fix Campaign (THE FULL FLOW IS MESSED UP) (CLICK TO READ)
Geographies field should not be there. It will be global on default. No device types field. Fix Audience Segments (It should be just the industries theyve chosen/ have option for in their account settings) Remove App Categories (show ads in these types of apps) - That will come under our new audience segments fix Ensure daily/lifetime budget filters actually work For the Bid Strategy section - ONLY CPM. No βMax Bid ($) *β or Frequency Cap (per user/day)β fields. Remove scheduling section.

Harshil S about 2 months ago
Completed
Fix Campaign (THE FULL FLOW IS MESSED UP) (CLICK TO READ)
Geographies field should not be there. It will be global on default. No device types field. Fix Audience Segments (It should be just the industries theyve chosen/ have option for in their account settings) Remove App Categories (show ads in these types of apps) - That will come under our new audience segments fix Ensure daily/lifetime budget filters actually work For the Bid Strategy section - ONLY CPM. No βMax Bid ($) *β or Frequency Cap (per user/day)β fields. Remove scheduling section.

Harshil S about 2 months ago
In Progress
Supabase Security Rotation Steps (Click to Read)
https://claude.ai/share/31f96692-014d-4628-b56f-605e1a82d1b2 Step 1: Rotate the JWT Secret Go to supabase.com and log in Open your project Click Project Settings (gear icon, bottom left sidebar) Click Data API or JWT Keys in the settings menu Find the Legacy JWT Secret tab Click Change Legacy Secret Click Generate a random secret Read the confirmation dialog β it warns you everything breaks instantly Confirm it β Anon key and service role key auto-regenerate after this. Step 2: Rotate the Database Password Still in Project Settings Click Database in the left menu Scroll down to Database password Click Reset database password Save the new password in a password manager Step 3: Get Your New API Keys Go to Project Settings β Data API Copy the new anon key and service role key Step 4: Update Your App's Environment Variables Open your.env file or your hosting dashboard (Vercel, Railway, etc.) Replace the old SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY with the new ones Redeploy your app Step 5: Rotate Edge Function Secrets Go to Project Settings β Edge Functions β Secrets Delete all old secrets Re-add them with fresh values (OpenAI keys, any third party stuff, etc.) Step 7: Change Dashboard Passwords + Enable MFA Go to your Supabase account settings Change your password Enable MFA Have jeet (co-owner) do the same Step 8: Audit What Happened Go to Logs Explorer in your project sidebar Check for suspicious activity around March 21 (when the attacker was active) Make sure no unknown edge functions exist in your project

Harshil S 2 months ago
In Progress
Supabase Security Rotation Steps (Click to Read)
https://claude.ai/share/31f96692-014d-4628-b56f-605e1a82d1b2 Step 1: Rotate the JWT Secret Go to supabase.com and log in Open your project Click Project Settings (gear icon, bottom left sidebar) Click Data API or JWT Keys in the settings menu Find the Legacy JWT Secret tab Click Change Legacy Secret Click Generate a random secret Read the confirmation dialog β it warns you everything breaks instantly Confirm it β Anon key and service role key auto-regenerate after this. Step 2: Rotate the Database Password Still in Project Settings Click Database in the left menu Scroll down to Database password Click Reset database password Save the new password in a password manager Step 3: Get Your New API Keys Go to Project Settings β Data API Copy the new anon key and service role key Step 4: Update Your App's Environment Variables Open your.env file or your hosting dashboard (Vercel, Railway, etc.) Replace the old SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY with the new ones Redeploy your app Step 5: Rotate Edge Function Secrets Go to Project Settings β Edge Functions β Secrets Delete all old secrets Re-add them with fresh values (OpenAI keys, any third party stuff, etc.) Step 7: Change Dashboard Passwords + Enable MFA Go to your Supabase account settings Change your password Enable MFA Have jeet (co-owner) do the same Step 8: Audit What Happened Go to Logs Explorer in your project sidebar Check for suspicious activity around March 21 (when the attacker was active) Make sure no unknown edge functions exist in your project

Harshil S 2 months ago
Completed
Add Vercel Analytics (https://vercel.com/harshil12345000s-projects/zerocost/analytics?environment=all)
https://vercel.com/harshil12345000s-projects/zerocost/analytics?environment=all

Harshil S 2 months ago
Completed
Add Vercel Analytics (https://vercel.com/harshil12345000s-projects/zerocost/analytics?environment=all)
https://vercel.com/harshil12345000s-projects/zerocost/analytics?environment=all

Harshil S 2 months ago
Completed
Add Usecasely to usecasely.zerocost.app (Do similar with more free tools for people to use - indirect marketing for Zerocost)

Harshil S 2 months ago
Completed
Add Usecasely to usecasely.zerocost.app (Do similar with more free tools for people to use - indirect marketing for Zerocost)

Harshil S 2 months ago
Completed
Reframe the Hero Title (Click to Read)
Current statement: βMonetize your startup without charging usersβ β but this overpromises since Zerocost currently provides supplemental revenue, not full monetization. The dilemma is balancing honesty (itβs just extra revenue today) with strong positioning (it still feels like monetization). Both are strong, but they signal slightly different things. βTurn your free users into revenueβ - THIS IS BEST More powerful + punchy Feels like a core transformation Broader (doesnβt lock you into one method) Better as a headline βMonetize your free users (without paywalls)β More explicit Immediately explains how (no paywalls) Slightly more βSaaS/technicalβ tone Feels like a feature/value prop

Harshil S 3 months ago
Completed
Reframe the Hero Title (Click to Read)
Current statement: βMonetize your startup without charging usersβ β but this overpromises since Zerocost currently provides supplemental revenue, not full monetization. The dilemma is balancing honesty (itβs just extra revenue today) with strong positioning (it still feels like monetization). Both are strong, but they signal slightly different things. βTurn your free users into revenueβ - THIS IS BEST More powerful + punchy Feels like a core transformation Broader (doesnβt lock you into one method) Better as a headline βMonetize your free users (without paywalls)β More explicit Immediately explains how (no paywalls) Slightly more βSaaS/technicalβ tone Feels like a feature/value prop

Harshil S 3 months ago
Planned
Modify Consent Workflow (Click to Read - Very Long Spec)
We do not always need consent for ads. Under GDPR, consent is generally not required for non-personalized contextual ads that do not rely on personal data, profiling, or behavioral tracking. Since Zerocost focuses on privacy-first contextual advertising, many ad placements may operate under legitimate interest or outside consent requirements depending on implementation and jurisdiction. However, developers remain responsible for ensuring their own compliance based on how they use the product. To make this practical, Zerocost should support two consent models. First, developers can use the built-in Zerocost consent popup (triggered from the shield/privacy button), where users can manage permissions for products like data collection or recordings. Second, developers should be able to run their own custom consent flow, such as collecting consent during registration, onboarding, account creation, or inside their own privacy settings page. This should be controlled directly in the Zerocost dashboard with a clear Enable / Disable Consent Popup setting. If enabled, Zerocost handles the consent UI and stores consent states through the SDK. If disabled, the developer confirms they are managing consent independently and acknowledges that legal compliance obligations (GDPR, ePrivacy, CCPA, and other applicable laws) become their responsibility. Additionally, the dashboard should include API hooks or SDK methods so developers using custom consent flows can pass verified consent states into Zerocost. This gives startups flexibility while ensuring Zerocost can still respect user preferences technically. The result is a system that works for both privacy-conscious builders who want turnkey compliance tools and advanced teams who prefer to manage consent inside their own product experience. (We need a solid plan for all of this so before building make a plan). NOTE: We must also update our TOS, Privacy Policy, Docs. Legally, it can be permissible for Zerocost to let developers handle consent instead of Zerocost always handling it, if roles, responsibilities, and data flows are structured correctly. This is common in SaaS/SDK ecosystems. For example, many analytics, ad tech, CRM, and customer-support SDKs rely on the website/app operator to obtain consent. Why this can be valid Under laws like GDPR and the ePrivacy Directive: The app developer / website operator is usually the primary party interacting with the end user. They often act as the controller (or joint controller in some cases) for user data collected through third-party SDKs. A vendor like Zerocost can act as a processor for some services, or an independent/joint controller for others depending on product design. That means the app can collect consent in its own signup flow, cookie banner, onboarding, or privacy center, then pass the consent signal to Zerocost. But only if these conditions are met 1. Clear contractual allocation Your Terms, DPA, and dashboard settings should clearly state: If developer disables Zerocost consent UI, developer confirms they obtain valid consent where required. Developer must provide required notices. Developer must pass consent signals accurately. Zerocost may suspend products if no lawful basis exists. 2. Zerocost must technically honor consent If user has not consented (where needed), Zerocost should not collect/process that data. Example: Ads product (contextual only): maybe no consent needed in some regions/use cases. Product 2 datasets: likely higher risk, often consent strongly recommended. Product 3 recordings: explici

Harshil S 3 months ago
Planned
Modify Consent Workflow (Click to Read - Very Long Spec)
We do not always need consent for ads. Under GDPR, consent is generally not required for non-personalized contextual ads that do not rely on personal data, profiling, or behavioral tracking. Since Zerocost focuses on privacy-first contextual advertising, many ad placements may operate under legitimate interest or outside consent requirements depending on implementation and jurisdiction. However, developers remain responsible for ensuring their own compliance based on how they use the product. To make this practical, Zerocost should support two consent models. First, developers can use the built-in Zerocost consent popup (triggered from the shield/privacy button), where users can manage permissions for products like data collection or recordings. Second, developers should be able to run their own custom consent flow, such as collecting consent during registration, onboarding, account creation, or inside their own privacy settings page. This should be controlled directly in the Zerocost dashboard with a clear Enable / Disable Consent Popup setting. If enabled, Zerocost handles the consent UI and stores consent states through the SDK. If disabled, the developer confirms they are managing consent independently and acknowledges that legal compliance obligations (GDPR, ePrivacy, CCPA, and other applicable laws) become their responsibility. Additionally, the dashboard should include API hooks or SDK methods so developers using custom consent flows can pass verified consent states into Zerocost. This gives startups flexibility while ensuring Zerocost can still respect user preferences technically. The result is a system that works for both privacy-conscious builders who want turnkey compliance tools and advanced teams who prefer to manage consent inside their own product experience. (We need a solid plan for all of this so before building make a plan). NOTE: We must also update our TOS, Privacy Policy, Docs. Legally, it can be permissible for Zerocost to let developers handle consent instead of Zerocost always handling it, if roles, responsibilities, and data flows are structured correctly. This is common in SaaS/SDK ecosystems. For example, many analytics, ad tech, CRM, and customer-support SDKs rely on the website/app operator to obtain consent. Why this can be valid Under laws like GDPR and the ePrivacy Directive: The app developer / website operator is usually the primary party interacting with the end user. They often act as the controller (or joint controller in some cases) for user data collected through third-party SDKs. A vendor like Zerocost can act as a processor for some services, or an independent/joint controller for others depending on product design. That means the app can collect consent in its own signup flow, cookie banner, onboarding, or privacy center, then pass the consent signal to Zerocost. But only if these conditions are met 1. Clear contractual allocation Your Terms, DPA, and dashboard settings should clearly state: If developer disables Zerocost consent UI, developer confirms they obtain valid consent where required. Developer must provide required notices. Developer must pass consent signals accurately. Zerocost may suspend products if no lawful basis exists. 2. Zerocost must technically honor consent If user has not consented (where needed), Zerocost should not collect/process that data. Example: Ads product (contextual only): maybe no consent needed in some regions/use cases. Product 2 datasets: likely higher risk, often consent strongly recommended. Product 3 recordings: explici

Harshil S 3 months ago
Planned
Distribution & Product Plan (Click to Read Doc)
Read the above document. Also for the 100 day series (Day 1 of 100 building a free AI app) - we subtly mention how its free and how we make the free plan more accessible by subsidizing with revenue from Zerocost. AI App Ideas for the Series: StonerGPT (Clone of stonedgpt.app) We make the free plan fully powered by Zerocost revenue: ads and LLM convo data. And then like a pro plan for $9.99/mo with multimodal file upload support. For marketers and those needing creative uses CoverLetterGPT / ResumeGPT (ADD MORE IDEAS)

Harshil S 3 months ago
Planned
Distribution & Product Plan (Click to Read Doc)
Read the above document. Also for the 100 day series (Day 1 of 100 building a free AI app) - we subtly mention how its free and how we make the free plan more accessible by subsidizing with revenue from Zerocost. AI App Ideas for the Series: StonerGPT (Clone of stonedgpt.app) We make the free plan fully powered by Zerocost revenue: ads and LLM convo data. And then like a pro plan for $9.99/mo with multimodal file upload support. For marketers and those needing creative uses CoverLetterGPT / ResumeGPT (ADD MORE IDEAS)

Harshil S 3 months ago