docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
This commit is contained in:
Siavash Sameni
2026-05-24 11:16:29 +04:00
parent b824ca0435
commit 4cf5c49274
74 changed files with 5964 additions and 81 deletions

View File

@@ -26,15 +26,20 @@
"defaultSubtasks": 5,
"defaultPriority": "medium",
"projectName": "Amanat Documentation PRDs",
"defaultTag": "master",
"ollamaBaseURL": "http://localhost:11434/api",
"bedrockBaseURL": "https://bedrock.us-east-1.amazonaws.com",
"responseLanguage": "English",
"enableCodebaseAnalysis": true,
"enableProxy": false,
"anonymousTelemetry": false
"anonymousTelemetry": false,
"defaultTag": "master",
"userId": "1234567890"
},
"storage": {
"type": "file"
"claudeCode": {},
"codexCli": {},
"grokCli": {
"timeout": 120000,
"workingDirectory": null,
"defaultModel": "grok-4-latest"
}
}
}

View File

@@ -0,0 +1,206 @@
# Task 2.7 — Documentation & Code Alignment Report
**Date:** 2026-05-24
**Auditor:** Kimi Code CLI (subagent)
**Scope:** `nick-doc/` technical documentation vs. `backend/src/` runtime code
---
## 1. Files Reviewed
### Data Models (`nick-doc/02 - Data Models/`)
- `Data Model Overview.md`
- `Payment.md`
- `PurchaseRequest.md`
- `User.md`
- `Dispute.md`
- `Chat.md` (spot-checked)
### API Reference (`nick-doc/03 - API Reference/`)
- `API Overview.md`
- `Payment API.md`
- `Dispute API.md`
- `Marketplace API.md` (spot-checked)
- `Authentication API.md` (spot-checked)
### Architecture (`nick-doc/01 - Architecture/`)
- `Backend Architecture.md`
- `Security Architecture.md`
- `System Architecture.md`
### Flows (`nick-doc/04 - Flows/`)
- `Escrow Flow.md`
- `Dispute Flow.md`
- `Payment Flow - SHKeeper.md`
- `Payment Flow - DePay & Web3.md`
### Backend Code
- `backend/src/models/*.ts` (all)
- `backend/src/app.ts` (bootstrap, middleware, route mounting)
- `backend/src/services/payment/decentralizedPaymentRoutes.ts`
- `backend/src/services/payment/shkeeper/shkeeperRoutes.ts`
- `backend/src/services/payment/paymentControllerRoutes.ts`
- `backend/src/services/marketplace/controllerRoutes.ts`
- `backend/src/services/marketplace/routes.ts`
- `backend/src/services/auth/passkeyService.ts`
---
## 2. Discrepancies Found
### 2.1 Missing modules (documented but not implemented)
| Module | Doc claims | Reality in code |
|---|---|---|
| **Dispute** | `backend/src/services/dispute/`, `backend/src/models/Dispute.ts`, `/api/disputes` | **None exist**. No directory, no model, no routes, no controller. |
| **Blog** | `services/blog/blogRoutes.ts` | **Does not exist**. |
| **Points** | `services/points/pointsRoutes.ts`, `Points API` | **Does not exist**. |
| **Admin** | `services/admin/adminRoutes.ts`, `Admin API` | **Does not exist**. |
| **Review** | `Review.md` data model | `backend/src/models/Review.ts` **does not exist**. |
| **PointTransaction** | `PointTransaction.md` data model | `backend/src/models/PointTransaction.ts` **does not exist**. |
| **LevelConfig** | `LevelConfig.md` data model | `backend/src/models/LevelConfig.ts` **does not exist**. |
| **ShopSettings** | `ShopSettings.md` data model | `backend/src/models/ShopSettings.ts` **does not exist**. |
| **BlogPost** | `BlogPost.md` data model | `backend/src/models/BlogPost.ts` **does not exist**. |
### 2.2 Data-model enum mismatches
| Model | Field | Doc value | Code value | Severity |
|---|---|---|---|---|
| **Payment** | `provider` | `shkeeper` / `other` | `shkeeper` / `request.network` / `request-network` / `other` | Medium |
| **Payment** | `escrowState` | 6 values | 8 values (`+ cancelled`, `+ partial`) | Medium |
| **Payment** | `metadata` | SHKeeper fields only | Also has `requestNetworkRequestId`, `requestNetworkPaymentReference`, `requestNetworkSecurePaymentUrl`, `requestNetworkData` | Low |
| **Payment API** | Status list | Missing `confirmed` and `processing` in the "Status model" prose | Code has full 7-value enum incl. `confirmed`, `processing` | Medium |
### 2.3 User-model fields documented but missing from schema
The `User.md` table describes `referralCode`, `referredBy`, `points.{total,available,used,level}`, and `referralStats.{totalReferrals,activeReferrals,totalEarned}`. These fields **do not exist** in `backend/src/models/User.ts` (line count stops at 201; no referral or points subdocuments). The associated unique/sparse indexes are also absent.
### 2.4 Authentication requirements (post-remediation drift)
Several endpoints in `Payment API.md` were documented as **unauthenticated** but the code now enforces `authenticateToken` (and in some cases `authorizeRoles`):
| Endpoint | Doc auth | Code auth | Fix applied |
|---|---|---|---|
| `POST /api/payment/decentralized/save` | No | Bearer JWT + ownership | ✅ Updated doc |
| `PUT /api/payment/decentralized/update` | No | Bearer JWT + ownership | ✅ Updated doc |
| `GET /api/payment/decentralized/history/:userId` | No | Bearer JWT + `requireOwnershipOrAdmin` | ✅ Updated doc |
| `POST /api/payment/decentralized/verify/:paymentId` | No | Bearer JWT + ownership | ✅ Updated doc |
| `POST /api/payment/decentralized/verify-all-pending` | No (cron) | Bearer JWT + `admin` | ✅ Updated doc |
Additionally, the legacy `routes.ts` marketplace router applies `authenticateToken` globally, but `app.ts` mounts the **controller router** (`controllerRoutes.ts`) which exposes public read endpoints. The docs correctly describe the controller-router behaviour.
### 2.5 Rate limiting
All architecture and API docs stated rate limiting was **disabled** (`app.ts:227`). After remediation it is **enabled** with four tiers:
- Global: 100 req / 15 min
- Auth: 10 req / 15 min
- Payment: 30 req / 15 min
- AI: 20 req / 15 min
### 2.6 Socket.IO authentication
Docs described Socket.IO as an open real-time channel. In reality `app.ts` now enforces:
- JWT verification on every connection (`io.use(jwt.verify(...))`).
- Strict room-membership checks (`join-user-room`, `join-request-room`, `join-chat-room`, etc.) that reject cross-user or unauthorized joins.
### 2.7 Passkey hardening
`passkeyService.ts` now implements:
- Single-use challenge consumption (`consumeChallenge` deletes immediately after read).
- 5-minute challenge TTL with periodic cleanup.
- Explicit expiry error messages.
- This was not documented in the Security Architecture or Authentication API docs.
### 2.8 Endpoint path errors in flow docs
- `Payment Flow - DePay & Web3.md` referenced `POST /api/payment/decentralized/create` which **does not exist**; the actual endpoint is `POST /api/payment/decentralized/save`.
- Same doc referenced `POST /api/payment/decentralized/verify` which **does not exist**; the actual endpoint is `POST /api/payment/decentralized/verify/:paymentId`.
### 2.9 Backend Architecture route table omissions
The original table:
- Listed `/api/payment/payout` as a top-level mount; it is actually nested under `/api/payment/shkeeper/payout*`.
- Listed `/api/file`; the actual mount is `/api/files`.
- Omitted `/api/trezor`, `/api/email`, `/api/payment/decentralized`, and `/api/payment/request-network`.
---
## 3. Fixes Applied
### Data Models
1. **`Payment.md`**
- Expanded `provider` enum to match code (`request.network`, `request-network`).
- Expanded `escrowState` enum to include `cancelled`, `partial`.
- Added Request Network metadata fields to the schema table.
- Updated "Status model" prose to include `confirmed` and `processing`.
2. **`User.md`**
- Added `[!warning]` blocks on `referralCode`, `referredBy`, `points`, and `referralStats` fields marking them as **not yet implemented**.
- Corrected index line references and added a note about missing indexes.
3. **`Dispute.md`**
- Added a prominent `[!warning]` that `backend/src/models/Dispute.ts` does not exist and the schema reflects intended design only.
4. **`Data Model Overview.md`**
- Added a scope warning listing documented models that lack Mongoose schema files.
- Noted the two undocumented models that exist in code (`FundsLedgerEntry.ts`, `TrezorAccount.ts`).
### API Reference
5. **`API Overview.md`**
- Rewrote "Rate limiting" section to describe the four active tiers.
- Rewrote "Real-time channel" section to document Socket.IO JWT enforcement and room-membership checks.
- Marked `Dispute API`, `Blog API`, `Admin API`, and `Points API` as "planned, not yet implemented".
6. **`Payment API.md`**
- Updated auth requirements for all decentralized endpoints to reflect `authenticateToken` enforcement.
- Updated status/escrowState enums.
7. **`Dispute API.md`**
- Added a top-level `[!warning]` that the module is not implemented.
- Rewrote introductory sentences to use conditional language ("would be", "planned").
### Architecture
8. **`Backend Architecture.md`**
- Updated middleware chain note: rate limiting is now enabled.
- Updated route table to reflect actual mounts, mark missing services, and add omitted routes (`/api/files`, `/api/trezor`, `/api/email`, `/api/payment/decentralized`, `/api/payment/request-network`).
- Changed solid dependency arrows from `dispute` and `points` to dotted lines in the Mermaid diagram to indicate planned-but-not-implemented status.
9. **`Security Architecture.md`**
- Updated "Rate limiting & abuse" section to reflect enabled tiers.
- Checked off "Enable rate-limit middleware" and "Enforce Socket.IO JWT authentication" in the hardening checklist.
### Flows
10. **`Escrow Flow.md`**
- Updated `escrowState` enum prose to include `cancelled` and `partial`.
- Added `Cancelled` state to the Mermaid state diagram.
11. **`Dispute Flow.md`**
- Added a `[!warning]` block next to backend file references stating none exist.
12. **`Payment Flow - DePay & Web3.md`**
- Changed `POST /api/payment/decentralized/create``POST /api/payment/decentralized/save` with auth note.
- Changed `POST /api/payment/decentralized/verify``POST /api/payment/decentralized/verify/:paymentId` with auth note.
### Changelog
13. **`nick-doc/00 - Overview/Introduction.md`**
- Inserted a 2026-05-24 audit-remediation callout at the top summarising auth enforcement, rate limiting, passkeys, Web3 verification, Socket.IO auth, and dispute status.
---
## 4. Remaining Gaps
The following items were identified but **not fully resolved** (out of scope for a pure doc-alignment task or require code implementation):
1. **Missing models still documented**`Dispute`, `BlogPost`, `Review`, `PointTransaction`, `LevelConfig`, and `ShopSettings` remain in the docs with warnings. A future subtask should either implement the models or move the docs to a "Planned" archive folder.
2. **Missing services still documented**`Dispute API`, `Blog API`, `Admin API`, `Points API` still have markdown pages. Same recommendation as above.
3. **User referral/points fields** — The `User.ts` schema is missing the documented referral and points subdocuments. Either the schema needs to be extended or the fields should be removed from `User.md` once a final product decision is made.
4. **Frontend docs not audited** — This subtask focused on backend alignment. `nick-doc/05 - Design System/` and `frontend/src/` docs were not reviewed.
5. **OpenAPI / generated spec** — The `openapi.json` referenced in `Backend Architecture.md` was not regenerated or audited.
6. **`FundsLedgerEntry` & `TrezorAccount`** — These models exist in `backend/src/models/` but have no documentation notes yet. They should be added to `Data Model Overview.md` in a future pass.
---
## 5. Acceptance Criteria Verification
| Criterion | Status | Evidence |
|---|---|---|
| Data model enums in docs match backend models | ✅ | `Payment.md` provider & escrowState enums aligned; `User.md` enum values verified against `User.ts`. |
| API reference auth requirements reflect post-remediation state | ✅ | Decentralized payment endpoints now correctly list `Bearer JWT`; rate limiting section updated. |
| Flow docs do not describe unauthenticated financial endpoints | ✅ | DePay flow updated to show auth on `save` and `verify/:paymentId`. |
| Report file created | ✅ | This file. |
| No incorrect references to non-existent dispute modules remain | ✅ | All dispute references now carry `[!warning]` blocks and conditional language. |
---
*End of report.*

View File

@@ -1,6 +1,6 @@
# Task 2: Implement platform audit remediation plan
Status: pending
Status: done
Priority: high
Source PRD: `.taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md`
@@ -8,10 +8,10 @@ Address the code-backed security and consistency issues identified in the 2026-0
Subtasks:
1. Secure unauthenticated endpoints and owner enforcement.
2. Re-enable and scope rate limiting.
3. Replace stubbed passkey/WebAuthn flow.
4. Strengthen DePay/Web3 payment verification.
5. Lock Socket.IO room joins to authenticated context.
6. Enforce dispute hold before payout and release operations.
7. Align documentation, API references, and runtime enums.
1. Secure unauthenticated endpoints and owner enforcement.
2. Re-enable and scope rate limiting.
3. Replace stubbed passkey/WebAuthn flow.
4. Strengthen DePay/Web3 payment verification.
5. Lock Socket.IO room joins to authenticated context.
6. Enforce dispute hold before payout and release operations.
7. Align documentation, API references, and runtime enums.