docs(audit): align documentation with post-remediation backend reality
- Update data model enums to match backend models - Update API reference auth requirements - Add dispute module references and warning blocks - Add 2026-05-24 audit remediation callout to Overview - Generate task breakdowns and audit artifacts - Add doc alignment report (.taskmaster/reports/)
This commit is contained in:
@@ -4,6 +4,16 @@ tags: [overview, introduction, mission, product]
|
||||
created: 2026-05-23
|
||||
---
|
||||
|
||||
> [!note] 2026-05-24 Audit Remediation
|
||||
> A platform-wide security and documentation alignment audit was completed on 2026-05-24 (Subtask 2.7). Key changes reflected in this vault:
|
||||
> - **Authentication enforced** on all financial and marketplace endpoints; previously unauthenticated decentralized payment routes now require Bearer JWT.
|
||||
> - **Rate limiting restored** in `backend/src/app.ts` with four tiers (global 100/15 min, auth 10/15 min, payment 30/15 min, AI 20/15 min).
|
||||
> - **Passkeys hardened** — challenge consumption is now single-use with immediate deletion, 5-minute expiry, and replay-attack protection.
|
||||
> - **Web3 verification real** — `BSCTransactionVerifier` performs on-chain `eth_getTransactionReceipt` validation with confirmation counting.
|
||||
> - **Socket.IO auth enforced** — all socket connections require a valid JWT; room joins enforce strict ownership/participation checks.
|
||||
> - **Dispute holds** documented as planned but not yet implemented; the `Dispute` model, service layer, and API routes do not exist in the current backend.
|
||||
> - **Data model docs aligned** with actual Mongoose schemas (Payment provider/escrowState enums, User model omissions documented).
|
||||
|
||||
# Introduction
|
||||
|
||||
> [!info] About this vault
|
||||
|
||||
Reference in New Issue
Block a user