docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
This commit is contained in:
Siavash Sameni
2026-05-24 11:16:29 +04:00
parent b824ca0435
commit 4cf5c49274
74 changed files with 5964 additions and 81 deletions

View File

@@ -117,17 +117,22 @@ The full route table mounted by `app.ts`:
| `/api/marketplace/templates` | `services/marketplace/controllerRoutes.ts` | JWT (seller) | RequestTemplate CRUD |
| `/api/marketplace/categories` | `services/marketplace/controllerRoutes.ts` | public read | Category list |
| `/api/marketplace/shop-settings` | `services/marketplace/shopSettingsController.ts` | JWT (seller) | Shop profile |
| `/api/payment` | `services/payment/paymentRoutes.ts` | JWT | Payment intent, status |
| `/api/payment/shkeeper/webhook` | `services/payment/shkeeper/shkeeperWebhook.ts` | HMAC | Inbound from gateway |
| `/api/payment/payout` | `services/payment/shkeeper/shkeeperPayoutService.ts` | JWT (seller/admin) | Withdraw to wallet |
| `/api/payment` | `services/payment/paymentControllerRoutes.ts` + `paymentRoutes.ts` | JWT | Payment CRUD, health, export |
| `/api/payment/decentralized` | `services/payment/decentralizedPaymentRoutes.ts` | mixed | Web3 save, verify, receiver |
| `/api/payment/shkeeper` | `services/payment/shkeeper/shkeeperRoutes.ts` | mixed | Intents, webhook, release, refund, config |
| `/api/payment/shkeeper/payout` | `services/payment/shkeeper/shkeeperPayoutRoutes.ts` | JWT (seller/admin) | Withdraw to wallet |
| `/api/payment/request-network` | `services/payment/requestNetwork/requestNetworkRoutes.ts` | HMAC | Request Network webhooks |
| `/api/chat` | `services/chat/chatRoutes.ts` | JWT | Conversations, messages |
| `/api/notification` | `services/notification/notificationRoutes.ts` | JWT | List, mark read |
| `/api/dispute` | `services/dispute/disputeRoutes.ts` | JWT | Open, evidence, resolve |
| `/api/blog` | `services/blog/blogRoutes.ts` | mixed | Public read, admin write |
| `/api/admin` | `services/admin/adminRoutes.ts` | JWT (admin) | Mod operations |
| `/api/points` | `services/points/pointsRoutes.ts` | JWT | Balance, redemption |
| `/api/notification` | `services/notification/notificationRoutes.ts` + `notificationControllerRouter` | JWT | List, mark read |
| `/api/dispute` | `services/dispute/disputeRoutes.ts` | JWT | **Not implemented** — planned |
| `/api/blog` | `services/blog/blogRoutes.ts` | mixed | **Not implemented** — planned |
| `/api/admin` | `services/admin/adminRoutes.ts` | JWT (admin) | **Not implemented** — planned |
| `/api/points` | `services/points/pointsRoutes.ts` | JWT | **Not implemented** — planned |
| `/api/ai` | `services/ai/aiRoutes.ts` | JWT | OpenAI-backed helpers |
| `/api/file` | `services/file/fileRoutes.ts` | JWT | Multipart upload |
| `/api/files` | `services/file/fileRoutes.ts` | JWT | Multipart upload |
| `/api/email` | `services/email/emailRoutes.ts` | JWT | Email dispatch |
| `/api/trezor` | `services/trezor/trezorRoutes.ts` | JWT | Trezor hardware-wallet ops |
| `/api/users` | `services/user/userRoutes.ts` | JWT | Legacy user profile routes |
Full per-endpoint details → [[03 - API Reference/API Overview]] and the service-specific reference docs.
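Review bot: the new `/api/payment/shkeeper` row folds the previously explicit `HMAC` entry for `/api/payment/shkeeper/webhook` into an auth column that only says `mixed`, so a reader can no longer tell which sub-routes (intents, release, refund, config) are JWT-gated and which accept gateway-signed calls; the same applies to the `/api/payment/decentralized` row. Either keep the HMAC webhook as its own row, as `/api/payment/request-network` still is, or add a footnote per `mixed` row naming the unauthenticated and HMAC-verified paths. Separately, the four rows now marked `**Not implemented** — planned` still sit under the heading "The full route table mounted by `app.ts`" and still carry a file path and an auth tier; moving them to a short "Planned" list would keep the mounted-route table verifiable against `app.ts`.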
@@ -179,10 +184,10 @@ flowchart TB
pay --> market
pay --> notify
pay --> socket
dispute --> market
dispute --> chat
dispute --> notify
points --> notify
dispute -.-> market
dispute -.-> chat
dispute -.-> notify
points -.-> notify
notify --> socket
notify --> email
```
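Review bot: the `dispute` and `points` edges switch from `-->` to `-.->` but the flowchart has no legend saying that dashed edges mean planned, unmounted modules, which is what the route table in this same commit states; add a one-line legend below the diagram (or a `%%` comment in the Mermaid source) so the dotted style is not read as optional or conditional runtime calls.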

View File

@@ -176,12 +176,13 @@ See [[Environment Variables]] for the catalog.
## 9. Rate limiting & abuse
- Backend has `express-rate-limit` ready but currently disabled (`app.ts:227`).
- Recommended pre-launch settings:
- `/api/auth/*` — 10 req / 5 min / IP
- `/api/auth/login`5 req / 5 min / IP **and** /email
- global API100 req / 15 min / IP (current default constants)
- Counters stored in Redis when enabled.
- Rate limiting is **enabled** as of 2026-05-24 (`app.ts`).
- Active tiers:
- `/api/auth/*` — 10 req / 15 min / IP
- `/api/payment/*`30 req / 15 min / IP
- `/api/ai/*`20 req / 15 min / IP
- global API — 100 req / 15 min / IP (skips `/health` and Request-Network webhooks)
- Counters are in-memory (Redis adapter planned for distributed deploys).
- For chat and notifications, debounce at the client to avoid spamming legitimate emits.
---
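Review bot: the previous per-account login tier (`/api/auth/login` 5 req / 5 min / IP and per email) is dropped without a replacement, leaving only the per-IP `/api/auth/*` tier (10 req / 15 min / IP); state whether the per-email limit was intentionally abandoned, since an IP-only counter does not bound attempts against a single account spread across many source addresses. "Counters are in-memory" should also say that each process keeps its own counters, so under N instances the effective limit is N times the documented value until the planned Redis adapter lands, and the skip for Request-Network webhooks deserves a note that those paths rely on HMAC verification rather than rate limiting.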
@@ -206,7 +207,8 @@ The codebase currently uses `morgan` (HTTP access logs) and ad-hoc `logger.info/
## 12. Hardening checklist (pre-launch)
- [ ] Enable rate-limit middleware
- [x] Enable rate-limit middleware (done 2026-05-24)
- [x] Enforce Socket.IO JWT authentication (done 2026-05-24)
- [ ] Promote refresh tokens to `httpOnly` cookies
- [ ] Replace `localhost` passkey RP ID with production domain
- [ ] Disable `NEXT_PUBLIC_IS_DEVELOPMENT=true` and `ENABLE_DEBUG=true` in prod build
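Review bot: the two items ticked as done on 2026-05-24 cite only a date, whereas the section previously anchored the rate-limit claim to `app.ts:227`; add the file and middleware location to each completed item (rate limiter registration, Socket.IO JWT handshake check) so the checklist stays auditable against the code rather than the commit history.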