docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
This commit is contained in:
Siavash Sameni
2026-05-24 11:16:29 +04:00
parent b824ca0435
commit 4cf5c49274
74 changed files with 5964 additions and 81 deletions


@@ -176,12 +176,13 @@ See [[Environment Variables]] for the catalog.
## 9. Rate limiting & abuse
- Backend has `express-rate-limit` ready but currently disabled (`app.ts:227`).
- Recommended pre-launch settings:
- `/api/auth/*` — 10 req / 5 min / IP
- `/api/auth/login`5 req / 5 min / IP **and** /email
- global API100 req / 15 min / IP (current default constants)
- Counters stored in Redis when enabled.
- Rate limiting is **enabled** as of 2026-05-24 (`app.ts`).
- Active tiers:
- `/api/auth/*` — 10 req / 15 min / IP
- `/api/payment/*`30 req / 15 min / IP
- `/api/ai/*`20 req / 15 min / IP
- global API — 100 req / 15 min / IP (skips `/health` and Request-Network webhooks)
- Counters are in-memory (Redis adapter planned for distributed deploys).
- For chat and notifications, debounce at the client to avoid spamming legitimate emits.
---
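Review bot: the new tier list silently drops the per-email dimension the old recommendation had for `/api/auth/login` (`5 req / 5 min / IP **and** /email`) and widens the auth window from 5 to 15 minutes; if that is the intended state of the backend, say so in the section, because per-IP-only limiting leaves per-account throttling of login unaddressed and a reader diffing the two versions will otherwise assume the per-email limit was lost by accident. Two more sentences would make the section accurate rather than just current: with counters in-memory, each backend process keeps its own counts, so the effective limit scales with the number of instances until the planned Redis adapter lands; and the exemption for Request-Network webhooks should state what protects that path instead, since the line only says it is skipped.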
@@ -206,7 +207,8 @@ The codebase currently uses `morgan` (HTTP access logs) and ad-hoc `logger.info/
## 12. Hardening checklist (pre-launch)
- [ ] Enable rate-limit middleware
- [x] Enable rate-limit middleware (done 2026-05-24)
- [x] Enforce Socket.IO JWT authentication (done 2026-05-24)
- [ ] Promote refresh tokens to `httpOnly` cookies
- [ ] Replace `localhost` passkey RP ID with production domain
- [ ] Disable `NEXT_PUBLIC_IS_DEVELOPMENT=true` and `ENABLE_DEBUG=true` in prod build
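Review bot: checking off `Enable rate-limit middleware` leaves no open item for the caveat section 9 of this same patch introduces (`Counters are in-memory (Redis adapter planned for distributed deploys)`); add an unchecked entry such as `- [ ] Move rate-limit counters to Redis before multi-instance deploy` so the checklist still tracks it. The new `Enforce Socket.IO JWT authentication` line also lacks the file pointer the rate-limit line carries (`app.ts`); adding one keeps the done items verifiable against the code.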