docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
35
Taskmaster/Tasks/task-1-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "1.1"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: []
|
||||
parent_id: "1"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 1.1 - Fix Security Architecture email/password sequence
|
||||
|
||||
- [x] 1.1 - Fix Security Architecture email/password sequence #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 1.1 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | None |
|
||||
| Parent | 1 - Stabilize Mermaid diagram rendering across documentation vault |
|
||||
|
||||
## Description
|
||||
|
||||
Normalize parser-sensitive sequence text in 01 - Architecture/Security Architecture.md.
|
||||
|
||||
## Details
|
||||
|
||||
Avoid semicolons and ambiguous inline punctuation in sequence messages.
|
||||
|
||||
## Verification
|
||||
|
||||
mmdc parse for the specific block.
|
||||
35
Taskmaster/Tasks/task-1-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "1.2"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: []
|
||||
parent_id: "1"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 1.2 - Fix authentication login and refresh diagrams
|
||||
|
||||
- [x] 1.2 - Fix authentication login and refresh diagrams #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 1.2 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | None |
|
||||
| Parent | 1 - Stabilize Mermaid diagram rendering across documentation vault |
|
||||
|
||||
## Description
|
||||
|
||||
Normalize parser-sensitive token and refresh-token sequence text in Authentication Flow.
|
||||
|
||||
## Details
|
||||
|
||||
Split method-like or expression-like message text into parser-safe plain text lines.
|
||||
|
||||
## Verification
|
||||
|
||||
mmdc parse for both Authentication Flow blocks.
|
||||
35
Taskmaster/Tasks/task-1-3.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "1.3"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: []
|
||||
parent_id: "1"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 1.3 - Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams
|
||||
|
||||
- [x] 1.3 - Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-3
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 1.3 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | None |
|
||||
| Parent | 1 - Stabilize Mermaid diagram rendering across documentation vault |
|
||||
|
||||
## Description
|
||||
|
||||
Clean the remaining Mermaid sequence diagrams with invalid or ambiguous syntax.
|
||||
|
||||
## Details
|
||||
|
||||
Split multi-recipient arrows, remove parser-conflicting semicolon/expression text, and keep intent unchanged.
|
||||
|
||||
## Verification
|
||||
|
||||
Full vault mmdc parser sweep across all Mermaid blocks.
|
||||
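Review bot: The Verification section checks only that the diagrams parse, while Details promises to "keep intent unchanged" when splitting multi-recipient arrows. A parser sweep still passes if a split reorders or drops a message in the OAuth or dispute sequence, so add a review step that compares participants and message order before and after for each edited diagram.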
35
Taskmaster/Tasks/task-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "1"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: []
|
||||
parent_id: ""
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 1 - Stabilize Mermaid diagram rendering across documentation vault
|
||||
|
||||
- [x] 1 - Stabilize Mermaid diagram rendering across documentation vault #taskmaster #priority/medium #status/done 🔼 🆔 tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 1 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | None |
|
||||
| Parent | None |
|
||||
|
||||
## Description
|
||||
|
||||
Correct Mermaid syntax/rendering issues across the documentation vault and validate all Mermaid blocks.
|
||||
|
||||
## Details
|
||||
|
||||
Source PRD: .taskmaster/docs/prd-mermaid-diagram-rendering-stabilization.md. Scope covered 57 Mermaid blocks and 11 failing blocks. The source PRD records that all targeted files now pass mmdc parse validation and the full vault sweep passes.
|
||||
|
||||
## Verification
|
||||
|
||||
Run the same mmdc-based syntax validation across all Markdown Mermaid blocks and confirm zero parser failures in Obsidian/markdown previews.
|
||||
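Review bot: Verification asks for zero parser failures in Obsidian/markdown previews, but Details only records that the targeted files pass mmdc parse validation and that the full vault sweep passes. Either record the preview check as performed (Obsidian renders with its own bundled Mermaid, which may differ from the mmdc version) or narrow the Verification text to what was actually run.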
35
Taskmaster/Tasks/task-2-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.1"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.1 - Secure unauthenticated endpoints and owner enforcement
|
||||
|
||||
- [x] 2.1 - Secure unauthenticated endpoints and owner enforcement #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.1 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Require authenticateToken and owner/admin checks on exposed payment, AI, and legacy notification routes.
|
||||
|
||||
## Details
|
||||
|
||||
Derive notification userId from authenticated principal. Protect payment history and mutation endpoints. Restrict AI calls to authenticated users with per-user budgets. Add denied-access audit logs.
|
||||
|
||||
## Verification
|
||||
|
||||
Unauthorized callers receive 401/403; users cannot access or mutate other users' payments/notifications; admins retain authorized access.
|
||||
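Review bot: Verification covers 401/403 responses and cross-user access, but two items in Details have no acceptance check: the per-user AI budgets and the denied-access audit logs. Add criteria for both, for example that a user who exhausts the budget is refused and that each denied request on these routes produces an audit record naming the authenticated principal and the route.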
35
Taskmaster/Tasks/task-2-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.2"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["1"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.2 - Re-enable and scope rate limiting
|
||||
|
||||
- [x] 2.2 - Re-enable and scope rate limiting #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-2 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.2 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Restore global and route-tiered rate limits for public-sensitive paths.
|
||||
|
||||
## Details
|
||||
|
||||
Use stricter limits for auth, financial, AI, file upload, and verification paths. Keep public reads at relaxed limits. Add observability for 429 spikes.
|
||||
|
||||
## Verification
|
||||
|
||||
Exercise configured limits per tier and confirm expected 429 responses without blocking ordinary reads.
|
||||
35
Taskmaster/Tasks/task-2-3.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.3"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["1"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.3 - Replace stubbed passkey/WebAuthn flow
|
||||
|
||||
- [x] 2.3 - Replace stubbed passkey/WebAuthn flow #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-3 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.3 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Implement production-grade WebAuthn registration/authentication and shared challenge storage.
|
||||
|
||||
## Details
|
||||
|
||||
Use real attestation/assertion verification, Redis-backed TTL challenges, refresh-token persistence/rotation, and deterministic malformed/reused/expired challenge errors.
|
||||
|
||||
## Verification
|
||||
|
||||
Registration, login, replay, expired challenge, and refresh-token continuity tests pass.
|
||||
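Review bot: Details requires deterministic errors for malformed, reused and expired challenges, but the Verification list names only replay and expired challenge, so the malformed case is untested. Add it, and since Details also calls for refresh-token rotation, state whether "refresh-token continuity" includes presenting an already rotated token and seeing it refused.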
35
Taskmaster/Tasks/task-2-4.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.4"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["1"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.4 - Strengthen DePay/Web3 payment verification
|
||||
|
||||
- [x] 2.4 - Strengthen DePay/Web3 payment verification #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-4 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.4 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Verify transaction recipient, token contract, and amount, not only receipt success.
|
||||
|
||||
## Details
|
||||
|
||||
Decode ERC-20 Transfer logs, compare recipient against escrow address, validate token contract and decimals-adjusted minimum amount, store verifier evidence and idempotency fingerprint.
|
||||
|
||||
## Verification
|
||||
|
||||
Reject successful but wrong-recipient/wrong-token/underpaid tx hashes; accept only matching transfers.
|
||||
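Review bot: Details adds an idempotency fingerprint, but Verification never exercises it: all three rejection cases concern a wrong recipient, token or amount. Add a case where a tx hash that already settled one payment is submitted against a second one and is refused. Details also does not say which chain the receipt is read from or how many confirmations are required; state both if the verifier enforces them.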
35
Taskmaster/Tasks/task-2-5.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.5"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: ["1"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.5 - Lock Socket.IO room joins to authenticated context
|
||||
|
||||
- [x] 2.5 - Lock Socket.IO room joins to authenticated context #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-5 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.5 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Remove trust in client-supplied user/buyer/seller room IDs.
|
||||
|
||||
## Details
|
||||
|
||||
Validate socket handshake token, derive server-side room membership, reject mismatched joins, and monitor suspicious join attempts.
|
||||
|
||||
## Verification
|
||||
|
||||
A user cannot subscribe to another user's rooms; legitimate realtime notifications still arrive.
|
||||
35
Taskmaster/Tasks/task-2-6.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.6"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: ["1", "4"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.6 - Enforce dispute hold before payout and release operations
|
||||
|
||||
- [x] 2.6 - Enforce dispute hold before payout and release operations #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-6 ⛔ tm-1 ⛔ tm-4
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.6 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | 1, 4 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Add payment hold state and central release/refund guards that block disputed funds.
|
||||
|
||||
## Details
|
||||
|
||||
Introduce explicit dispute hold fields or state, enforce in PaymentCoordinator and payout/release services, return clear 409/423 responses, and backfill/report blocked payments.
|
||||
|
||||
## Verification
|
||||
|
||||
Open dispute blocks release/refund until resolved or explicitly overridden through authorized path.
|
||||
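Review bot: The "explicitly overridden through authorized path" in Verification has no counterpart in Details, which describes the hold state and the guards but not who may override a hold or how that is recorded. Define the override role and require an audit entry for each use. Details also says "return clear 409/423 responses" without saying which condition maps to which code; pick one per condition so clients and tests can rely on it.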
35
Taskmaster/Tasks/task-2-7.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2.7"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: ["1", "2", "3", "4", "5", "6"]
|
||||
parent_id: "2"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2.7 - Align documentation, API references, and runtime enums
|
||||
|
||||
- [x] 2.7 - Align documentation, API references, and runtime enums #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-7 ⛔ tm-1 ⛔ tm-2 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2.7 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | 1, 2, 3, 4, 5, 6 |
|
||||
| Parent | 2 - Implement platform audit remediation plan |
|
||||
|
||||
## Description
|
||||
|
||||
Normalize disputed/payment/request status docs and implementation references after security behavior changes.
|
||||
|
||||
## Details
|
||||
|
||||
Resolve mismatch around absent dispute module, endpoint names, status enums, and action names across Data Models, API Reference, and Flows.
|
||||
|
||||
## Verification
|
||||
|
||||
Docs match implemented routes, models, enum values, and state transitions.
|
||||
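Review bot: The dependency list here renders as tm-1 through tm-6, which makes task 2.7 blocked by tm-2, its own parent, and by top-level tasks 3 to 6. If depends_on: ["1", "2", "3", "4", "5", "6"] is meant as sibling subtasks 2.1 to 2.6, write them fully qualified as the task-3-*.md files do (for example depends_on: ["3.8", "3.9"] rendering as tm-3-8 and tm-3-9). The same bare-number pattern starts in task-2-2.md, where "1" renders as tm-1, the Mermaid task, and should be fixed in the generator rather than per file.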
35
Taskmaster/Tasks/task-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "2"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: ""
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 2 - Implement platform audit remediation plan
|
||||
|
||||
- [x] 2 - Implement platform audit remediation plan #taskmaster #priority/high #status/done ⏫ 🆔 tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 2 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | None |
|
||||
|
||||
## Description
|
||||
|
||||
Address the code-backed security and consistency issues identified in the 2026-05-24 platform audit remediation PRD.
|
||||
|
||||
## Details
|
||||
|
||||
Source PRD: .taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md. Target backend hardening first, then documentation/runtime alignment. Delivery order suggested by PRD: security/auth, rate limiting, passkeys, Web3 verification, socket hardening, dispute hold controls, docs/API alignment.
|
||||
|
||||
## Verification
|
||||
|
||||
Add focused regression tests for route auth/ownership, passkey challenge/verification, Web3 verification semantics, socket authorization, rate limiting tiers, and payout/release dispute holds. Update API docs after behavior is implemented.
|
||||
35
Taskmaster/Tasks/task-3-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.1"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.1 - Define provider-neutral payment contracts and adapter
|
||||
|
||||
- [x] 3.1 - Define provider-neutral payment contracts and adapter #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.1 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Create provider-agnostic payment interface with pay-in, webhook, payout/refund instruction creation, status lookup, and search methods.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-10.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.10"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.8", "3.9"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.10 - Update release/refund APIs and marketplace release paths
|
||||
|
||||
- [x] 3.10 - Update release/refund APIs and marketplace release paths #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-10 ⛔ tm-3-8 ⛔ tm-3-9
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.10 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.8, 3.9 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Refactor release routes to consume ledger state and provider-neutral contracts; deprecate direct simulation where possible.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-11.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.11"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.6", "3.8", "3.9", "3.10"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.11 - Add comprehensive observability, runbooks, and incident controls
|
||||
|
||||
- [x] 3.11 - Add comprehensive observability, runbooks, and incident controls #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-11 ⛔ tm-3-6 ⛔ tm-3-8 ⛔ tm-3-9 ⛔ tm-3-10
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.11 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.6, 3.8, 3.9, 3.10 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Track webhook latency, ledger imbalance, release failures, and reconciliation lag with alerts, on-call runbooks, and rollback procedures.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-12.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.12"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.6", "3.10", "3.11"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.12 - Add end-to-end integration, migration, and rollback test suites
|
||||
|
||||
- [x] 3.12 - Add end-to-end integration, migration, and rollback test suites #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-12 ⛔ tm-3-6 ⛔ tm-3-10 ⛔ tm-3-11
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.12 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.6, 3.10, 3.11 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Cover backend contract tests, provider fixture tests, UI acceptance, rollout simulation, DRYRUN migration, and release rollback rehearsals.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.2"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.1"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.2 - Implement provider configuration, feature flags, and safe rollback
|
||||
|
||||
- [x] 3.2 - Implement provider configuration, feature flags, and safe rollback #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-2 ⛔ tm-3-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.2 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.1 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Add runtime provider selection, rollout controls, env validation, and one-command kill-switch to revert to SHKeeper.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-3.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.3"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.1"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.3 - Create internal funds and payment ledger model
|
||||
|
||||
- [x] 3.3 - Create internal funds and payment ledger model #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-3 ⛔ tm-3-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.3 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.1 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Define FundsAccount, immutable LedgerEntry, and balance/query views for expected/held/releasable/released/refunded/disputed states.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-4.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.4"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.3"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.4 - Build migration and indexing plan for existing SHKeeper records
|
||||
|
||||
- [x] 3.4 - Build migration and indexing plan for existing SHKeeper records #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-4 ⛔ tm-3-3
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.4 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.3 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Add DB indexes for payment/provider fields and run backfill to produce a migration report with skipped/failed/ambiguous historical entries.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-5.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.5"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.2"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.5 - Implement Request Network pay-in intent and secure payment pages
|
||||
|
||||
- [x] 3.5 - Implement Request Network pay-in intent and secure payment pages #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-5 ⛔ tm-3-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.5 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.2 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Add Request Network intent/service layer, secure payment URLs, and validation of network/currency/reference/amount before setting paid state.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-6.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.6"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.2"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.6 - Implement signed Request Network webhook intake
|
||||
|
||||
- [x] 3.6 - Implement signed Request Network webhook intake #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-6 ⛔ tm-3-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.6 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.2 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Build /api/payment/request-network/webhook with raw-body signature verification, idempotent delivery handling, and immutable event audit rows.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
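Review bot: This task is marked status "done" at priority high while Verification reads "_No verification strategy._", so nothing in the file shows the webhook controls were tested. List the checks the Description implies: a request with a missing or invalid signature is rejected, the signature is computed over the raw body and not a re-serialized one, a redelivered event is processed once, and audit rows cannot be updated after insert. The same placeholder appears in every task-3-*.md file added by this commit and needs the same treatment.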
35
Taskmaster/Tasks/task-3-7.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.7"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.5", "3.6"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.7 - Implement reconciliation and repair jobs
|
||||
|
||||
- [x] 3.7 - Implement reconciliation and repair jobs #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-7 ⛔ tm-3-5 ⛔ tm-3-6
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.7 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.5, 3.6 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Add periodic Request Network payment search/reconciliation and manual replay support to fix missed or delayed events.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-8.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.8"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.5"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.8 - Replace checkout and payment UI with provider-neutral flows
|
||||
|
||||
- [x] 3.8 - Replace checkout and payment UI with provider-neutral flows #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-8 ⛔ tm-3-5
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.8 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.5 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Introduce provider-neutral payment components, remove SHKeeper walletAddress assumptions for RN, and keep legacy path only for existing SHKeeper records.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
35
Taskmaster/Tasks/task-3-9.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "3.9"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["3.3", "3.7"]
|
||||
parent_id: "3"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3.9 - Add payout/release and refund orchestration using ledger gates
|
||||
|
||||
- [x] 3.9 - Add payout/release and refund orchestration using ledger gates #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-9 ⛔ tm-3-3 ⛔ tm-3-7
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 3.9 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 3.3, 3.7 |
|
||||
| Parent | 3 - Migrate payment architecture toward Request Network and internal funds management |
|
||||
|
||||
## Description
|
||||
|
||||
Create release/refund instruction queue with signer, tx payloads, provider tx hash, and strict ledger invariants before action.
|
||||
|
||||
## Details
|
||||
|
||||
_No details._
|
||||
|
||||
## Verification
|
||||
|
||||
_No verification strategy._
|
||||
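Review bot: The Description relies on "strict ledger invariants before action", but Details is empty, so the invariants that gate a release or refund are not written down anywhere in this file. Enumerate them in Details and say how the signer is authorized and where its key is held. depends_on lists only 3.3 and 3.7; if the dispute hold from task 2.6 is one of the gates, add it as a dependency so the ordering is explicit.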
@@ -5,7 +5,7 @@ priority: "high"
|
||||
depends_on: ["2"]
|
||||
parent_id: ""
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:09:45.397Z"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 3 - Migrate payment architecture toward Request Network and internal funds management
|
||||
|
||||
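Review bot: The only change in this hunk is generated_at moving from 07:09:45.397Z to 07:15:25.199Z, so each regeneration rewrites the file with no content change and buries real edits in review. Consider having the generator leave generated_at untouched when the rest of the file is identical, or drop the field from the front matter.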
35
Taskmaster/Tasks/task-4-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.1"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.1 - Assign security ownership and launch decision criteria
|
||||
|
||||
- [x] 4.1 - Assign security ownership and launch decision criteria #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.1 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Define who owns security decisions and what must be true before public launch or migration work proceeds.
|
||||
|
||||
## Details
|
||||
|
||||
Completed. Produced 09 - Audits/Security Ownership and Launch Decision Criteria.md. Contains: RACI matrix (10 decision areas, 6 roles, fallback rules), 42-item launch safety gate checklist with Required/Strongly Recommended/Deferred classifications cross-referenced to audit findings, launch priority decision (harden first, redesign deferred), external pentest decision (yes, before public launch, with compensating controls), 12-item deferred decisions register with owners and deadlines.
|
||||
|
||||
## Verification
|
||||
|
||||
Written owner/RACI and launch gate checklist are accepted by leadership and engineering.
|
||||
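Review bot: Verification requires that the RACI and launch gate checklist "are accepted by leadership and engineering", but Details records only that the document was produced. Add who accepted it and when, or keep the status short of done until that sign-off exists.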
35
Taskmaster/Tasks/task-4-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.2"
|
||||
status: "done"
|
||||
priority: "high"
|
||||
depends_on: ["1"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.2 - Produce threat model for escrow platform
|
||||
|
||||
- [x] 4.2 - Produce threat model for escrow platform #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-2 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.2 |
|
||||
| Status | done |
|
||||
| Priority | high |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Document protected assets, actors, trust boundaries, and abuse cases for the financial marketplace.
|
||||
|
||||
## Details
|
||||
|
||||
Completed. Produced 09 - Audits/Threat Model - Amanat Escrow Platform.md. Contains: system description, 17 protected asset classes with sensitivity ratings, 11 actors with access levels and risk profiles, trust boundary diagram (Mermaid) with 10 boundary descriptions and current gaps, 23-threat catalog (T01-T23) with STRIDE categories and specific code-path references, risk summary matrix (6 Critical, 10 High, 6 Medium, 1 Low), threat-to-mitigation traceability matrix mapping 9 remediation docs to specific threats. Living document. Open verification items: Socket.IO room auth in socketService.ts, Telegram initData validation, actual lockfile versions for multer/axios/tanstack.
|
||||
|
||||
## Verification
|
||||
|
||||
Threat model maps each high-risk finding to at least one mitigation task or accepted risk.
|
||||
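Review bot: Details ends with "Open verification items: Socket.IO room auth in socketService.ts, Telegram initData validation, actual lockfile versions for multer/axios/tanstack" while the status is "done". Those three items are unverified inputs to the threat catalog, so track them as explicit tasks or accepted risks with owners instead of leaving them in the prose of a completed task. The Verification line already requires each high-risk finding to map to a mitigation task or an accepted risk, and the same standard should apply to these open items.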
35
Taskmaster/Tasks/task-4-3.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.3"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.3 - Specify funds ledger and escrow state machine
|
||||
|
||||
- [ ] 4.3 - Specify funds ledger and escrow state machine #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-3 ⛔ tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.3 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Define canonical money movement and legal state transitions before refactor or provider migration.
|
||||
|
||||
## Details
|
||||
|
||||
Create specs for FundsAccount, LedgerEntry, FundsBalance, gross paid, provider fees, platform fees, held, disputed, releasable, released, refunded, idempotency keys, reconciliation behavior, purchase request states, payment states, escrow/funds states, dispute states, valid transitions, forbidden transitions, and release/refund/admin override preconditions.
|
||||
|
||||
## Verification
|
||||
|
||||
Spec can be used to reject double-release, release-during-dispute, underfunded payout, and ambiguous provider-event scenarios.
|
||||
35
Taskmaster/Tasks/task-4-4.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.4"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.4 - Create authorization matrix for REST and Socket.IO
|
||||
|
||||
- [ ] 4.4 - Create authorization matrix for REST and Socket.IO #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-4 ⛔ tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.4 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Map every endpoint and realtime event to access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement.
|
||||
|
||||
## Details
|
||||
|
||||
Include public/authenticated/owner/buyer/seller/admin/support/service-role classifications. Socket.IO rooms must be server-derived from authenticated identity, not client-supplied user IDs.
|
||||
|
||||
## Verification
|
||||
|
||||
No route or socket event remains unmapped; implementation tasks can reference matrix rows directly.
|
||||
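Review bot: The Verification criterion "No route or socket event remains unmapped" has no stated way to check it. Require that the matrix be compared against an enumerated list of registered REST routes and Socket.IO event handlers, ideally in CI, so a newly added handler without a matrix row fails the check. The Details rule that rooms are server-derived from authenticated identity also deserves a matching negative test: a client that supplies another user's ID must not be joined to that user's room.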
35
Taskmaster/Tasks/task-4-5.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.5"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.5 - Decide session, passkey, and admin step-up architecture
|
||||
|
||||
- [ ] 4.5 - Decide session, passkey, and admin step-up architecture #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-5 ⛔ tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.5 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Choose browser session model and high-risk admin authentication requirements.
|
||||
|
||||
## Details
|
||||
|
||||
Decide localStorage versus httpOnly cookies, access/refresh token lifetimes, CSRF strategy, refresh rotation, WebAuthn requirements, OAuth requirements, device/session revocation, and whether payouts/role changes require step-up authentication or two-person approval.
|
||||
|
||||
## Verification
|
||||
|
||||
Decision record lists chosen model, rejected alternatives, migration cost, and required implementation tasks.
|
||||
35
Taskmaster/Tasks/task-4-6.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.6"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["3"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.6 - Specify webhook security and provider adapter contracts
|
||||
|
||||
- [ ] 4.6 - Specify webhook security and provider adapter contracts #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-6 ⛔ tm-3
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.6 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 3 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Define provider-neutral payment interface and signed webhook processing rules.
|
||||
|
||||
## Details
|
||||
|
||||
Document createPayInIntent, getPayInStatus, handleProviderWebhook, createHostedPaymentLink, createReleaseInstruction, createRefundInstruction, getPayoutStatus, searchProviderPayments, raw-body signature verification, replay prevention, delivery ID idempotency, duplicate/unknown event behavior, retry semantics, dead-letter/replay storage, and alert thresholds.
|
||||
|
||||
## Verification
|
||||
|
||||
Contracts cover SHKeeper legacy, Request Network, manual/admin wallet, invalid signatures, duplicate deliveries, and missed webhook reconciliation.
|
||||
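Review bot: The Verification list covers invalid signatures, duplicate deliveries, and missed webhook reconciliation, but not two behaviors that Details requires: replay prevention and unknown event handling. A duplicate delivery is caught by delivery ID idempotency. A validly signed payload that is re-sent under a new delivery ID, or long after it was issued, is a different case and needs its own acceptance scenario, as does an event type the adapter does not recognize.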
35
Taskmaster/Tasks/task-4-7.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.7"
|
||||
status: "done"
|
||||
priority: "medium"
|
||||
depends_on: ["1"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.7 - Define secure build and supply-chain policy
|
||||
|
||||
- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.7 |
|
||||
| Status | done |
|
||||
| Priority | medium |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Reduce npm/dependency compromise risk across frontend and any remaining Node services.
|
||||
|
||||
## Details
|
||||
|
||||
Completed. Produced 09 - Audits/Secure Build and Supply-Chain Policy.md. 11 sections + 3 appendices: lockfile policy (npm ci mandatory), dependency update cadence (biweekly routine, immediate security-critical), advisory monitoring with SLAs (Critical 24h, High 72h, Medium 1 week), known exposure register with 5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines, npm provenance policy, secrets rotation schedule for all 10 secret types, production build reproducibility requirements, frontend vs backend risk separation with interim policy, incident response for 3 scenarios, CI/CD enforcement checklist with Gitea Actions YAML example.
|
||||
|
||||
## Verification
|
||||
|
||||
Policy is actionable in CI and includes response steps for compromised package, leaked token, and vulnerable dependency alerts.
|
||||
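Review bot: Details describes a known exposure register with 5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines, while task-4-2.md in this same commit lists "actual lockfile versions for multer/axios/tanstack" as an open verification item. If the installed versions have not been confirmed against the lockfile, the register entries and their SLA clocks are provisional. Say so in Details, or resolve the lockfile check before marking this task done.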
35
Taskmaster/Tasks/task-4-8.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.8"
|
||||
status: "pending"
|
||||
priority: "medium"
|
||||
depends_on: ["2", "3", "4", "5", "6", "7"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.8 - Make backend-core stack decision
|
||||
|
||||
- [ ] 4.8 - Make backend-core stack decision #taskmaster #priority/medium #status/pending 🔼 🆔 tm-4-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6 ⛔ tm-7
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.8 |
|
||||
| Status | pending |
|
||||
| Priority | medium |
|
||||
| Dependencies | 2, 3, 4, 5, 6, 7 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Choose whether the security-critical backend core remains TypeScript or moves to Go/Kotlin/Rust/Python.
|
||||
|
||||
## Details
|
||||
|
||||
Evaluate team capability, two-year maintainability, operational footprint, rewrite cost, dual-stack complexity, auditability, supply-chain exposure, and which modules belong in a payment/auth/escrow core versus the existing marketplace/chat API.
|
||||
|
||||
## Verification
|
||||
|
||||
Architecture decision record states chosen stack, scope of extraction, non-goals, migration phases, rollback criteria, and owners.
|
||||
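Review bot: depends_on: ["2", "3", "4", "5", "6", "7"] is rendered on the checkbox line as ⛔ tm-2 through ⛔ tm-7, but subtask IDs in this commit are qualified (this file is 🆔 tm-4-8), and tm-4 and tm-5 are defined in task-4.md and task-5.md as top-level tasks. As written, 4.8 is blocked by its own parent (tm-4) and by the Telegram track (tm-5). If the dependencies are meant to be sibling subtasks, the generator should emit ⛔ tm-4-2 through ⛔ tm-4-7 and the Metadata table should list 4.2 through 4.7. The same unqualified form appears in the other subtask files in this commit, for example ⛔ tm-1 in task-4-2.md.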
35
Taskmaster/Tasks/task-4-9.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4.9"
|
||||
status: "pending"
|
||||
priority: "medium"
|
||||
depends_on: ["8"]
|
||||
parent_id: "4"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4.9 - Create migration and operational runbooks
|
||||
|
||||
- [ ] 4.9 - Create migration and operational runbooks #taskmaster #priority/medium #status/pending 🔼 🆔 tm-4-9 ⛔ tm-8
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4.9 |
|
||||
| Status | pending |
|
||||
| Priority | medium |
|
||||
| Dependencies | 8 |
|
||||
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
||||
|
||||
## Description
|
||||
|
||||
Document rollout, rollback, and incident response for the selected backend/funds architecture.
|
||||
|
||||
## Details
|
||||
|
||||
Include SHKeeper legacy read path, provider feature flag, ledger backfill, validation report before enforcement, rollback criteria, webhook cutoff, manual reconciliation, failed webhook, duplicate/missing payment, stuck release, disputed release attempt, compromised admin, leaked API key, provider outage, chain/RPC outage, suspicious payment proof, and npm/package compromise.
|
||||
|
||||
## Verification
|
||||
|
||||
Runbooks identify owner, trigger, detection signal, immediate action, recovery action, and post-incident documentation for each scenario.
|
||||
35
Taskmaster/Tasks/task-4.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "4"
|
||||
status: "in-progress"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: ""
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 4 - Define backend security and refactor strategy from latest audit
|
||||
|
||||
- [ ] 4 - Define backend security and refactor strategy from latest audit #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-4
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 4 |
|
||||
| Status | in-progress |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | None |
|
||||
|
||||
## Description
|
||||
|
||||
Convert the backend stack security/refactor assessment into concrete architecture decisions, documentation deliverables, and developer handoff criteria.
|
||||
|
||||
## Details
|
||||
|
||||
Source audit: .taskmaster/docs/audit-backend-stack-security-and-refactor-assessment-2026-05-24.md. This task is advisory/architecture-focused and should run in parallel with immediate hardening. It should produce the decision artifacts needed before any backend-core rewrite or provider migration is started.
|
||||
|
||||
## Verification
|
||||
|
||||
Review and sign off each architecture document with backend, payments, frontend, and operations stakeholders. Confirm every open question has an owner or explicit deferred decision before implementation work begins.
|
||||
35
Taskmaster/Tasks/task-5-1.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.1"
|
||||
status: "in-progress"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.1 - Define Telegram product surface and flow map
|
||||
|
||||
- [ ] 5.1 - Define Telegram product surface and flow map #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-5-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.1 |
|
||||
| Status | in-progress |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Document which Amanat workflows live in bot messages, which live in the Mini App, and which remain web/admin-only for first release.
|
||||
|
||||
## Details
|
||||
|
||||
Map buyer, seller, admin/support, unauthenticated, linked-user, and unlinked-user journeys. Specify deep-link entry points for request details, offer review, payment, dispute, delivery evidence, and account linking. Separate first-release scope from later enhancements and map every Telegram action to backend API/state transitions.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
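Review bot: The Verification section reads only "See Telegram-native PRD acceptance criteria.", with no path and no indication of which criteria apply to this subtask, and the same sentence is reused for 5.2 through 5.9. Cite the PRD file (task-5.md names it as .taskmaster/docs/prd-telegram-native-app-bot-wallet.md) and reference the specific criteria for this subtask, so completion can be checked per task and not only for the track as a whole.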
35
Taskmaster/Tasks/task-5-2.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.2"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["1"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.2 - Build Telegram identity linking and session model
|
||||
|
||||
- [ ] 5.2 - Build Telegram identity linking and session model #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-2 ⛔ tm-1
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.2 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 1 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Implement secure account linking between Telegram users and Amanat accounts.
|
||||
|
||||
## Details
|
||||
|
||||
Backend must verify Telegram Mini App initData before creating a Telegram session. Store an auditable Telegram user ID to Amanat user link. Support existing users, new users, unlinking, blocked accounts, duplicate-link attempts, session expiry, replay protection, rate limits, and audit logs.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
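Review bot: Details requires the backend to verify Mini App initData and lists "replay protection" and "session expiry", but does not say how long a verified initData payload stays acceptable. Add an explicit maximum age for the auth_date field, and state that initData is exchanged once for a server-issued session and is not accepted as a credential on every request, so a captured payload cannot be reused after that window. The "auditable Telegram user ID to Amanat user link" should also name which events are logged: link, unlink, and rejected duplicate-link attempts.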
35
Taskmaster/Tasks/task-5-3.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.3"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["1", "2"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.3 - Implement bot command and notification foundation
|
||||
|
||||
- [ ] 5.3 - Implement bot command and notification foundation #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-3 ⛔ tm-1 ⛔ tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.3 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 1, 2 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Create the Telegram bot backend for commands, inline keyboards, callback queries, deep links, and outbound notifications.
|
||||
|
||||
## Details
|
||||
|
||||
Support start/help/link/status/request/offer/payment/dispute/settings basics. Use short opaque IDs or signed tokens for callback payloads. Process incoming updates idempotently with rate limits. Respect notification preferences, quiet/error states, failed delivery, blocked bot, and retry observability.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
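Review bot: "Use short opaque IDs or signed tokens for callback payloads" leaves open a choice that Telegram constrains: callback_data on an inline keyboard button is limited to 64 bytes, which leaves little room for a signed token carrying a useful MAC. Prefer the opaque ID option and specify that the server-side record binds the ID to the Telegram user, the action, and an expiry, so a callback replayed by a different user or after the underlying state has changed is rejected.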
35
Taskmaster/Tasks/task-5-4.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.4"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["1", "2"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.4 - Build Telegram Mini App shell for marketplace workflows
|
||||
|
||||
- [ ] 5.4 - Build Telegram Mini App shell for marketplace workflows #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-4 ⛔ tm-1 ⛔ tm-2
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.4 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 1, 2 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Deliver the mobile-first Mini App that gives users the full Amanat workflow surface inside Telegram.
|
||||
|
||||
## Details
|
||||
|
||||
Use Telegram theme, safe-area, viewport, back button, haptics, and main/bottom button patterns. Support browsing requests, creating/editing requests, reviewing offers, payment state, evidence uploads, delivery actions, and dispute actions. Launch from bot profile, menu button, inline buttons, and direct links with startapp context. Handle unlinked accounts, expired sessions, unsupported clients, and fallback web links.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
35
Taskmaster/Tasks/task-5-5.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.5"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2", "4"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.5 - Add Telegram payment and wallet strategy
|
||||
|
||||
- [ ] 5.5 - Add Telegram payment and wallet strategy #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-5 ⛔ tm-2 ⛔ tm-4
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.5 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2, 4 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Evaluate and implement safe payment entry points for Telegram-native users without weakening escrow accounting.
|
||||
|
||||
## Details
|
||||
|
||||
Compare Bot API payments/Stars, Wallet Pay, TON Pay, TON Connect, Request Network links, and existing crypto checkout. Select a first payment path and document rejected options. Store provider, Telegram user ID, deep-link source, payment reference, invoice/order/request ID, currency, amount, expiration, and idempotency key. Wallet/TON flows must validate recipient, asset, amount, memo/reference, confirmation status, and reconciliation evidence before crediting escrow. Refund/release behavior must remain compatible with canonical ledger and dispute holds.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
35
Taskmaster/Tasks/task-5-6.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.6"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["4", "5"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.6 - Expose escrow, delivery, dispute, and release actions safely
|
||||
|
||||
- [ ] 5.6 - Expose escrow, delivery, dispute, and release actions safely #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-6 ⛔ tm-4 ⛔ tm-5
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.6 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 4, 5 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Make Telegram actions useful for real escrow work while preserving backend state authority.
|
||||
|
||||
## Details
|
||||
|
||||
Telegram users can see current escrow state, next allowed actions, and blockers. Delivery confirmation, evidence upload, refund request, dispute open/respond, and release approval must route through backend precondition checks. High-risk actions require fresh confirmation and audit logging with Telegram context. Disputed or held funds cannot be released through Telegram shortcuts.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
35
Taskmaster/Tasks/task-5-7.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.7"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2", "3", "5"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.7 - Add admin and support surface for Telegram-originated cases
|
||||
|
||||
- [ ] 5.7 - Add admin and support surface for Telegram-originated cases #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-7 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.7 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2, 3, 5 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Give support/admin users visibility and controls for Telegram-originated users, payments, and bot events.
|
||||
|
||||
## Details
|
||||
|
||||
Admin UI/API should show Telegram linked identity, bot notification status, launch source, payment provider, and wallet/payment references. Support can resend links, revoke Telegram link, block bot access, and inspect Telegram-originated events. Admin overrides must use the same step-up or two-person policy as web flows when configured.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
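Review bot: "Admin overrides must use the same step-up or two-person policy as web flows when configured" makes the control conditional, and task 4.5, which decides whether payouts and role changes require step-up authentication or two-person approval, is still pending in this commit. State what happens when no policy is configured; for Telegram-originated overrides the safer default is to refuse the override until the policy exists. The support actions listed here (resend links, revoke Telegram link, block bot access) should also be named as audit-logged.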
35
Taskmaster/Tasks/task-5-8.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.8"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["2", "3", "5", "6"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.8 - Add security, compliance, and abuse controls for Telegram
|
||||
|
||||
- [ ] 5.8 - Add security, compliance, and abuse controls for Telegram #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5 ⛔ tm-6
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.8 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 2, 3, 5, 6 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Threat-model the Telegram surface and add controls before launch.
|
||||
|
||||
## Details
|
||||
|
||||
Cover forged init data, callback replay, deep-link parameter tampering, phishing links, bot token leakage, spam, account takeover, wallet spoofing, fake payment proof, and support impersonation. Document secrets, bot webhook endpoints, Wallet Pay keys, TON Connect manifest, CORS, CSP, allowed origins, rate limits, and monitoring for update failures, abnormal callbacks, payment mismatches, blocked notifications, and suspicious wallet activity.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
35
Taskmaster/Tasks/task-5-9.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5.9"
|
||||
status: "pending"
|
||||
priority: "high"
|
||||
depends_on: ["3", "4", "5", "6", "7", "8"]
|
||||
parent_id: "5"
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5.9 - Prepare QA, rollout, analytics, and launch operations
|
||||
|
||||
- [ ] 5.9 - Prepare QA, rollout, analytics, and launch operations #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-9 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6 ⛔ tm-7 ⛔ tm-8
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5.9 |
|
||||
| Status | pending |
|
||||
| Priority | high |
|
||||
| Dependencies | 3, 4, 5, 6, 7, 8 |
|
||||
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |
|
||||
|
||||
## Description
|
||||
|
||||
Prepare the Telegram app and bot for controlled release.
|
||||
|
||||
## Details
|
||||
|
||||
Test Telegram iOS, Android, Desktop, Web, light/dark themes, compact/fullscreen modes, slow network, blocked bot, expired sessions, and payment cancellation. Keep sandbox/test bot and production bot environments separated. Roll out through feature flags, internal allowlist, beta cohort, and production enablement. Track activation, linked accounts, request creation, offer response, payment start/completion, dispute activity, release approval, and notification opt-outs. Add runbooks for bot outage, Telegram API outage, payment provider outage, stuck payment, duplicate callback, suspicious wallet proof, and compromised bot token.
|
||||
|
||||
## Verification
|
||||
|
||||
See Telegram-native PRD acceptance criteria.
|
||||
35
Taskmaster/Tasks/task-5.md
Normal file
@@ -0,0 +1,35 @@
|
||||
---
|
||||
taskmaster_id: "5"
|
||||
status: "in-progress"
|
||||
priority: "high"
|
||||
depends_on: []
|
||||
parent_id: ""
|
||||
source: "taskmaster"
|
||||
generated_at: "2026-05-24T07:15:25.199Z"
|
||||
---
|
||||
|
||||
# 5 - Deliver Telegram-native app, bot, and wallet experience
|
||||
|
||||
- [ ] 5 - Deliver Telegram-native app, bot, and wallet experience #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-5
|
||||
|
||||
## Metadata
|
||||
|
||||
| Field | Value |
|
||||
| --- | --- |
|
||||
| Taskmaster ID | 5 |
|
||||
| Status | in-progress |
|
||||
| Priority | high |
|
||||
| Dependencies | None |
|
||||
| Parent | None |
|
||||
|
||||
## Description
|
||||
|
||||
Create a Telegram bot plus Mini App surface so users can complete Amanat buyer, seller, escrow, chat, dispute, payment, release/refund, and support workflows from inside Telegram.
|
||||
|
||||
## Details
|
||||
|
||||
Source PRD: .taskmaster/docs/prd-telegram-native-app-bot-wallet.md. Keep this as a separate delivery track from security remediation and Request Network migration. Identity, bot navigation, Mini App shell, and notifications can start behind flags; wallet/payment crediting and release/refund actions must use canonical backend authorization, provider adapter, funds ledger, escrow state machine, idempotency, and dispute holds.
|
||||
|
||||
## Verification
|
||||
|
||||
Use Telegram sandbox and production bot separation, Mini App client matrix testing, provider/wallet payment fixtures, backend authorization and ledger invariant tests, webhook/callback replay tests, and staged rollout analytics before launch.
|
||||