docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
Siavash Sameni
2026-05-24 11:16:29 +04:00
parent b824ca0435
commit 4cf5c49274
74 changed files with 5964 additions and 81 deletions

Taskmaster/tasks.md Normal file

@@ -0,0 +1,57 @@
# Taskmaster Tasks
Generated from `.taskmaster/tasks/tasks.json` at 2026-05-24T07:15:25.199Z.
These lines use the Obsidian Tasks emoji format:
- standard Markdown checkbox syntax
- `#taskmaster` tag for filtering
- priority emoji where available
- `🆔` task IDs
- `⛔` dependency IDs
- [x] 1 - Stabilize Mermaid diagram rendering across documentation vault #taskmaster #priority/medium #status/done 🔼 🆔 tm-1
- [x] 1.1 - Fix Security Architecture email/password sequence #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-1
- [x] 1.2 - Fix authentication login and refresh diagrams #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-2
- [x] 1.3 - Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams #taskmaster #priority/medium #status/done 🔼 🆔 tm-1-3
- [x] 2 - Implement platform audit remediation plan #taskmaster #priority/high #status/done ⏫ 🆔 tm-2
- [x] 2.1 - Secure unauthenticated endpoints and owner enforcement #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-1
- [x] 2.2 - Re-enable and scope rate limiting #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-2 ⛔ tm-1
- [x] 2.3 - Replace stubbed passkey/WebAuthn flow #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-3 ⛔ tm-1
- [x] 2.4 - Strengthen DePay/Web3 payment verification #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-4 ⛔ tm-1
- [x] 2.5 - Lock Socket.IO room joins to authenticated context #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-5 ⛔ tm-1
- [x] 2.6 - Enforce dispute hold before payout and release operations #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-6 ⛔ tm-1 ⛔ tm-4
- [x] 2.7 - Align documentation, API references, and runtime enums #taskmaster #priority/medium #status/done 🔼 🆔 tm-2-7 ⛔ tm-1 ⛔ tm-2 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6
- [x] 3 - Migrate payment architecture toward Request Network and internal funds management #taskmaster #priority/high #status/done ⏫ 🆔 tm-3 ⛔ tm-2
- [x] 3.1 - Define provider-neutral payment contracts and adapter #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-1
- [x] 3.2 - Implement provider configuration, feature flags, and safe rollback #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-2 ⛔ tm-3-1
- [x] 3.3 - Create internal funds and payment ledger model #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-3 ⛔ tm-3-1
- [x] 3.4 - Build migration and indexing plan for existing SHKeeper records #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-4 ⛔ tm-3-3
- [x] 3.5 - Implement Request Network pay-in intent and secure payment pages #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-5 ⛔ tm-3-2
- [x] 3.6 - Implement signed Request Network webhook intake #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-6 ⛔ tm-3-2
- [x] 3.7 - Implement reconciliation and repair jobs #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-7 ⛔ tm-3-5 ⛔ tm-3-6
- [x] 3.8 - Replace checkout and payment UI with provider-neutral flows #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-8 ⛔ tm-3-5
- [x] 3.9 - Add payout/release and refund orchestration using ledger gates #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-9 ⛔ tm-3-3 ⛔ tm-3-7
- [x] 3.10 - Update release/refund APIs and marketplace release paths #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-10 ⛔ tm-3-8 ⛔ tm-3-9
- [x] 3.11 - Add comprehensive observability, runbooks, and incident controls #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-11 ⛔ tm-3-6 ⛔ tm-3-8 ⛔ tm-3-9 ⛔ tm-3-10
- [x] 3.12 - Add end-to-end integration, migration, and rollback test suites #taskmaster #priority/high #status/done ⏫ 🆔 tm-3-12 ⛔ tm-3-6 ⛔ tm-3-10 ⛔ tm-3-11
- [ ] 4 - Define backend security and refactor strategy from latest audit #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-4
- [x] 4.1 - Assign security ownership and launch decision criteria #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-1
- [x] 4.2 - Produce threat model for escrow platform #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-2 ⛔ tm-1
- [ ] 4.3 - Specify funds ledger and escrow state machine #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-3 ⛔ tm-2
- [ ] 4.4 - Create authorization matrix for REST and Socket.IO #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-4 ⛔ tm-2
- [ ] 4.5 - Decide session, passkey, and admin step-up architecture #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-5 ⛔ tm-2
- [ ] 4.6 - Specify webhook security and provider adapter contracts #taskmaster #priority/high #status/pending ⏫ 🆔 tm-4-6 ⛔ tm-3
- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1
- [ ] 4.8 - Make backend-core stack decision #taskmaster #priority/medium #status/pending 🔼 🆔 tm-4-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6 ⛔ tm-7
- [ ] 4.9 - Create migration and operational runbooks #taskmaster #priority/medium #status/pending 🔼 🆔 tm-4-9 ⛔ tm-8
- [ ] 5 - Deliver Telegram-native app, bot, and wallet experience #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-5
- [ ] 5.1 - Define Telegram product surface and flow map #taskmaster #priority/high #status/in-progress ⏫ 🆔 tm-5-1
- [ ] 5.2 - Build Telegram identity linking and session model #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-2 ⛔ tm-1
- [ ] 5.3 - Implement bot command and notification foundation #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-3 ⛔ tm-1 ⛔ tm-2
- [ ] 5.4 - Build Telegram Mini App shell for marketplace workflows #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-4 ⛔ tm-1 ⛔ tm-2
- [ ] 5.5 - Add Telegram payment and wallet strategy #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-5 ⛔ tm-2 ⛔ tm-4
- [ ] 5.6 - Expose escrow, delivery, dispute, and release actions safely #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-6 ⛔ tm-4 ⛔ tm-5
- [ ] 5.7 - Add admin and support surface for Telegram-originated cases #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-7 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5
- [ ] 5.8 - Add security, compliance, and abuse controls for Telegram #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5 ⛔ tm-6
- [ ] 5.9 - Prepare QA, rollout, analytics, and launch operations #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-9 ⛔ tm-3 ⛔ tm-4 ⛔ tm-5 ⛔ tm-6 ⛔ tm-7 ⛔ tm-8
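Review bot: The `⛔` dependency IDs on the subtasks of tasks 2, 4 and 5 do not resolve to the tasks they appear to mean. Under task 3 every dependency uses the full subtask ID (`⛔ tm-3-1`, `⛔ tm-3-6`), but elsewhere the parent prefix is missing: 4.9 lists `⛔ tm-8`, 4.8 lists `⛔ tm-6 ⛔ tm-7`, and 5.9 lists `⛔ tm-6 ⛔ tm-7 ⛔ tm-8`, none of which match any `🆔` in this file, while values such as `⛔ tm-2` on 5.5 match the top-level task `🆔 tm-2` rather than a sibling subtask. If these are meant as subtask-local references, the generator should emit them in the full form (`tm-4-8`, `tm-5-2` and so on), as it already does for task 3; as written, 2.6 is `status/done` with `⛔ tm-4` while `🆔 tm-4` is `status/in-progress`. Separately, 3.6 (signed Request Network webhook intake) is marked done while 4.6 (webhook security and provider adapter contracts) is still `status/pending`, so a note stating which specification 3.6 was implemented against would help readers of this list.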