Add full system audit reports and Telegram Mini App debug handoff

- Three-stream audit (security / logic / performance) with 35+ findings
  derived from actual source code, each with file:line and remediation
- Audit Index cross-references criticals across streams into prioritized
  fix tiers: immediately / before soft launch / before public launch
- Telegram Mini App debug handoff documenting what was implemented and
  all remaining work items with exact file lists and test commands
- Updated architecture, data model, auth API, and registration flow docs
  to reflect Telegram auth, TON wallet, and email verification additions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Siavash Sameni
2026-05-24 17:20:08 +04:00
parent 2533bedb91
commit 940ad0c655
12 changed files with 1795 additions and 28 deletions


@@ -328,9 +328,11 @@ Routes are nested under `/api/auth/` via `passkeyRoutes`. Service: `passkeyServi
| HTTP | App code | Meaning |
| --- | --- | --- |
| 400 | `Validation Error` | `express-validator` rejected the body |
| 401 | — | Bad credentials / missing token |
| 403 | — | Email not verified or insufficient role |
| 401 | — | Bad credentials / missing token / invalid Telegram signature |
| 403 | — | Email not verified, insufficient role, or blocked Telegram account |
| 409 | `USER_EXISTS` | Email already in use |
| 409 | `TELEGRAM_REPLAY` | Reused Telegram Mini App `initData` (replay protection) |
| 423 | — | Account temporarily locked after failed logins |
| 429 | — | Rate-limited (auth tier: 10 req / 15 min / IP) |
See [[Error Codes]] for the global error shape.
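Review bot: the new `TELEGRAM_REPLAY` row (409) names the failure but not the client remedy, and the table leaves stale `initData` unmapped: a reader cannot tell whether an `auth_date` that is too old is reported as 401 ("invalid Telegram signature" covers only the HMAC check) or as 409 `TELEGRAM_REPLAY`. Suggest extending the 409 row to something like `Reused Telegram Mini App initData (replay protection); client must relaunch the Mini App to obtain fresh initData` and adding the freshness case explicitly to whichever row applies, so the two failure modes are distinguishable from the status code alone. Minor: the 401/403 rows keep their meaning but the "—" app code means a client cannot separate "blocked Telegram account" from "email not verified" programmatically; if the service emits a distinct code for the blocked case, document it here.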