audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks

Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Siavash Sameni
2026-05-30 18:41:44 +04:00
parent eab1d77582
commit dceaf82934
153 changed files with 6276 additions and 179 deletions


@@ -71,8 +71,8 @@ The buyer-facing CRUD plus seller-side workflow endpoints. Model: [[PurchaseRequ
size?: string;
color?: string;
quantity?: number; // default 1
budget?: { min?: number; max?: number; currency: "USD" | "EUR" | "IRR" };
urgency?: "low" | "medium" | "high";
budget?: { min?: number; max?: number; currency: "USDT" | "USDC" }; // restricted to escrow-compatible stablecoins (commit d52feb7)
urgency?: "low" | "medium" | "high" | "urgent";
deliveryInfo?: {
deliveryType: "physical" | "online";
addressId?: string; // when physical
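Review bot: the `budget?:` line allows `currency: "USDT" | "USDC"` while the offer `price` type later in this file is `"USDT"` only; state which one is authoritative and what the backend returns when a buyer sets a `USDC` budget, otherwise sellers can be asked for a currency the offer body cannot carry. The added `"urgent"` value in the `urgency?:` union should also be reflected in whatever server-side validation the purchase-request route applies, or the documented value will not be accepted in practice.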
@@ -239,7 +239,7 @@ Valid `status` values: `pending | accepted | rejected | withdrawn`
**Request body:**
```ts
{
price: { amount: number; currency: "USD" | "EUR" | "IRR" };
price: { amount: number; currency: "USDT" }; // USDT only for escrow MVP
deliveryEstimate: { days: number; note?: string };
notes?: string;
attachments?: string[];
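Review bot: `currency: "USDT"` is documented as the only accepted value, but nothing in the request-body block says what a request carrying another currency gets back; add the error (for example a `400` with the validation message) to this endpoint's Errors so clients do not rely on the TypeScript literal type alone. The comment `// USDT only for escrow MVP` would also be clearer if it noted that the budget type earlier in this document still permits `USDC`, so readers know the difference is intentional rather than doc drift.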
@@ -248,6 +248,8 @@ Valid `status` values: `pending | accepted | rejected | withdrawn`
**Response 201:** `{ success, data: { offer } }`
**Side effects:** Emits `new-offer` to `buyer-<buyerId>` and `seller-offer-update` to `seller-<sellerId>`.
> **Note:** Currency is locked to `USDT` for the escrow MVP (commit 3aaa2fe). The frontend `CURRENCY_SYMBOLS` map in `src/sections/request/constants.ts` exposes only `USDT`.
### PUT /api/marketplace/purchase-requests/:id/offers (legacy)
**Description:** Older offer-update endpoint kept for compatibility.
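Review bot: the new note cites commit `3aaa2fe` for the USDT lock while the budget type earlier in this file cites `d52feb7`; if these are two different changes, say which one covers offers and which covers budgets, otherwise reference a single commit. Stating that the frontend `CURRENCY_SYMBOLS` map in `src/sections/request/constants.ts` exposes only `USDT` documents a UI restriction, not an enforcement point; an API reference reader needs to know whether the backend rejects other currencies or merely trusts the client.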
@@ -271,16 +273,19 @@ Valid `status` values: `pending | accepted | rejected | withdrawn`
This endpoint does not exist. Use `GET /api/marketplace/purchase-requests/:id/offers` instead.
### ⚠️ NOT IMPLEMENTED: GET /api/marketplace/offers/seller/:sellerId
### GET /api/marketplace/offers/seller/:sellerId
This endpoint does not exist. `getOffersBySeller()` is an internal service method and is not exposed via HTTP.
**Description:** Returns all offers submitted by the given seller, across all purchase requests. Used by the Offer Management dashboard page (`/dashboard/seller/marketplace/offers`).
**Auth required:** Bearer JWT (seller, own `:sellerId` only)
**Response 200:** `{ data: [SellerOffer, ...] }`
**Frontend action:** `getSellerOffers(sellerId)` in `src/actions/marketplace.ts` (added commit 240a668)
### PATCH /api/marketplace/offers/:id
**Description:** Seller edits their pending offer (price, delivery estimate, notes).
**Auth required:** Bearer JWT (offer owner)
> ⚠️ **KNOWN BUG:** The frontend sends `PUT` but the backend registers `PATCH`. Requests from clients using `PUT` will receive `404`. Use `PATCH`.
> **Fixed (commit 240a668):** The frontend `updateOffer` and `acceptOffer` actions now correctly send `PATCH`.
### DELETE /api/marketplace/offers/:id
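Review bot: `GET /api/marketplace/offers/seller/:sellerId` says `own :sellerId only` but lists no error for a `:sellerId` that does not match the JWT subject; add the `403`/`404` outcome as the withdraw endpoint below does, so callers and tests know the ownership check exists. Its `Response 200` envelope `{ data: [SellerOffer, ...] }` also differs from the `{ success, data }` shape used elsewhere in this file; confirm which the route actually returns. The `KNOWN BUG` block about `PUT` vs `PATCH` is kept verbatim above the `Fixed (commit 240a668)` note; fold them into one resolved note so the warning does not read as still open.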
@@ -293,9 +298,14 @@ This endpoint does not exist. `getOffersBySeller()` is an internal service metho
**Auth required:** Bearer JWT
**Request body:** `{ status: "pending" | "accepted" | "rejected" | "withdrawn" }`
### ⚠️ NOT IMPLEMENTED: POST /api/marketplace/offers/:id/withdraw
### POST /api/marketplace/offers/:id/withdraw
This endpoint does not exist. To withdraw an offer use `PUT /api/marketplace/offers/:id/status` with `{ status: 'withdrawn' }`.
**Description:** Seller withdraws their offer. Sets offer status to `withdrawn` using `sellerOfferService.withdrawOffer()`. Only the offer owner may call this.
**Auth required:** Bearer JWT (offer owner)
**Response 200:** `{ success: true, data: { /* updated offer */ } }`
**Errors:** `403` not the offer owner, `404` offer not found.
> **Note:** This endpoint was previously documented as NOT IMPLEMENTED. It was added to `backend/src/services/marketplace/routes.ts` (commit `3e47713`).
### POST /api/marketplace/purchase-requests/:id/select-offer
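Review bot: with `POST /api/marketplace/offers/:id/withdraw` now implemented, the older instruction to withdraw via `PUT /api/marketplace/offers/:id/status` with `{ status: 'withdrawn' }` leaves two routes to the same state; document whether the status route applies the same offer-owner check that `sellerOfferService.withdrawOffer()` enforces (`403` not the offer owner), or mark one of the two as the supported path. The `> Note` saying the endpoint was previously documented as NOT IMPLEMENTED is changelog rather than reference material and belongs in the audit report, not the API entry.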
@@ -303,7 +313,8 @@ This endpoint does not exist. To withdraw an offer use `PUT /api/marketplace/off
**Auth required:** Bearer JWT (buyer)
**Request body:** `{ offerId: string }`
**Side effects:**
- Updates [[PurchaseRequest]] `selectedOfferId`, status moves toward `payment`.
- Persists `selectedOfferId` on [[PurchaseRequest]] (commit `023255f` — previously this field was not saved, causing it to be lost). Status moves toward `payment`.
- Rejects all **losing** offers (sets their status to `rejected`) when payment is confirmed (commit `023255f`).
- Emits `seller-offer-update` to all sellers for the request.
### POST /api/marketplace/offers/:id/accept (legacy)
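Review bot: the side-effects bullet says losing offers are set to `rejected` "when payment is confirmed" (commit `023255f`), but this section documents `select-offer`; state whether that rejection runs in this handler or in the payment-confirmation path, since a client reading this entry will otherwise expect `rejected` immediately after the call. "Status moves toward `payment`" is also vague for a reference page; name the exact status value the request is set to.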