audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:

- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -112,6 +112,24 @@ TREZOR_SAFEKEEPING_REQUIRED=false
Default is permissive so existing Request Network release/refund flows continue to work. Set it to `true` only after registering the operating admin's Trezor account (the frontend signing flow via `TrezorSignDialog` is already implemented). Any value other than the literal string `true` is treated as disabled.
## Break-Glass Mode (Emergency Bypass)
When `TREZOR_SAFEKEEPING_REQUIRED=true` but the Trezor device is unavailable (lost, hardware fault, key-holder absent), an admin can activate **break-glass mode** to temporarily bypass the safekeeping requirement:
| Endpoint | Action |
|---|---|
| `GET /api/admin/settings/break-glass` | Read current status (`active`, `expiresAt`, `activatedBy`) |
| `POST /api/admin/settings/break-glass` | Activate for **1 hour** — fires a Telegram alarm immediately |
| `DELETE /api/admin/settings/break-glass` | Cancel before expiry |
**Properties:**
- State is in-memory only (resets on server restart — intentional).
- Activation fires a Telegram alert via `tgNotify` regardless of `TG_NOTIFY_BOT_TOKEN` set status.
- The exported `isBreakGlassActive()` helper is called by `assertTrezorSignatureForOperation` — when `true`, the signature check is skipped.
- Maximum duration: 1 hour. After expiry the guard is automatically re-enabled.
**Source:** `backend/src/services/admin/breakGlassRoutes.ts` (commit `b21df25`).
## Safety Rules
- Never store Trezor seed words, private keys, or xprv/tprv values.
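Review bot: The Properties bullet "Activation fires a Telegram alert via `tgNotify` regardless of `TG_NOTIFY_BOT_TOKEN` set status" is ambiguous and needs to say what actually happens when the token is not configured. As written it could mean the call is always made but the message is silently dropped, which matters because the Telegram alarm is the only compensating control this section documents for a mode that makes `assertTrezorSignatureForOperation` skip the signature check for up to an hour. Suggest stating explicitly whether activation is refused, logged elsewhere, or allowed with no delivered alarm when the token is unset, and adding a bullet on where activations are persistently recorded, since "State is in-memory only (resets on server restart)" implies the `activatedBy` / `expiresAt` record is gone after a restart. That same in-memory property is also per-process: with more than one backend instance the bypass applies only to the instance that received the `POST`, and the `DELETE` only cancels it there; worth a sentence so operators do not assume a fleet-wide state.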