moojttaba
c39e89b266
docs: sync — PG seeds, mock shops, template-creation fix (backend v2.8.65-66)
2026-06-03 13:38:34 +03:30
moojttaba
32a033869b
docs: sync — backend v2.8.64-65 ratings + chat names
2026-06-03 13:17:29 +03:30
moojttaba
773e2e23c4
docs: sync — v2.8.66-67 + review system audit
2026-06-03 12:44:27 +03:30
moojttaba
a28bcff4f4
docs: sync — v2.8.65 + Mini App UX queue
2026-06-03 11:55:10 +03:30
moojttaba
f68b54a9ef
docs: sync from backend 91877ae — points legacy-id fix (v2.8.63)
2026-06-03 11:41:21 +03:30
moojttaba
23c4a717ba
docs: sync — Mini App points + email verify (v2.8.64)
2026-06-03 11:18:48 +03:30
moojttaba
c61028f880
docs: sync — compact Mini App FABs (v2.8.63)
2026-06-03 10:57:27 +03:30
moojttaba
c663c657e2
docs: sync from backend c5d6490 — points level fixes (v2.8.62)
2026-06-03 10:54:04 +03:30
moojttaba
3cac5bd45e
docs: sync — Mini App support bubble (v2.8.61)
2026-06-03 10:35:17 +03:30
moojttaba
7b727cec53
docs: sync — Mini App cart FAB (v2.8.60)
2026-06-03 10:18:53 +03:30
Siavash Sameni
4b1d8ea36d
docs: Telegram Mini App pass 2 — shop/cart/account parity + frontend arch (v2.8.59)
- 04 - Flows/Telegram Mini App.md: major expansion — TelegramSellerShopView,
TelegramCartView, TelegramAccountView, useTelegramCart/useTelegramShops hooks,
full nav model, SDK surface table, shop→cart→checkout handoff flow
- 01 - Architecture/Frontend Architecture.md: add Telegram Mini App section,
TON Connect dependency, update to v2.8.59
- 09 - Audits/Activity Log.md: new entry for frontend@9bafbbb (v2.8.57–2.8.59)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 10:41:01 +04:00
Siavash Sameni
d072238fe8
docs: update PG migration status, data models, architecture + add Telegram Mini App flow (v2.8.59)
- Postgres Runtime Cutover Status: 17 migrations (0000–0017), dual-write repo matrix
- Backend Architecture: dual-DB architecture, repo factory, MONGO_CONNECT_MODE modes
- Data Model Overview: 23-model index with PG table names and migration status
- User, PurchaseRequest, SellerOffer, Chat, Dispute: Drizzle schema + cutover status added
- 04 - Flows/Telegram Mini App.md: new doc covering Mini App architecture and flows
- mongo-to-pg-migration-prd.md: status block prepended with 2026-06-03 milestone tracking
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 10:30:51 +04:00
Siavash Sameni
6f13903644
docs: sync from backend 7c4dedf — complete dual-write repos, migrations pipeline, TTL scheduler
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 10:30:51 +04:00
moojttaba
a283f0ef21
docs: sync — Mini App in-shell cart, buyer-parity phase 1 (v2.8.59)
2026-06-03 09:54:56 +03:30
moojttaba
27da7e18e6
docs: sync — Mini App account parity (v2.8.58)
2026-06-03 09:25:10 +03:30
moojttaba
2c27a7e58d
docs: sync from frontend a8ae1e3 — in-shell Mini App shop (v2.8.57)
2026-06-03 09:12:58 +03:30
moojttaba
49e7d614ce
docs: sync from backend 14d164c / frontend 6adb2e0 — Mini App account, support chat, shop fix (v2.8.56)
2026-06-03 08:42:57 +03:30
moojttaba
af7459e4dd
docs: sync from backend 9424395 / frontend a18e870 — chat, notifications, role dashboards (v2.8.55)
2026-06-03 08:04:38 +03:30
moojttaba
8e71f629d4
docs: sync from backend 8b8c1ae / frontend 583d55a — guard role + Mini App tab fix (v2.8.54)
2026-06-03 02:03:45 +03:30
moojttaba
bbb16fb2a6
docs: sync from frontend 7b949bf — Mini App live socket updates (v2.8.53)
2026-06-03 01:39:41 +03:30
moojttaba
4d8aea38fd
docs: sync from backend 804bb99 — PG serialization & id resolution fixes (v2.8.52)
2026-06-03 01:18:37 +03:30
moojttaba
92d3307f55
docs: sync from backend 14c231e+378f8f6 — admin user management fixes (v2.8.50–51)
2026-06-03 00:29:23 +03:30
Siavash Sameni
476aac2b08
docs: sync from backend 515bea3 — guard dataCleanupService against MONGO_CONNECT_MODE=never
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 13:47:01 +04:00
Siavash Sameni
4196c119ea
docs: sync from backend 4949988 — route admin user counts through postgres-capable stores
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 13:20:23 +04:00
Siavash Sameni
345c58542e
docs: sync from backend cf59726 — normalize pg repo modes
2026-06-02 12:41:54 +04:00
Siavash Sameni
85fe50aca0
docs: sync from backend 882096f — notification pg dev cutover
2026-06-02 12:33:58 +04:00
Siavash Sameni
bf82e7d628
docs: sync from backend f1ba14b — notification pg backfill tooling
2026-06-02 10:44:18 +04:00
Siavash Sameni
c90f286b12
docs: sync from backend 10de752 — defer legacy mongo imports
2026-06-02 10:30:06 +04:00
Siavash Sameni
1a59dacf87
docs: sync from backend 134d155 — lazy-load pg-capable store fallbacks
2026-06-02 10:21:43 +04:00
Siavash Sameni
1d983c8bfa
docs: sync from backend 2c5c3c7 — pg ledger repo seam
2026-06-01 22:38:33 +04:00
Siavash Sameni
e908cfce63
docs: sync from deployment 38cb75b — pg store defaults
2026-06-01 21:40:42 +04:00
Siavash Sameni
8a90bb69be
docs: sync from backend c5db471 — request templates
2026-06-01 19:02:03 +04:00
Siavash Sameni
02641e1333
docs: sync from backend 1543b53 — category uniqueness
2026-06-01 17:22:53 +04:00
Siavash Sameni
78707c11a7
docs: sync from backend 6df113d — marketplace pg backfill
2026-06-01 14:53:35 +04:00
Siavash Sameni
5352a78e96
docs: record postgres health store modes
2026-06-01 14:00:16 +04:00
Siavash Sameni
7b5dbb2683
docs: sync from backend 1757f1e - postgres cutover stores
2026-06-01 11:54:56 +04:00
Siavash Sameni
e8a1bba471
docs: sync from backend 8e03360 — auth health hotfix
2026-05-31 16:28:09 +04:00
Siavash Sameni
35640e38cc
docs: sync from backend cbc32dc — template delivery rails
2026-05-31 15:52:30 +04:00
Siavash Sameni
9f8cc104c7
docs: sync from backend a4d72df - cap confirmation floors
2026-05-31 15:21:28 +04:00
Siavash Sameni
798fa2f48e
docs: sync from backend 896f17f - persist webhook confirmations
2026-05-31 15:08:50 +04:00
Siavash Sameni
0bd3fe5598
docs: sync from backend cab0719 - align request budget validation
2026-05-31 14:46:59 +04:00
Siavash Sameni
773f5db454
docs: sync from backend 3a50dc4 - promote postgres integration
2026-05-31 14:20:40 +04:00
moojttaba
622dbe4dcb
Merge branch 'main' of ssh://git.manko.yoga:222/nick/nick-doc
2026-05-31 07:50:51 +03:30
Siavash Sameni
dceaf82934
audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.
Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00
Siavash Sameni
eab1d77582
docs(issues): mark ISSUE-003 through ISSUE-006 resolved, update index
Index: 47 open (8 critical, 39 major), 6 resolved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00
Siavash Sameni
12348ebb80
docs(issues): mark ISSUE-001 and ISSUE-002 resolved, update index
Both dispute privilege-escalation issues fixed in backend disputeRoutes.ts.
Index updated: 51 open (12 critical), 2 resolved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00
moojttaba
c6bbb4bdcb
docs: sync from frontend 9013b70 — staged node-package upgrade + TS6 test fix + lint sweep
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 03:20:28 +03:30
Siavash Sameni
7a616744f4
docs: complete code-reality alignment for remaining docs + reconcile issue set
Remaining docs updated to match code (the docs that the first pass had not covered):
- Flows: Chat, Referral, Rating, Registration, Google OAuth, Negotiation, Payout,
Trezor Safekeeping — corrected endpoints, socket events, status enums, auth gaps
- API Reference: User API, Trezor API — admin route prefix/verb/status corrections,
added undocumented endpoints (ton-proof challenge, profile email verify,
GET /trezor/account, POST /trezor/verify-operation)
- Data Models: Chat, Notification, Payment, PointTransaction, User — corrected
enums (PaymentProvider, escrowState, PointTransaction.type, User.status),
90-day notification TTL, soft-delete semantics, wallet fields
Trezor "zero frontend" finding (audit C31/C32) corrected as STALE:
- Verified current code HAS a full frontend Trezor implementation (admin/trezor
page, TrezorSettingsView, trezorConnector via @trezor/connect-web,
TrezorSignDialog, actions/trezor.ts building the {message,signature} object)
- Fixed Trezor Safekeeping Flow doc (removed false "no frontend" warnings)
- Reclassified ISSUE-012 as invalid/superseded with explanation
Issue set reconciled to a single canonical numbering (ISSUE-001..054):
- Adopted the comprehensive 51-issue set (long-slug, fully indexed)
- Removed 35 superseded short-slug duplicates from the first pass
- Removed a duplicate ISSUE-046 file
- Added 3 issues the 51-set lacked: ISSUE-052 (completed-not-counted-in-stats),
ISSUE-053 (axios 401-only interceptor), ISSUE-054 (rate limiter counts all attempts)
- Regenerated Issues Index: 53 open (14 critical, 39 major) + 1 invalid
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-29 15:15:02 +04:00
Siavash Sameni
9698ec5809
docs: align API reference and data model docs with code reality
API Reference (9 files updated):
- Marketplace API: corrected offer endpoints (scoped under /purchase-requests/:id/offers),
marked phantom /search /stats /seller/:sellerId /withdraw routes as NOT IMPLEMENTED,
documented PUT→PATCH mismatches, removed invalid SellerOffer 'active' status
- Dispute API: corrected resolve schema (action enum), categories (no 'fraud'),
removed 'under_review' status, added security callouts (3 unguarded endpoints),
route shadowing documented, all socket events marked as TODO stubs
- Notification API: corrected mark-all-read method+path, fixed broken GET /:id,
added unread-count-update event, 90-day TTL documented
- Payment API: /create→/save, removed 10+ phantom endpoints, fixed release/refund
paths (no /shkeeper/ segment), added 3 unauthenticated endpoint security warnings,
stats undercounting documented, export privilege gap documented
- Authentication API: 8-digit→6-digit code, no-complexity warning on reset-with-code,
rate limiter counts all attempts, passkey stub claims removed, deleteAccount bug noted
- Admin API: PUT→PATCH bug documented, wrong status values documented, hard vs soft
delete clarified, scanner no-auth security bug, 3 NOT IMPLEMENTED endpoints
- Chat API: file upload wrong endpoint bug, archive PUT→PATCH bug, rate limits added
- Points API: corrected redeem schema, referral triggers on 'completed' only,
leaderboard period ignored, removed 'refund' PointTransaction type
- Socket Events: removed request-cancelled, notification-read; added unread-count-update;
dispute events all stubs; referral-signup is auth-domain not points-domain
Data Models (3 files updated):
- SellerOffer: removed 'active' from status enum, withdrawOffer() is dead code
- PurchaseRequest: added pending_payment/active statuses, added 'urgent' urgency,
corrected description minimum (5 chars), removed finalized/archived
- Dispute: corrected action enum, categories (no fraud), removed under_review,
security callout on unguarded status/resolve endpoints
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 14:57:47 +04:00
Siavash Sameni
a1f056e6a5
docs: align flow docs with code reality + create 35 implementation issue files
Flow docs updated (11 files):
- Delivery Confirmation: reversed actor roles (buyer generates, seller verifies),
fixed endpoint paths (/delivery-code/generate, /delivery-code/verify)
- Passkey (WebAuthn): removed stub/simulated-key claims; real @simplewebauthn/server
attestation is implemented; refresh tokens are persisted
- Dispute: corrected resolve schema (action enum), removed non-existent statuses,
documented security gaps (no role guards on status/resolve/assign), route shadowing,
all socket events are TODO stubs
- Seller Offer: corrected all endpoint paths, removed 'active' status, documented
withdraw dead code, missing seller history page, select-offer notification gap
- Notification: corrected mark-all-read method+path, fixed GET /:id broken lookup,
added unread-count-update socket event
- Authentication: corrected rate limiter (counts all attempts), axios 403 not handled,
deleteAccount wrong endpoint bug, changePassword no UI
- Password Reset: corrected 6-digit code (not 8), documented no-complexity gap on
reset-with-code vs token reset
- Payment Flow DePay: /create→/save, removed phantom sub-routes, SIM_ bypass risk,
PaymentProvider type gap, getProviderIntentEndpoint routing bug
- Payment Flow SHKeeper: removed phantom polling endpoint, fixed release/refund paths
- Purchase Request: added pending_payment/active statuses, fixed sellers/attachments
endpoints, corrected socket events, PUT→PATCH bug
- Escrow: documented dispute resolve does not touch escrow, route shadowing, confirm-delivery auth gap
Issues created (35 files in Issues/):
- 9 security issues (critical) including: dispute privilege escalation ×4,
unauthenticated payment/scanner endpoints ×2, SIM_ production bypass,
confirm-delivery ownership gap
- 26 additional major/critical bugs covering broken endpoints, missing features,
data integrity gaps, and frontend-backend mismatches
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 14:47:49 +04:00