Siavash Sameni
f4fad02e1c
docs: sync from backend 99ae2db — delivery confirmation id seam
2026-06-06 08:34:58 +04:00
Siavash Sameni
641334a2e5
docs: sync from backend 3e9a2f2 — BSC Testnet tUSDT rail
2026-06-06 08:20:55 +04:00
Siavash Sameni
cafef04a75
docs: sync from backend 810098f — BSC Testnet scanner rail
2026-06-06 07:37:39 +04:00
Siavash Sameni
a5d71bcc05
docs: sync documentation with latest codebase state
- Update Activity Log with 108 missing commits (48 backend + 60 frontend)
- Update version references: backend v2.8.79, frontend v2.8.94
- Update migration count: 18 migrations (0000-0017)
- Update Telegram Mini App Flow to v2.8.94
- Update Payment Flow - Scanner to 2026-06-05
- Update all architectural and database references
Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
2026-06-05 07:34:49 +04:00
Siavash Sameni
9dcdb420fc
docs: sync from backend 22ae0bd — scanner balance watches
2026-06-03 21:23:50 +04:00
Siavash Sameni
4b1d8ea36d
docs: Telegram Mini App pass 2 — shop/cart/account parity + frontend arch (v2.8.59)
- 04 - Flows/Telegram Mini App.md: major expansion — TelegramSellerShopView,
TelegramCartView, TelegramAccountView, useTelegramCart/useTelegramShops hooks,
full nav model, SDK surface table, shop→cart→checkout handoff flow
- 01 - Architecture/Frontend Architecture.md: add Telegram Mini App section,
TON Connect dependency, update to v2.8.59
- 09 - Audits/Activity Log.md: new entry for frontend@9bafbbb (v2.8.57–2.8.59)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 10:41:01 +04:00
Siavash Sameni
d072238fe8
docs: update PG migration status, data models, architecture + add Telegram Mini App flow (v2.8.59)
- Postgres Runtime Cutover Status: 17 migrations (0000–0017), dual-write repo matrix
- Backend Architecture: dual-DB architecture, repo factory, MONGO_CONNECT_MODE modes
- Data Model Overview: 23-model index with PG table names and migration status
- User, PurchaseRequest, SellerOffer, Chat, Dispute: Drizzle schema + cutover status added
- 04 - Flows/Telegram Mini App.md: new doc covering Mini App architecture and flows
- mongo-to-pg-migration-prd.md: status block prepended with 2026-06-03 milestone tracking
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 10:30:51 +04:00
Siavash Sameni
35640e38cc
docs: sync from backend cbc32dc — template delivery rails
2026-05-31 15:52:30 +04:00
Siavash Sameni
9f8cc104c7
docs: sync from backend a4d72df - cap confirmation floors
2026-05-31 15:21:28 +04:00
Siavash Sameni
798fa2f48e
docs: sync from backend 896f17f - persist webhook confirmations
2026-05-31 15:08:50 +04:00
Siavash Sameni
dceaf82934
audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.
Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00
Siavash Sameni
7a616744f4
docs: complete code-reality alignment for remaining docs + reconcile issue set
Remaining docs updated to match code (the docs that the first pass had not covered):
- Flows: Chat, Referral, Rating, Registration, Google OAuth, Negotiation, Payout,
Trezor Safekeeping — corrected endpoints, socket events, status enums, auth gaps
- API Reference: User API, Trezor API — admin route prefix/verb/status corrections,
added undocumented endpoints (ton-proof challenge, profile email verify,
GET /trezor/account, POST /trezor/verify-operation)
- Data Models: Chat, Notification, Payment, PointTransaction, User — corrected
enums (PaymentProvider, escrowState, PointTransaction.type, User.status),
90-day notification TTL, soft-delete semantics, wallet fields
Trezor "zero frontend" finding (audit C31/C32) corrected as STALE:
- Verified current code HAS a full frontend Trezor implementation (admin/trezor
page, TrezorSettingsView, trezorConnector via @trezor/connect-web,
TrezorSignDialog, actions/trezor.ts building the {message,signature} object)
- Fixed Trezor Safekeeping Flow doc (removed false "no frontend" warnings)
- Reclassified ISSUE-012 as invalid/superseded with explanation
Issue set reconciled to a single canonical numbering (ISSUE-001..054):
- Adopted the comprehensive 51-issue set (long-slug, fully indexed)
- Removed 35 superseded short-slug duplicates from the first pass
- Removed a duplicate ISSUE-046 file
- Added 3 issues the 51-set lacked: ISSUE-052 (completed-not-counted-in-stats),
ISSUE-053 (axios 401-only interceptor), ISSUE-054 (rate limiter counts all attempts)
- Regenerated Issues Index: 53 open (14 critical, 39 major) + 1 invalid
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-29 15:15:02 +04:00
Siavash Sameni
a1f056e6a5
docs: align flow docs with code reality + create 35 implementation issue files
Flow docs updated (11 files):
- Delivery Confirmation: reversed actor roles (buyer generates, seller verifies),
fixed endpoint paths (/delivery-code/generate, /delivery-code/verify)
- Passkey (WebAuthn): removed stub/simulated-key claims; real @simplewebauthn/server
attestation is implemented; refresh tokens are persisted
- Dispute: corrected resolve schema (action enum), removed non-existent statuses,
documented security gaps (no role guards on status/resolve/assign), route shadowing,
all socket events are TODO stubs
- Seller Offer: corrected all endpoint paths, removed 'active' status, documented
withdraw dead code, missing seller history page, select-offer notification gap
- Notification: corrected mark-all-read method+path, fixed GET /:id broken lookup,
added unread-count-update socket event
- Authentication: corrected rate limiter (counts all attempts), axios 403 not handled,
deleteAccount wrong endpoint bug, changePassword no UI
- Password Reset: corrected 6-digit code (not 8), documented no-complexity gap on
reset-with-code vs token reset
- Payment Flow DePay: /create→/save, removed phantom sub-routes, SIM_ bypass risk,
PaymentProvider type gap, getProviderIntentEndpoint routing bug
- Payment Flow SHKeeper: removed phantom polling endpoint, fixed release/refund paths
- Purchase Request: added pending_payment/active statuses, fixed sellers/attachments
endpoints, corrected socket events, PUT→PATCH bug
- Escrow: documented dispute resolve does not touch escrow, route shadowing, confirm-delivery auth gap
Issues created (35 files in Issues/):
- 9 security issues (critical) including: dispute privilege escalation ×4,
unauthenticated payment/scanner endpoints ×2, SIM_ production bypass,
confirm-delivery ownership gap
- 26 additional major/critical bugs covering broken endpoints, missing features,
data integrity gaps, and frontend-backend mismatches
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 14:47:49 +04:00
Siavash Sameni
81625d35d2
docs: AML scope note, human-blocked items, Task #11 pre-flight inventory
- Add AML scope note to Handoff - RN Multichain Probe (sanctions-only vs full KYT)
- Add human-blocked section with 3 precise next steps for owner
- Create Task 11 Pre-flight Inventory: library choice, dev/prod flow, admin UI gaps, backend gaps, risks, acceptance criteria
2026-05-28 20:42:42 +04:00
Siavash Sameni
ddc0434819
docs: sync from backend 19f7eb9, frontend 60ee6fb — Task #10 AML screening
2026-05-28 20:35:38 +04:00
Siavash Sameni
940ad0c655
Add full system audit reports and Telegram Mini App debug handoff
- Three-stream audit (security / logic / performance) with 35+ findings
derived from actual source code, each with file:line and remediation
- Audit Index cross-references criticals across streams into prioritized
fix tiers: immediately / before soft launch / before public launch
- Telegram Mini App debug handoff documenting what was implemented and
all remaining work items with exact file lists and test commands
- Updated architecture, data model, auth API, and registration flow docs
to reflect Telegram auth, TON wallet, and email verification additions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 17:20:08 +04:00
Siavash Sameni
fa7234cbe1
Document Telegram first-class auth
2026-05-24 16:12:46 +04:00
Siavash Sameni
4cf5c49274
docs(audit): align documentation with post-remediation backend reality
- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
2026-05-24 11:16:29 +04:00
Siavash Sameni
b824ca0435
Document payment verification and trezor safekeeping
2026-05-24 11:12:17 +04:00
Siavash Sameni
09ef02c314
fix: repair Mermaid diagram syntax errors and add PRD task plan
2026-05-24 08:07:25 +04:00
moojttaba
0da235ae27
Initial commit: nick docs
2026-05-23 20:35:34 +03:30