---
issue: 119
title: "Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag"
severity: low
domain: Security
labels: [security, frontend, debug-panel]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag

**Severity:** low
**Domain:** Security
**Labels:** security, frontend, debug-panel

## Description

`src/components/debug/telegram-debug-panel.tsx:50` is enabled by a URL param or a localStorage flag. In production, any user who discovers this flag can activate the debug panel, which exposes internal state including email, wallet, userId, and Telegram session data.

## Options

1. Render the panel only when `NODE_ENV !== 'production'` (compile-time) — removes the enumeration surface.
2. Keep the runtime flag but redact PII fields (email, wallet, userId).
3. Remove the component from account pages entirely.

## Recommendation

Guard rendering on `NODE_ENV !== 'production'` so the flag cannot reveal the panel in production builds.

## Affected Files

- `frontend/src/components/debug/telegram-debug-panel.tsx:50`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-7
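As an added example (not code from the project or the audit; `DEBUG_PANEL_FLAG`, `FlagSources`, `shouldRenderWeak`, `shouldRenderHardened` and `redactPii` are assumed names, and the flag value `tgdebug` is a constructed placeholder), the runtime-flag gate the description refers to, beside the compile-time guard the recommendation calls for and the PII redaction from option 2:

```typescript
// Added example, not the project's telegram-debug-panel.tsx. The flag name and
// all function names are assumptions; the audit does not state them.
const DEBUG_PANEL_FLAG = "tgdebug"; // constructed placeholder flag name

interface FlagSources {
  nodeEnv: string | undefined;      // process.env.NODE_ENV, inlined at build time
  search: string;                   // window.location.search
  localStorageValue: string | null; // localStorage.getItem(DEBUG_PANEL_FLAG)
}

// The runtime check the issue describes: a URL param or a localStorage entry
// turns the panel on.
function flagRequested(src: FlagSources): boolean {
  const params = new URLSearchParams(src.search);
  return params.get(DEBUG_PANEL_FLAG) === "1" || src.localStorageValue === "1";
}

// Weak gate (the audited behaviour): the runtime flag alone decides, so a
// production user who learns the flag can open the panel.
function shouldRenderWeak(src: FlagSources): boolean {
  return flagRequested(src);
}

// Hardened gate (the recommendation): a production build never renders the
// panel, whatever the flag says. Because bundlers inline NODE_ENV, the flag
// branch is dead code in production and is tree-shaken away with the panel.
function shouldRenderHardened(src: FlagSources): boolean {
  if (src.nodeEnv === "production") return false;
  return flagRequested(src);
}

// Option 2 from the issue: if the runtime flag is kept, strip the PII fields
// the audit names before anything reaches the panel.
interface PanelState {
  email?: string;
  wallet?: string;
  userId?: string;
  [key: string]: unknown;
}

const PII_FIELDS = ["email", "wallet", "userId"] as const;

function redactPii(state: PanelState): PanelState {
  const out: PanelState = { ...state };
  for (const field of PII_FIELDS) {
    if (typeof out[field] === "string") out[field] = "[redacted]";
  }
  return out;
}
```

The weak and hardened gates differ only in the `nodeEnv` check, which is the point: a runtime flag is an enumeration surface in every build, while a compile-time guard removes the panel from production bundles entirely.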