Task 2
Implement platform audit remediation plan
Address the code-backed security and consistency issues identified in the 2026-05-24 platform audit remediation PRD.
Details and test strategy
Source PRD: .taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md. Target backend hardening first, then documentation/runtime alignment. Delivery order suggested by PRD: security/auth, rate limiting, passkeys, Web3 verification, socket hardening, dispute hold controls, docs/API alignment.
Test strategy: Add focused regression tests for route auth/ownership, passkey challenge/verification, Web3 verification semantics, socket authorization, rate limiting tiers, and payout/release dispute holds. Update API docs after behavior is implemented.
Subtasks (7)

- 2.1 Secure unauthenticated endpoints and owner enforcement (status: pending, priority: high)
  Require authenticateToken and owner/admin checks on exposed payment, AI, and legacy notification routes.
- 2.2 Re-enable and scope rate limiting (status: pending, priority: high)
  Restore global and route-tiered rate limits for public-sensitive paths.
  Depends on: 2.1
- 2.3 Replace stubbed passkey/WebAuthn flow (status: pending, priority: high)
  Implement production-grade WebAuthn registration/authentication and shared challenge storage.
  Depends on: 2.1
- 2.4 Strengthen DePay/Web3 payment verification (status: pending, priority: high)
  Verify transaction recipient, token contract, and amount, not only receipt success.
  Depends on: 2.1
- 2.5 Lock Socket.IO room joins to authenticated context (status: pending, priority: medium)
  Remove trust in client-supplied user/buyer/seller room IDs.
  Depends on: 2.1
- 2.6 Enforce dispute hold before payout and release operations (status: pending, priority: medium)
  Add payment hold state and central release/refund guards that block disputed funds.
  Depends on: 2.1, 2.4
- 2.7 Align documentation, API references, and runtime enums (status: pending, priority: medium)
  Normalize disputed/payment/request status docs and implementation references after security behavior changes.
  Depends on: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6
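Illustration of the check subtask 2.4 asks for, written as an added example for this page rather than code from the project or from DePay: an ERC-20 payment receipt is matched against the expected token contract, recipient wallet and amount by decoding its Transfer logs, so a transaction that succeeded on-chain but paid the wrong token, the wrong wallet or too little is rejected. The receipt shape follows eth_getTransactionReceipt; all addresses, amounts and the logs themselves are constructed sample data.

```javascript
// Added example, not the project's code: verify an ERC-20 payment receipt
// against the expected order instead of trusting receipt.status alone.
// keccak256("Transfer(address,address,uint256)"), the standard ERC-20 Transfer topic.
const TRANSFER_TOPIC =
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";

// Indexed address parameters are left-padded to 32 bytes in log topics.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

function verifyTokenPayment(receipt, expected) {
  // 1. The transaction must have succeeded (status 1 in the receipt).
  if (receipt.status !== 1) return { ok: false, reason: "tx_failed" };
  // 2. Only Transfer events emitted by the expected token contract count;
  //    a successful tx can carry transfers of any token to any address.
  let paid = 0n;
  for (const log of receipt.logs) {
    if (log.address.toLowerCase() !== expected.token.toLowerCase()) continue;
    if (log.topics[0] !== TRANSFER_TOPIC || log.topics.length !== 3) continue;
    // 3. Recipient must be our wallet, not whatever address the client named.
    if (topicToAddress(log.topics[2]) !== expected.recipient.toLowerCase()) continue;
    paid += BigInt(log.data); // uint256 value sits in the non-indexed data word
  }
  if (paid === 0n) return { ok: false, reason: "no_transfer_to_recipient" };
  // 4. Amount is compared in token base units with BigInt, never as a float.
  if (paid < BigInt(expected.amount)) {
    return { ok: false, reason: "amount_too_low", paid: paid.toString() };
  }
  return { ok: true, paid: paid.toString() };
}

// Constructed sample data (not real addresses or a real transaction).
const pad32 = (hexNoPrefix) => "0x" + hexNoPrefix.padStart(64, "0");
const TOKEN = "0x1111111111111111111111111111111111111111";
const MERCHANT = "0x2222222222222222222222222222222222222222";
const PAYER = "0x3333333333333333333333333333333333333333";
const OTHER = "0x4444444444444444444444444444444444444444";
const transferLog = (from, to, amount) => ({
  address: TOKEN,
  topics: [TRANSFER_TOPIC, pad32(from.slice(2)), pad32(to.slice(2))],
  data: pad32(amount.toString(16)),
});
// 1.000000 of a 6-decimal token, expressed in base units.
const EXPECTED = { token: TOKEN, recipient: MERCHANT, amount: "1000000" };
// Successful receipt paying the merchant in full.
const goodReceipt = { status: 1, logs: [transferLog(PAYER, MERCHANT, 1000000n)] };
// Successful receipt whose tokens went to another wallet: status alone would accept it.
const misdirectedReceipt = { status: 1, logs: [transferLog(PAYER, OTHER, 1000000n)] };
```

The same structure applies to native-coin payments, except the recipient and value come from the transaction object rather than from a Transfer log.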