# Issues Index

> Generated from Doc vs Code Audit — 2026-05-29
> **35 open issues** | 🔴 14 critical · 🟠 19 major · 🟡 2 minor

## 🔴 Critical

- [[ISSUE-001-dispute-status-no-role-guard|PATCH /api/disputes/:id/status no role guard — privilege escalation]] — `dispute` · security
- [[ISSUE-002-dispute-resolve-no-role-guard|POST /api/disputes/:id/resolve no role guard — any user can resolve + ban sellers]] — `dispute` · security
- [[ISSUE-003-dispute-route-shadowing|Route shadowing: two dispute routers at /api/disputes — wrong handler fires]] — `dispute`
- [[ISSUE-004-payment-endpoints-no-auth|fetch-tx, auto-fetch-missing, debug payment endpoints have no authentication]] — `payment` · security
- [[ISSUE-005-scanner-status-no-auth|GET /api/admin/scanner/status has no authentication]] — `admin` · security
- [[ISSUE-006-delete-account-wrong-endpoint|Frontend deleteAccount calls DELETE /user/profile — endpoint doesn't exist]] — `auth`
- [[ISSUE-007-sim-bypass-no-env-guard|SIM_ transaction bypass active in production — no NODE_ENV guard]] — `payment` · security
- [[ISSUE-008-chat-file-upload-wrong-endpoint|sendFileMessage posts to wrong endpoint — chat file uploads always fail]] — `chat`
- [[ISSUE-010-admin-user-status-wrong-values-and-verb|Admin user status/role broken: wrong HTTP verb + wrong status values]] — `admin`
- [[ISSUE-016-payment-provider-routing-always-request-network|createProviderPaymentIntent always routes to request-network — SHKeeper broken]] — `payment`
- [[ISSUE-018-trezor-no-frontend-implementation|Trezor Safekeeping has zero frontend implementation]] — `trezor`
- [[ISSUE-020-dispute-assign-no-role-guard|POST /api/disputes/:id/assign no role guard — any user can self-assign mediator]] — `dispute` · security
- [[ISSUE-030-confirm-delivery-no-auth-guard|PATCH /confirm-delivery no ownership check — any user can confirm delivery]] — `delivery` · security
- [[ISSUE-035-payment-dispute-verify-button-404|Dispute 'Verify' button always 404s — getPaymentStatus hits non-existent endpoint]] — `payment`

## 🟠 Major

- [[ISSUE-009-archive-chat-wrong-method|archiveConversation uses PUT but backend only accepts PATCH]] — `chat`
- [[ISSUE-011-update-purchase-request-put-vs-patch|updatePurchaseRequest sends PUT but backend only accepts PATCH]] — `purchase-request`
- [[ISSUE-012-update-offer-put-vs-patch|updateOffer sends PUT but backend registers PATCH]] — `seller-offer`
- [[ISSUE-013-select-offer-no-status-filter-corrupts-withdrawn|select-offer cascade overwrites withdrawn offers — missing status filter]] — `seller-offer` · data-integrity
- [[ISSUE-014-select-offer-no-seller-notifications|select-offer sends no per-seller notifications to winning/losing sellers]] — `seller-offer`
- [[ISSUE-015-seller-offer-withdraw-no-http-route|Seller offer withdraw has no HTTP route — withdrawOffer() is dead code]] — `seller-offer`
- [[ISSUE-017-payment-provider-type-missing-values|PaymentProvider TypeScript type missing 'shkeeper' and 'decentralized']] — `payment`
- [[ISSUE-019-rn-payout-release-refund-not-implemented|Request Network admin payout/release/refund sub-routes do not exist]] — `payment`
- [[ISSUE-021-axios-interceptor-403-not-handled|Axios interceptor only retriggers token refresh for 401, not 403]] — `auth`
- [[ISSUE-022-rate-limit-counts-all-attempts|Login rate limiter counts all attempts — users locked out after correct logins]] — `auth`
- [[ISSUE-023-change-password-no-ui|changePassword action exists but no dashboard UI page]] — `auth`
- [[ISSUE-024-reset-password-with-code-no-complexity-check|POST /api/auth/reset-password-with-code accepts weak passwords]] — `auth` · security
- [[ISSUE-025-dispute-socket-events-all-stubs|All dispute socket events are TODO stubs — no real-time updates]] — `dispute`
- [[ISSUE-026-payment-completed-not-counted-in-stats|'completed' payment not counted in successfulPayments — admin dashboard undercounts]] — `payment`
- [[ISSUE-027-get-notification-by-id-broken|GET /api/notifications/:id always 404s for non-latest notifications]] — `notification`
- [[ISSUE-028-payment-export-no-admin-guard|GET /api/payment/export has no admin guard — any user can export payments]] — `payment` · security
- [[ISSUE-029-delivery-attempts-stats-phantom-endpoints|Frontend delivery actions regenerate/attempts/stats hit non-existent endpoints]] — `delivery`
- [[ISSUE-031-points-missing-frontend-pages|Points/referral missing 5 frontend pages — redemption, levels, referrals, transactions, admin]] — `points`
- [[ISSUE-032-shkeeper-release-refund-wrong-paths|SHKeeper release/refund doc paths include erroneous /shkeeper/ segment]] — `payment`
- [[ISSUE-033-seller-offer-history-route-missing|GET seller offer history has no HTTP route — getOffersBySeller() is dead code]] — `seller-offer`
- [[ISSUE-034-seller-offer-active-status-invalid|SellerOffer 'active' status invalid — saves throw ValidationError]] — `seller-offer`

## Security Issues Summary

| # | Issue | Severity |
|---|---|---|
| 001 | Dispute status PATCH — no role guard (privilege escalation) | 🔴 Critical |
| 002 | Dispute resolve POST — no role guard (ban_seller without auth) | 🔴 Critical |
| 004 | Payment fetch-tx/auto-fetch/debug — no authentication | 🔴 Critical |
| 005 | Admin scanner status — no authentication | 🔴 Critical |
| 007 | SIM_ bypass active in production | 🔴 Critical |
| 020 | Dispute assign — no role guard | 🔴 Critical |
| 030 | confirm-delivery — no ownership check | 🔴 Critical |
| 024 | reset-password-with-code — no complexity validation | 🟠 Major |
| 028 | Payment export — no admin guard | 🟠 Major |
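
The finding that recurs through the Critical list is a route whose only check is that the caller is logged in (001, 002, 020, 030) or that has no check at all (004, 005, 028). The block below is an added example and is not code from the audited project or from this index: it shows fail-closed role and ownership guards written as Express-style `(req, res, next)` middleware, with the unguarded wiring next to the guarded wiring. The index does not say which framework the backend uses, so the Express-style shape is an assumption, as are the request and response types, the role names `user`, `mediator` and `admin`, the handler names `updateDisputeStatus` and `confirmDelivery`, and the in-memory dispute and delivery records.

```typescript
// Added example, not the audited project's code. Fail-closed role and
// ownership guards for Express-style (req, res, next) handlers. The request
// and response shapes, the role names, the handler names and the in-memory
// dispute/delivery records are assumptions made for this example.

type Role = "user" | "mediator" | "admin";
interface User { id: string; role: Role }

interface Req {
  params: Record<string, string>;
  body: Record<string, unknown>;
  user?: User; // set by the auth layer when a valid session token is present
}

interface Res {
  statusCode: number;
  payload?: unknown;
  status(code: number): Res;
  json(body: unknown): Res;
}

type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;

// Minimal stand-in for a router: runs the chain until a handler responds
// without calling next(). A missing guard means the final handler runs for
// callers that should never have reached it.
function run(chain: Handler[], req: Req): Res {
  const res: Res = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    json(body) { res.payload = body; return res; },
  };
  let i = 0;
  const next: Next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

const requireAuth: Handler = (req, res, next) => {
  if (!req.user) { res.status(401).json({ error: "unauthenticated" }); return; }
  next();
};

// Role guard: 403 unless the caller holds one of the allowed roles. It checks
// authentication itself, so it stays correct even when mounted on its own.
function requireRole(...allowed: Role[]): Handler {
  return (req, res, next) => {
    const user = req.user;
    if (!user) { res.status(401).json({ error: "unauthenticated" }); return; }
    if (!allowed.includes(user.role)) { res.status(403).json({ error: "forbidden" }); return; }
    next();
  };
}

// Ownership guard: the record addressed by :id must belong to the caller
// (admins exempt). An unknown id is a 404, so the guard never falls open.
function requireOwner(ownerOf: (id: string) => string | undefined): Handler {
  return (req, res, next) => {
    const user = req.user;
    if (!user) { res.status(401).json({ error: "unauthenticated" }); return; }
    const ownerId = ownerOf(req.params.id);
    if (ownerId === undefined) { res.status(404).json({ error: "not found" }); return; }
    if (ownerId !== user.id && user.role !== "admin") { res.status(403).json({ error: "forbidden" }); return; }
    next();
  };
}

// Constructed records standing in for the dispute and delivery stores.
const disputes = new Map([["d1", { status: "open" }]]);
const deliveries = new Map([["dl1", { buyerId: "buyer-1", confirmed: false }]]);

const updateDisputeStatus: Handler = (req, res) => {
  const d = disputes.get(req.params.id);
  if (!d) { res.status(404).json({ error: "not found" }); return; }
  d.status = String(req.body.status);
  res.status(200).json({ id: req.params.id, status: d.status });
};

const confirmDelivery: Handler = (req, res) => {
  const d = deliveries.get(req.params.id);
  if (!d) { res.status(404).json({ error: "not found" }); return; }
  d.confirmed = true;
  res.status(200).json({ id: req.params.id, confirmed: true });
};

// Wiring of the kind the audit describes: being logged in is the only check,
// so any user can change a dispute's status or confirm someone else's delivery.
const unguarded = {
  disputeStatus: [requireAuth, updateDisputeStatus],
  confirmDelivery: [requireAuth, confirmDelivery],
};

// The same handlers behind the guards. requireRole("admin") is the equivalent
// fix for admin-only endpoints that currently have no guard at all.
const guarded = {
  disputeStatus: [requireAuth, requireRole("mediator", "admin"), updateDisputeStatus],
  confirmDelivery: [requireAuth, requireOwner((id) => deliveries.get(id)?.buyerId), confirmDelivery],
};

// Status code a given caller would receive from a chain.
function statusFor(chain: Handler[], user: User | undefined, id: string, body: Record<string, unknown> = {}): number {
  return run(chain, { params: { id }, body, user }).statusCode;
}
```

Both guards re-check authentication rather than trusting that `requireAuth` ran earlier in the chain, and the ownership guard answers 404 for an unknown id instead of letting the request through. That matters for a code base where two routers are mounted at the same path (003): a guard that only works when the chain is assembled in one particular order is a guard that silently disappears when the other router answers first.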