# Issues Index > Generated from Doc vs Code Audit โ€” 2026-05-29 ยท last reconciled 2026-05-29 > **0 open issues** | ๐Ÿ”ด 0 critical ยท ๐ŸŸ  0 major ยท ๐ŸŸก 0 minor ยท โšช 1 invalid (stale audit) ยท โœ… 53 resolved ## ๐Ÿ”ด Critical - [[ISSUE-001-patch-api-disputes-id-status-and-post-api-disputes-id-resolv|PATCH /api/disputes/:id/status and POST /api/disputes/:id/resolve have no role guard โ€” privilege escalation]] โ€” `Dispute` - [[ISSUE-002-post-api-disputes-id-assign-has-no-role-guard-any-user-can-s|POST /api/disputes/:id/assign has no role guard โ€” any user can self-assign as admin]] โ€” `Dispute` - [[ISSUE-003-route-shadowing-post-api-disputes-purchaserequestid-resolve-|Route shadowing: POST /api/disputes/:purchaseRequestId/resolve matches dashboard router first and executes wrong handler]] โ€” `Dispute` - [[ISSUE-004-post-api-disputes-id-resolve-dashboard-does-not-trigger-escr|POST /api/disputes/:id/resolve (dashboard) does not trigger escrow release โ€” only updates Dispute model]] โ€” `Dispute` - [[ISSUE-005-post-api-payment-payments-id-fetch-tx-post-api-payment-payme|POST /api/payment/payments/:id/fetch-tx, POST /api/payment/payments/auto-fetch-missing, and GET /api/payment/payments/:id/debug have no authentication middleware]] โ€” `Payment` - [[ISSUE-006-get-api-admin-scanner-status-has-no-authentication-middlewar|GET /api/admin/scanner/status has no authentication middleware despite /api/admin/ prefix]] โ€” `Admin` - [[ISSUE-007-frontend-deleteaccount-action-calls-delete-user-profile-whic|Frontend deleteAccount action calls DELETE /user/profile which has no backend route โ€” account deletion is broken]] โ€” `Authentication` - [[ISSUE-008-sendfilemessage-posts-to-wrong-endpoint-file-uploads-silentl|sendFileMessage posts to wrong endpoint โ€” file uploads silently fail or corrupt text-message handler]] โ€” `Chat` - [[ISSUE-009-archiveconversation-sends-put-but-backend-only-accepts-patch|archiveConversation sends PUT but backend only accepts PATCH โ€” all archive attempts fail]] โ€” `Chat` - [[ISSUE-010-frontend-admin-updateuserstatus-and-updateuserrole-use-put-b|Frontend admin updateUserStatus and updateUserRole use PUT but backend only accepts PATCH]] โ€” `User Management` - [[ISSUE-011-frontend-updateuserstatus-sends-inactive-pending-status-valu|Frontend updateUserStatus sends 'inactive'/'pending' status values that backend does not accept]] โ€” `User Management` - [[ISSUE-013-createproviderpaymentintent-always-routes-to-request-network|createProviderPaymentIntent always routes to request-network/intents regardless of provider argument]] โ€” `Payment` - [[ISSUE-014-paymentprovider-typescript-type-excludes-shkeeper-and-decent|PaymentProvider TypeScript type excludes 'shkeeper' and 'decentralized' causing UI fallthrough for main payment providers]] โ€” `Payment` - [[ISSUE-015-simulated-transaction-sim-bypass-has-no-environment-guard-ca|Simulated transaction SIM_ bypass has no environment guard โ€” can fire in production on wallet connection failure]] โ€” `Payment` ## ๐ŸŸ  Major - [[ISSUE-016-updatepurchaserequest-uses-put-but-backend-only-registers-pa|updatePurchaseRequest uses PUT but backend only registers PATCH โ€” all purchase request edits fail]] โ€” `Purchase Request` - [[ISSUE-017-updateoffer-uses-put-marketplace-offers-id-but-backend-regis|updateOffer uses PUT /marketplace/offers/:id but backend registers PATCH /offers/:id โ€” offer edits fail]] โ€” `Seller Offer` - [[ISSUE-018-select-offer-updatemany-has-no-status-filter-overwrites-with|select-offer updateMany has no status filter โ€” overwrites withdrawn/rejected offers back to 'rejected' corrupting status history]] โ€” `Seller Offer` - [[ISSUE-019-selleroffer-status-active-does-not-exist-in-schema-enum-but-|SellerOffer.status 'active' does not exist in schema enum but is referenced in docs and code comments]] โ€” `Seller Offer` - [[ISSUE-020-select-offer-does-not-send-per-seller-socket-events-or-notif|select-offer does not send per-seller socket events or notifications to winning or losing sellers]] โ€” `Seller Offer` - [[ISSUE-021-post-api-marketplace-offers-id-withdraw-http-route-does-not-|POST /api/marketplace/offers/:id/withdraw HTTP route does not exist โ€” seller withdraw is dead code]] โ€” `Seller Offer` - [[ISSUE-022-get-api-payment-payments-id-debug-has-no-authentication-full|GET /api/payment/payments/:id/debug has no authentication โ€” full payment data exposed without credentials]] โ€” `Payment` - [[ISSUE-023-get-api-payment-export-has-no-admin-role-guard-at-route-leve|GET /api/payment/export has no admin role guard at route level โ€” any authenticated user can export all payment data]] โ€” `Payment` - [[ISSUE-024-get-api-payment-stats-has-no-admin-role-guard-any-authentica|GET /api/payment/stats has no admin role guard โ€” any authenticated user can read aggregate payment stats]] โ€” `Payment` - [[ISSUE-025-get-api-disputes-statistics-has-no-admin-role-guard-any-auth|GET /api/disputes/statistics has no admin role guard โ€” any authenticated user can access aggregate dispute KPIs]] โ€” `Dispute` - [[ISSUE-026-get-notifications-id-only-returns-user-s-most-recent-notific|GET /notifications/:id only returns user's most-recent notification โ€” all others return 404 erroneously]] โ€” `Notification` - [[ISSUE-027-confirm-delivery-endpoint-has-no-ownership-check-any-authent|confirm-delivery endpoint has no ownership check โ€” any authenticated user can confirm delivery on any request]] โ€” `Delivery` - [[ISSUE-028-delivery-code-generated-socket-event-broadcasts-raw-6-digit-|delivery-code-generated socket event broadcasts raw 6-digit code to entire request room including seller]] โ€” `Delivery` - [[ISSUE-029-no-brute-force-protection-on-delivery-code-verification-endp|No brute-force protection on delivery code verification endpoint โ€” 900,000 combinations are enumerable]] โ€” `Delivery` - [[ISSUE-030-post-api-payment-payments-cleanup-pending-admin-check-is-ins|POST /api/payment/payments/cleanup-pending admin check is inside handler only โ€” no middleware-level enforcement]] โ€” `Admin` - [[ISSUE-031-post-api-points-admin-add-admin-check-is-inside-handler-only|POST /api/points/admin/add admin check is inside handler only โ€” no middleware-level enforcement]] โ€” `Admin` - [[ISSUE-032-admin-delete-user-via-legacy-endpoint-performs-hard-delete-f|Admin delete user via legacy endpoint performs hard delete (findByIdAndDelete) instead of soft delete]] โ€” `User Management` - [[ISSUE-033-admin-can-delete-other-admin-accounts-via-new-controller-leg|Admin can delete other admin accounts via new controller โ€” legacy admin-on-admin protection does not apply]] โ€” `User Management` - [[ISSUE-034-all-dispute-socket-io-emit-blocks-are-todo-stubs-no-real-tim|All dispute socket.io emit blocks are TODO stubs โ€” no real-time updates fire for any dispute event]] โ€” `Dispute` - [[ISSUE-035-frontend-getpaymentstatus-and-confirmpayment-call-non-existe|Frontend getPaymentStatus and confirmPayment call non-existent endpoints GET /payment/:id/status and POST /payment/:id/confirm]] โ€” `Payment` - [[ISSUE-036-cancelpayment-action-sends-delete-payment-id-but-no-delete-r|cancelPayment action sends DELETE /payment/:id but no DELETE route exists on any payment endpoint]] โ€” `Payment` - [[ISSUE-037-frontend-initiaterequestnetworkpayout-confirmrequestnetworkp|Frontend initiateRequestNetworkPayout, confirmRequestNetworkPayout, confirmRequestNetworkRelease, confirmRequestNetworkRefund call non-existent backend routes]] โ€” `Payment` - [[ISSUE-038-multiple-frontend-payment-stub-actions-call-non-existent-bac|Multiple frontend payment stub actions call non-existent backend endpoints: /payment/history, /payment/methods, /payment/validate, /payment/transactions, /payment/escrow/balance]] โ€” `Payment` - [[ISSUE-039-reset-password-with-code-endpoint-has-no-password-complexity|reset-password-with-code endpoint has no password complexity validation โ€” accepts weak passwords rejected by token-based reset]] โ€” `Authentication` - [[ISSUE-040-changepassword-action-has-no-ui-component-change-password-fe|changePassword action has no UI component โ€” change password feature is untestable from the UI]] โ€” `Authentication` - [[ISSUE-041-frontend-searchpurchaserequests-calls-marketplace-purchase-r|Frontend searchPurchaseRequests calls /marketplace/purchase-requests/search which does not exist in backend]] โ€” `Purchase Request` - [[ISSUE-042-frontend-getmarketplacestats-calls-marketplace-purchase-requ|Frontend getMarketplaceStats calls /marketplace/purchase-requests/stats which has no backend handler]] โ€” `Purchase Request` - [[ISSUE-043-frontend-getdeliveryattempts-and-getdeliverystats-call-non-e|Frontend getDeliveryAttempts and getDeliveryStats call non-existent backend endpoints]] โ€” `Delivery` - [[ISSUE-044-post-api-marketplace-purchase-requests-id-final-approval-cre|POST /api/marketplace/purchase-requests/:id/final-approval creates dummy payment for testing if no real payment exists โ€” testing backdoor in production code]] โ€” `Purchase Request` - [[ISSUE-045-addparticipants-frontend-sends-participants-string-array-but|addParticipants frontend sends { participants: string[] } array but backend expects { userId: string } single user]] โ€” `Chat` - [[ISSUE-046-frontend-getsellerofferhistory-seller-offer-history-page-doe|Frontend getSellerOfferHistory / seller offer history page does not exist โ€” notification links to /dashboard/seller/marketplace/offers are broken]] โ€” `Seller Offer` - [[ISSUE-047-frontend-cron-management-and-per-id-token-sweep-endpoints-fo|Frontend cron management and per-id token sweep endpoints for derived-destinations are not in backend inventory]] โ€” `Admin` - [[ISSUE-048-frontend-reloadnetworkregistry-and-probechain-call-backend-e|Frontend reloadNetworkRegistry and probeChain call backend endpoints that do not exist]] โ€” `Admin` - [[ISSUE-049-frontend-getconfirmationthresholdhistory-calls-get-api-admin|Frontend getConfirmationThresholdHistory calls GET /api/admin/settings/confirmation-thresholds/history which does not exist in backend]] โ€” `Admin` - [[ISSUE-050-points-referral-five-frontend-pages-do-not-exist-redemption-|Points/Referral: five frontend pages do not exist โ€” redemption, levels, referrals, transactions, admin-add all untestable via UI]] โ€” `Points` - [[ISSUE-051-self-referral-prevention-is-absent-users-can-refer-themselve|Self-referral prevention is absent โ€” users can refer themselves for points]] โ€” `Points` - [[ISSUE-052-payment-completed-status-not-counted-in-successful-payments-stats|'completed' payment status not counted in successfulPayments stats โ€” admin dashboard undercounts]] โ€” `Payment` - [[ISSUE-053-axios-interceptor-only-handles-401-not-403-for-token-refresh|Axios interceptor only retriggers token refresh for 401, not 403]] โ€” `Authentication` - [[ISSUE-054-login-rate-limiter-counts-all-attempts-not-only-failures|Login rate limiter counts all attempts (not just failures) โ€” users locked out after correct logins]] โ€” `Authentication` ## โšช Invalid / Superseded (audit was stale vs current code) - [[ISSUE-012-trezor-safekeeping-zero-frontend-implementation-all-admin-re|Trezor Safekeeping "zero frontend" โ€” INVALID: the frontend Trezor implementation exists in current code (TrezorSettingsView, trezorConnector, TrezorSignDialog, actions/trezor.ts). Audit findings C31/C32 were from an older snapshot.]] โ€” `Trezor` ## ๐ŸŸก Minor - [[ISSUE-136-backend-api-profiling-mongo-hot-path-cache-query-fanout|Backend: API profiling shows Mongo hot paths are index-backed but still do avoidable repeated reads]] โ€” `Performance`