---
issue: 068
title: "Backend: dataCleanupService deletes Payments without provider scoping — risk of destroying escrow records"
severity: high
domain: Admin
labels: [security, backend, data-loss, escrow]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: dataCleanupService deletes Payments without provider scoping — risk of destroying escrow records

**Severity:** high
**Domain:** Admin
**Labels:** security, backend, data-loss, escrow

## Description

`dataCleanupService.ts:121` deletes Payment documents without filtering by `provider`. Request Network and SHKeeper escrow payments are webhook-driven and can take hours to confirm. Sweeping them deletes the ledger records that webhooks need to reconcile, silently destroying multi-seller cart records.

This matches the project memory note: "Any Payment-collection cleanup/orphan query MUST scope by `provider:`."

## Options

1. Scope all payment deletes by provider (exclude `request.network`/`shkeeper` escrow records).
2. Soft-delete instead of hard delete for payments.
3. Disallow payment-collection cleanup entirely from this tool.

## Recommendation

Require provider scoping on every payment delete and prefer soft-delete; never sweep escrow-driven records. This is a data-loss risk.

## Affected Files

- `backend/src/services/admin/dataCleanupService.ts:121`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-38
- Project memory: `feedback_payment_cleanup_provider_filter.md`
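The following is an added TypeScript example of options 1 and 2 combined (a provider-scoped, soft-deleting sweep). It is not code from `dataCleanupService.ts` or the project; it runs against an in-memory array rather than MongoDB, and the Payment record shape, the `status` values, the `stripe` provider name, the "stale pending checkout" cleanup target and the Mongo-style filter object are all assumptions. Only `request.network` and `shkeeper` come from the issue text.

```typescript
// Added example; not the project's own dataCleanupService code.
// Assumed record shape and provider identifiers (only `request.network`
// and `shkeeper` come from the issue; `stripe` and the status values are assumed).
type PaymentProvider = "stripe" | "request.network" | "shkeeper";

interface Payment {
  _id: string;
  provider: PaymentProvider;
  status: "pending" | "confirmed" | "failed";
  createdAt: Date;
  deletedAt?: Date; // set by soft-delete instead of removing the document
}

// Providers whose payments are confirmed asynchronously by webhooks.
// Their pending records are the escrow ledger and must never be swept.
const ESCROW_PROVIDERS: ReadonlySet<PaymentProvider> = new Set<PaymentProvider>([
  "request.network",
  "shkeeper",
]);

// Mongo-style filter shape (assumed); `provider` is mandatory, never optional.
interface PaymentCleanupFilter {
  provider: { $in: PaymentProvider[] };
  status: "pending";
  createdAt: { $lt: Date };
}

// Builds the only filter shape the sweep is allowed to use. Refuses an empty
// provider list (an unscoped delete) and any escrow provider.
function buildPaymentCleanupFilter(providers: PaymentProvider[], olderThan: Date): PaymentCleanupFilter {
  if (providers.length === 0) {
    throw new Error("payment cleanup must be scoped by provider");
  }
  const escrow = providers.filter((p) => ESCROW_PROVIDERS.has(p));
  if (escrow.length > 0) {
    throw new Error(`refusing to sweep escrow provider(s): ${escrow.join(", ")}`);
  }
  return { provider: { $in: providers }, status: "pending", createdAt: { $lt: olderThan } };
}

// In-memory equivalent of matching the filter against a document.
function matches(p: Payment, f: PaymentCleanupFilter): boolean {
  return (
    f.provider.$in.includes(p.provider) &&
    p.status === f.status &&
    p.createdAt.getTime() < f.createdAt.$lt.getTime() &&
    p.deletedAt === undefined
  );
}

// Soft-delete sweep: marks matching records with `deletedAt` and returns their ids.
// Nothing is removed, so a late webhook can still find the record if needed.
function softDeleteStalePayments(
  payments: Payment[],
  providers: PaymentProvider[],
  olderThan: Date,
  now: Date,
): string[] {
  const filter = buildPaymentCleanupFilter(providers, olderThan);
  const swept: string[] = [];
  for (const p of payments) {
    if (matches(p, filter)) {
      p.deletedAt = now;
      swept.push(p._id);
    }
  }
  return swept;
}

// Constructed sample data (not real records).
const T0 = new Date("2026-05-30T00:00:00Z");
const hoursAgo = (h: number): Date => new Date(T0.getTime() - h * 3_600_000);

const SAMPLE_PAYMENTS: Payment[] = [
  { _id: "p1", provider: "stripe", status: "pending", createdAt: hoursAgo(48) }, // stale checkout: sweep
  { _id: "p2", provider: "stripe", status: "confirmed", createdAt: hoursAgo(48) }, // confirmed: keep
  { _id: "p3", provider: "request.network", status: "pending", createdAt: hoursAgo(48) }, // escrow: keep
  { _id: "p4", provider: "shkeeper", status: "pending", createdAt: hoursAgo(5) }, // escrow: keep
  { _id: "p5", provider: "stripe", status: "pending", createdAt: hoursAgo(1) }, // too recent: keep
];

// Runs a scoped sweep and shows the guard rejecting an escrow provider.
function runExample(): { swept: string[]; rejected: string | null } {
  const payments = SAMPLE_PAYMENTS.map((p) => ({ ...p }));
  const swept = softDeleteStalePayments(payments, ["stripe"], hoursAgo(24), T0);
  let rejected: string | null = null;
  try {
    buildPaymentCleanupFilter(["stripe", "shkeeper"], hoursAgo(24));
  } catch (e) {
    rejected = (e as Error).message;
  }
  return { swept, rejected };
}

console.log(runExample());
```

The guard lives in the filter builder rather than at the call site, so a future caller cannot reach the delete path without naming a provider, and the escrow providers are rejected even when listed explicitly. If the tool must be able to touch escrow records at all (option 3 says it should not), that path should be a separate, audited function rather than a flag on this one.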