- Update data model enums to match backend models - Update API reference auth requirements - Add dispute module references and warning blocks - Add 2026-05-24 audit remediation callout to Overview - Generate task breakdowns and audit artifacts - Add doc alignment report (.taskmaster/reports/)
11 KiB
Task 2.7 — Documentation & Code Alignment Report
Date: 2026-05-24
Auditor: Kimi Code CLI (subagent)
Scope: nick-doc/ technical documentation vs. backend/src/ runtime code
1. Files Reviewed
Data Models (nick-doc/02 - Data Models/)
Data Model Overview.mdPayment.mdPurchaseRequest.mdUser.mdDispute.mdChat.md(spot-checked)
API Reference (nick-doc/03 - API Reference/)
API Overview.mdPayment API.mdDispute API.mdMarketplace API.md(spot-checked)Authentication API.md(spot-checked)
Architecture (nick-doc/01 - Architecture/)
Backend Architecture.mdSecurity Architecture.mdSystem Architecture.md
Flows (nick-doc/04 - Flows/)
Escrow Flow.mdDispute Flow.mdPayment Flow - SHKeeper.mdPayment Flow - DePay & Web3.md
Backend Code
backend/src/models/*.ts(all)backend/src/app.ts(bootstrap, middleware, route mounting)backend/src/services/payment/decentralizedPaymentRoutes.tsbackend/src/services/payment/shkeeper/shkeeperRoutes.tsbackend/src/services/payment/paymentControllerRoutes.tsbackend/src/services/marketplace/controllerRoutes.tsbackend/src/services/marketplace/routes.tsbackend/src/services/auth/passkeyService.ts
2. Discrepancies Found
2.1 Missing modules (documented but not implemented)
| Module | Doc claims | Reality in code |
|---|---|---|
| Dispute | backend/src/services/dispute/, backend/src/models/Dispute.ts, /api/disputes |
None exist. No directory, no model, no routes, no controller. |
| Blog | services/blog/blogRoutes.ts |
Does not exist. |
| Points | services/points/pointsRoutes.ts, Points API |
Does not exist. |
| Admin | services/admin/adminRoutes.ts, Admin API |
Does not exist. |
| Review | Review.md data model |
backend/src/models/Review.ts does not exist. |
| PointTransaction | PointTransaction.md data model |
backend/src/models/PointTransaction.ts does not exist. |
| LevelConfig | LevelConfig.md data model |
backend/src/models/LevelConfig.ts does not exist. |
| ShopSettings | ShopSettings.md data model |
backend/src/models/ShopSettings.ts does not exist. |
| BlogPost | BlogPost.md data model |
backend/src/models/BlogPost.ts does not exist. |
2.2 Data-model enum mismatches
| Model | Field | Doc value | Code value | Severity |
|---|---|---|---|---|
| Payment | provider |
shkeeper / other |
shkeeper / request.network / request-network / other |
Medium |
| Payment | escrowState |
6 values | 8 values (+ cancelled, + partial) |
Medium |
| Payment | metadata |
SHKeeper fields only | Also has requestNetworkRequestId, requestNetworkPaymentReference, requestNetworkSecurePaymentUrl, requestNetworkData |
Low |
| Payment API | Status list | Missing confirmed and processing in the "Status model" prose |
Code has full 7-value enum incl. confirmed, processing |
Medium |
2.3 User-model fields documented but missing from schema
The User.md table describes referralCode, referredBy, points.{total,available,used,level}, and referralStats.{totalReferrals,activeReferrals,totalEarned}. These fields do not exist in backend/src/models/User.ts (line count stops at 201; no referral or points subdocuments). The associated unique/sparse indexes are also absent.
2.4 Authentication requirements (post-remediation drift)
Several endpoints in Payment API.md were documented as unauthenticated but the code now enforces authenticateToken (and in some cases authorizeRoles):
| Endpoint | Doc auth | Code auth | Fix applied |
|---|---|---|---|
POST /api/payment/decentralized/save |
No | Bearer JWT + ownership | ✅ Updated doc |
PUT /api/payment/decentralized/update |
No | Bearer JWT + ownership | ✅ Updated doc |
GET /api/payment/decentralized/history/:userId |
No | Bearer JWT + requireOwnershipOrAdmin |
✅ Updated doc |
POST /api/payment/decentralized/verify/:paymentId |
No | Bearer JWT + ownership | ✅ Updated doc |
POST /api/payment/decentralized/verify-all-pending |
No (cron) | Bearer JWT + admin |
✅ Updated doc |
Additionally, the legacy routes.ts marketplace router applies authenticateToken globally, but app.ts mounts the controller router (controllerRoutes.ts) which exposes public read endpoints. The docs correctly describe the controller-router behaviour.
2.5 Rate limiting
All architecture and API docs stated rate limiting was disabled (app.ts:227). After remediation it is enabled with four tiers:
- Global: 100 req / 15 min
- Auth: 10 req / 15 min
- Payment: 30 req / 15 min
- AI: 20 req / 15 min
2.6 Socket.IO authentication
Docs described Socket.IO as an open real-time channel. In reality app.ts now enforces:
- JWT verification on every connection (
io.use(jwt.verify(...))). - Strict room-membership checks (
join-user-room,join-request-room,join-chat-room, etc.) that reject cross-user or unauthorized joins.
2.7 Passkey hardening
passkeyService.ts now implements:
- Single-use challenge consumption (
consumeChallengedeletes immediately after read). - 5-minute challenge TTL with periodic cleanup.
- Explicit expiry error messages.
- This was not documented in the Security Architecture or Authentication API docs.
2.8 Endpoint path errors in flow docs
Payment Flow - DePay & Web3.mdreferencedPOST /api/payment/decentralized/createwhich does not exist; the actual endpoint isPOST /api/payment/decentralized/save.- Same doc referenced
POST /api/payment/decentralized/verifywhich does not exist; the actual endpoint isPOST /api/payment/decentralized/verify/:paymentId.
2.9 Backend Architecture route table omissions
The original table:
- Listed
/api/payment/payoutas a top-level mount; it is actually nested under/api/payment/shkeeper/payout*. - Listed
/api/file; the actual mount is/api/files. - Omitted
/api/trezor,/api/email,/api/payment/decentralized, and/api/payment/request-network.
3. Fixes Applied
Data Models
-
Payment.md- Expanded
providerenum to match code (request.network,request-network). - Expanded
escrowStateenum to includecancelled,partial. - Added Request Network metadata fields to the schema table.
- Updated "Status model" prose to include
confirmedandprocessing.
- Expanded
-
User.md- Added
[!warning]blocks onreferralCode,referredBy,points, andreferralStatsfields marking them as not yet implemented. - Corrected index line references and added a note about missing indexes.
- Added
-
Dispute.md- Added a prominent
[!warning]thatbackend/src/models/Dispute.tsdoes not exist and the schema reflects intended design only.
- Added a prominent
-
Data Model Overview.md- Added a scope warning listing documented models that lack Mongoose schema files.
- Noted the two undocumented models that exist in code (
FundsLedgerEntry.ts,TrezorAccount.ts).
API Reference
-
API Overview.md- Rewrote "Rate limiting" section to describe the four active tiers.
- Rewrote "Real-time channel" section to document Socket.IO JWT enforcement and room-membership checks.
- Marked
Dispute API,Blog API,Admin API, andPoints APIas "planned, not yet implemented".
-
Payment API.md- Updated auth requirements for all decentralized endpoints to reflect
authenticateTokenenforcement. - Updated status/escrowState enums.
- Updated auth requirements for all decentralized endpoints to reflect
-
Dispute API.md- Added a top-level
[!warning]that the module is not implemented. - Rewrote introductory sentences to use conditional language ("would be", "planned").
- Added a top-level
Architecture
-
Backend Architecture.md- Updated middleware chain note: rate limiting is now enabled.
- Updated route table to reflect actual mounts, mark missing services, and add omitted routes (
/api/files,/api/trezor,/api/email,/api/payment/decentralized,/api/payment/request-network). - Changed solid dependency arrows from
disputeandpointsto dotted lines in the Mermaid diagram to indicate planned-but-not-implemented status.
-
Security Architecture.md- Updated "Rate limiting & abuse" section to reflect enabled tiers.
- Checked off "Enable rate-limit middleware" and "Enforce Socket.IO JWT authentication" in the hardening checklist.
Flows
-
Escrow Flow.md- Updated
escrowStateenum prose to includecancelledandpartial. - Added
Cancelledstate to the Mermaid state diagram.
- Updated
-
Dispute Flow.md- Added a
[!warning]block next to backend file references stating none exist.
- Added a
-
Payment Flow - DePay & Web3.md- Changed
POST /api/payment/decentralized/create→POST /api/payment/decentralized/savewith auth note. - Changed
POST /api/payment/decentralized/verify→POST /api/payment/decentralized/verify/:paymentIdwith auth note.
- Changed
Changelog
nick-doc/00 - Overview/Introduction.md- Inserted a 2026-05-24 audit-remediation callout at the top summarising auth enforcement, rate limiting, passkeys, Web3 verification, Socket.IO auth, and dispute status.
4. Remaining Gaps
The following items were identified but not fully resolved (out of scope for a pure doc-alignment task or require code implementation):
- Missing models still documented —
Dispute,BlogPost,Review,PointTransaction,LevelConfig, andShopSettingsremain in the docs with warnings. A future subtask should either implement the models or move the docs to a "Planned" archive folder. - Missing services still documented —
Dispute API,Blog API,Admin API,Points APIstill have markdown pages. Same recommendation as above. - User referral/points fields — The
User.tsschema is missing the documented referral and points subdocuments. Either the schema needs to be extended or the fields should be removed fromUser.mdonce a final product decision is made. - Frontend docs not audited — This subtask focused on backend alignment.
nick-doc/05 - Design System/andfrontend/src/docs were not reviewed. - OpenAPI / generated spec — The
openapi.jsonreferenced inBackend Architecture.mdwas not regenerated or audited. FundsLedgerEntry&TrezorAccount— These models exist inbackend/src/models/but have no documentation notes yet. They should be added toData Model Overview.mdin a future pass.
5. Acceptance Criteria Verification
| Criterion | Status | Evidence |
|---|---|---|
| Data model enums in docs match backend models | ✅ | Payment.md provider & escrowState enums aligned; User.md enum values verified against User.ts. |
| API reference auth requirements reflect post-remediation state | ✅ | Decentralized payment endpoints now correctly list Bearer JWT; rate limiting section updated. |
| Flow docs do not describe unauthenticated financial endpoints | ✅ | DePay flow updated to show auth on save and verify/:paymentId. |
| Report file created | ✅ | This file. |
| No incorrect references to non-existent dispute modules remain | ✅ | All dispute references now carry [!warning] blocks and conditional language. |
End of report.