Purpose: Canonical reference mapping every REST endpoint and Socket.IO event to its required access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement. Implementation tasks reference individual rows by ID.
How to read this document:
Each row is a discrete authorization rule identified by a unique ID (e.g., AUTH-R001).
| Access Level | Definition | Enforced By |
|---|---|---|
| Authenticated | Valid Bearer JWT. req.user = { id, email, role } is populated. | authenticateToken middleware on route. |
| Owner | Authenticated + req.user.id matches the resource owner. Ownership is determined per resource type: (a) User profile/addresses/wallet: user._id === req.params.userId; (b) PurchaseRequest: request.buyerId === req.user.id; (c) SellerOffer: offer.sellerId === req.user.id; (d) Payment: payment.buyerId === req.user.id | |
| Buyer | Authenticated + user is the buyer on the specific purchase request (i.e., request.buyerId === req.user.id). | authenticateToken + service-layer buyer check. |
| Seller | Authenticated + user is the selected seller on the purchase request (request.selectedOffer.sellerId === req.user.id) or has a seller role making an offer. | authenticateToken + service-layer seller check. |
| Admin | Authenticated + req.user.role === 'admin'. All admin actions MUST be audit-logged. | authenticateToken + roleGuard('admin') or authorizeRoles('admin'). |
| Support | Authenticated + req.user.role === 'support'. Read-only access to user data, dispute records, and chat. Can reset passwords and escalate to admin. Cannot modify financial records or release funds. | authenticateToken + roleGuard('support'). Controller must enforce read-only constraint. |
| Service | Internal service-to-service calls. Authenticated via shared secret (X-Internal-Secret header) or restricted to localhost network. Not user-facing. | Custom middleware verifying internal header or req.ip === '127.0.0.1'. |
| Step-up | Admin + re-authenticated within last 15 minutes (configurable). Required for: payout creation/release, role changes, large refunds (>$100), user deletion, admin-wallet signing. | authenticateToken + roleGuard('admin') + step-up timestamp check from Redis session. |
| HMAC | No user auth. Verified via HMAC-SHA256 signature on raw body using SHKEEPER_WEBHOOK_SECRET. Signature-verified, not identity-verified. | express.raw() body parser + timing-safe HMAC comparison. |
Section 2: REST Endpoint Authorization Matrix
Rate-Limit Tiers (reference)

| Tier | Limit | Scope | Applies to |
|---|---|---|---|
| Tier 1 (strict) | 5 req / 5 min / IP | Login, register, password reset, verification | Auth mutation paths |
| Tier 2 (auth-financial) | 20 req / 15 min / user | Payment operations, AI calls, file uploads | Financial and cost-bearing |
| Tier 3 (moderate) | 60 req / 15 min / user | Chat messages, notifications, marketplace writes | User interaction |
| Tier 4 (relaxed) | 200 req / 15 min / IP | Public reads, browsing | Public data access |
| Tier 5 (webhook) | Provider-specific; signature-verified | SHKeeper inbound webhooks | External callbacks |
| Tier 6 (admin) | 60 req / 15 min / user | Admin write operations | Admin mutations |
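The tier table is data, so a limiter can be driven directly from it. The following is an added example, not the project's limiter: it encodes Tiers 1-4 and 6 (Tier 5 is signature-verified and has no fixed count) as a sliding-window counter keyed per IP or per user as the Scope column states. The in-memory Map store, the fallback to IP for per-user tiers when no user is present, and the injectable clock are assumptions; a shared store such as Redis would replace the Map in a multi-instance deployment.

```javascript
// Added example (not the project's code): tiered sliding-window rate limiter.
const TIERS = {
  1: { limit: 5,   windowMs: 5 * 60 * 1000,  keyBy: 'ip' },   // auth mutation paths
  2: { limit: 20,  windowMs: 15 * 60 * 1000, keyBy: 'user' }, // financial and cost-bearing
  3: { limit: 60,  windowMs: 15 * 60 * 1000, keyBy: 'user' }, // user interaction
  4: { limit: 200, windowMs: 15 * 60 * 1000, keyBy: 'ip' },   // public reads
  6: { limit: 60,  windowMs: 15 * 60 * 1000, keyBy: 'user' }, // admin mutations
};

class TieredRateLimiter {
  constructor(tiers = TIERS) {
    this.tiers = tiers;
    this.hits = new Map(); // bucket key -> array of hit timestamps inside the window
  }

  // Bucket key: per-user tiers fall back to the IP for unauthenticated callers (assumed policy).
  keyFor(tier, req) {
    const cfg = this.tiers[tier];
    const subject = cfg.keyBy === 'user' && req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
    return `t${tier}:${subject}`;
  }

  // Returns { allowed, remaining, retryAfterMs }. A refused request is not counted.
  check(tier, req, now = Date.now()) {
    const cfg = this.tiers[tier];
    if (!cfg) throw new Error(`unknown rate-limit tier ${tier}`);
    const key = this.keyFor(tier, req);
    const recent = (this.hits.get(key) || []).filter((t) => now - t < cfg.windowMs);
    if (recent.length >= cfg.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + cfg.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: cfg.limit - recent.length, retryAfterMs: 0 };
  }
}

// Guard for a matrix row: maps the row's "Rate-Limit Tier" cell to a check.
function guardForRow(limiter, row, req, now) {
  const tier = Number(String(row.rateLimitTier).replace(/^Tier\s*/i, ''));
  return limiter.check(tier, req, now);
}

module.exports = { TIERS, TieredRateLimiter, guardForRow };
```

In middleware form the refused branch becomes a 429 with Retry-After set from retryAfterMs; the allowed branch sets the remaining count on a response header and calls next().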
2.1 Auth Routes
| ID | Method | Path | Access Level | Ownership Check | State Preconditions | Rate-Limit Tier | Audit Log | Current State | Required State | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| AUTH-R001 | POST | /api/auth/register | Public | None | None | Tier 1 | No | No rate limit. Code logged to stdout. T07. | Public + Tier 1 + remove code logging | Triggers email send. |
| AUTH-R002 | POST | /api/auth/verify-email-code | Public | None | TempVerification exists and not expired | Tier 1 | No | No rate limit. T07. | Public + Tier 1 | Creates User + issues JWT. |
| AUTH-R003 | GET | /api/auth/verify-email/:token | Public | None | Token not expired | Tier 1 | No | Legacy path. | Public + Tier 1 | Legacy URL-based verification. |
| AUTH-R004 | POST | /api/auth/resend-verification | Public | None | User/TempVerification exists | Tier 1 | No | No rate limit. T07. | Public + Tier 1 | Email cost abuse vector. |
| AUTH-R005 | POST | /api/auth/force-verify-user | Service | None | NODE_ENV=development only | Tier 1 | Yes | No auth gate. Exposed in production. | Disable in production builds | Dev-only. Must be removed from prod. |
| AUTH-R006 | POST | /api/auth/login | Public | None | Account not locked | Tier 1 | Yes (failure) | Redis lockout exists. No global rate limit. T12. | Public + Tier 1 + audit failure | Lockout after N failures. |
| AUTH-R007 | POST | /api/auth/refresh-token | Public | Token belongs to user | Refresh token valid and not revoked | Tier 1 | No | No rate limit. | Public + Tier 1 | Rotation detects reuse. |
| AUTH-R008 | POST | /api/auth/logout | Authenticated | Token belongs to user | None | Tier 3 | No | Auth enforced. | Authenticated | Clears Redis session. |
| AUTH-R009 | POST | /api/auth/google/signup | Public | None | Google ID token valid | Tier 1 | No | No rate limit. | Public + Tier 1 | Creates user if new email. |
| AUTH-R010 | POST | /api/auth/google/signin | Public | None | Google ID token valid, user exists | Tier 1 | No | No rate limit. | Public + Tier 1 | Returns JWT for existing user. |
| AUTH-R011 | POST | /api/auth/passkey/authenticate/challenge | Public | None | None | Tier 1 | No | Stubbed implementation. T10. | Disable or fix | Passkeys are broken per T10. |
| AUTH-R012 | POST | /api/auth/passkey/authenticate | Public | None | Challenge valid (in-memory) | Tier 1 | No | In-memory challenge store breaks at scale. T10. | Disable or fix | Public key is stub string. |
| AUTH-R013 | POST | /api/auth/passkey/register/challenge | Authenticated | None | None | Tier 1 | No | Auth required. | Authenticated | Challenge in process memory. |
| AUTH-R014 | POST | /api/auth/passkey/register | Authenticated | None | Challenge valid | Tier 1 | No | Auth required. | Authenticated | Stores stub public key. |
| AUTH-R015 | GET | /api/auth/passkey/list | Authenticated | Owner | None | Tier 3 | No | Auth required. | Authenticated | Returns caller's passkeys. |
| AUTH-R016 | DELETE | /api/auth/passkey/:passkeyId | Authenticated | Owner | Passkey belongs to user | Tier 3 | Yes | Auth required. | Authenticated + audit | |
| AUTH-R017 | POST | /api/auth/request-password-reset | Public | None | User with email exists | Tier 1 | No | Redis rate limit exists. Code logged to stdout. T22. | Public + Tier 1 + remove code logging | Always returns success to avoid enumeration. |
| AUTH-R018 | POST | /api/auth/reset-password | Public | None | Reset token valid and not expired | Tier 1 | Yes | No rate limit. | Public + Tier 1 + audit | Wipes refresh tokens. |
| AUTH-R019 | POST | /api/auth/reset-password-with-code | Public | None | Code valid and not expired | Tier 1 | Yes | No rate limit. | Public + Tier 1 + audit | Alternative reset path. |
| AUTH-R020 | POST | /api/auth/change-password | Authenticated | Owner | Current password correct | Tier 3 | Yes | Auth enforced. | Authenticated + audit | Clears all refresh tokens. |
| AUTH-R021 | GET | /api/auth/profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | Returns full user doc. |
| AUTH-R022 | PUT | /api/auth/profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | |
| AUTH-R023 | POST | /api/auth/update-profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. Legacy alias. | Authenticated | Duplicate of R022. |
| AUTH-R024 | DELETE | /api/auth/account | Authenticated | Owner | Password re-verified | Tier 3 | Yes | Auth + password required. | Authenticated + audit | Permanent deletion. |
2.2 User Routes
| ID | Method | Path | Access Level | Ownership Check | State Preconditions | Rate-Limit Tier | Audit Log | Current State | Required State | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| USER-R001 | GET | /api/user/profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | New controller path. |
| USER-R002 | PUT | /api/user/profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | |
| USER-R003 | GET | /api/users/profile | Authenticated | Owner | None | Tier 3 | No | Auth enforced. Legacy. | Authenticated | Legacy alias. |
| USER-R004 | GET | /api/users/profile/:userId | Authenticated | Owner or Admin | None | Tier 3 | No | Auth enforced. Public/private split based on isPublic flag. | Authenticated | Returns limited fields for non-owners. |
| USER-R005 | GET | /api/user/wallet-address | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | Returns stored wallet. |
| USER-R006 | PATCH | /api/user/wallet-address | Authenticated | Owner | Signature verification passes | Tier 3 | Yes | Auth enforced. EIP-191 verify. | Authenticated + audit | Financial implications. |
| USER-R007 | GET | /api/users/contacts | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | Role-filtered contact list. |
| USER-R008 | GET | /api/users/search | Authenticated | None | q.length >= 2 | Tier 3 | No | Auth enforced. | Authenticated | Returns max 20 results. |
| USER-R009 | GET | /api/users | Authenticated | None | None | Tier 3 | No | Auth enforced. No admin gate. [VERIFY] | Authenticated | Paginated user directory. Should restrict non-admin to limited fields. |
2.3 User Admin Routes
| ID | Method | Path | Access Level | Ownership Check | State Preconditions | Rate-Limit Tier | Audit Log | Current State | Required State | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| UADM-R001 | POST | /api/user/admin/create | Admin | None | Email not taken | Tier 6 | Yes | Inline role check. [VERIFY] consistent enforcement. | Admin + Step-up + audit | Creates user with arbitrary role. T09. |
| UADM-R002 | DELETE | /api/user/admin/:userId | Admin | Cannot delete self or other admins | Target user exists | Tier 6 | Yes | Inline role check. | Admin + Step-up + audit | Hard delete. T09. |
| UADM-R003 | PATCH | /api/user/admin/:userId/status | Admin | None | Target user exists | Tier 6 | Yes | Inline role check. | Admin + audit | Activate/suspend. |
| UADM-R004 | PATCH | /api/user/admin/:userId/toggle-status | Admin | None | Target user exists | Tier 6 | Yes | Inline role check. | Admin + audit | Flip active/suspended. |
| UADM-R005 | PATCH | /api/user/admin/:userId/role | Admin | None | Target user exists; valid role | Tier 6 | Yes | Inline role check. | Admin + Step-up + audit | Role change is high-risk. T09. |
| UADM-R006 | GET | /api/user/admin/list | Admin | None | None | Tier 6 | No | Inline role check. | Admin | Paginated user directory. |
| UADM-R007 | GET | /api/user/admin/:userId/dependencies | Admin | None | Target user exists | Tier 6 | No | Inline role check. | Admin | Pre-delete check. |
| UADM-R008 | GET | /api/users/admin/stats | Admin | None | None | Tier 6 | No | Inline role check. | Admin | Aggregated stats. |
| UADM-R009 | GET | /api/users/admin/:userId | Admin | None | Target user exists | Tier 6 | No | Inline role check. | Admin | Full user detail. |
| UADM-R010 | PUT | /api/users/admin/:userId | Admin | None | Target user exists | Tier 6 | Yes | Inline role check. | Admin + audit | Mass update user. |
| UADM-R011 | PUT | /api/users/admin/update/:email | Admin | None | User with email exists | Tier 6 | Yes | Inline role check. | Admin + audit | Mass update by email. |
| UADM-R012 | PATCH | /api/users/admin/:userId/password | Admin | None | Target user exists | Tier 6 | Yes | Inline role check. | Admin + Step-up + audit | Wipes all sessions. |
| UADM-R013 | POST | /api/users/admin/:userId/resend-verification | Admin | None | User not already verified | Tier 6 | Yes | Inline role check. | Admin + audit | Triggers email. |
2.4 Address Routes
| ID | Method | Path | Access Level | Ownership Check | State Preconditions | Rate-Limit Tier | Audit Log | Current State | Required State | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| ADDR-R001 | GET | /api/addresses | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | Lists caller's addresses. |
| ADDR-R002 | POST | /api/addresses | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | First auto-primary. |
| ADDR-R003 | PUT | /api/addresses/:addressId | Authenticated | Owner | Address belongs to user | Tier 3 | No | Auth enforced. 404 if not owned. | Authenticated | |
| ADDR-R004 | DELETE | /api/addresses/:addressId | Authenticated | Owner | Address belongs to user | Tier 3 | No | Auth enforced. | Authenticated | Promotes next primary. |
| ADDR-R005 | PATCH | /api/addresses/:addressId/primary | Authenticated | Owner | Address belongs to user | Tier 3 | No | Auth enforced. | Authenticated | |
2.5 Purchase Request Routes
| ID | Method | Path | Access Level | Ownership Check | State Preconditions | Rate-Limit Tier | Audit Log | Current State | Required State | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| PR-R001 | POST | /api/marketplace/purchase-requests | Buyer | None | None | Tier 3 | No | Auth enforced. | Authenticated (Buyer) | Emits to sellers room. |
| PR-R002 | POST | /api/marketplace/purchase-requests/bulk | Buyer | None | None | Tier 3 | No | Auth enforced. | Authenticated (Buyer) | Template checkout. |
| PR-R003 | GET | /api/marketplace/purchase-requests | Authenticated | None (filtered by role) | None | Tier 3 | No | Auth enforced. | Authenticated | Buyers see own; sellers see routed; admins see all. |
| PR-R004 | GET | /api/marketplace/purchase-requests/my | Authenticated | Owner | None | Tier 3 | No | Auth enforced. | Authenticated | Shortcut for caller's requests. |
| PR-R005 | GET | /api/marketplace/purchase-requests/:id | Public | None | None | Tier 4 | No | No auth. Public read for shareable links. | Public | Exposes request data to unauthenticated users. Consider limiting fields. |
Server-to-client events are emitted by backend services after REST-level authorization. The socket layer does NOT re-authorize emissions; it relies on room membership to limit audience. This table documents which rooms receive which events and what data they contain.
| ID | Event Name | Direction | Emitted By | Target Rooms | Payload Sensitivity | Audit Log | Notes |
|---|---|---|---|---|---|---|---|
| SOCK-E015 | new-notification | Server -> Client | NotificationService | user-{recipientId} | Contains notification body; PII if notification content includes it | No | Relies on correct room membership. |
| SOCK-E016 | unread-count-update | Server -> Client | NotificationService | user-{userId} | Low (count only) | No | |
| SOCK-E017 | new-purchase-request | Server -> Client | PurchaseRequestService | sellers | Contains request details; some fields may be sensitive | No | Broadcast to all sellers. |
| SOCK-E018 | new-offer | Server -> Client | SellerOfferService | buyer-{buyerId} | Contains offer price; financial data | No | |
| SOCK-E019 | seller-offer-update | Server -> Client | SellerOfferService | seller-{sellerId} + global on payment | Contains offer status and payment info | No | Global emit leaks data. |
| SOCK-E020 | purchase-request-update | Server -> Client | PurchaseRequestService | request-{requestId} | Contains status and tx hashes | No | |
| SOCK-E021 | request-cancelled | Server -> Client | PurchaseRequestService | user-{buyerId}, user-{sellerId} | Contains request ID | No | |
| SOCK-E022 | transaction-completed | Server -> Client | MarketplaceController | user-{buyerId}, user-{sellerId} | Contains amount and currency | No | |
| SOCK-E023 | delivery-code-generated | Server -> Client | DeliveryService | request-{requestId} | Contains 6-digit code. HIGH sensitivity. | No | Code exposed to room; only seller should see it. |
| SOCK-E024 | delivery-update | Server -> Client | DeliveryService | request-{requestId} | Contains carrier/tracking | No | |
| SOCK-E025 | delivery-confirmed | Server -> Client | DeliveryService | request-{requestId} | Contains request ID only | No | |
| SOCK-E026 | buyer-confirmed-delivery | Server -> Client | DeliveryService | user-{sellerId} | Contains buyerId | No | |
| SOCK-E027 | payment-created | Server -> Client | PaymentService | Global | Contains paymentId, amount, currency, parties | No | Global emit leaks financial metadata. |
| SOCK-E028 | payment-received | Server -> Client | PaymentRoutes | user-{sellerId} | Contains amount, buyerId | No | |
| SOCK-E029 | payment-update | Server -> Client | PaymentCoordinator | Global + room-specific | Contains status, escrowState, txHash | No | Global emit is too broad. |
| SOCK-E030 | payout-created | Server -> Client | PayoutService | Global | Contains payoutId, sellerId, amount | No | Global emit. Should be targeted. |
| SOCK-E031 | payout-completed | Server -> Client | PayoutService | Global, user-{sellerId} | Contains txHash | No | |
| SOCK-E032 | payout-updated | Server -> Client | PayoutService | Global | Contains status | No | |
| SOCK-E033 | new-message | Server -> Client | ChatService | chat-{chatId} | Contains message content; potentially sensitive | No | |
| SOCK-E034 | messages-read | Server -> Client | ChatService | chat-{chatId} | Low (read receipt) | No | |
| SOCK-E035 | message-edited | Server -> Client | ChatService | chat-{chatId} | Contains new content | No | |
| SOCK-E036 | message-deleted | Server -> Client | ChatService | chat-{chatId} | Low (messageId) | No | |
| SOCK-E037 | participants-added | Server -> Client | ChatService | chat-{chatId} | Contains user IDs | No | |
| SOCK-E038 | participant-removed | Server -> Client | ChatService | chat-{chatId} | Contains user ID | No | |
| SOCK-E039 | user-typing | Server -> Client | Socket handler | chat-{chatId} | Contains userId, userName | No | |
| SOCK-E040 | user-status-change | Server -> Client | Socket handler | Broadcast | Contains userId, lastSeen | No | |
| SOCK-E041 | level-up | Server -> Client | PointsService | user-{userId} | Low (level info) | No | |
| SOCK-E042 | referral-reward | Server -> Client | PointsService | user-{referrerId} | Contains points earned | No | |
| SOCK-E043 | referral-signup | Server -> Client | AuthController | user-{referrerId} | Contains referred user info | No | |
| SOCK-E044 | template-checkout-payment-confirmed | Server -> Client | PaymentCoordinator | Global + template-checkout-{id} | Contains paymentId, requestIds | No | Global emit. |
| SOCK-E045 | template-checkout-payment-pending | Server -> Client | PaymentCoordinator | Global | Contains checkoutId | No | Global emit. |
| SOCK-E046 | template-checkout-payment-failed | Server -> Client | PaymentCoordinator | Global | Contains checkoutId, reason | No | Global emit. |
Section 4: Current Gaps and Required Fixes
4.1 CRITICAL -- Authentication Missing but Required
| Gap ID | Endpoint / Event | Threat IDs | Description | Impact |
|---|---|---|---|---|
| GAP-C001 | POST /api/payment/decentralized/save | T11, T21 | No authentication. Anyone can persist Web3 payment records. | Payment fraud; data poisoning |
| GAP-C002 | PUT /api/payment/decentralized/update | T11 | No authentication. Anyone can update decentralized payment status/confirmations. | Payment status manipulation |
| GAP-C003 | GET /api/payment/decentralized/history/:userId | T21 | No authentication. Anyone can read any user's payment history. | Privacy breach; data exfiltration |
| GAP-C004 | POST /api/payment/decentralized/verify/:paymentId | T01, T11 | No authentication. Anyone can trigger chain re-verification. | DoS; payment fraud if verification is flawed |
| GAP-C005 | POST /api/payment/decentralized/verify-all-pending | T11 | No authentication. Anyone can trigger batch verification. | DoS; resource exhaustion |
| GAP-C006 | GET /api/payment/decentralized/status/:paymentId | T21 | No authentication. Payment status exposed. | Information disclosure |
| GAP-C007 | POST /api/payment/shkeeper/create-test-payment | T11, T21 | No authentication. Injects fake payment records. | Data poisoning in production |
| GAP-C008 | POST /api/ai/generate | T08 | No authentication. Unlimited OpenAI cost abuse. | Financial cost; DoS |
| GAP-C009 | POST /api/ai/analyze | T08 | No authentication. | Financial cost |
| GAP-C010 | POST /api/ai/translate | T08 | No authentication. | Financial cost |
| GAP-C011 | POST /api/ai/assist | T08 | No authentication. | Financial cost |
| GAP-C012 | POST /api/auth/force-verify-user | T09 | No authentication gate. Bypasses email verification. | Account takeover |
| GAP-C013 | POST /api/payment/shkeeper/test | T11 | No authentication in production. | Test data in production |
| GAP-C014 | POST /api/payment/shkeeper/callback-test | T11 | No authentication in production. | Test data in production |
| GAP-C015 | GET /api/payment/shkeeper/callback-test | T11 | No authentication in production. | Test data in production |
| GAP-C016 | Legacy notification router (mounted without auth) | T21 | Accepts ?userId= query parameter for notification read/modify. | Privacy breach; notification manipulation |
| GAP-C017 | Socket.IO room join events | T03 | Client-supplied userId/requestId/chatId; server verification uncertain. Any authenticated user may subscribe to any other user's rooms. | Private data exfiltration; real-time surveillance |
4.2 CRITICAL -- Ownership Check Missing but Required
| Gap ID | Endpoint / Event | Threat IDs | Description | Impact |
|---|---|---|---|---|
| | | | Buyer can confirm delivery before seller ships (manual fast-track). | Escrow released without delivery |
| GAP-H011 | PUT /api/marketplace/offers/:id/status | T09 | No documented admin-only enforcement on direct status mutation. | Unauthorized offer manipulation |
4.5 MEDIUM -- Audit Logging Missing but Required
| Gap ID | Endpoint / Event | Description | Impact |
|---|---|---|---|
| GAP-M001 | All admin routes (user management) | No structured audit log for admin user management actions. | No accountability for admin actions |
| GAP-M002 | POST /api/payment/shkeeper/:id/release | No append-only audit log for escrow release. | No financial audit trail |
| GAP-M003 | POST /api/payment/shkeeper/:id/refund | No append-only audit log for escrow refund. | No financial audit trail |
| GAP-M004 | POST /api/payment/shkeeper/payout | No append-only audit log for payout creation. | No financial audit trail |
| GAP-M005 | POST /api/disputes/:id/resolve | No append-only audit log for dispute resolution. | No dispute resolution trail |
| GAP-M006 | PATCH /api/user/admin/:userId/role | No audit log for role changes. | No accountability |
| GAP-M007 | DELETE /api/user/admin/:userId | No audit log for user deletion. | No accountability |
| GAP-M008 | POST /api/points/admin/add | No structured audit log for manual point grants. | No points audit trail |
| GAP-M009 | POST /api/auth/change-password | No audit log for password changes. | No security event trail |
| GAP-M010 | Global emit events (payment-created, payment-update, payout-created, etc.) | Sensitive financial data broadcast globally via Socket.IO. Should be targeted. | Data overexposure |
4.6 Socket.IO-Specific Gaps
| Gap ID | Issue | Threat IDs | Description | Impact |
|---|---|---|---|---|
| GAP-S001 | No handshake JWT authentication | T03 | Socket Events doc states "no token-based handshake" -- ownership checked at REST layer only. | Unauthenticated socket connections |
| GAP-S002 | Client-driven room joins | T03 | All join-* events accept arbitrary IDs. Server must verify socket.data.user.id matches. | Eavesdropping on other users |
| GAP-S003 | delivery-code-generated event to request room | T03 | 6-digit code emitted to request room where both buyer and seller are present. Code should only go to seller. | Buyer can intercept own code |
| GAP-S004 | Global payment events | T03, T21 | payment-created, payment-update, payout-created emitted globally. Financial data exposed to all connected sockets. | Data overexposure |
| GAP-S005 | No socket event rate limiting | T12 | No per-event rate limiting on typing, messages, or room joins. | Socket spam; DoS |
| GAP-S006 | No offline status tracking | -- | No userId-to-socketId mapping stored; no offline broadcast on disconnect. | Stale presence data |
Section 5: Implementation Priority
P0 -- Fix Immediately (Blocks Launch)
These gaps allow unauthenticated or unauthorized access to financial data or fund manipulation. They must be resolved before any public deployment.
| Priority | Gap IDs | Work Required | Threat IDs | Estimated Effort |
|---|---|---|---|---|
| P0-1 | GAP-C001, C002, C003, C004, C005, C006 | Add Bearer JWT auth to all /api/payment/decentralized/* endpoints. Add ownership check (buyer on referenced purchase request, or admin). | T11, T21 | 1-2 days |
| P0-2 | GAP-C007, C013, C014, C015 | Remove or disable test/demo endpoints in production builds. Add NODE_ENV gate that returns 404 in production. | T11 | 0.5 days |
| P0-3 | GAP-C008, C009, C010, C011 | Add Bearer JWT auth to all /api/ai/* endpoints. Add per-user daily token budget. | T08 | 0.5 days |
| P0-4 | GAP-C012 | Remove /api/auth/force-verify-user from production builds or gate behind NODE_ENV + admin role. | T09 | 0.5 hours |
| P0-5 | GAP-C016 | Remove legacy notification router or add authenticateToken to all its routes. Ensure controller router wins for all shared paths. | T21 | 1 day |
| P0-6 | GAP-C019, C020, H009 | Add escrowState=disputed check before release/refund. DisputeService.createDispute must set escrow hold. PaymentCoordinator must enforce it. | T06 | 1 day |
| P0-7 | GAP-C021 | Decode Transfer event in BSCTransactionVerifier. Verify recipient==ESCROW_WALLET, value>=expectedAmount, token contract matches. | T01 | 1 day |
| P0-8 | GAP-C017, S001, S002 | Require JWT in Socket.IO handshake. Server auto-joins user-{decoded.id}. For role rooms, derive from decoded.role. For chat rooms, verify participants. Remove client-driven join-* events. | T03 | 2-3 days |
| P0-9 | GAP-H001 | Enable global rate limiting in app.ts. Configure tiered limits per Section 2. | T12 | 0.5 days |
P1 -- Fix Before Launch
These gaps involve missing ownership checks, rate limits on authentication paths, and state precondition enforcement. They represent significant security risks but are slightly lower priority than unauthenticated financial access.
| Priority | Gap IDs | Work Required | Threat IDs | Estimated Effort |
|---|---|---|---|---|
| P1-1 | GAP-C018 | Reject PATCH /api/marketplace/offers/:id if offer.status !== 'pending'. Snapshot offer amount at payment creation. | | |
| | | Add Tier 2 rate limiting on /api/ai/*. 20 req/15 min/user. | T08 | 0.5 days |
| P1-6 | GAP-H008 | Add Tier 3 rate limiting on /api/chat/:id/messages. 60 req/15 min/user. | T12 | 0.5 days |
| P1-7 | GAP-H010 | Restrict delivery confirmation to status=delivery only. Remove manual fast-track or require admin override. | T20 | 0.5 days |
| P1-8 | GAP-H011 | Add roleGuard('admin') to PUT /api/marketplace/offers/:id/status. | T09 | 0.5 hours |
| P1-9 | GAP-S003 | Emit delivery-code-generated only to seller, not to entire request room. | T03 | 0.5 hours |
| P1-10 | GAP-S004 | Change payment-created, payment-update, payout-created from global emit to targeted room emits (user-{buyerId}, user-{sellerId}). | T03, T21 | 1 day |
| P1-11 | GAP-S005 | Add per-socket rate limiting for high-frequency events (typing, messages). | T12 | 1 day |
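The socket-layer items P0-8, P1-9 and P1-10 (and the Section 3 note that emissions rely on room membership rather than re-authorization) reduce to two rules: rooms are derived from verified JWT claims, never from client-supplied IDs, and every server-to-client event resolves to an explicit target list with no global fallback. The block below is an added example, not the project's socket code: it models both rules as pure functions plus a minimal in-process room router so the audience of each emit can be checked without Socket.IO. The claim names (id, role) follow Section 1; the 'admins' room, the chat.participants array and the exact audience table are assumptions drawn from the Target Rooms column and the P1 work items.

```javascript
// Added example (not the project's code): claim-derived rooms and targeted emission.

// Rooms the server joins a socket to at handshake time, from decoded JWT claims only.
function roomsForHandshake(claims) {
  const rooms = [`user-${claims.id}`];
  if (claims.role === 'seller') rooms.push('sellers'); // role room derived from decoded.role
  if (claims.role === 'admin') rooms.push('admins');   // assumed admin room
  return rooms;
}

// A chat room may be joined only by a participant of that chat (server-side check,
// replacing the client-driven join-* events). chat.participants is an assumed shape.
function canJoinChat(claims, chat) {
  return Array.isArray(chat.participants) && chat.participants.includes(claims.id);
}

// Target rooms per event. Parties are addressed individually, so no room ever
// contains a socket that should not see the payload. Unknown events throw rather
// than falling back to a global emit.
function audienceFor(event, payload) {
  switch (event) {
    case 'payment-created':
    case 'payment-update':
    case 'transaction-completed':
      return [`user-${payload.buyerId}`, `user-${payload.sellerId}`];
    case 'payout-created':
    case 'payout-completed':
    case 'payout-updated':
      return [`user-${payload.sellerId}`];
    case 'delivery-code-generated':
      return [`user-${payload.sellerId}`]; // P1-9: the code must not reach the buyer
    case 'new-purchase-request':
      return ['sellers'];
    case 'new-message':
    case 'user-typing':
      return [`chat-${payload.chatId}`];
    default:
      throw new Error(`no audience defined for event ${event}`); // fail closed
  }
}

// Minimal room membership model so routing can be exercised offline.
class RoomRouter {
  constructor() { this.members = new Map(); } // room -> Set of socket ids

  connect(socketId, claims) {
    for (const room of roomsForHandshake(claims)) this.join(socketId, room);
  }

  join(socketId, room) {
    if (!this.members.has(room)) this.members.set(room, new Set());
    this.members.get(room).add(socketId);
  }

  // Returns the sorted list of socket ids that would receive the event.
  emit(event, payload) {
    const out = new Set();
    for (const room of audienceFor(event, payload)) {
      for (const socketId of this.members.get(room) || []) out.add(socketId);
    }
    return [...out].sort();
  }
}

module.exports = { roomsForHandshake, canJoinChat, audienceFor, RoomRouter };
```

With Socket.IO the same functions slot into the connection handler (socket.join for each room from roomsForHandshake after the handshake JWT is verified) and into a single emitTo(event, payload) wrapper that replaces every io.emit call, which is also where a per-socket event rate limit (P1-11) would sit.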
P2 -- Fix Post-Launch
These gaps involve audit logging and presence tracking. They are important for operational security and compliance but do not represent immediate attack vectors.
| Priority | Gap IDs | Work Required | Estimated Effort |
|---|---|---|---|
| P2-1 | GAP-M001, M002, M003, M004, M005 | Implement append-only audit log collection for all admin actions, payment mutations, dispute resolutions. Include actor, target, action, before/after diff, request ID. | 3-5 days |
| P2-2 | GAP-M006, M007, M008 | Add structured audit logging for role changes, user deletions, manual point grants. | 1 day |
| P2-3 | GAP-M009 | Add audit logging for password changes and account deletions. | 0.5 days |
| P2-4 | GAP-M010 | Audit all global emit events; convert to targeted room emits where possible. | 1 day |
| P2-5 | GAP-S006 | Implement userId-to-socketId mapping. Emit user-status-change offline on disconnect. | 0.5 days |
| P2-6 | GAP-H007 | Add rate limiting on /api/payment/decentralized/* once auth is in place. | 0.5 days |
Section 6: Summary Statistics
REST Endpoint Count
| Route Group | Endpoints |
|---|---|
| Auth | 24 |
| User | 9 |
| User Admin | 13 |
| Address | 5 |
| Purchase Request | 18 |
| Delivery Code | 4 |
| Seller Offer | 10 |
| Request Template | 11 |
| Shop Settings | 3 |
| Category / Seller Directory | 6 |
| Review | 3 |
| Payment (General) | 18 |
| Payment (SHKeeper Pay-in) | 11 |
| Payment (SHKeeper Release/Refund) | 4 |
| Payment (SHKeeper Payout) | 3 |
| Payment (Decentralized) | 8 |
| Marketplace Payment (Legacy) | 5 |
| Chat | 15 |
| Notification | 9 |
| Dispute | 8 |
| AI | 4 |
| Blog | 10 |
| Points | 8 |
| File | 9 |
| Admin Cleanup | 7 |
| System | 2 |
| Total REST Endpoints | 248 |
Socket.IO Event Count
| Category | Events |
|---|---|
| Connection/Handshake | 2 |
| Room Join/Leave | 9 |
| Chat Events | 2 |
| Presence Events | 1 |
| Server-to-Client | 32 |
| Total Socket Events | 46 |
Gap Summary
| Severity | Count | Gap IDs |
|---|---|---|
| CRITICAL (auth missing) | 17 | GAP-C001 through GAP-C017 |
| CRITICAL (ownership missing) | 4 | GAP-C018 through GAP-C021 |
| HIGH (rate limit missing) | 8 | GAP-H001 through GAP-H008 |
| HIGH (state precondition missing) | 3 | GAP-H009 through GAP-H011 |
| MEDIUM (audit log missing) | 10 | GAP-M001 through GAP-M010 |
| Socket.IO specific | 6 | GAP-S001 through GAP-S006 |
| Total Gaps | 48 | |
Priority Distribution
| Priority | Gap Count | Work Estimate |
|---|---|---|
| P0 (blocks launch) | 9 work items covering 24 gaps | ~8-10 days |
| P1 (before launch) | 11 work items covering 11 gaps | ~5-6 days |
| P2 (post-launch) | 6 work items covering 13 gaps | ~7-8 days |
This document was produced on 2026-05-24 as part of the Amanat authorization audit. It must be updated when: new endpoints are added, existing endpoint access levels change, new Socket.IO events are introduced, or the role model is extended. Implementation tasks should reference specific AUTH-R, USER-R, UADM-R, ADDR-R, PR-R, DC-R, OFF-R, TPL-R, SHOP-R, CAT-R, REV-R, PAY-R, SHK-R, REL-R, PO-R, DEC-R, MPAY-R, CHAT-R, NOTIF-R, DIS-R, AI-R, BLOG-R, PTS-R, FILE-R, ADM-R, SYS-R, and SOCK-E IDs from this matrix.