Flow docs updated (11 files):
- Delivery Confirmation: reversed actor roles (buyer generates, seller verifies), fixed endpoint paths (/delivery-code/generate, /delivery-code/verify)
- Passkey (WebAuthn): removed stub/simulated-key claims; real @simplewebauthn/server attestation is implemented; refresh tokens are persisted
- Dispute: corrected resolve schema (action enum), removed non-existent statuses, documented security gaps (no role guards on status/resolve/assign), route shadowing, all socket events are TODO stubs
- Seller Offer: corrected all endpoint paths, removed 'active' status, documented withdraw dead code, missing seller history page, select-offer notification gap
- Notification: corrected mark-all-read method+path, fixed GET /:id broken lookup, added unread-count-update socket event
- Authentication: corrected rate limiter (counts all attempts), axios 403 not handled, deleteAccount wrong endpoint bug, changePassword no UI
- Password Reset: corrected 6-digit code (not 8), documented no-complexity gap on reset-with-code vs token reset
- Payment Flow DePay: /create→/save, removed phantom sub-routes, SIM_ bypass risk, PaymentProvider type gap, getProviderIntentEndpoint routing bug
- Payment Flow SHKeeper: removed phantom polling endpoint, fixed release/refund paths
- Purchase Request: added pending_payment/active statuses, fixed sellers/attachments endpoints, corrected socket events, PUT→PATCH bug
- Escrow: documented dispute resolve does not touch escrow, route shadowing, confirm-delivery auth gap

Issues created (35 files in Issues/):
- 9 security issues (critical) including: dispute privilege escalation ×4, unauthenticated payment/scanner endpoints ×2, SIM_ production bypass, confirm-delivery ownership gap
- 26 additional major/critical bugs covering broken endpoints, missing features, data integrity gaps, and frontend-backend mismatches

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
5.6 KiB
Issues Index
Generated from Doc vs Code Audit — 2026-05-29

35 open issues | 🔴 14 critical · 🟠 19 major · 🟡 2 minor
🔴 Critical
- ISSUE-001-dispute-status-no-role-guard — dispute · security
- ISSUE-002-dispute-resolve-no-role-guard — dispute · security
- ISSUE-003-dispute-route-shadowing — dispute
- ISSUE-004-payment-endpoints-no-auth — payment · security
- ISSUE-005-scanner-status-no-auth — admin · security
- ISSUE-006-delete-account-wrong-endpoint — auth
- ISSUE-007-sim-bypass-no-env-guard — payment · security
- ISSUE-008-chat-file-upload-wrong-endpoint — chat
- ISSUE-010-admin-user-status-wrong-values-and-verb — admin
- ISSUE-016-payment-provider-routing-always-request-network — payment
- ISSUE-018-trezor-no-frontend-implementation — trezor
- ISSUE-020-dispute-assign-no-role-guard — dispute · security
- ISSUE-030-confirm-delivery-no-auth-guard — delivery · security
- ISSUE-035-payment-dispute-verify-button-404 — payment
🟠 Major
- ISSUE-009-archive-chat-wrong-method — chat
- ISSUE-011-update-purchase-request-put-vs-patch — purchase-request
- ISSUE-012-update-offer-put-vs-patch — seller-offer
- ISSUE-013-select-offer-no-status-filter-corrupts-withdrawn — seller-offer · data-integrity
- ISSUE-014-select-offer-no-seller-notifications — seller-offer
- ISSUE-015-seller-offer-withdraw-no-http-route — seller-offer
- ISSUE-017-payment-provider-type-missing-values — payment
- ISSUE-019-rn-payout-release-refund-not-implemented — payment
- ISSUE-021-axios-interceptor-403-not-handled — auth
- ISSUE-022-rate-limit-counts-all-attempts — auth
- ISSUE-023-change-password-no-ui — auth
- ISSUE-024-reset-password-with-code-no-complexity-check — auth · security
- ISSUE-025-dispute-socket-events-all-stubs — dispute
- ISSUE-026-payment-completed-not-counted-in-stats — payment
- ISSUE-027-get-notification-by-id-broken — notification
- ISSUE-028-payment-export-no-admin-guard — payment · security
- ISSUE-029-delivery-attempts-stats-phantom-endpoints — delivery
- ISSUE-031-points-missing-frontend-pages — points
- ISSUE-032-shkeeper-release-refund-wrong-paths — payment
- ISSUE-033-seller-offer-history-route-missing — seller-offer
- ISSUE-034-seller-offer-active-status-invalid — seller-offer
Security Issues Summary
| # | Issue | Severity |
|---|---|---|
| 001 | Dispute status PATCH — no role guard (privilege escalation) | 🔴 Critical |
| 002 | Dispute resolve POST — no role guard (ban_seller without auth) | 🔴 Critical |
| 004 | Payment fetch-tx/auto-fetch/debug — no authentication | 🔴 Critical |
| 005 | Admin scanner status — no authentication | 🔴 Critical |
| 007 | SIM_ bypass active in production | 🔴 Critical |
| 020 | Dispute assign — no role guard | 🔴 Critical |
| 030 | confirm-delivery — no ownership check | 🔴 Critical |
| 024 | reset-password-with-code — no complexity validation | 🟠 Major |
| 028 | Payment export — no admin guard | 🟠 Major |