Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 119 | Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag | low | Security | security, frontend, debug-panel | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag
Severity: low Domain: Security Labels: security, frontend, debug-panel
Description
The debug panel in src/components/debug/telegram-debug-panel.tsx:50 is enabled by a URL parameter or a localStorage flag. Because the check happens at runtime, any production user who discovers the flag can activate the panel, which exposes internal state including email, wallet, userId, and Telegram session data.
Options
- Render the panel only when NODE_ENV !== 'production' (compile-time); this removes the enumeration surface entirely.
- Keep the runtime flag but redact PII fields (email, wallet, userId).
- Remove the component from account pages entirely.
Recommendation
Guard rendering on NODE_ENV !== 'production' so that no URL or localStorage flag can reveal the panel in production builds.
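As an added example (not the project's code; the function, type and flag names are assumptions), the runtime-only gate this issue flags next to the compile-time guard from the recommendation and the PII redaction from the second option:

```typescript
// Added example, not the project's code. Names below are assumptions.
type NodeEnv = 'production' | 'development' | 'test';

// Stand-ins for window.location.search and window.localStorage so this runs outside a browser.
interface RuntimeContext {
  search: string;                    // e.g. "?debug=1"
  storage: Record<string, string>;   // e.g. { debugPanel: "1" }
}

// Runtime-only check: the pattern the issue flags. Whoever learns the flag name
// can enable the panel in every build, production included.
function runtimeFlagEnabled(ctx: RuntimeContext): boolean {
  const params = new URLSearchParams(ctx.search);
  return params.get('debug') === '1' || ctx.storage['debugPanel'] === '1';
}

// Recommendation: gate on NODE_ENV before consulting any runtime flag. In a real
// bundle process.env.NODE_ENV is a compile-time constant, so the production path
// becomes dead code; env is a parameter here only so both paths can be exercised.
function shouldRenderDebugPanel(env: NodeEnv, ctx: RuntimeContext): boolean {
  if (env === 'production') return false;
  return runtimeFlagEnabled(ctx);
}

// Second option: if the runtime flag has to stay, never hand the panel raw PII.
// Only the fields the issue names are masked; other fields pass through.
interface SessionSnapshot {
  email: string;
  wallet: string;
  userId: string;
  telegramLinked: boolean;
}

function redactForDebug(s: SessionSnapshot): SessionSnapshot {
  const mask = (v: string): string =>
    v.length <= 4 ? '****' : `${v.slice(0, 2)}***${v.slice(-2)}`;
  return { ...s, email: mask(s.email), wallet: mask(s.wallet), userId: mask(s.userId) };
}
```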
Affected Files
frontend/src/components/debug/telegram-debug-panel.tsx:50
References
- Full Codebase Audit 2026-05-30 — DEC-7