nick-doc/Issues/ISSUE-119-frontend-telegramdebugpanel-exposed-in-production-via-url-flag.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 119 | Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag | low | Security | security, frontend, debug-panel | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Frontend: TelegramDebugPanel exposed in production via URL/localStorage flag

Severity: low Domain: Security Labels: security, frontend, debug-panel

Description

The panel at src/components/debug/telegram-debug-panel.tsx:50 is enabled by a URL parameter or a localStorage flag. In production, any user who discovers the flag name can activate the debug panel, which exposes internal state including email, wallet, userId, and Telegram session data.

Options

  1. Render the panel only when NODE_ENV !== 'production' (compile-time) — removes the enumeration surface.
  2. Keep runtime flag but redact PII fields (email, wallet, userId).
  3. Remove the component from account pages entirely.

Recommendation

Guard rendering on NODE_ENV !== 'production' so the flag cannot reveal it in prod builds.
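The gating and redaction logic that options 1 and 2 describe, written as an added illustration rather than the project's own component code. The flag name `tgdebug`, the `DebugState` shape and the function names are assumptions; the point is that the build-time `NODE_ENV` check makes the runtime flag irrelevant in production builds, and that redaction is a second layer if the flag must survive.

```typescript
// Added example, not the project's telegram-debug-panel.tsx. Flag name,
// state shape and function names are assumptions for illustration.

type BuildEnv = "development" | "test" | "production";

// Assumed shape of the internal state the panel displays (hypothetical).
interface DebugState {
  email: string;
  wallet: string;
  userId: string;
  telegramSession: string;
  initDataRaw?: string;
}

// The runtime switch as the issue describes it: a URL param or a
// localStorage value that any user who learns the name can set.
export function debugFlagEnabled(search: string, storageValue: string | null): boolean {
  const params = new URLSearchParams(search);
  return params.get("tgdebug") === "1" || storageValue === "1";
}

// Option 1 / recommendation: consult the runtime flag only outside production.
// In a real bundle process.env.NODE_ENV is inlined at build time, so the
// production branch becomes dead code and the panel is not shipped at all.
export function shouldRenderDebugPanel(
  env: BuildEnv,
  search: string,
  storageValue: string | null,
): boolean {
  if (env === "production") return false;
  return debugFlagEnabled(search, storageValue);
}

function maskEmail(email: string): string {
  const at = email.indexOf("@");
  if (at <= 0) return "[redacted]";
  return `${email.charAt(0)}***@${email.slice(at + 1)}`;
}

// Option 2: if a runtime flag has to stay, strip identifying fields before
// anything reaches the DOM. Session material is never shown, even partially.
export function redactDebugState(state: DebugState): DebugState {
  const mask = (v: string): string =>
    v.length <= 4 ? "****" : `${v.slice(0, 2)}...${v.slice(-2)}`;
  return {
    ...state,
    email: maskEmail(state.email),
    wallet: mask(state.wallet),
    userId: mask(state.userId),
    telegramSession: "[redacted]",
    initDataRaw: state.initDataRaw === undefined ? undefined : "[redacted]",
  };
}

// Both layers together: null means "render nothing"; otherwise only the
// redacted view is handed to the panel.
export function debugPanelView(
  env: BuildEnv,
  search: string,
  storageValue: string | null,
  state: DebugState,
): DebugState | null {
  if (!shouldRenderDebugPanel(env, search, storageValue)) return null;
  return redactDebugState(state);
}

// Constructed sample state for a stand-alone run.
const sampleState: DebugState = {
  email: "alice@example.com",
  wallet: "0xABCDEF1234",
  userId: "123456789",
  telegramSession: "sess-token",
};

console.log(debugPanelView("production", "?tgdebug=1", "1", sampleState)); // null
console.log(debugPanelView("development", "?tgdebug=1", null, sampleState));
```

Note that the guard is evaluated before the flag is even read, so in a production build there is nothing for a curious user to enumerate; the redaction path only matters for non-production environments where the panel legitimately renders.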

Affected Files

  • frontend/src/components/debug/telegram-debug-panel.tsx:50

References