- Three-stream audit (security / logic / performance) with 35+ findings
derived from actual source code, each with file:line and remediation
- Audit Index cross-references criticals across streams into prioritized
fix tiers: immediately / before soft launch / before public launch
- Telegram Mini App debug handoff documenting what was implemented and
all remaining work items with exact file lists and test commands
- Updated architecture, data model, auth API, and registration flow docs
to reflect Telegram auth, TON wallet, and email verification additions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
> [!info] Versions
> Versions below are pulled directly from frontend/package.json and backend/package.json on the development branch. Where a ^ range is declared in package.json, the declared minimum is shown — the lockfile may have resolved a newer patch. When in doubt, check yarn.lock in each repo.
Frontend stack
The frontend is a Next.js 16 App Router application written in TypeScript. The build is deliberately heavy on best-in-class libraries rather than home-grown solutions: MUI for components, Wagmi for Web3, React Query / SWR for data, Zod for validation, Sentry for errors. The package is amn-frontend@2.6.5-beta and requires Node >=20.
The backend is amn-backend@2.6.3-beta, an Express 5 server in TypeScript backed by MongoDB (Mongoose), Redis, and Socket.IO. It owns all integrations with SHKeeper, the EVM chains, OpenAI, Google OAuth, and SMTP.
Core runtime & framework
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| Node.js | (per Dockerfile) | Runtime | Dockerfile.prod |
| TypeScript | ^5.8.3 | Strict typing | tsconfig.json |
| express | ^5.2.1 | HTTP framework | backend/src/app.ts |
| body-parser | ^2.2.0 | Body parsing (legacy fallback) | Body middleware |
| helmet | ^8.1.0 | HTTP security headers | app.ts:189 |
| cors | ^2.8.5 | Cross-origin policy | app.ts:194 |
| express-rate-limit | ^8.0.1 | Rate-limit middleware | Active — auth 10/15min, payment 30/15min, AI 20/15min, global 100/15min |
| express-validator | ^7.2.1 | Request validation | Auth, marketplace |
| multer | ^2.0.2 | Multipart file uploads | services/file/ |
| sharp | ^0.34.3 | Image resizing / format conversion | Upload pipeline |
| dotenv | ^17.2.0 | Env var loader | Bootstrap |
| uuid | ^11.1.0 | ID generation | Tokens, ephemeral IDs |
| axios | ^1.11.0 | Outbound HTTP (SHKeeper, blockchain) | Integration calls |
| @babel/runtime | ^7.27.6 | Babel runtime helpers | Compiled output |
> [!warning] React in backend dependencies
> react and react-dom are listed in backend/package.json:86-87. These are vestigial — they slipped in via a tool that shared types and are not used at runtime. Safe to remove during cleanup; see backend/TODO.md.
Database & cache
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| mongoose | ^8.16.4 | MongoDB ODM | backend/src/models/** |
| redis | ^5.6.0 | Cache, locks, rate-limit store | services/redis/, app.ts:362 |
| mongodb-memory-server | ^10.2.0 (dev) | In-memory Mongo for tests | __tests__/ |
Auth, crypto & validation
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| jsonwebtoken | ^9.0.2 | JWT issue + verify | services/auth/ |
| bcrypt | ^6.0.0 | Password hashing (native) | Auth service |
| bcryptjs | ^3.0.2 | Pure-JS fallback for bcrypt | Auth fallback |
| google-auth-library | ^10.3.0 | Google OAuth token verification | googleOAuthService.ts |
| crypto | ^1.0.1 | Node crypto polyfill (legacy package) | Webhook signing |
Realtime, AI, email
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| socket.io | ^4.8.1 | WebSocket server with rooms | app.ts:70-179 |
| openai | ^5.10.1 | OpenAI SDK | services/ai/ |
| nodemailer | ^7.0.5 | SMTP email | services/email/ |
| @types/nodemailer | ^6.4.17 | Types | dev |
Blockchain
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| ethers | ^6.15.0 | EVM client | services/blockchain/ |
| web3 | ^4.16.0 | Alternative EVM client | Legacy paths |
Observability
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| @sentry/node | ^10.22.0 | Error + perf monitoring | config/sentry.ts |
| @sentry/profiling-node | ^10.22.0 | CPU profiling | Sentry init |
Build & test
| Tool | Version | Purpose | Where used |
|---|---|---|---|
| ts-node | ^10.9.2 | TS execution in dev / seeds | npm run dev |
| nodemon | ^3.1.10 | Auto-restart on change | dev:start script |
| jest | ^29.7.0 | Unit / integration tests | __tests__/ |
| ts-jest | ^29.4.0 | TS transform for Jest | jest config |
| supertest | ^7.1.4 | HTTP-level API tests | __tests__/ |
| eslint | ^9.31.0 | Linting | eslint.config.js |
| prettier | ^3.6.2 | Formatting | scripts |
Infrastructure
| Component | Tool / version | Purpose | Notes |
|---|---|---|---|
| Container engine | Docker + Docker Compose | Dev & prod deployment | docker-compose.dev.yml, docker-compose.production.yml in each repo |
| Reverse proxy | Nginx (external) | TLS termination, routing | TRUST_PROXY=true recognised in app.ts:64 |
| Database | MongoDB | Primary store | Connection string via env |
| Cache | Redis | Sessions, locks, ephemeral data | Optional — backend boots without it |
| Object storage | Local disk /uploads | User uploads | UPLOAD_PATH env override |
| Process manager | Docker restart: unless-stopped (typical) | Crash recovery | Per compose file |
| CI/CD | Manual + scripts/auto-version.sh | Semver bumps + tags | npm run release:* |
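Two entries in the tables above interact and are worth checking together: the express-rate-limit tiers (auth 10/15min, payment 30/15min, AI 20/15min, global 100/15min) and the TRUST_PROXY flag behind the external Nginx. The block below is an added stand-alone model of that interaction, not the project's app.ts and not the express-rate-limit package; the RequestLike shape, the FixedWindowLimiter class and the tier names are assumptions made for this example.

```typescript
// Added example: an in-memory model of the four rate-limit tiers listed in the
// Core runtime table, plus the client-key derivation that TRUST_PROXY controls.
// Illustrative code only; the real app uses express-rate-limit with a Redis store.

type Tier = "auth" | "payment" | "ai" | "global";

// Limits from the table: requests per 15-minute window.
const WINDOW_MS = 15 * 60 * 1000;
const LIMITS: Record<Tier, number> = { auth: 10, payment: 30, ai: 20, global: 100 };

// Minimal request shape assumed for the example (stands in for express.Request).
interface RequestLike {
  socketAddress: string; // peer IP as seen by Node
  headers: Record<string, string | undefined>;
}

// Behind Nginx every request reaches Node from the proxy's address. With
// TRUST_PROXY unset, all clients share one bucket and the global 100/15min is
// burned by traffic as a whole. With it set but no proxy in front, a client
// chooses its own bucket by sending X-Forwarded-For, so the flag must match
// the actual deployment.
function clientKey(req: RequestLike, trustProxy: boolean): string {
  if (!trustProxy) return req.socketAddress;
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return req.socketAddress;
  // Left-most entry is the original client; later entries are hops the proxy
  // appended. Honoured only because the proxy is trusted to set the header.
  const first = (xff.split(",")[0] ?? "").trim();
  return first.length > 0 ? first : req.socketAddress;
}

class FixedWindowLimiter {
  private hits = new Map<string, { count: number; resetAt: number }>();

  // True when the request is allowed; false once the tier's limit for this
  // client is exhausted within the current window. `now` is injectable so the
  // window rollover can be exercised deterministically.
  allow(tier: Tier, key: string, now: number = Date.now()): boolean {
    const bucket = `${tier}:${key}`;
    const entry = this.hits.get(bucket);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(bucket, { count: 1, resetAt: now + WINDOW_MS });
      return true;
    }
    if (entry.count >= LIMITS[tier]) return false;
    entry.count += 1;
    return true;
  }
}
```

Tiers are keyed separately, so exhausting the auth bucket for a client does not touch its global bucket; whether that is the intended semantics for the stacked limiters in app.ts is a question to confirm against the middleware order there.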
External services
| Service | Purpose | Touchpoint in code |
|---|---|---|
| SHKeeper | Self-hosted crypto payment processor — issues wallets, watches for incoming USDT, pays out | |
> [!tip] How to upgrade
> Always upgrade frontend and backend together when they share a wire protocol — chat events, Socket.IO room schemas, and the Payment model are the three areas most sensitive to drift. After bumping a major version, run both yarn typecheck and the full test suites (yarn test in backend, yarn test and yarn test:e2e in frontend) before tagging a release.