chore: organize docs — move 37 files from root into docs/ subfolders

Root now contains only essential files:
  README.md, CLAUDE.md, CHANGELOG.md, CONTRIBUTING.md

Reorganized into:
  docs/audits/       — all audit reports & checklists (71 files)
  docs/architecture/  — codebase overview, implementation plan
  docs/guides/        — auth guide, implementation checklist
  docs/load-testing/  — k6 load test guides & endpoints
  docs/security/      — payment & security reviews

Also removed 5 untracked debug/investigation files and
cleaned up playwright-report/ & test-results/ artifacts.

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

docs/security/PAYMENT_REVIEW_EXECUTIVE_SUMMARY.txt

@@ -0,0 +1,289 @@
+================================================================================
+GOODGO PLATFORM - PAYMENT MODULE SECURITY REVIEW
+Executive Summary
+================================================================================
+
+Generated: April 13, 2026
+Scope: Order & Escrow Entities Security Review
+Module Path: apps/api/src/modules/payments/
+
+================================================================================
+FILES ANALYZED: 102 FILES TOTAL
+================================================================================
+
+DOMAIN LAYER:
+  - 3 Core entities (Order, Escrow, Payment)
+  - 2 Value objects (Money, PlatformFee)
+  - 3 Repository interfaces
+  - 10 Domain events
+  
+INFRASTRUCTURE LAYER:
+  - 3 Repository implementations (Prisma)
+  - 3 Payment gateway services (VNPay, MoMo, ZaloPay)
+  - 1 Gateway factory
+  
+APPLICATION LAYER:
+  - 10 Command handlers (create-order, cancel-order, hold-escrow, release-escrow, 
+    create-payment, refund-payment, handle-callback, etc.)
+  - 3 Query handlers (get-order-status, get-payment-status, list-transactions)
+  
+PRESENTATION LAYER:
+  - 2 Controllers (Orders, Payments)
+  - 5 DTOs (Data transfer objects)
+  
+TEST FILES:
+  - 15 Test suites covering domain, application, and infrastructure layers
+
+================================================================================
+CRITICAL SECURITY FINDINGS
+================================================================================
+
+🔴 CRITICAL ISSUES FOUND:
+
+1. ❌ NO DISTRIBUTED LOCKING FOR ESCROW OPERATIONS
+   File: application/commands/hold-escrow/hold-escrow.handler.ts
+   File: application/commands/release-escrow/release-escrow.handler.ts
+   Risk: RACE CONDITION - Concurrent requests can cause escrow state corruption
+   Impact: HIGH - Financial inconsistency, duplicate fund holds/releases
+   Fix Required: Implement Redis distributed lock before production
+
+2. ⚠️ POTENTIAL RACE CONDITION IN ORDER/ESCROW ATOMIC UPDATES
+   Files: CreateOrderHandler, HoldEscrowHandler, ReleaseEscrowHandler
+   Risk: Order + Escrow updated in separate sequential DB calls
+   Impact: MEDIUM - Could result in desynchronized state between entities
+   Fix Required: Implement database transaction or verify atomicity
+
+🟠 HIGH SECURITY ISSUES:
+
+3. ✅ Callback signature verification - STRONG
+   - All 3 payment providers use crypto.timingSafeEqual() for constant-time comparison
+   - HMAC validation: VNPay (SHA512), MoMo/ZaloPay (SHA256)
+   - No known timing attack vulnerabilities
+
+4. ✅ Payment callback idempotency - GOOD
+   - updateIfStatus() uses conditional WHERE clause (atomic update)
+   - Already-processed callbacks handled correctly
+   - Prevents duplicate charge issues
+
+5. ⚠️ Refund authorization - PARTIAL
+   - Only ADMIN role check implemented
+   - Missing: business logic validation (refund window, max amount)
+   - Missing: refund tracking for partial refunds
+
+6. ✅ Rate limiting on callbacks - GOOD
+   - @Throttle: 20 req/60s
+   - @EndpointRateLimit: 100 req/60s
+   - Protects against callback flooding
+
+🟡 MEDIUM SECURITY ISSUES:
+
+7. ⚠️ Secrets management - NOT VERIFIED
+   - All secrets loaded from ConfigService (good)
+   - No evidence of hardcoded values (good)
+   - NOT VERIFIED: env encryption at rest, secret rotation
+
+8. ⚠️ Database constraints - NOT VERIFIED
+   - Idempotency unique constraint (NOT VERIFIED)
+   - Foreign key cascades (NOT VERIFIED)
+   - CHECK constraints on status enums (NOT VERIFIED)
+
+9. ⚠️ Error message information disclosure - NOT VERIFIED
+   - No stack traces exposed to clients (assumed)
+   - Generic error responses used (assumed)
+   - NOT VERIFIED: no payment secrets in logs
+
+================================================================================
+SECURITY STRENGTHS
+================================================================================
+
+✅ STRONG SECURITY MEASURES IN PLACE:
+
+1. Callback Signature Verification
+   - All 3 providers implement proper HMAC validation
+   - Uses constant-time comparison (crypto.timingSafeEqual)
+   - No replay attack vulnerabilities detected
+
+2. Idempotency Protection
+   - Orders check idempotencyKey before creation
+   - Payments check idempotencyKey before creation
+   - Prevents duplicate transactions
+
+3. Authorization & Access Control
+   - JwtAuthGuard on all user endpoints
+   - RolesGuard for admin operations (hold/release escrow, refunds)
+   - Ownership verification in queries
+
+4. Financial Amount Validation
+   - Money VO validates: 0 < amount ≤ 999,999,999,999 VND
+   - Platform fee calculation: 5% (validated)
+   - Seller payout: amount - fee (no negative payouts possible)
+
+5. State Machine Validation
+   - Order state transitions validated: VALID_TRANSITIONS whitelist
+   - Escrow state transitions validated: explicit state checks
+   - Invalid transitions rejected with DomainException
+
+6. Rate Limiting
+   - Callback endpoint protected with dual rate limiters
+   - IP-based rate limiting strategy
+   - Admin bypass disabled for security
+
+7. Event-Driven Architecture
+   - Domain events for critical state changes
+   - Events consumed by event bus for side effects
+   - Provides audit trail of operations
+
+================================================================================
+FILES REQUIRING IMMEDIATE REVIEW
+================================================================================
+
+HIGHEST PRIORITY - Security Critical:
+
+[1] infrastructure/services/vnpay.service.ts (87 lines)
+    → Verify HMAC-SHA512 signature verification (lines 72-105)
+    → Test callback replay attack scenarios
+
+[2] infrastructure/services/momo.service.ts (103 lines)
+    → Verify HMAC-SHA256 signature verification (lines 102-147)
+    → Confirm parameter order matches MoMo spec
+
+[3] infrastructure/services/zalopay.service.ts (105 lines)
+    → Verify HMAC-SHA256 with key2 for callback verification
+    → Test JSON parsing error handling (lines 116-129)
+
+[4] application/commands/handle-callback/handle-callback.handler.ts (110+ lines)
+    → CRITICAL: Verify updateIfStatus() atomicity (lines 48-55)
+    → Test concurrent callback handling
+
+[5] application/commands/hold-escrow/hold-escrow.handler.ts (67 lines)
+    → ADD: Redis distributed lock for concurrent request handling
+    → Test: concurrent hold operations
+
+[6] application/commands/release-escrow/release-escrow.handler.ts (72 lines)
+    → ADD: Redis distributed lock for concurrent request handling
+    → Test: concurrent release operations
+
+HIGH PRIORITY - Important Security:
+
+[7] domain/entities/order.entity.ts (166 lines)
+    → Verify state machine transitions are complete (lines 22-32)
+
+[8] domain/entities/escrow.entity.ts (150 lines)
+    → Verify hold/release/dispute transitions are correct
+
+[9] infrastructure/repositories/prisma-payment.repository.ts (128 lines)
+    → Verify updateIfStatus() implementation (lines 84-109)
+
+[10] presentation/controllers/payments.controller.ts (140 lines)
+     → Verify rate limiting decorators (lines 75-77)
+     → Test callback endpoint security
+
+================================================================================
+RECOMMENDED IMMEDIATE ACTIONS
+================================================================================
+
+CRITICAL (Before Production):
+
+1. Implement Redis distributed lock for escrow operations
+   Affected Files: hold-escrow.handler.ts, release-escrow.handler.ts
+   Estimated Time: 2-3 hours
+   
+2. Add integration tests for race condition scenarios
+   Test Cases:
+   - Double callback for same payment
+   - Concurrent hold operations
+   - Hold + release concurrent calls
+   Estimated Time: 4-6 hours
+
+3. Verify Prisma schema constraints
+   Check:
+   - Unique constraint on (userId, idempotencyKey)
+   - NOT NULL on critical fields
+   - CHECK constraints on status enums
+   Estimated Time: 1-2 hours
+
+4. Security code review of callback handlers
+   Focus on:
+   - Signature verification implementation
+   - Atomic update logic
+   - Error handling
+   Estimated Time: 2-4 hours
+
+HIGH (Before First Deployment):
+
+5. Audit error messages for information disclosure
+6. Verify secrets management (env vars, rotation)
+7. Implement comprehensive security tests
+8. Document webhook behavior and retry logic
+
+================================================================================
+QUICK FILE REFERENCE - ALL FILES TO REVIEW
+================================================================================
+
+FILE LISTING (102 total files in payments module):
+
+DOMAIN LAYER (18 files):
+  - order.entity.ts, escrow.entity.ts, payment.entity.ts
+  - money.vo.ts, platform-fee.vo.ts
+  - order.repository.ts, escrow.repository.ts, payment.repository.ts
+  - order-created.event.ts, order-paid.event.ts, order-cancelled.event.ts
+  - escrow-held.event.ts, escrow-released.event.ts, escrow-disputed.event.ts
+  - payment-created.event.ts, payment-completed.event.ts, payment-failed.event.ts
+  - payment-refunded.event.ts
+  - [6 test files]
+
+INFRASTRUCTURE LAYER (19 files):
+  - prisma-order.repository.ts, prisma-escrow.repository.ts, prisma-payment.repository.ts
+  - vnpay.service.ts, momo.service.ts, zalopay.service.ts
+  - payment-gateway.interface.ts, payment-gateway.factory.ts
+  - [4 test files]
+
+APPLICATION LAYER (35+ files):
+  - create-order.command/handler, cancel-order.command/handler
+  - hold-escrow.command/handler, release-escrow.command/handler
+  - create-payment.command/handler, refund-payment.command/handler
+  - handle-callback.command/handler
+  - get-order-status.query/handler, get-payment-status.query/handler
+  - list-transactions.query/handler
+  - [6 test files]
+
+PRESENTATION LAYER (15+ files):
+  - orders.controller.ts, payments.controller.ts
+  - create-order.dto.ts, cancel-order.dto.ts
+  - create-payment.dto.ts, refund-payment.dto.ts, list-transactions.dto.ts
+
+MODULE FILES (5 files):
+  - payments.module.ts, index.ts
+
+Full detailed file listing with descriptions available in:
+  → PAYMENT_MODULE_SECURITY_REVIEW.md
+
+================================================================================
+NEXT STEPS
+================================================================================
+
+1. Review this executive summary with security team
+2. Create tasks for CRITICAL items (Redis locking, constraint verification)
+3. Schedule detailed code review sessions
+4. Set up test environment for attack scenario testing
+5. Document findings in security audit report
+
+================================================================================
+REVIEW DOCUMENTS CREATED
+================================================================================
+
+1. PAYMENT_MODULE_SECURITY_REVIEW.md
+   → Complete file inventory with detailed descriptions
+   → 102 files catalogued by layer and functionality
+   
+2. PAYMENT_SECURITY_CHECKLIST.md
+   → Detailed security checklist (15 major items)
+   → Attack scenarios and test cases
+   → Recommended actions (Critical, High, Medium, Nice-to-have)
+
+3. PAYMENT_REVIEW_EXECUTIVE_SUMMARY.txt (this file)
+   → Quick reference for stakeholders
+   → Critical findings highlighted
+   → Immediate action items
+
+================================================================================