# GoodGo POS System — Audit Fix Plan

**Date:** 2026-03-23
**Owner:** CEO Agent
**Source:** 14 agent audit reports (94 total findings)
**Status:** Active

---

## Summary

| Category | Critical | High | Medium | Low | Total |
|---|:---:|:---:|:---:|:---:|:---:|
| Security | 5 | 10 | 5 | 1 | **21** |
| Backend | 4 | 5 | 3 | 0 | **12** |
| Frontend | 5 | 9 | 5 | 4 | **23** |
| DevOps | 4 | 12 | 5 | 0 | **21** |
| Testing | 4 | 7 | 3 | 1 | **15** |
| Documentation | 0 | 2 | 0 | 0 | **2** |
| **Total** | **22** | **45** | **21** | **6** | **94** |

---

## Wave 1 — P0 Blockers (Target: 24-48h)

### Security Blockers (assign: Security Engineer)

| ID | Finding | File | Fix |
|---|---|---|---|
| SEC-C-01 | DB credentials hardcoded in git (19 services) | All `appsettings.json` | Replace with env vars, add to `.gitignore` |
| SEC-C-02 | JWT token in MCP server `.env` committed | `services/goodgo-mcp-server/.env` | Revoke, remove from git, purge history |
| SEC-C-03 | `AddDeveloperSigningCredential()` in all envs | `iam-service-net/.../DependencyInjection.cs:142` | Wrap in `if (env.IsDevelopment())` |
| SEC-C-04 | Debug endpoints `[AllowAnonymous]` — privilege escalation | `merchant-service-net/.../StaffController.cs:249-390` | Delete or restrict to dev + SuperAdmin |
| SEC-C-05 | SQL injection via string interpolation | `merchant-service-net/.../StaffController.cs:307,367` | Use parameterized queries |

### DevOps Blockers (assign: DevOps Engineer)

| ID | Finding | File | Fix |
|---|---|---|---|
| DEVOPS-C-01 | K8s `:latest` image tag in production | All `production/kubernetes/*.yaml` | Use `IMAGE_TAG` placeholder + SHA |
| DEVOPS-C-02 | Alertmanager not configured — alerts silent | `prometheus/prometheus.yml:29` | Configure Alertmanager + receivers |
| DEVOPS-C-03 | CI pushes `:latest` to Docker Hub | `.github/workflows/docker-build.yml:99-103` | Remove `:latest`, use SHA only |
| DEVOPS-C-04 | 4 `mkt-*` services port 5000 conflict | `docker-compose.yml` | Assign ports 5021-5024 |
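The parameterized-query fix required by SEC-C-05 (and by BACK-W-02 for the TenantMiddleware instances), shown as an added illustration rather than code from the GoodGo repository; the repository class, table and column names are assumed, and the explicit `commandTimeout` on the corrected query also addresses BACK-W-03:

```csharp
using System;
using System.Data;
using System.Threading;
using System.Threading.Tasks;
using Dapper;

// Hypothetical DTO and repository standing in for the StaffController data access.
// The "staff" table and its columns are assumed for the illustration.
public sealed record StaffDto(Guid Id, string Email, string Role);

public sealed class StaffRepository
{
    private readonly IDbConnection _db;
    private const int QueryTimeoutSeconds = 30; // BACK-W-03: no query without an explicit timeout

    public StaffRepository(IDbConnection db) => _db = db;

    // BEFORE (the pattern flagged by SEC-C-05 / BACK-W-02): request-controlled values are
    // spliced into the SQL text, so the caller shapes the statement, not just its data.
    public Task<StaffDto?> FindUnsafeAsync(Guid shopId, string email)
    {
        var sql = $"SELECT id, email, role FROM staff WHERE shop_id = '{shopId}' AND email = '{email}'";
        return _db.QuerySingleOrDefaultAsync<StaffDto>(sql);
    }

    // AFTER: the SQL text is a compile-time constant; shopId and email travel as typed
    // parameters that the driver binds as values, never as SQL. The CommandDefinition
    // carries the timeout and cancellation token so every call site gets both.
    public Task<StaffDto?> FindAsync(Guid shopId, string email, CancellationToken ct = default)
    {
        const string sql =
            "SELECT id, email, role FROM staff WHERE shop_id = @ShopId AND email = @Email";

        var command = new CommandDefinition(
            sql,
            new { ShopId = shopId, Email = email },
            commandTimeout: QueryTimeoutSeconds,
            cancellationToken: ct);

        return _db.QuerySingleOrDefaultAsync<StaffDto>(command);
    }
}
```

A quick way to confirm the fix landed across all flagged files is to search the services for `$"` adjacent to `SELECT`, `UPDATE` or `DELETE` and for `.Query` calls whose SQL argument is not a constant.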
---

## Wave 2 — P1 Urgent (Target: 1 week)

### Security High (assign: Security Engineer)

| ID | Finding | Fix |
|---|---|---|
| SEC-W-02 | No Content-Security-Policy header | Add CSP to Traefik `middlewares.yml` |
| SEC-W-03 | CORS `allowCredentials: true` with dev origins | Separate per-env CORS config |
| SEC-W-04 | `sslRedirect: false` in shared config | Set `true` in staging/prod |
| SEC-W-05 | `Jwt__RequireHttpsMetadata=false` in docker-compose | Verify K8s ConfigMaps don't have this |
| SEC-W-14 | BFF CORS wildcard `AllowAnyOrigin()` | Whitelist specific origins |
| SEC-W-15 | JWT validation skipped in dev (4 services) | Always validate signatures |

### Backend Critical (assign: Senior Backend Engineer)

| ID | Finding | Fix |
|---|---|---|
| BACK-C-01 | `AllowAnyOrigin()` on all 26 services | Restrict origins in production |
| BACK-C-02 | Idempotency missing in 23/26 services | Implement `IRequestManager` (wallet, booking first) |
| BACK-C-03 | Error response format inconsistent | Standardize to `{ success, error: { code, message } }` |
| BACK-C-04 | ProblemDetails mapping incomplete in template | Update template with full exception mapping |
| BACK-W-02 | TenantMiddleware SQL string interpolation | Parameterized queries in 5 services |

### Frontend Critical (assign: Senior Frontend Engineer)

| ID | Finding | Fix |
|---|---|---|
| SEC-W-11 | Client secret in WASM (extractable) | Move to BFF server-side |
| SEC-W-12 | Password grant deprecated | Migrate to PKCE flow |
| SEC-W-01 | JWT in localStorage (XSS risk) | Migrate to httpOnly cookies via BFF |
| FRONT-C-04 | No route guards for auth pages | Add `[Authorize]` + `AuthorizeView` |
| FRONT-C-05 | shopId not validated against permissions | Backend verification call |
| FRONT-W-01 | Token refresh not implemented | Add background refresh timer |
| FRONT-W-02 | Global HttpClient header mutation (race) | Per-request headers via `DelegatingHandler` |
| SEC-W-13 | No CDN SRI for Lucide icons | Add SRI hash, pin version |

### DevOps High (assign: DevOps Engineer)

| ID | Finding | Fix |
|---|---|---|
| DEVOPS-W-02 | 15+ services missing CI/CD pipelines | Generate CI workflows from template |
| DEVOPS-W-03 | `pr-checks.yml` no .NET build/test | Add matrix build for .NET |
| DEVOPS-W-10 | `RequireHttpsMetadata=false` in staging K8s | Set `true` in staging/prod |
| DEVOPS-W-11 | booking-service missing K8s manifest | Create staging manifest |
| DEVOPS-W-12 | 13 Traefik routes missing | Add routes for all missing services |

### Testing Critical (assign: QA Engineer)

| ID | Finding | Fix |
|---|---|---|
| TEST-C-01 | Only 1/26 services has CI test pipeline | Generate CI for 25 services |
| TEST-C-02 | MCP server zero tests | Add Vitest test suite |
| TEST-C-03 | No coverage thresholds enforced | Add `.runsettings` with 80% threshold |

---

## Wave 3 — P2 High (Target: 2 weeks)

### Architecture (assign: Architect)

| ID | Finding | Fix |
|---|---|---|
| FRONT-I-01 | No shared UI component package | Extract shared Razor Class Library |
| FRONT-I-02 | ARIA/accessibility gaps | Add ARIA attributes to all components |
| FRONT-I-03 | No design-to-code token sync | Style Dictionary pipeline |
| FRONT-I-04 | `eval()` in OtpInput | Create JS module for focus |

### Backend Architecture (assign: Senior Backend Engineer)

| ID | Finding | Fix |
|---|---|---|
| BACK-I-01 | No OpenAPI specs in repo | Add `dotnet swagger tofile` to CI |
| BACK-I-02 | Missing Prometheus `/metrics` | Add OpenTelemetry + Prometheus exporter |
| BACK-W-01 | HttpContextAccessor in handlers | Inject contextual data from Controller |
| BACK-W-03 | Dapper no `commandTimeout` | Set explicit timeout on all queries |

### Frontend Improvements (assign: Senior Frontend Engineer)

| ID | Finding | Fix |
|---|---|---|
| FRONT-W-03 | ~20% POS pages incomplete backend integration | Implement 21 missing API integrations |
| FRONT-W-04 | Fragile multi-format deserialization | Standardize API response envelope |
| FRONT-W-06 | MudBlazor providers duplicated | Move to `App.razor` once |
| FRONT-W-07 | localStorage logic duplicated 5 files | Extract `LocalStorageService` |

### DevOps Improvements (assign: DevOps Engineer)

| ID | Finding | Fix |
|---|---|---|
| DEVOPS-W-01 | redis-exporter missing from compose | Add or remove scrape job |
| DEVOPS-W-04 | Redis single instance (SPOF) | Redis Sentinel or Cluster |
| DEVOPS-W-05 | No K8s NetworkPolicy | Add default-deny + whitelist |
| DEVOPS-M-01 | No image vulnerability scanning | Add Trivy to CI |

### Testing Improvements (assign: QA Engineer)

| ID | Finding | Fix |
|---|---|---|
| TEST-C-04 | No contract testing | Implement Pact.io for top 5 boundaries |
| TEST-W-01 | Shared packages zero tests | Add unit tests for 6 packages |
| TEST-W-04 | No performance/load testing | Add k6 load tests |
| TEST-W-05 | No frontend component tests | Add unit tests for key components |

### Documentation (assign: Technical Writer)

| ID | Finding | Fix |
|---|---|---|
| DOC-W-01 | Test credentials in ROADMAP.md | Remove credentials |
| DOC-W-02 | No ADR for Marketing dual-theme | Create ADR |

---

## Wave 4 — P3 Medium (Target: 1 month)

Lower priority items — tracked but deferred:

- FRONT-W-05: Lucide re-init on every render
- FRONT-W-08: Incomplete vi-VN translations
- FRONT-W-09: No IFormatProvider in JsonStringLocalizer
- FRONT-W-10: Event handler leak (no IAsyncDisposable)
- FRONT-W-11: Hardcoded Vietnamese in AuthInput
- FRONT-I-05 through FRONT-I-09: Component library expansion
- BACK-I-03: Outbox pattern (5d effort)
- BACK-I-04: Saga pattern (5d effort)
- DEVOPS-I-01 through DEVOPS-I-04: GitOps, PDB, Secrets Manager
- SEC-W-06 through SEC-W-10: Medium security items

---

## Agent Assignment Matrix

| Agent | Wave 1 | Wave 2 | Wave 3 | Total Items |
|---|:---:|:---:|:---:|:---:|
| **Security Engineer** | 5 | 6 | 0 | **11** |
| **Senior Backend Engineer** | 0 | 5 | 4 | **9** |
| **Senior Frontend Engineer** | 0 | 8 | 4 | **12** |
| **DevOps Engineer** | 4 | 5 | 4 | **13** |
| **QA Engineer** | 0 | 3 | 4 | **7** |
| **Architect** | 0 | 0 | 4 | **4** |
| **Technical Writer** | 0 | 0 | 2 | **2** |
| **CTO** | — | — | — | Review all |

---

## QA Verification Plan

After each wave completes:

1. Docker Compose rebuild: `docker-compose down && docker-compose up --build -d`
2. Health check all services: `curl http://localhost:{port}/health/live`
3. Run E2E tests: verify 38/41+ pass rate maintained
4. Security scan: verify hardcoded credentials removed
5. K8s dry-run: `kubectl apply --dry-run=server -f deployments/staging/kubernetes/`

---

## Success Criteria

- **Wave 1**: All 9 P0 blockers resolved, zero hardcoded credentials in git
- **Wave 2**: All 22 P1 items resolved, CI pipelines for all services
- **Wave 3**: Architecture improvements in place, test coverage >50%
- **Overall**: Project health score from 6.5/10 to 8.5/10