# CTO Fix Tracker — Post-Audit Action Plan

> Generated: 2026-03-13 | Source: Per-service code audit (24 SERVICE_DOCS.md)
> Status: ALL WAVES COMPLETE ✅

---

## Executive Summary

The audit of 24 microservices found **6 classes of cross-cutting problems** and **many service-specific bugs**. Priority is by impact: Security > Runtime Bugs > Code Quality > Tech Debt.

---

## P0 — CRITICAL (Security & Runtime Failures)

### P0-1: Missing Authentication/Authorization

**Impact**: Every endpoint is public; anyone can call the API.
**Affected**: 18/24 services (only IAM + merchant have complete auth)

| Service | Status | Fix |
|---------|--------|-----|
| catalog-service-net | No [Authorize] | Add auth middleware + attributes |
| order-service-net | No [Authorize] | Add auth middleware + attributes |
| booking-service-net | Public endpoints (only admin has auth) | Add [Authorize] to public controllers |
| fnb-engine-net | No [Authorize] | Add auth middleware + attributes |
| inventory-service-net | No [Authorize] | Add auth middleware + attributes |
| social-service-net | No JWT middleware in pipeline | Add UseAuthentication/UseAuthorization |
| mining-service-net | No [Authorize] | Add auth middleware + attributes |
| chat-service-net | Has [Authorize] ✅ | OK |
| membership-service-net | No [Authorize] | Add auth middleware + attributes |
| wallet-service-net | Has [Authorize] ✅ | OK |
| storage-service-net | Has [Authorize] ✅ | OK |
| ads-manager-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-serving-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-billing-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-tracking-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-analytics-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| promotion-service-net | No [Authorize] | Add auth middleware + attributes |
| mission-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-facebook-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| mkt-whatsapp-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-x-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-zalo-service-net | No [Authorize] | Add auth middleware + attributes |

Pipeline order matters for every row above: `app.UseAuthentication()` must run before `app.UseAuthorization()`, and an `[Authorize]` attribute does nothing unless both are in the pipeline, which is why "No JWT middleware in pipeline" is as open as "No [Authorize]".

### P0-2: Template Artifacts (Runtime Failures)

**Impact**: Services connect to the wrong database or fail to build the Docker image.

| Service | Issue | Fix |
|---------|-------|-----|
| mission-service-net | DB name `myservice_db` instead of `mission_service` | Fix appsettings connection string |
| mkt-facebook-service-net | Dockerfile references `MyService.API` | Rename to FacebookService.API |
| mkt-whatsapp-service-net | DbContext file named `MyServiceContext.cs`, DB `myservice_db` | Rename file + fix connection string |
| promotion-service-net | docker-compose uses template naming | Fix service naming |

### P0-3: Critical Handler Bugs

| Service | Bug | Impact |
|---------|-----|--------|
| ads-tracking-service-net | `TrackPixelEventCommandHandler` creates a PixelEvent but NEVER persists it | All tracking data lost |
| ads-tracking-service-net | `RecordConversionCommand` has a handler but NO controller exposes it | Dead code |
| booking-service-net | `UpdateResourceCommand` accepts Name/Capacity but only applies IsActive | Silent data loss |
| ads-manager-service-net | `ListPendingAdsQuery` filters on "Pending" but the enum value is "pending_review" | Always returns empty |
| mining-service-net | `BanMinerCommand` calls Suspend() instead of Ban(); `ResetMinerStreakCommand` is a no-op | Admin actions broken |
| order-service-net | Dapper queries reference DB columns that do not exist | Runtime SQL errors |
| mkt-x-service-net | Only ISampleRepository is registered in DI; 8 other repositories are not | Runtime DI failures |

---

## P1 — HIGH (Data Integrity & Correctness)

### P1-1: Missing FluentValidation Validators

**Impact**: Invalid data enters the system without validation.

| Service | Commands without validators |
|---------|---------------------------|
| ads-manager-service-net | ALL 10 commands |
| ads-serving-service-net | ALL queries (no commands exist) |
| ads-billing-service-net | ALL 3 commands |
| ads-tracking-service-net | 2/3 commands |
| ads-analytics-service-net | ALL commands |
| mining-service-net | ALL commands |
| mission-service-net | ALL 4 commands |
| promotion-service-net | ALL 12 commands |
| social-service-net | ALL 8 commands |

### P1-2: Missing Command/Query Handlers

| Service | Missing Handler |
|---------|----------------|
| promotion-service-net | ExchangeVoucherCommand, PurchaseVoucherCommand (no handlers) |
| promotion-service-net | SearchVouchersQuery, GetCampaignStatisticsQuery, GetCampaignVouchersQuery (no handlers) |
| mission-service-net | GetUserMissionProgressQuery (no handler) |
| mkt-facebook-service-net | GetConversationsQuery, GetCustomersQuery (no handlers) |
| mkt-whatsapp-service-net | GetConversationsQuery (no handler; controller queries the repository directly) |
| ads-manager-service-net | Audience query handlers missing |

### P1-3: Repository Pattern Violations

| Service | Issue |
|---------|-------|
| catalog-service-net | Category handlers use DbContext directly, bypassing the repository |
| booking-service-net | 3 repository interfaces live in Infrastructure instead of Domain |
| ads-billing-service-net | No repository pattern at all; direct DbContext |
| ads-analytics-service-net | No repository pattern |
| ads-serving-service-net | No repository pattern |

---

## P2 — MEDIUM (Code Quality & Conventions)

### P2-1: Response Format Inconsistency

Standard: `{ success: bool, data: T }` — many services return raw DTOs.

| Service | Issue |
|---------|-------|
| chat-service-net | Returns raw DTOs |
| membership-service-net | Mixed (Members raw, StampCards wrapped) |
| social-service-net | Returns raw DTOs |
| ads-* services | Return raw DTOs |
| booking-service-net | Returns raw DTOs |

### P2-2: Domain Events Defined but No Handlers

| Service | Unused Events |
|---------|--------------|
| membership-service-net | MembershipLevelChangedDomainEvent (never raised) |
| social-service-net | UserUnblockedDomainEvent (never raised) |
| ads-manager-service-net | All events dispatched but no handlers |
| promotion-service-net | VoucherRedeemedDomainEvent (never consumed) |
| booking-service-net | Events defined but unused |

### P2-3: Missing EF Migrations

| Service | Issue |
|---------|-------|
| mkt-facebook-service-net | No migrations exist |
| ads-billing-service-net | Spurious `InvoiceId1` FK column |
| ads-analytics-service-net | ClientRequest table missing from migration |

### P2-4: Unused Dependencies (Tech Debt)

Redis, Dapper, Polly registered but unused in: booking, social, mining, mission, promotion, ads-* services.

---

## Fix Execution Plan

### Wave 1 — P0 Security + Template (Parallel Agents)

- Agent 1: Fix auth for core services (catalog, order, booking, fnb-engine, inventory)
- Agent 2: Fix auth for social services (social, mining, membership, mission)
- Agent 3: Fix auth for ads services (ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics)
- Agent 4: Fix auth for mkt services (mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion)
- Agent 5: Fix template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion)
- Agent 6: Fix critical handler bugs (ads-tracking, booking, ads-manager, mining, mkt-x)

### Wave 2 — P1 Validators + Missing Handlers

- Agents 7-12: Add FluentValidation per service group
- Agents 13-15: Implement missing handlers

### Wave 3 — P2 Code Quality

- Response format standardization
- Migration fixes
- Cleanup of unused dependencies

---

## Progress Tracking

| Wave | Task | Status | Commit |
|------|------|--------|--------|
| 1 | Auth: core services (catalog, order, booking, fnb, inventory) | ✅ DONE | f8606e0 |
| 1 | Auth: social services (social, mining, membership, mission) | ✅ DONE | f8606e0 |
| 1 | Auth: ads services (5 services) | ✅ DONE | f8606e0 |
| 1 | Auth: mkt services + promotion | ✅ DONE | f8606e0 |
| 1 | Template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion) | ✅ DONE | f8606e0 |
| 1 | Critical handler bugs (7 bugs across 5 services) | ✅ DONE | f8606e0 |
| 2 | Validators: ads services (16 validators) | ✅ DONE | 59b2cec |
| 2 | Validators: social+mining+mission+promotion (41 validators) | ✅ DONE | 59b2cec |
| 2 | Missing handlers (10 handlers across 4 services) | ✅ DONE | 59b2cec |
| 3 | Response format standardization (30 controllers, 8 services) | ✅ DONE | efabe49 |
| 3 | Migration fixes (InvoiceId1 FK, idempotency cleanup) | ✅ DONE | efabe49 |
| 3 | Cleanup unused dependencies (no DI registrations found) | ✅ N/A | — |
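The P0-1 fix ("Add auth middleware + attributes" / "Add UseAuthentication/UseAuthorization") in the shape a reviewer would want to see it in a `*-service-net` Program.cs. This is an added example, not code from any of the audited services or from commit f8606e0; it assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, the Web SDK's implicit usings, hypothetical `Jwt:Authority` / `Jwt:Audience` settings pointing at the IAM issuer, and an `admin` role claim. The important addition over a bare `[Authorize]` sweep is the `FallbackPolicy`: it makes every endpoint deny-by-default, so a controller added after the audit cannot silently reopen the hole.

```csharp
// Program.cs (added example). Assumptions: JwtBearer package installed, IAM exposes an
// OIDC discovery document at Jwt:Authority, tokens carry a "role" claim.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt"); // hypothetical config section

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys are fetched from the issuer's discovery document; nothing is hard-coded.
        options.Authority = jwt["Authority"];
        options.Audience = jwt["Audience"];
        options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,          // a token minted for wallet-service must not open catalog-service
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            RoleClaimType = ClaimTypes.Role,
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Deny-by-default: endpoints with neither [Authorize] nor [AllowAnonymous] still
    // require an authenticated caller. This is what closes the "18/24 services public" class of bug.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.AddPolicy("Admin", p => p.RequireRole("admin"));
});

builder.Services.AddControllers();

var app = builder.Build();

// Order is load-bearing: UseAuthentication populates HttpContext.User, UseAuthorization reads it.
// Omitting the first (the social-service-net finding) turns every [Authorize] into a blanket 401.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous(); // liveness probe is the one deliberate opening
app.Run();

// Attribute layer on top of the fallback policy: the admin surface (BanMinerCommand and friends)
// needs a role, not just a valid token.
[ApiController]
[Route("api/admin/miners")]
[Authorize(Policy = "Admin")]
public sealed class AdminMinersController : ControllerBase
{
    [HttpPost("{minerId:guid}/ban")]
    public IActionResult Ban(Guid minerId) => Ok(new { success = true, data = minerId });
}
```

Quick check after applying this to a service: an unauthenticated `GET` against any controller route must return 401, a token with the wrong `aud` must also return 401, and only `/health` should answer 200 without a bearer token.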
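Two of the P0-3 handler bugs (ads-tracking's `TrackPixelEventCommandHandler` never persisting, ads-manager's `ListPendingAdsQuery` filtering on the wrong status string), each shown in its broken form next to the corrected one. This is an added example written against MediatR-style handlers; the entity, repository and unit-of-work shapes (`PixelEvent`, `IPixelEventRepository`, `IUnitOfWork`, `Ad`, `AdStatus`) are assumed for illustration and are not the project's own types.

```csharp
// Added example. Assumed types stand in for the ads services' real entities/repositories.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MediatR;

public sealed class PixelEvent
{
    public Guid Id { get; } = Guid.NewGuid();
    public Guid PixelId { get; init; }
    public string EventName { get; init; } = "";
    public DateTime OccurredAt { get; init; } = DateTime.UtcNow;
}

public interface IPixelEventRepository { void Add(PixelEvent evt); }
public interface IUnitOfWork { Task<int> SaveChangesAsync(CancellationToken ct); }

public sealed record TrackPixelEventCommand(Guid PixelId, string EventName) : IRequest<Guid>;

// BEFORE (the audited bug): the entity is built and its Id returned, but it is never handed to
// the repository, so the caller gets a success response for a row that does not exist.
public sealed class TrackPixelEventCommandHandlerBuggy : IRequestHandler<TrackPixelEventCommand, Guid>
{
    public Task<Guid> Handle(TrackPixelEventCommand cmd, CancellationToken ct)
    {
        var evt = new PixelEvent { PixelId = cmd.PixelId, EventName = cmd.EventName };
        return Task.FromResult(evt.Id);
    }
}

// AFTER: add + save, and only report the Id once SaveChangesAsync has committed.
public sealed class TrackPixelEventCommandHandler : IRequestHandler<TrackPixelEventCommand, Guid>
{
    private readonly IPixelEventRepository _events;
    private readonly IUnitOfWork _uow;

    public TrackPixelEventCommandHandler(IPixelEventRepository events, IUnitOfWork uow)
        => (_events, _uow) = (events, uow);

    public async Task<Guid> Handle(TrackPixelEventCommand cmd, CancellationToken ct)
    {
        var evt = new PixelEvent { PixelId = cmd.PixelId, EventName = cmd.EventName };
        _events.Add(evt);
        await _uow.SaveChangesAsync(ct);
        return evt.Id;
    }
}

// Status enum as the ads-manager model is assumed to persist it: the stored string form of the
// review state is "pending_review", so a hand-typed "Pending" can never match.
public enum AdStatus { Draft, PendingReview, Approved, Rejected }

public sealed class Ad
{
    public Guid Id { get; set; }
    public AdStatus Status { get; set; }
}

public static class PendingAdsFilter
{
    // BEFORE: string comparison against a literal that is not the enum's persisted name.
    public static IQueryable<Ad> Buggy(IQueryable<Ad> ads)
        => ads.Where(a => a.Status.ToString() == "Pending");

    // AFTER: compare the typed column against the enum member; the provider translates it,
    // and a renamed status becomes a compile error instead of an empty list in production.
    public static IQueryable<Ad> Fixed(IQueryable<Ad> ads)
        => ads.Where(a => a.Status == AdStatus.PendingReview);
}
```

The persistence bug is the one to regression-test: a handler test that resolves the command, then asserts that the repository received exactly one `Add` and the unit of work one `SaveChangesAsync`, would have caught "all tracking data lost" before it shipped.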
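For P1-1, a validator alone is not enough: FluentValidation validators registered in DI do nothing until something invokes them before the handler runs. The added example below (not the project's own code) shows one validator for `RecordConversionCommand`, whose fields are assumed here since the audit names the command but not its shape, plus the generic MediatR pipeline behavior that makes every registered validator run for every command. It assumes the `FluentValidation.DependencyInjectionExtensions` package and MediatR 12 or later (for `AddOpenBehavior`).

```csharp
// Added example. RecordConversionCommand's fields are assumed; the behavior and registration are generic.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading;
using System.Threading.Tasks;
using FluentValidation;
using MediatR;
using Microsoft.Extensions.DependencyInjection;

public sealed record RecordConversionCommand(Guid PixelId, string EventName, decimal Value, string Currency)
    : IRequest<Guid>;

public sealed class RecordConversionCommandValidator : AbstractValidator<RecordConversionCommand>
{
    public RecordConversionCommandValidator()
    {
        RuleFor(c => c.PixelId).NotEmpty();
        // Event names end up in analytics tables and dashboards: constrain the alphabet, not just the length.
        RuleFor(c => c.EventName).NotEmpty().MaximumLength(64).Matches("^[a-z][a-z0-9_]*$");
        RuleFor(c => c.Value).GreaterThanOrEqualTo(0m).LessThan(1_000_000_000m);
        RuleFor(c => c.Currency).Length(3).Matches("^[A-Z]{3}$");
    }
}

// Runs every IValidator<TRequest> registered for the request and short-circuits with
// ValidationException, so no handler (and no DbContext) ever sees an invalid command.
public sealed class ValidationBehavior<TRequest, TResponse> : IPipelineBehavior<TRequest, TResponse>
    where TRequest : notnull
{
    private readonly IEnumerable<IValidator<TRequest>> _validators;

    public ValidationBehavior(IEnumerable<IValidator<TRequest>> validators) => _validators = validators;

    public async Task<TResponse> Handle(TRequest request, RequestHandlerDelegate<TResponse> next, CancellationToken ct)
    {
        // A command with no validator still runs; that is the P1-1 gap to close per service, not a crash.
        if (!_validators.Any()) return await next();

        var context = new ValidationContext<TRequest>(request);
        var results = await Task.WhenAll(_validators.Select(v => v.ValidateAsync(context, ct)));
        var failures = results.SelectMany(r => r.Errors).Where(f => f is not null).ToList();
        if (failures.Count > 0) throw new ValidationException(failures);

        return await next();
    }
}

public static class CommandValidationRegistration
{
    // Program.cs: builder.Services.AddCommandValidation(typeof(Program).Assembly);
    public static IServiceCollection AddCommandValidation(this IServiceCollection services, Assembly assembly)
    {
        services.AddValidatorsFromAssembly(assembly);          // picks up every AbstractValidator<T> in the assembly
        services.AddMediatR(cfg =>
        {
            cfg.RegisterServicesFromAssembly(assembly);
            cfg.AddOpenBehavior(typeof(ValidationBehavior<,>)); // one registration covers all commands
        });
        return services;
    }
}
```

Pair this with an exception handler that maps `ValidationException` to a 400 carrying the failures in the `{ success: false, ... }` envelope from P2-1; otherwise the short-circuit surfaces as a 500 and looks like the runtime failures this plan is trying to eliminate.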