38 KiB
Audit Report — POS System - AI
Date: 2026-03-20
Compiled from: 15 specialist audit reports (CEO, CTO, Architect, API Architect, Backend, Frontend, Database Architect, DevOps, Security, Product Manager, QA, UX/UI Designer, Founding Engineer, Research Analyst, Technical Writer)
Platform: GoodGo POS — 26 .NET 10 microservices, 5 frontend apps, MCP AI server
Branch: master (d0211e5)
Executive Summary
GoodGo POS is a multi-vertical point-of-sale platform in late-MVP / pre-production phase. The architecture is exemplary — Clean Architecture + CQRS enforced across all 26 services, bilingual documentation (EN/VI), and a comprehensive observability stack. The core POS flow works end-to-end with 93% E2E test pass rate (38/41). The MCP AI server (12 tools) is a unique market differentiator no competitor offers.
However, the platform has severe security vulnerabilities that must be addressed before any deployment: production database credentials are committed to git (CVSS 9.8), debug endpoints allow unauthenticated privilege escalation, JWT tokens are stored in localStorage, and the IdentityServer uses developer signing credentials in all environments. Test coverage sits at ~15% against a 70% target. Five services remain incomplete, and the entire marketing/CRM suite is demo-only with hardcoded fake data.
Overall Project Health Score: 5.5 / 10
| Category | Score | Key Factor |
|---|---|---|
| Architecture & Patterns | 9/10 | Clean Architecture + CQRS exemplary across all services |
| Code Quality | 8/10 | Strong DDD, bilingual docs, consistent patterns |
| Security | 2/10 | Production credentials in git, debug endpoints, no CSP |
| Test Coverage | 3/10 | ~15% coverage, 1/26 services has CI tests |
| Infrastructure & DevOps | 6/10 | Good stack, K8s gaps, alerting non-functional |
| Frontend & UX | 5/10 | Solid foundation, critical a11y failures, 2,316 inline styles |
| Documentation | 7/10 | 102+ docs, but 96% OpenAPI specs missing |
| Production Readiness | 4/10 | POS core ready, platform incomplete |
| Mobile Readiness | 2/10 | iOS partial, Android template only |
| Product Completeness | 5/10 | Core POS works, marketing/analytics are stubs |
Critical Issues
Issues that are showstoppers and must be fixed before any staging or production deployment.
SEC-1: Production Database Credentials Committed to Git (CVSS 9.8)
Source: Security Audit (CRIT-01)
Severity: BLOCKER
Affected: All 19 .NET microservices appsettings.json
The Neon PostgreSQL production password (npg_Ssfy6HKO0cXI), Redis production password (Velik@2026 with public IP 167.114.174.113), SMTP credentials, and JWT signing secret are all hardcoded in appsettings.json files tracked by git. Anyone with repository read access can authenticate directly to the production database and Redis. All customer data, merchant data, orders, wallets, and PII are at risk.
Files: services/*/src/*/appsettings.json (all 19 services)
Fix: Rotate ALL credentials immediately (within 24 hours). Replace with environment variable placeholders. Purge from git history with git filter-repo or BFG Repo Cleaner. Adopt Kubernetes External Secrets Operator or HashiCorp Vault.
SEC-2: Active JWT Bearer Token Committed in MCP Server .env
Source: Security Audit (CRIT-02)
Severity: BLOCKER
File: services/goodgo-mcp-server/.env:3
A live, signed JWT bearer token is committed to git. Any party with repository access can replay this token to authenticate as the associated service account. The MCP server has 12 operational tools that can read/write F&B data.
Fix: Revoke token immediately. Remove .env from git tracking. Purge from history.
SEC-3: Debug Endpoints Allow Unauthenticated Privilege Escalation
Source: CTO (C1), Backend (C1), CEO (referenced)
Severity: BLOCKER
File: services/merchant-service-net/src/MerchantService.API/Controllers/StaffController.cs:249-390
Five [AllowAnonymous] debug endpoints in production code:
POST /api/v1/staff/debug/seed— creates arbitrary staff dataPOST /api/v1/staff/debug/update-userid— overwrites any staff's userId via reflectionPOST /api/v1/staff/debug/update-merchant— overwrites any merchantId
Any attacker can escalate privileges or tamper with merchant data.
Fix: Delete these endpoints entirely or wrap with if (env.IsDevelopment()) + [Authorize(Roles = "SuperAdmin")].
SEC-4: SQL Injection in StaffController
Source: CTO (C2), Backend (C2)
Severity: BLOCKER
File: services/merchant-service-net/src/MerchantService.API/Controllers/StaffController.cs:307, 367
String interpolation used directly in SQL queries. While current Guid types self-sanitize, any future refactor changing types to string creates an immediate injection vulnerability.
cmd.CommandText = $"UPDATE merchants SET user_id = '{userId}' WHERE id = '{merchantId}'";
Fix: Use parameterized queries (cmd.Parameters.AddWithValue()).
SEC-5: IdentityServer Using Developer Signing Credential in All Environments
Source: Security Audit (CRIT-03)
Severity: CRITICAL
File: services/iam-service-net/src/IamService.Infrastructure/DependencyInjection.cs:142
AddDeveloperSigningCredential() is called unconditionally — no environment check. The signing key is regenerated on every restart, invalidating all active sessions. No certificate-based signing exists for production.
Fix: Use cert-based signing for non-development environments. Store RSA key in Vault or K8s TLS Secret.
SEC-6: JWT Stored in localStorage (XSS Risk)
Source: Frontend (CRIT-01), Security (WARN-01)
Severity: CRITICAL
File: apps/web-client-tpos-net/src/WebClientTpos.Client/Services/AuthService.cs:147-148
JWT tokens stored in localStorage are accessible to any JavaScript on the same origin. A single XSS vulnerability allows full token theft and account impersonation.
Fix: Migrate to httpOnly cookies via the BFF server. Add CSP headers.
SEC-7: Client Secret Hardcoded in Browser-Delivered WASM Code
Source: Frontend (CRIT-02)
Severity: CRITICAL
File: apps/web-client-tpos-net/src/WebClientTpos.Client/Services/AuthService.cs:39-40
private const string ClientId = "password-client";
private const string ClientSecret = "password-client-secret";
Blazor WASM compiles to WebAssembly served to browsers. Constants are extractable via developer tools.
Fix: Move OAuth2 token exchange to the BFF. The BFF holds secrets server-side.
SEC-8: Deprecated Password Grant (OAuth2) Used
Source: Frontend (CRIT-03)
Severity: CRITICAL
File: apps/web-client-tpos-net/src/WebClientTpos.Client/Services/AuthService.cs:136
Resource Owner Password Credentials grant is deprecated in OAuth 2.1. It cannot support MFA properly and exposes credentials to the client application.
Fix: Migrate to Authorization Code Flow with PKCE.
SEC-9: JWT Signature Validation Disabled in Development (4 Services)
Source: Backend (C3), Founding Engineer (C4)
Severity: CRITICAL
Files: merchant-service-net, ads-serving-service-net, ads-tracking-service-net, ads-billing-service-net — all Program.cs
ValidateIssuerSigningKey = builder.Environment.IsDevelopment() ? false : true,
If ASPNETCORE_ENVIRONMENT is misconfigured on a server, all JWT signatures are bypassed. Any self-crafted token is accepted.
Fix: Use a shared deterministic development signing key via environment variable. Always validate signatures.
SEC-10: BFF CORS Wildcard + All 26 Services Use AllowAnyOrigin()
Source: CTO (C3), Backend (W1), Founding Engineer (C1)
Severity: CRITICAL
Files: All 26 services Program.cs, BFF Program.cs:74-78
Every service allows any origin to make cross-origin requests. Enables CSRF attacks and violates same-origin policy.
Fix: Configure per-environment origin whitelists. Production: only https://goodgo.vn, https://admin.goodgo.vn.
SEC-11: No Content-Security-Policy Header
Source: Security (WARN-02), Frontend (IMP-02)
Severity: CRITICAL
File: infra/traefik/dynamic/middlewares.yml
The secure-headers middleware is missing CSP, Referrer-Policy, and Permissions-Policy headers. Without CSP, the browser has no defense against XSS exploitation.
Fix: Add CSP with default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; and related policies.
INFRA-1: Production K8s Manifests Hardcode :latest Image Tag
Source: DevOps (CRIT-1), CEO (referenced)
Severity: CRITICAL
Files: deployments/production/kubernetes/*.yaml
All production Kubernetes deployments use goodgo/*:latest. Not reproducible, no rollback capability.
Fix: Use commit SHA tags. Inject via Kustomize/Helm or pipeline sed-replace.
INFRA-2: Alertmanager Not Configured — All Alert Rules Silent
Source: DevOps (CRIT-2)
Severity: CRITICAL
File: infra/observability/prometheus/prometheus.yml:29
Prometheus alerting.alertmanagers.targets is empty ([]). All defined alert rules (ServiceDown, HighErrorRate, HighLatencyP95) fire into the void. Production incidents will have zero notification.
Fix: Deploy Alertmanager with Slack/PagerDuty receivers. Update targets to ['alertmanager:9093'].
INFRA-3: Health Check Endpoints Require Authentication (18/23 Services)
Source: Founding Engineer (C2)
Severity: CRITICAL
Files: 18 services missing .AllowAnonymous() on health endpoints
Kubernetes kubelet cannot authenticate. Liveness/readiness probes return 401 Unauthorized, causing pod restart loops.
Fix: Add .AllowAnonymous() to all MapHealthChecks() calls.
DATA-1: InventoryItem.CreatedAt Backing Field Not Mapped — Silent Data Loss
Source: Database Architect (C-1)
Severity: CRITICAL
File: services/inventory-service-net/src/InventoryService.Infrastructure/EntityConfigurations/InventoryItemEntityTypeConfiguration.cs:34
builder.Ignore(i => i.CreatedAt) discards the property but never maps the private backing field _createdAt. Every entity loaded from the database has CreatedAt == DateTime.MinValue.
Fix: Map _createdAt backing field to created_at column. No migration needed.
DATA-2: No Optimistic Concurrency on Wallet Balances — Race Condition
Source: Database Architect (C-2)
Severity: CRITICAL
File: services/wallet-service-net/src/WalletService.Infrastructure/EntityConfigurations/WalletItemEntityTypeConfiguration.cs
Two concurrent POS transactions can read the same balance and overwrite each other. Money disappears silently.
Fix: Add builder.UseXminAsConcurrencyToken() (Npgsql built-in). No migration needed.
SVC-1: 5 Services Still In-Progress (22% Incomplete)
Source: CEO (C2), Research Analyst (CRIT-01) Severity: CRITICAL
| Service | Status |
|---|---|
promotion-service-net |
0 commands, 0 queries — controllers reference non-existent logic |
mission-service-net |
Domain model done, 0 CQRS handlers |
inventory-service-net |
1 command handler out of 12+ endpoints needed |
ads-analytics-service-net |
Minimal commands, incomplete aggregation |
ads-billing-service-net |
3 of 8+ command handlers |
Impact: Cannot deliver full feature coverage. Order fulfillment blocked (no stock validation). Voucher campaigns non-functional.
Fix: 3 backend engineers, 2-3 weeks dedicated effort.
SVC-2: ads-serving-service-net is READ-ONLY
Source: CEO (C3), Research Analyst (WARN-02) Severity: CRITICAL
Zero command handlers. Auction logic is query-only. Cannot create or manage ad placements programmatically. Ads platform is non-functional for write operations.
PROD-1: Marketing Suite is 100% Demo — Zero Backend Integration
Source: Product Manager (CI-1)
Severity: CRITICAL
Files: 6 Marketing pages (AiChatbot.razor, CustomerCrm.razor, LivechatConsole.razor, AiContentStudio.razor, ChatbotAutomation.razor, SocialHub.razor)
All 6 pages use hardcoded demo data arrays with fake customer records. This is marketed as a key differentiator vs. KiotViet/Sapo/iPOS but delivers zero actual functionality. Merchants who sign up for Growth/Pro plans expecting CRM and AI chatbot will experience immediate trust damage.
Fix: Hide Marketing section with "Coming Soon" label, or implement real backend integration (2+ weeks).
PROD-2: Analytics & Reporting — 0% Wired to Real Data
Source: Product Manager (CI-4) Severity: CRITICAL
Revenue Dashboard, Staff Performance, and EOD Report pages exist with full UI but all KPI values (revenue, transactions, avg order value, growth %) are hardcoded demo values. Merchants making business decisions based on fake numbers will lose real money.
Fix: Wire to order-service data. Add GetDailyRevenueQuery and GetTopProductsQuery.
API-1: Response Format Fragmentation (3 Incompatible Patterns)
Source: API Architect (CRIT-1), Frontend (WARN-08) Severity: CRITICAL
Three response patterns exist: IAM uses typed ApiResponse<T>, Order/Catalog use anonymous objects, and Merchant returns raw entities. Frontend compensates with a "4-format smart deserializer" — a fragile workaround. SDK auto-generation is blocked.
Fix: Extract ApiResponse<T> to shared NuGet package. Enforce across all services.
TEST-1: Only 1 of 26 Services Has CI Test Pipeline
Source: QA (C1), CTO (W2) Severity: CRITICAL
Only iam-service-net runs tests in CI. Regressions in 25 other services are undetected until staging deployment. The deploy-staging.yml runs migrations but NOT tests before deployment.
Fix: Generate CI pipelines for all 25 missing services using ci-iam-service.yml as template.
CROSS-1: Cross-Service Messaging Not Implemented
Source: CTO (C5) Severity: CRITICAL
All IntegrationEvents/EventHandlers/ directories across 10+ services are empty. RabbitMQ is provisioned in docker-compose but no service publishes or consumes messages. System works via HTTP tight coupling, which will fail at scale.
Fix: Implement IEventBus abstraction with RabbitMQ backend. Start with OrderCreatedIntegrationEvent to inventory deduction.
Warnings
Issues that should be addressed within the next 2-4 weeks.
Security Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-SEC-1 | CORS allowCredentials: true with localhost origins in shared middleware config |
Security (WARN-03) | infra/traefik/dynamic/middlewares.yml:27 |
| W-SEC-2 | sslRedirect: false in shared middleware — applies to all environments |
Security (WARN-04), CTO | infra/traefik/dynamic/middlewares.yml:5 |
| W-SEC-3 | Jwt__RequireHttpsMetadata=false in staging K8s ConfigMap |
DevOps (WARN-10), Security (WARN-05) | deployments/staging/kubernetes/configmap.yaml:21 |
| W-SEC-4 | Test credentials hardcoded in ROADMAP.md (checked into git) | CTO (W8) | ROADMAP.md Section IX |
| W-SEC-5 | K8s staging secrets file contains literal placeholder strings | Security (WARN-09) | deployments/staging/kubernetes/secrets.yaml |
| W-SEC-6 | AllowedHosts: "*" in IAM service — DNS rebinding risk |
Security (WARN-08) | services/iam-service-net/appsettings.json:79 |
| W-SEC-7 | No CDN Subresource Integrity on Lucide script from unpkg.com | Frontend (CRIT-04) | index.html:19 |
| W-SEC-8 | TOTP verification window allows 90-second replay (no used-code tracking) | Security (WARN-10) | TotpTwoFactorService.cs:86 |
| W-SEC-9 | Unauthenticated ad tracking endpoints without rate limiting | Security (WARN-07) | Routes for /api/v1/pixels, /api/v1/conversions |
| W-SEC-10 | Traefik dashboard exposed without authentication in local dev | Security (WARN-06), DevOps (WARN-8) | docker-compose.yml:121 |
Infrastructure Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-INF-1 | Docker Compose port conflicts — 4 mkt-* services all bind port 5000 | CEO (W1), CTO (C4) | docker-compose.yml |
| W-INF-2 | Missing K8s manifests — Staging: 9 missing, Production: 11 missing | CEO (W2), CTO (W3) | deployments/*/kubernetes/ |
| W-INF-3 | 13 services missing Traefik gateway routes — bypass security middleware | CTO (W4), API Architect (CRIT-3) | infra/traefik/dynamic/routes.yml |
| W-INF-4 | 15+ services not in CI/CD deployment pipeline | DevOps (WARN-2) | .github/workflows/deploy-*.yml |
| W-INF-5 | redis-exporter scraped by Prometheus but missing from docker-compose |
DevOps (WARN-1) | prometheus.yml:132 |
| W-INF-6 | Redis deployed as single instance in K8s — SPOF for real-time features | DevOps (WARN-4) | deployments/staging/kubernetes/redis.yaml |
| W-INF-7 | No Kubernetes NetworkPolicy manifests — all pods can communicate freely | DevOps (WARN-5) | Missing from all K8s dirs |
| W-INF-8 | Distributed tracing (Jaeger) commented out — no cross-service request correlation | DevOps (WARN-7) | docker-compose.yml:1230-1241 |
| W-INF-9 | docker-build.yml pushes :latest tag to Docker Hub from main branch |
DevOps (CRIT-3) | .github/workflows/docker-build.yml:99-103 |
| W-INF-10 | PR checks only validate Node.js — no .NET build/test in PR pipeline | DevOps (WARN-3) | .github/workflows/pr-checks.yml |
| W-INF-11 | MinIO uses default credentials minioadmin/minioadmin123 |
DevOps (WARN-6) | docker-compose.yml:78-79 |
Frontend Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-FE-1 | Token refresh not implemented — silent 401 failures on token expiry | Frontend (WARN-01) | AuthStateService.cs |
| W-FE-2 | Global HttpClient header mutation — race condition under concurrent requests | Frontend (WARN-02) | PosDataService.cs:40-47 |
| W-FE-3 | No route guards — admin layout renders before auth check | Frontend (WARN-06) | All layouts |
| W-FE-4 | shopId not validated against user permissions — URL manipulation possible |
Frontend (WARN-07) | AdminLayout.razor:246-286 |
| W-FE-5 | ~20% of POS pages have incomplete backend integration (21 TODOs) | Frontend (WARN-10) | Multiple POS pages |
| W-FE-6 | MudBlazor ThemeProvider declared in multiple layouts — duplicate instances | Frontend (WARN-04) | All layout files |
| W-FE-7 | localStorage logic duplicated across 5 files | Frontend (WARN-05) | AuthService.cs, layouts, LanguageSwitcher.razor |
| W-FE-8 | eval() used for DOM focus management in OTP input |
Architect (W-2) | OtpInput.razor |
| W-FE-9 | Incomplete vi-VN translations vs en-US.json | Frontend (WARN-11) | wwwroot/locales/vi-VN.json |
UX/Accessibility Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-UX-1 | No :focus-visible styles — keyboard navigation invisible (WCAG 2.4.7) |
UX/UI (Issue 1) | All CSS files |
| W-UX-2 | Clickable <div> elements instead of <button> in POS pages (WCAG 4.1.2) |
UX/UI (Issue 2) | All *Desktop.razor |
| W-UX-3 | No ARIA labels on icon-only interactive elements (WCAG 4.1.2) | UX/UI (Issue 3), Architect (C-2) | Auth components, layouts |
| W-UX-4 | Error/success messages missing role="alert" (WCAG 4.1.3) |
UX/UI (Issue 4) | Login pages, POS |
| W-UX-5 | Hardcoded Vietnamese strings in POS UI — breaks English localization | UX/UI (Issue 5) | All POS vertical pages, layouts |
| W-UX-6 | 2,316 inline style attributes undermine design system | UX/UI (Issue 7) | All pages |
| W-UX-7 | Hardcoded color values instead of CSS variables | UX/UI (Issue 6) | POS pages, Dashboard |
| W-UX-8 | No focus trap in modal overlays (WCAG 2.1.2) | UX/UI (Issue 13) | Layouts, dialogs |
| W-UX-9 | Secondary text contrast may fail WCAG AA | UX/UI (Issue 9) | admin.css |
Database Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-DB-1 | UUID v4 used everywhere instead of UUID v7 — index fragmentation at scale | DB Architect (C-3) | All 23 service domain entities |
| W-DB-2 | IAM Phase4A migration created PascalCase tables — breaks snake_case convention | DB Architect (C-4) | IAM migration Phase4A_AuditAndCompliance.cs |
| W-DB-3 | Missing global query filter for soft-deleted Merchant/Shop records | DB Architect (W-1) | MerchantServiceContext.cs |
| W-DB-4 | Missing composite indexes on high-traffic query patterns | DB Architect (W-2) | order, catalog, booking, inventory services |
| W-DB-5 | Debug.WriteLine left in OrderContext production code |
DB Architect (W-4) | OrderContext.cs:59,71 |
| W-DB-6 | ads-analytics and ads-billing bypass Repository pattern | DB Architect (W-6) | ads-analytics-service-net, ads-billing-service-net |
API & Backend Warnings
| ID | Issue | Source | Files |
|---|---|---|---|
| W-API-1 | API versioning inconsistency — 3 different patterns across services | API Architect (CRIT-2) | Multiple Program.cs, controllers |
| W-API-2 | Authorization pattern fragmentation — no policy-based auth, audience validation disabled | API Architect (WARN-2) | All services |
| W-API-3 | Health check implementation non-standard across services | API Architect (WARN-3) | Multiple services |
| W-API-4 | Idempotency only in 3/26 services — wallet and booking at risk of double-charge | Backend (W2) | wallet-service-net, booking-service-net |
| W-API-5 | TenantMiddleware uses string interpolation in SQL SET (5 services) | CTO (W1) | order, inventory, wallet, catalog, fnb-engine |
| W-API-6 | Fire-and-forget Task in mkt-whatsapp — errors silently swallowed | CTO (W5) | WebhooksController.cs:88 |
Testing Warnings
| ID | Issue | Source |
|---|---|---|
| W-TST-1 | MCP Server has zero tests (12 production tools) | QA (C2) |
| W-TST-2 | No coverage thresholds enforced — Coverlet installed but unconfigured | QA (C3) |
| W-TST-3 | No contract testing between microservices | QA (C4) |
| W-TST-4 | All 6 shared Node.js packages have zero tests | QA (W1) |
| W-TST-5 | E2E tests require live backend with no mocking — brittle in CI | QA (W2) |
| W-TST-6 | Playwright tests are read-only — no mutation/transaction coverage | QA (W3) |
| W-TST-7 | No performance/load testing anywhere in the stack | QA (W4) |
| W-TST-8 | Frontend has no component-level tests | QA (W5) |
Product Warnings
| ID | Issue | Source |
|---|---|---|
| W-PRD-1 | Voucher redemption broken — backend exists but no UI in payment flow | Product Manager (CI-2) |
| W-PRD-2 | Payment gateway live/sandbox status unclear | Product Manager (CI-3) |
| W-PRD-3 | QR Menu customer ordering — post-cart flow has gaps | Product Manager (W-4) |
| W-PRD-4 | Spa vertical — appointment walk-in flow unclear | Product Manager (W-2) |
| W-PRD-5 | Mobile apps incomplete — iOS partial, Android template only | CEO (W3), Research (WARN-03) |
Documentation Warnings
| ID | Issue | Source |
|---|---|---|
| W-DOC-1 | OpenAPI specs missing for 24/25 services | Technical Writer (C1) |
| W-DOC-2 | Postman collections directory is empty | Technical Writer (C2) |
| W-DOC-3 | README.md missing for 13/25 services | Technical Writer (W1) |
| W-DOC-4 | No CHANGELOG or release notes | Technical Writer (W4) |
Design System Warnings
| ID | Issue | Source |
|---|---|---|
| W-DS-1 | No shared UI component package — components trapped in single app | Architect (C-1) |
| W-DS-2 | Theme token duplication between AppTheme.cs and app.css |
Architect (W-1) |
| W-DS-3 | No responsive breakpoint tokens — hardcoded media queries | Architect (W-3) |
| W-DS-4 | Marketing module uses separate theme with no documented rationale | Architect (W-6) |
| W-DS-5 | No shared NuGet for DTOs — duplicated across web apps | Architect (W-7) |
Improvements
Enhancements that would improve quality, maintainability, and competitive positioning.
Architecture & Code Quality
- Extract MediatR behaviors to shared NuGet — 3,450+ lines duplicated across 23 services (Founding Engineer C3)
- Extract
ApiResponse<T>to shared package — enforce uniform response format (API Architect IMP-1) - Implement transactional outbox pattern for domain events — prevents event loss on process crash (Backend I1)
- Implement Saga orchestration for order placement flow — prevent inconsistent state across wallet/inventory/promotion (Backend I4)
- Create shared Blazor Razor Class Library (
@goodgo/blazor-ui) — enable cross-app component reuse (Architect I-1) - Implement Style Dictionary token pipeline — single source of truth for CSS vars and C# constants (Architect I-2)
- Replace
Guid.NewGuid()withGuid.CreateVersion7()across all domain entities — prevents B-tree index fragmentation (DB Architect C-3)
Infrastructure & DevOps
- Adopt GitOps with ArgoCD — drift detection, automatic rollback, audit trail (DevOps IMP-1)
- Add PodDisruptionBudgets for production services (DevOps IMP-2)
- Enable distributed tracing (Jaeger or Grafana Tempo) — critical for debugging 26-service interactions (DevOps WARN-7)
- Add image vulnerability scanning (
trivy-action) to CI pipeline (DevOps IMP-5) - Implement External Secrets Operator for K8s production secrets (DevOps IMP-8)
- Add PgBouncer for local development — 25+ services can exhaust PostgreSQL connections (DB Architect I-2)
- Enable
pg_stat_statementsin PostgreSQLinit.sqlfor query monitoring (DB Architect I-1) - Add Prometheus business metrics — orders/hour, conversion rate, revenue per vertical (Research IMP-04)
Security Hardening
- Add Serilog sensitive data destructuring — prevent accidental PII/credential logging (Security IMP-02)
- Add security scanning to CI — GitLeaks, CodeQL SAST,
dotnet list package --vulnerable(Security IMP-03) - Implement refresh token rotation — one-time-use refresh tokens (Security IMP-04)
- Add
Referrer-PolicyandPermissions-Policyheaders (Security IMP-05)
Testing
- Add Vitest test suite to MCP server — 12 untested production tools (QA I2)
- Enforce coverage thresholds via
.runsettings— 80% minimum (QA I3) - Add Pact.io contract tests for top 5 service boundaries (QA I4)
- Add k6 performance tests for critical paths — order creation, catalog listing, ad events (QA I7)
- Add mutation E2E tests — test actual order creation, payment, booking flows (QA I5)
Product & Market
- Integrate MoMo QR + ZaloPay — 60% of Vietnam digital payment market share, all competitors support them (Research IMP-01)
- E-invoice compliance (Nghi Dinh 123/2020) — legal requirement for all VN businesses since 2022 (Research IMP-02)
- Wire analytics dashboards to real data — replace demo arrays with actual order-service queries (Product IMP-2)
- Implement voucher redemption in POS payment flow — highest ROI product fix, RICE score 1,350 (Product IMP-1)
- Expand MCP AI tools to Karaoke and Retail verticals — strengthen unique differentiator (Research IMP-03)
- Add customer feedback loop post-payment (QR rating) — feature no competitor has (Product IMP-4)
- Implement Redis application-level caching for catalog, shop config — reduce DB load (Research IMP-05)
UX/Accessibility
- WCAG 2.1 AA accessibility pass — focus-visible styles, semantic buttons, ARIA attributes, focus traps (UX/UI)
- Extract inline styles to CSS classes — 2,316 instances undermining design system (UX/UI Issue 7)
- Add responsive breakpoint tokens and standardize spacing scale (Architect W-3, UX/UI Issue 8)
- Add password strength indicator to registration (UX/UI Improvement B)
- Lazy-load POS vertical assemblies — reduce initial Blazor WASM download size (Frontend IMP-04)
Documentation
- Export and commit OpenAPI specs for all 24 missing services (Technical Writer A1)
- Create Postman collections from Swagger specs (Technical Writer A2)
- Add system architecture Mermaid diagram to
system-design.md(Technical Writer I1) - Deploy VitePress documentation site via CI to
docs.goodgo.vn(Technical Writer I2) - Add CHANGELOG.md with automated generation (Technical Writer W4)
Action Items
Prioritized checklist with assignee suggestions and effort estimates.
P0 — IMMEDIATE (Within 24-48 Hours)
| # | Action | Assignee | Effort | Source |
|---|---|---|---|---|
| 1 | Rotate ALL production credentials (PostgreSQL, Redis, SMTP, JWT secret) | CTO + DevOps | 4h | SEC-1 |
| 2 | Revoke MCP server JWT token, remove .env from git, purge history |
DevOps | 1h | SEC-2 |
| 3 | Delete debug endpoints from StaffController.cs:249-390 |
Backend Dev | 30m | SEC-3 |
| 4 | Fix SQL injection — parameterized queries in StaffController.cs |
Backend Dev | 30m | SEC-4 |
| 5 | Replace AllowAnyOrigin() with environment-based whitelist in all 26 services |
Backend Dev | 2h | SEC-10 |
| 6 | Add .AllowAnonymous() to health check endpoints in 18 services |
Founding Eng | 1h | INFRA-3 |
| 7 | Replace AddDeveloperSigningCredential() with cert-based signing for non-dev |
Backend Lead | 2h | SEC-5 |
| 8 | Remove :latest from production K8s manifests — use SHA tags |
DevOps | 2h | INFRA-1 |
| 9 | Configure Alertmanager with Slack/PagerDuty receivers | DevOps | 4h | INFRA-2 |
| 10 | Remove credentials from ROADMAP.md | CTO | 5m | W-SEC-4 |
P0 — THIS WEEK (Within 7 Days)
| # | Action | Assignee | Effort | Source |
|---|---|---|---|---|
| 11 | Fix Docker Compose port conflicts (mkt-* services: assign 5021-5024) | DevOps | 2h | W-INF-1 |
| 12 | Add CSP header to Traefik secure-headers middleware |
DevOps | 1h | SEC-11 |
| 13 | Fix BFF CORS — replace AllowAnyOrigin() with whitelist |
Backend Dev | 15m | SEC-10 |
| 14 | Fix InventoryItem._createdAt backing field mapping | Backend Dev | 30m | DATA-1 |
| 15 | Add optimistic concurrency token to wallet_items | Backend Dev | 1h | DATA-2 |
| 16 | Add 13 missing Traefik routes (chat, social, mining, ads-, mkt-, promotion, mission) | DevOps | 2h | W-INF-3 |
| 17 | Enable SSL redirect in staging/production Traefik config | DevOps | 15m | W-SEC-2 |
| 18 | Hide Marketing section with "Coming Soon" label | Frontend Dev | 1d | PROD-1 |
| 19 | Remove :latest push from docker-build.yml |
DevOps | 30m | W-INF-9 |
P1 — THIS MONTH (Within 30 Days)
| # | Action | Assignee | Effort | Source |
|---|---|---|---|---|
| 20 | Complete 5 in-progress services (promotion, mission, inventory, ads-analytics, ads-billing) | 3 Backend Devs | 2-3 weeks | SVC-1 |
| 21 | Migrate JWT storage to httpOnly cookies via BFF | Frontend Dev | 2d | SEC-6 |
| 22 | Replace password grant with Authorization Code + PKCE | Frontend + Backend | 3d | SEC-8 |
| 23 | Generate CI pipelines for 25 missing services | DevOps | 1d | TEST-1 |
| 24 | Implement voucher redemption in POS payment flow | Backend + Frontend | 1 week | W-PRD-1 |
| 25 | Wire analytics dashboards to real order data | Backend + Frontend | 1 week | PROD-2 |
| 26 | Add .NET build/test to PR checks pipeline | DevOps | 2h | W-INF-10 |
| 27 | Complete remaining K8s manifests (9 staging + 11 production) | DevOps | 1 week | W-INF-2 |
| 28 | Add route guards / AuthorizeView to all layouts | Frontend Dev | 1d | W-FE-3 |
| 29 | Validate shopId against user permissions in AdminLayout | Frontend Dev | 4h | W-FE-4 |
| 30 | Implement token refresh logic | Frontend Dev | 1d | W-FE-1 |
| 31 | Add :focus-visible styles and semantic buttons to POS pages |
Frontend Dev | 3d | W-UX-1, W-UX-2 |
| 32 | Add ARIA attributes to all interactive custom components | Frontend Dev | 2d | W-UX-3 |
| 33 | Implement IEventBus skeleton + first integration event (OrderCreated to inventory) | Backend Dev | 3-5d | CROSS-1 |
| 34 | Extract MediatR behaviors to shared NuGet package | Founding Eng | 4h | Founding Eng C3 |
| 35 | Add Vitest test suite to MCP server (12 tools) | Backend Dev | 3-5d | W-TST-1 |
| 36 | Increase test coverage to 50% — focus on wallet, catalog, booking | QA + Devs | 3 weeks | CEO P0 |
| 37 | Add HasQueryFilter for soft-deleted Merchant + Shop | Backend Dev | 1h | W-DB-3 |
| 38 | Migrate IAM AuditLogs to snake_case table names | Backend Dev | 2h | W-DB-2 |
| 39 | Implement idempotency for wallet-service and booking-service | Backend Dev | 2d | W-API-4 |
| 40 | Separate CORS config by environment — remove localhost from production | DevOps | 1h | W-SEC-1 |
| 41 | Confirm payment gateway status (VNPay live/sandbox, plan for MoMo/ZaloPay) | CTO + Backend | 3d | W-PRD-2 |
P2 — NEXT QUARTER (Within 90 Days)
| # | Action | Assignee | Effort | Source |
|---|---|---|---|---|
| 42 | Implement MoMo QR + ZaloPay payment integration | Backend Dev | 2-3 weeks | Research IMP-01 |
| 43 | E-invoice integration (Nghi Dinh 123/2020) | Backend Dev | 2 weeks | Research IMP-02 |
| 44 | Replace Guid.NewGuid() with Guid.CreateVersion7() globally |
Backend Dev | 4h | W-DB-1 |
| 45 | Add composite indexes on high-traffic query patterns | Backend Dev | 1h | W-DB-4 |
| 46 | Deploy PgBouncer for local development | DevOps | 2h | DB I-2 |
| 47 | iOS app feature development (SwiftUI, core POS screens) | Mobile Dev | 4-6 weeks | W-PRD-5 |
| 48 | Performance baseline (k6 load testing) on staging | QA | 3d | W-TST-7 |
| 49 | Add Pact.io contract tests for top 5 service boundaries | Backend Dev | 5-7d | W-TST-3 |
| 50 | Export and commit OpenAPI specs for all 24 services | Backend + DevOps | 2d | W-DOC-1 |
| 51 | Add security scanning to CI (GitLeaks, CodeQL, vulnerability audit) | DevOps | 1d | Security IMP-03 |
| 52 | Standardize API versioning across all services | Backend Lead | 3d | W-API-1 |
| 53 | Implement policy-based authorization with scope validation | IAM Dev | 1 week | W-API-2 |
| 54 | Redis HA (Sentinel) for staging/production | DevOps | 4h | W-INF-6 |
| 55 | Add NetworkPolicy manifests to K8s | DevOps | 4h | W-INF-7 |
| 56 | Enable distributed tracing (Jaeger/Grafana Tempo) | DevOps | 2h | W-INF-8 |
| 57 | Implement secrets management pipeline (Vault / External Secrets) | DevOps | 1 week | Security IMP-01 |
| 58 | Extract inline styles to CSS classes (2,316 instances) | Frontend Dev | 1-2 weeks | W-UX-6 |
| 59 | Move hardcoded Vietnamese strings to localization keys | Frontend Dev | 1 week | W-UX-5 |
| 60 | Production pilot with 1-2 enterprise merchants (Cafe/Restaurant) | Product + CTO | Ongoing | CEO recommendation |
P3 — BACKLOG
| # | Action | Assignee | Effort | Source |
|---|---|---|---|---|
| 61 | Create shared Blazor Razor Class Library (blazor-ui) |
Architect + Frontend | 1 week | Architect I-1 |
| 62 | Implement Style Dictionary token pipeline | Architect | 3d | Architect I-2 |
| 63 | Add README.md to 13 missing services | Tech Lead | 1d | W-DOC-3 |
| 64 | Create CHANGELOG.md + automate generation | DevOps | 2h | W-DOC-4 |
| 65 | Deploy VitePress docs site via CI | DevOps | 2h | Tech Writer I2 |
| 66 | Expand MCP AI tools to Karaoke + Retail verticals | Backend Dev | 4-6 weeks | Research IMP-03 |
| 67 | MAUI Android app feature development | Mobile Dev | 6-8 weeks | W-PRD-5 |
| 68 | Add customer feedback loop post-payment (QR rating) | Backend + Frontend | 2 weeks | Product IMP-4 |
| 69 | Implement Saga orchestration for order placement flow | Backend Dev | 2 weeks | Backend I4 |
| 70 | Add materialized view for daily sales reporting | Backend Dev | 2d | DB I-5 |
| 71 | Adopt ArgoCD for GitOps | DevOps | 2-3d | DevOps IMP-1 |
| 72 | Create system architecture Mermaid diagram | Technical Writer | 2h | Tech Writer I1 |
Competitive Positioning
| Feature | GoodGo Status | KiotViet | Sapo POS | iPOS |
|---|---|---|---|---|
| Multi-vertical POS (5+) | LEAD | Retail only | Limited | 2 verticals |
| AI-powered operations (MCP) | UNIQUE | None | None | None |
| KDS Kitchen Display | Production | None | Yes | Yes |
| Microservices scalability | LEAD | Monolith | Monolith | Monolith |
| Real-time analytics | STUB (demo data) | Production | Production | Production |
| Marketing CRM | STUB (demo data) | Basic | Production | None |
| Mobile app (production) | GAP | Production | Production | Production |
| Payment (MoMo/ZaloPay) | GAP | Production | Production | Production |
| E-invoice compliance | GAP | Production | Production | Production |
| Booking/Scheduling | Production | None | None | Yes |
| Loyalty stamps/levels | Production | Basic | Basic | Yes |
Assessment: GoodGo has architectural and AI advantages no competitor matches. The critical gaps are: (1) real analytics/reporting, (2) payment gateway breadth, (3) mobile apps, and (4) e-invoice compliance. Fixing items 1 and 2 alone would make GoodGo competitive for enterprise SMB acquisition.
Recommendation
Phase 1 (Week 1-2): Security Lockdown Rotate all credentials, fix debug endpoints, fix SQL injection, add CSP, remove secrets from git history. This is non-negotiable before any deployment.
Phase 2 (Week 2-4): Staging Deployment Deploy the 15 production-ready services to staging. Fix health check auth, complete K8s manifests, configure Alertmanager. Add CI test pipelines.
Phase 3 (Month 2): Service Completion + Product Gaps Complete the 5 in-progress services. Wire analytics to real data. Implement voucher redemption. Confirm payment gateway status. Increase test coverage to 50%.
Phase 4 (Month 3): Production Pilot Production pilot with 1-2 enterprise merchants in Cafe/Restaurant verticals. Integrate MoMo/ZaloPay. Begin e-invoice compliance work.
Success probability: 75% given current momentum, architecture quality, and the severity of security issues that need immediate resolution. The architecture is excellent — the gaps are in security hygiene, test coverage, and last-mile product completeness.
Report compiled from 15 specialist audits on 2026-03-20 Overall Health Score: 5.5 / 10 — Strong architecture, critical security debt, incomplete features