admin/pos-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0e99b1d6543a5cd48fcb660fde8bd22be44f7345
pos-system/microservices/docs/audit/FIX-PLAN.md
Ho Ngoc Hai 76d75c753b Migrate
2026-05-23 18:37:02 +07:00

8.7 KiB
Raw Blame History

GoodGo POS System — Audit Fix Plan

Date: 2026-03-23 Owner: CEO Agent Source: 14 agent audit reports (94 total findings) Status: Active

Summary

Category Critical High Medium Low Total
Security 5 10 5 1 21
Backend 4 5 3 0 12
Frontend 5 9 5 4 23
DevOps 4 12 5 0 21
Testing 4 7 3 1 15
Documentation 0 2 0 0 2
Total 22 45 21 6 94

Wave 1 — P0 Blockers (Target: 24-48h)

Security Blockers (assign: Security Engineer)

ID Finding File Fix
SEC-C-01 DB credentials hardcoded in git (19 services) All appsettings.json Replace with env vars, add to .gitignore
SEC-C-02 JWT token in MCP server .env committed services/goodgo-mcp-server/.env Revoke, remove from git, purge history
SEC-C-03 AddDeveloperSigningCredential() in all envs iam-service-net/.../DependencyInjection.cs:142 Wrap in if (env.IsDevelopment())
SEC-C-04 Debug endpoints [AllowAnonymous] — privilege escalation merchant-service-net/.../StaffController.cs:249-390 Delete or restrict to dev + SuperAdmin
SEC-C-05 SQL injection via string interpolation merchant-service-net/.../StaffController.cs:307,367 Use parameterized queries

DevOps Blockers (assign: DevOps Engineer)

ID Finding File Fix
DEVOPS-C-01 K8s :latest image tag in production All production/kubernetes/*.yaml Use IMAGE_TAG placeholder + SHA
DEVOPS-C-02 Alertmanager not configured — alerts silent prometheus/prometheus.yml:29 Configure Alertmanager + receivers
DEVOPS-C-03 CI pushes :latest to Docker Hub .github/workflows/docker-build.yml:99-103 Remove :latest, use SHA only
DEVOPS-C-04 4 mkt-* services port 5000 conflict docker-compose.yml Assign ports 5021-5024

Wave 2 — P1 Urgent (Target: 1 week)

Security High (assign: Security Engineer)

ID Finding Fix
SEC-W-02 No Content-Security-Policy header Add CSP to Traefik middlewares.yml
SEC-W-03 CORS allowCredentials: true with dev origins Separate per-env CORS config
SEC-W-04 sslRedirect: false in shared config Set true in staging/prod
SEC-W-05 Jwt__RequireHttpsMetadata=false in docker-compose Verify K8s ConfigMaps don't have this
SEC-W-14 BFF CORS wildcard AllowAnyOrigin() Whitelist specific origins
SEC-W-15 JWT validation skipped in dev (4 services) Always validate signatures

Backend Critical (assign: Senior Backend Engineer)

ID Finding Fix
BACK-C-01 AllowAnyOrigin() on all 26 services Restrict origins in production
BACK-C-02 Idempotency missing in 23/26 services Implement IRequestManager (wallet, booking first)
BACK-C-03 Error response format inconsistent Standardize to { success, error: { code, message } }
BACK-C-04 ProblemDetails mapping incomplete in template Update template with full exception mapping
BACK-W-02 TenantMiddleware SQL string interpolation Parameterized queries in 5 services

Frontend Critical (assign: Senior Frontend Engineer)

ID Finding Fix
SEC-W-11 Client secret in WASM (extractable) Move to BFF server-side
SEC-W-12 Password grant deprecated Migrate to PKCE flow
SEC-W-01 JWT in localStorage (XSS risk) Migrate to httpOnly cookies via BFF
FRONT-C-04 No route guards for auth pages Add [Authorize] + AuthorizeView
FRONT-C-05 shopId not validated against permissions Backend verification call
FRONT-W-01 Token refresh not implemented Add background refresh timer
FRONT-W-02 Global HttpClient header mutation (race) Per-request headers via DelegatingHandler
SEC-W-13 No CDN SRI for Lucide icons Add SRI hash, pin version

DevOps High (assign: DevOps Engineer)

ID Finding Fix
DEVOPS-W-02 15+ services missing CI/CD pipelines Generate CI workflows from template
DEVOPS-W-03 pr-checks.yml no .NET build/test Add matrix build for .NET
DEVOPS-W-10 RequireHttpsMetadata=false in staging K8s Set true in staging/prod
DEVOPS-W-11 booking-service missing K8s manifest Create staging manifest
DEVOPS-W-12 13 Traefik routes missing Add routes for all missing services

Testing Critical (assign: QA Engineer)

ID Finding Fix
TEST-C-01 Only 1/26 services has CI test pipeline Generate CI for 25 services
TEST-C-02 MCP server zero tests Add Vitest test suite
TEST-C-03 No coverage thresholds enforced Add .runsettings with 80% threshold

Wave 3 — P2 High (Target: 2 weeks)

Architecture (assign: Architect)

ID Finding Fix
FRONT-I-01 No shared UI component package Extract shared Razor Class Library
FRONT-I-02 ARIA/accessibility gaps Add ARIA attributes to all components
FRONT-I-03 No design-to-code token sync Style Dictionary pipeline
FRONT-I-04 eval() in OtpInput Create JS module for focus

Backend Architecture (assign: Senior Backend Engineer)

ID Finding Fix
BACK-I-01 No OpenAPI specs in repo Add dotnet swagger tofile to CI
BACK-I-02 Missing Prometheus /metrics Add OpenTelemetry + Prometheus exporter
BACK-W-01 HttpContextAccessor in handlers Inject contextual data from Controller
BACK-W-03 Dapper no commandTimeout Set explicit timeout on all queries

Frontend Improvements (assign: Senior Frontend Engineer)

ID Finding Fix
FRONT-W-03 ~20% POS pages incomplete backend integration Implement 21 missing API integrations
FRONT-W-04 Fragile multi-format deserialization Standardize API response envelope
FRONT-W-06 MudBlazor providers duplicated Move to App.razor once
FRONT-W-07 localStorage logic duplicated 5 files Extract LocalStorageService

DevOps Improvements (assign: DevOps Engineer)

ID Finding Fix
DEVOPS-W-01 redis-exporter missing from compose Add or remove scrape job
DEVOPS-W-04 Redis single instance (SPOF) Redis Sentinel or Cluster
DEVOPS-W-05 No K8s NetworkPolicy Add default-deny + whitelist
DEVOPS-M-01 No image vulnerability scanning Add Trivy to CI

Testing Improvements (assign: QA Engineer)

ID Finding Fix
TEST-C-04 No contract testing Implement Pact.io for top 5 boundaries
TEST-W-01 Shared packages zero tests Add unit tests for 6 packages
TEST-W-04 No performance/load testing Add k6 load tests
TEST-W-05 No frontend component tests Add unit tests for key components

Documentation (assign: Technical Writer)

ID Finding Fix
DOC-W-01 Test credentials in ROADMAP.md Remove credentials
DOC-W-02 No ADR for Marketing dual-theme Create ADR

Wave 4 — P3 Medium (Target: 1 month)

Lower priority items — tracked but deferred:

  • FRONT-W-05: Lucide re-init on every render
  • FRONT-W-08: Incomplete vi-VN translations
  • FRONT-W-09: No IFormatProvider in JsonStringLocalizer
  • FRONT-W-10: Event handler leak (no IAsyncDisposable)
  • FRONT-W-11: Hardcoded Vietnamese in AuthInput
  • FRONT-I-05 through FRONT-I-09: Component library expansion
  • BACK-I-03: Outbox pattern (5d effort)
  • BACK-I-04: Saga pattern (5d effort)
  • DEVOPS-I-01 through DEVOPS-I-04: GitOps, PDB, Secrets Manager
  • SEC-W-06 through SEC-W-10: Medium security items

Agent Assignment Matrix

Agent Wave 1 Wave 2 Wave 3 Total Items
Security Engineer 5 6 0 11
Senior Backend Engineer 0 5 4 9
Senior Frontend Engineer 0 8 4 12
DevOps Engineer 4 5 4 13
QA Engineer 0 3 4 7
Architect 0 0 4 4
Technical Writer 0 0 2 2
CTO Review all

QA Verification Plan

After each wave completes:

  1. Docker Compose rebuild: docker-compose down && docker-compose up --build -d
  2. Health check all services: curl http://localhost:{port}/health/live
  3. Run E2E tests: verify 38/41+ pass rate maintained
  4. Security scan: verify hardcoded credentials removed
  5. K8s dry-run: kubectl apply --dry-run=server -f deployments/staging/kubernetes/

Success Criteria

  • Wave 1: All 9 P0 blockers resolved, zero hardcoded credentials in git
  • Wave 2: All 22 P1 items resolved, CI pipelines for all services
  • Wave 3: Architecture improvements in place, test coverage >50%
  • Overall: Project health score from 6.5/10 to 8.5/10
Reference in New Issue View Git Blame Copy Permalink