pos-system/docs/audit/FIX-PLAN.md

# GoodGo POS System — Audit Fix Plan

- Date: 2026-03-23
- Owner: CEO Agent
- Source: 14 agent audit reports (94 total findings)
- Status: Active


## Summary

| Category | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| Security | 5 | 10 | 5 | 1 | 21 |
| Backend | 4 | 5 | 3 | 0 | 12 |
| Frontend | 5 | 9 | 5 | 4 | 23 |
| DevOps | 4 | 12 | 5 | 0 | 21 |
| Testing | 4 | 7 | 3 | 1 | 15 |
| Documentation | 0 | 2 | 0 | 0 | 2 |
| **Total** | **22** | **45** | **21** | **6** | **94** |

## Wave 1 — P0 Blockers (Target: 24-48h)

### Security Blockers (assign: Security Engineer)

| ID | Finding | File | Fix |
|---|---|---|---|
| SEC-C-01 | DB credentials hardcoded in git (19 services) | All `appsettings.json` | Replace with env vars, add to `.gitignore` |
| SEC-C-02 | JWT token in MCP server `.env` committed | `services/goodgo-mcp-server/.env` | Revoke, remove from git, purge history |
| SEC-C-03 | `AddDeveloperSigningCredential()` in all envs | `iam-service-net/.../DependencyInjection.cs:142` | Wrap in `if (env.IsDevelopment())` |
| SEC-C-04 | Debug endpoints `[AllowAnonymous]` — privilege escalation | `merchant-service-net/.../StaffController.cs:249-390` | Delete or restrict to dev + SuperAdmin |
| SEC-C-05 | SQL injection via string interpolation | `merchant-service-net/.../StaffController.cs:307,367` | Use parameterized queries |
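
An added illustration, not code from the GoodGo repository, of the SEC-C-05 / BACK-W-02 defect beside the parameterized Dapper query the plan prescribes (with the explicit `commandTimeout` that BACK-W-03 asks for). The `staff` table, its columns and the `StaffRepository` type are assumptions.

```csharp
// Added illustration, not the project's own code: the string-interpolation
// pattern named in SEC-C-05 / BACK-W-02 next to the parameterized Dapper form.
// Table name, column names and the repository type are assumptions.
using System.Data;
using System.Threading.Tasks;
using Dapper;

public sealed record StaffRow(int Id, string ShopId, string Email, string Role);

public sealed class StaffRepository
{
    private readonly IDbConnection _db;
    public StaffRepository(IDbConnection db) => _db = db;

    // BEFORE (defective, kept only to show the finding): caller-controlled values
    // are spliced into the SQL text, so they become part of the statement itself.
    public Task<StaffRow?> FindInsecureAsync(string shopId, string email)
    {
        var sql = "SELECT id AS Id, shop_id AS ShopId, email AS Email, role AS Role " +
                  $"FROM staff WHERE shop_id = '{shopId}' AND email = '{email}'";
        return _db.QuerySingleOrDefaultAsync<StaffRow>(sql);
    }

    // AFTER: the SQL text is a constant; values travel as bound parameters that the
    // driver sends separately from the statement. The explicit commandTimeout
    // (seconds) also closes BACK-W-03, Dapper calls that can hang without a limit.
    public Task<StaffRow?> FindAsync(string shopId, string email)
    {
        const string sql =
            "SELECT id AS Id, shop_id AS ShopId, email AS Email, role AS Role " +
            "FROM staff WHERE shop_id = @ShopId AND email = @Email";
        return _db.QuerySingleOrDefaultAsync<StaffRow>(
            sql, new { ShopId = shopId, Email = email }, commandTimeout: 5);
    }
}
```

The column aliases match the record's constructor parameter names so Dapper's constructor mapping works without enabling `MatchNamesWithUnderscores`.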

### DevOps Blockers (assign: DevOps Engineer)

| ID | Finding | File | Fix |
|---|---|---|---|
| DEVOPS-C-01 | K8s `:latest` image tag in production | All `production/kubernetes/*.yaml` | Use `IMAGE_TAG` placeholder + SHA |
| DEVOPS-C-02 | Alertmanager not configured — alerts silent | `prometheus/prometheus.yml:29` | Configure Alertmanager + receivers |
| DEVOPS-C-03 | CI pushes `:latest` to Docker Hub | `.github/workflows/docker-build.yml:99-103` | Remove `:latest`, use SHA only |
| DEVOPS-C-04 | 4 `mkt-*` services port 5000 conflict | `docker-compose.yml` | Assign ports 5021-5024 |

## Wave 2 — P1 Urgent (Target: 1 week)

### Security High (assign: Security Engineer)

| ID | Finding | Fix |
|---|---|---|
| SEC-W-02 | No Content-Security-Policy header | Add CSP to Traefik `middlewares.yml` |
| SEC-W-03 | CORS `allowCredentials: true` with dev origins | Separate per-env CORS config |
| SEC-W-04 | `sslRedirect: false` in shared config | Set true in staging/prod |
| SEC-W-05 | `Jwt__RequireHttpsMetadata=false` in docker-compose | Verify K8s ConfigMaps don't have this |
| SEC-W-14 | BFF CORS wildcard `AllowAnyOrigin()` | Whitelist specific origins |
| SEC-W-15 | JWT validation skipped in dev (4 services) | Always validate signatures |

### Backend Critical (assign: Senior Backend Engineer)

| ID | Finding | Fix |
|---|---|---|
| BACK-C-01 | `AllowAnyOrigin()` on all 26 services | Restrict origins in production |
| BACK-C-02 | Idempotency missing in 23/26 services | Implement `IRequestManager` (wallet, booking first) |
| BACK-C-03 | Error response format inconsistent | Standardize to `{ success, error: { code, message } }` |
| BACK-C-04 | ProblemDetails mapping incomplete in template | Update template with full exception mapping |
| BACK-W-02 | TenantMiddleware SQL string interpolation | Parameterized queries in 5 services |
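
An added example, not the GoodGo services' own startup code, showing how the dev-only defaults behind SEC-C-03 (Wave 1), SEC-W-03, SEC-W-14 and BACK-C-01 are gated on the environment instead of applied everywhere. It assumes a Duende IdentityServer / IdentityServer4 style `AddIdentityServer()` registration (the package that provides `AddDeveloperSigningCredential()`), and the `Cors:AllowedOrigins` and `Signing:*` configuration keys and the `Default` policy name are assumptions.

```csharp
// Added illustration, not the project's own Program.cs: the dev-only defaults
// behind SEC-C-03, SEC-W-03, SEC-W-14 and BACK-C-01 gated on the environment
// instead of applied everywhere. The "Cors:AllowedOrigins" and "Signing:*"
// configuration keys and the "Default" policy name are assumptions.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
var env = builder.Environment;

// WEAK (what the audit found), shown only as a comment:
//   builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
//       p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));
//   builder.Services.AddIdentityServer().AddDeveloperSigningCredential();

// HARDENED: origins come from per-environment config (appsettings.{env}.json or
// an env var) and must be present outside Development. WithOrigins + AllowCredentials
// is the only combination ASP.NET Core accepts; AllowAnyOrigin + credentials throws.
var allowedOrigins = builder.Configuration
    .GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
if (!env.IsDevelopment() && allowedOrigins.Length == 0)
    throw new InvalidOperationException("Cors:AllowedOrigins must be set outside Development.");

builder.Services.AddCors(o => o.AddPolicy("Default", p => p
    .WithOrigins(allowedOrigins)
    .AllowAnyHeader()
    .AllowAnyMethod()
    .AllowCredentials()));

// SEC-C-03: the throwaway developer signing key only exists in Development;
// every other environment loads a real certificate whose path/password arrive
// through environment variables, never through a committed appsettings.json.
var identity = builder.Services.AddIdentityServer();
if (env.IsDevelopment())
    identity.AddDeveloperSigningCredential();
else
    identity.AddSigningCredential(new X509Certificate2(
        builder.Configuration["Signing:CertificatePath"]!,
        builder.Configuration["Signing:CertificatePassword"]));

var app = builder.Build();
app.UseCors("Default");
app.UseIdentityServer();
app.Run();
```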

### Frontend Critical (assign: Senior Frontend Engineer)

| ID | Finding | Fix |
|---|---|---|
| SEC-W-11 | Client secret in WASM (extractable) | Move to BFF server-side |
| SEC-W-12 | Password grant deprecated | Migrate to PKCE flow |
| SEC-W-01 | JWT in localStorage (XSS risk) | Migrate to httpOnly cookies via BFF |
| FRONT-C-04 | No route guards for auth pages | Add `[Authorize]` + `AuthorizeView` |
| FRONT-C-05 | `shopId` not validated against permissions | Backend verification call |
| FRONT-W-01 | Token refresh not implemented | Add background refresh timer |
| FRONT-W-02 | Global `HttpClient` header mutation (race) | Per-request headers via `DelegatingHandler` |
| SEC-W-13 | No CDN SRI for Lucide icons | Add SRI hash, pin version |

### DevOps High (assign: DevOps Engineer)

| ID | Finding | Fix |
|---|---|---|
| DEVOPS-W-02 | 15+ services missing CI/CD pipelines | Generate CI workflows from template |
| DEVOPS-W-03 | `pr-checks.yml` no .NET build/test | Add matrix build for .NET |
| DEVOPS-W-10 | `RequireHttpsMetadata=false` in staging K8s | Set true in staging/prod |
| DEVOPS-W-11 | booking-service missing K8s manifest | Create staging manifest |
| DEVOPS-W-12 | 13 Traefik routes missing | Add routes for all missing services |

### Testing Critical (assign: QA Engineer)

| ID | Finding | Fix |
|---|---|---|
| TEST-C-01 | Only 1/26 services has CI test pipeline | Generate CI for 25 services |
| TEST-C-02 | MCP server zero tests | Add Vitest test suite |
| TEST-C-03 | No coverage thresholds enforced | Add `.runsettings` with 80% threshold |

## Wave 3 — P2 High (Target: 2 weeks)

### Architecture (assign: Architect)

| ID | Finding | Fix |
|---|---|---|
| FRONT-I-01 | No shared UI component package | Extract shared Razor Class Library |
| FRONT-I-02 | ARIA/accessibility gaps | Add ARIA attributes to all components |
| FRONT-I-03 | No design-to-code token sync | Style Dictionary pipeline |
| FRONT-I-04 | `eval()` in OtpInput | Create JS module for focus |

### Backend Architecture (assign: Senior Backend Engineer)

| ID | Finding | Fix |
|---|---|---|
| BACK-I-01 | No OpenAPI specs in repo | Add `dotnet swagger tofile` to CI |
| BACK-I-02 | Missing Prometheus `/metrics` | Add OpenTelemetry + Prometheus exporter |
| BACK-W-01 | `HttpContextAccessor` in handlers | Inject contextual data from Controller |
| BACK-W-03 | Dapper no `commandTimeout` | Set explicit timeout on all queries |

### Frontend Improvements (assign: Senior Frontend Engineer)

| ID | Finding | Fix |
|---|---|---|
| FRONT-W-03 | ~20% POS pages incomplete backend integration | Implement 21 missing API integrations |
| FRONT-W-04 | Fragile multi-format deserialization | Standardize API response envelope |
| FRONT-W-06 | MudBlazor providers duplicated | Move to `App.razor` once |
| FRONT-W-07 | localStorage logic duplicated 5 files | Extract `LocalStorageService` |

### DevOps Improvements (assign: DevOps Engineer)

| ID | Finding | Fix |
|---|---|---|
| DEVOPS-W-01 | redis-exporter missing from compose | Add or remove scrape job |
| DEVOPS-W-04 | Redis single instance (SPOF) | Redis Sentinel or Cluster |
| DEVOPS-W-05 | No K8s NetworkPolicy | Add default-deny + whitelist |
| DEVOPS-M-01 | No image vulnerability scanning | Add Trivy to CI |

### Testing Improvements (assign: QA Engineer)

| ID | Finding | Fix |
|---|---|---|
| TEST-C-04 | No contract testing | Implement Pact.io for top 5 boundaries |
| TEST-W-01 | Shared packages zero tests | Add unit tests for 6 packages |
| TEST-W-04 | No performance/load testing | Add k6 load tests |
| TEST-W-05 | No frontend component tests | Add unit tests for key components |

### Documentation (assign: Technical Writer)

| ID | Finding | Fix |
|---|---|---|
| DOC-W-01 | Test credentials in `ROADMAP.md` | Remove credentials |
| DOC-W-02 | No ADR for Marketing dual-theme | Create ADR |

## Wave 4 — P3 Medium (Target: 1 month)

Lower priority items — tracked but deferred:

- FRONT-W-05: Lucide re-init on every render
- FRONT-W-08: Incomplete vi-VN translations
- FRONT-W-09: No `IFormatProvider` in `JsonStringLocalizer`
- FRONT-W-10: Event handler leak (no `IAsyncDisposable`)
- FRONT-W-11: Hardcoded Vietnamese in AuthInput
- FRONT-I-05 through FRONT-I-09: Component library expansion
- BACK-I-03: Outbox pattern (5d effort)
- BACK-I-04: Saga pattern (5d effort)
- DEVOPS-I-01 through DEVOPS-I-04: GitOps, PDB, Secrets Manager
- SEC-W-06 through SEC-W-10: Medium security items

## Agent Assignment Matrix

| Agent | Wave 1 | Wave 2 | Wave 3 | Total Items |
|---|---|---|---|---|
| Security Engineer | 5 | 6 | 0 | 11 |
| Senior Backend Engineer | 0 | 5 | 4 | 9 |
| Senior Frontend Engineer | 0 | 8 | 4 | 12 |
| DevOps Engineer | 4 | 5 | 4 | 13 |
| QA Engineer | 0 | 3 | 4 | 7 |
| Architect | 0 | 0 | 4 | 4 |
| Technical Writer | 0 | 0 | 2 | 2 |
| CTO | Review all | | | |

## QA Verification Plan

After each wave completes:

1. Docker Compose rebuild: `docker-compose down && docker-compose up --build -d`
2. Health check all services: `curl http://localhost:{port}/health/live`
3. Run E2E tests: verify 38/41+ pass rate maintained
4. Security scan: verify hardcoded credentials removed
5. K8s dry-run: `kubectl apply --dry-run=server -f deployments/staging/kubernetes/`

## Success Criteria

- Wave 1: All 9 P0 blockers resolved, zero hardcoded credentials in git
- Wave 2: All 22 P1 items resolved, CI pipelines for all services
- Wave 3: Architecture improvements in place, test coverage >50%
- Overall: Project health score from 6.5/10 to 8.5/10