pos-system/CTO_FIX_TRACKER.md
Ho Ngoc Hai 4f8a205af0 docs: CTO_FIX_TRACKER — all 3 waves complete
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 20:34:31 +07:00

CTO Fix Tracker — Post-Audit Action Plan

Generated: 2026-03-13 | Source: Per-service code audit (24 SERVICE_DOCS.md) | Status: ALL WAVES COMPLETE


Executive Summary

The audit of 24 microservices found 6 categories of cross-cutting problems and many specific per-service bugs. Prioritized by impact: Security > Runtime Bugs > Code Quality > Tech Debt.


P0 — CRITICAL (Security & Runtime Failures)

P0-1: Missing Authentication/Authorization

Impact: All endpoints are public; anyone can call the APIs. Affected: 18/24 services (only IAM + merchant have full auth).

| Service | Status | Fix |
|---|---|---|
| catalog-service-net | No [Authorize] | Add auth middleware + attributes |
| order-service-net | No [Authorize] | Add auth middleware + attributes |
| booking-service-net | Public endpoints (only admin has auth) | Add [Authorize] to public controllers |
| fnb-engine-net | No [Authorize] | Add auth middleware + attributes |
| inventory-service-net | No [Authorize] | Add auth middleware + attributes |
| social-service-net | No JWT middleware in pipeline | Add UseAuthentication/UseAuthorization |
| mining-service-net | No [Authorize] | Add auth middleware + attributes |
| chat-service-net | Has [Authorize] | OK |
| membership-service-net | No [Authorize] | Add auth middleware + attributes |
| wallet-service-net | Has [Authorize] | OK |
| storage-service-net | Has [Authorize] | OK |
| ads-manager-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-serving-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-billing-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-tracking-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| ads-analytics-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| promotion-service-net | No [Authorize] | Add auth middleware + attributes |
| mission-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-facebook-service-net | No auth middleware | Add UseAuthentication/UseAuthorization |
| mkt-whatsapp-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-x-service-net | No [Authorize] | Add auth middleware + attributes |
| mkt-zalo-service-net | No [Authorize] | Add auth middleware + attributes |
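The P0-1 fix pattern in an ASP.NET Core service, as an added example that is not code from this repository. It assumes JWT bearer tokens issued by the IAM service and configuration keys named `Jwt:Authority` and `Jwt:Audience` (both names are assumptions). Beyond the per-controller `[Authorize]` the tracker lists, it sets a fallback policy so that a controller that forgets the attribute (the booking-service case above) is still denied by default.

```csharp
// Added example, not the project's own code. Assumed configuration keys:
// "Jwt:Authority" and "Jwt:Audience" (names chosen for illustration).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Jwt:Authority"];
        options.Audience = builder.Configuration["Jwt:Audience"];
        options.RequireHttpsMetadata = true; // never fetch signing keys over plain HTTP
    });

// Deny by default: every endpoint requires an authenticated caller unless it
// explicitly opts out with [AllowAnonymous]. This closes the gap where admin
// controllers carry [Authorize] but public controllers do not, without
// relying on each controller remembering the attribute.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddControllers();

var app = builder.Build();

// Order matters: authentication must populate HttpContext.User before
// authorization evaluates it, and both must be in the pipeline before the
// controller endpoints are mapped.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Only the liveness probe opts out of the fallback policy; it returns the
// { success, data } envelope the tracker standardizes on.
[ApiController]
[Route("health")]
public class HealthController : ControllerBase
{
    [HttpGet]
    [AllowAnonymous]
    public IActionResult Get() => Ok(new { success = true, data = "ok" });
}
```

A quick verification after applying this to a service: an unauthenticated request to any controller other than `/health` should now return 401, not 200.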

P0-2: Template Artifacts (Runtime Failures)

Impact: Services connect to wrong database or fail to build Docker image

| Service | Issue | Fix |
|---|---|---|
| mission-service-net | DB name myservice_db instead of mission_service | Fix appsettings connection string |
| mkt-facebook-service-net | Dockerfile references MyService.API | Rename to FacebookService.API |
| mkt-whatsapp-service-net | DbContext file named MyServiceContext.cs, DB myservice_db | Rename file + fix connection string |
| promotion-service-net | docker-compose uses template naming | Fix service naming |

P0-3: Critical Handler Bugs

| Service | Bug | Impact |
|---|---|---|
| ads-tracking-service-net | TrackPixelEventCommandHandler creates PixelEvent but NEVER persists | All tracking data lost |
| ads-tracking-service-net | RecordConversionCommand has handler but NO controller exposes it | Dead code |
| booking-service-net | UpdateResourceCommand accepts Name/Capacity but only applies IsActive | Silent data loss |
| ads-manager-service-net | ListPendingAdsQuery filters "Pending" but enum is "pending_review" | Always returns empty |
| mining-service-net | BanMinerCommand calls Suspend() not Ban(); ResetMinerStreakCommand is no-op | Admin actions broken |
| order-service-net | Missing DB columns referenced by Dapper queries | Runtime SQL errors |
| mkt-x-service-net | Only ISampleRepository in DI; 8 other repos missing registration | Runtime DI failures |

P1 — HIGH (Data Integrity & Correctness)

P1-1: Missing FluentValidation Validators

Impact: Invalid data enters system without validation

| Service | Commands without validators |
|---|---|
| ads-manager-service-net | ALL 10 commands |
| ads-serving-service-net | ALL queries (no commands exist) |
| ads-billing-service-net | ALL 3 commands |
| ads-tracking-service-net | 2/3 commands |
| ads-analytics-service-net | ALL commands |
| mining-service-net | ALL commands |
| mission-service-net | ALL 4 commands |
| promotion-service-net | ALL 12 commands |
| social-service-net | ALL 8 commands |

P1-2: Missing Command/Query Handlers

| Service | Missing Handler |
|---|---|
| promotion-service-net | ExchangeVoucherCommand, PurchaseVoucherCommand (no handlers) |
| promotion-service-net | SearchVouchersQuery, GetCampaignStatisticsQuery, GetCampaignVouchersQuery (no handlers) |
| mission-service-net | GetUserMissionProgressQuery (no handler) |
| mkt-facebook-service-net | GetConversationsQuery, GetCustomersQuery (no handlers) |
| mkt-whatsapp-service-net | GetConversationsQuery (no handler, controller queries repo directly) |
| ads-manager-service-net | Audience query handlers missing |

P1-3: Repository Pattern Violations

| Service | Issue |
|---|---|
| catalog-service-net | Category handlers use DbContext directly, bypass repository |
| booking-service-net | 3 repo interfaces in Infrastructure instead of Domain |
| ads-billing-service-net | No repository pattern at all, direct DbContext |
| ads-analytics-service-net | No repository pattern |
| ads-serving-service-net | No repository pattern |

P2 — MEDIUM (Code Quality & Conventions)

P2-1: Response Format Inconsistency

Standard: { success: bool, data: T } — Many services return raw DTOs

| Service | Issue |
|---|---|
| chat-service-net | Returns raw DTOs |
| membership-service-net | Mixed (Members raw, StampCards wrapped) |
| social-service-net | Returns raw DTOs |
| ads-* services | Returns raw DTOs |
| booking-service-net | Returns raw DTOs |

P2-2: Domain Events Defined but No Handlers

| Service | Unused Events |
|---|---|
| membership-service-net | MembershipLevelChangedDomainEvent (never raised) |
| social-service-net | UserUnblockedDomainEvent (never raised) |
| ads-manager-service-net | All events dispatched but no handlers |
| promotion-service-net | VoucherRedeemedDomainEvent (never consumed) |
| booking-service-net | Events defined but unused |

P2-3: Missing EF Migrations

| Service | Issue |
|---|---|
| mkt-facebook-service-net | No migrations exist |
| ads-billing-service-net | Spurious InvoiceId1 FK column |
| ads-analytics-service-net | ClientRequest table missing from migration |

P2-4: Unused Dependencies (Tech Debt)

Redis, Dapper, Polly registered but unused in: booking, social, mining, mission, promotion, ads-* services


Fix Execution Plan

Wave 1 — P0 Security + Template (Parallel Agents)

  • Agent 1: Fix auth for core services (catalog, order, booking, fnb-engine, inventory)
  • Agent 2: Fix auth for social services (social, mining, membership, mission)
  • Agent 3: Fix auth for ads services (ads-manager, ads-serving, ads-billing, ads-tracking, ads-analytics)
  • Agent 4: Fix auth for mkt services (mkt-facebook, mkt-whatsapp, mkt-x, mkt-zalo, promotion)
  • Agent 5: Fix template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion)
  • Agent 6: Fix critical handler bugs (ads-tracking, booking, ads-manager, mining, mkt-x)

Wave 2 — P1 Validators + Missing Handlers

  • Agent 7-12: Add FluentValidation per service group
  • Agent 13-15: Implement missing handlers

Wave 3 — P2 Code Quality

  • Response format standardization
  • Migration fixes
  • Cleanup unused dependencies

Progress Tracking

| Wave | Task | Status | Commit |
|---|---|---|---|
| 1 | Auth: core services (catalog, order, booking, fnb, inventory) | DONE | f8606e0 |
| 1 | Auth: social services (social, mining, membership, mission) | DONE | f8606e0 |
| 1 | Auth: ads services (5 services) | DONE | f8606e0 |
| 1 | Auth: mkt services + promotion | DONE | f8606e0 |
| 1 | Template artifacts (mission, mkt-facebook, mkt-whatsapp, promotion) | DONE | f8606e0 |
| 1 | Critical handler bugs (7 bugs across 5 services) | DONE | f8606e0 |
| 2 | Validators: ads services (16 validators) | DONE | 59b2cec |
| 2 | Validators: social+mining+mission+promotion (41 validators) | DONE | 59b2cec |
| 2 | Missing handlers (10 handlers across 4 services) | DONE | 59b2cec |
| 3 | Response format standardization (30 controllers, 8 services) | DONE | efabe49 |
| 3 | Migration fixes (InvoiceId1 FK, idempotency cleanup) | DONE | efabe49 |
| 3 | Cleanup unused dependencies (no DI registrations found) | N/A | |