ryan/lunarfront-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
lunarfront-app/planning/22_Audit_Phase2_Review.md
Ryan Moon 9400828f62 Rename Forte to LunarFront, generalize for any small business 
Rebrand from Forte (music-store-specific) to LunarFront (any small business):
- Package namespace @forte/* → @lunarfront/*
- Database forte/forte_test → lunarfront/lunarfront_test
- Docker containers, volumes, connection strings
- UI branding, localStorage keys, test emails
- All documentation and planning docs

Generalize music-specific terminology:
- instrumentDescription → itemDescription
- instrumentCount → itemCount
- instrumentType → itemCategory (on service templates)
- New migration 0027_generalize_terminology for column renames
- Seed data updated with generic examples
- RBAC descriptions updated
2026-03-30 08:51:54 -05:00

151 lines
8.1 KiB
Markdown
Raw Permalink Blame History

LunarFront — Small Business Management Platform
Phase 2 Audit: Code Review, Security, and Feature Gap Analysis
Date: 2026-03-27
# 1. Built vs Planning Docs
## 1.1 Phase 1 — Complete
All deliverables built: monorepo config, Docker Compose (Postgres 16 + Valkey 8), Fastify server with Pino logging and request ID tracing, Drizzle ORM, health endpoint, seed script, test setup.
## 1.2 Phase 2 — Mostly Complete
Area | Status | Notes
Auth (JWT + bcrypt) | Complete | Self-issued JWTs, role enum, register/login routes
User table | Complete | company_id FK, unique email, 5 roles
Account table | Complete | Added is_active, primary_member_id, auto-generated account_number
Member table | Complete | Added updated_at, member_number, isMinor manual override
Member identifiers | Complete | DL/passport/school ID with front/back image storage
Account processor link | Complete | Processor-agnostic payment linking
Account payment method | Complete | Card references with default flag, requires_update for migrations
Tax exemptions | Complete | Separate table with approve/revoke workflow and audit trail
Category table | Complete | Added parent_id for hierarchy, sort_order, is_active
Supplier table | Complete | All columns present
Product table | Complete | Cost removed — moved to stock_receipt (FIFO)
Inventory unit table | Complete | Condition and status via lookup tables (not enums), serial number
Lookup tables | Complete | inventory_unit_status and item_condition as company-scoped configurable tables
Shared Zod schemas | Complete | Auth, account, member, identifier, payment method, tax exemption, lookup, inventory schemas
Admin frontend | Complete | React + Vite + shadcn/ui, accounts CRUD, members list, theme system
## 1.3 Additions Not in Original Planning
Table | Purpose | Notes
stock_receipt | FIFO cost tracking per purchase event | Replaces product.cost column
price_history | Logs every retail price change | Auto-logged on product update
consignment_detail | Consignment product linking | Links product to consignor account with commission %
product_supplier | Many-to-many product ↔ supplier | Tracks supplier SKU and preferred supplier
inventory_unit_status | Lookup table replacing pgEnum | Company-scoped, is_system flag, custom values allowed
item_condition | Lookup table replacing pgEnum | Same pattern as unit status
member_identifier | Identity documents per member | DL, passport, school ID with base64 image storage
tax_exemption | Tax exempt certificates per account | Approve/revoke workflow with audit trail
account_payment_method | Card references per account | Processor-agnostic, default flag, migration support
## 1.4 Planning Doc Inconsistencies
Issue | Details | Resolution
product.cost column | Planning doc 03 specifies cost on product table | Intentionally removed — cost now tracked per stock_receipt for FIFO accuracy. Doc 03 needs updating.
stripe_customer_id on account | Doc 02 originally had this | Replaced by account_processor_link table. Doc updated.
student entity | Docs originally used "student" | Renamed to "member" across all docs. Code uses member.
# 2. Security Audit
## 2.1 Issues Found and Fixed
Issue | Severity | Fix Applied
Auth routes trusted x-company-id header blindly | HIGH | Register now validates company exists in DB before creating user. Login derives company from user record (no header needed).
No rate limiting on auth routes | HIGH | Added @fastify/rate-limit — 10 attempts per 15 minutes per IP on register and login.
Dev auth had no production guard | HIGH | Dev auth plugin throws error if NODE_ENV is not development/test. Main.ts throws error if JWT_SECRET missing in production.
## 2.2 Issues Found — Not Yet Fixed (Lower Priority)
Issue | Severity | Notes
CORS in production is false | Medium | Blocks all cross-origin requests. Needs origin whitelist via CORS_ORIGINS env var. Admin frontend uses Vite proxy in dev — CORS not needed yet.
~~No pagination on list endpoints~~ | ~~Medium~~ | FIXED — All list endpoints now support server-side pagination, search, and sort.
Path parameters not validated as UUIDs | Low | Cast with `as { id: string }` but not validated. Drizzle handles gracefully (returns null). Add Zod param validation later.
Login schema accepts min(1) password | Low | Should match register's min(8) for consistency. Not a real security risk since bcrypt compare handles it.
No JWT secret strength validation | Low | Only checks if set, not length/entropy. Add min 32 char check.
Price conversion to string is scattered | Low | .toString() on every numeric field. Extract helper function.
Inconsistent search validation | Low | Supplier search uses manual check, others use Zod schema. Standardize.
## 2.3 Security — No Issues Found
Area | Status
SQL injection | SECURE — all queries via Drizzle ORM parameterized queries
Password storage | SECURE — bcrypt with 10 salt rounds, password never returned in API responses
Error information leakage | SECURE — stack traces only in development mode
JWT payload | SECURE — contains only id, companyId, role (no sensitive data)
Soft delete | SECURE — financial records use soft delete, never hard delete
# 3. Duplicate Code Patterns
## 3.1 Identified Patterns
Pattern | Occurrences | Recommendation
Zod validation + 400 response | 20+ routes | Extract validateBody(schema) helper
404 not-found response | 16+ locations | Extract notFound(reply, entity) helper
Service getById pattern | 4 services | Consider base service or utility function
Service softDelete pattern | 4 services | Same as getById
Search with ilike pattern | 3 services | Standardize search utility
Numeric .toString() conversion | Multiple services | Extract toDbNumeric() helper
## 3.2 Assessment
The duplication is structural — the same patterns repeated across different domains. Not urgent to fix now. When Phase 3 (POS) adds more routes, the repetition will grow. Good time to extract helpers is before Phase 3 starts.
# 4. Standard POS Feature Gap Analysis
## 4.1 Well Covered
Feature | Score | Notes
Transaction processing | 9/10 | Multiple payment methods, Stripe Terminal, processor abstraction
Inventory management | 8/10 | Serialized + non-serialized, FIFO costing, stock receipts
Customer management | 8/10 | Account/member model, family billing, search
Instrument rentals | 9/10 | 4 rental types, RTO equity, billing consolidation
Lessons | 9/10 | Scheduling, attendance, curriculum, grading, parent portal
Repairs | 9/10 | Full lifecycle, parts inventory, flat-rate billing, bulk/batch
Consignment | 9/10 | Commission tracking, settlement workflow, accounting
Sales commission | 8/10 | Rate hierarchy, per-employee, category overrides
Personnel | 8/10 | Time clock, scheduling, time off, payroll export
## 4.2 Previously Missing — Now Planned (added to domain docs)
Feature | Planning Doc | Module
Trade-in workflow | 07_Domain_Sales_POS.md §6 | Core
Tax exemptions | 02_Domain_Accounts_Customers.md + 07_Domain_Sales_POS.md §8 | Core
Inventory cycle counts | 03_Domain_Inventory.md §9 | Core
Returns/exchanges workflow | 07_Domain_Sales_POS.md §7 | Core
Purchase orders | 03_Domain_Inventory.md §10 | Core
Product bundles / kits | 03_Domain_Inventory.md §11 | Core
Barcode label printing | 03_Domain_Inventory.md §12 | Core
Backorders | 03_Domain_Inventory.md §13 | Core
In-home trials | 07_Domain_Sales_POS.md §9 | Core
Instrument sizing | 03_Domain_Inventory.md §8 | Core
Rental agreement contracts | 04_Domain_Rentals.md §7 | MOD-RENTALS
Warranty tracking | 06_Domain_Repairs.md §7 | MOD-REPAIRS
Maintenance schedules | 06_Domain_Repairs.md §8 | MOD-REPAIRS
Gift cards / store credits | 08_Domain_Payments_Billing.md §8 | MOD-GIFTCARD (premium)
Layaway / payment plans | 08_Domain_Payments_Billing.md §9 | MOD-LAYAWAY (premium)
## 4.3 Still Missing — Lower Priority / Future
Feature | Notes
Customer loyalty / rewards | Point accumulation and redemption
E-commerce / online store | Product catalog, cart, online payments
Shipping integration | Carrier APIs, label printing, tracking
Multi-currency | Exchange rates, currency-specific pricing
## 4.4 Music-Specific Gaps — Remaining
Feature | Notes
Rental insurance certificates | Certificate generation for rental instruments. Common parent request.
Reference in New Issue View Git Blame Copy Permalink