9400828f62
Rebrand from Forte (music-store-specific) to LunarFront (any small business): - Package namespace @forte/* → @lunarfront/* - Database forte/forte_test → lunarfront/lunarfront_test - Docker containers, volumes, connection strings - UI branding, localStorage keys, test emails - All documentation and planning docs Generalize music-specific terminology: - instrumentDescription → itemDescription - instrumentCount → itemCount - instrumentType → itemCategory (on service templates) - New migration 0027_generalize_terminology for column renames - Seed data updated with generic examples - RBAC descriptions updated
8.1 KiB
LunarFront — Small Business Management Platform
Phase 2 Audit: Code Review, Security, and Feature Gap Analysis
Date: 2026-03-27
1. Built vs Planning Docs
1.1 Phase 1 — Complete
All deliverables built: monorepo config, Docker Compose (Postgres 16 + Valkey 8), Fastify server with Pino logging and request ID tracing, Drizzle ORM, health endpoint, seed script, test setup.
1.2 Phase 2 — Mostly Complete
Area | Status | Notes Auth (JWT + bcrypt) | Complete | Self-issued JWTs, role enum, register/login routes User table | Complete | company_id FK, unique email, 5 roles Account table | Complete | Added is_active, primary_member_id, auto-generated account_number Member table | Complete | Added updated_at, member_number, isMinor manual override Member identifiers | Complete | DL/passport/school ID with front/back image storage Account processor link | Complete | Processor-agnostic payment linking Account payment method | Complete | Card references with default flag, requires_update for migrations Tax exemptions | Complete | Separate table with approve/revoke workflow and audit trail Category table | Complete | Added parent_id for hierarchy, sort_order, is_active Supplier table | Complete | All columns present Product table | Complete | Cost removed — moved to stock_receipt (FIFO) Inventory unit table | Complete | Condition and status via lookup tables (not enums), serial number Lookup tables | Complete | inventory_unit_status and item_condition as company-scoped configurable tables Shared Zod schemas | Complete | Auth, account, member, identifier, payment method, tax exemption, lookup, inventory schemas Admin frontend | Complete | React + Vite + shadcn/ui, accounts CRUD, members list, theme system
1.3 Additions Not in Original Planning
Table | Purpose | Notes stock_receipt | FIFO cost tracking per purchase event | Replaces product.cost column price_history | Logs every retail price change | Auto-logged on product update consignment_detail | Consignment product linking | Links product to consignor account with commission % product_supplier | Many-to-many product ↔ supplier | Tracks supplier SKU and preferred supplier inventory_unit_status | Lookup table replacing pgEnum | Company-scoped, is_system flag, custom values allowed item_condition | Lookup table replacing pgEnum | Same pattern as unit status member_identifier | Identity documents per member | DL, passport, school ID with base64 image storage tax_exemption | Tax exempt certificates per account | Approve/revoke workflow with audit trail account_payment_method | Card references per account | Processor-agnostic, default flag, migration support
1.4 Planning Doc Inconsistencies
Issue | Details | Resolution product.cost column | Planning doc 03 specifies cost on product table | Intentionally removed — cost now tracked per stock_receipt for FIFO accuracy. Doc 03 needs updating. stripe_customer_id on account | Doc 02 originally had this | Replaced by account_processor_link table. Doc updated. student entity | Docs originally used "student" | Renamed to "member" across all docs. Code uses member.
2. Security Audit
2.1 Issues Found and Fixed
Issue | Severity | Fix Applied Auth routes trusted x-company-id header blindly | HIGH | Register now validates company exists in DB before creating user. Login derives company from user record (no header needed). No rate limiting on auth routes | HIGH | Added @fastify/rate-limit — 10 attempts per 15 minutes per IP on register and login. Dev auth had no production guard | HIGH | Dev auth plugin throws error if NODE_ENV is not development/test. Main.ts throws error if JWT_SECRET missing in production.
2.2 Issues Found — Not Yet Fixed (Lower Priority)
Issue | Severity | Notes
CORS in production is false | Medium | Blocks all cross-origin requests. Needs origin whitelist via CORS_ORIGINS env var. Admin frontend uses Vite proxy in dev — CORS not needed yet.
No pagination on list endpoints | Medium | FIXED — All list endpoints now support server-side pagination, search, and sort.
Path parameters not validated as UUIDs | Low | Cast with as { id: string } but not validated. Drizzle handles gracefully (returns null). Add Zod param validation later.
Login schema accepts min(1) password | Low | Should match register's min(8) for consistency. Not a real security risk since bcrypt compare handles it.
No JWT secret strength validation | Low | Only checks if set, not length/entropy. Add min 32 char check.
Price conversion to string is scattered | Low | .toString() on every numeric field. Extract helper function.
Inconsistent search validation | Low | Supplier search uses manual check, others use Zod schema. Standardize.
2.3 Security — No Issues Found
Area | Status SQL injection | SECURE — all queries via Drizzle ORM parameterized queries Password storage | SECURE — bcrypt with 10 salt rounds, password never returned in API responses Error information leakage | SECURE — stack traces only in development mode JWT payload | SECURE — contains only id, companyId, role (no sensitive data) Soft delete | SECURE — financial records use soft delete, never hard delete
3. Duplicate Code Patterns
3.1 Identified Patterns
Pattern | Occurrences | Recommendation Zod validation + 400 response | 20+ routes | Extract validateBody(schema) helper 404 not-found response | 16+ locations | Extract notFound(reply, entity) helper Service getById pattern | 4 services | Consider base service or utility function Service softDelete pattern | 4 services | Same as getById Search with ilike pattern | 3 services | Standardize search utility Numeric .toString() conversion | Multiple services | Extract toDbNumeric() helper
3.2 Assessment
The duplication is structural — the same patterns repeated across different domains. Not urgent to fix now. When Phase 3 (POS) adds more routes, the repetition will grow. Good time to extract helpers is before Phase 3 starts.
4. Standard POS Feature Gap Analysis
4.1 Well Covered
Feature | Score | Notes Transaction processing | 9/10 | Multiple payment methods, Stripe Terminal, processor abstraction Inventory management | 8/10 | Serialized + non-serialized, FIFO costing, stock receipts Customer management | 8/10 | Account/member model, family billing, search Instrument rentals | 9/10 | 4 rental types, RTO equity, billing consolidation Lessons | 9/10 | Scheduling, attendance, curriculum, grading, parent portal Repairs | 9/10 | Full lifecycle, parts inventory, flat-rate billing, bulk/batch Consignment | 9/10 | Commission tracking, settlement workflow, accounting Sales commission | 8/10 | Rate hierarchy, per-employee, category overrides Personnel | 8/10 | Time clock, scheduling, time off, payroll export
4.2 Previously Missing — Now Planned (added to domain docs)
Feature | Planning Doc | Module Trade-in workflow | 07_Domain_Sales_POS.md §6 | Core Tax exemptions | 02_Domain_Accounts_Customers.md + 07_Domain_Sales_POS.md §8 | Core Inventory cycle counts | 03_Domain_Inventory.md §9 | Core Returns/exchanges workflow | 07_Domain_Sales_POS.md §7 | Core Purchase orders | 03_Domain_Inventory.md §10 | Core Product bundles / kits | 03_Domain_Inventory.md §11 | Core Barcode label printing | 03_Domain_Inventory.md §12 | Core Backorders | 03_Domain_Inventory.md §13 | Core In-home trials | 07_Domain_Sales_POS.md §9 | Core Instrument sizing | 03_Domain_Inventory.md §8 | Core Rental agreement contracts | 04_Domain_Rentals.md §7 | MOD-RENTALS Warranty tracking | 06_Domain_Repairs.md §7 | MOD-REPAIRS Maintenance schedules | 06_Domain_Repairs.md §8 | MOD-REPAIRS Gift cards / store credits | 08_Domain_Payments_Billing.md §8 | MOD-GIFTCARD (premium) Layaway / payment plans | 08_Domain_Payments_Billing.md §9 | MOD-LAYAWAY (premium)
4.3 Still Missing — Lower Priority / Future
Feature | Notes Customer loyalty / rewards | Point accumulation and redemption E-commerce / online store | Product catalog, cart, online payments Shipping integration | Carrier APIs, label printing, tracking Multi-currency | Exchange rates, currency-specific pricing
4.4 Music-Specific Gaps — Remaining
Feature | Notes Rental insurance certificates | Certificate generation for rental instruments. Common parent request.