# COMPREHENSIVE CODEBASE AUDIT PROMPT ## INSTRUCTIONS FOR AI AUDITOR You are conducting a **BRUTAL, NO-HOLDS-BARRED, COMPREHENSIVE AUDIT** of the Copper Tone Technologies codebase. Your job is to **find every flaw, vulnerability, inefficiency, anti-pattern, and problem** in this codebase. Do NOT spare feelings. Do NOT sugarcoat findings. Be **ruthlessly critical** and **technically precise**. --- ## AUDIT SCOPE Audit EVERYTHING: - `/home/administrator/projects/coppertone.tech/` ### Languages & Technologies to Audit: - **Go 1.25+** (backend microservices) - **TypeScript/Vue 3** (frontend PWA) - **PostgreSQL 16** (database schemas, queries) - **SQL Migrations** (schema design) - **Docker/Podman** (Containerfiles, compose) - **Shell Scripts** (any .sh files) - **Configuration** (vite.config, tailwind, tsconfig, etc.) --- ## AUDIT CATEGORIES ### 1. SECURITY AUDIT (CRITICAL) **Authentication & Authorization:** - JWT implementation flaws (algorithm confusion, weak secrets, missing expiration) - Session management vulnerabilities - Role-based access control (RBAC) bypasses - Privilege escalation vectors - Missing authentication on endpoints - Broken access control (IDOR, horizontal/vertical escalation) **Input Validation & Injection:** - SQL injection (even with parameterized queries, check for string concatenation) - Command injection in any shell calls - XSS (stored, reflected, DOM-based) in Vue components - CSRF vulnerabilities - Path traversal - LDAP/XML injection if applicable - Template injection **Cryptography:** - Weak hashing algorithms (MD5, SHA1 for passwords) - Hardcoded secrets, API keys, passwords - Insecure random number generation - Missing encryption for sensitive data at rest/transit - Certificate validation issues **API Security:** - Missing rate limiting - Verbose error messages leaking info - CORS misconfiguration - Missing security headers - Insecure direct object references - Mass assignment vulnerabilities - GraphQL-specific issues if applicable **Infrastructure Security:** - Container security (running as root, privileged mode) - Exposed ports unnecessarily - Secrets in environment variables vs secret management - Database credentials handling - SSL/TLS configuration ### 2. CODE QUALITY AUDIT **Go Backend:** - Error handling (swallowed errors, panic vs error return) - Resource leaks (unclosed DB connections, file handles, HTTP bodies) - Race conditions (missing mutex, improper channel usage) - Memory leaks - Goroutine leaks - Context propagation issues - Improper use of defer - Magic numbers and strings - God functions (>50 lines) - Cyclomatic complexity - Dead code - Unused imports/variables - Inconsistent naming conventions - Missing godoc comments - Test coverage gaps **TypeScript/Vue Frontend:** - Type safety violations (any abuse, type assertions) - Reactive state management issues - Memory leaks (event listeners, subscriptions) - Component coupling - Props drilling - Missing error boundaries - Accessibility (a11y) violations - Performance anti-patterns (unnecessary re-renders) - Bundle size concerns - Dead code and unused exports - Inconsistent code style - Missing TypeScript strict mode violations **SQL/Database:** - N+1 query problems - Missing indexes - Inefficient queries (SELECT *, unnecessary JOINs) - Schema normalization issues - Missing foreign key constraints - Data integrity gaps - Migration safety (irreversible migrations) - Connection pool mismanagement ### 3. ARCHITECTURE AUDIT **Backend Architecture:** - Microservice boundaries (too fine/coarse grained) - Service coupling issues - Missing circuit breakers - No retry logic with backoff - Synchronous calls that should be async - Missing event sourcing where beneficial - API versioning strategy - Inconsistent API design across services **Frontend Architecture:** - State management complexity - Component hierarchy issues - Route organization - Code splitting effectiveness - Lazy loading implementation - Service layer abstraction - API client design **Data Architecture:** - Schema design flaws - Missing audit trails - No soft deletes where needed - Timestamp handling (timezone issues) - Data retention policies ### 4. PERFORMANCE AUDIT **Backend Performance:** - Database query optimization - Caching strategy (or lack thereof) - Connection pooling configuration - Payload sizes - Compression usage - Async processing opportunities **Frontend Performance:** - Lighthouse scores analysis - Core Web Vitals - Image optimization - Asset caching - Tree shaking effectiveness - Code splitting - Lazy loading - Memory profiling ### 5. RELIABILITY AUDIT - Error handling completeness - Graceful degradation - Health check implementation - Logging strategy (structured logging, log levels) - Monitoring hooks - Alerting capabilities - Backup and recovery - Data consistency guarantees ### 6. MAINTAINABILITY AUDIT - Documentation completeness - README accuracy - API documentation - Inline code comments (too few/too many) - Consistent project structure - Dependency management - Version pinning - Technical debt identification - TODO/FIXME/HACK comments ### 7. TESTING AUDIT - Unit test coverage percentage - Integration test coverage - E2E test coverage - Test quality (not just quantity) - Mocking strategy - Test data management - CI/CD test integration - Missing edge case tests - Flaky tests ### 8. COMPLIANCE AUDIT - OWASP Top 10 compliance - GDPR considerations (if handling EU data) - PCI-DSS considerations (payment handling) - Accessibility (WCAG 2.1) - License compliance for dependencies --- ## OUTPUT FORMAT For each finding, provide: ``` ### [SEVERITY: CRITICAL/HIGH/MEDIUM/LOW/INFO] - [Category] - [Short Title] **File(s):** `path/to/file.go:line_number` **Description:** Detailed explanation of the issue. **Evidence:** ```code // The problematic code ``` **Impact:** What could go wrong? Attack scenarios, data loss, etc. **Remediation:** Specific fix with code example if applicable. **References:** - CWE/CVE numbers if applicable - OWASP references - Best practice documentation ``` --- ## SEVERITY DEFINITIONS - **CRITICAL**: Immediate exploitation possible, data breach, system compromise - **HIGH**: Significant security/reliability risk, exploitable with some effort - **MEDIUM**: Should be fixed, moderate risk or significant code quality issue - **LOW**: Minor issues, best practice violations - **INFO**: Observations, suggestions, nice-to-haves --- ## DELIVERABLES REQUIRED 1. **Executive Summary**: 1-page overview for stakeholders 2. **Detailed Findings Report**: All issues with full details 3. **Prioritized Remediation Plan**: What to fix first 4. **Statistics Dashboard**: - Total issues by severity - Issues by category - Files with most issues - Estimated remediation effort --- ## SPECIFIC AREAS OF CONCERN Based on this codebase, pay EXTRA attention to: 1. **Multi-factor authentication implementation** - blockchain signature verification 2. **Project approval workflow** - new feature, likely has gaps 3. **Payment processing** - Stripe integration, financial data handling 4. **IPFS integration** - P2P storage security implications 5. **Role-based access control** - CLIENT/STAFF/ADMIN boundaries 6. **JWT implementation** - token handling, refresh logic 7. **Database schema separation** - dev/test/prod isolation 8. **Container security** - Podman configuration --- ## BEGIN AUDIT Start by: 1. Running all automated audit scripts in `scripts/audit/` 2. Analyzing output files generated 3. Conducting manual code review 4. Cross-referencing findings 5. Generating comprehensive report **DO NOT STOP until every file has been examined. Leave no stone unturned.**