copper-tone-tech/web-hosts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
web-hosts/domains/coppertone.tech/prompts/audit-full-scale.md
Derek Williams c7d6786039 Add full web-hosts state
2025-12-26 13:38:04 +01:00

7.5 KiB
Raw Permalink Blame History

COMPREHENSIVE CODEBASE AUDIT PROMPT

INSTRUCTIONS FOR AI AUDITOR

You are conducting a BRUTAL, NO-HOLDS-BARRED, COMPREHENSIVE AUDIT of the Copper Tone Technologies codebase. Your job is to find every flaw, vulnerability, inefficiency, anti-pattern, and problem in this codebase. Do NOT spare feelings. Do NOT sugarcoat findings. Be ruthlessly critical and technically precise.

AUDIT SCOPE

Audit EVERYTHING:

  • /home/administrator/projects/coppertone.tech/

Languages & Technologies to Audit:

  • Go 1.25+ (backend microservices)
  • TypeScript/Vue 3 (frontend PWA)
  • PostgreSQL 16 (database schemas, queries)
  • SQL Migrations (schema design)
  • Docker/Podman (Containerfiles, compose)
  • Shell Scripts (any .sh files)
  • Configuration (vite.config, tailwind, tsconfig, etc.)

AUDIT CATEGORIES

1. SECURITY AUDIT (CRITICAL)

Authentication & Authorization:

  • JWT implementation flaws (algorithm confusion, weak secrets, missing expiration)
  • Session management vulnerabilities
  • Role-based access control (RBAC) bypasses
  • Privilege escalation vectors
  • Missing authentication on endpoints
  • Broken access control (IDOR, horizontal/vertical escalation)

Input Validation & Injection:

  • SQL injection (even with parameterized queries, check for string concatenation)
  • Command injection in any shell calls
  • XSS (stored, reflected, DOM-based) in Vue components
  • CSRF vulnerabilities
  • Path traversal
  • LDAP/XML injection if applicable
  • Template injection

Cryptography:

  • Weak hashing algorithms (MD5, SHA1 for passwords)
  • Hardcoded secrets, API keys, passwords
  • Insecure random number generation
  • Missing encryption for sensitive data at rest/transit
  • Certificate validation issues

API Security:

  • Missing rate limiting
  • Verbose error messages leaking info
  • CORS misconfiguration
  • Missing security headers
  • Insecure direct object references
  • Mass assignment vulnerabilities
  • GraphQL-specific issues if applicable

Infrastructure Security:

  • Container security (running as root, privileged mode)
  • Exposed ports unnecessarily
  • Secrets in environment variables vs secret management
  • Database credentials handling
  • SSL/TLS configuration

2. CODE QUALITY AUDIT

Go Backend:

  • Error handling (swallowed errors, panic vs error return)
  • Resource leaks (unclosed DB connections, file handles, HTTP bodies)
  • Race conditions (missing mutex, improper channel usage)
  • Memory leaks
  • Goroutine leaks
  • Context propagation issues
  • Improper use of defer
  • Magic numbers and strings
  • God functions (>50 lines)
  • Cyclomatic complexity
  • Dead code
  • Unused imports/variables
  • Inconsistent naming conventions
  • Missing godoc comments
  • Test coverage gaps

TypeScript/Vue Frontend:

  • Type safety violations (any abuse, type assertions)
  • Reactive state management issues
  • Memory leaks (event listeners, subscriptions)
  • Component coupling
  • Props drilling
  • Missing error boundaries
  • Accessibility (a11y) violations
  • Performance anti-patterns (unnecessary re-renders)
  • Bundle size concerns
  • Dead code and unused exports
  • Inconsistent code style
  • Missing TypeScript strict mode violations

SQL/Database:

  • N+1 query problems
  • Missing indexes
  • Inefficient queries (SELECT *, unnecessary JOINs)
  • Schema normalization issues
  • Missing foreign key constraints
  • Data integrity gaps
  • Migration safety (irreversible migrations)
  • Connection pool mismanagement

3. ARCHITECTURE AUDIT

Backend Architecture:

  • Microservice boundaries (too fine/coarse grained)
  • Service coupling issues
  • Missing circuit breakers
  • No retry logic with backoff
  • Synchronous calls that should be async
  • Missing event sourcing where beneficial
  • API versioning strategy
  • Inconsistent API design across services

Frontend Architecture:

  • State management complexity
  • Component hierarchy issues
  • Route organization
  • Code splitting effectiveness
  • Lazy loading implementation
  • Service layer abstraction
  • API client design

Data Architecture:

  • Schema design flaws
  • Missing audit trails
  • No soft deletes where needed
  • Timestamp handling (timezone issues)
  • Data retention policies

4. PERFORMANCE AUDIT

Backend Performance:

  • Database query optimization
  • Caching strategy (or lack thereof)
  • Connection pooling configuration
  • Payload sizes
  • Compression usage
  • Async processing opportunities

Frontend Performance:

  • Lighthouse scores analysis
  • Core Web Vitals
  • Image optimization
  • Asset caching
  • Tree shaking effectiveness
  • Code splitting
  • Lazy loading
  • Memory profiling

5. RELIABILITY AUDIT

  • Error handling completeness
  • Graceful degradation
  • Health check implementation
  • Logging strategy (structured logging, log levels)
  • Monitoring hooks
  • Alerting capabilities
  • Backup and recovery
  • Data consistency guarantees

6. MAINTAINABILITY AUDIT

  • Documentation completeness
  • README accuracy
  • API documentation
  • Inline code comments (too few/too many)
  • Consistent project structure
  • Dependency management
  • Version pinning
  • Technical debt identification
  • TODO/FIXME/HACK comments

7. TESTING AUDIT

  • Unit test coverage percentage
  • Integration test coverage
  • E2E test coverage
  • Test quality (not just quantity)
  • Mocking strategy
  • Test data management
  • CI/CD test integration
  • Missing edge case tests
  • Flaky tests

8. COMPLIANCE AUDIT

  • OWASP Top 10 compliance
  • GDPR considerations (if handling EU data)
  • PCI-DSS considerations (payment handling)
  • Accessibility (WCAG 2.1)
  • License compliance for dependencies

OUTPUT FORMAT

For each finding, provide:

### [SEVERITY: CRITICAL/HIGH/MEDIUM/LOW/INFO] - [Category] - [Short Title]

**File(s):** `path/to/file.go:line_number`

**Description:**
Detailed explanation of the issue.

**Evidence:**
```code
// The problematic code

Impact: What could go wrong? Attack scenarios, data loss, etc.

Remediation: Specific fix with code example if applicable.

References:

  • CWE/CVE numbers if applicable
  • OWASP references
  • Best practice documentation

---

## SEVERITY DEFINITIONS

- **CRITICAL**: Immediate exploitation possible, data breach, system compromise
- **HIGH**: Significant security/reliability risk, exploitable with some effort
- **MEDIUM**: Should be fixed, moderate risk or significant code quality issue
- **LOW**: Minor issues, best practice violations
- **INFO**: Observations, suggestions, nice-to-haves

---

## DELIVERABLES REQUIRED

1. **Executive Summary**: 1-page overview for stakeholders
2. **Detailed Findings Report**: All issues with full details
3. **Prioritized Remediation Plan**: What to fix first
4. **Statistics Dashboard**:
   - Total issues by severity
   - Issues by category
   - Files with most issues
   - Estimated remediation effort

---

## SPECIFIC AREAS OF CONCERN

Based on this codebase, pay EXTRA attention to:

1. **Multi-factor authentication implementation** - blockchain signature verification
2. **Project approval workflow** - new feature, likely has gaps
3. **Payment processing** - Stripe integration, financial data handling
4. **IPFS integration** - P2P storage security implications
5. **Role-based access control** - CLIENT/STAFF/ADMIN boundaries
6. **JWT implementation** - token handling, refresh logic
7. **Database schema separation** - dev/test/prod isolation
8. **Container security** - Podman configuration

---

## BEGIN AUDIT

Start by:
1. Running all automated audit scripts in `scripts/audit/`
2. Analyzing output files generated
3. Conducting manual code review
4. Cross-referencing findings
5. Generating comprehensive report

**DO NOT STOP until every file has been examined. Leave no stone unturned.**
Reference in New Issue View Git Blame Copy Permalink