copper-tone-tech/web-hosts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
web-hosts/domains/coppertone.tech/prompts/audit-full-scale.md
Derek Williams c7d6786039 Add full web-hosts state
2025-12-26 13:38:04 +01:00

284 lines
7.5 KiB
Markdown
Raw Permalink Blame History

# COMPREHENSIVE CODEBASE AUDIT PROMPT
## INSTRUCTIONS FOR AI AUDITOR
You are conducting a **BRUTAL, NO-HOLDS-BARRED, COMPREHENSIVE AUDIT** of the Copper Tone Technologies codebase. Your job is to **find every flaw, vulnerability, inefficiency, anti-pattern, and problem** in this codebase. Do NOT spare feelings. Do NOT sugarcoat findings. Be **ruthlessly critical** and **technically precise**.
---
## AUDIT SCOPE
Audit EVERYTHING:
- `/home/administrator/projects/coppertone.tech/`
### Languages & Technologies to Audit:
- **Go 1.25+** (backend microservices)
- **TypeScript/Vue 3** (frontend PWA)
- **PostgreSQL 16** (database schemas, queries)
- **SQL Migrations** (schema design)
- **Docker/Podman** (Containerfiles, compose)
- **Shell Scripts** (any .sh files)
- **Configuration** (vite.config, tailwind, tsconfig, etc.)
---
## AUDIT CATEGORIES
### 1. SECURITY AUDIT (CRITICAL)
**Authentication & Authorization:**
- JWT implementation flaws (algorithm confusion, weak secrets, missing expiration)
- Session management vulnerabilities
- Role-based access control (RBAC) bypasses
- Privilege escalation vectors
- Missing authentication on endpoints
- Broken access control (IDOR, horizontal/vertical escalation)
**Input Validation & Injection:**
- SQL injection (even with parameterized queries, check for string concatenation)
- Command injection in any shell calls
- XSS (stored, reflected, DOM-based) in Vue components
- CSRF vulnerabilities
- Path traversal
- LDAP/XML injection if applicable
- Template injection
**Cryptography:**
- Weak hashing algorithms (MD5, SHA1 for passwords)
- Hardcoded secrets, API keys, passwords
- Insecure random number generation
- Missing encryption for sensitive data at rest/transit
- Certificate validation issues
**API Security:**
- Missing rate limiting
- Verbose error messages leaking info
- CORS misconfiguration
- Missing security headers
- Insecure direct object references
- Mass assignment vulnerabilities
- GraphQL-specific issues if applicable
**Infrastructure Security:**
- Container security (running as root, privileged mode)
- Exposed ports unnecessarily
- Secrets in environment variables vs secret management
- Database credentials handling
- SSL/TLS configuration
### 2. CODE QUALITY AUDIT
**Go Backend:**
- Error handling (swallowed errors, panic vs error return)
- Resource leaks (unclosed DB connections, file handles, HTTP bodies)
- Race conditions (missing mutex, improper channel usage)
- Memory leaks
- Goroutine leaks
- Context propagation issues
- Improper use of defer
- Magic numbers and strings
- God functions (>50 lines)
- Cyclomatic complexity
- Dead code
- Unused imports/variables
- Inconsistent naming conventions
- Missing godoc comments
- Test coverage gaps
**TypeScript/Vue Frontend:**
- Type safety violations (any abuse, type assertions)
- Reactive state management issues
- Memory leaks (event listeners, subscriptions)
- Component coupling
- Props drilling
- Missing error boundaries
- Accessibility (a11y) violations
- Performance anti-patterns (unnecessary re-renders)
- Bundle size concerns
- Dead code and unused exports
- Inconsistent code style
- Missing TypeScript strict mode violations
**SQL/Database:**
- N+1 query problems
- Missing indexes
- Inefficient queries (SELECT *, unnecessary JOINs)
- Schema normalization issues
- Missing foreign key constraints
- Data integrity gaps
- Migration safety (irreversible migrations)
- Connection pool mismanagement
### 3. ARCHITECTURE AUDIT
**Backend Architecture:**
- Microservice boundaries (too fine/coarse grained)
- Service coupling issues
- Missing circuit breakers
- No retry logic with backoff
- Synchronous calls that should be async
- Missing event sourcing where beneficial
- API versioning strategy
- Inconsistent API design across services
**Frontend Architecture:**
- State management complexity
- Component hierarchy issues
- Route organization
- Code splitting effectiveness
- Lazy loading implementation
- Service layer abstraction
- API client design
**Data Architecture:**
- Schema design flaws
- Missing audit trails
- No soft deletes where needed
- Timestamp handling (timezone issues)
- Data retention policies
### 4. PERFORMANCE AUDIT
**Backend Performance:**
- Database query optimization
- Caching strategy (or lack thereof)
- Connection pooling configuration
- Payload sizes
- Compression usage
- Async processing opportunities
**Frontend Performance:**
- Lighthouse scores analysis
- Core Web Vitals
- Image optimization
- Asset caching
- Tree shaking effectiveness
- Code splitting
- Lazy loading
- Memory profiling
### 5. RELIABILITY AUDIT
- Error handling completeness
- Graceful degradation
- Health check implementation
- Logging strategy (structured logging, log levels)
- Monitoring hooks
- Alerting capabilities
- Backup and recovery
- Data consistency guarantees
### 6. MAINTAINABILITY AUDIT
- Documentation completeness
- README accuracy
- API documentation
- Inline code comments (too few/too many)
- Consistent project structure
- Dependency management
- Version pinning
- Technical debt identification
- TODO/FIXME/HACK comments
### 7. TESTING AUDIT
- Unit test coverage percentage
- Integration test coverage
- E2E test coverage
- Test quality (not just quantity)
- Mocking strategy
- Test data management
- CI/CD test integration
- Missing edge case tests
- Flaky tests
### 8. COMPLIANCE AUDIT
- OWASP Top 10 compliance
- GDPR considerations (if handling EU data)
- PCI-DSS considerations (payment handling)
- Accessibility (WCAG 2.1)
- License compliance for dependencies
---
## OUTPUT FORMAT
For each finding, provide:
```
### [SEVERITY: CRITICAL/HIGH/MEDIUM/LOW/INFO] - [Category] - [Short Title]
**File(s):** `path/to/file.go:line_number`
**Description:**
Detailed explanation of the issue.
**Evidence:**
```code
// The problematic code
```
**Impact:**
What could go wrong? Attack scenarios, data loss, etc.
**Remediation:**
Specific fix with code example if applicable.
**References:**
- CWE/CVE numbers if applicable
- OWASP references
- Best practice documentation
```
---
## SEVERITY DEFINITIONS
- **CRITICAL**: Immediate exploitation possible, data breach, system compromise
- **HIGH**: Significant security/reliability risk, exploitable with some effort
- **MEDIUM**: Should be fixed, moderate risk or significant code quality issue
- **LOW**: Minor issues, best practice violations
- **INFO**: Observations, suggestions, nice-to-haves
---
## DELIVERABLES REQUIRED
1. **Executive Summary**: 1-page overview for stakeholders
2. **Detailed Findings Report**: All issues with full details
3. **Prioritized Remediation Plan**: What to fix first
4. **Statistics Dashboard**:
- Total issues by severity
- Issues by category
- Files with most issues
- Estimated remediation effort
---
## SPECIFIC AREAS OF CONCERN
Based on this codebase, pay EXTRA attention to:
1. **Multi-factor authentication implementation** - blockchain signature verification
2. **Project approval workflow** - new feature, likely has gaps
3. **Payment processing** - Stripe integration, financial data handling
4. **IPFS integration** - P2P storage security implications
5. **Role-based access control** - CLIENT/STAFF/ADMIN boundaries
6. **JWT implementation** - token handling, refresh logic
7. **Database schema separation** - dev/test/prod isolation
8. **Container security** - Podman configuration
---
## BEGIN AUDIT
Start by:
1. Running all automated audit scripts in `scripts/audit/`
2. Analyzing output files generated
3. Conducting manual code review
4. Cross-referencing findings
5. Generating comprehensive report
**DO NOT STOP until every file has been examined. Leave no stone unturned.**
Reference in New Issue View Git Blame Copy Permalink