Senoa MonoRepo — Project Audit Report

Date: 2026-06-29 Repo: SenoaMonoRepo (branch development) Scope: Full monorepo — backend, blockchain indexer, web, admin-panel, infra/CI

---

1. Executive Summary

Senoa is a Web3 social + marketplace platform built as a Turbo/PNPM monorepo. It comprises a large NestJS backend (42 modules, crypto custody, KYC/KYB, accounting, affiliate/MLM rewards), a Next.js 15 web client, a Vite/React admin panel, and a NestJS blockchain events indexer.

The architecture is reasonable and the code is consistently structured, but the project is not production-ready. The dominant themes are:

• - Critically low test coverage across every app (backend 0.97%, web 0 tests, admin 1 file, blockchain 1 broken test).
• - Security misconfigurations — wildcard CORS with credentials, JWTs in localStorage, a hardcoded Alchemy RPC key, hardcoded DB/JWT secrets in docker-compose.yml, default Swagger password, no rate-limiting or security headers.
• - Incomplete financial logic — reward distribution and price-oracle integration are stubbed with TODOs; non-stablecoin exchange rates are hardcoded to 1.00.
• - Operational gaps — blockchain indexer has no reorg handling, no idempotency, and no retries.

Overall production-readiness: ~70%. Risk level: HIGH.

---

2. Project Structure & Stack

Tooling: Turbo + PNPM 10.15, TypeScript, Tailwind, Docker, AWS Elastic Beanstalk (GitHub Actions deploy).

Repo-wide metrics: 37 TODO/FIXME, 264 console.* in TS files, 208 remote branches (significant branch sprawl).

---

3. Critical Findings (fix before any production use)

C1 — Hardcoded Alchemy RPC API key (committed secret)

apps/blockchain/src/app.service.ts:31

new ethers.providers.JsonRpcProvider(
  `https://polygon-amoy.g.alchemy.com/v2/fBeW2OzQkFjcaNQVXzqx5rDBeO_AwMFO`)

Live key in source + git history. Rotate immediately, move to process.env.

C2 — Secrets hardcoded in docker-compose.yml

DB passwords (P71\Q4;jlpyJ, jRw0hf56E6x') and JWT_SECRET=your-super-secret-jwt-key-change-in-production are committed. Also scripts/init.sql ships appuser/rootpassword. Move to secrets/.env (prod already uses AWS SSM Parameter Store via the EB prebuild hook — good — but compose does not).

C3 — Wildcard CORS with credentials

apps/backend/src/main.ts:91-96 and gateway/chat.gateway.ts use origin: "*" with credentials: true. CSRF / cross-origin credential exposure risk. Pin to explicit origins.

C4 — Near-zero test coverage everywhere

Backend 6 trivial .spec files (0.97%), web 0, admin 1, blockchain 1 (and that e2e test asserts the wrong string, so it fails). No tests on auth, custody, accounting, KYC/KYB, or rewards.

C5 — Incomplete / incorrect financial logic

• - accounting.service.ts:655,752,877 — non-USDT exchangeRate hardcoded to "1.00" (TODO: price oracle). All non-stablecoin ledger values are wrong.
• - circle.service.ts:1297-1346 — reward distribution has TODO: [DB INSERT] placeholders; rewards are computed but never recorded. Users would not be paid.

C6 — JWT stored in localStorage (web + admin)

43 reads in web, plus admin panel. XSS-exfiltratable. Client-side-only token expiry (token-init-date) is trivially bypassed. Move to httpOnly cookies; rely on server 401s for expiry.

---

4. High-Severity Findings

---

5. Medium / Low Findings

• - Lint disabled in web and admin-panel ("lint": "echo skipped"); blockchain too. ESLint configs exist but never run.
• - TypeScript strictness off in admin (strict:false, noUnusedLocals:false) and blockchain (strictNullChecks:false, noImplicitAny:false). Web is strict.
• - **264 console.* calls** in TS (185 in web, 57 backend) — no structured logging / log-level control; some log raw event/error objects.
• - **188 any usages** in web reduce type safety (esp. error handling).
• - Redis & DB defaults in blockchain fall back to localhost / empty password — won't fail fast in prod.
• - **API_BASE_URL duplicated** ~58× in web with http://localhost:3000 fallback baked into production component files.
• - Docker uses unpinned node:latest (non-reproducible builds); no .nvmrc/engines despite CI pinning Node 22.
• - CI gap: the "Run Tests" job only builds — it never runs npm test. Deploys to prod/dev on push with npm install (not npm ci).
• - **Migration 1768461271858-auto.ts** is an auto-generated schema sync — review for unintended changes.
• - **.gitignore** lists !.env.example but never ignores .env itself (real .env files are not gitignored — currently none committed, but the guard is missing).
• - README is stale — describes a generic "PoC monorepo", mentions MongoDB while code uses Postgres.

---

6. What's Done Well

• - Clean, consistent NestJS module structure; DI used throughout.
• - Strong input validation: global ValidationPipe with whitelist+forbidNonWhitelisted; 385 class-validator decorators across 173 DTOs.
• - No SQL injection surface — TypeORM parameterized queries; raw SQL only in migrations.
• - Sound crypto hygiene: bcrypt (rounds 10), crypto.randomBytes(32) reset tokens, AES encryption of custody API keys via CUSTODY_ENCRYPTION_KEY.
• - Global JSON exception filter; consistent Nest exceptions (547 throws).
• - Production secrets sourced from AWS SSM Parameter Store at deploy time.
• - Double-entry accounting uses DB transactions and immutable ledger entries.
• - Web app: TanStack Query caching, strict TS, sensible provider layering, thirdweb (no self-custody keys).

---

7. Prioritized Remediation Roadmap

Immediate (hours):

1. 1. Rotate the Alchemy key (C1); move it + Redis/DB config to env.
2. 2. Strip secrets from docker-compose.yml / init.sql (C2).
3. 3. Pin CORS origins on HTTP + WebSocket (C3); remove default Swagger password (H2).
4. 4. Fix the broken blockchain e2e test; make CI actually run tests.

Short term (1–2 weeks):

1. 5. Complete reward DB inserts and integrate a price oracle (C5) — financial correctness.
2. 6. Add helmet + @nestjs/throttler (H3); hash reset tokens (H5); UUID-prefix S3 uploads (H4).
3. 7. Move JWTs to httpOnly cookies + add CSRF (C6, H8); replace dangerouslySetInnerHTML with DOMPurify (H1).
4. 8. Re-enable lint and TS strictness in admin/web/blockchain.

Medium term (1–2 months):

1. 9. Build out test suites — target ≥50–70% on auth, custody, accounting, rewards (C4). Est. 100–150 hrs backend alone.
2. 10. Add reorg handling + idempotency + retries to the indexer (H7).
3. 11. Refactor oversized files (H9); centralize API_BASE_URL/avatar-URL utilities; add KYC workflow + audit trail (H6).
4. 12. Prune the 208 remote branches.

---

8. Per-App Risk Summary

Bottom line: solid foundation and architecture, but treat as a late-stage prototype. Address the six critical items before exposing this to real users or funds.

Module Architecture — Overview

NestJS backend (apps/backend). Each node is a feature module; arrows show **imports** dependencies declared in each *.module.ts (A --> B = A imports B).

AppModule is the composition root and imports all 40 feature modules (edges omitted for clarity). Several edges are mutual (forwardRef) — e.g. auth ⇄ user, user ⇄ notification.

Module inventory (42)

Note: crypto-prices, feed, recommended, commission-structure, notifications are leaf modules (no inter-module imports); they are consumed by others and registered directly in AppModule.

For a per-module breakdown (each module + its connections), switch to the Architecture Explorer.

Database Schema — Overview

Generated from the 66 TypeORM entities in apps/backend/src. Boxes are tables (with columns; PK = primary key, FK = foreign-key column). Relationship lines reflect the actual relation decorators:

Labels has 1 / has 2 … distinguish multiple FKs from the same table to the same target (e.g. Post → User author vs. editor; UserConnection → User requester vs. addressee).

User is the central hub. 11 standalone tables have no entity-level relations (config/log/derived data): CryptoPrice, DynamicCompression, ErrorLog, FeeConfiguration, Feed, MediaAsset, MonthlyPool, MonthlyPoolDistribution, Pledge, Recommended, WalletBalance.

For a per-table breakdown (each table + its relations), switch to the Architecture Explorer.