Files
alla-tms/docs/reviews/full-system-audit-summary.md
2026-07-16 09:53:14 +07:00

22 KiB

Full System Audit Summary

Executive Summary

Across Phases 1-7, the system shows strong implementation momentum but is not yet ready for production release. The codebase builds successfully, core CRUD flows are largely functional, and server-side authorization is present in many sensitive paths. However, the combined review found material gaps in security hardening, permission consistency, legacy architecture migration, operational readiness, and feature completeness.

The most serious blockers are concentrated in a few areas: public exposure of online-lesson assets, unsafe spreadsheet import posture, missing automated release gates, incomplete backup and rollback readiness, and an authorization model that is not yet consistently enforced from one source of truth. In parallel, the architecture still carries unresolved drift between the intended users-centric model and legacy employees usage, while several major workflow files are too large and too coupled for low-risk iteration.

Overall recommendation: No-Go until Wave 0 and Wave 1 remediation items are complete.

Overall System Health

Dimension Status Notes
Build Health Partially Healthy lint, tsc, and build pass, but no test script or CI gate exists.
Functional Coverage Partially Healthy Core CRUD works, but reports, review workflow, and training-policy lifecycle are incomplete.
Authorization Model At Risk Guards exist, but enforcement is split between permission templates and legacy role helpers.
Security Posture At Risk Public lesson assets, unbounded spreadsheet imports, and unresolved dependency advisories remain.
UI/UX Consistency At Risk Encoding corruption and cross-feature inconsistency materially reduce production quality.
Maintainability At Risk Oversized route handlers, large client forms, and duplicated workflow logic raise regression risk.
Production Operations Not Ready No CI/CD workflow, no health endpoint, no verified restore/rollback process, stale docs.

Findings Summary by Severity

High

  • F-001 Runtime architecture still depends heavily on legacy employees despite the documented users-first target model.
  • F-002 Training-record review workflow lacks a true rejected path.
  • F-003 Reports module is incomplete for expected report coverage and export formats.
  • F-004 Training-policy lifecycle is incomplete: delete/soft delete, effective dating, and versioning are missing.
  • F-005 Permission templates are not the true single source of truth; sensitive paths still rely on compatibility role helpers.
  • F-006 Thai text encoding corruption is widespread in production UI.
  • F-007 Several route handlers, server data modules, and client workflow forms are oversized and over-coupled.
  • F-008 Online-lesson uploaded assets are publicly accessible by direct URL.
  • F-009 Spreadsheet import endpoints accept unbounded .xlsx uploads and rely on a dependency with active high-severity advisories.
  • F-010 Production release discipline is incomplete: no automated tests, no CI pipeline, and no health/readiness endpoint.

Medium

  • F-011 Production dashboard still exposes demo/template/legacy routes.
  • F-012 Page guards, nav guards, and API guards are inconsistent across modules.
  • F-013 Announcements and online lessons lack scheduling/versioning capabilities expected for publishing workflows.
  • F-014 Notifications are limited and incomplete as a delivery system.
  • F-015 Reports bypass shared table patterns and remain visually dense.
  • F-016 API/client/error handling and some data integrity rules are still generic or app-level only.
  • F-017 Rate limiting, CSRF/origin hardening, and explicit security headers are not implemented centrally.
  • F-018 Deployment and environment docs are stale and partly inherited from the starter template.

Low

  • F-019 Proxy perimeter coverage is incomplete but partially compensated by route-handler guards.
  • F-020 Encoding corruption also appears in permission metadata and supporting UI text, reducing trust and maintainability.

Findings Summary by Module

Module Key Findings
Auth / Session / Proxy Permission model split, inconsistent perimeter, fallback secret posture, missing abuse protection.
Users / Employees Architecture drift between intended users runtime model and legacy employees dependencies.
Training Records Review workflow incomplete, large form boundary, import hardening needed.
Reports Functional gaps, role-scoped authorization drift, duplicated scope resolution, coupled export/data logic, dense UX.
Training Policy Missing lifecycle completeness and version/effective-date controls.
Training Matrix Missing route target, inconsistent page/API guard placement.
Announcements Large workflow handler, publishing lifecycle gaps, attachment UX differs from other modules.
Online Lessons Public asset exposure, large client form, attachment workflow inconsistency, publishing capability gaps.
Permission Management Template model not yet authoritative, metadata encoding issues, DB integrity TODO remains.
Overview / Dashboard Large server aggregation modules, legacy/demo routes still present in production surface.
Platform / Ops No CI/CD, no tests, no health endpoint, stale docs, incomplete runbooks.

Production Blockers

Blocker Problem Impact Module Recommended Owner Dependency Acceptance Criteria
PB-01 Online-lesson files are served as public URLs from public/uploads/.... Unauthorized data access and uncontrolled file distribution. Online Lessons / Storage Backend Storage refactor Lesson assets require authenticated, organization-aware download access.
PB-02 Spreadsheet import accepts unbounded .xlsx uploads and uses vulnerable parsing dependency. DoS risk and unsafe untrusted file parsing. Training Records / Employees Import Backend Dependency upgrade File-size limits, MIME validation, rate limits, and upgraded parser are in place.
PB-03 Authorization decisions are not consistently permission-first across pages, nav, and APIs. Privilege drift and inconsistent access behavior. Auth / Reports / Matrix / Employees / Audit Logs Backend Permission model cleanup Sensitive routes and pages resolve access from the same permission source of truth.
PB-04 No CI pipeline, no automated test suite, no release gate. Regressions can reach production without enforcement. Platform / Repo DevOps / Full-stack Test baseline PR workflow runs lint, typecheck, build, and targeted tests before merge.
PB-05 No health/readiness endpoint and no documented rollback or restore procedure. Slow incident detection and unsafe deployment recovery. Platform / Deployment / DB Ops DevOps Operational docs Health endpoint exists and restore/rollback runbooks are documented and verified.
PB-06 Docs and deployment artifacts still contain stale starter-template and Clerk-oriented assumptions. Incorrect deployment setup and operator confusion. Docs / Docker / README Full-stack Architecture alignment README, env docs, Docker notes, and deployment instructions match current Auth.js TMS behavior.
PB-07 No automated tests or verified smoke coverage for critical business workflows. Production behavior cannot be trusted after fixes or releases. Whole System Full-stack / QA Test harness Critical workflows have automated coverage and manual smoke checklist.

Cross-Phase Root Causes

  • Incomplete migration from the original starter/template application into a focused TMS product.
  • Incomplete migration from legacy employees ownership to the documented users-centric runtime model.
  • Incomplete migration from compatibility role checks to permission-first authorization.
  • Workflow-heavy features have grown inside large route handlers and large client components instead of being decomposed into smaller services.
  • Shared UI primitives exist, but design-system governance is inconsistent across older and newer modules.
  • Operational maturity lagged behind feature delivery: testing, CI/CD, monitoring depth, and runbooks were not finished alongside implementation.

Risk Matrix

Risk ID Risk Likelihood Impact Overall
R-01 Unauthorized access to online-lesson assets High High Critical
R-02 Spreadsheet import abuse or parser exploitation High High Critical
R-03 Permission drift exposes data incorrectly across reports and admin modules Medium High High
R-04 Release regression reaches production without test or CI gate High High Critical
R-05 Incident recovery fails due to absent backup/rollback process Medium High High
R-06 Large coupled modules cause high-risk regressions during remediation High Medium High
R-07 Users lose trust due to corrupted Thai content and inconsistent workflows High Medium High
R-08 Architecture drift around employees vs users blocks future feature correctness Medium High High

Traceability Matrix

Finding ID Phase Severity Module Production Blocker Recommended Wave Related Finding
F-001 1 High Users / Employees / Reports No Wave 2 F-003, F-012
F-002 2 High Training Records No Wave 1 F-007
F-003 2 High Reports No Wave 2 F-001, F-005, F-015
F-004 2 High Training Policy No Wave 2 F-007
F-005 3 High Auth / Permissions / Reports Yes (PB-03) Wave 1 F-012, F-019
F-006 4 High Shared UI / Content No Wave 1 F-020
F-007 5 High Announcements / Reports / Overview / Training Records No Wave 2 F-016
F-008 6 High Online Lessons / Storage Yes (PB-01) Wave 0 F-013, F-017
F-009 6 High Import Endpoints / Dependencies Yes (PB-02) Wave 0 F-017
F-010 7 High Repo / Platform / Deployment Yes (PB-04, PB-05, PB-07) Wave 1 F-018
F-011 1 Medium Dashboard Surface No Wave 1 F-018
F-012 1,3 Medium Page Guards / APIs / Nav No Wave 1 F-005, F-001
F-013 2 Medium Announcements / Online Lessons No Wave 3 F-008
F-014 2 Medium Notifications No Wave 3 F-003
F-015 4 Medium Reports UI No Wave 2 F-003
F-016 5 Medium API Client / Permission Data / Shared Utils No Wave 2 F-007
F-017 6 Medium Security Platform No Wave 1 F-008, F-009
F-018 7 Medium Docs / Env / Docker Yes (PB-06) Wave 1 F-011
F-019 1,6 Low Proxy / Perimeter No Wave 3 F-005
F-020 3,4 Low Permission Metadata / Shared UI Copy No Wave 1 F-006

Remediation Roadmap

Wave 0 - Emergency Fix

  • Close public access to online-lesson assets and replace direct file URLs with guarded delivery.
  • Harden spreadsheet import surfaces with file-size limits, MIME validation, rate limiting, dependency upgrades, and safer parsing controls.
  • Re-run dependency audit and clear high-severity advisories affecting active runtime paths.

Wave 1 - Pre-Production Fix

  • Unify authorization around permission-first server checks for reports, matrix, employees, audit logs, and org-management paths.
  • Remove, quarantine, or explicitly disable demo/template production routes that should not ship.
  • Fix Thai text encoding corruption across navigation, forms, labels, pagination, and permission metadata.
  • Add CI release gates: lint, typecheck, build, and critical test workflow.
  • Add health/readiness endpoints plus rollback, restore, and deployment runbooks.
  • Update README, env documentation, Docker instructions, and release notes to match current Auth.js TMS architecture.

Wave 2 - Stabilization

  • Refactor oversized route handlers, report data modules, overview aggregators, and workflow-heavy forms into smaller service boundaries.
  • Complete missing business lifecycle behavior in training-policy and training-record review flows.
  • Normalize reporting architecture: authorization scope resolution, export generation, and shared UI patterns.
  • Add missing data integrity constraints, typed error models, and reusable validation utilities.
  • Continue the employees to users migration in runtime-critical flows.

Wave 3 - Continuous Improvement

  • Add scheduling/versioning features to content publishing modules where required by the product.
  • Mature notification delivery beyond current in-app limitations.
  • Expand structured logging, correlation IDs, security headers, CSP, and abuse monitoring.
  • Tighten perimeter protection and continue cleanup of legacy/demo/dead code.

Coding Phase Backlog

AUDIT-001 Secure Online Lesson Asset Delivery

  • Problem: lesson files are directly accessible without authenticated authorization checks.
  • Scope: move online-lesson file access to guarded download/stream endpoints and stop serializing raw public URLs.
  • Out of Scope: full cloud object-storage migration.
  • Files / Modules: src/lib/online-lesson-storage.ts, src/features/online-lessons/server/online-lesson-data.ts, src/features/online-lessons/components/online-lesson-detail-page.tsx, related route handlers.
  • Acceptance Criteria: unauthenticated direct URL access fails; authorized users can still view/download assets through guarded endpoints.
  • Test Required: route authorization tests, manual cross-role smoke test, file access regression test.
  • Dependency: AUDIT-006.
  • Severity: High.
  • Priority: P0.

AUDIT-002 Harden Spreadsheet Import Surface

  • Problem: imports rely on extension-only validation, unbounded memory reads, and vulnerable parsing dependency.
  • Scope: add file-size caps, MIME checks, rate limits, parser upgrade/replacement, and explicit failure telemetry.
  • Out of Scope: redesign of import mapping UX.
  • Files / Modules: src/app/api/training-records/import/route.ts, src/app/api/import-employees/route.ts, package.json, lockfile.
  • Acceptance Criteria: oversized or invalid files are rejected early; dependency audit shows no high advisory on active import path.
  • Test Required: upload validation tests, negative import smoke tests, dependency audit verification.
  • Dependency: none.
  • Severity: High.
  • Priority: P0.

AUDIT-003 Unify Permission Enforcement

  • Problem: permission templates and role compatibility helpers produce inconsistent access rules.
  • Scope: define authoritative permission checks for pages, APIs, and nav visibility in sensitive modules.
  • Out of Scope: complete product-wide RBAC redesign beyond current permission catalog.
  • Files / Modules: src/lib/auth/session.ts, src/lib/auth/roles.ts, reports, training-matrix, employees, audit logs, organizer access paths.
  • Acceptance Criteria: the same permission decision applies across nav, page load, and API action for each reviewed module.
  • Test Required: authorization matrix tests by role/permission, manual direct-URL verification.
  • Dependency: AUDIT-008.
  • Severity: High.
  • Priority: P0.

AUDIT-004 Establish Release Gate and Smoke Coverage

  • Problem: repository has no CI workflow, no automated tests, and no production release gate.
  • Scope: add CI workflow for lint, typecheck, build, and critical smoke/test jobs; add npm test or equivalent script.
  • Out of Scope: full end-to-end suite for every feature.
  • Files / Modules: .github/workflows/*, package.json, test harness folders.
  • Acceptance Criteria: pull requests fail on broken lint/type/build/tests; critical user flows have executable automated checks.
  • Test Required: CI self-verification on a test branch.
  • Dependency: none.
  • Severity: High.
  • Priority: P0.

AUDIT-005 Add Health, Rollback, and Restore Readiness

  • Problem: operational recovery and readiness signals are missing.
  • Scope: add health/readiness endpoints and document rollback, backup, and restore procedures.
  • Out of Scope: full SRE platform implementation.
  • Files / Modules: src/app/api/*, README.md, ops docs, deployment docs.
  • Acceptance Criteria: operators can verify service health and follow documented restore/rollback steps.
  • Test Required: endpoint smoke tests, tabletop recovery walkthrough.
  • Dependency: AUDIT-004.
  • Severity: High.
  • Priority: P0.

AUDIT-006 Remove Public File URL Assumptions

  • Problem: file-serving patterns are inconsistent across modules, and online lessons diverge from guarded download patterns already used elsewhere.
  • Scope: standardize protected file access conventions across announcements, certificates, and lesson assets.
  • Out of Scope: media CDN optimization.
  • Files / Modules: file storage helpers, download routes, serialization contracts.
  • Acceptance Criteria: protected uploads are never exposed as unconditional public URLs.
  • Test Required: file access regression tests.
  • Dependency: none.
  • Severity: Medium.
  • Priority: P1.

AUDIT-007 Repair Thai Encoding and Shared UX Copy

  • Problem: corrupted Thai text degrades usability and trust across the product.
  • Scope: fix encoding/copy corruption in nav, forms, pagination, empty states, and permission metadata.
  • Out of Scope: net-new content strategy.
  • Files / Modules: shared UI copy, feature labels, permission metadata catalogs.
  • Acceptance Criteria: reviewed screens display valid Thai copy consistently.
  • Test Required: manual UI verification across major screens.
  • Dependency: none.
  • Severity: High.
  • Priority: P1.

AUDIT-008 Refactor Oversized Workflow Modules

  • Problem: several large route handlers and components hold too many responsibilities.
  • Scope: split report data logic, announcement workflows, overview aggregation, and training-record form orchestration into smaller units.
  • Out of Scope: unrelated feature redesign.
  • Files / Modules: src/app/api/announcements/[id]/route.ts, src/features/reports/server/report-data.ts, src/features/overview/server/overview-data.ts, src/features/training-records/components/training-record-form.tsx.
  • Acceptance Criteria: each target module has clearer single-responsibility boundaries and lower regression surface.
  • Test Required: focused regression tests around refactored workflows.
  • Dependency: AUDIT-004.
  • Severity: High.
  • Priority: P1.

AUDIT-009 Complete Missing Business Workflow Paths

  • Problem: training-record rejection, training-policy lifecycle, and report coverage remain incomplete.
  • Scope: implement rejected review path, policy lifecycle operations, and prioritized missing report outputs.
  • Out of Scope: non-priority analytics expansion.
  • Files / Modules: training-records, training-policy, reports.
  • Acceptance Criteria: required workflow states and agreed report set are supported end-to-end.
  • Test Required: workflow tests, export smoke tests, role-scoped manual verification.
  • Dependency: AUDIT-003.
  • Severity: High.
  • Priority: P1.

AUDIT-010 Align Runtime Data Model Around users

  • Problem: architecture documentation and runtime implementation still diverge on person ownership.
  • Scope: identify remaining runtime-critical employees dependencies and migrate them toward users-based ownership where required.
  • Out of Scope: historical legacy-data archival strategy.
  • Files / Modules: auth/session joins, reports, overview, training-policy, training-record participant flows.
  • Acceptance Criteria: runtime-critical training flows no longer require legacy employees as the effective source of truth.
  • Test Required: data-scope regression tests and migration verification.
  • Dependency: AUDIT-003, AUDIT-009.
  • Severity: High.
  • Priority: P2.

Testing Strategy After Fix

  • Run mandatory gates on every change set: npm run lint, npx tsc --noEmit, npm run build, and the new automated test command.
  • Add authorization matrix tests covering nav/page/API behavior for super_admin, admin, and user.
  • Add storage access tests for protected download and streaming routes.
  • Add import validation tests for size, file type, malformed spreadsheet, and permission failure cases.
  • Add regression tests for training-record review transitions and prioritized report exports.
  • Run a manual production-like smoke checklist covering login, org switching, CRUD basics, imports, exports, file access, and audit logging.

The release gate should require all of the following:

  • Wave 0 completed and verified.
  • Wave 1 completed for permission consistency, encoding repair, CI gate, health/readiness, and documentation alignment.
  • No unresolved high-severity security advisory on active runtime dependencies.
  • Critical-path automated coverage exists for auth, authorization, imports, exports, and protected file delivery.
  • Backup, restore, and rollback procedures are documented and exercised at least once.
  • Final UAT is re-run after remediation on a production-like environment.

Final Go-live Recommendation

No-Go.

The system is close enough to justify continued investment, but not close enough to justify production release. The combination of security blockers, missing release discipline, authorization inconsistency, and operational readiness gaps creates too much avoidable risk for go-live.

No material contradiction was found across Phases 1-7. The findings reinforce one another: structural drift identified in the architecture and permission reviews directly explains later quality, security, and production-readiness issues.

Appendix: Source Reports