teOS/.claude/agent-memory/senior-code-reviewer/phase7-backend-review.md

Phase 7 - Full Backend Code Review (2026-02-06)

Overall Score: 7.8/10

Module Scores

Module	Score	Key Issue
Auth (guards, strategy, decorators)	8/10	Role names leaked in error messages
Prisma (service, module)	7/10	cleanDatabase() ignores FK constraints
HR/Employees	8/10	as any type casts for encrypted data
HR/Time Tracking	7/10	Break tracking via string parsing, private method access
HR/Absences	8/10	Missing holiday calc, vacation carry-over TODO
LEAN/Skill Matrix	8/10	N+1 in analyzeGaps, non-transactional bulkUpsert
LEAN/Morning Meeting	7/10	ALL endpoints use DASHBOARD_VIEW permission
LEAN/S3 Planning	8/10	File upload MIME not validated, N+1 in findAll
Dashboard	8/10	Hardcoded role strings
Common (filters, interceptors)	8/10	Logging/Timeout interceptors never registered
Users	8/10	GET /users has no permission restriction
Audit	7/10	oldData always undefined, salary not sanitized
app.module + main.ts	9/10	enableImplicitConversion risk

Critical Issues (3)

1. Morning Meeting Permission Escalation

• File: apps/api/src/modules/lean/morning-meeting/morning-meeting.controller.ts
• Lines: 47, 59, 66, 79, 99, 120, 149, 159, 170, 183, 193, 211, 221, 234, 249, 259, 270
• Issue: ALL endpoints (including create, update, delete) use Permission.DASHBOARD_VIEW
• Impact: Any authenticated user with dashboard access can create/modify/delete morning meetings

2. Private Method Access via Bracket Notation

• File: apps/api/src/modules/hr/time-tracking/time-tracking.controller.ts
• Lines: 237-239
• Issue: this.timeTrackingService['getEmployeeByUserId'](user.sub) accesses private method
• Impact: Circumvents TypeScript access modifiers, fragile to refactoring

3. Prisma cleanDatabase() with Promise.all

• File: apps/api/src/prisma/prisma.service.ts
• Lines: 48-61
• Issue: Deletes all tables in parallel ignoring foreign key constraints
• Impact: Can fail in production/staging if FK constraints exist; should use sequential deletion or raw SQL truncate cascade

Important Issues (14)

1. Roles guard leaks role names - roles.guard.ts L31-33
2. Permissions guard leaks permission names - permissions.guard.ts
3. enableImplicitConversion in ValidationPipe - main.ts L44
4. Break tracking via note string parsing - time-tracking.service.ts L216-219, L257-258
5. No backdating limit for manual time entries
6. Holiday calculation missing in absences calculateWorkingDays
7. Vacation carry-over not implemented - absences.service.ts L979 (BUrlG)
8. Event queue in-memory only - absences.service.ts L1414
9. N+1 query in analyzeGaps - skill-entries.service.ts L515-523
10. bulkUpsert not transactional - skill-entries.service.ts L429-476
11. File upload MIME not validated - s3-planning.controller.ts
12. LoggingInterceptor + TimeoutInterceptor never registered
13. GET /users no permission check - users.controller.ts L88-97
14. Audit oldData always undefined - audit.interceptor.ts L60

Positive Observations

• JWT verification (not just decode) with user existence check on every request
• AES-256-GCM encryption for sensitive employee data (salary, bank account)
• Consistent error response format via global HttpExceptionFilter
• Response envelope pattern via TransformInterceptor
• ArbZG break rules correctly implemented in time tracking
• Comprehensive absence workflow with approval chain
• Global ValidationPipe with whitelist + forbidNonWhitelisted
• Proper soft delete patterns for employees
• Well-structured module hierarchy (HrModule -> sub-modules)
• Swagger/OpenAPI documentation on all endpoints