# SPBU Manager — Audit Brief (Current State)

> Generated by project-audit · 2026-04-11
> Handoff target: senior-backend + senior-frontend
> Source: existing codebase audit (brownfield)

## Overview
SPBU Manager is a mature multi-SPBU operations management system; roughly 80% of the operational features are complete. The architecture is solid (router→service→repository). The main problem is not the architecture but **authorization gaps** that recur consistently across the whole codebase, plus a few dependencies with known CVEs.

## Detected Stack
- **Frontend**: Next.js 16.2.2 + React 19 + TypeScript + Tabler CSS
- **Backend**: FastAPI + SQLAlchemy 2.0 async + PostgreSQL (asyncpg)
- **Auth**: JWT (HS256 via python-jose) + bcrypt + cookie-based token storage
- **File Storage**: Local filesystem (dev) / Google Drive (prod)
- **Testing**: pytest is present in deps, but there are **zero test files**
- **Deployment**: Nginx reverse proxy + PM2, `https://spbu.goteku.com`

## Environment at Audit Time
- CodeGraph: ❌ not available
- Scanners run: `npm audit` ✅
- bandit, pip-audit: ❌ not installed
- Git history analyzed: ✅
- Files read: ~25 files

## Feature Modules (Current State)

| Module | Current location(s) | Cohesion | Status |
|---|---|---|---|
| auth | `routers/auth.py`, `services/auth_service.py`, `core/security.py` | ✅ | Done |
| penjualan | `routers/laporan_shift.py`, `services/operational_service.py` | ✅ | Done |
| stock | `routers/stock_adjustment.py`, `services/stock_service.py` | ✅ | Done |
| penebusan | `routers/penebusan.py`, `services/penebusan_service.py` | ✅ | Done |
| penerimaan | `routers/penerimaan.py`, `services/penerimaan_service.py` | ✅ | Done |
| expenses | `routers/expenses.py`, `services/expense_service.py` | ✅ | Done |
| penyetoran | `routers/penyetoran.py`, `services/penyetoran_service.py` | ✅ | Done |
| rekonsiliasi | `routers/end_to_end.py`, `routers/rekonsiliasi.py` | ✅ / ❌ | E2E done, Harian TODO |
| users | `routers/users.py`, `services/user_service.py` | ✅ | Done (permission gaps) |
| roles | `routers/roles.py`, `services/role_service.py` | ✅ | Done |
| spbu | `routers/spbu.py`, `services/spbu_service.py` | ✅ | Done |
| products | `routers/products.py` | ✅ | Done |
| general-affairs | `routers/general_affairs.py`, `services/general_affairs_service.py` | ✅ | Done |
| system | `routers/system.py`, `services/system_service.py` | ✅ | Done |
| file-storage | `utils/file_upload.py` | ✅ | Done (auth missing) |
| dashboard | `routers/dashboard.py` | ❌ | Router stub, not yet implemented |
| laporan | `routers/laporan.py` | ❌ | Router stub, not yet implemented |
| analytics | `routers/analytics.py` | ❌ | Router stub, not yet implemented |
| anomali | `routers/anomali.py` | ❌ | Router stub, not yet implemented |
| audit-log | none | ❌ | TODO (compliance) |

## Known Limitations of This Audit
- Could not inspect the production runtime config (the SECRET_KEY value, whether SUPERADMIN_PASSWORD is overridden)
- bandit and pip-audit were not available, so the Python deps were not scanned for CVEs
- No access to the live DB to check for missing indexes
- The production Nginx config could not be read from the local checkout

## Handoff Notes

**For senior-backend:**
- Stack: FastAPI + SQLAlchemy 2.0 async + Pydantic v2 + PostgreSQL
- Execute the refactors in this order: R-01→R-02→R-03→R-04 (quick security wins), then R-08 (the largest IDOR fix)
- Watch for: (1) the SPBU IDOR is present in almost every service; it needs an `assert_spbu_access` helper applied consistently, (2) permission checks on the user endpoints are almost entirely absent, (3) do not upgrade bcrypt to 5.x (passlib incompatibility)
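The `assert_spbu_access` helper named above, as an added example (not the project's code): a fail-closed check applied to the SPBU stored on the record, shown beside the lookup-by-id pattern that produces the IDOR. The role names, record fields and in-memory table are assumptions.

```python
from dataclasses import dataclass

class SpbuAccessDenied(Exception):
    """Map to HTTP 403 (or 404, so a denied request does not confirm the id exists)."""

class NotFound(Exception):
    """Map to HTTP 404."""

@dataclass(frozen=True)
class CurrentUser:
    id: int
    role: str                 # assumed role names: "superadmin", "manager", "operator"
    spbu_ids: frozenset[int]  # SPBUs this user is assigned to (resolved from JWT / DB)

@dataclass(frozen=True)
class LaporanShift:
    id: int
    spbu_id: int        # the owning SPBU, stored server-side on the record
    total_penjualan: int

# Constructed in-memory stand-in for the laporan_shift table (assumption).
LAPORAN_SHIFT = {
    1: LaporanShift(id=1, spbu_id=10, total_penjualan=5_000_000),
    2: LaporanShift(id=2, spbu_id=20, total_penjualan=7_500_000),
}

def assert_spbu_access(user: CurrentUser, spbu_id: int) -> int:
    """Fail closed: the caller must be assigned to spbu_id unless they are superadmin."""
    if user.role == "superadmin":
        return spbu_id
    if spbu_id not in user.spbu_ids:
        raise SpbuAccessDenied(f"user {user.id} is not assigned to SPBU {spbu_id}")
    return spbu_id

def get_laporan_shift_vulnerable(user: CurrentUser, laporan_id: int) -> LaporanShift:
    """IDOR: the caller is authenticated, but any user can read any SPBU's report by id."""
    if laporan_id not in LAPORAN_SHIFT:
        raise NotFound(laporan_id)
    return LAPORAN_SHIFT[laporan_id]

def get_laporan_shift(user: CurrentUser, laporan_id: int) -> LaporanShift:
    """Fixed: authorize against the spbu_id on the record, never one sent by the client."""
    row = LAPORAN_SHIFT.get(laporan_id)
    if row is None:
        raise NotFound(laporan_id)
    assert_spbu_access(user, row.spbu_id)
    return row
```

In the FastAPI app the same check belongs in the service layer, called with the user resolved by the JWT-cookie `Depends()` dependency, so every router path that loads an SPBU-owned row goes through it.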

**For senior-frontend:**
- Stack: Next.js 16 App Router + TypeScript strict + Tabler CSS (not Tailwind/shadcn)
- Execute: R-01 (axios) and R-12 (next.js) first, then update the file URL handling once R-07 is finished on the backend
- Watch for: the middleware MUST be named `proxy.ts` with a `proxy()` function; do not rename it
