From the post-#121 security audit.
Severity: minor
File(s): server/api/controllers/project.controller.js (approveM2, requestChanges, confirmPayment, createContinuation)
Why: program-level mutations (program.update, sponsor.*, signups.*, admin.*, application.<status>) already log via auditLog.logSafe. Project-level mutations don't — confirmPayment in particular is high-value because it records on-chain payout proof.
Suggestion: wire auditLog.logSafe AFTER res.json for each, with programId = project.program_id || null. Continuations are also worth auditing (post-M2 follow-up trail).
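An added illustration of the pattern this suggestion describes, written for this note and not taken from the project's code: a project-level handler that commits its mutation, sends the response, and only then appends an audit entry through a non-throwing `logSafe`. The shape of `auditLog.logSafe` and its entry fields, the `auditStore` sink, the sample projects, and the `makeRes` stand-in for an Express response are all assumptions so the snippet runs offline.

```javascript
// Added example, not the project's code. `auditLog.logSafe`'s signature,
// the entry fields and the data below are assumptions for illustration.

// Constructed in-memory audit store standing in for the real one. `failing`
// lets the example show that a broken audit store never breaks the response.
const auditStore = {
  failing: false,
  events: [],
  write(entry) {
    if (this.failing) throw new Error('audit store unavailable');
    this.events.push({ ...entry, at: new Date().toISOString() });
  },
};

const auditLog = {
  // logSafe never throws: the mutation is already committed and the response
  // already sent, so an audit failure is reported but cannot turn a confirmed
  // payout into a 500. Returns true when the entry was recorded.
  logSafe(entry) {
    try {
      if (!entry || !entry.action) throw new Error('audit entry missing action');
      auditStore.write(entry);
      return true;
    } catch (err) {
      console.error('audit log failed:', err.message);
      return false;
    }
  },
};

// Constructed sample projects; p-2 has no program, exercising the `|| null` rule.
const projects = new Map([
  ['p-1', { id: 'p-1', program_id: 'prog-9', status: 'm2_approved' }],
  ['p-2', { id: 'p-2', program_id: null, status: 'm2_approved' }],
]);

// Hypothetical confirmPayment handler (req/res as in Express).
// Returns logSafe's result only so a test can observe it; Express ignores it.
function confirmPayment(req, res) {
  const project = projects.get(req.params.id);
  if (!project) {
    res.status(404).json({ error: 'project not found' });
    return null; // nothing mutated, nothing to audit
  }
  project.status = 'paid';
  project.payout_tx = req.body.txHash; // on-chain payout proof
  res.json({ ok: true, project });
  // Audit AFTER res.json, with programId falling back to null for
  // projects that do not belong to a program.
  return auditLog.logSafe({
    action: 'project.confirmPayment',
    actorId: req.user ? req.user.id : null,
    projectId: project.id,
    programId: project.program_id || null,
    details: { txHash: req.body.txHash },
  });
}

// Minimal stand-in for an Express response so the handler runs without a server.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Usage: confirmPayment({ params: { id: 'p-1' }, body: { txHash: '0xabc' }, user: { id: 'u1' } }, makeRes());
```

The point of ordering the call after `res.json` is that the audit trail is appended off the request's critical path: a slow or failing audit store delays or drops the log entry (which `logSafe` reports on stderr), but never the payout confirmation that was already persisted.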
🤖 Generated with Claude Code