Gap Register — Acme Notes

Date: 2026-07-15

Every Amber or Red control from the audit report is one row. Not Verified items live in the report's questions section unless the project owner later confirms them as actual gaps.

IDFeatureControlGapStatePriority*EvidenceRecommended actionOwnerTarget date
G1Payments3.4Live-looking Stripe secret key committed to tracked sourceRed1config/settings.py:42, prefix matches sk_live_Rotate the key immediately; add secret scanning to CI
G2Account management14.2Soft-deleted accounts remain queryable via admin searchRed1src/admin/search.ts:88 — query has no deletedAt IS NULL filterAdd the filter; add a purge job for the underlying rows
G3Deployment & infra3.3CI runs but is not a required check on the default branchRed4Branch protection API: no required status checks configuredMark the existing test workflow as required
G4Authentication5.4Login and password-reset flows have unit tests only, no integration coverageAmber5tests/auth/ — all specs mock the database layerAdd one integration test exercising the real login flow end to end
G5Notes management11.1/api/notes list endpoint returns unbounded resultsRed5src/routes/notes.ts:21Note.findAll() with no paginationAdd cursor or offset pagination with a sane default page size
G6Notes management11.2Note tags fetched in a per-item loop instead of a batch queryAmber5src/routes/notes.ts:35-41Batch-load tags with a single join or WHERE IN query
G7Deployment & infra9.3Sentry installed but project owner confirmed no alert rules are configuredRed6Owner confirmation, 2026-07-14Configure at least an error-rate alert routed to on-call
G8Notes management11.4No caching on the notes-search endpoint despite a raised timeout in configAmber7config/timeouts.yml — search timeout raised from 5s to 15s, no cache layer presentAdd a cache layer or precompute the search index
G9Deployment & infra12.1Public API has no OpenAPI spec or published clientAmber7No spec file found; routes documented only in codePublish an OpenAPI spec for the /api/v1/ surface
*Risk priority (lower = more urgent):
  1. Security, privacy, secrets, sensitive-data exposure
  2. Missing/unreliable backup, recovery, or rollback
  3. Uncontrolled production access
  4. Unreviewed changes or missing CI safeguards
  5. Missing tests or performance safeguards around critical business behavior
  6. Unclear ownership and operational responsibility
  7. Documentation and maintainability
Owner and target date are left blank for the project team to fill in — this skill does not assign ownership on their behalf.