# CashHive.ai Audit Todo

## Critical
- Rotate compromised secrets with provider-side replacements:
  - DB credentials
  - offers DB credentials
  - xAI/Grok API keys
  - Stripe keys
- Audit duplicate API files under `/api` and `/public/api` and reduce drift before they diverge again.
- Remove or replace any remaining DeepLeaf/deepleafai branding in live pages and services.

## Critical Done
- Removed verification token leakage from survey responses.
- Made email verification activate accounts fully:
  - set `status = active`
  - set `email_verified = 1`
  - set `email_verified_at`
  - clear one-time verification state
- Killed the offer-click paywall bypass:
  - clicks/visits/calls no longer unlock premium
  - premium unlock now requires verified completions
  - direct fake `action=complete` calls now require an internal completion key
- Closed public admin offer CRUD:
  - `offers_manage.php` now requires an authenticated admin session
  - admin credentials now come from server-side environment, not a hardcoded default password
- Removed hardcoded live secrets from public code paths:
  - `public/api/openai_chat.php`
  - `public/api/grok_api.py`
  - `public/api/offers_manage.php`
  - affiliate endpoints no longer fall back to a hardcoded DB password
- Blocked web access to backup/source artifacts in `/public/api` and removed `openai_chat.php.backup`.
- Removed placeholder sponsor inventory:
  - deactivated all active `example.com` offers from `tbl_offers`
  - `api/offers.php` now suppresses placeholder rows instead of serving them
  - offer services now fail closed instead of recreating fake sponsor catalogs
- Collapsed more duplicate endpoint drift:
  - root `public/auth.php` now delegates to canonical auth backend
  - root `public/admin_auth.php` now delegates to canonical admin auth backend
  - deprecated legacy chat/offer-completion endpoints now return `410` instead of serving stale logic

## High
- Decide whether payments are live or disabled:
  - if live, install `sk_live` / `pk_live`
  - if not live, block checkout on production instead of serving Stripe test sessions
- Reconcile which subdomains actually exist against what the config references:
  - `email.cashhive.ai`
  - `strategy.cashhive.ai`
  - `ocr.cashhive.ai`
- Build a safe admin credential rotation workflow:
  - replace the generated bootstrap admin password after first use
  - decide whether admin auth should move to DB-backed users or stay env-based

## High Done
- Fixed auth and verification branding drift in the live registration/reset flow.
- Added real `robots.txt` and `sitemap.xml`.
- Removed remaining DeepLeaf branding from the live verify-email and forgot-password pages.
- Updated legacy email verification service copy from DeepLeaf AI to CashHive.ai.

## Medium
- Unify token/session handling across landing, register, survey, dashboard, offers, billing, and chat.
- Replace fake progress/chat-history placeholders with real tables or remove the UI.
- Add a deploy-time check that fails if public files contain key-shaped strings or hardcoded passwords.
- Add a deploy-time check that fails if Apache env files contain malformed `SetEnv` lines.
- Finish scrubbing DeepLeaf branding and hardcoded notification mail settings from secondary legacy/admin files:
  - `public/api/notification_helper.php`
  - `public/api/notifications.php`
  - other non-routed legacy helpers still carrying DeepLeaf references
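The two deploy-time checks above (key-shaped strings or hardcoded passwords in public files, and malformed `SetEnv` lines in Apache env files) can be one gate script. The following is an added example, not code from the CashHive.ai code base; the `xai-` key prefix, the `password = "..."` heuristic, the fixture file names and contents, and the rule that a `SetEnv` line with no value counts as malformed are assumptions. The Stripe `sk_live`/`pk_live`/`sk_test`/`pk_test` prefixes are real:

```shell
#!/bin/sh
# Added example, not CashHive.ai code: a deploy-time gate that fails when public
# files carry key-shaped strings or hardcoded passwords, or when an Apache env
# file carries a malformed SetEnv line. Paths, prefixes and fixtures are assumed.

# Stripe prefixes (sk_live/pk_live/sk_test/pk_test) are real; the xAI prefix
# "xai-" is an assumption. Extend the alternation for other providers in use.
KEY_PATTERN='(sk_live|pk_live|sk_test|pk_test)_[A-Za-z0-9]{8,}|xai-[A-Za-z0-9]{16,}'
# Loose heuristic: a quoted literal assigned to a password-like name. getenv()
# calls and $_POST lookups do not match because no quote follows the "=".
PASSWORD_PATTERN="(db_pass|db_password|password|passwd)[\"']?[[:space:]]*[=:][[:space:]]*[\"'][^\"']{4,}[\"']"

# scan_public_files DIR: print offending lines; return 1 if any were found.
scan_public_files() {
    hits=0
    # -r recurse, -n line numbers, -E extended regex, -I skip binary files
    if grep -rnEI "$KEY_PATTERN" "$1" 2>/dev/null; then hits=1; fi
    if grep -rnEIi "$PASSWORD_PATTERN" "$1" 2>/dev/null; then hits=1; fi
    return $hits
}

# check_setenv FILE: print malformed SetEnv lines; return 1 if any (or if FILE
# is missing). Well-formed means "SetEnv NAME value" with a non-empty value:
# Apache tolerates a bare "SetEnv NAME", but in a secrets file that silently
# hands the app an empty credential, so it is treated as malformed here.
check_setenv() {
    [ -f "$1" ] || { echo "missing env file: $1" >&2; return 1; }
    bad=0
    grep -nE '^[[:space:]]*SetEnv' "$1" \
      | grep -vE '^[0-9]+:[[:space:]]*SetEnvIf' \
      | grep -vE '^[0-9]+:[[:space:]]*SetEnv[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+[^[:space:]]' \
      && bad=1
    return $bad
}

# deploy_check PUBLIC_DIR ENV_FILE...: run both gates; non-zero exit aborts the deploy.
deploy_check() {
    public_dir="$1"; shift
    status=0
    scan_public_files "$public_dir" \
      || { echo "FAIL: key-shaped strings or hardcoded passwords under $public_dir" >&2; status=1; }
    for f in "$@"; do
        check_setenv "$f" || { echo "FAIL: malformed SetEnv line(s) in $f" >&2; status=1; }
    done
    return $status
}

# make_fixture DIR: constructed sample files (not real project files) so the
# gate can be exercised offline; "leaky" should fail, "clean" should pass.
make_fixture() {
    mkdir -p "$1/leaky/api" "$1/clean/api"
    printf '<?php\n$db_pass = "hunter2secret";\n$stripe = "sk_test_EXAMPLEKEY0000000000";\n' \
        > "$1/leaky/api/config.php"
    printf '<?php\n$db_pass = getenv("DB_PASS");\n$stripe = getenv("STRIPE_SECRET");\n' \
        > "$1/clean/api/config.php"
    printf 'SetEnv DB_PASS s3cr3t\nSetEnv STRIPE_SECRET\nSetEnvIf Request_URI "^/health" nolog\n' \
        > "$1/bad.conf"
    printf 'SetEnv DB_PASS s3cr3t\nSetEnv STRIPE_SECRET sk_live_placeholder\nSetEnvIf Request_URI "^/health" nolog\n' \
        > "$1/good.conf"
}

# Usage: sh deploy_check.sh public/ /path/to/apache-env.conf
if [ "$#" -gt 0 ]; then deploy_check "$@"; fi
```

Wire `deploy_check` into the deploy pipeline before files are synced to the web root; the pattern lists are deliberately loose, so expect to whitelist the occasional false positive rather than loosen them further.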

## Medium Done
- Removed dashboard demo fallbacks and now require a valid session.

## Operational
- Add smoke tests for:
  - survey submit
  - verify email
  - register/login/session validate
  - offer gating
  - checkout guardrails
  - admin auth
  - offers admin CRUD auth
- Add server-side alerts for:
  - failed verification bursts
  - suspicious offer completion bursts
  - test-key usage on production hosts
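The three alert conditions above can be prototyped as detectors over the application log before they move into a real alerting stack. The following is an added example, not code from the CashHive.ai code base; the log format (ISO timestamp, event name, `key=value` fields), the event names `verify_failed`, `offer_complete` and `stripe_session`, the production host name, and the sample log lines are all constructed assumptions:

```shell
#!/bin/sh
# Added example, not CashHive.ai code: fixed-window burst detectors for the
# three alert conditions, run over a constructed application log. The format
# (ISO timestamp, event, key=value fields) and the event names are assumed.

# write_sample_log FILE: constructed sample lines for offline testing.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01T10:00:01Z verify_failed ip=203.0.113.5
2024-05-01T10:00:03Z verify_failed ip=203.0.113.5
2024-05-01T10:00:04Z verify_failed ip=203.0.113.5
2024-05-01T10:00:09Z verify_failed ip=203.0.113.5
2024-05-01T10:00:10Z verify_ok ip=198.51.100.7
2024-05-01T10:00:20Z verify_failed ip=198.51.100.8
2024-05-01T10:01:00Z offer_complete ip=198.51.100.9 user=42 offer=17
2024-05-01T10:01:02Z offer_complete ip=198.51.100.9 user=42 offer=18
2024-05-01T10:01:03Z offer_complete ip=198.51.100.9 user=42 offer=19
2024-05-01T10:01:05Z offer_complete ip=198.51.100.9 user=42 offer=20
2024-05-01T10:01:06Z offer_complete ip=198.51.100.9 user=42 offer=21
2024-05-01T10:02:00Z offer_complete ip=203.0.113.20 user=7 offer=17
2024-05-01T10:05:00Z stripe_session host=cashhive.ai key_prefix=sk_test
2024-05-01T10:05:30Z stripe_session host=staging.cashhive.ai key_prefix=sk_test
2024-05-01T10:06:00Z stripe_session host=cashhive.ai key_prefix=sk_live
EOF
}

# burst_alerts FILE EVENT KEY THRESHOLD: count EVENT lines per (minute, KEY=value)
# bucket and print "minute KEY=value count=N" for every bucket at or above
# THRESHOLD. Returns 1 when at least one alert fired, so it can drive a pager hook.
burst_alerts() {
    awk -v ev="$2" -v key="$3" -v thr="$4" '
        $2 == ev {
            minute = substr($1, 1, 16)   # 2024-05-01T10:00 -> one-minute bucket
            val = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) val = kv[2]
            }
            if (val != "") count[minute, val]++
        }
        END {
            for (k in count) if (count[k] >= thr) {
                split(k, parts, SUBSEP)
                printf "%s %s=%s count=%d\n", parts[1], key, parts[2], count[k]
                found = 1
            }
            exit (found ? 1 : 0)
        }' "$1"
}

# Failed verifications are keyed by client IP; completions by user, since a
# forged-completion loop tends to sit on one account.
verify_failed_bursts() { burst_alerts "$1" verify_failed ip "$2"; }
completion_bursts()    { burst_alerts "$1" offer_complete user "$2"; }

# test_key_usage FILE PRODHOST: print stripe_session events recorded on the
# production host that carry a test-mode key prefix; return 1 when any were found.
test_key_usage() {
    awk -v prod="$2" '
        $2 == "stripe_session" {
            host = ""; prefix = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "host") host = kv[2]
                if (kv[1] == "key_prefix") prefix = kv[2]
            }
            if (host == prod && (prefix == "sk_test" || prefix == "pk_test")) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# run_alerts FILE PRODHOST: run all three detectors; return 1 if any fired.
run_alerts() {
    rc=0
    verify_failed_bursts "$1" 3 || rc=1
    completion_bursts "$1" 3 || rc=1
    test_key_usage "$1" "$2" || rc=1
    return $rc
}

# Usage: sh alerts.sh app.log [prod-host]; with no arguments the constructed
# sample log is analysed instead.
if [ "$#" -gt 0 ]; then
    run_alerts "$1" "${2:-cashhive.ai}"
    exit $?
fi
sample=$(mktemp)
write_sample_log "$sample"
run_alerts "$sample" cashhive.ai || true
rm -f "$sample"
```

The detectors use fixed one-minute buckets, so a burst that straddles a minute boundary can be split below the threshold; a sliding window needs epoch conversion of the timestamps and is the next step once the thresholds are tuned against real traffic.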

## Operational Done
- Put the app in a local git repo and started preserving fix batches as commits.
