
Backend code analysis report: design and quality review#157

Draft
Copilot wants to merge 2 commits into main from copilot/analyze-backend-folder

Conversation


Copilot AI commented Feb 23, 2026

ℹ️ Issue

📝 Description

Deep analysis of the backend folder covering all 6 Lambda microservices, database schema, Docker infrastructure, and CLI tooling. The report (apps/backend/BACKEND_ANALYSIS.md) documents 28 findings across security, architecture, code quality, and testing.

Top findings:

  • Security (4 🔴): Unsanitized input passed directly to .set(body) in PUT /projects, no validation on PATCH /users, debug console.log leaking data, missing CORS preflight
  • Code duplication: ~2,000+ lines copy-pasted across services (db.ts, dev-server.ts, swagger-utils.ts, db-types.d.ts, json() helper, Dockerfile) — shared/ directory exists but is empty
  • Inconsistent patterns: Different response envelopes per service, mixed validation approaches (Error vs ValidationResult<T> vs inline), event: any despite importing APIGatewayProxyEvent
  • Testing gaps: Donors has zero tests, projects "unit" tests hit real DB, jest in production dependencies
  • Schema: Destructive DROP SCHEMA CASCADE on init, no migration system, missing updated_at columns

  1. Added apps/backend/BACKEND_ANALYSIS.md with prioritized findings and recommendations.

✔️ Verification

  • Read every .ts, .json, .yaml, Dockerfile, and .sql file across all 6 services
  • Cross-referenced patterns across services to identify duplication and inconsistencies
  • Verified security findings against actual source (e.g., projects/handler.ts:34 passes raw body to .set())
  • Ran CodeQL — no new vulnerabilities introduced (documentation-only change)

🏕️ (Optional) Future Work / Notes

The report itself contains a prioritized recommendations table. Highest priority items:

  • Whitelist fields in PUT /projects .set() call
  • Add input validation to PATCH /users
  • Extract shared code into the empty shared/ package
  • Move jest from dependencies to devDependencies in all services
  • Implement a migration system to replace the destructive DROP SCHEMA CASCADE setup script


Co-authored-by: nourshoreibah <168875317+nourshoreibah@users.noreply.github.com>
Copilot AI changed the title [WIP] Analyze backend folder for design and code quality issues Backend code analysis report: design and quality review Feb 23, 2026
Copilot AI requested a review from nourshoreibah February 23, 2026 02:39
