Prioritized list of issues to fix before production deployment.
Progress Summary
Last Updated: January 13, 2026
| Phase | Total Items | Completed | Progress |
|-------|-------------|-----------|----------|
| Phase 1: Security | 12 | 7 | 🟡 58% |
| Phase 2: Compliance | 12 | 0 | ⬜ 0% |
| Phase 3: Reliability | 13 | 3 | 🟡 23% |
| Phase 4: Performance | 10 | 0 | ⬜ 0% |
| Phase 5: Quality | 21 | 3 | 🟡 14% |
| Total | 68 | 13 | 19% |
Recently Completed (Jan 13, 2026)
- ✅ SEC-001: Webhook authentication fail-closed in production
- ✅ SEC-002: API key authentication fail-closed in production
- ✅ SEC-003: Secret validation fail-closed
- ✅ SEC-005/006: CORS whitelist required in production
- ✅ SEC-011/012: Helmet.js security headers + CSP
- ✅ REL-007/008/009: Shared database connection pool
- ✅ QUAL-005/006/007: Dead file cleanup (vapiEndpoints variants)
Backlog Overview
┌─────────────────────────────────────────────────────────────────────┐
│ REMEDIATION BACKLOG │
├─────────────────────────────────────────────────────────────────────┤
│ Phase 1: Security Foundation │ ~16 hours │ Week 1-2 │
│ Phase 2: Compliance │ ~24 hours │ Week 3-4 │
│ Phase 3: Reliability │ ~20 hours │ Week 5-6 │
│ Phase 4: Performance │ ~24 hours │ Week 7-8 │
│ Phase 5: Quality │ ~40 hours │ Week 9-12 │
├─────────────────────────────────────────────────────────────────────┤
│ TOTAL ESTIMATED EFFORT │ ~124 hours │ │
└─────────────────────────────────────────────────────────────────────┘
Phase 1: Security Foundation (CRITICAL)
Must complete before ANY real patient data enters the system.
1.1 Fix Authentication Bypasses
| ID | Task | File | Status |
|----|------|------|--------|
| SEC-001 | Remove webhook secret placeholder bypass | voice-agent/server.js:90-112 | ✅ DONE |
| SEC-002 | Remove API key bypass | voice-agent/vapiEndpoints.js:62-99 | ✅ DONE |
| SEC-003 | Fail startup if secrets not configured | All services | ✅ DONE (fail-closed in production) |
| SEC-004 | Add JWT secret validation | admin-dashboard/middleware/auth.js | ⬜ TODO |
Acceptance Criteria:
- [x] Services refuse requests without proper secrets in production
- [x] No "skip auth for testing" code paths in production mode
- [ ] All secrets validated at startup (JWT still pending)
1.2 Lock Down CORS
| ID | Task | File | Status |
|----|------|------|--------|
| SEC-005 | Replace wildcard CORS with whitelist | voice-agent/server.js:41-65 | ✅ DONE |
| SEC-006 | Configure allowed origins per environment | Environment config | ✅ DONE |
Acceptance Criteria:
- [x] CORS_ORIGIN required in production
- [x] Specific domains whitelisted
- [x] No wildcard * in production
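The fail-closed behaviour behind SEC-001..004 and the CORS allowlist behind SEC-005/006 come down to one startup check plus one origin predicate. The block below is an added example, not the project's own `server.js` code: the environment variable names (`VAPI_WEBHOOK_SECRET`, `API_KEY`, `JWT_SECRET`, `CORS_ORIGIN`), the placeholder list and the 32-character minimum are assumptions for illustration. It collects every problem before deciding, refuses to start in production, and treats a placeholder value as identical to a missing secret, which is what the removed bypass paths got wrong.

```javascript
'use strict';
// Added example (not the project's own code): fail-closed startup validation covering
// SEC-001..004 and SEC-005/006. Variable names (REQUIRED_SECRETS, CORS_ORIGIN parsing,
// the 32-char minimum) are assumptions for illustration.

// Values that the removed bypass paths treated as "unset". A placeholder is the
// same as no secret at all.
const PLACEHOLDERS = new Set(['', 'changeme', 'your-secret-here', 'placeholder', 'test', 'secret']);
const MIN_SECRET_LENGTH = 32;
const REQUIRED_SECRETS = ['VAPI_WEBHOOK_SECRET', 'API_KEY', 'JWT_SECRET'];

function secretProblem(name, value) {
  if (value === undefined || PLACEHOLDERS.has(String(value).trim().toLowerCase())) {
    return `${name} is not set or is a placeholder value`;
  }
  if (value.length < MIN_SECRET_LENGTH) {
    return `${name} is too short (${value.length} chars, need at least ${MIN_SECRET_LENGTH})`;
  }
  return null;
}

function parseOrigins(raw) {
  return String(raw || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Collects every problem rather than stopping at the first, so one restart fixes all.
function validateConfig(env) {
  const production = env.NODE_ENV === 'production';
  const errors = [];
  for (const name of REQUIRED_SECRETS) {
    const problem = secretProblem(name, env[name]);
    if (problem) errors.push(problem);
  }
  const origins = parseOrigins(env.CORS_ORIGIN);
  if (origins.length === 0) errors.push('CORS_ORIGIN is not set');
  if (origins.includes('*')) errors.push('CORS_ORIGIN must not contain the wildcard *');
  for (const o of origins) {
    if (o === '*') continue;
    if (!/^https?:\/\/[a-z0-9.-]+(:\d+)?$/i.test(o)) errors.push(`CORS_ORIGIN entry is not an origin: ${o}`);
    else if (production && o.startsWith('http://')) errors.push(`CORS_ORIGIN entry is not https: ${o}`);
  }
  return { ok: errors.length === 0, errors, origins, production };
}

// Fail closed: in production any error aborts startup. Elsewhere the errors are
// returned for the caller to log, so local development still runs.
function assertStartupConfig(env) {
  const result = validateConfig(env);
  if (!result.ok && result.production) {
    throw new Error(`Refusing to start: ${result.errors.join('; ')}`);
  }
  return result;
}

// Exact-match allowlist for the cors() middleware's `origin` option. A request with
// no Origin header is not a browser cross-origin request; admitting it is a
// separate decision (allowNoOrigin), not a wildcard.
function originAllowed(origin, allowlist, allowNoOrigin = false) {
  if (!origin) return allowNoOrigin;
  return allowlist.includes(origin);
}
```

Call `assertStartupConfig(process.env)` before the first `app.listen`, and pass `(origin, cb) => cb(null, originAllowed(origin, result.origins))` as the `origin` option of `cors()`. The origin comparison is an exact string match on scheme, host and port; a prefix or regex match is how `https://clinic.example.com.evil.net` gets through.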
1.3 Validate All Input
| ID | Task | File | Status |
|----|------|------|--------|
| SEC-007 | Add Joi/Zod schemas for all endpoints | voice-agent/vapiEndpoints.js | ⬜ TODO |
| SEC-008 | Validate phone number formats | All phone inputs | ⬜ TODO |
| SEC-009 | Validate date/time formats | Appointment endpoints | ⬜ TODO |
| SEC-010 | Sanitize patient name inputs | Registration endpoint | ⬜ TODO |
Acceptance Criteria:
- [ ] All endpoints validate input before processing
- [ ] Invalid input returns 400 with clear error
- [ ] No SQL injection vectors (parameterized queries everywhere; input validation narrows what reaches the database but is not the SQL defence)
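What SEC-007..010 look like in code, as an added example rather than the project's endpoint code: the backlog asks for Joi/Zod schemas, and the rules below are the same checks written as plain functions so they run with no dependencies (with Zod they become a `z.object({...}).strict()`). The field names (`patientName`, `phone`, `startsAt`) and the one-year booking horizon are assumptions. The points a schema has to get right are shown explicitly: unknown fields are rejected, the name check is an allowlist rather than a strip of "dangerous" characters, the phone is normalised to E.164 before it is stored, and the date is checked against the calendar so `2026-02-30` is a 400 instead of silently rolling into March.

```javascript
'use strict';
// Added example (not the project's code): the validation rules SEC-007..010 ask for,
// written as plain functions so they run without Joi/Zod. Field names (patientName,
// phone, startsAt) and the one-year booking horizon are assumptions.

// E.164: '+', a non-zero country-code digit, then 7 to 14 more digits.
const E164 = /^\+[1-9]\d{7,14}$/;
// Allowlist for names: letters in any script, combining marks, space, apostrophe,
// hyphen, period; 1 to 100 characters. Allowlisting beats stripping "bad" characters.
const NAME = /^[\p{L}\p{M}][\p{L}\p{M} '\-.]{0,99}$/u;
// Full ISO-8601 timestamp with an explicit zone; date-only or zone-less values are rejected.
const ISO = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})(?::(\d{2}))?(Z|[+-]\d{2}:\d{2})$/;
const ALLOWED_FIELDS = new Set(['patientName', 'phone', 'startsAt']);
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Strip common formatting, then require E.164. Returns the normalised number or null.
function normalisePhone(raw) {
  if (typeof raw !== 'string') return null;
  const digits = raw.replace(/[\s().-]/g, '');
  return E164.test(digits) ? digits : null;
}

// Returns a Date, or null. Checks calendar validity explicitly (2026-02-30 is rejected)
// instead of trusting Date's rollover behaviour.
function parseAppointmentTime(raw) {
  const m = typeof raw === 'string' ? ISO.exec(raw) : null;
  if (!m) return null;
  const [y, mo, d, h, mi, s] = m.slice(1, 7).map((x) => Number(x ?? 0));
  const probe = new Date(Date.UTC(y, mo - 1, d));
  if (probe.getUTCFullYear() !== y || probe.getUTCMonth() !== mo - 1 || probe.getUTCDate() !== d) return null;
  if (h > 23 || mi > 59 || s > 59) return null;
  const date = new Date(raw);
  return Number.isNaN(date.getTime()) ? null : date;
}

// Validates a booking body. On failure returns status 400 with one message per field
// (what was wrong, never the offending value echoed back).
function validateBooking(body, now = Date.now()) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, status: 400, errors: [{ field: '(body)', message: 'expected a JSON object' }] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push({ field: key, message: 'unknown field' });
  }
  const patientName = typeof body.patientName === 'string' ? body.patientName.trim() : '';
  if (!NAME.test(patientName)) {
    errors.push({ field: 'patientName', message: '1-100 letters, spaces, apostrophes, hyphens or periods' });
  }
  const phone = normalisePhone(body.phone);
  if (!phone) errors.push({ field: 'phone', message: 'must be an E.164 number such as +14165550123' });
  const startsAt = parseAppointmentTime(body.startsAt);
  if (!startsAt) {
    errors.push({ field: 'startsAt', message: 'must be an ISO-8601 timestamp with timezone' });
  } else if (startsAt.getTime() <= now || startsAt.getTime() > now + ONE_YEAR_MS) {
    errors.push({ field: 'startsAt', message: 'must be in the future and within one year' });
  }
  if (errors.length > 0) return { ok: false, status: 400, errors };
  return { ok: true, value: { patientName, phone, startsAt: startsAt.toISOString() } };
}
```

In a route handler the shape is `const v = validateBooking(req.body); if (!v.ok) return res.status(v.status).json({ errors: v.errors });` and only `v.value` (never `req.body`) is handed to the database layer. The validated values still go into parameterized queries; the schema is there to reject garbage early and to make the 400 response useful to the caller.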
1.4 Add Security Headers
| ID | Task | File | Status |
|----|------|------|--------|
| SEC-011 | Add helmet.js middleware | voice-agent/server.js:20-35 | ✅ DONE |
| SEC-012 | Configure CSP headers | voice-agent/server.js:22-33 | ✅ DONE |
Acceptance Criteria:
- [x] All security headers present (helmet.js)
- [x] CSP configured for API service
- [ ] Admin dashboard headers (pending)
Phase 2: Compliance (REQUIRED FOR HEALTHCARE)
2.1 Implement Audit Logging
| ID | Task | File | Status |
|----|------|------|--------|
| COMP-001 | Create audit log service | New file | ⬜ TODO |
| COMP-002 | Log all PHI access | Database queries | ⬜ TODO |
| COMP-003 | Log all admin actions | Admin dashboard | ⬜ TODO |
| COMP-004 | Make audit logs immutable | Database constraints | ⬜ TODO |
| COMP-005 | Add audit log retention policy | Scheduled job | ⬜ TODO |
Acceptance Criteria:
- [ ] Every PHI access logged with who, what, when, why
- [ ] Audit logs cannot be modified or deleted
- [ ] Retention policy enforced (7 years for PHIPA)
2.2 Encrypt Stored Credentials
| ID | Task | File | Status |
|----|------|------|--------|
| COMP-006 | Implement encryption service | New file | ⬜ TODO |
| COMP-007 | Encrypt OAuth secrets at rest | clinic_config table | ⬜ TODO |
| COMP-008 | Implement key rotation | Key management | ⬜ TODO |
| COMP-009 | Migrate existing plaintext secrets | Migration script | ⬜ TODO |
Acceptance Criteria:
- [ ] All secrets encrypted with AES-256-GCM
- [ ] Encryption keys managed via KMS/Vault
- [ ] Key rotation documented and tested
2.3 Add RBAC Enforcement
| ID | Task | File | Status |
|----|------|------|--------|
| COMP-010 | Define permission matrix | Documentation | ⬜ TODO |
| COMP-011 | Implement permission checks | All protected routes | ⬜ TODO |
| COMP-012 | Add clinic isolation checks | All data queries | ⬜ TODO |
Acceptance Criteria:
- [ ] Users can only access their clinic's data
- [ ] Role-based permissions enforced
- [ ] Superadmin access logged
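COMP-010..012 and the three criteria above are one decision function plus one query guard: the role decides *what* a user may do, the clinic on the resource decides *whose* data it may be done to, and superadmin is the only role that crosses clinics, so it is the one that produces an audit record. The block below is an added example, not the project's middleware; the roles, the action names and the shape of `user` and `resource` are assumptions.

```javascript
'use strict';
// Added example (not the project's code): permission matrix plus clinic isolation in a
// single authorization decision. Roles, action names and the shape of `user` /
// `resource` ({ clinicId }) are assumptions for illustration.

const PERMISSIONS = Object.freeze({
  receptionist: new Set(['appointment:read', 'appointment:write', 'patient:read']),
  clinician:    new Set(['appointment:read', 'patient:read', 'patient:write']),
  clinic_admin: new Set(['appointment:read', 'appointment:write', 'patient:read', 'patient:write', 'config:read', 'config:write']),
  superadmin:   new Set(['*']),
});

// Returns { allow, reason, audit? }. The caller writes `audit` to the audit log when
// present (superadmin access logged) and returns a plain 403 to the client; `reason`
// is for server-side logs, not the response body.
function authorize(user, action, resource) {
  const perms = PERMISSIONS[user.role];
  if (!perms) return { allow: false, reason: `unknown role ${user.role}` };
  if (perms.has('*')) {
    return {
      allow: true,
      reason: 'superadmin',
      audit: { actor: user.id, action, clinicId: resource.clinicId, crossClinic: resource.clinicId !== user.clinicId },
    };
  }
  if (!perms.has(action)) return { allow: false, reason: `role ${user.role} may not ${action}` };
  // Isolation: every non-superadmin decision is scoped to the caller's own clinic.
  if (!user.clinicId || resource.clinicId !== user.clinicId) {
    return { allow: false, reason: 'resource belongs to another clinic' };
  }
  return { allow: true, reason: 'role permits within own clinic' };
}

// Query-side isolation: the data layer adds the clinic scope to every filter, so a
// route that forgot authorize() still cannot return another clinic's rows. A filter
// that already names a different clinic is a bug or an attack; either way, refuse.
function scopeToClinic(user, filter = {}) {
  if (PERMISSIONS[user.role]?.has('*')) return { ...filter }; // superadmin: filter as given
  if (!user.clinicId) throw new Error('user has no clinic');
  if ('clinic_id' in filter && filter.clinic_id !== user.clinicId) throw new Error('filter names another clinic');
  return { ...filter, clinic_id: user.clinicId };
}
```

Two checks, not one, because they fail differently: the route check gives the user a 403, while the query guard is the backstop that turns a missed route check into an empty result set instead of a cross-clinic leak. Both read `clinicId` from the verified session, never from the request body or query string.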
Phase 3: Reliability
3.1 Add Rate Limiting
| ID | Task | File | Status |
|----|------|------|--------|
| REL-001 | Add rate limiting to webhook endpoint | server.js | ⬜ TODO |
| REL-002 | Implement per-clinic rate limits | All Vapi endpoints | ⬜ TODO |
| REL-003 | Use Redis for rate limit storage | Rate limit middleware | ⬜ TODO |
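REL-001..003 share one design question: what the counter is keyed on, and where it lives. The block below is an added example, not the project's middleware: a fixed-window limiter whose counter store is pluggable, with an in-memory store for local use and tests. A Redis store implements the same `incr(key, ttlMs)` call (`INCR` plus `EXPIRE` on first hit, or one Lua script) so every instance shares a single count, which is the whole point of REL-003. The key function, the limit values and the `req` fields it reads are assumptions.

```javascript
'use strict';
// Added example (not the project's code): fixed-window rate limiter with a pluggable
// counter store. MemoryCounterStore is for a single process and tests; a Redis store
// implements the same incr(key, ttlMs) contract. Key names and req fields are assumptions.

class MemoryCounterStore {
  constructor(now = () => Date.now()) { this.now = now; this.buckets = new Map(); }
  // Increments `key`, creating it with a `ttlMs` lifetime on first use in the window.
  // Returns the new count and when the window resets (Redis: INCR + EXPIRE / PTTL).
  incr(key, ttlMs) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || b.expiresAt <= t) { b = { count: 0, expiresAt: t + ttlMs }; this.buckets.set(key, b); }
    b.count += 1;
    return { count: b.count, resetAt: b.expiresAt };
  }
}

// Returns check(key) -> { allowed, remaining, retryAfterSec }. The caller maps a
// refusal to 429 with a Retry-After header and does not do any further work.
function createRateLimiter({ store, limit, windowMs, now = () => Date.now() }) {
  return function check(key) {
    const { count, resetAt } = store.incr(key, windowMs);
    const allowed = count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - count),
      retryAfterSec: allowed ? 0 : Math.max(1, Math.ceil((resetAt - now()) / 1000)),
    };
  };
}

// The key is the policy. Once the webhook signature has been verified and the clinic
// resolved, count against the clinic (REL-002); before that, count against the source
// address, so an unauthenticated flood cannot exhaust a real clinic's budget.
function limitKey(req) {
  if (req.clinicId) return `rl:clinic:${req.clinicId}`;
  return `rl:ip:${req.ip}`;
}
```

Run the IP-keyed check before signature verification (it is cheap and protects the HMAC work) and the clinic-keyed check after it. When the store is Redis and Redis is unreachable, decide explicitly whether the limiter fails open or closed; for the webhook endpoint, failing open and alerting is usually the right trade, since the signature check still stands.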
3.2 Implement Circuit Breaker
| ID | Task | File | Status |
|----|------|------|--------|
| REL-004 | Add opossum circuit breaker | oscarService.js | ⬜ TODO |
| REL-005 | Configure breaker thresholds | Config | ⬜ TODO |
| REL-006 | Add breaker status to health check | Health endpoint | ⬜ TODO |
3.3 Fix Connection Pooling
| ID | Task | File | Status |
|----|------|------|--------|
| REL-007 | Create shared pool module | voice-agent/db/pool.js | ✅ DONE |
| REL-008 | Remove duplicate pool creations | vitaraDb.js, clinicRouter.js | ✅ DONE |
| REL-009 | Add pool monitoring | db/pool.js:healthCheck() | ✅ DONE |
3.4 Improve Health Checks
| ID | Task | File | Status |
|----|------|------|--------|
| REL-010 | Add database health check | Health endpoint | ⬜ TODO |
| REL-011 | Add OSCAR connectivity check | Health endpoint | ⬜ TODO |
| REL-012 | Add Redis health check | Health endpoint | ⬜ TODO |
| REL-013 | Return proper HTTP codes | 200 OK, 503 degraded | ⬜ TODO |
Phase 4: Performance
4.1 Add Caching Layer
| ID | Task | File | Status |
|----|------|------|--------|
| PERF-001 | Add Redis caching | New cache service | ⬜ TODO |
| PERF-002 | Cache clinic config | clinicRouter.js | ⬜ TODO |
| PERF-003 | Cache provider list | Provider endpoints | ⬜ TODO |
| PERF-004 | Add cache invalidation | Admin updates | ⬜ TODO |
4.2 Fix N+1 Queries
| ID | Task | File | Status |
|----|------|------|--------|
| PERF-005 | Refactor getClinicInfo to use JOINs | vitaraDb.js | ⬜ TODO |
| PERF-006 | Batch provider queries | find-earliest endpoint | ⬜ TODO |
| PERF-007 | Add query performance logging | Database layer | ⬜ TODO |
4.3 Async Processing
| ID | Task | File | Status |
|----|------|------|--------|
| PERF-008 | Add request queue for OSCAR | New queue service | ⬜ TODO |
| PERF-009 | Move long operations to workers | OSCAR calls | ⬜ TODO |
| PERF-010 | Add request timeout handling | All external calls | ⬜ TODO |
Phase 5: Quality
5.1 Replace Debug Logging
| ID | Task | File | Status |
|----|------|------|--------|
| QUAL-001 | Add structured logger (pino) | New logger service | ⬜ TODO |
| QUAL-002 | Replace all console.log | All files | ⬜ TODO |
| QUAL-003 | Add log redaction for PHI | Logger config | ⬜ TODO |
| QUAL-004 | Configure log levels per environment | Environment config | ⬜ TODO |
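QUAL-003 is the security item in this table: once `console.log` calls are replaced, PHI still leaks if a phone number or health card number was interpolated into a message string, which pino's path-based `redact` option does not see. The block below is an added example, not the project's logger config: a redaction pass for both named fields and free text, applied to the record before it reaches the logger. The PHI field names and the number patterns are assumptions for this clinic's data; the digit-count check keeps dates and timestamps from being masked as phone numbers.

```javascript
'use strict';
// Added example (not the project's code): PHI redaction applied to a log record before it
// reaches pino. Named fields are masked by key; free-text strings are scanned for health
// card and phone numbers. Field names and patterns are assumptions for this clinic's data.

const PHI_KEYS = new Set(['patientName', 'firstName', 'lastName', 'phone', 'dob', 'healthCardNumber', 'email', 'notes']);
// 10-digit health card number, optional separators, optional two-letter version code.
const HEALTH_CARD = /\b\d{4}[ -]?\d{3}[ -]?\d{3}(?:[ -]?[A-Z]{2})?\b/g;
// Candidate digit runs with phone-style punctuation; the digit count decides below.
const DIGIT_RUN = /\+?\d[\d\s().-]{6,}\d/g;

// Health cards first (they would otherwise be counted as phones), then anything with
// 10 to 15 digits is treated as a phone number. An 8-digit date is left alone.
function redactString(s) {
  return s.replace(HEALTH_CARD, '[HCN]').replace(DIGIT_RUN, (m) => {
    const digits = m.replace(/\D/g, '').length;
    return digits >= 10 && digits <= 15 ? '[PHONE]' : m;
  });
}

// Recursively copies `value`, masking PHI keys and scanning strings. Never mutates the
// input (the caller may still need the real values) and bounds recursion depth.
function redactPHI(value, depth = 0) {
  if (depth > 20) return '[depth]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactPHI(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = PHI_KEYS.has(k) ? '[REDACTED]' : redactPHI(v, depth + 1);
    }
    return out;
  }
  return value;
}
```

With pino, the key-based half of this is `redact: { paths: ['patientName', 'phone', '*.phone', 'req.body.patientName'], censor: '[REDACTED]' }` in the logger options; the string-scanning half belongs in a `formatters.log` hook or a wrapper such as `log.info(redactPHI(obj), msg)`. Treat the regexes as a safety net, not the control: the real fix for QUAL-002/003 is to stop passing patient records to the logger in the first place.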
5.2 Consolidate Code
| ID | Task | File | Status |
|----|------|------|--------|
| QUAL-005 | Identify canonical vapiEndpoints | vapiEndpoints.js | ✅ DONE |
| QUAL-006 | Merge functionality | Single file | ✅ DONE (canonical identified) |
| QUAL-007 | Delete dead versions | Removed -updated.js, -vitara.js | ✅ DONE |
| QUAL-008 | Standardize error response format | All endpoints | ⬜ TODO |
5.3 Fix Schema Drift
| ID | Task | File | Status |
|----|------|------|--------|
| QUAL-009 | Choose canonical schema | Decision | ⬜ TODO |
| QUAL-010 | Create migration path | Migration script | ⬜ TODO |
| QUAL-011 | Remove deprecated schema | Delete old file | ⬜ TODO |
| QUAL-012 | Add schema validation in CI | CI pipeline | ⬜ TODO |
5.4 Add Test Suite
| ID | Task | File | Status |
|----|------|------|--------|
| QUAL-013 | Set up Jest test framework | Package config | ⬜ TODO |
| QUAL-014 | Write unit tests for utils | utils.test.js | ⬜ TODO |
| QUAL-015 | Write unit tests for validators | validators.test.js | ⬜ TODO |
| QUAL-016 | Write integration tests for endpoints | api.test.js | ⬜ TODO |
| QUAL-017 | Add test coverage reporting | Jest config | ⬜ TODO |
| QUAL-018 | Set minimum coverage threshold (60%) | CI pipeline | ⬜ TODO |
5.5 Move Hardcoded Values
| ID | Task | File | Status |
|----|------|------|--------|
| QUAL-019 | Create constants config file | New config/constants.js | ⬜ TODO |
| QUAL-020 | Extract all magic numbers | All files | ⬜ TODO |
| QUAL-021 | Document all configuration options | README | ⬜ TODO |
Quick Wins (< 1 Hour Each)
These can be done immediately to improve security posture:
- [ ] Add `.env.example` with placeholder values only (never real secrets)
- [ ] Enable strict CORS in production
- [ ] Add `helmet.js` to Express apps
- [ ] Remove `console.log` statements that print PHI
- [ ] Add `express-validator` to one endpoint as a template
- [ ] Add a `process.on('uncaughtException')` handler (log and exit; do not keep serving in an unknown state)
- [ ] Set `NODE_ENV=production` in deployment
Tracking Template
Copy this template to track progress:
```markdown
## Sprint: [DATE]

### Completed
- [x] SEC-001: Remove webhook secret placeholder bypass

### In Progress
- [ ] SEC-002: Remove API key bypass

### Blocked
- [ ] COMP-006: Waiting for KMS access

### Notes
- [Any relevant notes]
```
Definition of Done
An item is complete when:
- ✅ Code changes implemented
- ✅ Unit tests written and passing
- ✅ Integration tests updated if needed
- ✅ Documentation updated
- ✅ Code reviewed and approved
- ✅ Deployed to staging
- ✅ Verified in staging environment
- ✅ Merged to main branch
Backlog created: January 2026
Last updated: January 2026