# LotusCloud Platform Audit Report — 2026-03-09

## Executive Summary

LotusCloud is a **Vietnamese enterprise cloud platform** (AWS/GCP-style) built with **44 Go microservices**, a **Next.js web console**, and full observability stack. This audit covers codebase review, security analysis, bug identification, and deployment verification.

---

## 1. Architecture Overview

| Layer | Technology | Status |
|-------|-----------|--------|
| **Backend** | Go 1.24, Gin framework, GORM ORM | ✅ Production |
| **Database** | PostgreSQL 16 (shared, per-service schemas) | ✅ Running |
| **Cache** | Redis 7 | ✅ Running |
| **Messaging** | RabbitMQ 3 (AMQP) | ✅ Running |
| **Frontend** | Next.js (lotus-console) | ✅ Running :3100 |
| **API Gateway** | Custom Go reverse proxy | ✅ Running :8080 |
| **Observability** | OpenTelemetry → Jaeger, Prometheus, Grafana | ✅ Running |
| **Deployment** | Docker Compose (dev), Kubernetes Helm (prod), Terraform IaC | ✅ Ready |

### Service Categories (44 total)

| Category | Services | Ports |
|----------|----------|-------|
| **Core Platform** | iam, api-gateway, compute, storage, network, billing, sql | 8080-8086 |
| **Network & Security** | load-balancer, dns, firewall, vpn-gateway, nat-gateway, private-link, global-lb, waf | 8087-8088, 8095-8096, 8107, 8117-8118, 8125 |
| **Compute & Orchestration** | container, appservice, serverless, scheduler, autoscale, ai-agent, gpu | 8090, 8094, 8098, 8105, 8109, 8130-8131 |
| **Data & Storage** | postgres, mysql, redis, mongo, object-storage, block-storage, vector-db | 8116, 8120-8124, 8133 |
| **Management** | resource-manager, monitor, audit, notification, logging, metrics, costmgmt | 8091-8092, 8103, 8114-8115, 8126-8127 |
| **Platform** | keyvault, registry, cdn, cache, apim, eventgrid, servicebus, policy, quota, workflow, image, snapshot, backup, migration, git-deploy, model-registry, subscription, ddos, ipam | 8089, 8093, 8097, 8099-8102, 8104, 8106, 8108, 8110-8113, 8119, 8128-8129, 8132, 8134 |

### Shared Packages (7)

| Package | Purpose |
|---------|---------|
| `logger` | Zerolog structured logging |
| `dbconnector` | GORM + PostgreSQL connection pool (30 max, 10 idle) |
| `rbac` | Remote IAM authorization middleware |
| `errorhandler` | Standardized API response format |
| `events` | RabbitMQ billing event publisher (with DLQ & retry) |
| `tracing` | OpenTelemetry + Jaeger distributed tracing |
| `geoip` | Geo IP lookup |

---

## 2. Real Infrastructure Features (Implemented)

### 2.1 Compute Service — Docker Container Runtime
| Feature | Description |
|---------|------------|
| `CreateInstance` | Launches Docker containers with CPU/memory limits, labels, networking |
| `Start/Stop/Restart/Delete` | Full lifecycle via Docker CLI |
| `Console (ExecCommand)` | Execute commands inside containers (with injection protection) |
| `Logs` | Stream container logs via `docker logs --tail` |
| **Flavor Specs** | `lc.small` (1 CPU, 512MB) → `lc.xlarge` (8 CPU, 4GB) |
| **Image Map** | ubuntu-22.04, ubuntu-24.04, debian-12, centos-stream, alpine-3.19 |

### 2.2 Object Storage — Real File I/O
| Feature | Description |
|---------|------------|
| `PutObject` | Writes to disk with MD5 ETag + `.meta` sidecar |
| `GetObject` | Streams file with Content-Type headers |
| `DeleteObject` | Removes file + metadata |
| `ListObjects` | Prefix-filtered directory walk |
| **S3-Compatible Routes** | `PUT/GET/DELETE /s3/buckets/:name/objects/*key` |
| **Path Traversal Protection** | Regex whitelist + resolved path verification |

### 2.3 Edge Router — Domain→Container Routing
| Feature | Description |
|---------|------------|
| `RegisterRoute` | Maps domain/subdomain → container backend |
| `Handler()` | `httputil.ReverseProxy` for HTTP forwarding |
| `GenerateNginxConfig` | Produces Nginx server blocks with proxy_pass + WebSocket |
| **Port Discovery** | Auto-detects host port via `docker port` |
| **Admin API** | `GET /edge-router/routes` |

### 2.4 Build Cache System
| Feature | Description |
|---------|------------|
| `CacheKey` | SHA-256 of lockfiles (package-lock, yarn.lock, go.sum, Cargo.lock, etc.) |
| `Restore/Save` | Framework-specific cache layers (node_modules, .next/cache, .pip_cache, .gomod_cache) |
| `CleanExpired` | Auto-expire after 7 days |
| **Pipeline Integration** | Restore before build, save after success |

### 2.5 Preview Deploy
| Feature | Description |
|---------|------------|
| `POST /apps/:id/preview` | Creates `{app}-preview-{branch}` subdomain |
| **Branch Sanitization** | Replaces `/_.space` → hyphen, max 20 chars |
| **Separate Build** | Enqueues with `trigger=preview` |

### 2.6 Container Health Monitor
| Feature | Description |
|---------|------------|
| **Periodic Polling** | Docker stats (CPU, memory, network, restart count) |
| **Unhealthy Alerts** | Callback on non-running or unhealthy containers |
| `AutoRestart` | `docker restart` for crashed containers |
| **API Endpoints** | `GET /container-health`, `GET /container-health/:name`, `POST /container-health/:name/restart` |

### 2.7 AI Agent Service — Project Generator
| Feature | Description |
|---------|------------|
| Code generation engine | Generates full project scaffolding (Go, Next.js, FastAPI, etc.) |
| Action system | AI-driven insight and automation actions |

### 2.8 Git Deploy Service — Full CI/CD Pipeline
| Feature | Description |
|---------|------------|
| Framework detection | Auto-detects Next.js, Python, Go, Rust, Node.js, Docker, static |
| Build pipeline | Clone → detect → cache restore → build → cache save → push → deploy |
| Docker-based deployment | Container per app with resource limits |
| GitHub webhook integration | Auto-deploy on push |

---

## 3. Security Audit

### 3.1 Vulnerabilities Found & Fixed (2026-03-09)

#### CRITICAL — Fixed ✅

| # | Vulnerability | File | Fix Applied |
|---|--------------|------|-------------|
| 1 | **Command Injection — Console Exec** | compute-service/runtime/docker.go | Replaced `sh -c` with split args + regex whitelist `[a-zA-Z0-9 _./\-=:@]` |
| 2 | **Command Injection — Git Clone** | git-deploy-service/engine/engine.go | Added URL scheme validation (https/http/ssh/git) + branch name regex `[a-zA-Z0-9._/-]` |
| 3 | **Command Injection — Docker Build Args** | git-deploy-service/engine/engine.go | Added env var format validation, rejects shell metacharacters `;&\|$(){}[]<>!` |
| 4 | **Path Traversal — Object Storage** | object-storage-service/storage/filesystem.go | Replaced simple `..` removal with: regex whitelist, absolute path rejection, resolved path containment check |

#### HIGH — Fixed ✅

| # | Vulnerability | File | Fix Applied |
|---|--------------|------|-------------|
| 5 | **Insecure File Permissions** | object-storage-service/storage/filesystem.go | Changed `.meta` files from `0644` → `0600` |
| 6 | **Unvalidated Docker Filter** | monitor-service/healthcheck/checker.go | Added `[a-zA-Z0-9._-]` regex validation on filter parameter |

#### MEDIUM — Remaining (recommendations)

| # | Issue | Recommendation |
|---|-------|---------------|
| 7 | Rate limiting is global per-IP | Add per-user + per-endpoint rate limits |
| 8 | CORS allows all methods globally | Restrict methods per origin |
| 9 | API key wildcard `*` scope | Restrict to service accounts only |
| 10 | No JWT key rotation mechanism | Implement multi-key support with rotation |

#### LOW — Remaining (recommendations)

| # | Issue | Recommendation |
|---|-------|---------------|
| 11 | No audit logging for API key operations | Add audit trail for sensitive actions |
| 12 | Build logs may contain secrets | Implement log redaction for URLs with credentials |

### 3.2 Security Strengths

- ✅ **JWT + RBAC** — Action-based permissions with project isolation
- ✅ **MFA (TOTP)** — Multi-factor authentication with backup codes
- ✅ **Refresh Token Rotation** — Old tokens invalidated on reuse
- ✅ **PBKDF2 Hashing** — API keys and tokens properly hashed
- ✅ **Service Principals** — Machine-to-machine auth with limited TTL
- ✅ **Centralized Auth** — All requests validated through API Gateway
- ✅ **Health Checks** — All services report health status
- ✅ **Event-Driven Billing** — RabbitMQ with DLQ and retry

---

## 4. Deployment Status (This Machine)

### Server Specs
| Resource | Value |
|----------|-------|
| **CPU** | 32 cores |
| **RAM** | 94 GB |
| **Disk** | 78 GB free / 353 GB total |
| **Docker** | 29.0.2 + Compose v2.40.3 |
| **OS** | Linux (Ubuntu) |

### Running Services
All 44 services + infrastructure (PostgreSQL, Redis, RabbitMQ, Jaeger, Prometheus, Grafana, lotus-console) deployed via `docker compose up -d`.

### Access Points

| Service | URL |
|---------|-----|
| **API Gateway** | http://localhost:8080 |
| **Web Console** | http://localhost:3100 |
| **Grafana** | http://localhost:3300 |
| **Jaeger UI** | http://localhost:16686 |
| **Prometheus** | http://localhost:9090 |
| **RabbitMQ UI** | http://localhost:15672 |

### Smoke Test Results
```
GET /healthz → {"success":true,"data":{"status":"ok"}}
POST /api/v1/auth/login → Properly rejects invalid credentials
```

---

## 5. Missing Features & Recommendations

### 5.1 Infrastructure Gaps

| Feature | Priority | Description |
|---------|----------|-------------|
| **Service Mesh** | HIGH | No Istio/Linkerd — add mTLS between services |
| **Circuit Breaker** | HIGH | No circuit breaking pattern — add resilience4j equivalent |
| **gRPC** | MEDIUM | Services communicate via HTTP only — add gRPC for internal calls |
| **Database Migrations** | MEDIUM | Using AutoMigrate — switch to versioned migrations (golang-migrate) |
| **Redis Caching** | MEDIUM | Redis deployed but no cache middleware in gateway |
| **API Validation** | MEDIUM | Relies on Gin binding tags only — add JSON Schema validation |
| **Full-Text Search** | LOW | No Elasticsearch integration |
| **GraphQL** | LOW | REST-only API |

### 5.2 Operational Gaps

| Feature | Priority | Description |
|---------|----------|-------------|
| **Secrets Rotation** | HIGH | Static env vars — need dynamic secret injection (Vault) |
| **Centralized Logging** | MEDIUM | Each service logs independently — need ELK/Loki aggregation |
| **Chaos Engineering** | LOW | No fault injection testing |
| **API Versioning** | LOW | Single /api/v1 — plan for v2 |

---

## 6. Service Port Map (Quick Reference)

```
8080  api-gateway          8105  autoscale-service
8081  iam-service           8106  servicebus-service
8082  compute-service       8107  private-link-service
8083  storage-service       8108  ddos-service
8084  network-service       8109  scheduler-service
8085  billing-service       8110  quota-service
8086  sql-service           8111  workflow-engine
8087  load-balancer-service 8112  image-service
8088  dns-service           8113  snapshot-service
8089  keyvault-service      8114  audit-service
8090  container-service     8115  notification-service
8091  monitor-service       8116  mongo-service
8092  resource-manager      8117  nat-gateway-service
8093  registry-service      8118  global-lb-service
8094  appservice-service    8119  ipam-service
8095  vpn-gateway-service   8120  postgres-service
8096  firewall-service      8121  mysql-service
8097  backup-service        8122  redis-service
8098  serverless-service    8123  object-storage-service
8099  cdn-service           8124  block-storage-service
8100  cache-service         8125  waf-service
8101  apim-service          8126  logging-service
8102  eventgrid-service     8127  metrics-service
8103  costmgmt-service      8128  migration-service
8104  policy-service        8129  git-deploy-service
                            8130  ai-agent-service
3100  lotus-console         8131  gpu-service
3300  grafana               8132  model-registry-service
5432  postgres              8133  vector-db-service
5672  rabbitmq              8134  subscription-service
9090  prometheus
16686 jaeger
```

---

## 7. API Quick Reference

### Authentication
```bash
# Register
POST /api/v1/auth/register
{"email":"...", "password":"...", "full_name":"..."}

# Login
POST /api/v1/auth/login
{"email":"...", "password":"..."}
# Returns: access_token, refresh_token

# Refresh
POST /api/v1/auth/refresh
{"refresh_token":"..."}
```

### Compute
```bash
# Create Instance
POST /api/v1/instances
Headers: Authorization: Bearer <token>, X-Project-ID: <uuid>
{"name":"web-1", "flavor":"lc.small", "image":"ubuntu-22.04"}

# Console
POST /api/v1/instances/:id/console
{"command":"ls -la"}

# Logs
GET /api/v1/instances/:id/logs?lines=100
```

### Object Storage
```bash
# Create Bucket
POST /api/v1/buckets
{"name":"my-bucket"}

# Upload Object
PUT /api/v1/s3/buckets/:name/objects/path/to/file.txt
Body: <file content>

# Download Object
GET /api/v1/s3/buckets/:name/objects/path/to/file.txt
```

### Git Deploy
```bash
# Deploy App
POST /api/v1/deploy-apps
{"name":"my-app", "subdomain":"my-app", "repo_url":"https://github.com/..."}

# Trigger Deploy
POST /api/v1/deploy-apps/:id/deploy
{"branch":"main", "commit_sha":"abc123"}

# Preview Deploy
POST /api/v1/deploy-apps/:id/preview
{"branch":"feature/login"}
```

---

*Generated: 2026-03-09 | LotusCloud v1.0 Phase 1 Audit*
