🟡 MEDIUM SEVERITY / MEDIUM EFFORT

| # | File | Issue | Why It Matters | Fix Approach |
|---|------|-------|----------------|--------------|
| 11 | `api/src/routes/callbacks.ts` | Race condition in pending check: two concurrent requests can both pass the status check | Double-processing of callbacks | Add `status: 'pending'` to the update `where` clause, or use a Prisma transaction |
| 12 | `api/tests/callbacks.ai.test.ts:28` | Test sends PHI: creates a patient with a real phone number `"+15555550999"` | Test data pollution, potential phone spam | Use a test-dedicated phone prefix like `+15551234TEST` |
| 13 | `api/src/routes/voice.ts:113-115` | No rate limiting on voice webhooks: Twilio endpoints are exposed without a rate limit | Voice API abuse possible | Add `apiLimiter` to the voice routes |
| 14 | `web/src/pages/Dashboard.tsx:57` | Polling instead of real-time: the 15-second polling interval causes UI lag | Poor UX, unnecessary API load | Replace with Server-Sent Events (SSE) or WebSocket for live updates |
| 15 | `api/src/services/appointments.ts` | Exported but unused: contains business logic that is not imported anywhere | Dead code, maintenance burden | Either integrate into routes or remove |
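The race in row 11 and the conditional-update fix, as an added TypeScript example (not the project's code). The callbacks table is stood in for by an in-memory `Map`, the Prisma `updateMany` call with `status: 'pending'` in its `where` clause is simulated by a helper that returns a matched-row count, and each handler is written as a generator whose `yield` marks the point where the real route awaits, so two concurrent requests can be interleaved deterministically. Row and status names are constructed for the example.

```typescript
// Added example: in-memory stand-in for the callbacks table, used to show why a
// separate "is it pending?" check races and how a conditional update closes the gap.
type CallbackStatus = 'pending' | 'processing' | 'processed';
interface CallbackRow { id: string; status: CallbackStatus }
type Db = Map<string, CallbackRow>;

// Stand-in for prisma.callback.updateMany({ where: { id, status: 'pending' },
// data: { status: next } }). Like Prisma's updateMany it returns how many rows
// matched; in a real database the single conditional UPDATE is atomic, so only
// one of several concurrent callers can see a count of 1.
function updateWherePending(db: Db, id: string, next: CallbackStatus): number {
  const row = db.get(id);
  if (!row || row.status !== 'pending') return 0;
  db.set(id, { ...row, status: next });
  return 1;
}

// Each handler is a generator; `yield` marks where the real route awaits
// (a DB round-trip, a downstream call) and another request gets to run.
type Handler = Generator<void, boolean, undefined>;

// Check-then-act: read the status, await something, then write. Both requests
// read 'pending' before either writes, so both process the callback.
function* naiveHandler(db: Db, id: string): Handler {
  const row = db.get(id);
  if (!row || row.status !== 'pending') return false;
  yield;                                        // window: the other request reads 'pending' here
  db.set(id, { ...row, status: 'processed' });  // both requests reach this line
  return true;
}

// Atomic claim: the status condition lives in the UPDATE itself, so the second
// request's update matches zero rows and it bails out before doing any work.
function* atomicHandler(db: Db, id: string): Handler {
  if (updateWherePending(db, id, 'processing') === 0) return false;
  yield;                                        // safe: the row already belongs to this request
  db.set(id, { id, status: 'processed' });
  return true;
}

// Round-robin scheduler: step every handler once per round until all finish.
function runInterleaved(handlers: Handler[]): boolean[] {
  const results: (boolean | undefined)[] = handlers.map(() => undefined);
  let running = handlers.length;
  while (running > 0) {
    handlers.forEach((h, i) => {
      if (results[i] !== undefined) return;
      const step = h.next();
      if (step.done) { results[i] = step.value; running--; }
    });
  }
  return results as boolean[];
}

// Runs `concurrent` requests against one pending callback and counts how many
// of them ended up processing it. The correct answer is always 1.
function countProcessed(make: (db: Db, id: string) => Handler, concurrent = 2): number {
  const db: Db = new Map<string, CallbackRow>([['cb-1', { id: 'cb-1', status: 'pending' }]]);
  const handlers = Array.from({ length: concurrent }, () => make(db, 'cb-1'));
  return runInterleaved(handlers).filter(Boolean).length;
}

function naiveProcessedCount(): number { return countProcessed(naiveHandler); }   // 2: double-processed
function atomicProcessedCount(): number { return countProcessed(atomicHandler); } // 1: processed once
```

The same shape carries over to the real route: move the `status: 'pending'` condition into the `where` of the update (or wrap read and write in a Prisma transaction) and treat a matched count of 0 as "someone else already took this callback" rather than as an error.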