# Backend Services - Bug Analysis

> 25 issues found in `src/services/`

---

## CRITICAL (4)

### 1. No Timeout on OpenAI API Calls
**File:** `ai.js`
**Lines:** 72, 135, 260, 329, 768, 889, 973, 1034, 1075, 1189, 1353, 1576, 1645, 1709, 1889, 1936
**Description:** `openai.chat.completions.create()` has no timeout. Can hang indefinitely.
**Impact:** Server resources exhausted, frontend frozen.
**Fix:**
```javascript
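// In the openai Node SDK, timeout is a per-request option (second argument,
// in milliseconds), not a field of the request body.
const response = await openai.chat.completions.create(
  { ...options },
  { timeout: 30000 }
);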
```

### 2. No Timeout on Slack Webhook
**File:** `slack.js:19`
**Description:** Slack fetch has no timeout.
**Impact:** Notifications block indefinitely.
**Fix:** Add `signal: AbortSignal.timeout(5000)`

### 3. No Timeout on Platform Sync
**File:** `platformSync.js:33`
**Description:** Platform API fetches can hang.
**Impact:** Sync jobs stuck, data never refreshes.

### 4. No Timeout on Perplexity API
**File:** `perplexity.js:24, 282, 568, 665`
**Description:** Research calls can hang indefinitely.
**Impact:** Company/person research blocks.

---

## HIGH (6)

### 5. Missing Error Handling in Learning System
**File:** `learning.js:256-297`
**Description:** `updateObjectionResponseEffectiveness` loop has no try-catch per item.
**Impact:** Partial data loss, silent failures.

### 6. Missing Null Checks on AI Responses
**File:** `ai.js`
**Lines:** 79, 142, 267, 775, 897, 980, 1041, 1082, 1197, 1360, 1583, 1716
**Description:** `JSON.parse(response.choices[0].message.content)` crashes if null.
**Fix:** `const content = response.choices?.[0]?.message?.content;`

### 7. Infinite Loop Risk
**File:** `compliance.js:237-246`
**Description:** The `while` loop in `findBannedPhrases` can loop forever on an empty phrase.
**Fix:** Skip empty/whitespace phrases.

### 8. Memory Leak in Deepgram
**File:** `deepgram.js`
**Description:** WebSocket URLs returned without cleanup mechanism.
**Impact:** Connection details accumulate.

### 9. Race Condition in Compliance Cache
**File:** `compliance.js:17-46`
**Description:** No locking during cache refresh. Duplicate queries possible.
**Fix:** Add pending flag pattern.

### 10. Unbounded Array Growth
**File:** `learning.js:165-171`
**Description:** `communicationTimeline` stores ALL communications in JSONB.
**Impact:** Database bloat, slow queries.
**Fix:** Limit to last 50 communications.

---

## MEDIUM (9)

### 11. Missing Null Check on Query Results
**File:** `ai.js:1098-1124`
**Description:** `wins.map()` called without checking if `wins` is null.
**Fix:** `(wins || []).map()`

### 12. Array Access Without Length Check
**File:** `learning.js:49-50`
**Description:** `comms[0]` and `comms[comms.length-1]` without empty check.

### 13. No Retry Logic for External APIs
**Files:** `slack.js`, `perplexity.js`, `platformSync.js`
**Description:** Transient errors fail immediately with no retry.
**Fix:** Implement exponential backoff.

### 14. No Rate Limiting for Twilio Batch
**File:** `twilio.js:115-135`
**Description:** 100ms delay may exceed Twilio limits.
**Fix:** Respect 50 msg/second limit.

### 15. No Bounds Check on Scores
**File:** `scoring.js:178`
**Description:** Penalties calculated before clamping.

### 16. Null Check After DB Query
**File:** `platformSync.js:251-325`
**Description:** `existingLead` accessed without full null check.

### 17. Missing Optional Chaining
**File:** `platformSync.js:285`
**Description:** Direct property access without null coalescing.

### 18. JSON Parse Without Debug Context
**File:** `perplexity.js:130-145, 290-301, 576-587, 672-687`
**Description:** Parse errors don't log the malformed content.

### 19. Async forEach Issue
**File:** `perplexity.js:431-446`
**Description:** `forEach` with an async callback does not await the returned promises.
**Fix:** Use `for...of` loop.

---

## LOW (6)

### 20. Inefficient Regex Compilation
**File:** `compliance.js:216`
**Description:** Regex compiled inside loop every iteration.
**Fix:** Pre-compile and cache regexes.

### 21. Inefficient DB Queries
**File:** `learning.js:260-280`
**Description:** `.single()` throws on multiple matches.
**Fix:** Use `.limit(1).maybeSingle()`

### 22. Unused Variable
**File:** `perplexity.js:411`
**Description:** `normalized` calculated but never used.

### 23. Type Inconsistency
**File:** `platformSync.js:431-433`
**Description:** `created_at` vs `createdAt` handled inconsistently.

### 24. Missing Documentation
**File:** `learning.js`
**Description:** Complex pattern capture lacks docstrings.

### 25. Potential Slack Injection
**File:** `slack.js`
**Description:** Unescaped user input in mrkdwn text.
**Fix:** Escape special characters.
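
Added example for issues 2 and 25 (not the project's `slack.js`): it encodes the three characters Slack documents as mrkdwn control characters (`&`, `<`, `>`) before user input is interpolated, and sends the webhook with the 5-second abort signal from issue 2. The function names, payload fields and sample values are assumptions.

```javascript
// Added example; escapeSlackText, buildLeadNotification and
// sendSlackNotification are hypothetical names, not the project's code.

// Slack parses <...> as mentions, channel pings and links, and & as the
// start of an entity. Encoding all three makes user input render literally.
function escapeSlackText(input) {
  return String(input ?? '')
    .replace(/&/g, '&amp;') // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Only the template contributes mrkdwn syntax; every user-controlled
// field passes through escapeSlackText before interpolation.
function buildLeadNotification({ leadName, note }) {
  const safeName = escapeSlackText(leadName);
  const safeNote = escapeSlackText(note);
  return {
    text: `New lead: ${safeName}`, // fallback text shown in notifications
    blocks: [
      {
        type: 'section',
        text: { type: 'mrkdwn', text: `*New lead:* ${safeName}\n${safeNote}` },
      },
    ],
  };
}

// fetchImpl is injectable so the function can be exercised without network access.
async function sendSlackNotification(webhookUrl, fields, fetchImpl = fetch) {
  const res = await fetchImpl(webhookUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildLeadNotification(fields)),
    signal: AbortSignal.timeout(5000), // abort instead of blocking the caller
  });
  if (!res.ok) {
    throw new Error(`Slack webhook returned HTTP ${res.status}`);
  }
  return true;
}
```

This covers mentions and links only; formatting characters such as `*` and `_` in user input will still style the text.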
