agent/php/Mod/Api/FOLLOWUP.md

# API Follow-Up

Foundation delivered in this slice:
- `ApiKey`, `WebhookEndpoint`, and `WebhookDelivery` models with root migrations.
- `WebhookService::dispatch()` wrapped in `DB::transaction()` with queued jobs using `->afterCommit()`.
- `DeliverWebhookJob`, `WebhookSignature`, `RateLimitService`, and API key middleware with Sanctum fallback.
- New `Boot` event listener for `ApiRoutesRegistering`.
- Canonical controller split: `DocsController` for public work and `DocumentationController` for protected admin work.

Remaining RFC work:
- Register the new API module provider in the package entry point so the nested module boots without explicit test registration.
- Build the REST surface: webhook CRUD, API key CRUD, delivery inspection, retry endpoints, and gateway controllers.
- Wire real documentation views, OpenAPI generation, and protected admin docs routes.
- Add rate-limit middleware integration, response headers, and per-endpoint policy wiring on the route layer.
- Extend webhook delivery operations with queue maintenance, replay tooling, and the remaining backoff policy edge cases.
- Add broader coverage for middleware auth flows, docs protection, and end-to-end queue delivery.
feat(agent/api): RFC foundation — API keys, webhooks, rate limiting, docs split Foundation slice for Mantis #844 php/Mod/Api RFC implementation: * New php/Mod/Api/ package: Boot, Controllers, Documentation, Jobs, Middleware, Models, RateLimit, Routes, Services * Models: ApiKey, WebhookEndpoint, WebhookDelivery * WebhookService::dispatch() with DB::transaction + afterCommit * DeliverWebhookJob with retry/backoff * WebhookSignature with timing-safe verification + 5-minute tolerance + dual-secret rotation support * Sliding-window rate limiter in RateLimit/RateLimitService.php * AuthenticateApiKey middleware: hk_ prefix + Sanctum fallback * DocsController / DocumentationController split * 3 root migrations: api_keys, webhook_endpoints, webhook_deliveries * Foundation tests under php/tests/Feature/Mod/Api/ * FOLLOWUP.md tracks remaining RFC scope php -l clean across 21 PHP files. Pest unrunnable in sandbox (no vendor/). Co-authored-by: Codex <noreply@openai.com> Closes tasks.lthn.sh/view.php?id=844 2026-04-25 21:01:54 +01:00			`# API Follow-Up`

			`Foundation delivered in this slice:`
			- `ApiKey`, `WebhookEndpoint`, and `WebhookDelivery` models with root migrations.
			- `WebhookService::dispatch()` wrapped in `DB::transaction()` with queued jobs using `->afterCommit()`.
			- `DeliverWebhookJob`, `WebhookSignature`, `RateLimitService`, and API key middleware with Sanctum fallback.
			- New `Boot` event listener for `ApiRoutesRegistering`.
			- Canonical controller split: `DocsController` for public work and `DocumentationController` for protected admin work.

			`Remaining RFC work:`
			`- Register the new API module provider in the package entry point so the nested module boots without explicit test registration.`
			`- Build the REST surface: webhook CRUD, API key CRUD, delivery inspection, retry endpoints, and gateway controllers.`
			`- Wire real documentation views, OpenAPI generation, and protected admin docs routes.`
			`- Add rate-limit middleware integration, response headers, and per-endpoint policy wiring on the route layer.`
			`- Extend webhook delivery operations with queue maintenance, replay tooling, and the remaining backoff policy edge cases.`
			`- Add broader coverage for middleware auth flows, docs protection, and end-to-end queue delivery.`