core/agent
8
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions
agent/php/Mod/Api/FOLLOWUP.md
Snider 5385385314 feat(agent/api): RFC foundation — API keys, webhooks, rate limiting, docs split 
Foundation slice for Mantis #844 php/Mod/Api RFC implementation:

* New php/Mod/Api/ package: Boot, Controllers, Documentation, Jobs,
  Middleware, Models, RateLimit, Routes, Services
* Models: ApiKey, WebhookEndpoint, WebhookDelivery
* WebhookService::dispatch() with DB::transaction + afterCommit
* DeliverWebhookJob with retry/backoff
* WebhookSignature with timing-safe verification + 5-minute tolerance +
  dual-secret rotation support
* Sliding-window rate limiter in RateLimit/RateLimitService.php
* AuthenticateApiKey middleware: hk_ prefix + Sanctum fallback
* DocsController / DocumentationController split
* 3 root migrations: api_keys, webhook_endpoints, webhook_deliveries
* Foundation tests under php/tests/Feature/Mod/Api/
* FOLLOWUP.md tracks remaining RFC scope

php -l clean across 21 PHP files. Pest unrunnable in sandbox (no vendor/).

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=844
2026-04-25 21:01:54 +01:00

16 lines
1.2 KiB
Markdown
Raw Blame History

# API Follow-Up
Foundation delivered in this slice:
- `ApiKey`, `WebhookEndpoint`, and `WebhookDelivery` models with root migrations.
- `WebhookService::dispatch()` wrapped in `DB::transaction()` with queued jobs using `->afterCommit()`.
- `DeliverWebhookJob`, `WebhookSignature`, `RateLimitService`, and API key middleware with Sanctum fallback.
- New `Boot` event listener for `ApiRoutesRegistering`.
- Canonical controller split: `DocsController` for public work and `DocumentationController` for protected admin work.
Remaining RFC work:
- Register the new API module provider in the package entry point so the nested module boots without explicit test registration.
- Build the REST surface: webhook CRUD, API key CRUD, delivery inspection, retry endpoints, and gateway controllers.
- Wire real documentation views, OpenAPI generation, and protected admin docs routes.
- Add rate-limit middleware integration, response headers, and per-endpoint policy wiring on the route layer.
- Extend webhook delivery operations with queue maintenance, replay tooling, and the remaining backoff policy edge cases.
- Add broader coverage for middleware auth flows, docs protection, and end-to-end queue delivery.
Reference in a new issue View git blame Copy permalink