agent/php/Mod/Api/FOLLOWUP.md
Snider 5385385314 feat(agent/api): RFC foundation — API keys, webhooks, rate limiting, docs split
Foundation slice for Mantis #844 php/Mod/Api RFC implementation:

* New php/Mod/Api/ package: Boot, Controllers, Documentation, Jobs,
  Middleware, Models, RateLimit, Routes, Services
* Models: ApiKey, WebhookEndpoint, WebhookDelivery
* WebhookService::dispatch() with DB::transaction + afterCommit
* DeliverWebhookJob with retry/backoff
* WebhookSignature with timing-safe verification + 5-minute tolerance +
  dual-secret rotation support
* Sliding-window rate limiter in RateLimit/RateLimitService.php
* AuthenticateApiKey middleware: hk_ prefix + Sanctum fallback
* DocsController / DocumentationController split
* 3 root migrations: api_keys, webhook_endpoints, webhook_deliveries
* Foundation tests under php/tests/Feature/Mod/Api/
* FOLLOWUP.md tracks remaining RFC scope

php -l clean across 21 PHP files. Pest unrunnable in sandbox (no vendor/).

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=844
2026-04-25 21:01:54 +01:00

API Follow-Up

Foundation delivered in this slice:

  • ApiKey, WebhookEndpoint, and WebhookDelivery models with root migrations.
  • WebhookService::dispatch() wrapped in DB::transaction() with queued jobs using ->afterCommit().
  • DeliverWebhookJob, WebhookSignature, RateLimitService, and API key middleware with Sanctum fallback.
  • New Boot event listener for ApiRoutesRegistering.
  • Canonical controller split: DocsController for public work and DocumentationController for protected admin work.
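
A sketch of the three checks attributed to WebhookSignature (timing-safe comparison, 5-minute tolerance, dual-secret rotation), added here as an example and not taken from the project's code. The signed string `<timestamp>.<payload>`, the HMAC-SHA256 choice, and the function names `signPayload` and `verifySignature` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed scheme (not the project's): signature = hex HMAC-SHA256 of "<timestamp>.<payload>".
const TOLERANCE_SECONDS = 300; // the 5-minute tolerance

function signPayload(string $payload, int $timestamp, string $secret): string
{
    return hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
}

/**
 * @param string[] $secrets current secret first, previous secret second while a rotation is in progress
 */
function verifySignature(string $payload, int $timestamp, string $signature, array $secrets, ?int $now = null): bool
{
    $now ??= time();

    // Reject stale and far-future timestamps so a captured request cannot be replayed later.
    if (abs($now - $timestamp) > TOLERANCE_SECONDS) {
        return false;
    }

    $valid = false;
    foreach ($secrets as $secret) {
        if ($secret === '') {
            continue; // an empty rotation slot must never validate anything
        }
        $expected = signPayload($payload, $timestamp, $secret);
        // hash_equals() compares in constant time; no early break, so every secret is always checked.
        $valid = hash_equals($expected, $signature) || $valid;
    }
    return $valid;
}

// Constructed sample values, for illustration only.
$payload = '{"event":"example.created","id":1}';
$now = 1700000000;
$old = 'constructed-old-secret';
$new = 'constructed-new-secret';

$sig = signPayload($payload, $now - 60, $old);
var_dump(verifySignature($payload, $now - 60, $sig, [$new, $old], $now));       // signed with previous secret, inside the window
var_dump(verifySignature($payload, $now - 60, $sig, [$new], $now));             // previous secret retired after rotation
var_dump(verifySignature($payload . ' ', $now - 60, $sig, [$new, $old], $now)); // payload altered after signing
$stale = signPayload($payload, $now - 301, $new);
var_dump(verifySignature($payload, $now - 301, $stale, [$new], $now));          // valid signature, outside the tolerance
```

The timestamp is part of the signed string, so an attacker cannot refresh it on a captured request without invalidating the signature.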

Remaining RFC work:

  • Register the new API module provider in the package entry point so the nested module boots without explicit test registration.
  • Build the REST surface: webhook CRUD, API key CRUD, delivery inspection, retry endpoints, and gateway controllers.
  • Wire real documentation views, OpenAPI generation, and protected admin docs routes.
  • Add rate-limit middleware integration, response headers, and per-endpoint policy wiring on the route layer.
  • Extend webhook delivery operations with queue maintenance, replay tooling, and the remaining backoff policy edge cases.
  • Add broader coverage for middleware auth flows, docs protection, and end-to-end queue delivery.