core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

chore: remove stale docs, update installers to Forge
Some checks failed
Deploy / build (push) Failing after 3s
Details
Security Scan / security (push) Successful in 13s
Details

Browse source 
Remove: Makefile, infra.yaml, GEMINI.md, AUDIT-DEPENDENCIES.md,
ISSUES_TRIAGE.md, github-projects-recovery.md

Update install.sh and install.bat to use forge.lthn.ai/core/cli
instead of dead github.com/host-uk/core.

Co-Authored-By: Virgil <virgil@lethean.io>
This commit is contained in:
Snider 2026-02-21 21:29:21 +00:00
parent fb52e03f50
commit 1b99ea22f1
8 changed files with 10 additions and 1063 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

143
AUDIT-DEPENDENCIES.md
View file

@ -1,143 +0,0 @@
# Dependency Security Audit
**Date:** 2026-02-02
**Auditor:** Claude Code
**Project:** host-uk/core (Go CLI)
## Executive Summary
**No vulnerabilities found** in current dependencies.
All modules verified successfully with `go mod verify` and `govulncheck`.
---
## Dependency Analysis
### Direct Dependencies (15)
| Package | Version | Purpose | Status |
|---------|---------|---------|--------|
| github.com/Snider/Borg | v0.1.0 | Framework utilities | ✅ Verified |
| github.com/getkin/kin-openapi | v0.133.0 | OpenAPI parsing | ✅ Verified |
| github.com/leaanthony/debme | v1.2.1 | Debounce utilities | ✅ Verified |
| github.com/leaanthony/gosod | v1.0.4 | Go service utilities | ✅ Verified |
| github.com/minio/selfupdate | v0.6.0 | Self-update mechanism | ✅ Verified |
| github.com/modelcontextprotocol/go-sdk | v1.2.0 | MCP SDK | ✅ Verified |
| github.com/oasdiff/oasdiff | v1.11.8 | OpenAPI diff | ✅ Verified |
| github.com/spf13/cobra | v1.10.2 | CLI framework | ✅ Verified |
| github.com/stretchr/testify | v1.11.1 | Testing assertions | ✅ Verified |
| golang.org/x/mod | v0.32.0 | Module utilities | ✅ Verified |
| golang.org/x/net | v0.49.0 | Network utilities | ✅ Verified |
| golang.org/x/oauth2 | v0.34.0 | OAuth2 client | ✅ Verified |
| golang.org/x/term | v0.39.0 | Terminal utilities | ✅ Verified |
| golang.org/x/text | v0.33.0 | Text processing | ✅ Verified |
| gopkg.in/yaml.v3 | v3.0.1 | YAML parser | ✅ Verified |
### Transitive Dependencies
- **Total modules:** 161 indirect dependencies
- **Verification:** All modules verified via `go mod verify`
- **Integrity:** go.sum contains 18,380 bytes of checksums
### Notable Indirect Dependencies
| Package | Purpose | Risk Assessment |
|---------|---------|-----------------|
| github.com/go-git/go-git/v5 | Git operations | Low - well-maintained |
| github.com/ProtonMail/go-crypto | Cryptography | Low - security-focused org |
| github.com/cloudflare/circl | Cryptographic primitives | Low - Cloudflare maintained |
| cloud.google.com/go | Google Cloud SDK | Low - Google maintained |
---
## Vulnerability Scan Results
### govulncheck Output
```
$ govulncheck ./...
No vulnerabilities found.
```
### go mod verify Output
```
$ go mod verify
all modules verified
```
---
## Lock Files
| File | Status | Notes |
|------|--------|-------|
| go.mod | ✅ Committed | 2,995 bytes, properly formatted |
| go.sum | ✅ Committed | 18,380 bytes, integrity hashes present |
| go.work | ✅ Committed | Workspace configuration |
| go.work.sum | ✅ Committed | Workspace checksums |
---
## Supply Chain Assessment
### Package Sources
- ✅ All dependencies from official Go module proxy (proxy.golang.org)
- ✅ No private/unverified package sources
- ✅ Checksum database verification enabled (sum.golang.org)
### Typosquatting Risk
- **Low risk** - all dependencies are from well-known organizations:
- golang.org/x/* (Go team)
- github.com/spf13/* (Steve Francia - Cobra maintainer)
- github.com/stretchr/* (Stretchr - testify maintainers)
- cloud.google.com/go/* (Google)
### Build Process Security
- ✅ Go modules with verified checksums
- ✅ Reproducible builds via go.sum
- ✅ CI runs `go mod verify` before builds
---
## Recommendations
### Immediate Actions
None required - no vulnerabilities detected.
### Ongoing Maintenance
1. **Enable Dependabot** - Automated dependency updates via GitHub
2. **Regular audits** - Run `govulncheck ./...` in CI pipeline
3. **Version pinning** - All dependencies are properly pinned
### CI Integration
Add to CI workflow:
```yaml
- name: Verify dependencies
run: go mod verify
- name: Check vulnerabilities
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
```
---
## Appendix: Full Dependency Tree
Run `go mod graph` to generate the complete dependency tree.
Total dependency relationships: 445
---
*Audit generated by Claude Code on 2026-02-02*

55
GEMINI.md
View file

@ -1,55 +0,0 @@
# GEMINI.md
This file provides guidance for agentic interactions within this repository, specifically for Gemini and other MCP-compliant agents.
## Agentic Context & MCP
This project is built with an **Agentic** design philosophy. It is not exclusive to any single LLM provider (like Claude).
- **MCP Support**: The system is designed to leverage the Model Context Protocol (MCP) to provide rich context and tools to agents.
- **Developer Image**: You are running within a standardized developer image (`host-uk/core` dev environment), ensuring consistent tooling and configuration.
## Core CLI (Agent Interface)
The `core` command is the primary interface for agents to manage the project. Agents should **always** prefer `core` commands over raw shell commands (like `go test`, `php artisan`, etc.).
### Key Commands for Agents
| Task | Command | Notes |
|------|---------|-------|
| **Health Check** | `core doctor` | Verify tools and environment |
| **Repo Status** | `core dev health` | Quick summary of all repos |
| **Work Status** | `core dev work --status` | Detailed dirty/ahead status |
| **Run Tests** | `core go test` | Run Go tests with correct flags |
| **Coverage** | `core go cov` | Generate coverage report |
| **Build** | `core build` | Build the project safely |
| **Search Code** | `core pkg search` | Find packages/repos |
## Project Architecture
Core is a Web3 Framework written in Go using Wails v3.
### Core Framework
- **Services**: Managed via dependency injection (`ServiceFor[T]()`).
- **Lifecycle**: `OnStartup` and `OnShutdown` hooks.
- **IPC**: Message-passing system for service communication.
### Development Workflow
1. **Check State**: `core dev work --status`
2. **Make Changes**: Modify code, add tests.
3. **Verify**: `core go test` (or `core php test` for PHP components).
4. **Commit**: `core dev commit` (or standard git if automated).
5. **Push**: `core dev push` (handles multiple repos).
## Testing Standards
- **Suffix Pattern**:
- `_Good`: Happy path
- `_Bad`: Expected errors
- `_Ugly`: Edge cases/panics
## Go Workspace
The project uses Go workspaces (`go.work`). Always run `core go work sync` after modifying modules.

166
ISSUES_TRIAGE.md
View file

@ -1,166 +0,0 @@
# Issues Triage
Generated: 2026-02-02
## Summary
- **Total Open Issues**: 46
- **High Priority**: 6
- **Audit Meta-Issues**: 13 (for Jules AI)
- **Audit Derived Issues**: 20 (created from audits)
---
## High Priority Issues
| # | Title | Labels |
|---|-------|--------|
| 183 | audit: OWASP Top 10 security review | priority:high, jules |
| 189 | audit: Test coverage and quality | priority:high, jules |
| 191 | audit: API design and consistency | priority:high, jules |
| 218 | Increase test coverage for low-coverage packages | priority:high, testing |
| 219 | Add tests for edge cases, error paths, integration | priority:high, testing |
| 168 | feat(crypt): Implement standalone pkg/crypt | priority:high, enhancement |
---
## Audit Meta-Issues (For Jules AI)
These are high-level audit tasks that spawn sub-issues:
| # | Title | Complexity |
|---|-------|------------|
| 183 | audit: OWASP Top 10 security review | large |
| 184 | audit: Authentication and authorization flows | medium |
| 186 | audit: Secrets, credentials, and configuration security | medium |
| 187 | audit: Error handling and logging practices | medium |
| 188 | audit: Code complexity and maintainability | large |
| 189 | audit: Test coverage and quality | large |
| 190 | audit: Performance bottlenecks and optimization | large |
| 191 | audit: API design and consistency | large |
| 192 | audit: Documentation completeness and quality | large |
| 193 | audit: Developer experience (DX) review | large |
| 197 | [Audit] Concurrency and Race Condition Analysis | medium |
| 198 | [Audit] CI/CD Pipeline Security | medium |
| 199 | [Audit] Architecture Patterns | large |
| 201 | [Audit] Error Handling and Recovery | medium |
| 202 | [Audit] Configuration Management | medium |
---
## By Category
### Security (4 issues)
| # | Title | Priority |
|---|-------|----------|
| 221 | Remove StrictHostKeyChecking=no from SSH commands | - |
| 222 | Sanitize user input in execInContainer to prevent injection | - |
| 183 | audit: OWASP Top 10 security review | high |
| 213 | Add logging for security events (authentication, access) | - |
### Testing (3 issues)
| # | Title | Priority |
|---|-------|----------|
| 218 | Increase test coverage for low-coverage packages | high |
| 219 | Add tests for edge cases, error paths, integration | high |
| 220 | Configure branch coverage measurement in test tooling | - |
### Error Handling (4 issues)
| # | Title |
|---|-------|
| 227 | Standardize on cli.Error for user-facing errors, deprecate cli.Fatal |
| 228 | Implement panic recovery mechanism with graceful shutdown |
| 229 | Log all errors at handling point with contextual information |
| 230 | Centralize user-facing error strings in i18n translation files |
### Documentation (6 issues)
| # | Title |
|---|-------|
| 231 | Update README.md to reflect actual configuration management |
| 233 | Add CONTRIBUTING.md with contribution guidelines |
| 234 | Add CHANGELOG.md to track version changes |
| 235 | Add user documentation: user guide, FAQ, troubleshooting |
| 236 | Add configuration documentation to README |
| 237 | Add Architecture Decision Records (ADRs) |
### Architecture (3 issues)
| # | Title |
|---|-------|
| 215 | Refactor Core struct to smaller, focused components |
| 216 | Introduce typed messaging system for IPC (replace interface{}) |
| 232 | Create centralized configuration service |
### Performance (2 issues)
| # | Title |
|---|-------|
| 224 | Add streaming API to pkg/io/local for large file handling |
| 225 | Use background goroutines for long-running operations |
### Logging (3 issues)
| # | Title |
|---|-------|
| 212 | Implement structured logging (JSON format) |
| 213 | Add logging for security events |
| 214 | Implement log retention policy |
### New Features (7 issues)
| # | Title | Priority |
|---|-------|----------|
| 168 | feat(crypt): Implement standalone pkg/crypt | high |
| 167 | feat(config): Implement standalone pkg/config | - |
| 170 | feat(plugin): Consolidate pkg/module into pkg/plugin | - |
| 171 | feat(cli): Implement build variants | - |
| 217 | Implement authentication and authorization features | - |
| 211 | feat(setup): add .core/setup.yaml for dev environment | - |
### Help System (5 issues)
| # | Title | Complexity |
|---|-------|------------|
| 133 | feat(help): Implement display-agnostic help system | large |
| 134 | feat(help): Remove Wails dependencies from pkg/help | large |
| 135 | docs(help): Create help content for core CLI | large |
| 136 | feat(help): Add CLI help command | small |
| 138 | feat(help): Implement Catalog and Topic types | large |
| 139 | feat(help): Implement full-text search | small |
---
## Potential Duplicates / Overlaps
1. **Error Handling**: #187, #201, #227-230 all relate to error handling
2. **Documentation**: #192, #231-237 all relate to documentation
3. **Configuration**: #202, #167, #232 all relate to configuration
4. **Security Audits**: #183, #184, #186, #221, #222 all relate to security
---
## Recommendations
1. **Close audit meta-issues as work is done**: Issues #183-202 are meta-audit issues that should be closed once their derived issues are created/completed.
2. **Link related issues**: Create sub-issue relationships:
- #187 (audit: error handling) -> #227, #228, #229, #230
- #192 (audit: docs) -> #231, #233, #234, #235, #236, #237
- #202 (audit: config) -> #167, #232
3. **Good first issues**: #136, #139 are marked as good first issues
4. **Consider closing duplicates**:
- #187 vs #201 (both about error handling)
- #192 vs #231-237 (documentation)
5. **Priority order for development**:
1. Security fixes (#221, #222)
2. Test coverage (#218, #219)
3. Core infrastructure (#168 - crypt, #167 - config)
4. Error handling standardization (#227-230)
5. Documentation (#233-237)

20
Makefile
View file

@ -1,20 +0,0 @@
.PHONY: all dev prod-docs development-docs
all:
(cd cmd/core-gui && task build)
.ONESHELL:
dev:
(cd cmd/core-gui && task dev)
pre-commit:
coderabbit review --prompt-only
development-docs:
@echo "Running development documentation Website..."
@(cd pkg/core/docs && mkdocs serve -w src)
prod-docs:
@echo "Generating documentation tp Repo Root..."
@(cd pkg/core/docs && mkdocs build -d public && cp -r src public)
@echo "Documentation generated at docs/index.html"

403
github-projects-recovery.md
View file

@ -1,403 +0,0 @@
# GitHub Projects Recovery — host-uk org
> Recovered 2026-02-08 from flagged GitHub org before potential data loss.
> Projects 1 (Core.Framework) was empty. Projects 2, 3, 4 captured below.
---
## Project 2: Workstation (43 items)
> Agentic task queue — issues labelled agent:ready across all host-uk repos.
| # | Title | Issue |
|---|-------|-------|
| 1 | feat: add workspace.yaml support for unified package commands | #38 |
| 2 | feat: add core setup command for GitHub repo configuration | #45 |
| 3 | docs sync ignores packages_dir from workspace.yaml | #46 |
| 4 | feat: add core qa command area for CI/workflow monitoring | #47 |
| 5 | feat: add core security command to expose Dependabot and code scanning alerts | #48 |
| 6 | feat: add core monitor to aggregate free tier scanner results | #49 |
| 7 | feat: add core qa issues for intelligent issue triage | #61 |
| 8 | feat: add core qa review for PR review status | #62 |
| 9 | feat: add core qa health for aggregate CI health | #63 |
| 10 | feat(dev): add safe git operations for AI agents | #53 |
| 11 | docs(mcp): Document MCP server setup and usage | #125 |
| 12 | feat: Implement persistent MCP server in daemon mode | #118 |
| 13 | chore(io): Migrate pkg/agentic to Medium abstraction | #104 |
| 14 | feat: Evolve pkg/io from Medium abstraction to io.Node (Borg + Enchantrix) | #101 |
| 15 | Add streaming API to pkg/io/local for large file handling | #224 |
| 16 | feat(hooks): Add core ai hook for async test running | #262 |
| 17 | feat(ai): Add core ai spawn for parallel agent tasks | #260 |
| 18 | feat(ai): Add core ai cost for budget tracking | #261 |
| 19 | feat(ai): Add core ai session for session management | #259 |
| 20 | feat(test): Add smart test detection to core test | #258 |
| 21 | feat(test): Add core test --watch continuous testing mode | #257 |
| 22 | feat(collect): Add core collect dispatch event hook system | #256 |
| 23 | feat(collect): Add core collect process command | #255 |
| 24 | feat(collect): Add core collect excavate command | #254 |
| 25 | feat(collect): Add core collect papers command | #253 |
| 26 | feat(collect): Add core collect bitcointalk command | #251 |
| 27 | feat(collect): Add core collect market command | #252 |
| 28 | feat(collect): Add core collect github command | #250 |
| 29 | epic(security): workspace isolation and authorisation hardening | #31 |
| 30 | epic(security): SQL query validation and execution safety | #32 |
| 31 | epic(fix): namespace and import corrections | #33 |
| 32 | epic(chore): configuration and documentation standardisation | #34 |
| 33 | Epic: Webhook Security Hardening | #27 |
| 34 | Epic: API Performance Optimisation | #28 |
| 35 | Epic: MCP API Hardening | #29 |
| 36 | Epic: API Test Coverage | #30 |
| 37 | Epic: Security Hardening | #104 |
| 38 | Epic: Input Validation & Sanitisation | #105 |
| 39 | Epic: Test Coverage | #106 |
| 40 | Epic: Error Handling & Observability | #107 |
| 41 | Epic: Performance Optimisation | #108 |
| 42 | Epic: Code Quality & Architecture | #109 |
| 43 | Epic: Documentation | #110 |
---
## Project 4: Core.GO & Core.CLI (97 items)
> Go framework and CLI development — host-uk/core repo. Filter by lang:go label.
| # | Title | Issue |
|---|-------|-------|
| 1 | feat: add workspace.yaml support for unified package commands | #38 |
| 2 | feat: add core setup command for GitHub repo configuration | #45 |
| 3 | docs sync ignores packages_dir from workspace.yaml | #46 |
| 4 | feat: add core qa command area for CI/workflow monitoring | #47 |
| 5 | feat: add core security command to expose Dependabot and code scanning alerts | #48 |
| 6 | feat: add core monitor to aggregate free tier scanner results | #49 |
| 7 | feat(crypt): Implement standalone pkg/crypt with modern cryptographic primitives | #168 |
| 8 | feat(cli): Implement build variants for reduced attack surface | #171 |
| 9 | feat(config): Implement standalone pkg/config with layered configuration | #167 |
| 10 | feat(io): Fix pkg/io import and add symlink-safe path validation | #169 |
| 11 | feat(plugin): Consolidate pkg/module into pkg/plugin with GitHub installation | #170 |
| 12 | feat(help): Implement full-text search | #139 |
| 13 | feat(help): Implement Catalog and Topic types | #138 |
| 14 | feat(help): Implement markdown parsing and section extraction | #137 |
| 15 | feat(help): Remove Wails dependencies from pkg/help | #134 |
| 16 | feat(help): Add CLI help command | #136 |
| 17 | docs(help): Create help content for core CLI | #135 |
| 18 | feat(help): Implement display-agnostic help system for CLI and GUI | #133 |
| 19 | chore(log): Remove deprecated pkg/errors package | #131 |
| 20 | feat(log): Add combined log-and-return error helpers | #129 |
| 21 | chore(log): Create pkg/errors deprecation alias | #128 |
| 22 | feat(log): Unify pkg/errors and pkg/log into single logging package | #127 |
| 23 | feat(mcp): Add TCP transport | #126 |
| 24 | docs(mcp): Document MCP server setup and usage | #125 |
| 25 | feat(mcp): Add MCP command for manual server control | #124 |
| 26 | feat(mcp): Create MCPService for framework integration | #122 |
| 27 | feat(mcp): Add health check integration | #123 |
| 28 | chore(log): Migrate pkg/errors imports to pkg/log | #130 |
| 29 | feat(mcp): Add connection management and graceful draining | #121 |
| 30 | feat(mcp): Add daemon mode detection and auto-start | #119 |
| 31 | feat(mcp): Add Unix socket transport | #120 |
| 32 | feat: Implement persistent MCP server in daemon mode | #118 |
| 33 | chore(io): Migrate internal/cmd/setup to Medium abstraction | #116 |
| 34 | chore(io): Migrate internal/cmd/docs to Medium abstraction | #113 |
| 35 | chore(io): Migrate remaining internal/cmd/* to Medium abstraction | #117 |
| 36 | chore(io): Migrate internal/cmd/dev to Medium abstraction | #114 |
| 37 | chore(io): Migrate internal/cmd/sdk to Medium abstraction | #115 |
| 38 | chore(io): Migrate internal/cmd/php to Medium abstraction | #112 |
| 39 | feat(log): Add error creation functions to pkg/log | #132 |
| 40 | chore(io): Migrate pkg/cache to Medium abstraction | #111 |
| 41 | chore(io): Migrate pkg/devops to Medium abstraction | #110 |
| 42 | chore(io): Migrate pkg/cli to Medium abstraction | #107 |
| 43 | chore(io): Migrate pkg/build to Medium abstraction | #109 |
| 44 | chore(io): Migrate pkg/container to Medium abstraction | #105 |
| 45 | chore(io): Migrate pkg/repos to Medium abstraction | #108 |
| 46 | feat(io): Migrate pkg/mcp to use Medium abstraction | #103 |
| 47 | chore(io): Migrate pkg/release to Medium abstraction | #106 |
| 48 | chore(io): Migrate pkg/agentic to Medium abstraction | #104 |
| 49 | feat(io): Extend Medium interface with missing operations | #102 |
| 50 | fix(php): core php ci improvements needed | #92 |
| 51 | CLI Output: Color contrast audit and terminal adaptation | #99 |
| 52 | feat: Evolve pkg/io from Medium abstraction to io.Node (Borg + Enchantrix) | #101 |
| 53 | Documentation: Improve Accessibility | #89 |
| 54 | Web UI: Audit Angular App Accessibility | #88 |
| 55 | Add configuration documentation to README | #236 |
| 56 | Add Architecture Decision Records (ADRs) | #237 |
| 57 | Add user documentation: user guide, FAQ, troubleshooting guide | #235 |
| 58 | Add CHANGELOG.md to track version changes | #234 |
| 59 | Add CONTRIBUTING.md with contribution guidelines | #233 |
| 60 | Create centralized configuration service to reduce code duplication | #232 |
| 61 | Update README.md to reflect actual configuration management implementation | #231 |
| 62 | Centralize user-facing error strings in i18n translation files | #230 |
| 63 | Log all errors at handling point with contextual information | #229 |
| 64 | Implement panic recovery mechanism with graceful shutdown | #228 |
| 65 | Standardize on cli.Error for user-facing errors, deprecate cli.Fatal | #227 |
| 66 | Add linker flags (-s -w) to reduce binary size | #226 |
| 67 | Use background goroutines for long-running operations to prevent UI blocking | #225 |
| 68 | Add streaming API to pkg/io/local for large file handling | #224 |
| 69 | Fix Go environment to run govulncheck for dependency scanning | #223 |
| 70 | Sanitize user input in execInContainer to prevent injection | #222 |
| 71 | Configure branch coverage measurement in test tooling | #220 |
| 72 | Remove StrictHostKeyChecking=no from SSH commands | #221 |
| 73 | Implement authentication and authorization features described in README | #217 |
| 74 | Add tests for edge cases, error paths, and integration scenarios | #219 |
| 75 | Increase test coverage for low-coverage packages (cli, internal/cmd/dev) | #218 |
| 76 | Introduce typed messaging system for IPC (replace interface{}) | #216 |
| 77 | Refactor Core struct to smaller, focused components (ServiceManager, MessageBus, LifecycleManager) | #215 |
| 78 | Implement structured logging (JSON format) | #212 |
| 79 | Implement log retention policy | #214 |
| 80 | Add logging for security events (authentication, access) | #213 |
| 81 | feat(setup): add .core/setup.yaml for dev environment bootstrapping | #211 |
| 82 | audit: Documentation completeness and quality | #192 |
| 83 | audit: API design and consistency | #191 |
| 84 | [Audit] Concurrency and Race Condition Analysis | #197 |
| 85 | feat(hooks): Add core ai hook for async test running | #262 |
| 86 | feat(ai): Add core ai spawn for parallel agent tasks | #260 |
| 87 | feat(ai): Add core ai cost for budget tracking | #261 |
| 88 | feat(ai): Add core ai session for session management | #259 |
| 89 | feat(test): Add smart test detection to core test | #258 |
| 90 | feat(test): Add core test --watch continuous testing mode | #257 |
| 91 | feat(collect): Add core collect dispatch event hook system | #256 |
| 92 | feat(collect): Add core collect process command | #255 |
| 93 | feat(collect): Add core collect excavate command | #254 |
| 94 | feat(collect): Add core collect bitcointalk command | #251 |
| 95 | feat(collect): Add core collect papers command | #253 |
| 96 | feat(collect): Add core collect market command | #252 |
| 97 | feat(collect): Add core collect github command | #250 |
---
## Project 3: Core.PHP (195 items)
> Laravel/PHP ecosystem — all core-* packages. Filter by lang:php label.
| # | Title | Issue |
|---|-------|-------|
| 1 | Dependency: Consider adding security scanning to CI pipeline | #31 |
| 2 | Concurrency: Sanitiser preset registration not thread-safe | #32 |
| 3 | Documentation: Missing SECURITY.md with vulnerability reporting process | #30 |
| 4 | Error Handling: ResilientSession redirect loop potential | #28 |
| 5 | Configuration: ConfigValue encryption may cause issues during APP_KEY rotation | #25 |
| 6 | Testing: Missing test coverage for critical security components | #23 |
| 7 | Security: HadesEncrypt embeds hardcoded public key | #21 |
| 8 | Security: SafeWebhookUrl DNS rebinding vulnerability | #17 |
| 9 | Performance: selectRaw queries may have missing indexes | #19 |
| 10 | Core Bouncer: Request Whitelisting System | #14 |
| 11 | Security: ManagesTokens trait stores tokens in memory without protection | #18 |
| 12 | Trees: Consolidate subscriber monthly command from Commerce module | #12 |
| 13 | Trees: Webhook/API for TFTF confirmation | #13 |
| 14 | CSRF token not automatically attached in bootstrap.js | #17 |
| 15 | Missing exception handling configuration in bootstrap/app.php | #15 |
| 16 | CI workflow only runs on main branch but repo uses dev as main | #14 |
| 17 | Minimal test coverage for a best-practices template | #16 |
| 18 | Missing declare(strict_types=1) in PHP files violates coding standards | #12 |
| 19 | Dependencies using dev-main branches instead of stable versions | #13 |
| 20 | Security: No HTTPS enforcement in production | #11 |
| 21 | Security: SESSION_ENCRYPT=false in .env.example is insecure default | #8 |
| 22 | Security: No rate limiting configured for any routes | #10 |
| 23 | Security: Missing security headers middleware by default | #9 |
| 24 | Security: ActivityLog query vulnerable to SQL wildcard injection | #20 |
| 25 | Missing: Rate limiting not applied to Livewire component methods | #17 |
| 26 | Missing: Log redaction patterns incomplete for common sensitive data | #16 |
| 27 | Code Quality: Livewire components duplicate checkHadesAccess() method | #19 |
| 28 | Error Handling: RemoteServerManager writeFile() has command injection via base64 | #15 |
| 29 | Missing: phpseclib3 not in composer.json dependencies | #18 |
| 30 | Performance: Query logging enabled unconditionally in local environment | #12 |
| 31 | Testing: Test suite does not verify Hades authorization enforcement | #11 |
| 32 | Error Handling: LogReaderService silently fails on file operations | #10 |
| 33 | Security: Telescope hides insufficient request headers in production | #14 |
| 34 | Security: IP validation missing for Server model | #13 |
| 35 | Security: Hades cookie has 1-year expiry with no rotation | #8 |
| 36 | Security: DevController authorize() method undefined | #7 |
| 37 | Security: Missing HADES_TOKEN configuration in .env.example | #9 |
| 38 | Security: Missing workspace authorization check when creating Server records | #6 |
| 39 | Security: SQL injection vulnerability in Database query tool - stacked query bypass | #4 |
| 40 | Security: Server SSH connection test uses StrictHostKeyChecking=no | #5 |
| 41 | Missing: Webhook endpoint URL scheme validation | #19 |
| 42 | Missing: Tests for WebhookSecretRotationService grace period edge cases | #20 |
| 43 | Performance: ApiUsageDaily recordFromUsage performs multiple queries | #18 |
| 44 | Security: API key scopes exposed in 403 error responses | #17 |
| 45 | Missing: Webhook delivery retry job lacks idempotency key | #15 |
| 46 | Configuration: No environment variable validation for API config | #16 |
| 47 | Error Handling: MCP registry YAML files read without validation | #14 |
| 48 | Missing: Index on webhook_deliveries for needsDelivery scope | #12 |
| 49 | Code Quality: WebhookSignature generateSecret uses Str::random instead of cryptographic RNG | #13 |
| 50 | Error Handling: recordUsage() called synchronously on every request | #10 |
| 51 | Security: Rate limit sliding window stores individual timestamps - memory growth concern | #9 |
| 52 | Security: WebhookSecretController lacks authorization checks | #11 |
| 53 | Security: Webhook secret visible in API response after rotation | #7 |
| 54 | Missing: Tests for MCP API Controller tool execution | #8 |
| 55 | Performance: API key lookup requires loading all candidates with matching prefix | #6 |
| 56 | Security: Webhook URL SSRF vulnerability - no validation of internal/private network URLs | #4 |
| 57 | Security: MCP tool execution uses proc_open without output sanitization | #5 |
| 58 | Missing tests for Social API controllers | #2 |
| 59 | Verify ProductApiController implementation | #3 |
| 60 | Session data stored without encryption (SESSION_ENCRYPT=false) | #18 |
| 61 | Mass assignment vulnerability in ContentEditor save method | #17 |
| 62 | AdminPageSearchProvider returns hardcoded URLs without auth checking | #16 |
| 63 | Missing rate limiting on sensitive admin operations | #14 |
| 64 | XSS risk in GlobalSearch component's JSON encoding | #13 |
| 65 | Missing validation for sortField parameter allows SQL injection | #10 |
| 66 | Missing test coverage for critical admin operations | #11 |
| 67 | Cache flush in Platform.php may cause service disruption | #12 |
| 68 | Missing CSRF protection for Livewire file uploads | #9 |
| 69 | N+1 query risk in ContentManager computed properties | #8 |
| 70 | Missing route authentication middleware on admin routes | #7 |
| 71 | Missing authorization check on Dashboard and Console components | #4 |
| 72 | SQL injection risk via LIKE wildcards in search queries | #5 |
| 73 | Bug: CheckMcpQuota middleware checks wrong attribute name | #22 |
| 74 | Security: DataRedactor does not handle object properties | #21 |
| 75 | Performance: QueryDatabase tool fetches all results before truncation | #20 |
| 76 | Documentation: Missing env validation for sensitive configuration | #23 |
| 77 | Security: McpAuditLog hash chain has race condition in transaction | #18 |
| 78 | Configuration: Missing MCP config file with database and security settings | #17 |
| 79 | Security: ApiKeyManager Livewire component missing CSRF and rate limiting | #19 |
| 80 | Error Handling: QueryExecutionService swallows timeout configuration errors | #16 |
| 81 | Security: SqlQueryValidator whitelist regex may allow SQL injection via JOINs | #15 |
| 82 | Test Coverage: Missing tests for critical security components | #14 |
| 83 | Security: McpApiController namespace mismatch and missing authorization | #11 |
| 84 | Security: AuditLogService export method has no authorization check | #13 |
| 85 | Bug: UpgradePlan tool imports RequiresWorkspaceContext from wrong namespace | #10 |
| 86 | Security: McpAuthenticate accepts API key in query string | #8 |
| 87 | Performance: AuditLogService hash chain verification loads entire log table | #12 |
| 88 | Bug: CircuitBreaker imports wrong namespace for CircuitOpenException | #9 |
| 89 | Security: ListTables tool uses MySQL-specific SHOW TABLES query | #7 |
| 90 | Security: ListTables tool exposes all database tables without authorization | #6 |
| 91 | Security: CreateCoupon tool missing strict_types declaration | #4 |
| 92 | Multi-server federation for MCP | #3 |
| 93 | Security: CreateCoupon tool missing workspace context/authorization | #5 |
| 94 | WebSocket support for real-time MCP updates | #2 |
| 95 | Incomplete account deletion may leave orphaned data | #13 |
| 96 | Error handling gap: Webhook secret returned in creation response | #14 |
| 97 | Missing environment validation for sensitive configuration | #18 |
| 98 | Potential timing attack in invitation token verification | #17 |
| 99 | Race condition in workspace default switching | #11 |
| 100 | Missing test coverage for TotpService TOTP verification | #12 |
| 101 | Missing authorisation check in EntitlementApiController::summary | #10 |
| 102 | Missing rate limiting on sensitive entitlement API endpoints | #9 |
| 103 | Security: Hardcoded test credentials in DemoTestUserSeeder | #7 |
| 104 | Security: SQL injection-like pattern in search query | #8 |
| 105 | Complete UserStatsService TODO items | #2 |
| 106 | Security: SSRF protection missing DNS rebinding defence in webhook dispatch job | #6 |
| 107 | Refund::markAsSucceeded not wrapped in transaction with payment update | #28 |
| 108 | Missing strict_types in Refund model | #30 |
| 109 | CreditNoteService::autoApplyCredits lacks transaction wrapper | #27 |
| 110 | Fail-open VAT validation could allow tax evasion | #25 |
| 111 | Missing strict_types in CreditNote model | #29 |
| 112 | Missing tests for CommerceController API endpoints | #26 |
| 113 | API controller returns raw exception messages to clients | #22 |
| 114 | Missing rate limiting on Commerce API endpoints | #23 |
| 115 | ProcessDunning console command lacks mutex/locking for concurrent runs | #24 |
| 116 | Race condition in CreditNote::recordUsage without row locking | #21 |
| 117 | Missing strict_types in PaymentMethodService.php | #20 |
| 118 | Missing strict_types in CreditNoteService.php | #19 |
| 119 | Missing tests for UsageBillingService | #16 |
| 120 | Missing strict_types in RefundService.php | #18 |
| 121 | Missing return type declarations in CreditNote model scopes | #14 |
| 122 | Missing tests for PaymentMethodService | #17 |
| 123 | MySQL-specific raw SQL breaks database portability | #13 |
| 124 | Missing strict_types declaration in UsageBillingService.php | #11 |
| 125 | Weak random number generation in CreditNote reference number | #12 |
| 126 | Missing tests for CreditNoteService | #15 |
| 127 | Missing tests for critical fraud detection paths | #9 |
| 128 | Missing strict_types declaration in TaxService.php | #10 |
| 129 | Missing index validation and SQL injection protection in Coupon scopes | #6 |
| 130 | Missing database transaction in referral payout commission assignment | #8 |
| 131 | Potential N+1 query in StripeGateway::createCheckoutSession | #7 |
| 132 | Race condition in Order number generation | #5 |
| 133 | Missing strict type declaration in SubscriptionService.php | #3 |
| 134 | Warehouse & Fulfillment System | #2 |
| 135 | Race condition in Invoice number generation | #4 |
| 136 | [Audit] Architecture Patterns | #50 |
| 137 | [Audit] Database Query Optimization | #48 |
| 138 | [Audit] Error Handling and Recovery | #51 |
| 139 | [Audit] Concurrency and Race Condition Analysis | #47 |
| 140 | audit: API design and consistency | #44 |
| 141 | audit: Performance bottlenecks and optimization | #43 |
| 142 | [Audit] Multi-Tenancy Security | #23 |
| 143 | fix(composer): simplify dependencies for hello world setup | #21 |
| 144 | [Audit] Database Query Optimization | #23 |
| 145 | audit: Test coverage and quality | #42 |
| 146 | audit: Code complexity and maintainability | #41 |
| 147 | audit: Authentication and authorization flows | #38 |
| 148 | audit: Dependency vulnerabilities and supply chain | #39 |
| 149 | [Audit] Database Query Optimization | #22 |
| 150 | audit: OWASP Top 10 security review | #36 |
| 151 | audit: Input validation and sanitization | #37 |
| 152 | security(mcp): ContentTools.php accepts workspace as request parameter enabling cross-tenant access | #29 |
| 153 | quality(mcp): standardise tool schema and request input patterns to match MCP spec | #30 |
| 154 | epic(security): workspace isolation and authorisation hardening | #31 |
| 155 | epic(security): SQL query validation and execution safety | #32 |
| 156 | epic(fix): namespace and import corrections | #33 |
| 157 | epic(chore): configuration and documentation standardisation | #34 |
| 158 | Epic: Webhook Security Hardening | #27 |
| 159 | Epic: API Performance Optimisation | #28 |
| 160 | Epic: MCP API Hardening | #29 |
| 161 | Epic: API Test Coverage | #30 |
| 162 | security(trees): fix race condition in PlantTreeWithTFTF job | #77 |
| 163 | security(auth): replace LthnHash with bcrypt for password hashing | #78 |
| 164 | security(helpers): fix SSRF in File.php via unvalidated Http::get | #79 |
| 165 | security(input): sanitise route parameters in Sanitiser middleware | #80 |
| 166 | security(trees): validate $model parameter in TreeStatsController | #81 |
| 167 | security(tests): remove hardcoded API token from test file | #82 |
| 168 | quality(bouncer): move env() call to config file in BouncerMiddleware | #83 |
| 169 | security(api): prevent upstream body leakage in BuildsResponse | #84 |
| 170 | security(auth): add session configuration file | #85 |
| 171 | quality(logging): add correlation IDs to request logging | #86 |
| 172 | security(logging): prevent PII leakage in LogsActivity trait | #87 |
| 173 | performance(queries): fix N+1 queries in ConfigResolver, AdminMenuRegistry, activity feed, SeoScoreTrend | #88 |
| 174 | performance(queries): replace ::all() with chunking/cursors | #89 |
| 175 | security(bouncer): review overly permissive bypass patterns | #90 |
| 176 | performance(http): add caching headers middleware | #91 |
| 177 | quality(scanner): refactor ModuleScanner namespace detection | #92 |
| 178 | security(input): extend superglobal sanitisation to cookies and server vars | #93 |
| 179 | docs(arch): add architecture diagram | #94 |
| 180 | docs(decisions): add Architecture Decision Records | #95 |
| 181 | docs(changelog): create formal changelog | #96 |
| 182 | docs(guide): add user guide, FAQ, and troubleshooting | #97 |
| 183 | quality(tenant): fix BelongsToWorkspace trait location discrepancy | #98 |
| 184 | quality(errors): implement custom exception hierarchy | #99 |
| 185 | quality(registry): reduce code duplication in ModuleRegistry | #100 |
| 186 | test(unit): add unit tests for src/ classes | #101 |
| 187 | test(security): add security-specific test suite | #102 |
| 188 | test(integration): add integration tests | #103 |
| 189 | Epic: Performance Optimisation | #108 |
| 190 | Epic: Code Quality & Architecture | #109 |
| 191 | Epic: Documentation | #110 |
| 192 | Epic: Input Validation & Sanitisation | #105 |
| 193 | Epic: Security Hardening | #104 |
| 194 | Epic: Test Coverage | #106 |
| 195 | Epic: Error Handling & Observability | #107 |
---
## Summary
| Project | Items | Focus |
|---------|-------|-------|
| #1 Core.Framework | 0 (empty) | 10,000ft architectural decisions |
| #2 Workstation | 43 | Agentic task queue, cross-repo |
| #3 Core.PHP | 195 | Laravel/PHP security, quality, tests |
| #4 Core.GO & Core.CLI | 97 | Go framework, CLI, MCP, io abstraction |
| **Total** | **335** | |
### Categories at a glance
**Core.PHP (#3)** — Dominated by security findings and audit results:
- ~60 security vulnerabilities (SQL injection, SSRF, XSS, auth bypass, race conditions)
- ~30 missing strict_types / coding standards
- ~25 missing test coverage
- ~15 performance issues (N+1 queries, missing indexes)
- ~10 epics grouping related work
- ~10 audit tasks
- Misc: docs, config, quality
**Core.GO (#4)** — Feature development and refactoring:
- ~15 io/Medium abstraction migrations
- ~10 MCP server features (transports, daemon, health)
- ~10 help system features
- ~8 log/error unification
- ~8 collect commands (data gathering)
- ~7 ai/test commands
- ~7 documentation/config audit
- Misc: security hardening, accessibility
**Workstation (#2)** — Subset of #3 and #4 tagged for agentic execution:
- Features ready for AI agent implementation
- Epics spanning both Go and PHP

268
infra.yaml
View file

@ -1,268 +0,0 @@
# Infrastructure Configuration — Host UK Production
# This file is the source of truth for production topology.
# Used by: core prod status, core prod setup, core deploy ansible
# --- Hosts ---
hosts:
noc:
fqdn: noc.host.uk.com
ip: 77.42.42.205
private_ip: 10.0.0.4
type: hcloud
role: bastion
ssh:
user: root
key: ~/.ssh/hostuk
port: 22
services:
- coolify
de:
fqdn: de.host.uk.com
ip: 116.202.82.115
type: hrobot
role: app
ssh:
user: root
key: ~/.ssh/hostuk
port: 22
services:
- traefik
- app
- web
- horizon
- scheduler
- mcp
- redis
- galera
de2:
fqdn: de2.host.uk.com
ip: 88.99.195.41
type: hrobot
role: app
ssh:
user: root
key: ~/.ssh/hostuk
port: 22
services:
- traefik
- app
- web
- horizon
- scheduler
- mcp
- redis
- galera
build:
fqdn: build.de.host.uk.com
ip: 46.224.93.62
private_ip: 10.0.0.5
type: hcloud
role: builder
ssh:
user: root
key: ~/.ssh/hostuk
port: 22
services:
- forgejo-runner
# --- Load Balancer ---
load_balancer:
name: hermes
fqdn: hermes.lb.host.uk.com
provider: hetzner
type: lb11
location: fsn1
algorithm: round_robin
backends:
- host: de
port: 80
- host: de2
port: 80
health_check:
protocol: http
path: /health
interval: 15
listeners:
- frontend: 443
backend: 80
protocol: https
proxy_protocol: true
ssl:
certificate: "*.host.uk.com"
san:
- host.uk.com
# --- Private Network ---
network:
cidr: 10.0.0.0/16
name: host-uk-internal
# --- DNS ---
dns:
provider: cloudns
nameservers:
- ns1.lthn.io
- ns2.lthn.io
- ns3.lthn.io
- ns4.lthn.io
zones:
host.uk.com:
records:
- name: "@"
type: A
value: "{{.lb_ip}}"
ttl: 300
- name: "*"
type: CNAME
value: hermes.lb.host.uk.com
ttl: 300
- name: hermes.lb
type: A
value: "{{.lb_ip}}"
ttl: 300
- name: noc
type: A
value: 77.42.42.205
ttl: 300
- name: de
type: A
value: 116.202.82.115
ttl: 300
- name: de2
type: A
value: 88.99.195.41
ttl: 300
- name: build.de
type: A
value: 46.224.93.62
ttl: 300
# --- SSL ---
ssl:
wildcard:
domains:
- "*.host.uk.com"
- host.uk.com
method: dns-01
dns_provider: cloudns
termination: load_balancer
# --- Database ---
database:
engine: mariadb
version: "11"
cluster: galera
nodes:
- host: de
port: 3306
- host: de2
port: 3306
sst_method: mariabackup
backup:
schedule: "0 3 * * *"
destination: s3
bucket: hostuk
prefix: backup/galera/
# --- Cache ---
cache:
engine: redis
version: "7"
sentinel: true
nodes:
- host: de
port: 6379
- host: de2
port: 6379
# --- Containers (per app server) ---
containers:
app:
image: host-uk/app:latest
port: 9000
runtime: php-fpm
replicas: 1
web:
image: host-uk/web:latest
port: 80
runtime: nginx
depends_on: [app]
horizon:
image: host-uk/app:latest
command: php artisan horizon
replicas: 1
scheduler:
image: host-uk/app:latest
command: php artisan schedule:work
replicas: 1
mcp:
image: host-uk/core:latest
port: 9000
command: core mcp serve
replicas: 1
# --- Object Storage ---
s3:
endpoint: fsn1.your-objectstorage.com
buckets:
hostuk:
purpose: infra
paths:
- backup/galera/
- backup/coolify/
- backup/certs/
host-uk:
purpose: media
paths:
- uploads/
- assets/
# --- CDN ---
cdn:
provider: bunnycdn
origin: hermes.lb.host.uk.com
zones:
- "*.host.uk.com"
# --- CI/CD ---
cicd:
provider: forgejo
url: https://gitea.snider.dev
runner: build.de
registry: gitea.snider.dev
deploy_hook: coolify
# --- Monitoring ---
monitoring:
health_endpoints:
- url: https://host.uk.com/health
interval: 60
- url: https://bio.host.uk.com/health
interval: 60
alerts:
galera_cluster_size: 2
redis_sentinel_quorum: 2
# --- Backups ---
backups:
daily:
- name: galera
type: mysqldump
destination: s3://hostuk/backup/galera/
- name: coolify
type: tar
destination: s3://hostuk/backup/coolify/
- name: certs
type: tar
destination: s3://hostuk/backup/certs/
weekly:
- name: snapshot
type: hcloud-snapshot
hosts: [noc, build]

9
install.bat
View file

@ -27,13 +27,14 @@ if "!VARIANT!"=="{{CORE_VARIANT}}" (
REM === Configuration ===
set "VERSION=%~1"
if "%VERSION%"=="" set "VERSION=latest"
set "REPO=host-uk/core"
set "FORGE=https://forge.lthn.ai"
set "REPO=core/cli"
set "BINARY=core"
set "INSTALL_DIR=%LOCALAPPDATA%\Programs\core"
REM === Resolve Version ===
if "%VERSION%"=="latest" (
for /f "tokens=2 delims=:" %%a in ('curl -fsSL --max-time 10 "https://api.github.com/repos/%REPO%/releases/latest" ^| findstr "tag_name"') do (
for /f "tokens=2 delims=:" %%a in ('curl -fsSL --max-time 10 "%FORGE%/api/v1/repos/%REPO%/releases/latest" ^| findstr "tag_name"') do (
set "VERSION=%%a"
set "VERSION=!VERSION:"=!"
set "VERSION=!VERSION: =!"
@ -121,7 +122,7 @@ set "_result=%~2"
REM Try variant-specific first, then full
if not "%_variant%"=="" (
set "_try=%BINARY%-%_variant%-windows-amd64.zip"
curl -fsSLI --max-time 10 "https://github.com/%REPO%/releases/download/!VERSION!/!_try!" 2>nul | findstr /r "HTTP/[12].* [23][0-9][0-9]" >nul
curl -fsSLI --max-time 10 "%FORGE%/%REPO%/releases/download/!VERSION!/!_try!" 2>nul | findstr /r "HTTP/[12].* [23][0-9][0-9]" >nul
if not errorlevel 1 (
set "%_result%=!_try!"
exit /b 0
@ -133,7 +134,7 @@ set "%_result%=%BINARY%-windows-amd64.zip"
exit /b 0
:download_and_extract
curl -fsSL --connect-timeout 10 "https://github.com/%REPO%/releases/download/!VERSION!/!ARCHIVE!" -o "%TEMP%\!ARCHIVE!"
curl -fsSL --connect-timeout 10 "%FORGE%/%REPO%/releases/download/!VERSION!/!ARCHIVE!" -o "%TEMP%\!ARCHIVE!"
if errorlevel 1 (
echo ERROR: Failed to download !ARCHIVE!
exit /b 1

9
install.sh
View file

@ -25,7 +25,8 @@ VARIANT="{{CORE_VARIANT}}" # go, php, agent (when MODE=variant)
# === Configuration ===
VERSION="${1:-latest}"
REPO="host-uk/core"
FORGE="https://forge.lthn.ai"
REPO="core/cli"
BINARY="core"
# === Colours ===
@ -62,9 +63,9 @@ detect_platform() {
resolve_version() {
if [ "$VERSION" = "latest" ]; then
info "Fetching latest version..."
VERSION=$(curl -fsSL --max-time 10 "https://api.github.com/repos/${REPO}/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
VERSION=$(curl -fsSL --max-time 10 "${FORGE}/api/v1/repos/${REPO}/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$VERSION" ]; then
error "Failed to fetch latest version from GitHub API"
error "Failed to fetch latest version from Forge API"
fi
fi
}
@ -88,7 +89,7 @@ find_archive() {
candidates+=("${base}-${OS}-${ARCH}.tar.gz")
for archive in "${candidates[@]}"; do
local url="https://github.com/${REPO}/releases/download/${VERSION}/${archive}"
local url="${FORGE}/${REPO}/releases/download/${VERSION}/${archive}"
if url_exists "$url"; then
ARCHIVE="$archive"
DOWNLOAD_URL="$url"