# GitHub Projects Recovery — host-uk org

> Recovered 2026-02-08 from flagged GitHub org before potential data loss.
> Projects 1 (Core.Framework) was empty. Projects 2, 3, 4 captured below.

---

## Project 2: Workstation (43 items)

> Agentic task queue — issues labelled agent:ready across all host-uk repos.

| # | Title | Issue |
|---|-------|-------|
| 1 | feat: add workspace.yaml support for unified package commands | #38 |
| 2 | feat: add core setup command for GitHub repo configuration | #45 |
| 3 | docs sync ignores packages_dir from workspace.yaml | #46 |
| 4 | feat: add core qa command area for CI/workflow monitoring | #47 |
| 5 | feat: add core security command to expose Dependabot and code scanning alerts | #48 |
| 6 | feat: add core monitor to aggregate free tier scanner results | #49 |
| 7 | feat: add core qa issues for intelligent issue triage | #61 |
| 8 | feat: add core qa review for PR review status | #62 |
| 9 | feat: add core qa health for aggregate CI health | #63 |
| 10 | feat(dev): add safe git operations for AI agents | #53 |
| 11 | docs(mcp): Document MCP server setup and usage | #125 |
| 12 | feat: Implement persistent MCP server in daemon mode | #118 |
| 13 | chore(io): Migrate pkg/agentic to Medium abstraction | #104 |
| 14 | feat: Evolve pkg/io from Medium abstraction to io.Node (Borg + Enchantrix) | #101 |
| 15 | Add streaming API to pkg/io/local for large file handling | #224 |
| 16 | feat(hooks): Add core ai hook for async test running | #262 |
| 17 | feat(ai): Add core ai spawn for parallel agent tasks | #260 |
| 18 | feat(ai): Add core ai cost for budget tracking | #261 |
| 19 | feat(ai): Add core ai session for session management | #259 |
| 20 | feat(test): Add smart test detection to core test | #258 |
| 21 | feat(test): Add core test --watch continuous testing mode | #257 |
| 22 | feat(collect): Add core collect dispatch event hook system | #256 |
| 23 | feat(collect): Add core collect process command | #255 |
| 24 | feat(collect): Add core collect excavate command | #254 |
| 25 | feat(collect): Add core collect papers command | #253 |
| 26 | feat(collect): Add core collect bitcointalk command | #251 |
| 27 | feat(collect): Add core collect market command | #252 |
| 28 | feat(collect): Add core collect github command | #250 |
| 29 | epic(security): workspace isolation and authorisation hardening | #31 |
| 30 | epic(security): SQL query validation and execution safety | #32 |
| 31 | epic(fix): namespace and import corrections | #33 |
| 32 | epic(chore): configuration and documentation standardisation | #34 |
| 33 | Epic: Webhook Security Hardening | #27 |
| 34 | Epic: API Performance Optimisation | #28 |
| 35 | Epic: MCP API Hardening | #29 |
| 36 | Epic: API Test Coverage | #30 |
| 37 | Epic: Security Hardening | #104 |
| 38 | Epic: Input Validation & Sanitisation | #105 |
| 39 | Epic: Test Coverage | #106 |
| 40 | Epic: Error Handling & Observability | #107 |
| 41 | Epic: Performance Optimisation | #108 |
| 42 | Epic: Code Quality & Architecture | #109 |
| 43 | Epic: Documentation | #110 |

---

## Project 4: Core.GO & Core.CLI (97 items)

> Go framework and CLI development — host-uk/core repo. Filter by lang:go label.

| # | Title | Issue |
|---|-------|-------|
| 1 | feat: add workspace.yaml support for unified package commands | #38 |
| 2 | feat: add core setup command for GitHub repo configuration | #45 |
| 3 | docs sync ignores packages_dir from workspace.yaml | #46 |
| 4 | feat: add core qa command area for CI/workflow monitoring | #47 |
| 5 | feat: add core security command to expose Dependabot and code scanning alerts | #48 |
| 6 | feat: add core monitor to aggregate free tier scanner results | #49 |
| 7 | feat(crypt): Implement standalone pkg/crypt with modern cryptographic primitives | #168 |
| 8 | feat(cli): Implement build variants for reduced attack surface | #171 |
| 9 | feat(config): Implement standalone pkg/config with layered configuration | #167 |
| 10 | feat(io): Fix pkg/io import and add symlink-safe path validation | #169 |
| 11 | feat(plugin): Consolidate pkg/module into pkg/plugin with GitHub installation | #170 |
| 12 | feat(help): Implement full-text search | #139 |
| 13 | feat(help): Implement Catalog and Topic types | #138 |
| 14 | feat(help): Implement markdown parsing and section extraction | #137 |
| 15 | feat(help): Remove Wails dependencies from pkg/help | #134 |
| 16 | feat(help): Add CLI help command | #136 |
| 17 | docs(help): Create help content for core CLI | #135 |
| 18 | feat(help): Implement display-agnostic help system for CLI and GUI | #133 |
| 19 | chore(log): Remove deprecated pkg/errors package | #131 |
| 20 | feat(log): Add combined log-and-return error helpers | #129 |
| 21 | chore(log): Create pkg/errors deprecation alias | #128 |
| 22 | feat(log): Unify pkg/errors and pkg/log into single logging package | #127 |
| 23 | feat(mcp): Add TCP transport | #126 |
| 24 | docs(mcp): Document MCP server setup and usage | #125 |
| 25 | feat(mcp): Add MCP command for manual server control | #124 |
| 26 | feat(mcp): Create MCPService for framework integration | #122 |
| 27 | feat(mcp): Add health check integration | #123 |
| 28 | chore(log): Migrate pkg/errors imports to pkg/log | #130 |
| 29 | feat(mcp): Add connection management and graceful draining | #121 |
| 30 | feat(mcp): Add daemon mode detection and auto-start | #119 |
| 31 | feat(mcp): Add Unix socket transport | #120 |
| 32 | feat: Implement persistent MCP server in daemon mode | #118 |
| 33 | chore(io): Migrate internal/cmd/setup to Medium abstraction | #116 |
| 34 | chore(io): Migrate internal/cmd/docs to Medium abstraction | #113 |
| 35 | chore(io): Migrate remaining internal/cmd/* to Medium abstraction | #117 |
| 36 | chore(io): Migrate internal/cmd/dev to Medium abstraction | #114 |
| 37 | chore(io): Migrate internal/cmd/sdk to Medium abstraction | #115 |
| 38 | chore(io): Migrate internal/cmd/php to Medium abstraction | #112 |
| 39 | feat(log): Add error creation functions to pkg/log | #132 |
| 40 | chore(io): Migrate pkg/cache to Medium abstraction | #111 |
| 41 | chore(io): Migrate pkg/devops to Medium abstraction | #110 |
| 42 | chore(io): Migrate pkg/cli to Medium abstraction | #107 |
| 43 | chore(io): Migrate pkg/build to Medium abstraction | #109 |
| 44 | chore(io): Migrate pkg/container to Medium abstraction | #105 |
| 45 | chore(io): Migrate pkg/repos to Medium abstraction | #108 |
| 46 | feat(io): Migrate pkg/mcp to use Medium abstraction | #103 |
| 47 | chore(io): Migrate pkg/release to Medium abstraction | #106 |
| 48 | chore(io): Migrate pkg/agentic to Medium abstraction | #104 |
| 49 | feat(io): Extend Medium interface with missing operations | #102 |
| 50 | fix(php): core php ci improvements needed | #92 |
| 51 | CLI Output: Color contrast audit and terminal adaptation | #99 |
| 52 | feat: Evolve pkg/io from Medium abstraction to io.Node (Borg + Enchantrix) | #101 |
| 53 | Documentation: Improve Accessibility | #89 |
| 54 | Web UI: Audit Angular App Accessibility | #88 |
| 55 | Add configuration documentation to README | #236 |
| 56 | Add Architecture Decision Records (ADRs) | #237 |
| 57 | Add user documentation: user guide, FAQ, troubleshooting guide | #235 |
| 58 | Add CHANGELOG.md to track version changes | #234 |
| 59 | Add CONTRIBUTING.md with contribution guidelines | #233 |
| 60 | Create centralized configuration service to reduce code duplication | #232 |
| 61 | Update README.md to reflect actual configuration management implementation | #231 |
| 62 | Centralize user-facing error strings in i18n translation files | #230 |
| 63 | Log all errors at handling point with contextual information | #229 |
| 64 | Implement panic recovery mechanism with graceful shutdown | #228 |
| 65 | Standardize on cli.Error for user-facing errors, deprecate cli.Fatal | #227 |
| 66 | Add linker flags (-s -w) to reduce binary size | #226 |
| 67 | Use background goroutines for long-running operations to prevent UI blocking | #225 |
| 68 | Add streaming API to pkg/io/local for large file handling | #224 |
| 69 | Fix Go environment to run govulncheck for dependency scanning | #223 |
| 70 | Sanitize user input in execInContainer to prevent injection | #222 |
| 71 | Configure branch coverage measurement in test tooling | #220 |
| 72 | Remove StrictHostKeyChecking=no from SSH commands | #221 |
| 73 | Implement authentication and authorization features described in README | #217 |
| 74 | Add tests for edge cases, error paths, and integration scenarios | #219 |
| 75 | Increase test coverage for low-coverage packages (cli, internal/cmd/dev) | #218 |
| 76 | Introduce typed messaging system for IPC (replace interface{}) | #216 |
| 77 | Refactor Core struct to smaller, focused components (ServiceManager, MessageBus, LifecycleManager) | #215 |
| 78 | Implement structured logging (JSON format) | #212 |
| 79 | Implement log retention policy | #214 |
| 80 | Add logging for security events (authentication, access) | #213 |
| 81 | feat(setup): add .core/setup.yaml for dev environment bootstrapping | #211 |
| 82 | audit: Documentation completeness and quality | #192 |
| 83 | audit: API design and consistency | #191 |
| 84 | [Audit] Concurrency and Race Condition Analysis | #197 |
| 85 | feat(hooks): Add core ai hook for async test running | #262 |
| 86 | feat(ai): Add core ai spawn for parallel agent tasks | #260 |
| 87 | feat(ai): Add core ai cost for budget tracking | #261 |
| 88 | feat(ai): Add core ai session for session management | #259 |
| 89 | feat(test): Add smart test detection to core test | #258 |
| 90 | feat(test): Add core test --watch continuous testing mode | #257 |
| 91 | feat(collect): Add core collect dispatch event hook system | #256 |
| 92 | feat(collect): Add core collect process command | #255 |
| 93 | feat(collect): Add core collect excavate command | #254 |
| 94 | feat(collect): Add core collect bitcointalk command | #251 |
| 95 | feat(collect): Add core collect papers command | #253 |
| 96 | feat(collect): Add core collect market command | #252 |
| 97 | feat(collect): Add core collect github command | #250 |

---

## Project 3: Core.PHP (195 items)

> Laravel/PHP ecosystem — all core-* packages. Filter by lang:php label.

| # | Title | Issue |
|---|-------|-------|
| 1 | Dependency: Consider adding security scanning to CI pipeline | #31 |
| 2 | Concurrency: Sanitiser preset registration not thread-safe | #32 |
| 3 | Documentation: Missing SECURITY.md with vulnerability reporting process | #30 |
| 4 | Error Handling: ResilientSession redirect loop potential | #28 |
| 5 | Configuration: ConfigValue encryption may cause issues during APP_KEY rotation | #25 |
| 6 | Testing: Missing test coverage for critical security components | #23 |
| 7 | Security: HadesEncrypt embeds hardcoded public key | #21 |
| 8 | Security: SafeWebhookUrl DNS rebinding vulnerability | #17 |
| 9 | Performance: selectRaw queries may have missing indexes | #19 |
| 10 | Core Bouncer: Request Whitelisting System | #14 |
| 11 | Security: ManagesTokens trait stores tokens in memory without protection | #18 |
| 12 | Trees: Consolidate subscriber monthly command from Commerce module | #12 |
| 13 | Trees: Webhook/API for TFTF confirmation | #13 |
| 14 | CSRF token not automatically attached in bootstrap.js | #17 |
| 15 | Missing exception handling configuration in bootstrap/app.php | #15 |
| 16 | CI workflow only runs on main branch but repo uses dev as main | #14 |
| 17 | Minimal test coverage for a best-practices template | #16 |
| 18 | Missing declare(strict_types=1) in PHP files violates coding standards | #12 |
| 19 | Dependencies using dev-main branches instead of stable versions | #13 |
| 20 | Security: No HTTPS enforcement in production | #11 |
| 21 | Security: SESSION_ENCRYPT=false in .env.example is insecure default | #8 |
| 22 | Security: No rate limiting configured for any routes | #10 |
| 23 | Security: Missing security headers middleware by default | #9 |
| 24 | Security: ActivityLog query vulnerable to SQL wildcard injection | #20 |
| 25 | Missing: Rate limiting not applied to Livewire component methods | #17 |
| 26 | Missing: Log redaction patterns incomplete for common sensitive data | #16 |
| 27 | Code Quality: Livewire components duplicate checkHadesAccess() method | #19 |
| 28 | Error Handling: RemoteServerManager writeFile() has command injection via base64 | #15 |
| 29 | Missing: phpseclib3 not in composer.json dependencies | #18 |
| 30 | Performance: Query logging enabled unconditionally in local environment | #12 |
| 31 | Testing: Test suite does not verify Hades authorization enforcement | #11 |
| 32 | Error Handling: LogReaderService silently fails on file operations | #10 |
| 33 | Security: Telescope hides insufficient request headers in production | #14 |
| 34 | Security: IP validation missing for Server model | #13 |
| 35 | Security: Hades cookie has 1-year expiry with no rotation | #8 |
| 36 | Security: DevController authorize() method undefined | #7 |
| 37 | Security: Missing HADES_TOKEN configuration in .env.example | #9 |
| 38 | Security: Missing workspace authorization check when creating Server records | #6 |
| 39 | Security: SQL injection vulnerability in Database query tool - stacked query bypass | #4 |
| 40 | Security: Server SSH connection test uses StrictHostKeyChecking=no | #5 |
| 41 | Missing: Webhook endpoint URL scheme validation | #19 |
| 42 | Missing: Tests for WebhookSecretRotationService grace period edge cases | #20 |
| 43 | Performance: ApiUsageDaily recordFromUsage performs multiple queries | #18 |
| 44 | Security: API key scopes exposed in 403 error responses | #17 |
| 45 | Missing: Webhook delivery retry job lacks idempotency key | #15 |
| 46 | Configuration: No environment variable validation for API config | #16 |
| 47 | Error Handling: MCP registry YAML files read without validation | #14 |
| 48 | Missing: Index on webhook_deliveries for needsDelivery scope | #12 |
| 49 | Code Quality: WebhookSignature generateSecret uses Str::random instead of cryptographic RNG | #13 |
| 50 | Error Handling: recordUsage() called synchronously on every request | #10 |
| 51 | Security: Rate limit sliding window stores individual timestamps - memory growth concern | #9 |
| 52 | Security: WebhookSecretController lacks authorization checks | #11 |
| 53 | Security: Webhook secret visible in API response after rotation | #7 |
| 54 | Missing: Tests for MCP API Controller tool execution | #8 |
| 55 | Performance: API key lookup requires loading all candidates with matching prefix | #6 |
| 56 | Security: Webhook URL SSRF vulnerability - no validation of internal/private network URLs | #4 |
| 57 | Security: MCP tool execution uses proc_open without output sanitization | #5 |
| 58 | Missing tests for Social API controllers | #2 |
| 59 | Verify ProductApiController implementation | #3 |
| 60 | Session data stored without encryption (SESSION_ENCRYPT=false) | #18 |
| 61 | Mass assignment vulnerability in ContentEditor save method | #17 |
| 62 | AdminPageSearchProvider returns hardcoded URLs without auth checking | #16 |
| 63 | Missing rate limiting on sensitive admin operations | #14 |
| 64 | XSS risk in GlobalSearch component's JSON encoding | #13 |
| 65 | Missing validation for sortField parameter allows SQL injection | #10 |
| 66 | Missing test coverage for critical admin operations | #11 |
| 67 | Cache flush in Platform.php may cause service disruption | #12 |
| 68 | Missing CSRF protection for Livewire file uploads | #9 |
| 69 | N+1 query risk in ContentManager computed properties | #8 |
| 70 | Missing route authentication middleware on admin routes | #7 |
| 71 | Missing authorization check on Dashboard and Console components | #4 |
| 72 | SQL injection risk via LIKE wildcards in search queries | #5 |
| 73 | Bug: CheckMcpQuota middleware checks wrong attribute name | #22 |
| 74 | Security: DataRedactor does not handle object properties | #21 |
| 75 | Performance: QueryDatabase tool fetches all results before truncation | #20 |
| 76 | Documentation: Missing env validation for sensitive configuration | #23 |
| 77 | Security: McpAuditLog hash chain has race condition in transaction | #18 |
| 78 | Configuration: Missing MCP config file with database and security settings | #17 |
| 79 | Security: ApiKeyManager Livewire component missing CSRF and rate limiting | #19 |
| 80 | Error Handling: QueryExecutionService swallows timeout configuration errors | #16 |
| 81 | Security: SqlQueryValidator whitelist regex may allow SQL injection via JOINs | #15 |
| 82 | Test Coverage: Missing tests for critical security components | #14 |
| 83 | Security: McpApiController namespace mismatch and missing authorization | #11 |
| 84 | Security: AuditLogService export method has no authorization check | #13 |
| 85 | Bug: UpgradePlan tool imports RequiresWorkspaceContext from wrong namespace | #10 |
| 86 | Security: McpAuthenticate accepts API key in query string | #8 |
| 87 | Performance: AuditLogService hash chain verification loads entire log table | #12 |
| 88 | Bug: CircuitBreaker imports wrong namespace for CircuitOpenException | #9 |
| 89 | Security: ListTables tool uses MySQL-specific SHOW TABLES query | #7 |
| 90 | Security: ListTables tool exposes all database tables without authorization | #6 |
| 91 | Security: CreateCoupon tool missing strict_types declaration | #4 |
| 92 | Multi-server federation for MCP | #3 |
| 93 | Security: CreateCoupon tool missing workspace context/authorization | #5 |
| 94 | WebSocket support for real-time MCP updates | #2 |
| 95 | Incomplete account deletion may leave orphaned data | #13 |
| 96 | Error handling gap: Webhook secret returned in creation response | #14 |
| 97 | Missing environment validation for sensitive configuration | #18 |
| 98 | Potential timing attack in invitation token verification | #17 |
| 99 | Race condition in workspace default switching | #11 |
| 100 | Missing test coverage for TotpService TOTP verification | #12 |
| 101 | Missing authorisation check in EntitlementApiController::summary | #10 |
| 102 | Missing rate limiting on sensitive entitlement API endpoints | #9 |
| 103 | Security: Hardcoded test credentials in DemoTestUserSeeder | #7 |
| 104 | Security: SQL injection-like pattern in search query | #8 |
| 105 | Complete UserStatsService TODO items | #2 |
| 106 | Security: SSRF protection missing DNS rebinding defence in webhook dispatch job | #6 |
| 107 | Refund::markAsSucceeded not wrapped in transaction with payment update | #28 |
| 108 | Missing strict_types in Refund model | #30 |
| 109 | CreditNoteService::autoApplyCredits lacks transaction wrapper | #27 |
| 110 | Fail-open VAT validation could allow tax evasion | #25 |
| 111 | Missing strict_types in CreditNote model | #29 |
| 112 | Missing tests for CommerceController API endpoints | #26 |
| 113 | API controller returns raw exception messages to clients | #22 |
| 114 | Missing rate limiting on Commerce API endpoints | #23 |
| 115 | ProcessDunning console command lacks mutex/locking for concurrent runs | #24 |
| 116 | Race condition in CreditNote::recordUsage without row locking | #21 |
| 117 | Missing strict_types in PaymentMethodService.php | #20 |
| 118 | Missing strict_types in CreditNoteService.php | #19 |
| 119 | Missing tests for UsageBillingService | #16 |
| 120 | Missing strict_types in RefundService.php | #18 |
| 121 | Missing return type declarations in CreditNote model scopes | #14 |
| 122 | Missing tests for PaymentMethodService | #17 |
| 123 | MySQL-specific raw SQL breaks database portability | #13 |
| 124 | Missing strict_types declaration in UsageBillingService.php | #11 |
| 125 | Weak random number generation in CreditNote reference number | #12 |
| 126 | Missing tests for CreditNoteService | #15 |
| 127 | Missing tests for critical fraud detection paths | #9 |
| 128 | Missing strict_types declaration in TaxService.php | #10 |
| 129 | Missing index validation and SQL injection protection in Coupon scopes | #6 |
| 130 | Missing database transaction in referral payout commission assignment | #8 |
| 131 | Potential N+1 query in StripeGateway::createCheckoutSession | #7 |
| 132 | Race condition in Order number generation | #5 |
| 133 | Missing strict type declaration in SubscriptionService.php | #3 |
| 134 | Warehouse & Fulfillment System | #2 |
| 135 | Race condition in Invoice number generation | #4 |
| 136 | [Audit] Architecture Patterns | #50 |
| 137 | [Audit] Database Query Optimization | #48 |
| 138 | [Audit] Error Handling and Recovery | #51 |
| 139 | [Audit] Concurrency and Race Condition Analysis | #47 |
| 140 | audit: API design and consistency | #44 |
| 141 | audit: Performance bottlenecks and optimization | #43 |
| 142 | [Audit] Multi-Tenancy Security | #23 |
| 143 | fix(composer): simplify dependencies for hello world setup | #21 |
| 144 | [Audit] Database Query Optimization | #23 |
| 145 | audit: Test coverage and quality | #42 |
| 146 | audit: Code complexity and maintainability | #41 |
| 147 | audit: Authentication and authorization flows | #38 |
| 148 | audit: Dependency vulnerabilities and supply chain | #39 |
| 149 | [Audit] Database Query Optimization | #22 |
| 150 | audit: OWASP Top 10 security review | #36 |
| 151 | audit: Input validation and sanitization | #37 |
| 152 | security(mcp): ContentTools.php accepts workspace as request parameter enabling cross-tenant access | #29 |
| 153 | quality(mcp): standardise tool schema and request input patterns to match MCP spec | #30 |
| 154 | epic(security): workspace isolation and authorisation hardening | #31 |
| 155 | epic(security): SQL query validation and execution safety | #32 |
| 156 | epic(fix): namespace and import corrections | #33 |
| 157 | epic(chore): configuration and documentation standardisation | #34 |
| 158 | Epic: Webhook Security Hardening | #27 |
| 159 | Epic: API Performance Optimisation | #28 |
| 160 | Epic: MCP API Hardening | #29 |
| 161 | Epic: API Test Coverage | #30 |
| 162 | security(trees): fix race condition in PlantTreeWithTFTF job | #77 |
| 163 | security(auth): replace LthnHash with bcrypt for password hashing | #78 |
| 164 | security(helpers): fix SSRF in File.php via unvalidated Http::get | #79 |
| 165 | security(input): sanitise route parameters in Sanitiser middleware | #80 |
| 166 | security(trees): validate $model parameter in TreeStatsController | #81 |
| 167 | security(tests): remove hardcoded API token from test file | #82 |
| 168 | quality(bouncer): move env() call to config file in BouncerMiddleware | #83 |
| 169 | security(api): prevent upstream body leakage in BuildsResponse | #84 |
| 170 | security(auth): add session configuration file | #85 |
| 171 | quality(logging): add correlation IDs to request logging | #86 |
| 172 | security(logging): prevent PII leakage in LogsActivity trait | #87 |
| 173 | performance(queries): fix N+1 queries in ConfigResolver, AdminMenuRegistry, activity feed, SeoScoreTrend | #88 |
| 174 | performance(queries): replace ::all() with chunking/cursors | #89 |
| 175 | security(bouncer): review overly permissive bypass patterns | #90 |
| 176 | performance(http): add caching headers middleware | #91 |
| 177 | quality(scanner): refactor ModuleScanner namespace detection | #92 |
| 178 | security(input): extend superglobal sanitisation to cookies and server vars | #93 |
| 179 | docs(arch): add architecture diagram | #94 |
| 180 | docs(decisions): add Architecture Decision Records | #95 |
| 181 | docs(changelog): create formal changelog | #96 |
| 182 | docs(guide): add user guide, FAQ, and troubleshooting | #97 |
| 183 | quality(tenant): fix BelongsToWorkspace trait location discrepancy | #98 |
| 184 | quality(errors): implement custom exception hierarchy | #99 |
| 185 | quality(registry): reduce code duplication in ModuleRegistry | #100 |
| 186 | test(unit): add unit tests for src/ classes | #101 |
| 187 | test(security): add security-specific test suite | #102 |
| 188 | test(integration): add integration tests | #103 |
| 189 | Epic: Performance Optimisation | #108 |
| 190 | Epic: Code Quality & Architecture | #109 |
| 191 | Epic: Documentation | #110 |
| 192 | Epic: Input Validation & Sanitisation | #105 |
| 193 | Epic: Security Hardening | #104 |
| 194 | Epic: Test Coverage | #106 |
| 195 | Epic: Error Handling & Observability | #107 |

---

## Summary

| Project | Items | Focus |
|---------|-------|-------|
| #1 Core.Framework | 0 (empty) | 10,000ft architectural decisions |
| #2 Workstation | 43 | Agentic task queue, cross-repo |
| #3 Core.PHP | 195 | Laravel/PHP security, quality, tests |
| #4 Core.GO & Core.CLI | 97 | Go framework, CLI, MCP, io abstraction |
| **Total** | **335** | |

### Categories at a glance

**Core.PHP (#3)** — Dominated by security findings and audit results:
- ~60 security vulnerabilities (SQL injection, SSRF, XSS, auth bypass, race conditions)
- ~30 missing strict_types / coding standards
- ~25 missing test coverage
- ~15 performance issues (N+1 queries, missing indexes)
- ~10 epics grouping related work
- ~10 audit tasks
- Misc: docs, config, quality

**Core.GO (#4)** — Feature development and refactoring:
- ~15 io/Medium abstraction migrations
- ~10 MCP server features (transports, daemon, health)
- ~10 help system features
- ~8 log/error unification
- ~8 collect commands (data gathering)
- ~7 ai/test commands
- ~7 documentation/config audit
- Misc: security hardening, accessibility

**Workstation (#2)** — Subset of #3 and #4 tagged for agentic execution:
- Features ready for AI agent implementation
- Epics spanning both Go and PHP