roadmap: php-api production readiness #20
PHP API Production Readiness Roadmap
This roadmap tracks all improvements needed to bring core/php-api to production-ready status. All items were auto-discovered via a comprehensive codebase scan on 2026-02-20.
🔴 High Priority - Security & Critical Testing
Security Testing
Critical Missing Tests
🟡 Medium Priority - Feature Completion & Testing
Missing Test Coverage
Code Quality - Refactoring
🟢 Low Priority - Polish & Documentation
Documentation
Infrastructure
📊 Summary Statistics
Total Issues Created: 17
Security-Sensitive: 3 issues (#3, #5, #8)
Needs Human Review: 2 issues (#5, #19)
✅ Already Production-Ready
Excellent Security Practices Found
✓ API Key Hashing - Bcrypt with legacy SHA-256 support
✓ Webhook Signatures - HMAC-SHA256 with timing-safe comparison
✓ Rate Limiting - Sophisticated sliding window with burst allowance
✓ SQL Injection Protection - All queries use Eloquent ORM parameterization
✓ XSS Protection - Proper output escaping
✓ Mass Assignment Protection - All models define $fillable arrays
✓ Secure Randomness - Uses Str::random() / random_bytes()
✓ Input Validation - Comprehensive request validation
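Two of the practices listed above, HMAC-SHA256 webhook signatures with a timing-safe comparison and bcrypt API-key hashing with a legacy SHA-256 fallback, are shown below as an added illustration in plain PHP 8. This is not code from core/php-api; the header name, the "t=<unix>,v1=<hex>" signature format, the 300-second replay window and the "legacy:" hash prefix are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from core/php-api. Header name, signature format,
// replay window and the "legacy:" prefix are assumptions for illustration.

const SIGNATURE_TOLERANCE_SECONDS = 300;

/**
 * Build the value of the (assumed) X-Webhook-Signature header.
 * The timestamp is bound into the MAC, so a captured delivery cannot be
 * replayed outside the tolerance window without breaking the signature.
 */
function signWebhook(string $secret, string $payload, int $timestamp): string
{
    $mac = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    return "t={$timestamp},v1={$mac}";
}

/**
 * Verify a delivery. Returns true only if the timestamp is fresh and the
 * MAC matches. hash_equals() compares in constant time, so an attacker
 * cannot learn the correct MAC byte by byte from response timing.
 */
function verifyWebhook(string $secret, string $payload, string $header, int $now): bool
{
    if (!preg_match('/^t=(\d+),v1=([0-9a-f]{64})$/', $header, $m)) {
        return false; // malformed header
    }
    $timestamp = (int) $m[1];
    if (abs($now - $timestamp) > SIGNATURE_TOLERANCE_SECONDS) {
        return false; // stale or future-dated: treat as a replay
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    return hash_equals($expected, $m[2]);
}

/**
 * Verify an API key against its stored hash. New keys are stored with
 * password_hash() (bcrypt); keys issued before the migration are stored as
 * "legacy:" . sha256(key). A legacy match is accepted and the caller is
 * handed a fresh bcrypt hash to persist, so the SHA-256 form is retired on
 * the key's next successful use.
 *
 * @return array{ok: bool, rehash: ?string}
 */
function verifyApiKey(string $presentedKey, string $storedHash): array
{
    if (str_starts_with($storedHash, 'legacy:')) {
        $legacyDigest = substr($storedHash, strlen('legacy:'));
        $ok = hash_equals($legacyDigest, hash('sha256', $presentedKey));
        return [
            'ok'     => $ok,
            'rehash' => $ok ? password_hash($presentedKey, PASSWORD_BCRYPT) : null,
        ];
    }
    return ['ok' => password_verify($presentedKey, $storedHash), 'rehash' => null];
}

// Constructed demo data (not taken from the project).
$secret  = bin2hex(random_bytes(32));
$payload = '{"event":"invoice.paid","id":"inv_123"}';
$now     = time();

$header = signWebhook($secret, $payload, $now);
var_dump(verifyWebhook($secret, $payload, $header, $now));          // untouched delivery
var_dump(verifyWebhook($secret, $payload . ' ', $header, $now));    // body tampered
var_dump(verifyWebhook($secret, $payload, $header, $now + 3600));   // outside the window

$apiKey = bin2hex(random_bytes(32));
$legacy = 'legacy:' . hash('sha256', $apiKey);
$first  = verifyApiKey($apiKey, $legacy);                           // legacy path, returns rehash
var_dump($first['ok']);
var_dump(verifyApiKey($apiKey, $first['rehash'])['ok']);            // bcrypt path from now on
var_dump(verifyApiKey('wrong-key', $first['rehash'])['ok']);
```

Two caveats a reviewer of the real implementation would check: the timestamp must be part of the signed data (not just a separate header), otherwise the replay window is decorative; and bcrypt only consumes the first 72 bytes of its input, so API keys longer than that must be pre-hashed before password_hash() or the tail of the key is silently ignored.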
Strong Test Coverage (11 existing test files)
✓ API Key Security (rotation, hashing, IP whitelisting)
✓ Webhook Delivery (signatures, retries, exponential backoff)
✓ Rate Limiting (tier-based, headers, quotas)
✓ Scope Enforcement (wildcards, inheritance)
✓ OpenAPI Documentation (schema generation, attributes)
🎯 Recommended Implementation Order
Phase 1: Security (Week 1)
Phase 2: Core Functionality (Week 2)
Phase 3: API Surface (Week 3)
Phase 4: Polish (Week 4)
Phase 5: Review & Deploy
📝 Notes
This is a mature, well-built API package that needs test coverage and minor polish, not major architectural changes.
Auto-generated by Clotho AI (agent201) on 2026-02-20
Scan covered 107 PHP files (71 production, 11 tests, 25 migrations/views)
Closing roadmap tracker — individual issues are labelled and triaged. Track progress via P1/P2/P3 labels.
— Charon