No description
Clotho
7c73d3c043
Phase 0 Assessment Summary: - Comprehensive codebase architecture review completed - 107 PHP files analysed across Core\Api and Core\Website\Api namespaces - Identified critical dependency blocker: host-uk/core package not found - Documented all architectural patterns, security features, and test coverage - Cannot run tests/lint/analysis until dependency resolved Key Findings: - ✅ Excellent architecture: event-driven, two-namespace design - ✅ Comprehensive test coverage: ~6,500 lines across 11 feature test files - ✅ Strong security: bcrypt hashing, IP whitelisting, HMAC-SHA256 webhooks - ✅ Production-ready rate limiting: sliding window with burst allowance - ✅ Sophisticated OpenAPI documentation: 819-line builder with attributes - ❌ BLOCKER: composer install fails (missing host-uk/core dependency) Deliverables: - FINDINGS.md: 15-section comprehensive assessment report - TODO-PHASE1.md: Dependency resolution roadmap with 7 tasks Architecture Highlights: - Event-driven boot system ($listens array pattern) - Immutable result objects (RateLimitResult) - IP restriction service (IPv4/IPv6/CIDR support) - Webhook delivery with exponential backoff - OpenAPI attribute-based documentation Test Coverage (cannot execute): - ApiKeySecurityTest (14.8 KB) - bcrypt, rotation, scopes - WebhookDeliveryTest (24.9 KB) - HMAC signatures, retries - RateLimitingTest (28.6 KB) - tier-based, burst allowance - ApiScopeEnforcementTest (29.8 KB) - wildcards, inheritance - OpenApiDocumentationComprehensiveTest (41.3 KB) - spec generation Next Steps (Phase 1): 1. Resolve host-uk/core dependency (path repo/private registry) 2. Add require-dev dependencies (Pest, Pint, PHPStan) 3. Run test suite and establish baseline 4. Document lint/static analysis results 5. Proceed to Phase 2 improvements Co-Authored-By: Clotho <clotho@lthn.ai> |
||
|---|---|---|
| .gemini | ||
| .github | ||
| app | ||
| bootstrap | ||
| changelog/2026/jan | ||
| config | ||
| database | ||
| docs | ||
| public | ||
| resources | ||
| routes | ||
| src | ||
| storage | ||
| tests | ||
| .editorconfig | ||
| .env.example | ||
| .gitattributes | ||
| .gitignore | ||
| AGENTS.md | ||
| artisan | ||
| CLAUDE.md | ||
| cliff.toml | ||
| composer.json | ||
| FINDINGS.md | ||
| GEMINI.md | ||
| LICENSE | ||
| package.json | ||
| phpunit.xml | ||
| postcss.config.js | ||
| README.md | ||
| tailwind.config.js | ||
| TODO-PHASE1.md | ||
| TODO.md | ||
| vite.config.js | ||
Core API Package
REST API infrastructure with OpenAPI documentation, rate limiting, webhook signing, and secure API key management.
Installation
composer require host-uk/core-api
Features
OpenAPI/Swagger Documentation
Auto-generated API documentation with multiple UI options:
use Core\Mod\Api\Documentation\Attributes\{ApiTag, ApiResponse};
#[ApiTag('Products')]
#[ApiResponse(200, ProductResource::class)]
class ProductController extends Controller
{
public function index()
{
return ProductResource::collection(Product::paginate());
}
}
Access documentation:
GET /api/docs- Scalar UI (default)GET /api/docs/swagger- Swagger UIGET /api/docs/redoc- ReDocGET /api/docs/openapi.json- OpenAPI spec
Secure API Keys
Bcrypt hashing with backward compatibility:
use Core\Mod\Api\Models\ApiKey;
$key = ApiKey::create([
'name' => 'Production API',
'workspace_id' => $workspace->id,
'scopes' => ['read', 'write'],
]);
// Returns the plain key (shown only once)
$plainKey = $key->getPlainKey();
Features:
- Bcrypt hashing for new keys
- Legacy SHA-256 support
- Key rotation with grace periods
- Scope-based permissions
Rate Limiting
Granular rate limiting per endpoint:
use Core\Mod\Api\RateLimit\RateLimit;
#[RateLimit(limit: 100, window: 60, burst: 1.2)]
class ProductController extends Controller
{
// Limited to 100 requests per 60 seconds
// With 20% burst allowance
}
Features:
- Per-endpoint limits
- Workspace isolation
- Tier-based limits
- Standard headers:
X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset
Webhook Signing
HMAC-SHA256 signatures for outbound webhooks:
use Core\Mod\Api\Models\WebhookEndpoint;
$endpoint = WebhookEndpoint::create([
'url' => 'https://example.com/webhooks',
'events' => ['order.created', 'order.updated'],
'secret' => WebhookEndpoint::generateSecret(),
]);
Verification:
$signature = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
hash_equals($signature, $request->header('X-Webhook-Signature'));
Scope Enforcement
Fine-grained API permissions:
use Core\Mod\Api\Middleware\EnforceApiScope;
Route::middleware(['api', EnforceApiScope::class.':write'])
->post('/products', [ProductController::class, 'store']);
Configuration
// config/api.php (after php artisan vendor:publish --tag=api-config)
return [
'rate_limits' => [
'default' => 60,
'tiers' => [
'free' => 100,
'pro' => 1000,
'enterprise' => 10000,
],
],
'docs' => [
'enabled' => env('API_DOCS_ENABLED', true),
'require_auth' => env('API_DOCS_REQUIRE_AUTH', false),
],
];
API Guides
The package includes comprehensive guides:
- Authentication - API key creation and usage
- Quick Start - Getting started in 5 minutes
- Rate Limiting - Understanding limits and tiers
- Webhooks - Setting up and verifying webhooks
- Errors - Error codes and handling
Access at: /api/guides
Requirements
- PHP 8.2+
- Laravel 11+ or 12+
Changelog
See changelog/2026/jan/features.md for recent changes.
Security
See changelog/2026/jan/security.md for security updates.
License
EUPL-1.2 - See LICENSE for details.