php-framework/changelog/2026/jan/code-review.md

# Core-PHP Code Review - January 2026

Comprehensive Opus-level code review of all Core/* modules.

## Summary

| Severity | Count | Status |
|----------|-------|--------|
| Critical | 15 | All Fixed |
| High | 52 | 51 Fixed |
| Medium | 38 | All Fixed |
| Low | 32 | All Fixed |

---

## Critical Issues Fixed

### Bouncer/BlocklistService.php
- **Missing table existence check** - Added cached `tableExists()` check.

### Cdn/Services/StorageUrlResolver.php
- **Weak token hashing** - Changed to HMAC-SHA256.

### Config/ConfigService.php
- **SQL injection via LIKE wildcards** - Added wildcard escaping.

### Console/Boot.php
- **References non-existent commands** - Commented out missing commands.

### Console/Commands/InstallCommand.php
- **Regex injection** - Added `preg_quote()`.

### Input/Sanitiser.php
- **Nested arrays become null** - Implemented recursive filtering.

### Mail/EmailShieldStat.php
- **Race condition** - Changed to atomic `insertOrIgnore()` + `increment()`.

### ModuleScanner.php
- **Duplicate code** - Removed duplicate.
- **Missing namespaces** - Added Website and Plug namespace handling.

### Search/Unified.php
- **Missing class_exists check** - Added guard.

### Seo/Schema.php, SchemaBuilderService.php, SeoMetadata.php
- **XSS vulnerability** - Added `JSON_HEX_TAG` flag.

### Storage/CacheResilienceProvider.php
- **Hardcoded phpredis** - Added Predis support with fallback.

---

## High Severity Issues Fixed

### Bouncer (3/3)
- BlocklistService auto-block workflow with pending/approved/rejected status
- TeapotController rate limiting with configurable max attempts
- HoneypotHit configurable severity levels

### Cdn (4/5)
- BunnyStorageService retry logic with exponential backoff
- BunnyStorageService file size validation
- BunnyCdnService API key redaction in errors
- StorageUrlResolver configurable signed URL expiry
- *Remaining: Integration tests*

### Config (4/4)
- ConfigService value type validation
- ConfigResolver max recursion depth
- Cache invalidation strategy documented

### Console (3/3)
- InstallCommand credential masking
- InstallCommand rollback on failure
- Created MakeModCommand, MakePlugCommand, MakeWebsiteCommand

### Crypt (3/3)
- LthnHash multi-key rotation support
- LthnHash MEDIUM_LENGTH and LONG_LENGTH options
- QuasiHash security documentation

### Events (3/3)
- Event prioritization via array syntax
- EventAuditLog for replay/audit logging
- Dead letter queue via recordFailure()

### Front (3/3)
- AdminMenuProvider permission checks
- Menu item caching with configurable TTL
- DynamicMenuProvider interface

### Headers (3/3)
- CSP configurable, unsafe-inline only in dev
- Permissions-Policy header with 19 feature controls
- Environment-specific header configuration

### Input (3/3)
- Schema-based per-field filter rules
- Unicode NFC normalisation
- Audit logging with PSR-3 logger

### Lang (3/3)
- LangServiceProvider auto-discovery
- Fallback locale chain support
- Translation key validation

### Mail (3/3)
- Disposable domain auto-update
- MX lookup caching
- Data retention cleanup command

### Media (4/4)
- Local abstracts to remove Core\Mod\Social dependency
- Memory limit checks before image processing
- HEIC/AVIF format support

### Search (3/3)
- Configurable API endpoints
- Search result caching
- Wildcard DoS protection

### Seo (3/3)
- Schema validation against schema.org
- Sitemap generation (already existed)

### Service (2/2)
- ServiceVersion with semver and deprecation
- HealthCheckable interface and HealthCheckResult

### Storage (3/3)
- RedisFallbackActivated event
- CacheWarmer with registration system
- Configurable exception throwing

---

## Medium Severity Issues Fixed

- Bouncer pagination for large blocklists
- CDN URL building consistency, content-type detection, health check
- Config soft deletes, sensitive value encryption, ConfigProvider interface
- Console progress bar, --dry-run option
- Crypt fast hash with xxHash, benchmark method
- Events PHPDoc annotations, event versioning
- Front icon validation, menu priority constants
- Headers nonce-based CSP, configuration UI
- Input HTML subset for rich text, max length enforcement
- Lang pluralisation rules, ICU message format
- Mail async validation, email normalisation
- Media queued conversions, EXIF stripping, progressive JPEG
- Search scoring tuning, fuzzy search, analytics tracking
- SEO lazy schema loading, OG image validation, canonical conflict detection
- Service dependency declaration, discovery mechanism
- Storage circuit breaker, metrics collection

---

## Low Severity Issues Fixed

- Bouncer unit tests, configuration documentation
- CDN PHPDoc return types, CdnUrlBuilder extraction
- Config import/export, versioning for rollback
- Console autocompletion, colorized output
- Crypt algorithm documentation, constant-time comparison docs
- Events listener profiling, flow diagrams
- Front fluent menu builder, menu grouping
- Headers testing utilities, CSP documentation
- Input filter presets, transformation hooks
- Lang translation coverage reporting, translation memory
- Mail validation caching, disposable domain documentation
- Media progress reporting, lazy thumbnail generation
- Search suggestions/autocomplete, result highlighting
- SEO score trend tracking, structured data testing
- Service registration validation, lifecycle documentation
- Storage hit rate monitoring, multi-tier caching

---

*Review performed by: Claude Opus 4.5 code review agents*
*Implementation: Claude Opus 4.5 fix agents (9 batches)*
refactor: update references from 'biolink' to 'page' and improve seeder structure 2026-01-26 14:24:25 +00:00			`# Core-PHP Code Review - January 2026`

			`Comprehensive Opus-level code review of all Core/* modules.`

			`## Summary`

			`\| Severity \| Count \| Status \|`
			`\|----------\|-------\|--------\|`
			`\| Critical \| 15 \| All Fixed \|`
			`\| High \| 52 \| 51 Fixed \|`
			`\| Medium \| 38 \| All Fixed \|`
			`\| Low \| 32 \| All Fixed \|`

			`---`

			`## Critical Issues Fixed`

			`### Bouncer/BlocklistService.php`
			- Missing table existence check - Added cached `tableExists()` check.

			`### Cdn/Services/StorageUrlResolver.php`
			`- Weak token hashing - Changed to HMAC-SHA256.`

			`### Config/ConfigService.php`
			`- SQL injection via LIKE wildcards - Added wildcard escaping.`

			`### Console/Boot.php`
			`- References non-existent commands - Commented out missing commands.`

			`### Console/Commands/InstallCommand.php`
			- Regex injection - Added `preg_quote()`.

			`### Input/Sanitiser.php`
			`- Nested arrays become null - Implemented recursive filtering.`

			`### Mail/EmailShieldStat.php`
			- Race condition - Changed to atomic `insertOrIgnore()` + `increment()`.

			`### ModuleScanner.php`
			`- Duplicate code - Removed duplicate.`
			`- Missing namespaces - Added Website and Plug namespace handling.`

			`### Search/Unified.php`
			`- Missing class_exists check - Added guard.`

			`### Seo/Schema.php, SchemaBuilderService.php, SeoMetadata.php`
			- XSS vulnerability - Added `JSON_HEX_TAG` flag.

			`### Storage/CacheResilienceProvider.php`
			`- Hardcoded phpredis - Added Predis support with fallback.`

			`---`

			`## High Severity Issues Fixed`

			`### Bouncer (3/3)`
			`- BlocklistService auto-block workflow with pending/approved/rejected status`
			`- TeapotController rate limiting with configurable max attempts`
			`- HoneypotHit configurable severity levels`

			`### Cdn (4/5)`
			`- BunnyStorageService retry logic with exponential backoff`
			`- BunnyStorageService file size validation`
			`- BunnyCdnService API key redaction in errors`
			`- StorageUrlResolver configurable signed URL expiry`
			`- Remaining: Integration tests`

			`### Config (4/4)`
			`- ConfigService value type validation`
			`- ConfigResolver max recursion depth`
			`- Cache invalidation strategy documented`

			`### Console (3/3)`
			`- InstallCommand credential masking`
			`- InstallCommand rollback on failure`
			`- Created MakeModCommand, MakePlugCommand, MakeWebsiteCommand`

			`### Crypt (3/3)`
			`- LthnHash multi-key rotation support`
			`- LthnHash MEDIUM_LENGTH and LONG_LENGTH options`
			`- QuasiHash security documentation`

			`### Events (3/3)`
			`- Event prioritization via array syntax`
			`- EventAuditLog for replay/audit logging`
			`- Dead letter queue via recordFailure()`

			`### Front (3/3)`
			`- AdminMenuProvider permission checks`
			`- Menu item caching with configurable TTL`
			`- DynamicMenuProvider interface`

			`### Headers (3/3)`
			`- CSP configurable, unsafe-inline only in dev`
			`- Permissions-Policy header with 19 feature controls`
			`- Environment-specific header configuration`

			`### Input (3/3)`
			`- Schema-based per-field filter rules`
			`- Unicode NFC normalisation`
			`- Audit logging with PSR-3 logger`

			`### Lang (3/3)`
			`- LangServiceProvider auto-discovery`
			`- Fallback locale chain support`
			`- Translation key validation`

			`### Mail (3/3)`
			`- Disposable domain auto-update`
			`- MX lookup caching`
			`- Data retention cleanup command`

			`### Media (4/4)`
			`- Local abstracts to remove Core\Mod\Social dependency`
			`- Memory limit checks before image processing`
			`- HEIC/AVIF format support`

			`### Search (3/3)`
			`- Configurable API endpoints`
			`- Search result caching`
			`- Wildcard DoS protection`

			`### Seo (3/3)`
			`- Schema validation against schema.org`
			`- Sitemap generation (already existed)`

			`### Service (2/2)`
			`- ServiceVersion with semver and deprecation`
			`- HealthCheckable interface and HealthCheckResult`

			`### Storage (3/3)`
			`- RedisFallbackActivated event`
			`- CacheWarmer with registration system`
			`- Configurable exception throwing`

			`---`

			`## Medium Severity Issues Fixed`

			`- Bouncer pagination for large blocklists`
			`- CDN URL building consistency, content-type detection, health check`
			`- Config soft deletes, sensitive value encryption, ConfigProvider interface`
			`- Console progress bar, --dry-run option`
			`- Crypt fast hash with xxHash, benchmark method`
			`- Events PHPDoc annotations, event versioning`
			`- Front icon validation, menu priority constants`
			`- Headers nonce-based CSP, configuration UI`
			`- Input HTML subset for rich text, max length enforcement`
			`- Lang pluralisation rules, ICU message format`
			`- Mail async validation, email normalisation`
			`- Media queued conversions, EXIF stripping, progressive JPEG`
			`- Search scoring tuning, fuzzy search, analytics tracking`
			`- SEO lazy schema loading, OG image validation, canonical conflict detection`
			`- Service dependency declaration, discovery mechanism`
			`- Storage circuit breaker, metrics collection`

			`---`

			`## Low Severity Issues Fixed`

			`- Bouncer unit tests, configuration documentation`
			`- CDN PHPDoc return types, CdnUrlBuilder extraction`
			`- Config import/export, versioning for rollback`
			`- Console autocompletion, colorized output`
			`- Crypt algorithm documentation, constant-time comparison docs`
			`- Events listener profiling, flow diagrams`
			`- Front fluent menu builder, menu grouping`
			`- Headers testing utilities, CSP documentation`
			`- Input filter presets, transformation hooks`
			`- Lang translation coverage reporting, translation memory`
			`- Mail validation caching, disposable domain documentation`
			`- Media progress reporting, lazy thumbnail generation`
			`- Search suggestions/autocomplete, result highlighting`
			`- SEO score trend tracking, structured data testing`
			`- Service registration validation, lifecycle documentation`
			`- Storage hit rate monitoring, multi-tier caching`

			`---`

			`Review performed by: Claude Opus 4.5 code review agents`
			`Implementation: Claude Opus 4.5 fix agents (9 batches)`