# Core-PHP Code Review - January 2026 Comprehensive Opus-level code review of all Core/* modules. ## Summary | Severity | Count | Status | |----------|-------|--------| | Critical | 15 | All Fixed | | High | 52 | 51 Fixed | | Medium | 38 | All Fixed | | Low | 32 | All Fixed | --- ## Critical Issues Fixed ### Bouncer/BlocklistService.php - **Missing table existence check** - Added cached `tableExists()` check. ### Cdn/Services/StorageUrlResolver.php - **Weak token hashing** - Changed to HMAC-SHA256. ### Config/ConfigService.php - **SQL injection via LIKE wildcards** - Added wildcard escaping. ### Console/Boot.php - **References non-existent commands** - Commented out missing commands. ### Console/Commands/InstallCommand.php - **Regex injection** - Added `preg_quote()`. ### Input/Sanitiser.php - **Nested arrays become null** - Implemented recursive filtering. ### Mail/EmailShieldStat.php - **Race condition** - Changed to atomic `insertOrIgnore()` + `increment()`. ### ModuleScanner.php - **Duplicate code** - Removed duplicate. - **Missing namespaces** - Added Website and Plug namespace handling. ### Search/Unified.php - **Missing class_exists check** - Added guard. ### Seo/Schema.php, SchemaBuilderService.php, SeoMetadata.php - **XSS vulnerability** - Added `JSON_HEX_TAG` flag. ### Storage/CacheResilienceProvider.php - **Hardcoded phpredis** - Added Predis support with fallback. --- ## High Severity Issues Fixed ### Bouncer (3/3) - BlocklistService auto-block workflow with pending/approved/rejected status - TeapotController rate limiting with configurable max attempts - HoneypotHit configurable severity levels ### Cdn (4/5) - BunnyStorageService retry logic with exponential backoff - BunnyStorageService file size validation - BunnyCdnService API key redaction in errors - StorageUrlResolver configurable signed URL expiry - *Remaining: Integration tests* ### Config (4/4) - ConfigService value type validation - ConfigResolver max recursion depth - Cache invalidation strategy documented ### Console (3/3) - InstallCommand credential masking - InstallCommand rollback on failure - Created MakeModCommand, MakePlugCommand, MakeWebsiteCommand ### Crypt (3/3) - LthnHash multi-key rotation support - LthnHash MEDIUM_LENGTH and LONG_LENGTH options - QuasiHash security documentation ### Events (3/3) - Event prioritization via array syntax - EventAuditLog for replay/audit logging - Dead letter queue via recordFailure() ### Front (3/3) - AdminMenuProvider permission checks - Menu item caching with configurable TTL - DynamicMenuProvider interface ### Headers (3/3) - CSP configurable, unsafe-inline only in dev - Permissions-Policy header with 19 feature controls - Environment-specific header configuration ### Input (3/3) - Schema-based per-field filter rules - Unicode NFC normalisation - Audit logging with PSR-3 logger ### Lang (3/3) - LangServiceProvider auto-discovery - Fallback locale chain support - Translation key validation ### Mail (3/3) - Disposable domain auto-update - MX lookup caching - Data retention cleanup command ### Media (4/4) - Local abstracts to remove Core\Mod\Social dependency - Memory limit checks before image processing - HEIC/AVIF format support ### Search (3/3) - Configurable API endpoints - Search result caching - Wildcard DoS protection ### Seo (3/3) - Schema validation against schema.org - Sitemap generation (already existed) ### Service (2/2) - ServiceVersion with semver and deprecation - HealthCheckable interface and HealthCheckResult ### Storage (3/3) - RedisFallbackActivated event - CacheWarmer with registration system - Configurable exception throwing --- ## Medium Severity Issues Fixed - Bouncer pagination for large blocklists - CDN URL building consistency, content-type detection, health check - Config soft deletes, sensitive value encryption, ConfigProvider interface - Console progress bar, --dry-run option - Crypt fast hash with xxHash, benchmark method - Events PHPDoc annotations, event versioning - Front icon validation, menu priority constants - Headers nonce-based CSP, configuration UI - Input HTML subset for rich text, max length enforcement - Lang pluralisation rules, ICU message format - Mail async validation, email normalisation - Media queued conversions, EXIF stripping, progressive JPEG - Search scoring tuning, fuzzy search, analytics tracking - SEO lazy schema loading, OG image validation, canonical conflict detection - Service dependency declaration, discovery mechanism - Storage circuit breaker, metrics collection --- ## Low Severity Issues Fixed - Bouncer unit tests, configuration documentation - CDN PHPDoc return types, CdnUrlBuilder extraction - Config import/export, versioning for rollback - Console autocompletion, colorized output - Crypt algorithm documentation, constant-time comparison docs - Events listener profiling, flow diagrams - Front fluent menu builder, menu grouping - Headers testing utilities, CSP documentation - Input filter presets, transformation hooks - Lang translation coverage reporting, translation memory - Mail validation caching, disposable domain documentation - Media progress reporting, lazy thumbnail generation - Search suggestions/autocomplete, result highlighting - SEO score trend tracking, structured data testing - Service registration validation, lifecycle documentation - Storage hit rate monitoring, multi-tier caching --- *Review performed by: Claude Opus 4.5 code review agents* *Implementation: Claude Opus 4.5 fix agents (9 batches)*