# TODO: Core PHP Framework Quality Improvement Plan **Repository**: core/php-framework **Branch**: dev **Assessment Date**: 2026-02-20 **Agent**: Clotho ## Executive Summary The framework is in **good baseline health**: - ✅ All 197 tests pass - ✅ Zero lint issues (Pint) - ✅ Zero static analysis errors (PHPStan Level 1) - ⚠️ Test coverage: 11.6% (63 test files / 542 PHP files) - ⚠️ PHPStan running at Level 1 (lowest) ## Phase 1: Fix Failing Tests **Status**: ✅ COMPLETE All 197 tests pass successfully: - 197 tests, 393 assertions - No failures, no errors - 1 PHPUnit warning (code coverage driver not available) **Action Items**: None required - all tests passing. --- ## Phase 2: Increase Coverage to 80%+ **Current Coverage**: 11.6% (63/542 files) **Target Coverage**: 80% (434 files need tests) **Priority**: High ### Phase 2A: Critical Business Packages (Priority 1) These packages are business-critical and require immediate test coverage: #### 2A.1 CDN Package (20 files, 0% coverage) **Impact**: Infrastructure for asset delivery **Files**: - \`src/Core/Cdn/Services/BunnyCdnService.php\` - \`src/Core/Cdn/Services/FluxCdnService.php\` - \`src/Core/Cdn/Services/StorageOffload.php\` - \`src/Core/Cdn/Console/\` (4 commands) - \`src/Core/Cdn/Middleware/\` (2 middleware) **Test Types Needed**: - Unit tests for services - Integration tests for storage offload - Feature tests for console commands - HTTP tests for middleware **Estimated Effort**: 40 hours **Files to Create**: \`src/Core/Cdn/Tests/Feature/\`, \`src/Core/Cdn/Tests/Unit/\` --- #### 2A.2 Config System (36 files, 3% coverage) **Impact**: Core configuration management **Current**: 1 test file for 36 files **Files**: - \`src/Core/Config/Services/ConfigService.php\` - \`src/Core/Config/Services/ConfigResolver.php\` - \`src/Core/Config/Models/\` (4 models) - \`src/Core/Config/Console/\` (8 commands) **Test Types Needed**: - Unit tests for ConfigService and ConfigResolver - Model tests for ConfigKey, ConfigValue, ConfigProfile, ConfigVersion - Feature tests for console commands - Integration tests for config resolution **Estimated Effort**: 60 hours **Files to Create**: Expand \`src/Core/Config/Tests/\` --- #### 2A.3 Media/Image Processing (23 files, 0% coverage) **Impact**: Content handling and user uploads **Files**: - \`src/Core/Media/Image/ImageOptimizer.php\` - \`src/Core/Media/Conversion/\` (5 files) - \`src/Core/Media/Thumbnail/\` (4 files) - \`src/Core/Media/Temp/\` (2 files) **Test Types Needed**: - Unit tests for image optimisation - Integration tests for conversion pipeline - Feature tests for thumbnail generation - Unit tests for temporary file handling **Estimated Effort**: 45 hours **Files to Create**: \`src/Core/Media/Tests/Feature/\`, \`src/Core/Media/Tests/Unit/\` --- #### 2A.4 SEO System (19 files, 0% coverage) **Impact**: Business visibility and search rankings **Files**: - \`src/Core/Seo/OgImage/\` (4 files) - \`src/Core/Seo/Schema/\` (5 files) - \`src/Core/Seo/Sitemap/\` (3 files) **Test Types Needed**: - Unit tests for OG image generation - Unit tests for schema validation - Integration tests for sitemap generation - HTTP tests for controllers **Estimated Effort**: 35 hours **Files to Create**: \`src/Core/Seo/Tests/Feature/\`, \`src/Core/Seo/Tests/Unit/\` --- #### 2A.5 Storage/Caching (9 files, 0% coverage) **Impact**: Performance and reliability **Files**: - \`src/Core/Storage/Cache/ResilientRedisStore.php\` - \`src/Core/Storage/Cache/TieredCache.php\` - \`src/Core/Storage/CircuitBreaker/\` (3 files) **Test Types Needed**: - Unit tests for resilient Redis store - Integration tests for tiered caching - Unit tests for circuit breaker pattern - Performance tests for cache warming **Estimated Effort**: 30 hours **Files to Create**: \`src/Core/Storage/Tests/Feature/\`, \`src/Core/Storage/Tests/Unit/\` --- ### Phase 2B: Infrastructure Packages (Priority 2) #### 2B.1 Activity Logging (8 files, 0% coverage) **Impact**: Audit trail and compliance **Estimated Effort**: 15 hours #### 2B.2 Helpers (16 files, 0% coverage) **Impact**: Widely used utility functions **Estimated Effort**: 25 hours #### 2B.3 Search (7 files, 0% coverage) **Impact**: User-facing functionality **Estimated Effort**: 15 hours #### 2B.4 Language/Translation (15 files, 0% coverage) **Impact**: i18n support **Estimated Effort**: 20 hours #### 2B.5 Events System (16 files, 0% coverage) **Impact**: Core lifecycle events **Estimated Effort**: 25 hours --- ### Phase 2C: Supporting Components (Priority 3) #### 2C.1 Headers/Security (11 files, 0% coverage) **Estimated Effort**: 18 hours #### 2C.2 Console Commands (7 files, 0% coverage) **Estimated Effort**: 12 hours #### 2C.3 Database/Seeders (7 files, 0% coverage) **Estimated Effort**: 12 hours #### 2C.4 Mail System (5 files, 0% coverage) **Estimated Effort**: 10 hours #### 2C.5 Validation Rules (2 files, 0% coverage) **Estimated Effort**: 5 hours #### 2C.6 Encryption/Crypt (2 files, 0% coverage) **Estimated Effort**: 5 hours --- ### Phase 2D: Improve Existing Coverage #### 2D.1 Bouncer (14 files, 21% coverage) **Current**: 3 test files **Target**: 11 more test files **Estimated Effort**: 20 hours #### 2D.2 Front Package (266 files, 0.4% coverage) **Note**: Many are Blade components that may not need unit tests **Strategy**: Focus on feature tests for key flows **Estimated Effort**: 40 hours (selective testing) #### 2D.3 Input (2 files, 50% coverage) **Current**: 1 test file **Target**: 1 more test file **Estimated Effort**: 2 hours #### 2D.4 Service (9 files, 33% coverage) **Current**: 3 test files **Target**: 6 more test files **Estimated Effort**: 12 hours --- ### Phase 2 Summary **Total Estimated Effort**: 446 hours (~11 weeks at 40 hrs/week) **Recommended Approach**: 1. Start with Phase 2A (critical packages) - 210 hours 2. Move to Phase 2B (infrastructure) - 100 hours 3. Complete Phase 2C (supporting) - 62 hours 4. Finish with Phase 2D (improve existing) - 74 hours **Success Metrics**: - Achieve 80%+ test coverage - All critical business logic covered - Integration tests for key workflows - Performance tests for caching/optimisation --- ## Phase 3: Fix All PHPStan Errors **Current Level**: 1 (lowest) **Current Errors**: 0 **Target Level**: 6+ (recommended for production) **Priority**: Medium ### Phase 3A: Gradually Increase PHPStan Level #### 3A.1 Run PHPStan at Level 2 **Action**: Update \`phpstan.neon\` to \`level: 2\` and fix errors **Estimated Errors**: 50-100 (typical for level increase) **Estimated Effort**: 10 hours #### 3A.2 Run PHPStan at Level 3 **Action**: Update to \`level: 3\` and fix errors **Estimated Errors**: 30-60 **Estimated Effort**: 8 hours #### 3A.3 Run PHPStan at Level 4 **Action**: Update to \`level: 4\` and fix errors **Estimated Errors**: 20-40 **Estimated Effort**: 8 hours #### 3A.4 Run PHPStan at Level 5 **Action**: Update to \`level: 5\` and fix errors **Estimated Errors**: 15-30 **Estimated Effort**: 10 hours #### 3A.5 Run PHPStan at Level 6+ **Action**: Update to \`level: 6\` or higher and fix errors **Estimated Errors**: 10-25 **Estimated Effort**: 12 hours --- ### Phase 3B: Remove Ignored Error Categories **Current Ignored Errors**: \`\`\` - '#Unsafe usage of new static#' - '#env\\(\\).*outside of the config directory#' - identifier: larastan.noEnvCallsOutsideOfConfig - identifier: trait.unused - identifier: class.notFound - identifier: function.deprecated - identifier: method.notFound \`\`\` **Action Items**: 1. Review each ignored category 2. Fix underlying issues 3. Remove from ignore list 4. Re-enable strict checking **Estimated Effort**: 15 hours --- ### Phase 3C: Remove Excluded Paths **Current Excluded Paths**: \`\`\` - src/Core/Activity - src/Core/Config/Tests - src/Core/Input/Tests - src/Core/Tests - src/Core/Bouncer/Tests - src/Core/Bouncer/Gate/Tests - src/Core/Service/Tests - src/Core/Front/Tests - src/Mod/Trees \`\`\` **Action**: Remove exclusions and fix errors in excluded paths **Estimated Effort**: 10 hours --- ### Phase 3 Summary **Total Estimated Effort**: 73 hours (~2 weeks) **Recommended Approach**: 1. Complete Phase 2A (critical test coverage) first 2. Incrementally increase PHPStan levels 3. Fix errors at each level before proceeding 4. Remove ignored categories and exclusions last **Success Metrics**: - PHPStan Level 6+ with zero errors - No ignored error categories - No excluded paths - Strict type checking enabled --- ## Phase 4: Security Review **Priority**: High **Prerequisites**: Phase 2A complete (critical packages tested) ### Phase 4A: Input Validation & Sanitisation #### 4A.1 Review Input Handling **Files to Review**: - \`src/Core/Input/Sanitiser.php\` ✅ (has tests) - All controllers and form requests - API endpoints **Security Checks**: - XSS prevention - SQL injection prevention - Command injection prevention - Path traversal prevention - Mass assignment protection **Estimated Effort**: 20 hours --- #### 4A.2 Review File Upload Handling **Files to Review**: - \`src/Core/Media/\` (all file handling) - Upload controllers - Storage configuration **Security Checks**: - File type validation - File size limits - Malicious file detection - Storage path security - CDN upload security **Estimated Effort**: 15 hours --- ### Phase 4B: Authentication & Authorisation #### 4B.1 Review Bouncer/Gate System **Files to Review**: - \`src/Core/Bouncer/\` (all files) - \`src/Core/Bouncer/Gate/\` (all files) **Security Checks**: - Authorisation logic correctness - Privilege escalation prevention - Session security - CSRF protection **Estimated Effort**: 15 hours --- #### 4B.2 Review Authentication Flows **Files to Review**: - Login controllers - Password reset flows - API authentication **Security Checks**: - Brute force protection - Password strength requirements - Token expiration - Multi-factor authentication support **Estimated Effort**: 10 hours --- ### Phase 4C: Data Security #### 4C.1 Review Encryption **Files to Review**: - \`src/Core/Crypt/\` (all files) - Any encrypted data storage **Security Checks**: - Encryption algorithm strength - Key management - Secure random generation - No hardcoded secrets **Estimated Effort**: 8 hours --- #### 4C.2 Review Data Exposure **Files to Review**: - API responses - Error messages - Log files - Debug output **Security Checks**: - No sensitive data in logs - No stack traces in production - API response sanitisation - Database query obfuscation **Estimated Effort**: 12 hours --- ### Phase 4D: Infrastructure Security #### 4D.1 Review Headers & CORS **Files to Review**: - \`src/Core/Headers/\` (all files) - CORS middleware - CSP configuration **Security Checks**: - Security headers present - CSP properly configured - CORS restrictions - XSS protection headers **Estimated Effort**: 8 hours --- #### 4D.2 Review CDN Security **Files to Review**: - \`src/Core/Cdn/\` (all files) **Security Checks**: - Signed URLs for private assets - Token validation - Rate limiting - Hotlink protection **Estimated Effort**: 10 hours --- ### Phase 4E: Dependency Security #### 4E.1 Review Composer Dependencies **Action**: Run \`composer audit\` and review **Files**: \`composer.json\`, \`composer.lock\` **Security Checks**: - Known vulnerabilities in dependencies - Outdated packages - Security advisories - Roave security-advisories integration ✅ (already present) **Estimated Effort**: 5 hours --- #### 4E.2 Update Vulnerable Dependencies **Action**: Update packages with known vulnerabilities **Estimated Effort**: 10 hours --- ### Phase 4 Summary **Total Estimated Effort**: 113 hours (~3 weeks) **Recommended Approach**: 1. Start with Phase 4A (input validation) - critical 2. Move to Phase 4B (auth/authz) - high priority 3. Complete Phase 4C (data security) 4. Review Phase 4D (infrastructure) 5. Finish with Phase 4E (dependencies) **Success Metrics**: - All inputs validated and sanitised - No authorisation bypasses - Encryption properly implemented - Security headers configured - Zero high-severity vulnerabilities - Security audit report created --- ## Phase 5: Performance Optimisation (Future) **Priority**: Low **Prerequisites**: Phases 1-4 complete ### Potential Areas: - Cache optimisation (already has resilient Redis) - Query optimisation - Asset optimisation - CDN configuration tuning - Database indexing review **Estimated Effort**: TBD (requires profiling first) --- ## Appendix: Reference Implementation The **Trees Module** (\`src/Mod/Trees/\`) serves as an excellent reference for test implementation: - **Coverage**: 47% (9 tests for 19 files) - **Test Types**: Feature tests, API tests, queue tests, integration tests - **Pattern**: Co-located tests in \`Tests/Feature/\` directory - **Quality**: Well-structured, comprehensive assertions **Recommendation**: Use Trees module as template when implementing tests for Core packages. --- ## Summary Timeline | Phase | Effort | Duration | Priority | |-------|--------|----------|----------| | Phase 1 | 0 hrs | ✅ Complete | High | | Phase 2A | 210 hrs | 5-6 weeks | High | | Phase 2B | 100 hrs | 2-3 weeks | Medium | | Phase 2C | 62 hrs | 1-2 weeks | Medium | | Phase 2D | 74 hrs | 2 weeks | Low | | Phase 3 | 73 hrs | 2 weeks | Medium | | Phase 4 | 113 hrs | 3 weeks | High | | **Total** | **632 hrs** | **~16 weeks** | - | **Recommended Execution Order**: 1. Phase 2A (Critical coverage) - 6 weeks 2. Phase 4A-4B (Critical security) - 2 weeks 3. Phase 3 (PHPStan improvements) - 2 weeks 4. Phase 2B-2D (Complete coverage) - 5 weeks 5. Phase 4C-4E (Complete security) - 1 week **Total Realistic Timeline**: ~16 weeks (4 months) with one full-time developer.