core/php-mcp
8
0
Fork 0
Code Issues 31 Pull requests Projects Releases Packages Wiki Activity Actions 3

roadmap: php-mcp production readiness #34

New issue
Open
opened 2026-02-21 01:03:59 +00:00 by Clotho · 0 comments
Clotho commented 2026-02-21 01:03:59 +00:00
Member
Copy link

php-mcp Production Readiness Roadmap

This is the master checklist for bringing host-uk/core-mcp to production readiness. All items were identified by automated discovery scan (issue #2).

🧪 Test Coverage (Critical Gaps)

  • #4test: add tests for ToolRegistry service
  • #5test: add tests for AuditLogService (security-critical)
  • #6test: add tests for CircuitBreaker service
  • #7test: add tests for DataRedactor service (security-critical)
  • #8test: add tests for McpHealthService
  • #9test: add tests for McpMetricsService
  • #10test: add tests for McpWebhookDispatcher
  • #11test: add tests for OpenApiGenerator
  • #12test: add tests for ToolRateLimiter (security-critical)
  • #13test: add tests for AgentSessionService
  • #14test: add tests for AgentToolRegistry
  • #15test: add integration tests for QueryDatabase tool

🔒 Security (Must-Fix Before Production)

  • #22chore: add CI/CD security regression tests
  • #27security: add monitoring and alerting for suspicious query patterns
  • #28security: review ContentTools for injection and data exposure risks (review required)
  • #29security: review commerce tools for payment data exposure (review required)

🔧 Refactoring (Code Quality)

  • #16refactor: extract SQL parser from regex to AST-based validation (architectural)
  • #17refactor: standardise tool responses with ToolResult DTO
  • #18refactor: fix PHPStan level 5 type errors across services
  • #19refactor: extract McpToolsRegistering tool registration from McpAgentServerCommand

📦 Infrastructure / Chores

  • #20chore: create missing ToolRegistry YAML server definition files (blocks ToolRegistry usage)
  • #21chore: add PHPStan and static analysis to dev dependencies
  • #31chore: add query result streaming for large result sets

🚀 Features

  • #23feat: add query template system
  • #24feat: add schema exploration tools (ListTables, DescribeTable, ListIndexes)
  • #25feat: add data export tool (CSV, JSON)
  • #26feat: add query result caching
  • #32feat: add query history tracking per workspace
  • #33feat: add data validation tool for database quality checks

📝 Documentation

  • #30docs: add inline documentation for ContentTools and commerce tools

Current State Summary

Category Count Status
Services 18 ~5 fully tested, 13 untested
Tools 10+ Only QueryDatabase well-tested
Models 8 No model-level tests
Middleware 5 2 partially tested
Security layers 6 Core layers tested, monitoring missing
Test files 9 Good coverage for core services
YAML configs 0 Missing (blocks ToolRegistry)
Static analysis None PHPStan not installed
CI security checks None No automated security regression

Priority Order

  1. P1 (Blocker): #20 (missing YAML configs), #28 (ContentTools security review), #29 (Commerce security review)
  2. P2 (Pre-production): #5, #7, #12 (security service tests), #22 (CI security tests), #27 (anomaly detection)
  3. P3 (Quality): #4, #6, #8-#15 (remaining tests), #16-#19 (refactors), #21 (PHPStan)
  4. P4 (Features): #23-#26, #31-#33 (new capabilities)

Generated by discovery scan on 2026-02-21. See issue #2 for the full scan process.

## php-mcp Production Readiness Roadmap This is the master checklist for bringing `host-uk/core-mcp` to production readiness. All items were identified by automated discovery scan (issue #2). --- ## 🧪 Test Coverage (Critical Gaps) - [ ] #4 — `test: add tests for ToolRegistry service` - [ ] #5 — `test: add tests for AuditLogService` *(security-critical)* - [ ] #6 — `test: add tests for CircuitBreaker service` - [ ] #7 — `test: add tests for DataRedactor service` *(security-critical)* - [ ] #8 — `test: add tests for McpHealthService` - [ ] #9 — `test: add tests for McpMetricsService` - [ ] #10 — `test: add tests for McpWebhookDispatcher` - [ ] #11 — `test: add tests for OpenApiGenerator` - [ ] #12 — `test: add tests for ToolRateLimiter` *(security-critical)* - [ ] #13 — `test: add tests for AgentSessionService` - [ ] #14 — `test: add tests for AgentToolRegistry` - [ ] #15 — `test: add integration tests for QueryDatabase tool` --- ## 🔒 Security (Must-Fix Before Production) - [ ] #22 — `chore: add CI/CD security regression tests` - [ ] #27 — `security: add monitoring and alerting for suspicious query patterns` - [ ] #28 — `security: review ContentTools for injection and data exposure risks` *(review required)* - [ ] #29 — `security: review commerce tools for payment data exposure` *(review required)* --- ## 🔧 Refactoring (Code Quality) - [ ] #16 — `refactor: extract SQL parser from regex to AST-based validation` *(architectural)* - [ ] #17 — `refactor: standardise tool responses with ToolResult DTO` - [ ] #18 — `refactor: fix PHPStan level 5 type errors across services` - [ ] #19 — `refactor: extract McpToolsRegistering tool registration from McpAgentServerCommand` --- ## 📦 Infrastructure / Chores - [ ] #20 — `chore: create missing ToolRegistry YAML server definition files` *(blocks ToolRegistry usage)* - [ ] #21 — `chore: add PHPStan and static analysis to dev dependencies` - [ ] #31 — `chore: add query result streaming for large result sets` --- ## 🚀 Features - [ ] #23 — `feat: add query template system` - [ ] #24 — `feat: add schema exploration tools (ListTables, DescribeTable, ListIndexes)` - [ ] #25 — `feat: add data export tool (CSV, JSON)` - [ ] #26 — `feat: add query result caching` - [ ] #32 — `feat: add query history tracking per workspace` - [ ] #33 — `feat: add data validation tool for database quality checks` --- ## 📝 Documentation - [ ] #30 — `docs: add inline documentation for ContentTools and commerce tools` --- ## Current State Summary | Category | Count | Status | |----------|-------|--------| | Services | 18 | ~5 fully tested, 13 untested | | Tools | 10+ | Only QueryDatabase well-tested | | Models | 8 | No model-level tests | | Middleware | 5 | 2 partially tested | | Security layers | 6 | Core layers tested, monitoring missing | | Test files | 9 | Good coverage for core services | | YAML configs | 0 | Missing (blocks ToolRegistry) | | Static analysis | None | PHPStan not installed | | CI security checks | None | No automated security regression | ## Priority Order 1. **P1 (Blocker):** #20 (missing YAML configs), #28 (ContentTools security review), #29 (Commerce security review) 2. **P2 (Pre-production):** #5, #7, #12 (security service tests), #22 (CI security tests), #27 (anomaly detection) 3. **P3 (Quality):** #4, #6, #8-#15 (remaining tests), #16-#19 (refactors), #21 (PHPStan) 4. **P4 (Features):** #23-#26, #31-#33 (new capabilities) --- *Generated by discovery scan on 2026-02-21. See issue #2 for the full scan process.*
Clotho added the
review
discovery
 labels 2026-02-21 01:03:59 +00:00
Snider added the
clotho
 label 2026-02-21 01:23:16 +00:00
Charon added the
agent-ready
 label 2026-02-21 01:30:08 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/issue-2-discovery-scan
feat/phase-0-assessment
dev
No results found.
Labels
Clear labels   
P1

Priority 1 - Critical

  
P2

Priority 2 - Important

  
P3

Priority 3 - Nice to have

  
PHP

PHP codebase

  
agent-ready

   
bug

Bug fix

  
clotho

Assigned to Clotho AI agent

  
discovery

Auto-discovered by agent

  
docs

Documentation

  
refactor

Code quality refactoring

  
review

Needs human review

  
security

Security hardening

  
testing

Test coverage

  
athena

Assign to Athena AI agent (M3 Ultra)

  
athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  
audit

Code audit task

  
clotho

Assign to Clotho AI agent for processing

  
clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  
codex

Dispatch to Codex CLI on gateway for analysis

  
darbs-claude

Dispatch to Claude on darbs (AU)

  
security

Security review task

  
wiki

Documentation/wiki update

No labels
P1
P2
P3
PHP
agent-ready
bug
clotho
discovery
docs
refactor
review
security
testing
athena
athena-gemini
audit
clotho
clotho-gemini
codex
darbs-claude
security
wiki
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: core/php-mcp#34
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?