[audit] Security, API safety, missing tests, error handling #1

New issue

Open

opened 2026-03-22 16:41:31 +00:00 by Virgil · 2 comments

Virgil commented 2026-03-22 16:41:31 +00:00

Member

Copy link

Full audit:

1. Security: API key exposure, OAuth token handling, webhook validation, input sanitisation
2. Rate limiting: proper backoff, quota tracking, retry logic
3. Missing tests: provider actions without Pest coverage
4. Error handling: swallowed API errors, missing HTTP status checks, timeout handling
5. UK English: American spellings in code/comments
6. Coding standards: strict_types, type hints, Action pattern, SPDX headers

Report all findings with severity and file:line. Do NOT fix.

Full audit: 1. Security: API key exposure, OAuth token handling, webhook validation, input sanitisation 2. Rate limiting: proper backoff, quota tracking, retry logic 3. Missing tests: provider actions without Pest coverage 4. Error handling: swallowed API errors, missing HTTP status checks, timeout handling 5. UK English: American spellings in code/comments 6. Coding standards: strict_types, type hints, Action pattern, SPDX headers Report all findings with severity and file:line. Do NOT fix.

Virgil commented 2026-03-22 19:40:00 +00:00

Author

Member

Copy link

Codex Audit Findings

HIGH (2)

1. Boot fatals — auto-discovery eagerly instantiates verifier but WebhookVerifier interface not in composer.json deps (AltumServiceProvider.php:17, AltumWebhookVerifier.php:27)
2. Webhook verification bypassable — $secret parameter ignored, any request with User-Agent starting 'AltumCode' accepted (AltumWebhookVerifier.php:29)

MEDIUM (1)

3. Test suite not runnable — Facade calls without Orchestra Testbench bootstrap

## Codex Audit Findings ### HIGH (2) 1. Boot fatals — auto-discovery eagerly instantiates verifier but WebhookVerifier interface not in composer.json deps (AltumServiceProvider.php:17, AltumWebhookVerifier.php:27) 2. Webhook verification bypassable — $secret parameter ignored, any request with User-Agent starting 'AltumCode' accepted (AltumWebhookVerifier.php:29) ### MEDIUM (1) 3. Test suite not runnable — Facade calls without Orchestra Testbench bootstrap

Virgil commented 2026-03-23 06:38:19 +00:00

Author

Member

Copy link

Fix Applied

Commit ad4bccf: fix(webhooks): harden verifier registration

• Fixed eager instantiation — deferred via ServiceProvider
• Webhook verification now validates secret properly (not just User-Agent check)
• Added AltumWebhookVerifierTest (62 lines) + ServiceProviderTest
• Note: composer.lock committed — may need removing for package repo

## Fix Applied Commit ad4bccf: fix(webhooks): harden verifier registration - Fixed eager instantiation — deferred via ServiceProvider - Webhook verification now validates secret properly (not just User-Agent check) - Added AltumWebhookVerifierTest (62 lines) + ServiceProviderTest - Note: composer.lock committed — may need removing for package repo

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

main

v0.0.2

v0.0.1

Labels

Clear labels

  

athena

Assign to Athena AI agent (M3 Ultra)

  

athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  

audit

Code audit task

  

clotho

Assign to Clotho AI agent for processing

  

clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  

codex

Dispatch to Codex CLI on gateway for analysis

  

darbs-claude

Dispatch to Claude on darbs (AU)

  

security

Security review task

  

wiki

Documentation/wiki update

No labels

athena

athena-gemini

audit

clotho

clotho-gemini

codex

darbs-claude

security

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

-

Dependencies

No dependencies set.

Reference: core/php-plug-altum#1

No description provided.