[audit] Security, API safety, missing tests, error handling #1

Open
opened 2026-03-22 16:41:28 +00:00 by Virgil · 2 comments
Member

Full audit:

  1. Security: API key exposure, OAuth token handling, webhook validation, input sanitisation
  2. Rate limiting: proper backoff, quota tracking, retry logic
  3. Missing tests: provider actions without Pest coverage
  4. Error handling: swallowed API errors, missing HTTP status checks, timeout handling
  5. UK English: American spellings in code/comments
  6. Coding standards: strict_types, type hints, Action pattern, SPDX headers

Report all findings with severity and file:line. Do NOT fix.
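Audit items 2 and 4 (backoff, retry logic, swallowed errors, missing HTTP status checks, timeouts) describe one defensive pattern: classify each response, retry only what is retryable, and surface the rest. The following is an added illustration in the project's language, not code from php-plug-social; the `Attempt` class, `withRetry()` signature and the scripted transport are assumptions made for the example, and a real transport would be a curl call with `CURLOPT_TIMEOUT` set so that a hung socket becomes a status-0 attempt rather than a hang.

```php
<?php
declare(strict_types=1);

/**
 * Outcome of one transport attempt. $status is the HTTP status code, or 0 when
 * the request did not complete at all (timeout, DNS or connection failure).
 * Hypothetical type for this example.
 */
final class Attempt
{
    public function __construct(
        public readonly int $status,
        public readonly string $body = '',
        public readonly ?int $retryAfterSeconds = null,
    ) {}
}

/**
 * Call $transport up to $maxAttempts times. Retries only on transport failure,
 * HTTP 429 and 5xx; honours Retry-After when the server sent one, otherwise
 * sleeps with exponential backoff and full jitter. Any other non-2xx status is
 * thrown immediately so the caller can never mistake it for success.
 * $sleep and $rand are injectable so the policy can be exercised without waiting.
 */
function withRetry(
    callable $transport,
    int $maxAttempts = 4,
    int $baseDelayMs = 200,
    int $maxDelayMs = 8_000,
    ?callable $sleep = null,
    ?callable $rand = null,
): string {
    if ($maxAttempts < 1) {
        throw new InvalidArgumentException('maxAttempts must be at least 1');
    }
    $sleep ??= static fn (int $ms) => usleep($ms * 1000);
    $rand ??= static fn (int $min, int $max): int => random_int($min, $max);

    for ($n = 1; $n <= $maxAttempts; $n++) {
        /** @var Attempt $a */
        $a = $transport();
        if ($a->status >= 200 && $a->status < 300) {
            return $a->body;
        }
        $retryable = $a->status === 0 || $a->status === 429 || $a->status >= 500;
        if (!$retryable) {
            // 4xx other than 429 will not improve on retry: report it, never swallow it.
            throw new RuntimeException("request failed with HTTP {$a->status}: {$a->body}");
        }
        if ($n === $maxAttempts) {
            break;
        }
        // Exponential backoff capped at $maxDelayMs, with full jitter to avoid
        // synchronised retry storms from many workers.
        $cap = min($maxDelayMs, $baseDelayMs * (2 ** ($n - 1)));
        $delay = $a->retryAfterSeconds !== null ? $a->retryAfterSeconds * 1000 : $rand(0, $cap);
        $sleep($delay);
    }
    throw new RuntimeException("giving up after {$maxAttempts} attempts (last HTTP status {$a->status})");
}

// Constructed transport script: a timeout, then a 429 asking for 1 s, then success.
$script = [new Attempt(0), new Attempt(429, '', 1), new Attempt(200, '{"ok":true}')];
$delays = [];
$body = withRetry(
    static function () use (&$script): Attempt { return array_shift($script); },
    sleep: static function (int $ms) use (&$delays): void { $delays[] = $ms; },
    rand: static fn (int $min, int $max): int => $max, // deterministic: worst-case jitter
);
echo $body, ' after delays (ms): ', implode(', ', $delays), PHP_EOL;
```

The two audit smells this guards against are visible in the control flow: there is no branch that returns normally on a non-2xx status, and a quota response (429) is distinguished from a transient server fault so that quota tracking can key off it.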

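For audit item 1, "webhook validation" and "input sanitisation" come down to one check: the raw request body must be authenticated with a constant-time HMAC comparison and a replay window before anything in it is trusted. This is an added example, not code from php-plug-social; the header layout (`t=<unix time>,v1=<hex hmac>` over `"<t>.<body>"`) and the `WebhookVerifier` class are assumptions chosen for illustration rather than any provider's documented scheme.

```php
<?php
declare(strict_types=1);

/**
 * Verifies a webhook delivery against an HMAC-SHA256 signature header.
 * Assumed layout: header "t=<unix timestamp>,v1=<hex hmac>", where the HMAC
 * covers "<timestamp>.<raw body>". Hypothetical class for this example.
 */
final class WebhookVerifier
{
    public function __construct(
        private readonly string $secret,
        private readonly int $toleranceSeconds = 300,
    ) {}

    public function verify(string $rawBody, string $signatureHeader, ?int $now = null): bool
    {
        $now ??= time();

        // Parse the header defensively: unknown keys are ignored, missing or
        // malformed required keys fail closed.
        $parts = [];
        foreach (explode(',', $signatureHeader) as $pair) {
            [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
            $parts[trim($k)] = trim($v);
        }
        if (!isset($parts['t'], $parts['v1']) || preg_match('/^\d{1,12}$/', $parts['t']) !== 1) {
            return false;
        }

        // Reject stale or future-dated deliveries to bound replay.
        $timestamp = (int) $parts['t'];
        if (abs($now - $timestamp) > $this->toleranceSeconds) {
            return false;
        }

        // hash_equals compares in constant time, so a wrong signature does not
        // leak how many leading bytes matched.
        $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $this->secret);
        return hash_equals($expected, $parts['v1']);
    }
}

// Constructed sample delivery signed with the shared secret.
$secret = 'constructed-shared-secret';
$body   = '{"event":"post.published","id":"42"}';
$ts     = 1_700_000_000;
$header = 't=' . $ts . ',v1=' . hash_hmac('sha256', $ts . '.' . $body, $secret);

$verifier = new WebhookVerifier($secret);
var_dump($verifier->verify($body, $header, $ts + 10));        // genuine delivery, 10 s later
var_dump($verifier->verify($body . ' ', $header, $ts + 10));  // body altered in transit
var_dump($verifier->verify($body, $header, $ts + 3600));      // same delivery replayed an hour later
var_dump($verifier->verify($body, 'v1=deadbeef', $ts));       // malformed header, no timestamp
```

Verify against the bytes actually received (`file_get_contents('php://input')` in a plain PHP handler), not against a re-encoded copy of the decoded JSON, since any whitespace or key-order difference changes the HMAC.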
Author
Member

Codex Audit Findings

CRITICAL (1)

  1. TikTok upload not to spec — does one multipart PUT but TikTok requires raw binary with Content-Range and sequential chunks (Post.php:69)

HIGH (2)

  1. Single-photo Meta posts never published — upload forced unpublished, publish() returns success without creating feed post (Media.php:57, Post.php:61)
  2. Meta Facebook page token handoff broken — list API returns access_token but post publishing reads different key (Pages.php:46, Post.php:34)
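The CRITICAL finding above turns on the upload shape: raw binary chunks, each with a `Content-Range` header, sent in order, with the status of every chunk checked before the next one goes out. The following is an added illustration of that shape and is not php-plug-social's code; the upload URL, the 4 KiB chunk size, the acceptance of any 2xx status and the `fakeChunkServer()` stand-in are assumptions for the example, not TikTok's documented contract, which the finding does not reproduce.

```php
<?php
declare(strict_types=1);

/**
 * Upload $data as sequential raw chunks, each with a Content-Range header,
 * failing fast on the first non-2xx response. Returns the number of chunks sent.
 *
 * $send is a transport callable: fn(string $url, array $headers, string $body): int
 * returning the HTTP status. A real transport would also set a request timeout
 * so a stalled chunk surfaces as an error instead of hanging the worker.
 */
function uploadInChunks(string $uploadUrl, string $data, int $chunkSize, callable $send): int
{
    if ($chunkSize <= 0) {
        throw new InvalidArgumentException('chunk size must be positive');
    }
    $total  = strlen($data);
    $offset = 0;
    $sent   = 0;
    while ($offset < $total) {
        $chunk = substr($data, $offset, $chunkSize);   // last chunk may be shorter
        $end   = $offset + strlen($chunk) - 1;
        $headers = [
            'Content-Type: application/octet-stream',    // raw bytes, not multipart
            sprintf('Content-Range: bytes %d-%d/%d', $offset, $end, $total),
            'Content-Length: ' . strlen($chunk),
        ];
        $status = $send($uploadUrl, $headers, $chunk);
        if ($status < 200 || $status >= 300) {
            throw new RuntimeException(sprintf('chunk %d-%d rejected with HTTP %d', $offset, $end, $status));
        }
        $offset = $end + 1;
        $sent++;
    }
    return $sent;
}

/**
 * Constructed in-memory server standing in for the real endpoint so the example
 * runs offline. It accepts chunks only in order and only when the declared range
 * matches the body, which is exactly what a one-shot multipart PUT would fail.
 */
function fakeChunkServer(int $expectedTotal, string &$received): callable
{
    return function (string $url, array $headers, string $body) use ($expectedTotal, &$received): int {
        foreach ($headers as $h) {
            if (preg_match('#^Content-Range: bytes (\d+)-(\d+)/(\d+)$#', $h, $m) === 1) {
                [$start, $end, $total] = [(int) $m[1], (int) $m[2], (int) $m[3]];
                if ($total !== $expectedTotal || $start !== strlen($received) || $end - $start + 1 !== strlen($body)) {
                    return 416; // Range Not Satisfiable: out of order or mis-sized
                }
                $received .= $body;
                return 201;
            }
        }
        return 400; // no Content-Range header at all
    };
}

$payload  = random_bytes(10_000);   // constructed stand-in for a video file
$received = '';
$chunks   = uploadInChunks(
    'https://upload.example.invalid/video',   // placeholder URL
    $payload,
    4_096,
    fakeChunkServer(strlen($payload), $received),
);
echo 'chunks sent: ', $chunks, ', reassembled intact: ', var_export($received === $payload, true), PHP_EOL;
```

Pointing `uploadInChunks()` at a transport that ignores the range and sends everything in one multipart body, as the finding describes, makes the fake server answer 416 on the first call, which is the failure the audit wants surfaced rather than swallowed.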
Author
Member

API Contract Extraction

Full provider API contracts extracted for all providers. Example — YouTube:

| Class | Methods |
|---|---|
| Auth | construct, identifier, name, getAuthUrl, requestAccessToken, refresh, getAccount |
| Post | publish (title, tags, category_id, privacy_status, made_for_kids, publish_at), externalPostUrl, externalAccountUrl |
| Read | get, me, list (limit, page_token) |
| Delete | delete |
| Comment | comment |

Config: clientId, clientSecret, redirectUrl. OAuth 2.0 auth code with offline access.

Full tables for Twitter, Meta, LinkedIn, Pinterest, Reddit, TikTok, VK, YouTube in agent log.

Reference: core/php-plug-social#1