From 9a5f9d7a8e960407c117cb01a9dcabe71d325210 Mon Sep 17 00:00:00 2001
From: Clotho
Date: Fri, 20 Feb 2026 16:42:24 +0000
Subject: [PATCH] docs: add February 2026 discovery scan changelog

Automated scan of all PHP source files, migrations, routes, tests, and
documentation. Created 34 individual issues and 1 roadmap tracking issue
(#5-#38) on forge.lthn.ai covering security, bugs, performance, tests,
refactors, and features.

Closes #3

Co-Authored-By: Claude Sonnet 4.6
---
 changelog/2026/feb/discovery-scan.md | 88 ++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 changelog/2026/feb/discovery-scan.md

diff --git a/changelog/2026/feb/discovery-scan.md b/changelog/2026/feb/discovery-scan.md
new file mode 100644
index 0000000..b363a37
--- /dev/null
+++ b/changelog/2026/feb/discovery-scan.md
@@ -0,0 +1,88 @@ +# Discovery Scan — February 2026 + +**Date:** 2026-02-20 +**Scanner:** Clotho (automated scan) +**Issue:** core/php-tenant#3 + +## Summary + +Automated scan of all PHP source files, migrations, routes, tests, and documentation. 34 issues created plus 1 roadmap tracking issue. + +## Issues Created + +### Security (P1-equivalent) + +| Issue | Description | +|-------|-------------| +| #9 | `WorkspaceInvitation::findByToken` O(n) timing attack (1000 bcrypt checks per request) | + +### Bug Fixes + +| Issue | Description | +|-------|-------------| +| #7 | Hardcoded domain `hub.host.uk.com` in `EntitlementApiController` | +| #8 | Hardcoded domain `hub.host.uk.com` in `WorkspaceController` (store + switch) | +| #10 | `namespaces.workspace_id` nullOnDelete may orphan namespaces on workspace deletion | +| #12 | `feature_code` in `usage_alert_history` lacks referential integrity | +| #13 | `UserStatsService` has 5 unimplemented TODO stubs (quotas always return 0/empty) | +| #28 | README.md shows incorrect namespace `Core\Mod\Tenant` (should be `Core\Tenant`) | + +### Performance + +| Issue | Description | +|-------|-------------| +| #11 | Missing composite index on `user_workspace(workspace_id, role)` | +| #14 | N+1 query in `NamespaceService::groupedForUser` | + +### Refactors + +| Issue | Description | +|-------|-------------| +| #5 | Clarify `WorkspaceScope` vs `BelongsToWorkspace` architecture | +| #6 | `User` model has undefined external class relationships | +| #18 | Missing return type hints on `Workspace` model relationships | +| #19 | `EntitlementException` needs hierarchy of subtypes | +| #20 | Inconsistent API error response format across controllers | +| #24 | `WorkspaceMember` role strings should be a PHP 8.1 enum | + +### Missing Tests + +| Issue | Description | +|-------|-------------| +| #15 | `WorkspaceTeamService` — zero test coverage | +| #16 | `EntitlementWebhookService` — no tests for dispatch, circuit breaker, SSRF | +| #17 | 
`TotpService` edge cases (clock drift, malformed secrets) | +| #29 | `WorkspaceController` API endpoints | +| #30 | `NamespaceService` | +| #34 | Mutation testing with Infection PHP | + +### Features / Enhancements + +| Issue | Description | +|-------|-------------| +| #21 | Lazy-load `Workspace` relationships (30+ defined) | +| #22 | Soft deletes for `WorkspaceInvitation` | +| #23 | Invitation resend with rate limiting | +| #25 | Configurable invitation expiry (currently hardcoded 7 days) | +| #35 | Workspace ownership transfer | +| #36 | Bulk workspace invitation | +| #37 | Workspace activity audit log | + +### Chores + +| Issue | Description | +|-------|-------------| +| #26 | Add PHPStan/Larastan to dev dependencies | +| #27 | Pin `host-uk/core` to stable version (currently `dev-main`) | +| #31 | IDE helper annotations for Eloquent models | +| #32 | Artisan command for manual package provisioning | + +### Documentation + +| Issue | Description | +|-------|-------------| +| #33 | OpenAPI/Swagger documentation for all API endpoints | + +## Roadmap + +#38 — `roadmap: php-tenant production readiness` contains the full prioritised checklist.
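Review bot: The Summary line "34 issues created plus 1 roadmap tracking issue" does not match the tables in this file, which list 33 individual issues across the eight categories (#5 through #37) plus the roadmap issue #38, i.e. 34 in total, which is exactly the range #5-#38 the commit message quotes; either one issue is missing from the tables or the Summary and the commit message should read "33 issues created plus 1 roadmap tracking issue". Separately, the Security section lists only #9, while #16 (no tests for dispatch, circuit breaker, or SSRF handling in `EntitlementWebhookService`) sits under Missing Tests with no cross-reference; untested SSRF handling in an outbound webhook dispatcher is a security exposure as much as a coverage gap, so consider cross-referencing #16 from the Security section so the P1 list reflects it.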