discovery: scan php-tenant and create improvement issues #3
Reference: core/php-tenant#3
Objective
Scan this module thoroughly and auto-create issues for everything that needs work.
Process
Creating Issues
For EACH finding, create an issue on forge.lthn.ai:
Issue types:
test: add tests for {Class/Method} — missing test coverage
fix: {description} — bugs or broken functionality
refactor: {description} — code quality improvements
security: {description} — security concerns (always label review)
docs: {description} — documentation gaps
chore: {description} — dependency updates, config fixes
Label ALL created issues with discovery. Label security/architectural concerns with review.
Also create ONE summary issue titled roadmap: php-tenant production readiness with a checklist of everything needed.
Branch
Work from dev branch. This is a READ-ONLY scan - create issues, do not modify code.
Discovery Scan Complete
Automated scan completed on 2026-02-20. Here is a summary of findings.
Already Resolved (Jan 2026)
All P1 security items and several P2 items were fixed in January 2026:
New Issues Created
Security:
WorkspaceInvitation::findByToken — O(n) timing attack (loads 1000 records + bcrypt checks each)
Bugs / Fixes:
hub.host.uk.com in EntitlementApiController
hub.host.uk.com in WorkspaceController (store + switch)
namespaces.workspace_id uses nullOnDelete — orphaned namespaces on workspace delete
feature_code in usage_alert_history not FK-constrained to features table
(Core\Mod\Tenant vs Core\Tenant)
Performance:
user_workspace(workspace_id, role)
NamespaceService::groupedForUser (1 query per workspace)
Refactors:
Missing Tests:
Features:
Chores:
host-uk/core away from dev-main
Documentation:
Roadmap
#38 — roadmap: php-tenant production readiness — full prioritised checklist of all open items.
Total issues created: 34 individual + 1 roadmap = 35 issues
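Mitigation for the findByToken finding above, as an added example that is not php-tenant's code: persist a SHA-256 digest of the invitation token in a unique-indexed column and look it up by equality, so lookup cost no longer scales with the number of invitations and no per-row bcrypt work leaks timing. The class name, the in-memory array standing in for the table, and the token_hash column are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for the WorkspaceInvitation table (not php-tenant code).
// Rows are keyed by token_hash, which plays the role of a unique-indexed column.
// With the pattern the finding describes, every invitation is loaded and
// password_verify() runs against each bcrypt hash: cost grows with row count
// and response time reveals how far the scan got. Storing a SHA-256 digest
// of the token instead turns the lookup into a single indexed equality match.
final class InvitationTokenStore
{
    /** @var array<string, array{id:int, email:string, expires_at:int}> */
    private array $rowsByTokenHash = [];

    // Issue an invitation: hand the raw token to the caller exactly once and
    // persist only its digest. 32 random bytes gives a 256-bit token, so the
    // digest needs no salt; precomputing it is as hard as guessing the token.
    public function issue(int $id, string $email, int $ttlSeconds): string
    {
        $rawToken = bin2hex(random_bytes(32));
        $this->rowsByTokenHash[self::digest($rawToken)] = [
            'id' => $id,
            'email' => $email,
            'expires_at' => time() + $ttlSeconds,
        ];
        return $rawToken;
    }

    // O(1) lookup regardless of table size. In Eloquent this would be
    // WorkspaceInvitation::where('token_hash', self::digest($rawToken))->first()
    // against a column with a unique index (assumed schema, not the module's).
    public function findByToken(string $rawToken): ?array
    {
        $row = $this->rowsByTokenHash[self::digest($rawToken)] ?? null;
        if ($row === null || $row['expires_at'] <= time()) {
            return null; // unknown and expired tokens get the same answer
        }
        return $row;
    }

    private static function digest(string $rawToken): string
    {
        return hash('sha256', $rawToken);
    }
}

// Self-check: a valid token resolves, a random token of the same shape does not.
$store = new InvitationTokenStore();
$token = $store->issue(1, 'alice@example.test', 3600);
if (($store->findByToken($token)['id'] ?? null) !== 1) { throw new RuntimeException('lookup failed'); }
if ($store->findByToken(bin2hex(random_bytes(32))) !== null) { throw new RuntimeException('false match'); }
echo "ok\n";
```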
Second Pass — 4 additional issues
A background deep scan found 4 more items not captured in the initial report:
entitlement_features.parent_feature_id uses nullOnDelete — child features silently orphaned when parent deleted
entitlement_webhook_deliveries ((webhook_id, resend_at), status)
EntitlementService::recordUsage() — concurrent requests can exceed usage limits (no DB locking)
Total: 38 individual improvement issues + roadmap #38.