discovery: scan php-tenant and create improvement issues #3

Closed
opened 2026-02-20 01:51:38 +00:00 by Clotho · 2 comments
Member

Objective

Scan this module thoroughly and auto-create issues for everything that needs work.

Process

  1. Read CLAUDE.md and TODO.md if they exist
  2. Scan all source files - look for:
    • Missing tests (files in src/ without corresponding test)
    • TODO/FIXME/HACK comments in code
    • Missing type hints or return types
    • Empty methods or stub implementations
    • Missing error handling
    • Missing or outdated documentation
    • Security concerns (SQL injection, XSS, mass assignment)
    • Dead code or unused imports
    • Missing migrations or seeders
    • Config files that need environment variables
  3. Check composer.json for:
    • Outdated dependencies
    • Missing dev dependencies (testing, analysis tools)
    • Autoload paths correctness
  4. Check tests/ for:
    • Test coverage gaps
    • Missing edge case tests
    • Tests that are skipped or incomplete

Creating Issues

For EACH finding, create an issue on forge.lthn.ai:

```bash
curl -sf -X POST \
  -H "Authorization: token $FORGE_TOKEN_PROD" \
  -H "Content-Type: application/json" \
  "https://forge.lthn.ai/api/v1/repos/core/php-tenant/issues" \
  -d "{\"title\":\"type: description\",\"body\":\"details\",\"labels\":[44,43]}"
```

Issue types:

  • test: add tests for {Class/Method} — missing test coverage
  • fix: {description} — bugs or broken functionality
  • refactor: {description} — code quality improvements
  • security: {description} — security concerns (always label review)
  • docs: {description} — documentation gaps
  • chore: {description} — dependency updates, config fixes

Label ALL created issues with discovery. Label security/architectural concerns with review.

Also create ONE summary issue titled roadmap: php-tenant production readiness with a checklist of everything needed.

Branch

Work from dev branch. This is a READ-ONLY scan - create issues, do not modify code.

Clotho added the clotho, discovery labels 2026-02-20 01:51:38 +00:00
Snider added reference main 2026-02-20 01:57:30 +00:00
Charon added PHP, P3 and removed clotho, discovery labels 2026-02-20 12:17:16 +00:00
Author
Member

Discovery Scan Complete

Automated scan completed on 2026-02-20. Here is a summary of findings.


Already Resolved (Jan 2026)

All P1 security items and several P2 items were fixed in January 2026:

  • SEC-001 to SEC-006: Rate limiting, auth validation, 2FA encryption, invitation token hashing, SSRF protection, workspace ID validation
  • DX-001/DX-002: strict_types compliance, EntitlementService documentation
  • TEST-001/002: Namespace entitlements, API integration tests
  • PERF-001/002: Cache tag invalidation, database indexes

New Issues Created

Security:

| Issue | Title |
|-------|-------|
| #9 | `WorkspaceInvitation::findByToken` — O(n) timing attack (loads 1000 records + bcrypt checks each) |

Bugs / Fixes:

| Issue | Title |
|-------|-------|
| #7 | Hardcoded domain `hub.host.uk.com` in EntitlementApiController |
| #8 | Hardcoded domain `hub.host.uk.com` in WorkspaceController (store + switch) |
| #10 | `namespaces.workspace_id` uses `nullOnDelete` — orphaned namespaces on workspace delete |
| #12 | `feature_code` in `usage_alert_history` not FK-constrained to features table |
| #13 | 5 TODO stubs in UserStatsService — quotas/activity always return placeholder data |
| #28 | README.md examples use wrong namespace (`Core\Mod\Tenant` vs `Core\Tenant`) |

Performance:

| Issue | Title |
|-------|-------|
| #11 | Missing composite index on `user_workspace(workspace_id, role)` |
| #14 | N+1 query in `NamespaceService::groupedForUser` (1 query per workspace) |

Refactors:

| Issue | Title |
|-------|-------|
| #5 | Clarify WorkspaceScope vs BelongsToWorkspace architecture |
| #6 | User model has undefined external class relationships |
| #18 | Missing return type hints on Workspace model relationships |
| #19 | EntitlementException needs subtypes (LimitExceeded, PackageNotFound, etc.) |
| #20 | Inconsistent API error response format across controllers |
| #24 | WorkspaceMember role strings should be a PHP enum |

Missing Tests:

| Issue | Title |
|-------|-------|
| #15 | WorkspaceTeamService — zero test coverage |
| #16 | EntitlementWebhookService — no tests for dispatch, circuit breaker, SSRF |
| #17 | TotpService edge cases — clock drift, malformed secrets |
| #29 | WorkspaceController API endpoints — no tests |
| #30 | NamespaceService — no tests |
| #34 | Add mutation testing (Infection PHP) |

Features:

| Issue | Title |
|-------|-------|
| #21 | Lazy-load Workspace relationships (30+ defined, N+1 risk) |
| #22 | Soft deletes for WorkspaceInvitation (preserve audit trail) |
| #23 | Invitation resend with rate limiting |
| #25 | Configurable invitation expiry (hardcoded 7 days) |
| #35 | Workspace ownership transfer |
| #36 | Bulk workspace invitation |
| #37 | Workspace activity audit log |

Chores:

| Issue | Title |
|-------|-------|
| #26 | Add PHPStan/Larastan for static analysis |
| #27 | Pin `host-uk/core` away from `dev-main` |
| #31 | IDE helper annotations for Eloquent models |
| #32 | Artisan command for package provisioning |

Documentation:

| Issue | Title |
|-------|-------|
| #33 | OpenAPI/Swagger documentation for API endpoints |

Roadmap

#38 — `roadmap: php-tenant production readiness` — full prioritised checklist of all open items.


Total issues created: 34 individual + 1 roadmap = 35 issues

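Issue #9 above describes `findByToken` loading invitations and running bcrypt against each one. The following is an added example, not php-tenant's own code, of the indexed-lookup pattern that keeps the cost at one query regardless of how many invitations exist; the table name, the `token_hash` column and the hex token format are assumptions made for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not php-tenant's own code: invitation token lookup that costs
// one indexed query instead of loading every invitation and bcrypt-checking
// each. The table and column names are assumed for this demo.
final class InvitationTokenStore
{
    // Raw tokens are 32 random bytes, hex-encoded. Reject anything else before
    // touching the database.
    private const TOKEN_PATTERN = '/\A[0-9a-f]{64}\z/';

    public function __construct(private PDO $db) {}

    public static function generateToken(): string
    {
        return bin2hex(random_bytes(32));
    }
    // A 256-bit random token is not guessable, so a fast deterministic hash is
    // enough and, unlike bcrypt, yields a value that can be stored and indexed.
    public static function hashToken(string $token): string
    {
        return hash('sha256', $token);
    }
    public function create(int $workspaceId, string $token): void
    {
        $stmt = $this->db->prepare('INSERT INTO workspace_invitations (workspace_id, token_hash) VALUES (?, ?)');
        $stmt->execute([$workspaceId, self::hashToken($token)]);
    }
    public function findByToken(string $token): ?array
    {
        if (preg_match(self::TOKEN_PATTERN, $token) !== 1) {
            return null; // malformed input never reaches the database
        }
        $stmt = $this->db->prepare('SELECT id, workspace_id FROM workspace_invitations WHERE token_hash = ? LIMIT 1');
        $stmt->execute([self::hashToken($token)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Constructed in-memory schema and data for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE workspace_invitations (id INTEGER PRIMARY KEY, workspace_id INTEGER NOT NULL, token_hash TEXT NOT NULL UNIQUE)');
$store = new InvitationTokenStore($db);
$token = InvitationTokenStore::generateToken();
$store->create(7, $token);
var_dump($store->findByToken($token));          // the stored invitation
var_dump($store->findByToken(strrev($token)));  // well-formed but unknown token
var_dump($store->findByToken('not-a-token'));   // fails the format check
```

The UNIQUE constraint on `token_hash` gives the index the lookup relies on; the same pattern applies to any high-entropy bearer token, whereas bcrypt remains the right choice for low-entropy user passwords.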
Author
Member

Second Pass — 4 additional issues

A background deep scan found 4 more items not captured in the initial report:

| Issue | Description |
|-------|-------------|
| #40 | `entitlement_features.parent_feature_id` uses `nullOnDelete` — child features silently orphaned when parent deleted |
| #41 | Missing performance indexes on `entitlement_webhook_deliveries` (`(webhook_id, resend_at)`, `status`) |
| #42 | **Race condition** in `EntitlementService::recordUsage()` — concurrent requests can exceed usage limits (no DB locking) |
| #43 | Invitation token not validated for format before database lookup in web routes |

Total: 38 individual improvement issues + roadmap #38.

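For #42, an added example (not php-tenant's own code) that simulates the check-then-increment interleaving behind the race and shows an atomic UPDATE that cannot push usage past the limit; the `feature_usage` table, its columns and its single row are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not php-tenant's own code: why "check the limit, then
// increment" can exceed the limit under concurrent requests, and an atomic
// alternative. The feature_usage table and its row are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feature_usage (workspace_id INT, feature_code TEXT, used INT, limit_value INT)');
$db->exec("INSERT INTO feature_usage VALUES (1, 'api_calls', 9, 10)");
function usedFor(PDO $db): int
{
    return (int) $db->query("SELECT used FROM feature_usage WHERE workspace_id = 1 AND feature_code = 'api_calls'")->fetchColumn();
}

// Racy pattern: the check and the increment are separate statements, so two
// requests can both pass the check before either one increments.
function withinLimit(PDO $db): bool
{
    $row = $db->query("SELECT used, limit_value FROM feature_usage WHERE workspace_id = 1 AND feature_code = 'api_calls'")->fetch(PDO::FETCH_ASSOC);
    return (int) $row['used'] + 1 <= (int) $row['limit_value'];
}
function increment(PDO $db): void
{
    $db->exec("UPDATE feature_usage SET used = used + 1 WHERE workspace_id = 1 AND feature_code = 'api_calls'");
}

// Atomic pattern: the limit check lives in the UPDATE's WHERE clause, so the
// database evaluates it against the row's current value and the increment
// either happens or not; rowCount() reports which. SELECT ... FOR UPDATE in a
// transaction is the equivalent row-locking approach on MySQL/PostgreSQL.
function recordUsageAtomic(PDO $db, int $workspaceId, string $featureCode, int $amount): bool
{
    $stmt = $db->prepare('UPDATE feature_usage SET used = used + ? WHERE workspace_id = ? AND feature_code = ? AND used + ? <= limit_value');
    $stmt->execute([$amount, $workspaceId, $featureCode, $amount]);
    return $stmt->rowCount() === 1;
}

// Simulate two interleaved requests: both run the check while used is still 9.
$passA = withinLimit($db);
$passB = withinLimit($db);
if ($passA) { increment($db); }
if ($passB) { increment($db); }
echo 'racy: used=' . usedFor($db) . " of limit 10\n";
// Same two requests through the atomic version, starting again from 9.
$db->exec('UPDATE feature_usage SET used = 9');
$first = recordUsageAtomic($db, 1, 'api_calls', 1);
$second = recordUsageAtomic($db, 1, 'api_calls', 1);
echo 'atomic: first=' . var_export($first, true) . ' second=' . var_export($second, true) . ' used=' . usedFor($db) . "\n";
```

The atomic form also needs a negative-amount guard and a handler for the `false` return (the caller must surface a limit-exceeded error rather than proceed), which is where the EntitlementException subtypes from #19 would fit.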