roadmap: php-tenant production readiness #38

Open
opened 2026-02-20 16:40:41 +00:00 by Clotho · 1 comment
Member

Overview

This is the production readiness tracker for core/php-tenant. Generated by an automated discovery scan (issue #3) on 2026-02-20.


Critical / Security (P1)

All P1 items resolved in January 2026:

  • SEC-001: Rate limiting on EntitlementApiController
  • SEC-002: API authentication validation on provisioning routes
  • SEC-003: Encrypt 2FA secrets at rest
  • SEC-004: Hash workspace invitation tokens
  • SEC-005: SSRF protection on webhook test endpoint
  • SEC-006: Workspace ID validation in RequireWorkspaceContext middleware

New P1 findings (from Feb 2026 scan):

  • #9 — WorkspaceInvitation::findByToken O(n) timing attack surface (loads 1000 records + bcrypt)

High Priority (P2)

Resolved in January 2026:

  • DX-001: declare(strict_types=1) in all PHP files
  • DX-002: Document EntitlementService public API
  • TEST-001: Namespace-level entitlement tests
  • TEST-002: EntitlementApiController integration tests
  • PERF-001: Cache invalidation with Redis tags
  • PERF-002: Database indexes for common queries

Open P2 items:

  • #5 — Clarify WorkspaceScope vs BelongsToWorkspace architecture
  • #6 — Consolidate User model external relationships
  • #7 — Remove hardcoded domain hub.host.uk.com from EntitlementApiController
  • #8 — Remove hardcoded domain hub.host.uk.com from WorkspaceController
  • #10 — namespaces.workspace_id cascade-on-delete decision
  • #11 — Composite index on user_workspace(workspace_id, role)
  • #12 — feature_code in usage_alert_history referential integrity
  • #13 — Complete stub implementations in UserStatsService (5 TODOs)
  • #14 — N+1 query in NamespaceService::groupedForUser

Medium Priority (P3)

  • #15 — Test: WorkspaceTeamService (all methods untested)
  • #16 — Test: EntitlementWebhookService (webhook dispatch, circuit breaker, SSRF)
  • #17 — Test: TotpService edge cases (clock drift, malformed secrets)
  • #18 — Return type hints on all Workspace model relationships
  • #19 — EntitlementException hierarchy (LimitExceeded, PackageNotFound, etc.)
  • #20 — Standardise API error response format
  • #21 — Lazy-load Workspace relationships (30+ defined)
  • #22 — Soft deletes for WorkspaceInvitation
  • #23 — Invitation resend functionality
  • #29 — Test: WorkspaceController API endpoints
  • #30 — Test: NamespaceService

Low Priority (P4)

  • #24 — WorkspaceMemberRole enum for type safety
  • #25 — Configurable workspace invitation expiry
  • #26 — Add PHPStan/Larastan to dev dependencies
  • #27 — Pin host-uk/core to stable version (currently dev-main)
  • #28 — Fix incorrect namespace in README.md examples
  • #31 — IDE helper annotations for Eloquent models
  • #32 — Artisan command for manual package provisioning
  • #34 — Mutation testing with Infection PHP (target >80% MSI)

Nice to Have (P5)

  • #33 — OpenAPI/Swagger documentation for all API endpoints
  • #35 — Workspace ownership transfer
  • #36 — Bulk workspace invitation (CSV/multi-email)
  • #37 — Workspace activity audit log

Backlog / Ideas (P6)

  • GraphQL API for entitlements
  • Real-time usage updates (WebSockets)
  • Entitlement simulation mode ("what if I upgrade")
  • Multi-region data residency support
  • Workspace templates

Summary Statistics

| Category | Total | Done | Open |
|----------|-------|------|------|
| Security (P1) | 7 | 6 | 1 |
| High (P2) | 15 | 6 | 9 |
| Medium (P3) | 11 | 0 | 11 |
| Low (P4) | 8 | 0 | 8 |
| Nice to Have (P5+) | 5+ | 0 | 5+ |

Total open items: ~34

Generated by Clotho automated scan — issue #3, 2026-02-20

Clotho added the review and discovery labels 2026-02-20 16:40:41 +00:00
Author
Member

Update — additional issues found (second pass)

Four additional issues were identified during a background analysis pass:

| Issue | Priority | Description |
|-------|----------|-------------|
| #40 | P2 | entitlement_features.parent_feature_id nullOnDelete silently orphans child features (breaks EntitlementService hierarchical pooling) |
| #41 | P3 | Missing indexes on entitlement_webhook_deliveries — (webhook_id, resend_at) and status |
| #42 | P1/P2 | Race condition in EntitlementService usage recording — concurrent requests can exceed limits |
| #43 | P3 | Invitation token not validated before DB lookup in web routes |

#42 (race condition) is particularly important as usage limits can be exceeded under concurrent load — promoted to P2.

Updated total: 38 individual issues + 1 roadmap = 39 issues

Clotho was assigned by Charon 2026-02-20 23:46:46 +00:00
Charon added the agent-ready label 2026-02-21 01:31:49 +00:00