docs: discovery scan — Feb 2026 (closes #3) #39

Merged
Charon merged 1 commit from feat/discovery-scan-issue-3 into main 2026-02-20 23:49:45 +00:00
Member

Summary

  • Automated discovery scan of the php-tenant module (issue #3)
  • Scanned all PHP source files, migrations, routes, tests, and documentation
  • Created 34 individual improvement issues (#5–#37) on forge.lthn.ai
  • Created roadmap tracking issue #38

What was found

New security finding

  • #9 — WorkspaceInvitation::findByToken loads up to 1000 records and runs bcrypt on each (O(n) timing attack surface)

Key bugs

  • #7/#8 — Hardcoded domain hub.host.uk.com in EntitlementApiController and WorkspaceController
  • #13 — UserStatsService has 5 unimplemented TODO stubs returning zeros/empty arrays
  • #28 — README.md uses incorrect namespace Core\Mod\Tenant (actual: Core\Tenant)

Performance gaps

  • #11 — Missing composite index on user_workspace(workspace_id, role)
  • #14 — N+1 query in NamespaceService::groupedForUser

Missing tests

  • #15 WorkspaceTeamService — zero coverage
  • #16 EntitlementWebhookService — no dispatch/circuit breaker tests
  • #29 WorkspaceController — no API tests
  • #30 NamespaceService — no tests

Full list in changelog/2026/feb/discovery-scan.md and issue #38.

Test plan

  • No code changes — this PR adds only a changelog document
  • Verify changelog/2026/feb/discovery-scan.md renders correctly

🤖 Generated with Claude Code
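Added example, not code from the php-tenant module or from this PR: a plain-PHP model of the lookup pattern that finding #9 describes, next to one common alternative that stores a keyed SHA-256 value of the token and fetches the row through an index. The `InvitationStore` class, its method names, the in-memory arrays and the `lookup` column are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for an invitations table; not the module's schema.
final class InvitationStore
{
    private array $rows = [];      // walked row by row in findByScan()
    private array $byLookup = [];  // stands in for a unique index on a lookup column
    public int $bcryptCalls = 0;

    public function __construct(private string $lookupKey) {}

    public function issue(): string
    {
        $token = bin2hex(random_bytes(32)); // 256-bit random token, 64 hex chars
        $row = [
            'id'         => count($this->rows) + 1,
            'token_hash' => password_hash($token, PASSWORD_BCRYPT, ['cost' => 4]), // low cost: demo only
            'lookup'     => hash_hmac('sha256', $token, $this->lookupKey),
        ];
        $this->rows[] = $row;
        $this->byLookup[$row['lookup']] = $row;
        return $token;
    }

    // Pattern from the finding: load candidates and bcrypt-verify each one.
    public function findByScan(string $token, int $limit = 1000): ?array
    {
        foreach (array_slice($this->rows, 0, $limit) as $row) {
            $this->bcryptCalls++;
            if (password_verify($token, $row['token_hash'])) {
                return $row;
            }
        }
        return null;
    }

    // Alternative: deterministic keyed hash of the token, one indexed fetch, no bcrypt.
    public function findByLookup(string $token): ?array
    {
        return $this->byLookup[hash_hmac('sha256', $token, $this->lookupKey)] ?? null;
    }
}

$store = new InvitationStore(random_bytes(32)); // constructed server-side key
for ($i = 0, $tokens = []; $i < 50; $i++) { $tokens[] = $store->issue(); }
$store->findByScan($tokens[49]);
echo "scan, token in last row: {$store->bcryptCalls} bcrypt calls\n";
$store->bcryptCalls = 0;
$store->findByScan(bin2hex(random_bytes(32)));
echo "scan, unknown token: {$store->bcryptCalls} bcrypt calls\n";
echo "indexed lookup found id " . $store->findByLookup($tokens[49])['id'] . " with no bcrypt call\n";
```

In the scan, the work per request depends on how many invitations exist and where the match sits, and an unknown token costs the full pass. A fast keyed hash is adequate here only because the token is long and random; bcrypt's slowness exists to protect low-entropy secrets.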

Clotho added 1 commit 2026-02-20 16:43:05 +00:00
docs: add February 2026 discovery scan changelog
Some checks are pending
CI / PHP 8.2 (pull_request) Waiting to run
CI / PHP 8.3 (pull_request) Waiting to run
CI / PHP 8.4 (pull_request) Waiting to run
CI / Assets (pull_request) Waiting to run
9a5f9d7a8e
Automated scan of all PHP source files, migrations, routes, tests, and
documentation. Created 34 individual issues and 1 roadmap tracking issue
(#5-#38) on forge.lthn.ai covering security, bugs, performance, tests,
refactors, and features.

Closes #3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Charon merged commit fe2df90a1a into main 2026-02-20 23:49:45 +00:00