Add route-level regex constraints to all token route parameters,
requiring exactly 64 alphanumeric characters. Malformed tokens
(path traversal attempts, overly long strings, special characters)
now receive a 404 at the routing layer before reaching controllers
or triggering database lookups.
Fixes #43
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

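
The routing-layer rejection described in the commit message above, as an added framework-free PHP sketch. It is not code from the project: the `/invite/{token}` path, the function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constraint stated in the commit message: exactly 64 alphanumeric characters.
const TOKEN_PATTERN = '[A-Za-z0-9]{64}';

// Hypothetical mini-router: turns a template plus per-parameter constraints
// into one anchored regex, so a bad parameter means "no route matched".
function compileRoute(string $template, array $constraints): string
{
    $parts = preg_split('/\{(\w+)\}/', $template, -1, PREG_SPLIT_DELIM_CAPTURE);
    $regex = '';
    foreach ($parts as $i => $part) {
        // Odd indexes are captured parameter names, even indexes literal text.
        $regex .= $i % 2 === 1
            ? '(?P<' . $part . '>' . ($constraints[$part] ?? '[^/]+') . ')'
            : preg_quote($part, '#');
    }
    // \A and \z anchor the whole path; unlike $, \z rejects a trailing newline.
    return '#\A' . $regex . '\z#';
}

function dispatch(string $path, array $routes): int
{
    foreach ($routes as [$template, $constraints, $handler]) {
        if (preg_match(compileRoute($template, $constraints), $path, $params) === 1) {
            $handler($params);
            return 200;
        }
    }
    return 404; // rejected before any controller or lookup runs
}

$lookups = 0; // stands in for database queries made by the controller
$routes = [['/invite/{token}', ['token' => TOKEN_PATTERN],
    function (array $params) use (&$lookups): void { $lookups++; }]];

$samples = [ // constructed inputs, one per malformed case the message lists
    'valid token'      => '/invite/' . str_repeat('aB3', 21) . 'x',
    'too long'         => '/invite/' . str_repeat('a', 65),
    'path traversal'   => '/invite/../../secret',
    'special chars'    => '/invite/' . str_repeat('a', 63) . ';',
    'trailing newline' => '/invite/' . str_repeat('a', 64) . "\n",
];
foreach ($samples as $label => $path) {
    $status = dispatch($path, $routes);
    printf("%-16s => %d (lookups: %d)\n", $label, $status, $lookups);
}
```

Only the first sample reaches the handler; the lookup counter stays at 1 for every malformed path.
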
Replace hardcoded 'hub.host.uk.com' with config('app.base_domain')
to match the existing pattern used in middleware and Blade views.
Fixes #7
Fixes #8
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The self-referential FK on entitlement_features.parent_feature_id used
nullOnDelete(), which orphaned child features when a parent was deleted.
Children that belong to a pool have no meaning without their parent, so
cascade deletion is the correct behaviour.
Adds a migration that drops and re-creates the FK with cascadeOnDelete().
Fixes #40
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add foreign key constraints from usage_alert_history.feature_code,
entitlement_boosts.feature_code, and entitlement_usage_records.feature_code
to entitlement_features.code to prevent orphaned records.
Uses cascadeOnUpdate (code renames propagate) and restrictOnDelete
(cannot delete a feature that has usage/alert/boost records).
Fixes #12
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Change namespaces.workspace_id FK from nullOnDelete to cascadeOnDelete
so that namespaces are properly cleaned up when their parent workspace
is deleted, instead of being orphaned with a null workspace_id.
Fixes #10
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>