Snider
bdba302441
docs(changelog): add completed P2 items for January 2026
...
CI / PHP 8.2 / Laravel 11.* (push) Waiting to run
CI / PHP 8.3 / Laravel 11.* (push) Waiting to run
CI / PHP 8.4 / Laravel 11.* (push) Waiting to run
CI / PHP 8.3 / Laravel 12.* (push) Waiting to run
CI / PHP 8.4 / Laravel 12.* (push) Waiting to run
Track completed improvements:
- P2-058 to P2-061: Migration fix, webhook timing, API key exposure, payload validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 19:52:32 +00:00
Snider
cb41d3fae6
fix(P2-058): complete migration column alignment with models
...
- VersionRelease: add storage fields, file counters, timestamps
- UpstreamTodo: add branch_name, assigned_to, started_at
- DiffCache: add new_content, lines_added/removed, metadata casts
- AnalysisLog: use version_release_id and error_message
- Asset: add slug, name, licence fields, install details
- AssetVersion: add changelog, breaking_changes, paths
- Webhook tables: fix foreign key to uptelligence_vendors
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 18:05:38 +00:00
Snider
6f71edd14e
fix(security): address P2 security items and migration mismatch
...
P2-058: Migration Mismatch
- Created new migration for vendor tracking tables (000004)
- Added explicit $table property to all models with uptelligence_ prefix
- Clarified dual-purpose nature (uptime monitoring + vendor tracking)
- Added appropriate indexes for common query patterns
P2-059: Webhook Signature Timing Attack Audit
- Verified all signature verification uses hash_equals()
- Added comprehensive tests in WebhookSignatureVerificationTest.php
- Tests cover all providers, grace periods, edge cases
P2-060: API Key Exposure in Logs
- Added redactSensitiveData() to AIAnalyzerService
- Added redactSensitiveData() to IssueGeneratorService
- Added redactSensitiveData() to VendorUpdateCheckerService
- Redacts API keys, tokens, bearer tokens, auth headers
P2-061: Missing Webhook Payload Validation
- Added MAX_PAYLOAD_SIZE (1MB) and MAX_JSON_DEPTH (32) limits
- Added validatePayloadSize() for DoS protection
- Added parseAndValidateJson() with depth limit
- Added validatePayloadStructure() for provider-specific validation
- Added hasExcessiveArraySize() to prevent memory exhaustion
- Added tests in WebhookPayloadValidationTest.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 13:29:26 +00:00
Snider
ef8a40829f
security: fix shell injection in AssetTrackerService
...
- Add package name validation with strict regex patterns
- Convert all Process::run() calls to array syntax
- Support Composer and NPM package name formats
- Add comprehensive shell injection tests (20 attack patterns)
- Update security docs and changelog
Fixes P2 shell injection vulnerability from security audit.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 12:21:07 +00:00
Snider
256e0c38b7
docs: rewrite CLAUDE.md for core-uptelligence package
...
Replace generic Core PHP Framework boilerplate with package-specific
documentation covering the vendor tracking module's architecture,
services, and commands.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 14:14:53 +00:00
Snider
6c17c39c97
refactor: update Tenant namespace imports to Core\Tenant
...
Align with core-tenant namespace structure.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 17:42:11 +00:00
Snider
e0d2325a20
refactor: move namespace from Core\Uptelligence to Core\Mod\Uptelligence
...
Aligns module namespace with Core PHP Framework conventions where
modules live under the Core\Mod\ namespace hierarchy. This follows
the monorepo separation work started in 40d893a
2026-01-27 16:32:55 +00:00
Snider
40d893af44
monorepo sepration
2026-01-26 23:56:46 +00:00
Snider
737e705755
Initial commit
2026-01-26 23:25:24 +00:00
