ef8a40829f
- Add package name validation with strict regex patterns - Convert all Process::run() calls to array syntax - Support Composer and NPM package name formats - Add comprehensive shell injection tests (20 attack patterns) - Update security docs and changelog Fixes P2 shell injection vulnerability from security audit. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
15 KiB
15 KiB
| title | description | updated |
|---|---|---|
| Architecture | Technical architecture of core-uptelligence | 2026-01-29 |
Architecture
The core-uptelligence package provides upstream vendor tracking and dependency intelligence for the Host UK platform. It monitors software vendors, analyses version differences, generates porting tasks, and manages notification digests.
Overview
┌─────────────────────────────────────────────────────────────────────────────┐
│ External Systems │
├─────────────┬─────────────┬─────────────┬─────────────┬────────────────────┤
│ GitHub │ GitLab │ npm │ Packagist │ AI Providers │
│ Releases │ Releases │ Publish │ Updates │ (Anthropic/OpenAI) │
└──────┬──────┴──────┬──────┴──────┬──────┴──────┬──────┴─────────┬──────────┘
│ │ │ │ │
└─────────────┴─────────────┴─────────────┘ │
│ │
┌──────▼──────┐ │
│ Webhook │ │
│ Controller │ │
└──────┬──────┘ │
│ │
┌──────▼──────┐ ┌──────▼──────┐
│ Webhook │ │ AI │
│ Receiver │ │ Analyzer │
│ Service │ │ Service │
└──────┬──────┘ └──────┬──────┘
│ │
┌───────────────────┼───────────────────────────────────────┤
│ │ │
┌──────▼──────┐ ┌──────▼──────┐ ┌──────────────┐ ┌──────▼──────┐
│ Vendor │ │ Version │ │ Diff │ │ Upstream │
│ Model │◄────┤ Release │────►│ Analyzer │───►│ Todo │
└─────────────┘ └─────────────┘ │ Service │ └─────────────┘
└──────────────┘ │
│
┌──────────────┐ ┌──────▼──────┐
│ Issue │◄───────────────────────┤ Issue │
│ (GitHub/ │ │ Generator │
│ Gitea) │ │ Service │
└──────────────┘ └─────────────┘
Module Registration
The package registers as a Laravel service provider via Boot.php and uses the event-driven module loading pattern from core-php.
Event Listeners
public static array $listens = [
AdminPanelBooting::class => 'onAdminPanel',
ApiRoutesRegistering::class => 'onApiRoutes',
ConsoleBooting::class => 'onConsole',
];
Registered Services
All services are registered as singletons:
| Service | Purpose |
|---|---|
VendorStorageService |
Local and S3 file storage for vendor archives |
VendorUpdateCheckerService |
Polls registries (GitHub, Packagist, npm) for updates |
DiffAnalyzerService |
Generates file diffs between versions |
AIAnalyzerService |
Uses AI to analyse diffs and categorise changes |
IssueGeneratorService |
Creates GitHub/Gitea issues from todos |
UptelligenceDigestService |
Compiles and sends digest notifications |
WebhookReceiverService |
Processes incoming vendor release webhooks |
AssetTrackerService |
Tracks package dependencies (Composer, npm) |
Data Model
Core Entities
┌─────────────┐ ┌─────────────────┐ ┌─────────────┐
│ Vendor │────►│ VersionRelease │────►│ DiffCache │
└─────────────┘ └─────────────────┘ └─────────────┘
│ │
│ │
▼ ▼
┌─────────────┐ ┌─────────────────┐
│UpstreamTodo │ │ AnalysisLog │
└─────────────┘ └─────────────────┘
Vendor
Represents an upstream software source (licensed, OSS, or plugin).
Key attributes:
slug- Unique identifiersource_type-licensed,oss, orplugingit_repo_url- Repository URL for OSS vendorspath_mapping- Maps upstream paths to target pathsignored_paths- Patterns to skip during analysispriority_paths- High-importance file patternstarget_repo- GitHub/Gitea repo for issue creation
VersionRelease
Tracks a specific version of a vendor's software.
Key attributes:
version/previous_version- Version comparisonstorage_disk-localors3s3_key- Archive location in cold storagefile_hash- SHA-256 for integrity verificationsummary- AI-generated release summary
UpstreamTodo
A porting task generated from version analysis.
Key attributes:
type-feature,bugfix,security,ui,block,api,refactor,dependencystatus-pending,in_progress,ported,skipped,wont_portpriority- 1-10 scaleeffort-low,medium,highai_analysis- Raw AI analysis datagithub_issue_number- Linked issue
DiffCache
Stores individual file changes for a version release.
Key attributes:
change_type-added,modified,removedcategory- Auto-detected:controller,model,view,security, etc.diff_content- Unified diff for modified files
Webhook System
Architecture
┌─────────────────┐
GitHub/GitLab/npm ─────►│WebhookController│
└────────┬────────┘
│
┌────────▼────────┐
│ Validate │
│ Signature │
└────────┬────────┘
│
┌────────▼────────┐
│ Create │
│ Delivery │
└────────┬────────┘
│
┌────────▼────────┐
│ Dispatch │
│ Job │
└────────┬────────┘
│
┌────────▼────────┐
│ Process │
│ Webhook │
│ Job │
└────────┬────────┘
│
┌──────────────┼──────────────┐
│ │ │
┌──────▼───┐ ┌──────▼───┐ ┌──────▼───┐
│ Parse │ │ Create │ │ Notify │
│ Payload │ │ Release │ │ Users │
└──────────┘ └──────────┘ └──────────┘
Supported Providers
| Provider | Signature Method | Event Types |
|---|---|---|
| GitHub | HMAC-SHA256 (X-Hub-Signature-256) |
release.published, release.created |
| GitLab | Token (X-Gitlab-Token) |
release.create, tag_push |
| npm | HMAC-SHA256 | package:publish |
| Packagist | HMAC-SHA1 | package.update |
| Custom | HMAC-SHA256 | Flexible |
Secret Rotation
Webhooks support secret rotation with a configurable grace period (default 24 hours) where both old and new secrets are accepted.
Circuit Breaker
After 10 consecutive failures, a webhook endpoint is automatically disabled to prevent continued processing failures.
Storage Architecture
Dual Storage Mode
The package supports both local and S3 storage for vendor archives.
┌─────────────────────────────────────────────────────────┐
│ Storage Flow │
├─────────────────────────────────────────────────────────┤
│ │
│ Upload ─► Local Storage ─► Create Archive ─► S3 │
│ │ │
│ ▼ │
│ Delete Local │
│ (optional, based │
│ on retention) │
│ │
│ Analysis ─► Check Local ─► Not Found ─► Download S3 │
│ │ │ │
│ ▼ ▼ │
│ Use Local Extract │
│ │ │
│ ▼ │
│ Use Local │
│ │
└─────────────────────────────────────────────────────────┘
Retention Policy
- Keep N most recent versions locally (configurable, default 2)
- Never delete current or previous version locally
- Archive older versions to S3 automatically
- Verify file integrity on S3 download via SHA-256 hash
Path Structure
Local:
storage/app/vendors/{vendor-slug}/{version}/
S3:
{prefix}{vendor-slug}/{version}.tar.gz
AI Analysis Pipeline
Flow
VersionRelease
│
▼
┌────────────┐
│ Group │ ─► Related files grouped together
│ Diffs │ (controller + view + route)
└─────┬──────┘
│
▼
┌────────────┐
│ Build │ ─► Construct context with file changes
│ Context │
└─────┬──────┘
│
▼
┌────────────┐
│ Call │ ─► Rate-limited AI API call
│ AI │ (10/minute default)
└─────┬──────┘
│
▼
┌────────────┐
│ Parse │ ─► Extract structured JSON
│ Response │
└─────┬──────┘
│
▼
┌────────────┐
│ Create │ ─► Generate UpstreamTodo records
│ Todos │
└────────────┘
AI Providers
Supports:
- Anthropic (default) - Claude models
- OpenAI - GPT models
Configuration via upstream.ai.provider and upstream.ai.model.
Rate Limiting
- AI API calls: 10/minute (configurable)
- Registry checks: 30/minute
- Issue creation: 10/minute
- Webhook ingestion: 60/minute per endpoint
Console Commands
| Command | Purpose |
|---|---|
upstream:check |
Check vendors for updates, display status table |
upstream:analyze |
Analyse version diffs and generate todos |
upstream:issues |
Create GitHub/Gitea issues from pending todos |
upstream:check-updates |
Poll external registries for new versions |
upstream:send-digests |
Send scheduled digest emails |
Admin UI Components
All components are Livewire-based and registered under the uptelligence.admin.* namespace:
| Component | Purpose |
|---|---|
Dashboard |
Overview of vendors, todos, recent activity |
VendorManager |
CRUD for vendor configurations |
TodoList |
View and manage porting todos |
DiffViewer |
Browse file changes between versions |
AssetManager |
Track package dependencies |
DigestPreferences |
User notification settings |
WebhookManager |
Configure and monitor webhook endpoints |
Configuration
See /Users/snider/Code/host-uk/core-uptelligence/config.php for all configuration options.
Key configuration sections:
storage- Local and S3 storage settingssource_types- Vendor type definitionsdetection_patterns- File categorisation patternsai- AI provider and model settingsgithub/gitea- Issue tracker integrationupdate_checker- Auto-checking behaviournotifications- Slack, Discord, email settingsdefault_vendors- Pre-configured vendor seeds
Dependencies
Required
host-uk/core- Foundation framework
External Services
- Anthropic API or OpenAI API (for AI analysis)
- GitHub API (for releases and issues)
- Gitea API (for internal git server)
- Packagist API (for Composer package checks)
- npm Registry (for npm package checks)
- S3-compatible storage (for archives)