php/src/Core/Rules/CLAUDE.md
Snider 1d8a202bdf feat: add CLAUDE.md to all 21 CorePHP subsystems
Agent-readable documentation for every Core subsystem, extracted
from 530 PHP source files. Each CLAUDE.md documents key classes,
public API, patterns, and integration points.

Highlights discovered:
- Actions: #[Scheduled] attribute system wires to Laravel scheduler
- Bouncer Gate: training mode with #[Action] attributes (CoreGO pattern)
- Config: hierarchical scope (global→workspace→user) with version diffs
- Crypt: LthnHash = QuasiSalt from dAppServer, ported to PHP
- Database: Kahn's algorithm topological seeder sorting via attributes
- Events: 12 lifecycle events with HasEventVersion forward compat
- Front: 78 blade components + programmatic Component for MCP/agent UI
- Headers: DetectDevice identifies 14 in-app browser platforms
- Input: 9-step pre-boot sanitisation pipeline
- Lang: TranslationMemory with fuzzy matching + TMX import/export
- Mail: EmailShield with 100k+ disposable domain blocking
- Search: 7-source unified search with privacy-aware IP hashing
- Storage: Redis circuit breaker (Closed/Open/Half-Open)

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-29 13:24:07 +01:00


Core\Rules

Security-focused Laravel validation rules. No service provider -- use directly in validation arrays.

Rules

SafeWebhookUrl

SSRF protection for webhook delivery URLs.

Blocks:

  • Localhost and loopback (127.0.0.0/8, ::1)
  • Private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Link-local, reserved ranges, special-use addresses
  • Local domain names (.local, .localhost, .internal)
  • Decimal IP encoding (2130706433 = 127.0.0.1)
  • IPv4-mapped IPv6 (::ffff:127.0.0.1)
  • Non-HTTPS schemes

Service mode: Optionally restrict to known webhook domains (Discord, Slack, Telegram). Known service domains skip SSRF checks.

'url' => [new SafeWebhookUrl]                    // any HTTPS, no SSRF
'url' => [new SafeWebhookUrl('discord')]          // discord.com/discordapp.com only
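The checks listed above, as a standalone PHP illustration added here (it is not the Core\Rules source; the function names and the injectable resolver are assumptions):

```php
<?php
// Added illustration, not the Core\Rules source: the SafeWebhookUrl checks
// listed above as a standalone function. Names and the resolver are assumptions.
declare(strict_types=1);
/** Return null when $url is acceptable, otherwise the reason it must be rejected. */
function webhookUrlProblem(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return 'scheme must be https and a host is required';
    }
    $host = strtolower(trim($parts['host'], '[]'));
    // Local-only suffixes never reach DNS.
    foreach (['.local', '.localhost', '.internal'] as $suffix) {
        if ($host === ltrim($suffix, '.') || str_ends_with($host, $suffix)) {
            return "local domain name: {$host}";
        }
    }
    // Decimal-encoded IPv4 (2130706433 == 127.0.0.1) is normalised to dotted form.
    if (preg_match('/^\d+$/', $host) && (int) $host <= 0xFFFFFFFF) {
        $host = long2ip((int) $host);
    }
    // A literal IP is checked directly; a hostname must resolve, and every
    // returned A/AAAA address must pass -- one bad record rejects the URL.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : ($resolver ?? 'resolveAllIps')($host);
    if ($ips === []) {
        return "unresolvable host: {$host}";
    }
    foreach ($ips as $ip) {
        // IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as its embedded IPv4.
        if (preg_match('/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i', $ip, $m)) {
            $ip = $m[1];
        }
        // Private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved
        // (0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10) ranges fail here.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return "address {$ip} is private, loopback, link-local or reserved";
        }
    }
    return null;
}
/** Default resolver: all A and AAAA records for the host (empty when none). */
function resolveAllIps(string $host): array
{
    $records = @dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
    return array_values(array_filter(array_map(fn ($r) => $r['ip'] ?? $r['ipv6'] ?? null, $records)));
}
```

Pass a closure as `$resolver` that returns a fixed address list to exercise the rule without network access; a hostname whose records include any blocked address is rejected, which is the "ALL returned IPs" convention noted at the end of this page.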

SafeJsonPayload

Protects against malicious JSON payloads stored in the database.

Validates:

  • Maximum total size (default 10 KB)
  • Maximum nesting depth (default 3)
  • Maximum total keys across all levels (default 50)
  • Maximum string value length (default 1000 chars)

Factory methods:

  • SafeJsonPayload::default() -- 10 KB, depth 3, 50 keys
  • SafeJsonPayload::small() -- 2 KB, depth 2, 20 keys
  • SafeJsonPayload::large() -- 100 KB, depth 5, 200 keys
  • SafeJsonPayload::metadata() -- 5 KB, depth 2, 30 keys, 256 char strings

'payload' => ['array', SafeJsonPayload::metadata()]

Conventions

  • Both rules implement Illuminate\Contracts\Validation\ValidationRule.
  • SafeWebhookUrl resolves hostnames and checks ALL returned IPs against blocklists.
  • These are standalone -- no Boot provider, no config. Import and use directly.