harden: web/index.php — runtime fingerprint, API channel isolation, extract() safety
Three robustness improvements to the request entry point: P1a: Module runtime stale-detection via fingerprint - ModuleRuntimePageBuilder gains writeFingerprint/readFingerprint/expectedFingerprint - module-build.php writes storage/runtime/.module-fingerprint after each build - web/index.php validates fingerprint on every request; throws RuntimeException with actionable message if stale (replaces silent auto-build in request path) - Eliminates P2 (concurrency) by removing build from hot path entirely P1b: API requests skip session/auth/cookie flows - Channel detection (isApiRequest) moved before Session::start() - Session::start(), remember-me, session timeout, tenant refresh and locale resolution wrapped in if-not-API guard - API endpoints no longer set cookies or trigger login redirects - Default locale set separately for API so t() works in error responses P3: extract(Router::getParameters(), EXTR_SKIP) - Prevents URL parameters from overwriting existing scope variables Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -51,6 +51,8 @@ function moduleBuildRun(): int
|
||||
$builder = new ModuleRuntimePageBuilder();
|
||||
$result = $builder->build($runtimeDir, __DIR__ . '/../pages', $modules);
|
||||
|
||||
ModuleRuntimePageBuilder::writeFingerprint($runtimeDir, $modules);
|
||||
|
||||
if (count($modules) === 0) {
|
||||
fwrite(STDOUT, "module-build: no modules, runtime → core pages (symlink).\n");
|
||||
} else {
|
||||
|
||||
Reference in New Issue
Block a user