5699bc6c5b
refactor(config): remove runtime config files and centralize route/bootstrap
2026-04-01 20:27:42 +02:00
0c351f6aff
refactor(audit): extract audit domain into self-contained module
...
Move the entire audit subsystem (system audit, API audit, import audit,
user lifecycle audit, frontend telemetry) from core into modules/audit/.
Core decoupling via interface-based injection:
- AuditRecorderInterface replaces SystemAuditService in 10+ core services
- UserLifecycleAuditInterface / ImportAuditInterface for specialized flows
- NullAuditRecorder fallback when audit module is disabled
- ApiBootstrap/ApiResponse use null-safe callable resolvers
Module structure (modules/audit/):
- Manifest with routes, permissions, scheduler jobs, authorization policy
- 9 services, 8 repositories, 6 domain enums, 4 job handlers
- 33 page files, 4 JS files, 8 test files, migration scripts, i18n
Core cleanup:
- OperationsAuthorizationPolicy, UiCapabilityMap, PermissionService
surgically cleaned of audit-specific constants
- Sidebar template cleared of hardcoded audit navigation
- AuditModuleIsolationContractTest ensures no future core→module coupling
All quality gates pass: 1346 tests (19,276 assertions), PHPStan level 5
clean, architecture contracts verified.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-25 21:12:49 +01:00
07fbb96246
test: add PHPUnit coverage for 7 critical Tier 1 services (GR-TEST-001)
...
199 new tests across 9 files covering auth, user lifecycle, and settings:
- ApiTokenService: create/validate/rotate/revoke, timing-safe hash, tenant scope
- ApiTokenEndpointService: pagination, scope filtering, tenant resolution, expiry
- SsoUserLinkService: 2-phase identity lookup, provisioning, profile+avatar sync
- UserAssignmentService: sync methods, assignable-role freeze, transactions
- UserLifecycleAuditService: encrypted snapshots, enum normalization, retention
- UserLifecycleRestoreService: full restore flow, 9 error exits, rollback
- AdminSettingsService: API/lifecycle, Microsoft/telemetry, color/SMTP validation
Workflow: TEST-TIER1-001 (Analyst → Planner → Executor → Code Review → Security Review → Acceptance → Finalizer — all pass)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-22 23:29:07 +01:00
555199b217
fix: PHPStan and test strictness improvements
...
Add bin/ scripts to PHPStan scanFiles, suppress property.onlyWritten for
by-ref test properties, add exhaustive default match arm, use explicit
expects() on mock stubs, fix data provider return type, and simplify
redundant null check in NotificationServiceTest.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-22 14:15:36 +01:00
b873efc973
Strengthen settings gateway tests
2026-03-19 20:32:34 +01:00
011d662dfc
Drop redundant crypto gateway tests
2026-03-19 20:17:11 +01:00
5c7a1148ac
Consolidate settings session policy tests
2026-03-19 19:45:16 +01:00
bc72fa50a6
Consolidate settings normalization tests
2026-03-19 19:43:55 +01:00
83aadb3535
Deduplicate crypto gateway tests
2026-03-19 19:36:17 +01:00
f6777113ec
test(gateways): add 27 unit tests for 3 security-critical gateway classes
...
AuthCryptoGatewayTest (10 tests): encrypt/decrypt round-trip, unique IVs,
Crypto payload format verification (GR-SEC-005), error handling.
SettingsCryptoGatewayTest (9 tests): interface compliance, round-trip,
AES-256-GCM format, tampered ciphertext handling.
OidcHttpGatewayTest (8 tests): success, 401/500, network error, malformed JSON.
Plan amended: PermissionGateway removed (does not exist in codebase).
SC-002 amended: payload format verification accepted as Crypto delegation proof.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-13 13:57:33 +01:00
892da0048d
refactor(arch): enforce gateway compliance and remove service-wrapping gateways
2026-03-13 11:31:33 +01:00
964c07a9de
feat(auth): add microsoft auto-remember policy with tenant override and configurable remember TTL
2026-03-10 22:48:10 +01:00
792af5a532
feat(settings): add admin session policy management
2026-03-09 20:07:55 +01:00
11ca546eae
feat(security): add session timeout + transaction wrapping (B1)
...
Session timeout: configurable idle (default 30min) and absolute (default 8h)
timeouts via DB settings, enforced in web/index.php on every request.
Timestamps set at login in action layer; graceful fallback for pre-existing
sessions.
Transaction wrapping: UserAccountService.createFromAdmin/register, roles
create/edit, and permissions edit now wrap multi-step DB operations in
transactions to guarantee atomicity.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-09 19:16:26 +01:00
9a08f96c11
agent foundation
2026-03-06 00:44:52 +01:00
8f4dd5840d
major update
2026-03-04 15:56:58 +01:00
7b53faca37
bisschen tests fixen
2026-02-23 16:00:04 +01:00
99db252f60
instances added god may help
2026-02-23 12:58:19 +01:00