Phase A — Gate Reliability:
- Fix typography token violations in app-breadcrumb.css
- Switch QG-006 from composer cs:check to direct php-cs-fixer
- Align all docs/skills with new gate command
Phase B — Production Profile:
- Multi-stage Dockerfile: dev (xdebug) / prod (no xdebug)
- Compose files target explicit build stages
Phase C — Module Runtime Hardening:
- Atomic staging+swap build in ModuleRuntimePageBuilder
- SHA-256 fingerprint from manifest content + page entries
- 11 new regression tests for build safety and fingerprint drift
Task: STARTERKIT-HARDENING-ONPREM-001
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Apply consistent security settings to both environments so issues
surface early in development rather than first appearing in prod.
Both environments:
- expose_php=Off — hide PHP version from X-Powered-By
- allow_url_include=Off — prevent remote file inclusion
- open_basedir=/var/www:/tmp — restrict filesystem access
- disable_functions — block shell execution functions unused by the app
- Session: strict_mode, httponly, samesite=Lax, use_only_cookies
Production additionally:
- display_errors=0, log_errors=1
- session.cookie_secure=1 (HTTPS-only)
Removed deprecated sid_length/sid_bits_per_character (PHP 8.5+).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- expose_php=Off — hide PHP version from response headers
- allow_url_include=Off — prevent remote file inclusion
- open_basedir=/var/www:/tmp — restrict filesystem access
- disable_functions — block shell execution functions not used by the app
- Session hardening: strict_mode, httponly, secure, samesite=Lax,
use_only_cookies, 48-char session IDs with 6 bits/char
Note: allow_url_fopen left On (required by PHPMailer for SMTP streams).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>