Files
breadcrumb-the-shire/.agents/checks/guard-checklist.md
fs 0e86925464 refactor: rename lib/ to core/ for clearer core-module separation
Rename the top-level lib/ directory to core/ so the project root
immediately communicates which code is core platform and which lives
in modules/. PHP namespaces (MintyPHP\*) are unchanged — only the
Composer PSR-4 path mapping moves from lib/ to core/.

Module-internal lib/ directories (modules/*/lib/) are untouched.

Updated across the full stack:
- composer.json PSR-4 mapping
- bootstrap entry points (web/index.php, bin/*, tests/bootstrap.php)
- tooling configs (phpstan.neon, phpunit.xml, php-cs-fixer)
- 26 architecture contract tests
- enforcement-policy, guard-catalog, quality-gates
- all documentation (CLAUDE.md, README, 25 docs/, .agents/skills/)
- bin/qa-extended.sh search paths
- .claude/settings.local.json permission paths

Workflow: .agents/runs/CORE-LIB-RENAME-001/ (Analyst → Planner →
Executor → Code Review (4 findings fixed) → Security Review →
Acceptance Test → Finalizer)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 23:20:42 +02:00

46 lines
2.2 KiB
Markdown

# Code Review Checklist
Use this checklist for the Code Reviewer role.
Guard IDs live in `.agents/checks/guard-catalog.json` (guards where `reviewer` = `code`).
## Architecture & Conventions
- `GR-CORE-003` request input via requestInput(); no $_POST/$_GET/$_FILES
- `GR-CORE-007` OpenAPI updated when API endpoints changed
- `GR-CORE-010` DB schema changes shipped as idempotent scripts in db/updates/
- `GR-CORE-011` new settings in DB settings table, not config files
- `GR-CORE-012` successful mutating POSTs use PRG pattern; flash before redirect
## Testing
- `GR-TEST-001` new/changed Service/Gateway logic has PHPUnit tests (happy + edge case)
- `GR-TEST-002` new code uses constructor injection; no hidden global state
## UI (skip if backend-only)
- `GR-UI-014` new views/components handle loading, empty, error, success states
- `GR-UI-LIST` list/grid standards preserved (row actions, page size, initStandardListPage)
- `GR-UI-DETAIL` detail page contracts, shared partials, no inline confirm, layout system
- `GR-UI-A11Y` no a11y regression; new components use semantic HTML, keyboard-operable
- `GR-UI-I18N` all visible text uses t(); keys present in all language files
- `GR-UI-REUSE` existing JS/CSS checked before adding new functions/rules
## Quality Gates
- required always (per `enforcement-policy.json`): `QG-001`, `QG-002`, `QG-003`, `QG-006`, `QG-008`, `QG-009`
- `QG-004` structural checks reported when relevant
- `QG-005` JS smoke for JS-touching changes
- `QG-007` composer-unused is periodic / non-blocking
# Security Review Checklist
Use this checklist for the Security Reviewer role.
Guard IDs live in `.agents/checks/guard-catalog.json` (guards where `reviewer` = `security`).
## Security
- `GR-SEC-001` CSRF token verified on every POST before processing
- `GR-SEC-002` no PII or secrets in logs/audit metadata
- `GR-SEC-003` all SQL via Repository with prepared statements
- `GR-SEC-004` no external CDN or remote asset loading
- `GR-SEC-005` encryption only via core/Support/Crypto.php
- `GR-SEC-006` file uploads in storage/ only; authz-gated serving; MIME validated
- `GR-SEC-007` API requests do not start sessions
- `GR-SEC-008` authorization enforced server-side
- `GR-SEC-009` tenant scope enforced server-side; tenant_id filtering on all scoped queries