@cicore/cli 1.0.0

package/dist/lib/tenant-scope.js

@@ -0,0 +1,129 @@
+/**
+ * Tenant-scope static analysis — T-C trust-boundary deploy gate (task-230).
+ *
+ * Addon Backend PHP'si paylaşımlı cicore_php-FPM içinde çalışır. Yanlış yazılmış
+ * bir addon DatabaseService'i doğrudan çağırarak TenantContext'i bypass edip başka
+ * tenant'ın verisine erişebilir.
+ *
+ * Tarama iki katmanda çalışır:
+ *   1. Orijinal satır bazlı — kesin satır numarası üretir.
+ *   2. Whitespace-normalize (tek satır) — multi-line split kaçağını kapatır.
+ *
+ * Ayrıca PHP class alias (`use ... as Alias`) tespiti yapılır; her alias için
+ * forbidden pattern'lar dinamik olarak üretilir.
+ *
+ * Sınır: statik regex (AST değil). Obfuscated runtime bypass → FAZ-2 sandbox (Hünkar).
+ */
+const TENANT_SAFE_PATTERNS = [
+    /TenantContext::current\(\)/,
+    /TenantDbResolver/,
+];
+/** Regex özel karakterlerini escape et. */
+function esc(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * PHP 'use ... as Alias' ifadelerinden DatabaseService alias listesi çıkarır.
+ * 'DatabaseService' her zaman dahil (alias olmayan doğrudan kullanım).
+ */
+function extractDbAliases(content) {
+    const aliases = ['DatabaseService'];
+    const re = /use\s+(?:[\w\\]+\\)?DatabaseService\s+as\s+(\w+)\s*;/g;
+    let m;
+    while ((m = re.exec(content)) !== null) {
+        if (!aliases.includes(m[1]))
+            aliases.push(m[1]);
+    }
+    return aliases;
+}
+/**
+ * Tüm whitespace dizilerini tek boşluğa indirir — satır kırıkları da dahil.
+ * Multi-line pattern split kaçağını tek-satıra getirerek kapatır.
+ */
+function flattenWhitespace(content) {
+    return content.replace(/\s+/g, ' ');
+}
+/**
+ * Orijinal satırları tarayarak kesin satır numarası üretir (1-tabanlı).
+ * Eşleşen satır yoksa -1 döner (normalize-path için çağıran line:0 atar).
+ */
+function findLine(lines, pattern) {
+    const idx = lines.findIndex((l) => pattern.test(l));
+    return idx >= 0 ? idx + 1 : -1;
+}
+function addViolation(violations, file, line, rule, detail) {
+    violations.push({ file, line, rule, detail });
+}
+/**
+ * Analyzes a list of Backend PHP files for tenant-scope violations.
+ * Pure function (no filesystem I/O) — testable without disk.
+ */
+export function analyzeTenantScope(files) {
+    if (files.length === 0) {
+        return { violations: [], tenantContextUsed: false, hasBackendFiles: false, ok: true };
+    }
+    const violations = [];
+    let tenantContextUsed = false;
+    for (const { path: filePath, content } of files) {
+        if (TENANT_SAFE_PATTERNS.some((p) => p.test(content))) {
+            tenantContextUsed = true;
+        }
+        const aliases = extractDbAliases(content);
+        const flat = flattenWhitespace(content);
+        const lines = content.split('\n');
+        // ── FORBIDDEN-1: Alias::getConnection() direkt çağrı ─────────────────
+        for (const alias of aliases) {
+            const pat = new RegExp(`${esc(alias)}::getConnection\\s*\\(\\s*\\)`);
+            // Katman-1: satır bazlı (kesin satır numarası)
+            lines.forEach((line, idx) => {
+                if (pat.test(line)) {
+                    addViolation(violations, filePath, idx + 1, 'direct-db-connection', `Direct ${alias}::getConnection() bypasses TenantContext — use TenantDbResolver. ` +
+                        `(found: "${line.trim().slice(0, 80)}")`);
+                }
+            });
+            // Katman-2: normalize (multi-line split'i kapatır; line:0 = dosya-seviyesi)
+            if (pat.test(flat) && !lines.some((l) => pat.test(l))) {
+                addViolation(violations, filePath, 0, 'direct-db-connection', `Direct ${alias}::getConnection() bypasses TenantContext (multi-line split detected) — use TenantDbResolver.`);
+            }
+        }
+        // ── FORBIDDEN-2: Alias::getGatewayInstance()->getConnection() ─────────
+        for (const alias of aliases) {
+            // 2a. Inline (tek satır veya whitespace-normalize birleşimi)
+            const inlinePat = new RegExp(`${esc(alias)}::getGatewayInstance\\s*\\(\\s*\\)\\s*->\\s*getConnection\\s*\\(\\s*\\)`);
+            lines.forEach((line, idx) => {
+                if (inlinePat.test(line)) {
+                    addViolation(violations, filePath, idx + 1, 'unguarded-gateway', `Unguarded ${alias}::getGatewayInstance()->getConnection() — use TenantDbResolver. ` +
+                        `(found: "${line.trim().slice(0, 80)}")`);
+                }
+            });
+            if (inlinePat.test(flat) && !lines.some((l) => inlinePat.test(l))) {
+                addViolation(violations, filePath, 0, 'unguarded-gateway', `Unguarded ${alias}::getGatewayInstance()->getConnection() (multi-line) — use TenantDbResolver.`);
+            }
+            // 2b. 2-step: $var = Alias::getGatewayInstance(); ... $var->getConnection()
+            //     Normalize üzerinde: değişken atama → aynı değişken üzerinden ->getConnection()
+            const assignPat = new RegExp(`(\\$\\w+)\\s*=\\s*${esc(alias)}::getGatewayInstance\\s*\\(\\s*\\)`);
+            const assignMatch = assignPat.exec(flat);
+            if (assignMatch) {
+                const varName = assignMatch[1];
+                const usePat = new RegExp(`${esc(varName)}\\s*->\\s*getConnection\\s*\\(\\s*\\)`);
+                if (usePat.test(flat)) {
+                    const assignLine = findLine(lines, new RegExp(`\\$\\w+\\s*=\\s*${esc(alias)}::getGatewayInstance\\s*\\(\\s*\\)`));
+                    addViolation(violations, filePath, assignLine > 0 ? assignLine : 0, 'unguarded-gateway', `${varName} = ${alias}::getGatewayInstance() stored and ->getConnection() called later ` +
+                        `(two-step pattern) — use TenantDbResolver.`);
+                }
+            }
+        }
+    }
+    // Backend dosyası var ama hiç TenantContext/TenantDbResolver yok
+    if (!tenantContextUsed) {
+        addViolation(violations, '<addon/Backend>', 0, 'no-tenant-context', 'No TenantContext::current() or TenantDbResolver found in any backend file — ' +
+            'tenant isolation cannot be verified. Add TenantContext::current() to all DB-accessing services.');
+    }
+    return {
+        violations,
+        tenantContextUsed,
+        hasBackendFiles: true,
+        ok: violations.length === 0,
+    };
+}
+//# sourceMappingURL=tenant-scope.js.map

package/dist/lib/tenant-scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-scope.js","sourceRoot":"","sources":["../../src/lib/tenant-scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAqBH,MAAM,oBAAoB,GAAG;IAC3B,4BAA4B;IAC5B,kBAAkB;CACnB,CAAA;AAED,2CAA2C;AAC3C,SAAS,GAAG,CAAC,CAAS;IACpB,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACjD,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,OAAO,GAAG,CAAC,iBAAiB,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,uDAAuD,CAAA;IAClE,IAAI,CAAyB,CAAA;IAC7B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACjD,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;AACrC,CAAC;AAED;;;GAGG;AACH,SAAS,QAAQ,CAAC,KAAe,EAAE,OAAe;IAChD,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;IACnD,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;AAChC,CAAC;AAED,SAAS,YAAY,CACnB,UAAkC,EAClC,IAAY,EACZ,IAAY,EACZ,IAAY,EACZ,MAAc;IAEd,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAkB;IACnD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,UAAU,EAAE,EAAE,EAAE,iBAAiB,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACvF,CAAC;IAED,MAAM,UAAU,GAA2B,EAAE,CAAA;IAC7C,IAAI,iBAAiB,GAAG,KAAK,CAAA;IAE7B,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,KAAK,EAAE,CAAC;QAChD,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACtD,iBAAiB,GAAG,IAAI,CAAA;QAC1B,CAAC;QAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;QACzC,MAAM,IAAI,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;QACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEjC,wEAAwE;QACxE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAA;YAEpE,+CAA+C;YAC/C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;gBAC1B,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnB,YAAY,CACV,UAAU,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,EAAE,sBAAsB,EACrD,UAAU,KAAK,mEAAmE;wBAClF,YAAY,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CACzC,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,4EAA4E;YAC5E,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtD,YAAY,CACV,UAAU,EAAE,QAAQ,EAAE,CAAC,EAAE,sBAAsB,EAC/C,UAAU,KAAK,8FAA8F,CAC9G,CAAA;YACH,CAAC;QACH,CAAC;QAED,yEAAyE;QACzE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,MAAM,SAAS,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,yEAAyE,CAAC,CAAA;YAEpH,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;gBAC1B,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzB,YAAY,CACV,UAAU,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,EAAE,mBAAmB,EAClD,aAAa,KAAK,kEAAkE;wBACpF,YAAY,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CACzC,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClE,YAAY,CACV,UAAU,EAAE,QAAQ,EAAE,CAAC,EAAE,mBAAmB,EAC5C,aAAa,KAAK,8EAA8E,CACjG,CAAA;YACH,CAAC;YAED,4EAA4E;YAC5E,qFAAqF;YACrF,MAAM,SAAS,GAAG,IAAI,MAAM,CAAC,qBAAqB,GAAG,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAA;YACjG,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACxC,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;gBAC9B,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAA;gBACjF,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtB,MAAM,UAAU,GAAG,QAAQ,CACzB,KAAK,EACL,IAAI,MAAM,CAAC,mBAAmB,GAAG,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAC9E,CAAA;oBACD,YAAY,CACV,UAAU,EAAE,QAAQ,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAC1E,GAAG,OAAO,MAAM,KAAK,mEAAmE;wBACxF,4CAA4C,CAC7C,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,iEAAiE;IACjE,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,YAAY,CACV,UAAU,EAAE,iBAAiB,EAAE,CAAC,EAAE,mBAAmB,EACrD,8EAA8E;YAC9E,iGAAiG,CAClG,CAAA;IACH,CAAC;IAED,OAAO;QACL,UAAU;QACV,iBAAiB;QACjB,eAAe,EAAE,IAAI;QACrB,EAAE,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;KAC5B,CAAA;AACH,CAAC"}

package/dist/lib/tenant-scope.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=tenant-scope.test.d.ts.map

package/dist/lib/tenant-scope.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-scope.test.d.ts","sourceRoot":"","sources":["../../src/lib/tenant-scope.test.ts"],"names":[],"mappings":""}

package/dist/lib/tenant-scope.test.js

@@ -0,0 +1,223 @@
+import { describe, it, expect } from 'vitest';
+import { analyzeTenantScope } from './tenant-scope.js';
+describe('tenant-scope / T-C trust-boundary deploy gate (task-230)', () => {
+    // ── temiz addon ─────────────────────────────────────────────────────
+    it('dosya yoksa ok=true, hasBackendFiles=false (backend-siz addon geçer)', () => {
+        const result = analyzeTenantScope([]);
+        expect(result.ok).toBe(true);
+        expect(result.hasBackendFiles).toBe(false);
+        expect(result.violations).toHaveLength(0);
+    });
+    it('TenantContext::current() kullanan addon → temiz (deploy GEÇER)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/MyService.php',
+                content: [
+                    '<?php',
+                    'use VuCore\\Core\\Services\\TenantContext;',
+                    '$tenant = TenantContext::current();',
+                    '$db = $tenant->db();',
+                    '$stmt = $db->query("SELECT * FROM widgets WHERE tenant_id = :tid");',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(true);
+        expect(result.tenantContextUsed).toBe(true);
+        expect(result.violations).toHaveLength(0);
+    });
+    it('TenantDbResolver kullanan addon → temiz (deploy GEÇER)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/OrderService.php',
+                content: '<?php\n$db = TenantDbResolver::resolve($slug);\n',
+            },
+        ]);
+        expect(result.ok).toBe(true);
+        expect(result.violations).toHaveLength(0);
+    });
+    // ── adversarial: kötü addon, deploy RED ──────────────────────────────
+    it('[ADVERSARIAL] DatabaseService::getConnection() direkt çağrı → violation + deploy RED', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/BadService.php',
+                content: [
+                    '<?php',
+                    '// Kötü addon: TenantContext yok, direkt DB bağlantısı',
+                    '$pdo = \\VuCore\\Core\\Services\\DatabaseService::getConnection();',
+                    '$stmt = $pdo->query("SELECT * FROM all_tenants_data");',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        expect(result.tenantContextUsed).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('direct-db-connection');
+        expect(rules).toContain('no-tenant-context');
+    });
+    it('[ADVERSARIAL] getGatewayInstance()->getConnection() unguarded → violation + deploy RED', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Controllers/BadController.php',
+                content: [
+                    '<?php',
+                    '$db = DatabaseService::getGatewayInstance()->getConnection();',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('unguarded-gateway');
+        expect(rules).toContain('no-tenant-context');
+    });
+    it('[ADVERSARIAL] TenantContext var AMA direkt getConnection() de var → violation (deploy RED)', () => {
+        // TenantContext kullanıyor ama yine de direkt bypass da yapıyor
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/HybridService.php',
+                content: [
+                    '<?php',
+                    '$tenant = TenantContext::current();   // iyi',
+                    '$adminDb = DatabaseService::getConnection(); // BU YASAK',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        expect(result.tenantContextUsed).toBe(true); // tenantContext var ama...
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('direct-db-connection');
+        expect(rules).not.toContain('no-tenant-context'); // TC var, o violation yok
+    });
+    // ── çoklu dosya ────────────────────────────────────────────────────
+    it('çoklu dosya: biri temiz biri kötü → violation + deploy RED', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/GoodService.php',
+                content: '$tenant = TenantContext::current();',
+            },
+            {
+                path: 'Backend/Services/BadService.php',
+                content: '$db = DatabaseService::getConnection(); // bypass',
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        expect(result.tenantContextUsed).toBe(true);
+        expect(result.violations.some((v) => v.file === 'Backend/Services/BadService.php')).toBe(true);
+    });
+    // ── violation detay yapısı ─────────────────────────────────────────
+    it('violation satır numarası doğru (1-tabanlı)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/LineTest.php',
+                content: '<?php\n\n$db = DatabaseService::getConnection();\n',
+            },
+        ]);
+        const v = result.violations.find((x) => x.rule === 'direct-db-connection');
+        expect(v).toBeDefined();
+        expect(v.line).toBe(3);
+    });
+    // ── kaçak-1: PHP class alias (CHANGES_REQUESTED) ───────────────────
+    it('[ADVERSARIAL][kaçak-1] use DatabaseService as DB; DB::getConnection() → violation (deploy RED)', () => {
+        // Alias kullanımı: forbidden regex orijinal ismi aramaz, alias yakalanmalı
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/AliasedService.php',
+                content: [
+                    '<?php',
+                    'use VuCore\\Core\\Services\\DatabaseService as DB;',
+                    '// TenantContext yok, alias ile direkt bağlantı',
+                    '$pdo = DB::getConnection();',
+                    '$stmt = $pdo->query("SELECT * FROM all_data");',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('direct-db-connection');
+        expect(rules).toContain('no-tenant-context');
+        const v = result.violations.find((x) => x.rule === 'direct-db-connection');
+        expect(v?.detail).toMatch(/DB::getConnection/);
+        expect(v?.line).toBe(4);
+    });
+    it('[ADVERSARIAL][kaçak-1] alias ile getGatewayInstance()->getConnection() → violation (deploy RED)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/AliasGateway.php',
+                content: [
+                    '<?php',
+                    'use VuCore\\Core\\Services\\DatabaseService as Svc;',
+                    '$db = Svc::getGatewayInstance()->getConnection();',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('unguarded-gateway');
+    });
+    // ── kaçak-2: multi-line getGatewayInstance split (CHANGES_REQUESTED) ──
+    it('[ADVERSARIAL][kaçak-2] $gw = getGatewayInstance(); ayrı satır $gw->getConnection() → violation (deploy RED)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/MultiLineGateway.php',
+                content: [
+                    '<?php',
+                    '// Kötü addon: 2-step split, tek satır regex yakalamazdı',
+                    '$gw = DatabaseService::getGatewayInstance();',
+                    'someOtherCall();',
+                    '$db = $gw->getConnection();',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('unguarded-gateway');
+        const v = result.violations.find((x) => x.rule === 'unguarded-gateway');
+        expect(v?.detail).toMatch(/\$gw.*getGatewayInstance.*two-step|multi-line/i);
+    });
+    it('[ADVERSARIAL][kaçak-2] alias + multi-line split → violation (deploy RED)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Controllers/AliasMultiLine.php',
+                content: [
+                    '<?php',
+                    'use VuCore\\Core\\Services\\DatabaseService as DS;',
+                    '$gateway = DS::getGatewayInstance();',
+                    '$pdo = $gateway->getConnection();',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('unguarded-gateway');
+    });
+    // ── kaçak-3: parantez boşluk toleransı (CHANGES_REQUESTED 3. tur) ───
+    it('[ADVERSARIAL][kaçak-3] getConnection ( ) boşluklu parantez → violation (deploy RED)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/SpacedParen.php',
+                content: [
+                    '<?php',
+                    '// Kötü addon: getConnection ( ) boşluklu — önceki regex kaçırırdı',
+                    '$db = DatabaseService::getConnection ( );',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('direct-db-connection');
+    });
+    it('[ADVERSARIAL][kaçak-3] getGatewayInstance () -> getConnection () boşluklu → violation (deploy RED)', () => {
+        const result = analyzeTenantScope([
+            {
+                path: 'Backend/Services/SpacedGateway.php',
+                content: [
+                    '<?php',
+                    '$db = DatabaseService::getGatewayInstance ()  ->  getConnection ();',
+                ].join('\n'),
+            },
+        ]);
+        expect(result.ok).toBe(false);
+        const rules = result.violations.map((v) => v.rule);
+        expect(rules).toContain('unguarded-gateway');
+    });
+});
+//# sourceMappingURL=tenant-scope.test.js.map

package/dist/lib/tenant-scope.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-scope.test.js","sourceRoot":"","sources":["../../src/lib/tenant-scope.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAA;AAEtD,QAAQ,CAAC,0DAA0D,EAAE,GAAG,EAAE;IACxE,uEAAuE;IAEvE,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAA;QACrC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,gCAAgC;gBACtC,OAAO,EAAE;oBACP,OAAO;oBACP,4CAA4C;oBAC5C,qCAAqC;oBACrC,sBAAsB;oBACtB,qEAAqE;iBACtE,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC3C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,mCAAmC;gBACzC,OAAO,EAAE,kDAAkD;aAC5D;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,wEAAwE;IAExE,EAAE,CAAC,sFAAsF,EAAE,GAAG,EAAE;QAC9F,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,iCAAiC;gBACvC,OAAO,EAAE;oBACP,OAAO;oBACP,wDAAwD;oBACxD,oEAAoE;oBACpE,wDAAwD;iBACzD,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC/C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wFAAwF,EAAE,GAAG,EAAE;QAChG,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,uCAAuC;gBAC7C,OAAO,EAAE;oBACP,OAAO;oBACP,+DAA+D;iBAChE,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;QAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4FAA4F,EAAE,GAAG,EAAE;QACpG,gEAAgE;QAChE,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,oCAAoC;gBAC1C,OAAO,EAAE;oBACP,OAAO;oBACP,8CAA8C;oBAC9C,0DAA0D;iBAC3D,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,2BAA2B;QACxE,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC/C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA,CAAE,0BAA0B;IAC9E,CAAC,CAAC,CAAA;IAEF,sEAAsE;IAEtE,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,kCAAkC;gBACxC,OAAO,EAAE,qCAAqC;aAC/C;YACD;gBACE,IAAI,EAAE,iCAAiC;gBACvC,OAAO,EAAE,mDAAmD;aAC7D;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC3C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,iCAAiC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAChG,CAAC,CAAC,CAAA;IAEF,sEAAsE;IAEtE,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,+BAA+B;gBACrC,OAAO,EAAE,oDAAoD;aAC9D;SACF,CAAC,CAAA;QACF,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAA;QAC1E,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACvB,MAAM,CAAC,CAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,sEAAsE;IAEtE,EAAE,CAAC,gGAAgG,EAAE,GAAG,EAAE;QACxG,2EAA2E;QAC3E,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,qCAAqC;gBAC3C,OAAO,EAAE;oBACP,OAAO;oBACP,oDAAoD;oBACpD,iDAAiD;oBACjD,6BAA6B;oBAC7B,gDAAgD;iBACjD,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAA;QAC/C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;QAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAA;QAC1E,MAAM,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAA;QAC9C,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,iGAAiG,EAAE,GAAG,EAAE;QACzG,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,mCAAmC;gBACzC,OAAO,EAAE;oBACP,OAAO;oBACP,qDAAqD;oBACrD,mDAAmD;iBACpD,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,yEAAyE;IAEzE,EAAE,CAAC,6GAA6G,EAAE,GAAG,EAAE;QACrH,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,uCAAuC;gBAC7C,OAAO,EAAE;oBACP,OAAO;oBACP,0DAA0D;oBAC1D,8CAA8C;oBAC9C,kBAAkB;oBAClB,6BAA6B;iBAC9B,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;QAC5C,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAA;QACvE,MAAM,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,gDAAgD,CAAC,CAAA;IAC7E,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,wCAAwC;gBAC9C,OAAO,EAAE;oBACP,OAAO;oBACP,oDAAoD;oBACpD,sCAAsC;oBACtC,mCAAmC;iBACpC,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,uEAAuE;IAEvE,EAAE,CAAC,qFAAqF,EAAE,GAAG,EAAE;QAC7F,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,kCAAkC;gBACxC,OAAO,EAAE;oBACP,OAAO;oBACP,oEAAoE;oBACpE,2CAA2C;iBAC5C,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oGAAoG,EAAE,GAAG,EAAE;QAC5G,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAChC;gBACE,IAAI,EAAE,oCAAoC;gBAC1C,OAAO,EAAE;oBACP,OAAO;oBACP,qEAAqE;iBACtE,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;QAClD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@cicore/cli",
+  "version": "1.0.0",
+  "description": "ciCore Platform CLI - Multi-Core SaaS Management Tool",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "ci": "./bin/ci.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "link": "npm link",
+    "test": "vitest"
+  },
+  "keywords": [
+    "cicore",
+    "cli",
+    "saas",
+    "multi-tenant",
+    "addon"
+  ],
+  "author": "ciCore Team",
+  "license": "MIT",
+  "dependencies": {
+    "@types/archiver": "^7.0.0",
+    "archiver": "^7.0.1",
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "conf": "^13.0.1",
+    "enquirer": "^2.4.1",
+    "execa": "^9.5.1",
+    "fs-extra": "^11.2.0",
+    "glob": "^11.0.0",
+    "ora": "^8.1.1",
+    "table": "^6.8.2",
+    "yaml": "^2.6.1"
+  },
+  "devDependencies": {
+    "@types/fs-extra": "^11.0.4",
+    "@types/node": "^22.10.1",
+    "typescript": "^5.7.2",
+    "vitest": "^2.1.8"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "files": [
+    "dist",
+    "bin",
+    "templates"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  }
+}

package/templates/bootstrap/.env.template

@@ -0,0 +1,54 @@
+# cicore — .env (bootstrap tarafından üretildi)
+# IMAGE-ONLY: kaynak kodu inmez, her şey Docker imajından gelir.
+# Değiştirmek için: nano /opt/cicore/.env → docker compose up -d
+
+# ── Versiyon + Registry ───────────────────────────────────────────────────────
+CICORE_IMAGE_TAG=__IMAGE_TAG__
+CICORE_REGISTRY=__REGISTRY__
+
+# ── Uygulama ──────────────────────────────────────────────────────────────────
+APP_ENV=production
+APP_DEBUG=false
+APP_KEY=__APP_KEY__
+
+# ── Erişim noktaları ─────────────────────────────────────────────────────────
+HTTP_PORT=80
+HTTPS_PORT=443
+TIMEZONE=Europe/Istanbul
+
+# ── Veritabanı ───────────────────────────────────────────────────────────────
+DB_NAME=cicore_db
+DB_USER=cicore
+DB_PASS=__DB_PASS__
+DB_GATEWAY=local
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=__POSTGRES_PASSWORD__
+CONTROL_PLANE_DSN=
+
+# ── Redis ────────────────────────────────────────────────────────────────────
+REDIS_PASSWORD=__REDIS_PASSWORD__
+
+# ── JWT ──────────────────────────────────────────────────────────────────────
+JWT_SECRET=__JWT_SECRET__
+
+# ── Nuxt (domain sonradan ayarlanır) ─────────────────────────────────────────
+NUXT_PUBLIC_HOST=
+NUXT_PUBLIC_API_BASE=
+NUXT_PUBLIC_WS_URL=
+
+# ── Ödeme (v1 = mock) ────────────────────────────────────────────────────────
+CICORE_PAYMENT_GATEWAY=mock
+CICORE_PAYMENT_WEBHOOK_SECRET=__WEBHOOK_SECRET__
+
+# ── KASA (INST-3 ile aktif olur) ─────────────────────────────────────────────
+KASA_BASE_URL=
+KASA_SERVICE_TOKEN=
+KASA_SSH_AUTHORITY=false
+KASA_LICENSE_AUTHORITY=false
+
+# ── Deployment (v1 = mock; INST-5 ile değişir) ───────────────────────────────
+DEPLOYMENT_MOCK=false
+
+# ── Registry kimliği (INST-2: per-müşteri pull-token) ────────────────────────
+CICORE_REGISTRY_CREDENTIAL_ID=
+CICORE_CP_BASE_URL=https://cicore.com.tr

package/templates/bootstrap/docker-compose.yml

@@ -0,0 +1,145 @@
+# ══════════════════════════════════════════════════════════════════
+# CiCore — docker-compose.yml  (IMAGE-ONLY · bootstrap canonical)
+# Kaynak kodu YOK — her şey cisofttr/* imajından gelir.
+# Üretildi: ci server bootstrap | drift = bloker (installer/ ile sync)
+# ══════════════════════════════════════════════════════════════════
+
+services:
+
+  cicore_postgres:
+    image: postgres:16-alpine
+    container_name: cicore_postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: postgres
+      TZ: ${TIMEZONE:-Europe/Istanbul}
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+      - ./postgres-init:/docker-entrypoint-initdb.d:ro
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+    command: >
+      postgres
+      -c max_connections=200
+      -c superuser_reserved_connections=5
+      -c shared_buffers=256MB
+      -c effective_cache_size=1GB
+      -c maintenance_work_mem=64MB
+      -c work_mem=4MB
+      -c idle_in_transaction_session_timeout=30000
+      -c statement_timeout=60000
+    networks:
+      - cicore_internal
+
+  cicore_redis:
+    image: redis:7-alpine
+    container_name: cicore_redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --requirepass ${REDIS_PASSWORD}
+      --appendonly yes
+    volumes:
+      - ./data/redis:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    networks:
+      - cicore_internal
+
+  cicore_php:
+    image: ${CICORE_REGISTRY:-cisofttr}/cicore-php:${CICORE_IMAGE_TAG:-b11}
+    container_name: cicore_php
+    restart: unless-stopped
+    environment:
+      APP_ENV: ${APP_ENV:-production}
+      APP_DEBUG: ${APP_DEBUG:-false}
+      APP_KEY: ${APP_KEY}
+      DB_GATEWAY: ${DB_GATEWAY:-local}
+      DB_HOST: cicore_postgres
+      DB_PORT: "5432"
+      DB_NAME: ${DB_NAME:-cicore_db}
+      DB_USER: ${DB_USER:-cicore}
+      DB_PASS: ${DB_PASS}
+      CONTROL_PLANE_DSN: ${CONTROL_PLANE_DSN:-}
+      REDIS_HOST: cicore_redis
+      REDIS_PORT: "6379"
+      REDIS_PASSWORD: ${REDIS_PASSWORD}
+      REDIS_DB_CACHE: "1"
+      REDIS_DB_QUEUE: "2"
+      REDIS_DB_PUBSUB: "3"
+      JWT_SECRET: ${JWT_SECRET}
+      NUXT_PUBLIC_API_BASE: ${NUXT_PUBLIC_API_BASE:-}
+      CICORE_PAYMENT_GATEWAY: ${CICORE_PAYMENT_GATEWAY:-mock}
+      CICORE_PAYMENT_WEBHOOK_SECRET: ${CICORE_PAYMENT_WEBHOOK_SECRET:-}
+      KASA_BASE_URL: ${KASA_BASE_URL:-}
+      KASA_SERVICE_TOKEN: ${KASA_SERVICE_TOKEN:-}
+      KASA_SSH_AUTHORITY: ${KASA_SSH_AUTHORITY:-false}
+      KASA_LICENSE_AUTHORITY: ${KASA_LICENSE_AUTHORITY:-false}
+      DEPLOYMENT_MOCK: ${DEPLOYMENT_MOCK:-false}
+      TZ: ${TIMEZONE:-Europe/Istanbul}
+    volumes:
+      - ./logs/php:/var/www/storage/logs
+      - ./uploads:/var/www/uploads
+      - ./addons:/var/www/addons
+    depends_on:
+      cicore_postgres:
+        condition: service_healthy
+      cicore_redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "php-fpm-healthcheck || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    networks:
+      - cicore_internal
+
+  cicore_nuxt:
+    image: ${CICORE_REGISTRY:-cisofttr}/cicore-nuxt:${CICORE_IMAGE_TAG:-b11}
+    container_name: cicore_nuxt
+    restart: unless-stopped
+    environment:
+      NUXT_PUBLIC_API_BASE: ${NUXT_PUBLIC_API_BASE:-}
+      NUXT_PUBLIC_WS_URL: ${NUXT_PUBLIC_WS_URL:-}
+      NUXT_PUBLIC_HOST: ${NUXT_PUBLIC_HOST:-}
+      NUXT_API_BASE_SERVER: http://cicore_nginx
+      TZ: ${TIMEZONE:-Europe/Istanbul}
+    depends_on:
+      - cicore_php
+    networks:
+      - cicore_internal
+
+  cicore_nginx:
+    image: ${CICORE_REGISTRY:-cisofttr}/cicore-nginx:${CICORE_IMAGE_TAG:-b11}
+    container_name: cicore_nginx
+    restart: unless-stopped
+    ports:
+      - "${HTTP_PORT:-80}:80"
+      - "${HTTPS_PORT:-443}:443"
+    depends_on:
+      cicore_php:
+        condition: service_healthy
+      cicore_nuxt:
+        condition: service_started
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1/health || exit 1"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 20s
+    networks:
+      - cicore_internal
+
+networks:
+  cicore_internal:
+    driver: bridge