heraspec 0.1.12 → 0.1.14

package/dist/core/templates/skills/knowledge/frameworks/php/codeigniter/rise-cms/structure.md

@@ -0,0 +1,137 @@
+## 1. Executive Summary
+
+- [Observed | High] The codebase is a CodeIgniter 4 monolith with plugin-based extensibility. Evidence: `index.php` (`$minPhpVersion = '8.1'`, `CodeIgniter\Boot::bootWeb()`), core app in `app/`, plugins in `plugins/`.
+- [Observed | High] `data_builder` is deeply integrated as a first-class plugin providing REST, GraphQL, API token management, webhooks, and public API docs/sandbox flows. Evidence: `plugins/data_builder/index.php`, `plugins/data_builder/config/Routes.php`, controllers `Db_resources`, `Db_graphql`, `Public_api_docs`, `Webhooks`.
+- [Observed | High] Runtime coupling is high because base controllers preload many models and settings globally. Evidence: `app/Controllers/App_Controller.php` (`get_models_array()` and eager model loading), `app/Controllers/Security_Controller.php`.
+- [Inferred | Medium] Integration readiness is strong for API-first extensions, but operational hardening is uneven due broad CSRF exclusions and mixed legacy compatibility layers. Evidence: `app/Config/Filters.php`, `app/Config/Rise.php`, `plugins/data_builder/Helpers/*CI3*` wrappers.
+- [Assumed | Low] This repository is the Rise CRM target for migration/integration work from another stack; direct Laravel runtime artifacts are not present. Evidence: missing `artisan`, `bootstrap/app.php`, `routes/web.php` in repo root.
+
+## 2. Technology Profile
+
+- [Observed | High] Language/runtime: PHP with CodeIgniter 4 bootstrap, minimum PHP 8.1. Evidence: `index.php`.
+- [Observed | High] Application versioning is managed in Rise config (`3.9.6`). Evidence: `app/Config/Rise.php` (`app_settings_array['app_version']`).
+- [Observed | High] Default data store is MySQL via MySQLi with DB prefix `rise_`. Evidence: `app/Config/Database.php` (`DBDriver = MySQLi`, `DBPrefix = rise_`).
+- [Observed | High] Session persistence uses database-backed sessions (`ci_sessions`). Evidence: `app/Config/Session.php` (`DatabaseHandler`, `savePath = ci_sessions`).
+- [Observed | High] Cache defaults to filesystem handler. Evidence: `app/Config/Cache.php` (`handler = file`).
+- [Observed | High] Root dependency manifests are absent; dependency management is partially embedded (core `app/ThirdParty`) and partially plugin-local. Evidence: missing root `composer.json`/`package.json`; present `plugins/data_builder/composer.json`, `plugins/data_builder/package.json`, `app/ThirdParty/*`.
+- [Observed | High] Data Builder adds GraphQL runtime dependency `webonyx/graphql-php` and frontend build toolchain (webpack/babel, Chart.js). Evidence: `plugins/data_builder/composer.json`, `plugins/data_builder/package.json`.
+
+## 3. Repository Topology
+
+- [Observed | High] Major root directories: `app`, `assets`, `plugins`, `system`, `writable`, `install`, `updates`, `_analytics`. Evidence: root directory listing.
+- [Observed | High] Core MVC footprint is large (`app/Controllers`: 92 files, `app/Models`: 95 files), indicating mature monolith breadth. Evidence: file counts collected from `app/Controllers`, `app/Models`.
+- [Observed | High] Data Builder plugin is modularized by concerns (`Controllers`, `Models`, `Libraries`, `Views`, `config`, `install`, `migrations`, `vendor`, `dist`). Evidence: `plugins/data_builder/*` structure.
+- [Observed | High] Embedded third-party providers include Google, Stripe, Pusher, TCPDF, PhpSpreadsheet, reCAPTCHA. Evidence: `app/ThirdParty/*` directories.
+
+## 4. Architecture and Dependency Flow
+
+- [Observed | High] Boot flow: front controller -> CI bootstrap -> pre-system event -> plugin loading/hooks. Evidence: `index.php`; `app/Config/Events.php` (`Events::on('pre_system', ...)`, `load_plugin_indexes()`).
+- [Observed | High] Activated plugins are auto-registered into PSR-4 namespaces at startup. Evidence: `app/Config/Autoload.php` (`load_activated_plugins()`).
+- [Observed | High] Routing combines explicit routes and dynamic controller scanning at core level. Evidence: `app/Config/Routes.php` (directory scan of `app/Controllers`).
+- [Observed | High] Data Builder routes are registered during plugin bootstrap and include both admin and public endpoints. Evidence: `plugins/data_builder/index.php` (`data_builder_register_routes()`), `plugins/data_builder/config/Routes.php`.
+- [Observed | High] API controllers inherit a compatibility base that wraps CI4 services into CI3-style interfaces for legacy module code. Evidence: `plugins/data_builder/Controllers/Base_controller.php`, `plugins/data_builder/Helpers/CI3_Instance_Compat.php`.
+- [Inferred | Medium] Dependency direction is mostly top-down (controllers -> models/libraries/helpers), but global helper and hook access patterns increase hidden coupling and side effects. Evidence: `app/Helpers/plugin_helper.php`, heavy global helper usage in controllers.
+
+## 5. Coding Style and Conventions
+
+- [Observed | High] Naming style is mixed legacy and modern (`snake_case` model names, CI-style controllers, namespaced classes). Evidence: `App_Controller.php`, `Permission_manager.php`, plugin `Db_*` classes.
+- [Observed | High] Plugin code uses dense inline documentation and defensive runtime guards, especially in API middleware and webhook components. Evidence: `Db_api_base.php`, `Db_api_middleware.php`, `WebhookEventBus.php`.
+- [Observed | Medium] Error handling strategy in Data Builder is centralized around structured API responses and an error registry. Evidence: `Db_api_response.php`, `ErrorRegistry.php`.
+- [Observed | Medium] Core and plugin both rely on direct `echo/json_encode` and header operations in many controllers, reducing consistency with response abstractions. Evidence: multiple controller methods in `plugins/data_builder/Controllers/*` and core controllers.
+- [Observed | High] No first-party test suite is present in repository root. Evidence: missing `tests/` directory and missing root phpunit config.
+- [Inferred | Medium] Maintainability risk is elevated by mixed framework idioms (CI4 + CI3 compat layer) and very large base controllers.
+
+## 6. Extension Points (Modules/Themes/Plugins/Hooks)
+
+- [Observed | High] Plugin lifecycle hooks are available for install/activate/deactivate/uninstall/update. Evidence: `app/Helpers/plugin_helper.php` (`register_installation_hook`, `register_activation_hook`, etc.).
+- [Observed | High] Data Builder uses lifecycle hooks to install schema and register routes. Evidence: `plugins/data_builder/index.php` hook registrations.
+- [Observed | High] Core supports app-wide hook/filter injection via PHP-Hooks wrapper. Evidence: `app/Config/Events.php` (loads `PHP-Hooks`), `app/Helpers/plugin_helper.php` (`app_hooks()`).
+- [Observed | High] UI extension point exists for admin sidebar composition through hook filters. Evidence: `plugins/data_builder/index.php` (`app_filter_staff_left_menu`).
+- [Observed | Medium] CSRF exclusion patterns are extensible through filter hook and are modified by plugin at bootstrap. Evidence: `app/Config/Rise.php` constructor filter, `plugins/data_builder/index.php` add_filter for API/docs/embed URIs.
+
+## 7. API and Interaction Surfaces
+
+- [Observed | High] Public docs/UI surface: `/api_docs` with endpoint registry, code samples, Postman/OpenAPI export, and webhook simulator. Evidence: `plugins/data_builder/config/Routes.php`, `Public_api_docs.php`.
+- [Observed | High] REST surface: `/api/v1/*` and alias `/data_builder/api/*` with resource, report, schema, and aggregate endpoints. Evidence: `plugins/data_builder/config/Routes.php`, `Db_resources.php`, `Db_views.php`.
+- [Observed | High] GraphQL surface: `/api/v1/graphql` POST-only with depth/complexity controls and optional introspection restriction. Evidence: `Db_graphql.php`, `Libraries/api/Db_graphql_schema.php`.
+- [Observed | High] Outbound webhook surface: subscription CRUD, test dispatch, live simulator, delivery logs. Evidence: `Webhooks.php`, `WebhookEventBus.php`, `HttpChannel.php`.
+- [Observed | High] Inbound webhook surface exists in core for external systems (GitHub/Bitbucket/Stripe subscription events). Evidence: `app/Controllers/Webhooks_listener.php`.
+- [Observed | Medium] Scheduled/background execution relies on HTTP-triggered cron controller, not a dedicated queue worker architecture. Evidence: `app/Controllers/Cron.php`.
+
+## 8. Data Model and State Management
+
+- [Observed | High] Core DB migrations/seeds are effectively empty placeholders (`.gitkeep`), while plugin owns explicit schema SQL and versioned migrations. Evidence: `app/Database/Migrations/.gitkeep`, `app/Database/Seeds/.gitkeep`, `plugins/data_builder/install/database.sql`, `plugins/data_builder/migrations/*`.
+- [Observed | High] Data Builder persists API tokens, API logs, rate counters, report metadata, relations, and webhook subscriptions/logs in dedicated tables. Evidence: `plugins/data_builder/install/database.sql` (`data_builder_api_*`, `polydb_*` tables).
+- [Observed | High] API write operations in Data Builder use transaction boundaries around mutating operations. Evidence: `Db_resources.php` (`trans_start`, `trans_complete`, rollback paths).
+- [Observed | Medium] Table prefix abstraction is consistently applied (`db_prefix()`), aiding multi-install portability. Evidence: plugin migration/install scripts and helper wrappers.
+- [Inferred | Medium] Data consistency is generally robust within single-request CRUD paths; cross-module consistency depends on model hooks and side effects not centrally orchestrated.
+
+## 9. Security Posture
+
+- [Observed | High] Core authentication/authorization is session-centric with role/permission gates in `Security_Controller` and `Permission_manager`. Evidence: `app/Controllers/Security_Controller.php`, `app/Libraries/Permission_manager.php`.
+- [Observed | High] Data Builder API applies an explicit middleware chain: DDoS shield, CORS, admin-session bypass, auth gate, rate limiter, scope verifier, request logger. Evidence: `Db_api_base.php`, `Db_api_middleware.php`, middleware classes.
+- [Observed | High] API token security includes scopes, table/view constraints, per-table CRUD permissions, HMAC signature validation, and anti-replay timestamp window. Evidence: `AuthGateMiddleware.php`, `ScopeVerifierMiddleware.php`, token schema in migrations.
+- [Observed | High] API observability includes two-phase request logging and sensitive-field redaction. Evidence: `RequestLoggerMiddleware.php`, `Api_log_finalizer.php`, `Log_redactor.php`.
+- [Observed | High] Public webhook simulator includes SSRF guard against localhost/private/reserved targets. Evidence: `Public_api_docs.php` (`_validate_webhook_simulator_target`, `_is_public_ip`).
+- [Observed | Medium] CSRF filter is not globally enabled and relies on exclusion lists and endpoint-specific handling. Evidence: `app/Config/Filters.php` (`'csrf'` commented), `app/Config/Rise.php` exclusions, plugin-added exclusions in `plugins/data_builder/index.php`.
+- [Observed | Medium] Core payment library code contains TLS verification disabled in some cURL paths, which is a material transport-security risk if unchanged in production. Evidence: `app/Libraries/Paypal.php` (`CURLOPT_SSL_VERIFYPEER => false`).
+
+## 10. Integration Capability Matrix
+
+| Domain                 | Entry Points                                                                                                           | Required Adapters                                                                    | Complexity  | Risks                                                            | Confidence |
+| ---------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------- | ---------------------------------------------------------------- | ---------- |
+| External APIs          | Core:`Google_api`, `Microsoft_api`, `Webhooks_listener`; Plugin: `/api/v1/*`, `/api_docs`, outbound webhooks | OAuth credential storage, API token issuance, endpoint-specific mappers              | Medium      | Credential sprawl, route exposure, vendor API drift              | High       |
+| Authentication/SSO     | Session auth in `Security_Controller`; token auth + HMAC in `AuthGateMiddleware`                                   | Optional IdP bridge (OIDC/SAML) and token broker if enterprise SSO required          | Medium-High | Mixed session/token contexts, bypass misconfiguration            | Medium     |
+| Payment                | `Paypal_redirect`, `Stripe_redirect`, `Paytm_redirect`, payment libraries                                        | Payment gateway credential hardening, webhook signature verification standardization | Medium      | TLS/cURL settings inconsistency, callback abuse if misconfigured | Medium     |
+| Messaging/Queue        | Pusher integration (`Pusher_connect`), HTTP cron (`Cron`), webhook dispatch                                        | Optional queue worker (Redis/RabbitMQ/SQS) for async retries/backoff                 | Medium      | No first-class queue abstraction for heavy burst workloads       | Medium     |
+| Storage/CDN            | File/cache/session paths via `writable/`, `files/`, cache config                                                   | Object storage adapter (S3-compatible), CDN URL rewriting, signed URL strategy       | Medium      | Local disk coupling and backup/retention variability             | Medium     |
+| Observability          | API logs, webhook logs, activity logs, debug toolbar                                                                   | Log shipping (ELK/Loki), metrics exporter, alert rules                               | Low-Medium  | Fragmented telemetry across subsystems                           | High       |
+| Admin/UI customization | Hook/filter system (`app_hooks()`), plugin menu injection, plugin routes/views                                       | Theme/view override conventions, stricter UI extension contracts                     | Low         | Hook ordering collisions and undocumented custom hooks           | High       |
+| Content/data migration | Plugin SQL installer + migrations, API docs export (Postman/OpenAPI), builder/template persistence                     | ETL scripts, schema-diff tooling, migration playbooks                                | Medium-High | Limited root migration automation and weak test safety net       | Medium     |
+
+## 11. Strengths, Weaknesses, Risks
+
+- [Observed | High] Strength: Clear plugin extensibility model with lifecycle hooks and route/menu injection points. Mitigation leverage: continue shipping new modules as plugins to reduce core edits.
+- [Observed | High] Strength: Data Builder API stack includes practical hardening features (rate limit, HMAC, scope checks, log redaction).
+- [Observed | Medium] Weakness: Core controller layer is monolithic and preloads many dependencies, increasing bootstrap cost and change blast radius.
+- [Observed | Medium] Weakness: Mixed CI4 + CI3 compatibility layer increases cognitive load and future upgrade complexity.
+- [Observed | Medium] Risk: Broad CSRF exclusions and globally disabled csrf filter can expand attack surface if endpoint assumptions drift.
+- [Observed | Medium] Risk: Dynamic route generation from controller directory can unintentionally expose actions when naming/visibility controls are inconsistent.
+- [Observed | Medium] Risk: No first-party automated tests detected; regression detection relies heavily on manual QA.
+- [Observed | Medium] Risk: Payment integration TLS options in legacy library code require review before production hardening.
+
+## 12. Top 10 Evidence Items
+
+1. [Observed | High] CI4 runtime and minimum PHP: `index.php` (`$minPhpVersion = '8.1'`, `Boot::bootWeb`).
+2. [Observed | High] Application version and CSRF exclusion baseline: `app/Config/Rise.php`.
+3. [Observed | High] Dynamic core route registration: `app/Config/Routes.php` (controller directory scan).
+4. [Observed | High] Plugin loading at bootstrap and hook init: `app/Config/Events.php` + `app/Config/Autoload.php`.
+5. [Observed | High] Hook/lifecycle extension APIs: `app/Helpers/plugin_helper.php`.
+6. [Observed | High] Data Builder bootstrap and menu/CSRF integration: `plugins/data_builder/index.php`.
+7. [Observed | High] Full API route map (REST/GraphQL/docs/webhooks): `plugins/data_builder/config/Routes.php`.
+8. [Observed | High] Middleware security pipeline wiring: `plugins/data_builder/Controllers/Db_api_base.php` + `Libraries/api/middleware/*`.
+9. [Observed | High] Webhook dispatch architecture and delivery logging: `WebhookEventBus.php`, `channels/HttpChannel.php`, `Webhooks.php`.
+10. [Observed | High] Persistent schema for tokens/logs/rate/webhooks: `plugins/data_builder/install/database.sql` and `migrations/200_version_200.php`.
+
+## 13. Unknowns and Verification Plan
+
+- [Assumed | Medium] Production deployment topology (single node vs load-balanced) is unknown. Verify by reviewing web server/proxy configs and session stickiness behavior.
+- [Assumed | Medium] Secret management policy (env vars vs DB settings) is unclear. Verify by tracing `get_setting()` storage/encryption and backup handling.
+- [Assumed | Medium] Real traffic/performance envelope for `/api/v1` and GraphQL is unknown. Verify with load tests and DB slow query profiling.
+- [Assumed | Medium] Permission boundary correctness for every Data Builder admin screen is not fully proven. Verify via role-matrix test plan across non-admin staff.
+- [Assumed | Low] Historical Laravel source parity requirements are not represented in this repo. Verify against external migration spec/change log.
+
+## 14. Recommended Next Actions (30/60/90 day)
+
+- [30 days]
+  - [Observed | High] Create a regression smoke suite for critical paths: login, permissions, `/api/v1` read/write, GraphQL, webhook simulate/send, payment callbacks.
+  - [Observed | High] Tighten security baseline: review and minimize CSRF excludes; enable endpoint-level CSRF strategy documentation.
+  - [Observed | Medium] Patch legacy transport settings (e.g., PayPal cURL TLS verification path) and validate gateway callbacks end-to-end.
+- [60 days]
+  - [Inferred | Medium] Refactor high-coupling controller bootstrap patterns by introducing slimmer service boundaries for new code.
+  - [Observed | Medium] Standardize response/error handling across plugin controllers to reduce direct `echo/json_encode` drift.
+  - [Observed | Medium] Add API contract tests from exported OpenAPI/Postman fixtures.
+- [90 days]
+  - [Inferred | Medium] Introduce optional async job layer for webhook retries and heavy API tasks.
+  - [Inferred | Medium] Establish centralized observability pipeline (structured logs + metrics + alerts).
+  - [Inferred | Medium] Define upgrade-safe extension contracts (hook catalog, route policy, compatibility guidelines) for future modules.

package/dist/core/templates/skills/knowledge/frameworks/php/laravel/botble/profile.json

@@ -0,0 +1,39 @@
+{
+  "id": "php-laravel-botble",
+  "name": "Botble CMS",
+  "runtime": "php",
+  "runtimeVersion": "^8.3|^8.4",
+  "framework": "laravel",
+  "frameworkVersion": "^13.0",
+  "cms": "botble",
+  "cmsType": "modular-monolith",
+  "description": "Laravel-based modular CMS with plugin/theme architecture and WordPress-style hooks",
+  "keyFeatures": [
+    "Plugin/Theme architecture via platform/ directory",
+    "WordPress-style hook system (add_filter/add_action/apply_filters/do_action)",
+    "Sanctum API authentication",
+    "Multi-cloud media storage drivers (s3/r2/wasabi/bunnycdn/do_spaces/backblaze)",
+    "Data synchronize import/export tooling",
+    "Composer merge plugin for plugin/theme dependencies",
+    "Module-based repository pattern with DI",
+    "Admin extension via AdminHelper::registerRoutes"
+  ],
+  "directorySignature": [
+    "platform/core",
+    "platform/packages",
+    "platform/plugins",
+    "platform/themes"
+  ],
+  "composerSignature": [
+    "botble",
+    "wikimedia/composer-merge-plugin"
+  ],
+  "typicalPlugins": [
+    "analytics", "audit-log", "backup", "block", "blog",
+    "captcha", "contact", "cookie-consent", "custom-field",
+    "gallery", "language", "language-advanced", "member",
+    "request-log", "social-login", "translation"
+  ],
+  "analysisFile": "structure.md",
+  "lastUpdated": "2026-04-04"
+}

package/dist/core/templates/skills/knowledge/frameworks/php/laravel/botble/structure.md

@@ -0,0 +1,208 @@
+## Executive Summary
+- [Inferred | High] Codebase nay la mot modular monolith tren Laravel + Botble, trong do `app/` giu vai tro shell mong va phan lon nghiep vu nam o `platform/core`, `platform/packages`, `platform/plugins`, `platform/themes`.
+  Evidence: `composer.json:14`, `composer.json:32`, `bootstrap/app.php:8`, `routes/web.php`.
+- [Observed | High] Kha nang mo rong va tich hop cao nhờ plugin/theme architecture, hook/filter, API package, Social Login, media driver da cloud va data synchronization tooling.
+  Evidence: `platform/core/base/helpers/action-filter.php:8`, `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `vendor/botble/api/routes/api.php:6`, `platform/core/media/src/Providers/MediaServiceProvider.php:159`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
+- [Observed | High] Rui ro chinh can uu tien: logic vo hieu hoa CSRF trong admin o production, `APP_DEBUG=true` khi `APP_ENV=production`, va tin hieu test coverage o root con mong.
+  Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `.env:3`, `.env:4`, `phpunit.xml:17`, `tests/Feature/ExampleTest.php`.
+
+## Technology Profile
+- [Observed | High] Backend: PHP `^8.3|^8.4`, Laravel `^13.0`, Botble API `^2.1`, Sanctum `^4.0`.
+  Evidence: `composer.json:8`, `composer.json:14`, `composer.json:32`, `composer.json:33`.
+- [Observed | High] Plugin/theme dependency composition dung `wikimedia/composer-merge-plugin`, merge plugin/theme `composer.json` vao runtime.
+  Evidence: `composer.json:36`, `composer.json:98`, `composer.json:99`.
+- [Observed | High] Frontend build theo `laravel-mix`, monorepo NPM workspaces cho core/packages/plugins/themes; co su dung Vue 3.
+  Evidence: `package.json:3`, `package.json:5`, `package.json:6`, `package.json:7`, `package.json:8`, `package.json:28`, `package.json:47`.
+- [Observed | Medium] Tooling quality gate duoc khai bao o dependency (`larastan`, `pint`, `rector`, `phpunit`) nhung chua thay root config rieng cho phpstan/pint/rector.
+  Evidence: `composer.json:44`, `composer.json:47`, `composer.json:51`, `composer.json:52`.
+- [Observed | Medium] Deployment local/dev co `docker-compose` theo Laravel Sail runtime 8.2 + MySQL 8.0; chua thay GitHub workflow o repo.
+  Evidence: `docker-compose.yml`, `__NO_GITHUB_WORKFLOWS__` (filesystem check).
+
+## Repository Topology
+- [Observed | High] Root co cac nhom thu muc chinh: `app`, `config`, `routes`, `platform`, `resources`, `tests`, `vendor`, `_analytics`.
+  Evidence: root directory listing.
+- [Observed | High] `platform` duoc to chuc theo 4 nhom lon:
+  - `core` (10 subdirs)
+  - `packages` (13 subdirs)
+  - `plugins` (17 subdirs)
+  - `themes` (1 subdir: `ripple`)
+  Evidence: `platform/` directory stats.
+- [Observed | High] Plugins hien dien: `analytics`, `audit-log`, `backup`, `block`, `blog`, `captcha`, `contact`, `cookie-consent`, `custom-field`, `fob-comment`, `gallery`, `language`, `language-advanced`, `member`, `request-log`, `social-login`, `translation`.
+  Evidence: `platform/plugins/*` directory listing.
+- [Observed | High] Surface route theo module rat lon: 44 route files trong `platform/**/routes` (34 `web.php`, 5 `api.php`) va 97 `*ServiceProvider.php`.
+  Evidence: recursive file counts.
+
+## Architecture and Dependency Flow
+- [Observed | High] Bootstrap app-level chi tro route web/console va healthcheck; nghiep vu duoc delegated vao providers/module routes.
+  Evidence: `bootstrap/app.php:8-11`, `routes/web.php`.
+- [Observed | High] Luong nap plugin:
+  1. Lay manifest (`PluginManifest::getManifest`)
+  2. Set PSR-4 namespace cho plugin active
+  3. Register providers cua plugin active
+  Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `:33`, `:38`, `:43`.
+- [Observed | High] Plugin manifest cache nam o `bootstrap/cache/plugins.php`, co co che regenerate khi mismatch.
+  Evidence: `platform/packages/plugin-management/src/PluginManifest.php:16`, `:24`, `:42`, `:50`.
+- [Observed | High] Dependency direction theo mo hinh: Laravel shell -> Botble core/packages -> plugin/theme provider + routes + hooks.
+  Evidence: `bootstrap/cache/packages.php:22`, `:143`, `:198`, `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:80`.
+- [Observed | Medium] Su dung DI repository interface-to-implementation trong nhieu module (blog, media, contact, acl, ...), giam coupling truc tiep.
+  Evidence: `platform/plugins/blog/src/Providers/BlogServiceProvider.php:44`, `platform/core/media/src/Providers/MediaServiceProvider.php:50`, `platform/core/acl/src/Providers/AclServiceProvider.php:36`.
+
+## Coding Style and Conventions
+- [Observed | High] Naming convention va namespace theo PSR-4, cau truc thu muc theo bounded module (`Http/Controllers`, `Models`, `Providers`, `Repositories`, `Tables`, `Forms`).
+  Evidence: `platform/plugins/blog/src/Http/Controllers/PostController.php`, `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/src/Repositories/Eloquent/PostRepository.php`.
+- [Observed | Medium] Pattern su dung nhieu: ServiceProvider, Facade, Repository, trait-based module bootstrap (`LoadAndPublishDataTrait`).
+  Evidence: `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:20`, `:80`.
+- [Observed | Medium] Typed method signatures va typed properties duoc ap dung rong, nhung khong thay `declare(strict_types=1)` trong `app` va `platform`.
+  Evidence: strict-types scan result `__NONE__`.
+- [Observed | Medium] Root PHPUnit chi include `tests/Unit`, `tests/Feature` va source `app`; 2 test root de dang, trong khi test trong `platform` co 28 files.
+  Evidence: `phpunit.xml:8-17`, `tests/Feature/ExampleTest.php`, recursive test counts.
+- [Inferred | Medium] Quality tooling co kha nang manh tren ly thuyet, nhung co the chua enforce day du neu khong co config/CI pipeline dong bo.
+  Evidence: `composer.json:44`, `:47`, `:52`, `__NO_GITHUB_WORKFLOWS__`.
+
+## Extension Points (Modules/Themes/Plugins/Hooks)
+- [Observed | High] Hook system kieu WordPress duoc implement native: `add_filter`, `add_action`, `apply_filters`, `do_action`.
+  Evidence: `platform/core/base/helpers/action-filter.php:8`, `:26`, `:37`, `:44`.
+- [Observed | High] Hook usage rong trong he thong (dem scan): `add_filter` 153, `add_action` 45, `apply_filters` 247, `do_action` 85.
+  Evidence: recursive grep counts tren `platform`.
+- [Observed | High] Lifecycle plugin day du: activate/deactivate/remove, dependency check, migration/assets/translations publish, manifest regen.
+  Evidence: `platform/packages/plugin-management/src/Services/PluginService.php:41`, `:228`, `:295`, `:409`, `:414`.
+- [Observed | High] Theme extension point: route registration qua `Theme::registerRoutes`, `Theme::routes`; `theme.json` khai bao `required_plugins`.
+  Evidence: `platform/themes/ripple/routes/web.php:8`, `:20`, `platform/themes/ripple/theme.json:9`.
+- [Observed | High] Admin extension point: da so module dang ky admin routes qua `AdminHelper::registerRoutes`.
+  Evidence: `platform/core/base/src/Helpers/AdminHelper.php:15`, multiple route files under `platform/**/routes/web.php`.
+
+## API and Interaction Surfaces
+- [Observed | High] REST API core o `vendor/botble/api` voi prefix `api/v1`; auth layer su dung `auth:sanctum` cho protected endpoints.
+  Evidence: `vendor/botble/api/routes/api.php:6`, `:23`.
+- [Observed | High] API middleware stack duoc push dong vao group `api`: `ApiEnabledMiddleware`, `ForceJsonResponseMiddleware`, optional `ApiKeyMiddleware`.
+  Evidence: `vendor/botble/api/src/Providers/ApiServiceProvider.php:62`, `:65`, `:69`.
+- [Observed | High] Plugin APIs da mo san:
+  - Blog content API (`posts`, `categories`, `tags`)
+  - Contact API (`contacts`) + throttle `5,1`
+  - Social Login API (`api/v1/auth/*`)
+  Evidence: `platform/plugins/blog/routes/api.php`, `platform/plugins/contact/routes/api.php:10`, `platform/plugins/social-login/routes/api.php`.
+- [Observed | High] CLI surface lon (82 command classes scan), nhieu command namespace `cms:*` cho maintenance/integration.
+  Evidence: command class scan; `platform/core/base/src/Commands/UpdateCommand.php`, `platform/packages/plugin-management/src/Commands/PluginDiscoverCommand.php`, `vendor/botble/api/src/Commands/GenerateDocumentationCommand.php`.
+- [Observed | High] Async va schedule surfaces co san: ShouldQueue listeners/jobs + scheduled prune/cleanup/refresh.
+  Evidence: `platform/plugins/request-log/src/Providers/CommandServiceProvider.php:24`, `platform/plugins/audit-log/src/Providers/AuditLogServiceProvider.php:65`, `platform/core/media/src/Providers/MediaServiceProvider.php:259`.
+- [Observed | High] Khong thay GraphQL/webhook route footprint trong quet source hien tai.
+  Evidence: grep result `__NONE__` cho patterns `graphql|lighthouse|rebing` va `webhook` tren `app/platform/vendor/botble/api`.
+
+## Data Model and State Management
+- [Observed | High] Data layer chinh su dung Eloquent + migration theo module/plugin.
+  Evidence: `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/database/migrations/2015_06_18_033822_create_blog_table.php`.
+- [Observed | High] So luong migration da dang ky: root `7`, platform `83`, vendor API `5`.
+  Evidence: migration file counts.
+- [Observed | High] Trang thai plugin/theme/API duoc luu trong `settings` table (`activated_plugins`, `theme`, `api_enabled`).
+  Evidence: `database.sql:1798`.
+- [Observed | Medium] Runtime drivers trong `.env` hien tai: cache/file, queue/sync, session/file, db/mysql.
+  Evidence: `.env:11`, `.env:12`, `.env:13`, `.env:36`.
+- [Observed | Medium] Data migration/import-export capability da co package rieng (`data-synchronize`) voi route UI + command import/export/chunk cleanup.
+  Evidence: `vendor/botble/data-synchronize/routes/web.php:11`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
+
+## Security Posture
+- [Observed | High] AuthN API dua tren Sanctum, co `auth:sanctum` gate cho protected endpoints.
+  Evidence: `vendor/botble/api/routes/api.php:23`, `bootstrap/cache/packages.php:225`.
+- [Observed | High] API gate bo sung: co the tat API toan cuc (`ApiEnabledMiddleware`) va bat buoc `X-API-KEY` khi cau hinh.
+  Evidence: `vendor/botble/api/src/Http/Middleware/ApiEnabledMiddleware.php:14`, `vendor/botble/api/src/Http/Middleware/ApiKeyMiddleware.php:19`.
+- [Observed | High] XSS sanitation co su dung purifier qua `BaseHelper::clean` (co the bypass neu bat `enable_less_secure_web`).
+  Evidence: `platform/core/base/src/Helpers/BaseHelper.php:373`, `:375`, `:390`, `platform/core/base/config/general.php:462`.
+- [Observed | High] HTTP security headers duoc set qua middleware (`nosniff`, `SAMEORIGIN`, `X-XSS-Protection`, `Referrer-Policy`).
+  Evidence: `platform/core/base/src/Http/Middleware/HttpSecurityHeaders.php:18-21`.
+- [Observed | High] Co rate-limit muc tieu cho endpoint tiep xuc public (`throttle:5,1`).
+  Evidence: `platform/plugins/contact/routes/api.php:10`.
+- [Observed | High] Rui ro lon: CSRF verification co the bi disable trong admin khi moi truong la production.
+  Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `:199`; `platform/core/base/src/Helpers/AdminHelper.php:23`.
+- [Observed | High] Rui ro cau hinh: `.env` hien tai de `APP_ENV=production` va `APP_DEBUG=true`.
+  Evidence: `.env:4`, `.env:3`.
+- [Inferred | Medium] Co observability su co qua hook site error -> request-log event, va audit event listeners cho login/content.
+  Evidence: `platform/core/base/src/Exceptions/Handler.php:45`, `platform/plugins/request-log/src/Providers/HookServiceProvider.php:25`, `platform/plugins/audit-log/src/Providers/EventServiceProvider.php`.
+
+## Integration Capability Matrix
+| Domain | Entry Points | Required Adapters | Complexity | Risks | Confidence |
+|---|---|---|---|---|---|
+| External APIs | `api/v1` core + plugin APIs (`blog`, `contact`, `social-login`) | API gateway/versioning, request signing, client SDK wrappers | Medium | API co the dang tat (`api_enabled=0`), can governance versioning | High |
+| Authentication/SSO | Sanctum (`auth:sanctum`), Social Login web/api routes | IdP config mapping, token lifecycle, callback domain hardening | Medium | Misconfig callback/provider secret, token refresh drift | High |
+| Payment | Khong thay payment module active trong `platform/plugins` | Can plugin payment moi + domain model order/transaction | High | Scope tang nhanh, compliance (PCI/chargeback) | Medium |
+| Messaging/Queue | ShouldQueue listeners/jobs, scheduler commands | Queue backend (Redis/SQS), worker orchestration, retries/DLQ | Medium | `.env` dang `QUEUE_CONNECTION=sync` lam giam async throughput | High |
+| Storage/CDN | Media driver support `s3/r2/wasabi/bunnycdn/do_spaces/backblaze` | Credential/secret manager, CDN URL/signing, lifecycle policies | Medium | Sai config disk/ACL/public URL, chi phi egress | High |
+| Observability | Request-log + Audit-log + logger channel hooks | Central log pipeline, metrics/tracing, alert routing | Medium | Log noise, thieu correlation-id va SLO metrics | Medium |
+| Admin/UI customization | `AdminHelper::registerRoutes`, hooks/filters, panel sections, theme routes | Internal extension conventions, review checklist, plugin quality gates | Low-Medium | Hook overuse dan den kho truy vet side-effects | High |
+| Content/data migration | `data-synchronize` routes/commands + migration system | Mapping schema, transform rules, validation + rollback tooling | Medium | Data quality drift, rollback strategy chua ro | High |
+
+## Strengths, Weaknesses, Risks
+- [Observed | High] Strength: Kien truc module/plugin/theme rat ro rang, extension points phong phu, de mo rong ma khong phai fork core.
+  Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php`, `platform/core/base/helpers/action-filter.php`.
+- [Observed | High] Strength: Integration surface da da dang (REST API, social auth, media cloud drivers, import/export tooling).
+  Evidence: `vendor/botble/api/routes/api.php`, `platform/plugins/social-login/routes/api.php`, `platform/core/media/src/Providers/MediaServiceProvider.php`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php`.
+- [Observed | Medium] Weakness: Root test scope chua phan anh day du plugin/platform domain; CI workflow chua thay trong repo.
+  Evidence: `phpunit.xml:17`, `__NO_GITHUB_WORKFLOWS__`.
+- [Observed | High] Weakness: App shell (`app/`) rat mong, kien thuc he thong tap trung trong platform/vendor, onboarding de bi tai.
+  Evidence: `routes/web.php`, `app/Providers/*.php`.
+- [Observed | High] Risk: CSRF bypass trong admin production co the mo rong attack surface neu khong co compensating controls.
+  Mitigation: tat condition bypass mac dinh, gioi han theo route can thiet, bat buoc CSRF regression tests.
+  Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197-199`.
+- [Observed | High] Risk: `APP_DEBUG=true` trong moi truong danh dau production.
+  Mitigation: set `APP_DEBUG=false`, review error rendering + log redaction.
+  Evidence: `.env:3-4`.
+- [Inferred | Medium] Risk: Queue dang `sync` gay han che throughput va retries cho email/notifications/jobs.
+  Mitigation: chuyen queue backend async, them supervisor + retry policy.
+  Evidence: `.env:12`, `platform/plugins/contact/src/Listeners/SendContactEmailListener.php:11`.
+
+## Top 10 Evidence Items
+1. [Observed | High] Stack versions va merge plugin.
+   File/Symbol: `composer.json` (`require`, `extra.merge-plugin`).
+   Snippet summary: PHP 8.3/8.4, Laravel 13, Botble API, merge plugin/theme composer files.
+2. [Observed | High] Frontend monorepo workspace.
+   File/Symbol: `package.json` (`workspaces`, `dependencies`, `devDependencies`).
+   Snippet summary: workspace split theo `platform/*`, build voi Laravel Mix, Vue 3.
+3. [Observed | High] App bootstrap va entry routing.
+   File/Symbol: `bootstrap/app.php` (`withRouting`), `routes/web.php`.
+   Snippet summary: app shell route map don gian; web route root trong app de trong.
+4. [Observed | High] Plugin dynamic loading by manifest.
+   File/Symbol: `PluginManagementServiceProvider::boot`, `PluginManifest::getManifest`.
+   Snippet summary: doc manifest, set PSR-4 plugin, register providers active.
+5. [Observed | High] Hook/filter engine.
+   File/Symbol: `action-filter.php` (`add_filter`, `add_action`, `apply_filters`, `do_action`).
+   Snippet summary: co che extension runtime dung xuyen module.
+6. [Observed | High] API auth/middleware orchestration.
+   File/Symbol: `ApiServiceProvider::boot`, `vendor/botble/api/routes/api.php`.
+   Snippet summary: push API middleware, prefix `api/v1`, auth sanctum cho protected routes.
+7. [Observed | High] Security headers + CSRF bypass condition.
+   File/Symbol: `HttpSecurityHeaders::handle`, `EventServiceProvider::disableCsrfProtection`.
+   Snippet summary: set secure headers; condition co the replace CSRF middleware trong admin production.
+8. [Observed | High] Input sanitization pivot.
+   File/Symbol: `BaseHelper::clean`, `core/base/config/general.php`.
+   Snippet summary: purifier active by default, co flag `enable_less_secure_web` de bypass.
+9. [Observed | High] Multi-cloud media integration.
+   File/Symbol: `MediaServiceProvider::boot` switch media driver.
+   Snippet summary: support `s3`, `r2`, `wasabi`, `bunnycdn`, `do_spaces`, `backblaze`.
+10. [Observed | High] Data migration/import-export tooling.
+    File/Symbol: `DataSynchronizeServiceProvider`, `vendor/botble/data-synchronize/routes/web.php`.
+    Snippet summary: co UI route + commands import/export + scheduled chunk cleanup.
+
+## Unknowns and Verification Plan
+- [Assumed | Medium] Chua xac nhan policy production thuc te cho CSRF bypass admin.
+  Verification: grep config override theo environment + pen-test luong form admin quan trong.
+- [Assumed | Medium] Chua xac nhan tinh trang queue workers thuc te (supervisor/systemd).
+  Verification: check process/runtime metrics, chay test end-to-end cho queued jobs.
+- [Assumed | Medium] Chua xac nhan API dang bat o moi truong production.
+  Verification: doc `settings` production (`api_enabled`), smoke test endpoint.
+- [Assumed | Medium] Chua do duoc real test coverage theo plugin/module.
+  Verification: thiet lap pipeline test matrix (core + plugin critical suites) va coverage report.
+- [Assumed | Low] Khong thay webhook/GraphQL footprint trong source hien tai, nhung co the ton tai o private plugins chua import.
+  Verification: inventory them plugin private/private repo + runtime route dump.
+
+## Recommended Next Actions (30/60/90 day)
+- [30 days | High priority]
+  - Dong hardening gap: tat `APP_DEBUG` tren production, review/rang buoc lai CSRF logic admin.
+  - Chuan hoa baseline architecture doc: route map, provider map, plugin dependency map.
+  - Tao smoke tests cho auth, API, plugin activation/deactivation, contact submission.
+- [60 days | Medium priority]
+  - Chuyen queue sang async backend (Redis/SQS), bo sung retry policy + dead-letter strategy.
+  - Dung CI pipeline cho lint/static/test (pint + larastan + phpunit selective suites).
+  - Chuan hoa integration contracts cho API versioning va plugin hook governance.
+- [90 days | Medium priority]
+  - Xay integration playbook (SSO, storage/CDN, data migration) kem template adapters.
+  - Bo sung observability stack: correlation-id, dashboard error budget, alert routing.
+  - Thiet lap regression/security test set cho cac extension points quan trong (hooks/routes/policies).

package/dist/core/templates/skills/knowledge/frameworks/php/wordpress/core/profile.json

@@ -0,0 +1,51 @@
+{
+  "id": "php-wordpress-core",
+  "name": "WordPress CMS",
+  "runtime": "php",
+  "runtimeVersion": ">=7.2.24",
+  "framework": "wordpress",
+  "frameworkVersion": "^6.0",
+  "cms": "wordpress",
+  "cmsType": "monolith-with-plugin-theme-extensions",
+  "description": "Open-source CMS built on PHP with a hook-based plugin/theme architecture, REST API, Block Editor (Gutenberg), and global function procedural style. Powers ~43% of the web.",
+  "keyFeatures": [
+    "Hook/Filter system (add_action, add_filter, do_action, apply_filters) — core extensibility",
+    "Plugin architecture via wp-content/plugins/",
+    "Theme architecture via wp-content/themes/ with template hierarchy",
+    "Block Editor (Gutenberg) with block.json registration",
+    "REST API with /wp-json/wp/v2/ endpoints and custom endpoint registration",
+    "WP_Query — the main content query engine",
+    "Custom Post Types and Custom Taxonomies",
+    "User roles and capabilities system (WP_Roles, WP_User)",
+    "Widget system (WP_Widget, WP_Widget_Factory)",
+    "Shortcode API",
+    "WP-Cron scheduling system",
+    "Multisite network support",
+    "Customizer API (WP_Customize_Manager)",
+    "Options API (get_option, update_option) for persistent key-value storage",
+    "Transients API for cached key-value storage with expiration",
+    "Rewrite API for pretty permalinks",
+    "Script/Style dependency management (wp_enqueue_script, wp_enqueue_style)",
+    "Interactivity API for interactive front-end blocks",
+    "Full Site Editing (FSE) with theme.json and block templates",
+    "XML-RPC and Application Passwords for remote authentication"
+  ],
+  "directorySignature": [
+    "wp-content",
+    "wp-admin",
+    "wp-includes"
+  ],
+  "fileSignature": [
+    "wp-config.php",
+    "wp-settings.php",
+    "wp-load.php",
+    "wp-blog-header.php"
+  ],
+  "typicalPlugins": [
+    "woocommerce", "contact-form-7", "yoast-seo", "elementor",
+    "advanced-custom-fields", "wordfence", "jetpack",
+    "wp-super-cache", "akismet", "classic-editor"
+  ],
+  "analysisFile": "structure.md",
+  "lastUpdated": "2026-05-03"
+}