heraspec 0.1.14 → 0.1.15
- package/LICENSE +187 -0
- package/README.md +94 -95
- package/bin/heraspec.js +195 -80
- package/bin/heraspec.js.map +2 -2
- package/dist/core/templates/skills/README.md +41 -38
- package/dist/core/templates/skills/campaign-plan/skill.md +76 -0
- package/dist/core/templates/skills/campaign-plan/skill.vi.md +76 -0
- package/dist/core/templates/skills/campaign-plan-skill.md +76 -0
- package/dist/core/templates/skills/campaign-plan-skill.vi.md +76 -0
- package/dist/core/templates/skills/code-review/skill.md +70 -0
- package/dist/core/templates/skills/code-review/skill.vi.md +70 -0
- package/dist/core/templates/skills/code-review-skill.md +70 -0
- package/dist/core/templates/skills/code-review-skill.vi.md +70 -0
- package/dist/core/templates/skills/content-creation/skill.md +69 -0
- package/dist/core/templates/skills/content-creation/skill.vi.md +69 -0
- package/dist/core/templates/skills/content-creation-skill.md +69 -0
- package/dist/core/templates/skills/content-creation-skill.vi.md +69 -0
- package/dist/core/templates/skills/content-optimization/skill.md +104 -0
- package/dist/core/templates/skills/debug/skill.md +69 -0
- package/dist/core/templates/skills/debug/skill.vi.md +69 -0
- package/dist/core/templates/skills/debug-skill.md +69 -0
- package/dist/core/templates/skills/debug-skill.vi.md +69 -0
- package/dist/core/templates/skills/deploy-documentation/skill.md +408 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/airbnb/DESIGN.md +246 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/airtable/DESIGN.md +89 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/apple/DESIGN.md +313 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/bmw/DESIGN.md +180 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/cal/DESIGN.md +259 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/claude/DESIGN.md +312 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/clay/DESIGN.md +304 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/clickhouse/DESIGN.md +281 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/cohere/DESIGN.md +266 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/coinbase/DESIGN.md +129 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/composio/DESIGN.md +307 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/cursor/DESIGN.md +309 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/elevenlabs/DESIGN.md +265 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/expo/DESIGN.md +281 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/figma/DESIGN.md +220 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/framer/DESIGN.md +246 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/hashicorp/DESIGN.md +278 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/ibm/DESIGN.md +332 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/index.json +72 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/intercom/DESIGN.md +146 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/kraken/DESIGN.md +125 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/linear.app/DESIGN.md +367 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/lovable/DESIGN.md +298 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/minimax/DESIGN.md +257 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/mintlify/DESIGN.md +326 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/miro/DESIGN.md +108 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/mistral.ai/DESIGN.md +261 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/mongodb/DESIGN.md +266 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/notion/DESIGN.md +309 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/nvidia/DESIGN.md +293 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/ollama/DESIGN.md +267 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/opencode.ai/DESIGN.md +281 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/pinterest/DESIGN.md +230 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/posthog/DESIGN.md +256 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/raycast/DESIGN.md +268 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/replicate/DESIGN.md +261 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/resend/DESIGN.md +303 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/revolut/DESIGN.md +185 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/runwayml/DESIGN.md +244 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/sanity/DESIGN.md +357 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/sentry/DESIGN.md +262 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/spacex/DESIGN.md +194 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/spotify/DESIGN.md +246 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/stripe/DESIGN.md +322 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/supabase/DESIGN.md +255 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/superhuman/DESIGN.md +252 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/together.ai/DESIGN.md +263 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/uber/DESIGN.md +295 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/vercel/DESIGN.md +310 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/voltagent/DESIGN.md +323 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/warp/DESIGN.md +253 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/webflow/DESIGN.md +92 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/wise/DESIGN.md +173 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/x.ai/DESIGN.md +257 -0
- package/dist/core/templates/skills/design-system/knowledge/design-systems/zapier/DESIGN.md +328 -0
- package/dist/core/templates/skills/design-system/skill.md +176 -0
- package/dist/core/templates/skills/documents/skill.md +104 -0
- package/dist/core/templates/skills/e2e-test/skill.md +119 -0
- package/dist/core/templates/skills/email-sequence/skill.md +68 -0
- package/dist/core/templates/skills/email-sequence/skill.vi.md +68 -0
- package/dist/core/templates/skills/email-sequence-skill.md +68 -0
- package/dist/core/templates/skills/email-sequence-skill.vi.md +68 -0
- package/dist/core/templates/skills/git-embed/skill.md +57 -0
- package/dist/core/templates/skills/integration-test/skill.md +118 -0
- package/dist/core/templates/skills/knowledge/README.md +63 -63
- package/dist/core/templates/skills/knowledge/design-systems/index.json +72 -72
- package/dist/core/templates/skills/knowledge/frameworks/php/codeigniter/rise-cms/profile.json +27 -27
- package/dist/core/templates/skills/knowledge/frameworks/php/codeigniter/rise-cms/structure.md +137 -137
- package/dist/core/templates/skills/knowledge/frameworks/php/laravel/botble/profile.json +39 -39
- package/dist/core/templates/skills/knowledge/frameworks/php/laravel/botble/structure.md +207 -207
- package/dist/core/templates/skills/knowledge/frameworks/php/wordpress/core/profile.json +51 -51
- package/dist/core/templates/skills/knowledge/frameworks/php/wordpress/core/structure.md +369 -369
- package/dist/core/templates/skills/knowledge/index.json +65 -65
- package/dist/core/templates/skills/perfex-module/module-codebase/skill.md +110 -0
- package/dist/core/templates/skills/project-memory/skill.md +222 -0
- package/dist/core/templates/skills/project-memory/skill.vi.md +223 -0
- package/dist/core/templates/skills/seo-audit/skill.md +75 -0
- package/dist/core/templates/skills/seo-audit/skill.vi.md +75 -0
- package/dist/core/templates/skills/seo-audit-skill.md +75 -0
- package/dist/core/templates/skills/seo-audit-skill.vi.md +75 -0
- package/dist/core/templates/skills/smart-explore/skill.md +141 -0
- package/dist/core/templates/skills/sourcecode-analyzer/skill.md +210 -0
- package/dist/core/templates/skills/sourcecode-analyzer/skill.vi.md +210 -0
- package/dist/core/templates/skills/spec-writer/skill.md +61 -0
- package/dist/core/templates/skills/spec-writer/skill.vi.md +61 -0
- package/dist/core/templates/skills/spec-writer-skill.md +61 -0
- package/dist/core/templates/skills/spec-writer-skill.vi.md +61 -0
- package/dist/core/templates/skills/sql-queries/skill.md +67 -0
- package/dist/core/templates/skills/sql-queries/skill.vi.md +67 -0
- package/dist/core/templates/skills/sql-queries-skill.md +67 -0
- package/dist/core/templates/skills/sql-queries-skill.vi.md +67 -0
- package/dist/core/templates/skills/suggestion/skill.md +118 -0
- package/dist/core/templates/skills/system-design/skill.md +70 -0
- package/dist/core/templates/skills/system-design/skill.vi.md +70 -0
- package/dist/core/templates/skills/system-design-skill.md +70 -0
- package/dist/core/templates/skills/system-design-skill.vi.md +70 -0
- package/dist/core/templates/skills/tech-debt/skill.md +70 -0
- package/dist/core/templates/skills/tech-debt/skill.vi.md +70 -0
- package/dist/core/templates/skills/tech-debt-skill.md +70 -0
- package/dist/core/templates/skills/tech-debt-skill.vi.md +70 -0
- package/dist/core/templates/skills/ui-ux/data/charts.csv +26 -0
- package/dist/core/templates/skills/ui-ux/data/colors.csv +97 -0
- package/dist/core/templates/skills/ui-ux/data/design-systems.csv +54 -0
- package/dist/core/templates/skills/ui-ux/data/landing.csv +31 -0
- package/dist/core/templates/skills/ui-ux/data/pages-proposed.csv +22 -0
- package/dist/core/templates/skills/ui-ux/data/pages.csv +10 -0
- package/dist/core/templates/skills/ui-ux/data/products.csv +97 -0
- package/dist/core/templates/skills/ui-ux/data/prompts.csv +24 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/flutter.csv +53 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/html-tailwind.csv +56 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/nextjs.csv +53 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/react-native.csv +52 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/react.csv +54 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/svelte.csv +54 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/swiftui.csv +51 -0
- package/dist/core/templates/skills/ui-ux/data/stacks/vue.csv +50 -0
- package/dist/core/templates/skills/ui-ux/data/styles.csv +59 -0
- package/dist/core/templates/skills/ui-ux/data/typography.csv +58 -0
- package/dist/core/templates/skills/ui-ux/data/ux-guidelines.csv +100 -0
- package/dist/core/templates/skills/ui-ux/scripts/CODE_EXPLANATION.md +394 -0
- package/dist/core/templates/skills/ui-ux/scripts/SEARCH_ALGORITHMS_COMPARISON.md +421 -0
- package/dist/core/templates/skills/ui-ux/scripts/SEARCH_MODES_GUIDE.md +238 -0
- package/dist/core/templates/skills/ui-ux/scripts/core.py +391 -0
- package/dist/core/templates/skills/ui-ux/scripts/search.py +73 -0
- package/dist/core/templates/skills/ui-ux/skill.md +595 -0
- package/dist/core/templates/skills/ui-ux/templates/accessibility-checklist.md +40 -0
- package/dist/core/templates/skills/ui-ux/templates/example-prompt-full-theme.md +333 -0
- package/dist/core/templates/skills/ui-ux/templates/page-types-guide.md +338 -0
- package/dist/core/templates/skills/ui-ux/templates/pages-proposed-summary.md +273 -0
- package/dist/core/templates/skills/ui-ux/templates/pre-delivery-checklist.md +42 -0
- package/dist/core/templates/skills/ui-ux/templates/prompt-template-full-theme.md +313 -0
- package/dist/core/templates/skills/ui-ux/templates/responsive-design.md +40 -0
- package/dist/core/templates/skills/unit-test/skill.md +111 -0
- package/dist/core/templates/skills/wordpress/plugin-check/skill.md +151 -0
- package/dist/core/templates/skills/wordpress/plugin-directory/skill.md +396 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/skill.md +100 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/admin-dashboard.php +47 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/admin-settings.php +60 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/assets/admin-css.css +22 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/assets/admin-js.js +15 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/plugin-main.php +169 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/readme.txt +41 -0
- package/dist/core/templates/skills/wordpress/plugin-standard/templates/uninstall.php +21 -0
- package/dist/core/templates/skills/wordpress/ux-element/skill.md +83 -0
- package/dist/core/templates/skills/wordpress/ux-element/templates/Controller.php +50 -0
- package/dist/core/templates/skills/wordpress/ux-element/templates/Shortcode.php +23 -0
- package/dist/core/templates/skills/wordpress/ux-element/templates/Template.html +20 -0
- package/dist/core/templates/skills/wordpress/ux-element/templates/Thumbnail.svg +8 -0
- package/dist/core/templates/skills/wordpress/ux-element/templates/View.php +21 -0
- package/dist/index.js +195 -79
- package/package.json +1 -1
|
@@ -1,208 +1,208 @@
|
|
|
1
|
-
## Executive Summary
|
|
2
|
-
- [Inferred | High] Codebase nay la mot modular monolith tren Laravel + Botble, trong do `app/` giu vai tro shell mong va phan lon nghiep vu nam o `platform/core`, `platform/packages`, `platform/plugins`, `platform/themes`.
|
|
3
|
-
Evidence: `composer.json:14`, `composer.json:32`, `bootstrap/app.php:8`, `routes/web.php`.
|
|
4
|
-
- [Observed | High] Kha nang mo rong va tich hop cao nhờ plugin/theme architecture, hook/filter, API package, Social Login, media driver da cloud va data synchronization tooling.
|
|
5
|
-
Evidence: `platform/core/base/helpers/action-filter.php:8`, `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `vendor/botble/api/routes/api.php:6`, `platform/core/media/src/Providers/MediaServiceProvider.php:159`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
|
|
6
|
-
- [Observed | High] Rui ro chinh can uu tien: logic vo hieu hoa CSRF trong admin o production, `APP_DEBUG=true` khi `APP_ENV=production`, va tin hieu test coverage o root con mong.
|
|
7
|
-
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `.env:3`, `.env:4`, `phpunit.xml:17`, `tests/Feature/ExampleTest.php`.
|
|
8
|
-
|
|
9
|
-
## Technology Profile
|
|
10
|
-
- [Observed | High] Backend: PHP `^8.3|^8.4`, Laravel `^13.0`, Botble API `^2.1`, Sanctum `^4.0`.
|
|
11
|
-
Evidence: `composer.json:8`, `composer.json:14`, `composer.json:32`, `composer.json:33`.
|
|
12
|
-
- [Observed | High] Plugin/theme dependency composition dung `wikimedia/composer-merge-plugin`, merge plugin/theme `composer.json` vao runtime.
|
|
13
|
-
Evidence: `composer.json:36`, `composer.json:98`, `composer.json:99`.
|
|
14
|
-
- [Observed | High] Frontend build theo `laravel-mix`, monorepo NPM workspaces cho core/packages/plugins/themes; co su dung Vue 3.
|
|
15
|
-
Evidence: `package.json:3`, `package.json:5`, `package.json:6`, `package.json:7`, `package.json:8`, `package.json:28`, `package.json:47`.
|
|
16
|
-
- [Observed | Medium] Tooling quality gate duoc khai bao o dependency (`larastan`, `pint`, `rector`, `phpunit`) nhung chua thay root config rieng cho phpstan/pint/rector.
|
|
17
|
-
Evidence: `composer.json:44`, `composer.json:47`, `composer.json:51`, `composer.json:52`.
|
|
18
|
-
- [Observed | Medium] Deployment local/dev co `docker-compose` theo Laravel Sail runtime 8.2 + MySQL 8.0; chua thay GitHub workflow o repo.
|
|
19
|
-
Evidence: `docker-compose.yml`, `__NO_GITHUB_WORKFLOWS__` (filesystem check).
|
|
20
|
-
|
|
21
|
-
## Repository Topology
|
|
22
|
-
- [Observed | High] Root co cac nhom thu muc chinh: `app`, `config`, `routes`, `platform`, `resources`, `tests`, `vendor`, `_analytics`.
|
|
23
|
-
Evidence: root directory listing.
|
|
24
|
-
- [Observed | High] `platform` duoc to chuc theo 4 nhom lon:
|
|
25
|
-
- `core` (10 subdirs)
|
|
26
|
-
- `packages` (13 subdirs)
|
|
27
|
-
- `plugins` (17 subdirs)
|
|
28
|
-
- `themes` (1 subdir: `ripple`)
|
|
29
|
-
Evidence: `platform/` directory stats.
|
|
30
|
-
- [Observed | High] Plugins hien dien: `analytics`, `audit-log`, `backup`, `block`, `blog`, `captcha`, `contact`, `cookie-consent`, `custom-field`, `fob-comment`, `gallery`, `language`, `language-advanced`, `member`, `request-log`, `social-login`, `translation`.
|
|
31
|
-
Evidence: `platform/plugins/*` directory listing.
|
|
32
|
-
- [Observed | High] Surface route theo module rat lon: 44 route files trong `platform/**/routes` (34 `web.php`, 5 `api.php`) va 97 `*ServiceProvider.php`.
|
|
33
|
-
Evidence: recursive file counts.
|
|
34
|
-
|
|
35
|
-
## Architecture and Dependency Flow
|
|
36
|
-
- [Observed | High] Bootstrap app-level chi tro route web/console va healthcheck; nghiep vu duoc delegated vao providers/module routes.
|
|
37
|
-
Evidence: `bootstrap/app.php:8-11`, `routes/web.php`.
|
|
38
|
-
- [Observed | High] Luong nap plugin:
|
|
39
|
-
1. Lay manifest (`PluginManifest::getManifest`)
|
|
40
|
-
2. Set PSR-4 namespace cho plugin active
|
|
41
|
-
3. Register providers cua plugin active
|
|
42
|
-
Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `:33`, `:38`, `:43`.
|
|
43
|
-
- [Observed | High] Plugin manifest cache nam o `bootstrap/cache/plugins.php`, co co che regenerate khi mismatch.
|
|
44
|
-
Evidence: `platform/packages/plugin-management/src/PluginManifest.php:16`, `:24`, `:42`, `:50`.
|
|
45
|
-
- [Observed | High] Dependency direction theo mo hinh: Laravel shell -> Botble core/packages -> plugin/theme provider + routes + hooks.
|
|
46
|
-
Evidence: `bootstrap/cache/packages.php:22`, `:143`, `:198`, `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:80`.
|
|
47
|
-
- [Observed | Medium] Su dung DI repository interface-to-implementation trong nhieu module (blog, media, contact, acl, ...), giam coupling truc tiep.
|
|
48
|
-
Evidence: `platform/plugins/blog/src/Providers/BlogServiceProvider.php:44`, `platform/core/media/src/Providers/MediaServiceProvider.php:50`, `platform/core/acl/src/Providers/AclServiceProvider.php:36`.
|
|
49
|
-
|
|
50
|
-
## Coding Style and Conventions
|
|
51
|
-
- [Observed | High] Naming convention va namespace theo PSR-4, cau truc thu muc theo bounded module (`Http/Controllers`, `Models`, `Providers`, `Repositories`, `Tables`, `Forms`).
|
|
52
|
-
Evidence: `platform/plugins/blog/src/Http/Controllers/PostController.php`, `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/src/Repositories/Eloquent/PostRepository.php`.
|
|
53
|
-
- [Observed | Medium] Pattern su dung nhieu: ServiceProvider, Facade, Repository, trait-based module bootstrap (`LoadAndPublishDataTrait`).
|
|
54
|
-
Evidence: `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:20`, `:80`.
|
|
55
|
-
- [Observed | Medium] Typed method signatures va typed properties duoc ap dung rong, nhung khong thay `declare(strict_types=1)` trong `app` va `platform`.
|
|
56
|
-
Evidence: strict-types scan result `__NONE__`.
|
|
57
|
-
- [Observed | Medium] Root PHPUnit chi include `tests/Unit`, `tests/Feature` va source `app`; 2 test root de dang, trong khi test trong `platform` co 28 files.
|
|
58
|
-
Evidence: `phpunit.xml:8-17`, `tests/Feature/ExampleTest.php`, recursive test counts.
|
|
59
|
-
- [Inferred | Medium] Quality tooling co kha nang manh tren ly thuyet, nhung co the chua enforce day du neu khong co config/CI pipeline dong bo.
|
|
60
|
-
Evidence: `composer.json:44`, `:47`, `:52`, `__NO_GITHUB_WORKFLOWS__`.
|
|
61
|
-
|
|
62
|
-
## Extension Points (Modules/Themes/Plugins/Hooks)
|
|
63
|
-
- [Observed | High] Hook system kieu WordPress duoc implement native: `add_filter`, `add_action`, `apply_filters`, `do_action`.
|
|
64
|
-
Evidence: `platform/core/base/helpers/action-filter.php:8`, `:26`, `:37`, `:44`.
|
|
65
|
-
- [Observed | High] Hook usage rong trong he thong (dem scan): `add_filter` 153, `add_action` 45, `apply_filters` 247, `do_action` 85.
|
|
66
|
-
Evidence: recursive grep counts tren `platform`.
|
|
67
|
-
- [Observed | High] Lifecycle plugin day du: activate/deactivate/remove, dependency check, migration/assets/translations publish, manifest regen.
|
|
68
|
-
Evidence: `platform/packages/plugin-management/src/Services/PluginService.php:41`, `:228`, `:295`, `:409`, `:414`.
|
|
69
|
-
- [Observed | High] Theme extension point: route registration qua `Theme::registerRoutes`, `Theme::routes`; `theme.json` khai bao `required_plugins`.
|
|
70
|
-
Evidence: `platform/themes/ripple/routes/web.php:8`, `:20`, `platform/themes/ripple/theme.json:9`.
|
|
71
|
-
- [Observed | High] Admin extension point: da so module dang ky admin routes qua `AdminHelper::registerRoutes`.
|
|
72
|
-
Evidence: `platform/core/base/src/Helpers/AdminHelper.php:15`, multiple route files under `platform/**/routes/web.php`.
|
|
73
|
-
|
|
74
|
-
## API and Interaction Surfaces
|
|
75
|
-
- [Observed | High] REST API core o `vendor/botble/api` voi prefix `api/v1`; auth layer su dung `auth:sanctum` cho protected endpoints.
|
|
76
|
-
Evidence: `vendor/botble/api/routes/api.php:6`, `:23`.
|
|
77
|
-
- [Observed | High] API middleware stack duoc push dong vao group `api`: `ApiEnabledMiddleware`, `ForceJsonResponseMiddleware`, optional `ApiKeyMiddleware`.
|
|
78
|
-
Evidence: `vendor/botble/api/src/Providers/ApiServiceProvider.php:62`, `:65`, `:69`.
|
|
79
|
-
- [Observed | High] Plugin APIs da mo san:
|
|
80
|
-
- Blog content API (`posts`, `categories`, `tags`)
|
|
81
|
-
- Contact API (`contacts`) + throttle `5,1`
|
|
82
|
-
- Social Login API (`api/v1/auth/*`)
|
|
83
|
-
Evidence: `platform/plugins/blog/routes/api.php`, `platform/plugins/contact/routes/api.php:10`, `platform/plugins/social-login/routes/api.php`.
|
|
84
|
-
- [Observed | High] CLI surface lon (82 command classes scan), nhieu command namespace `cms:*` cho maintenance/integration.
|
|
85
|
-
Evidence: command class scan; `platform/core/base/src/Commands/UpdateCommand.php`, `platform/packages/plugin-management/src/Commands/PluginDiscoverCommand.php`, `vendor/botble/api/src/Commands/GenerateDocumentationCommand.php`.
|
|
86
|
-
- [Observed | High] Async va schedule surfaces co san: ShouldQueue listeners/jobs + scheduled prune/cleanup/refresh.
|
|
87
|
-
Evidence: `platform/plugins/request-log/src/Providers/CommandServiceProvider.php:24`, `platform/plugins/audit-log/src/Providers/AuditLogServiceProvider.php:65`, `platform/core/media/src/Providers/MediaServiceProvider.php:259`.
|
|
88
|
-
- [Observed | High] Khong thay GraphQL/webhook route footprint trong quet source hien tai.
|
|
89
|
-
Evidence: grep result `__NONE__` cho patterns `graphql|lighthouse|rebing` va `webhook` tren `app/platform/vendor/botble/api`.
|
|
90
|
-
|
|
91
|
-
## Data Model and State Management
|
|
92
|
-
- [Observed | High] Data layer chinh su dung Eloquent + migration theo module/plugin.
|
|
93
|
-
Evidence: `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/database/migrations/2015_06_18_033822_create_blog_table.php`.
|
|
94
|
-
- [Observed | High] So luong migration da dang ky: root `7`, platform `83`, vendor API `5`.
|
|
95
|
-
Evidence: migration file counts.
|
|
96
|
-
- [Observed | High] Trang thai plugin/theme/API duoc luu trong `settings` table (`activated_plugins`, `theme`, `api_enabled`).
|
|
97
|
-
Evidence: `database.sql:1798`.
|
|
98
|
-
- [Observed | Medium] Runtime drivers trong `.env` hien tai: cache/file, queue/sync, session/file, db/mysql.
|
|
99
|
-
Evidence: `.env:11`, `.env:12`, `.env:13`, `.env:36`.
|
|
100
|
-
- [Observed | Medium] Data migration/import-export capability da co package rieng (`data-synchronize`) voi route UI + command import/export/chunk cleanup.
|
|
101
|
-
Evidence: `vendor/botble/data-synchronize/routes/web.php:11`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
|
|
102
|
-
|
|
103
|
-
## Security Posture
|
|
104
|
-
- [Observed | High] AuthN API dua tren Sanctum, co `auth:sanctum` gate cho protected endpoints.
|
|
105
|
-
Evidence: `vendor/botble/api/routes/api.php:23`, `bootstrap/cache/packages.php:225`.
|
|
106
|
-
- [Observed | High] API gate bo sung: co the tat API toan cuc (`ApiEnabledMiddleware`) va bat buoc `X-API-KEY` khi cau hinh.
|
|
107
|
-
Evidence: `vendor/botble/api/src/Http/Middleware/ApiEnabledMiddleware.php:14`, `vendor/botble/api/src/Http/Middleware/ApiKeyMiddleware.php:19`.
|
|
108
|
-
- [Observed | High] XSS sanitation co su dung purifier qua `BaseHelper::clean` (co the bypass neu bat `enable_less_secure_web`).
|
|
109
|
-
Evidence: `platform/core/base/src/Helpers/BaseHelper.php:373`, `:375`, `:390`, `platform/core/base/config/general.php:462`.
|
|
110
|
-
- [Observed | High] HTTP security headers duoc set qua middleware (`nosniff`, `SAMEORIGIN`, `X-XSS-Protection`, `Referrer-Policy`).
|
|
111
|
-
Evidence: `platform/core/base/src/Http/Middleware/HttpSecurityHeaders.php:18-21`.
|
|
112
|
-
- [Observed | High] Co rate-limit muc tieu cho endpoint tiep xuc public (`throttle:5,1`).
|
|
113
|
-
Evidence: `platform/plugins/contact/routes/api.php:10`.
|
|
114
|
-
- [Observed | High] Rui ro lon: CSRF verification co the bi disable trong admin khi moi truong la production.
|
|
115
|
-
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `:199`; `platform/core/base/src/Helpers/AdminHelper.php:23`.
|
|
116
|
-
- [Observed | High] Rui ro cau hinh: `.env` hien tai de `APP_ENV=production` va `APP_DEBUG=true`.
|
|
117
|
-
Evidence: `.env:4`, `.env:3`.
|
|
118
|
-
- [Inferred | Medium] Co observability su co qua hook site error -> request-log event, va audit event listeners cho login/content.
|
|
119
|
-
Evidence: `platform/core/base/src/Exceptions/Handler.php:45`, `platform/plugins/request-log/src/Providers/HookServiceProvider.php:25`, `platform/plugins/audit-log/src/Providers/EventServiceProvider.php`.
|
|
120
|
-
|
|
121
|
-
## Integration Capability Matrix
|
|
122
|
-
| Domain | Entry Points | Required Adapters | Complexity | Risks | Confidence |
|
|
123
|
-
|---|---|---|---|---|---|
|
|
124
|
-
| External APIs | `api/v1` core + plugin APIs (`blog`, `contact`, `social-login`) | API gateway/versioning, request signing, client SDK wrappers | Medium | API co the dang tat (`api_enabled=0`), can governance versioning | High |
|
|
125
|
-
| Authentication/SSO | Sanctum (`auth:sanctum`), Social Login web/api routes | IdP config mapping, token lifecycle, callback domain hardening | Medium | Misconfig callback/provider secret, token refresh drift | High |
|
|
126
|
-
| Payment | Khong thay payment module active trong `platform/plugins` | Can plugin payment moi + domain model order/transaction | High | Scope tang nhanh, compliance (PCI/chargeback) | Medium |
|
|
127
|
-
| Messaging/Queue | ShouldQueue listeners/jobs, scheduler commands | Queue backend (Redis/SQS), worker orchestration, retries/DLQ | Medium | `.env` dang `QUEUE_CONNECTION=sync` lam giam async throughput | High |
|
|
128
|
-
| Storage/CDN | Media driver support `s3/r2/wasabi/bunnycdn/do_spaces/backblaze` | Credential/secret manager, CDN URL/signing, lifecycle policies | Medium | Sai config disk/ACL/public URL, chi phi egress | High |
|
|
129
|
-
| Observability | Request-log + Audit-log + logger channel hooks | Central log pipeline, metrics/tracing, alert routing | Medium | Log noise, thieu correlation-id va SLO metrics | Medium |
|
|
130
|
-
| Admin/UI customization | `AdminHelper::registerRoutes`, hooks/filters, panel sections, theme routes | Internal extension conventions, review checklist, plugin quality gates | Low-Medium | Hook overuse dan den kho truy vet side-effects | High |
|
|
131
|
-
| Content/data migration | `data-synchronize` routes/commands + migration system | Mapping schema, transform rules, validation + rollback tooling | Medium | Data quality drift, rollback strategy chua ro | High |
|
|
132
|
-
|
|
133
|
-
## Strengths, Weaknesses, Risks
|
|
134
|
-
- [Observed | High] Strength: Kien truc module/plugin/theme rat ro rang, extension points phong phu, de mo rong ma khong phai fork core.
|
|
135
|
-
Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php`, `platform/core/base/helpers/action-filter.php`.
|
|
136
|
-
- [Observed | High] Strength: Integration surface da da dang (REST API, social auth, media cloud drivers, import/export tooling).
|
|
137
|
-
Evidence: `vendor/botble/api/routes/api.php`, `platform/plugins/social-login/routes/api.php`, `platform/core/media/src/Providers/MediaServiceProvider.php`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php`.
|
|
138
|
-
- [Observed | Medium] Weakness: Root test scope chua phan anh day du plugin/platform domain; CI workflow chua thay trong repo.
|
|
139
|
-
Evidence: `phpunit.xml:17`, `__NO_GITHUB_WORKFLOWS__`.
|
|
140
|
-
- [Observed | High] Weakness: App shell (`app/`) rat mong, kien thuc he thong tap trung trong platform/vendor, onboarding de bi tai.
|
|
141
|
-
Evidence: `routes/web.php`, `app/Providers/*.php`.
|
|
142
|
-
- [Observed | High] Risk: CSRF bypass trong admin production co the mo rong attack surface neu khong co compensating controls.
|
|
143
|
-
Mitigation: tat condition bypass mac dinh, gioi han theo route can thiet, bat buoc CSRF regression tests.
|
|
144
|
-
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197-199`.
|
|
145
|
-
- [Observed | High] Risk: `APP_DEBUG=true` trong moi truong danh dau production.
|
|
146
|
-
Mitigation: set `APP_DEBUG=false`, review error rendering + log redaction.
|
|
147
|
-
Evidence: `.env:3-4`.
|
|
148
|
-
- [Inferred | Medium] Risk: Queue dang `sync` gay han che throughput va retries cho email/notifications/jobs.
|
|
149
|
-
Mitigation: chuyen queue backend async, them supervisor + retry policy.
|
|
150
|
-
Evidence: `.env:12`, `platform/plugins/contact/src/Listeners/SendContactEmailListener.php:11`.
|
|
151
|
-
|
|
152
|
-
## Top 10 Evidence Items
|
|
153
|
-
1. [Observed | High] Stack versions va merge plugin.
|
|
154
|
-
File/Symbol: `composer.json` (`require`, `extra.merge-plugin`).
|
|
155
|
-
Snippet summary: PHP 8.3/8.4, Laravel 13, Botble API, merge plugin/theme composer files.
|
|
156
|
-
2. [Observed | High] Frontend monorepo workspace.
|
|
157
|
-
File/Symbol: `package.json` (`workspaces`, `dependencies`, `devDependencies`).
|
|
158
|
-
Snippet summary: workspace split theo `platform/*`, build voi Laravel Mix, Vue 3.
|
|
159
|
-
3. [Observed | High] App bootstrap va entry routing.
|
|
160
|
-
File/Symbol: `bootstrap/app.php` (`withRouting`), `routes/web.php`.
|
|
161
|
-
Snippet summary: app shell route map don gian; web route root trong app de trong.
|
|
162
|
-
4. [Observed | High] Plugin dynamic loading by manifest.
|
|
163
|
-
File/Symbol: `PluginManagementServiceProvider::boot`, `PluginManifest::getManifest`.
|
|
164
|
-
Snippet summary: doc manifest, set PSR-4 plugin, register providers active.
|
|
165
|
-
5. [Observed | High] Hook/filter engine.
|
|
166
|
-
File/Symbol: `action-filter.php` (`add_filter`, `add_action`, `apply_filters`, `do_action`).
|
|
167
|
-
Snippet summary: co che extension runtime dung xuyen module.
|
|
168
|
-
6. [Observed | High] API auth/middleware orchestration.
|
|
169
|
-
File/Symbol: `ApiServiceProvider::boot`, `vendor/botble/api/routes/api.php`.
|
|
170
|
-
Snippet summary: push API middleware, prefix `api/v1`, auth sanctum cho protected routes.
|
|
171
|
-
7. [Observed | High] Security headers + CSRF bypass condition.
|
|
172
|
-
File/Symbol: `HttpSecurityHeaders::handle`, `EventServiceProvider::disableCsrfProtection`.
|
|
173
|
-
Snippet summary: set secure headers; condition co the replace CSRF middleware trong admin production.
|
|
174
|
-
8. [Observed | High] Input sanitization pivot.
|
|
175
|
-
File/Symbol: `BaseHelper::clean`, `core/base/config/general.php`.
|
|
176
|
-
Snippet summary: purifier active by default, co flag `enable_less_secure_web` de bypass.
|
|
177
|
-
9. [Observed | High] Multi-cloud media integration.
|
|
178
|
-
File/Symbol: `MediaServiceProvider::boot` switch media driver.
|
|
179
|
-
Snippet summary: support `s3`, `r2`, `wasabi`, `bunnycdn`, `do_spaces`, `backblaze`.
|
|
180
|
-
10. [Observed | High] Data migration/import-export tooling.
|
|
181
|
-
File/Symbol: `DataSynchronizeServiceProvider`, `vendor/botble/data-synchronize/routes/web.php`.
|
|
182
|
-
Snippet summary: co UI route + commands import/export + scheduled chunk cleanup.
|
|
183
|
-
|
|
184
|
-
## Unknowns and Verification Plan
|
|
185
|
-
- [Assumed | Medium] Chua xac nhan policy production thuc te cho CSRF bypass admin.
|
|
186
|
-
Verification: grep config override theo environment + pen-test luong form admin quan trong.
|
|
187
|
-
- [Assumed | Medium] Chua xac nhan tinh trang queue workers thuc te (supervisor/systemd).
|
|
188
|
-
Verification: check process/runtime metrics, chay test end-to-end cho queued jobs.
|
|
189
|
-
- [Assumed | Medium] Chua xac nhan API dang bat o moi truong production.
|
|
190
|
-
Verification: doc `settings` production (`api_enabled`), smoke test endpoint.
|
|
191
|
-
- [Assumed | Medium] Chua do duoc real test coverage theo plugin/module.
|
|
192
|
-
Verification: thiet lap pipeline test matrix (core + plugin critical suites) va coverage report.
|
|
193
|
-
- [Assumed | Low] Khong thay webhook/GraphQL footprint trong source hien tai, nhung co the ton tai o private plugins chua import.
|
|
194
|
-
Verification: inventory them plugin private/private repo + runtime route dump.
|
|
195
|
-
|
|
196
|
-
## Recommended Next Actions (30/60/90 day)
|
|
197
|
-
- [30 days | High priority]
|
|
198
|
-
- Dong hardening gap: tat `APP_DEBUG` tren production, review/rang buoc lai CSRF logic admin.
|
|
199
|
-
- Chuan hoa baseline architecture doc: route map, provider map, plugin dependency map.
|
|
200
|
-
- Tao smoke tests cho auth, API, plugin activation/deactivation, contact submission.
|
|
201
|
-
- [60 days | Medium priority]
|
|
202
|
-
- Chuyen queue sang async backend (Redis/SQS), bo sung retry policy + dead-letter strategy.
|
|
203
|
-
- Dung CI pipeline cho lint/static/test (pint + larastan + phpunit selective suites).
|
|
204
|
-
- Chuan hoa integration contracts cho API versioning va plugin hook governance.
|
|
205
|
-
- [90 days | Medium priority]
|
|
206
|
-
- Xay integration playbook (SSO, storage/CDN, data migration) kem template adapters.
|
|
207
|
-
- Bo sung observability stack: correlation-id, dashboard error budget, alert routing.
|
|
1
|
+
## Executive Summary
|
|
2
|
+
- [Inferred | High] Codebase nay la mot modular monolith tren Laravel + Botble, trong do `app/` giu vai tro shell mong va phan lon nghiep vu nam o `platform/core`, `platform/packages`, `platform/plugins`, `platform/themes`.
|
|
3
|
+
Evidence: `composer.json:14`, `composer.json:32`, `bootstrap/app.php:8`, `routes/web.php`.
|
|
4
|
+
- [Observed | High] Kha nang mo rong va tich hop cao nhờ plugin/theme architecture, hook/filter, API package, Social Login, media driver da cloud va data synchronization tooling.
|
|
5
|
+
Evidence: `platform/core/base/helpers/action-filter.php:8`, `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `vendor/botble/api/routes/api.php:6`, `platform/core/media/src/Providers/MediaServiceProvider.php:159`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
|
|
6
|
+
- [Observed | High] Rui ro chinh can uu tien: logic vo hieu hoa CSRF trong admin o production, `APP_DEBUG=true` khi `APP_ENV=production`, va tin hieu test coverage o root con mong.
|
|
7
|
+
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `.env:3`, `.env:4`, `phpunit.xml:17`, `tests/Feature/ExampleTest.php`.
|
|
8
|
+
|
|
9
|
+
## Technology Profile
|
|
10
|
+
- [Observed | High] Backend: PHP `^8.3|^8.4`, Laravel `^13.0`, Botble API `^2.1`, Sanctum `^4.0`.
|
|
11
|
+
Evidence: `composer.json:8`, `composer.json:14`, `composer.json:32`, `composer.json:33`.
|
|
12
|
+
- [Observed | High] Plugin/theme dependency composition dung `wikimedia/composer-merge-plugin`, merge plugin/theme `composer.json` vao runtime.
|
|
13
|
+
Evidence: `composer.json:36`, `composer.json:98`, `composer.json:99`.
|
|
14
|
+
- [Observed | High] Frontend build theo `laravel-mix`, monorepo NPM workspaces cho core/packages/plugins/themes; co su dung Vue 3.
|
|
15
|
+
Evidence: `package.json:3`, `package.json:5`, `package.json:6`, `package.json:7`, `package.json:8`, `package.json:28`, `package.json:47`.
|
|
16
|
+
- [Observed | Medium] Tooling quality gate duoc khai bao o dependency (`larastan`, `pint`, `rector`, `phpunit`) nhung chua thay root config rieng cho phpstan/pint/rector.
|
|
17
|
+
Evidence: `composer.json:44`, `composer.json:47`, `composer.json:51`, `composer.json:52`.
|
|
18
|
+
- [Observed | Medium] Deployment local/dev co `docker-compose` theo Laravel Sail runtime 8.2 + MySQL 8.0; chua thay GitHub workflow o repo.
|
|
19
|
+
Evidence: `docker-compose.yml`, `__NO_GITHUB_WORKFLOWS__` (filesystem check).
|
|
20
|
+
|
|
21
|
+
## Repository Topology
|
|
22
|
+
- [Observed | High] Root co cac nhom thu muc chinh: `app`, `config`, `routes`, `platform`, `resources`, `tests`, `vendor`, `_analytics`.
|
|
23
|
+
Evidence: root directory listing.
|
|
24
|
+
- [Observed | High] `platform` duoc to chuc theo 4 nhom lon:
|
|
25
|
+
- `core` (10 subdirs)
|
|
26
|
+
- `packages` (13 subdirs)
|
|
27
|
+
- `plugins` (17 subdirs)
|
|
28
|
+
- `themes` (1 subdir: `ripple`)
|
|
29
|
+
Evidence: `platform/` directory stats.
|
|
30
|
+
- [Observed | High] Plugins hien dien: `analytics`, `audit-log`, `backup`, `block`, `blog`, `captcha`, `contact`, `cookie-consent`, `custom-field`, `fob-comment`, `gallery`, `language`, `language-advanced`, `member`, `request-log`, `social-login`, `translation`.
|
|
31
|
+
Evidence: `platform/plugins/*` directory listing.
|
|
32
|
+
- [Observed | High] Surface route theo module rat lon: 44 route files trong `platform/**/routes` (34 `web.php`, 5 `api.php`) va 97 `*ServiceProvider.php`.
|
|
33
|
+
Evidence: recursive file counts.
|
|
34
|
+
|
|
35
|
+
## Architecture and Dependency Flow
|
|
36
|
+
- [Observed | High] Bootstrap app-level chi tro route web/console va healthcheck; nghiep vu duoc delegated vao providers/module routes.
|
|
37
|
+
Evidence: `bootstrap/app.php:8-11`, `routes/web.php`.
|
|
38
|
+
- [Observed | High] Luong nap plugin:
|
|
39
|
+
1. Lay manifest (`PluginManifest::getManifest`)
|
|
40
|
+
2. Set PSR-4 namespace cho plugin active
|
|
41
|
+
3. Register providers cua plugin active
|
|
42
|
+
Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php:28`, `:33`, `:38`, `:43`.
|
|
43
|
+
- [Observed | High] Plugin manifest cache nam o `bootstrap/cache/plugins.php`, co co che regenerate khi mismatch.
|
|
44
|
+
Evidence: `platform/packages/plugin-management/src/PluginManifest.php:16`, `:24`, `:42`, `:50`.
|
|
45
|
+
- [Observed | High] Dependency direction theo mo hinh: Laravel shell -> Botble core/packages -> plugin/theme provider + routes + hooks.
|
|
46
|
+
Evidence: `bootstrap/cache/packages.php:22`, `:143`, `:198`, `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:80`.
|
|
47
|
+
- [Observed | Medium] Su dung DI repository interface-to-implementation trong nhieu module (blog, media, contact, acl, ...), giam coupling truc tiep.
|
|
48
|
+
Evidence: `platform/plugins/blog/src/Providers/BlogServiceProvider.php:44`, `platform/core/media/src/Providers/MediaServiceProvider.php:50`, `platform/core/acl/src/Providers/AclServiceProvider.php:36`.
|
|
49
|
+
|
|
50
|
+
## Coding Style and Conventions
|
|
51
|
+
- [Observed | High] Naming convention va namespace theo PSR-4, cau truc thu muc theo bounded module (`Http/Controllers`, `Models`, `Providers`, `Repositories`, `Tables`, `Forms`).
|
|
52
|
+
Evidence: `platform/plugins/blog/src/Http/Controllers/PostController.php`, `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/src/Repositories/Eloquent/PostRepository.php`.
|
|
53
|
+
- [Observed | Medium] Pattern su dung nhieu: ServiceProvider, Facade, Repository, trait-based module bootstrap (`LoadAndPublishDataTrait`).
|
|
54
|
+
Evidence: `platform/core/base/src/Traits/LoadAndPublishDataTrait.php:20`, `:80`.
|
|
55
|
+
- [Observed | Medium] Typed method signatures va typed properties duoc ap dung rong, nhung khong thay `declare(strict_types=1)` trong `app` va `platform`.
|
|
56
|
+
Evidence: strict-types scan result `__NONE__`.
|
|
57
|
+
- [Observed | Medium] Root PHPUnit chi include `tests/Unit`, `tests/Feature` va source `app`; 2 test root de dang, trong khi test trong `platform` co 28 files.
|
|
58
|
+
Evidence: `phpunit.xml:8-17`, `tests/Feature/ExampleTest.php`, recursive test counts.
|
|
59
|
+
- [Inferred | Medium] Quality tooling co kha nang manh tren ly thuyet, nhung co the chua enforce day du neu khong co config/CI pipeline dong bo.
|
|
60
|
+
Evidence: `composer.json:44`, `:47`, `:52`, `__NO_GITHUB_WORKFLOWS__`.
|
|
61
|
+
|
|
62
|
+
## Extension Points (Modules/Themes/Plugins/Hooks)
|
|
63
|
+
- [Observed | High] Hook system kieu WordPress duoc implement native: `add_filter`, `add_action`, `apply_filters`, `do_action`.
|
|
64
|
+
Evidence: `platform/core/base/helpers/action-filter.php:8`, `:26`, `:37`, `:44`.
|
|
65
|
+
- [Observed | High] Hook usage rong trong he thong (dem scan): `add_filter` 153, `add_action` 45, `apply_filters` 247, `do_action` 85.
|
|
66
|
+
Evidence: recursive grep counts tren `platform`.
|
|
67
|
+
- [Observed | High] Lifecycle plugin day du: activate/deactivate/remove, dependency check, migration/assets/translations publish, manifest regen.
|
|
68
|
+
Evidence: `platform/packages/plugin-management/src/Services/PluginService.php:41`, `:228`, `:295`, `:409`, `:414`.
|
|
69
|
+
- [Observed | High] Theme extension point: route registration qua `Theme::registerRoutes`, `Theme::routes`; `theme.json` khai bao `required_plugins`.
|
|
70
|
+
Evidence: `platform/themes/ripple/routes/web.php:8`, `:20`, `platform/themes/ripple/theme.json:9`.
|
|
71
|
+
- [Observed | High] Admin extension point: da so module dang ky admin routes qua `AdminHelper::registerRoutes`.
|
|
72
|
+
Evidence: `platform/core/base/src/Helpers/AdminHelper.php:15`, multiple route files under `platform/**/routes/web.php`.
|
|
73
|
+
|
|
74
|
+
## API and Interaction Surfaces
|
|
75
|
+
- [Observed | High] REST API core o `vendor/botble/api` voi prefix `api/v1`; auth layer su dung `auth:sanctum` cho protected endpoints.
|
|
76
|
+
Evidence: `vendor/botble/api/routes/api.php:6`, `:23`.
|
|
77
|
+
- [Observed | High] API middleware stack duoc push dong vao group `api`: `ApiEnabledMiddleware`, `ForceJsonResponseMiddleware`, optional `ApiKeyMiddleware`.
|
|
78
|
+
Evidence: `vendor/botble/api/src/Providers/ApiServiceProvider.php:62`, `:65`, `:69`.
|
|
79
|
+
- [Observed | High] Plugin APIs da mo san:
|
|
80
|
+
- Blog content API (`posts`, `categories`, `tags`)
|
|
81
|
+
- Contact API (`contacts`) + throttle `5,1`
|
|
82
|
+
- Social Login API (`api/v1/auth/*`)
|
|
83
|
+
Evidence: `platform/plugins/blog/routes/api.php`, `platform/plugins/contact/routes/api.php:10`, `platform/plugins/social-login/routes/api.php`.
|
|
84
|
+
- [Observed | High] CLI surface lon (82 command classes scan), nhieu command namespace `cms:*` cho maintenance/integration.
|
|
85
|
+
Evidence: command class scan; `platform/core/base/src/Commands/UpdateCommand.php`, `platform/packages/plugin-management/src/Commands/PluginDiscoverCommand.php`, `vendor/botble/api/src/Commands/GenerateDocumentationCommand.php`.
|
|
86
|
+
- [Observed | High] Async va schedule surfaces co san: ShouldQueue listeners/jobs + scheduled prune/cleanup/refresh.
|
|
87
|
+
Evidence: `platform/plugins/request-log/src/Providers/CommandServiceProvider.php:24`, `platform/plugins/audit-log/src/Providers/AuditLogServiceProvider.php:65`, `platform/core/media/src/Providers/MediaServiceProvider.php:259`.
|
|
88
|
+
- [Observed | High] Khong thay GraphQL/webhook route footprint trong quet source hien tai.
|
|
89
|
+
Evidence: grep result `__NONE__` cho patterns `graphql|lighthouse|rebing` va `webhook` tren `app/platform/vendor/botble/api`.
|
|
90
|
+
|
|
91
|
+
## Data Model and State Management
|
|
92
|
+
- [Observed | High] Data layer chinh su dung Eloquent + migration theo module/plugin.
|
|
93
|
+
Evidence: `platform/plugins/blog/src/Models/Post.php`, `platform/plugins/blog/database/migrations/2015_06_18_033822_create_blog_table.php`.
|
|
94
|
+
- [Observed | High] So luong migration da dang ky: root `7`, platform `83`, vendor API `5`.
|
|
95
|
+
Evidence: migration file counts.
|
|
96
|
+
- [Observed | High] Trang thai plugin/theme/API duoc luu trong `settings` table (`activated_plugins`, `theme`, `api_enabled`).
|
|
97
|
+
Evidence: `database.sql:1798`.
|
|
98
|
+
- [Observed | Medium] Runtime drivers trong `.env` hien tai: cache/file, queue/sync, session/file, db/mysql.
|
|
99
|
+
Evidence: `.env:11`, `.env:12`, `.env:13`, `.env:36`.
|
|
100
|
+
- [Observed | Medium] Data migration/import-export capability da co package rieng (`data-synchronize`) voi route UI + command import/export/chunk cleanup.
|
|
101
|
+
Evidence: `vendor/botble/data-synchronize/routes/web.php:11`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php:44`.
|
|
102
|
+
|
|
103
|
+
## Security Posture
|
|
104
|
+
- [Observed | High] AuthN API dua tren Sanctum, co `auth:sanctum` gate cho protected endpoints.
|
|
105
|
+
Evidence: `vendor/botble/api/routes/api.php:23`, `bootstrap/cache/packages.php:225`.
|
|
106
|
+
- [Observed | High] API gate bo sung: co the tat API toan cuc (`ApiEnabledMiddleware`) va bat buoc `X-API-KEY` khi cau hinh.
|
|
107
|
+
Evidence: `vendor/botble/api/src/Http/Middleware/ApiEnabledMiddleware.php:14`, `vendor/botble/api/src/Http/Middleware/ApiKeyMiddleware.php:19`.
|
|
108
|
+
- [Observed | High] XSS sanitation co su dung purifier qua `BaseHelper::clean` (co the bypass neu bat `enable_less_secure_web`).
|
|
109
|
+
Evidence: `platform/core/base/src/Helpers/BaseHelper.php:373`, `:375`, `:390`, `platform/core/base/config/general.php:462`.
|
|
110
|
+
- [Observed | High] HTTP security headers duoc set qua middleware (`nosniff`, `SAMEORIGIN`, `X-XSS-Protection`, `Referrer-Policy`).
|
|
111
|
+
Evidence: `platform/core/base/src/Http/Middleware/HttpSecurityHeaders.php:18-21`.
|
|
112
|
+
- [Observed | High] Co rate-limit muc tieu cho endpoint tiep xuc public (`throttle:5,1`).
|
|
113
|
+
Evidence: `platform/plugins/contact/routes/api.php:10`.
|
|
114
|
+
- [Observed | High] Rui ro lon: CSRF verification co the bi disable trong admin khi moi truong la production.
|
|
115
|
+
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197`, `:199`; `platform/core/base/src/Helpers/AdminHelper.php:23`.
|
|
116
|
+
- [Observed | High] Rui ro cau hinh: `.env` hien tai de `APP_ENV=production` va `APP_DEBUG=true`.
|
|
117
|
+
Evidence: `.env:4`, `.env:3`.
|
|
118
|
+
- [Inferred | Medium] Co observability su co qua hook site error -> request-log event, va audit event listeners cho login/content.
|
|
119
|
+
Evidence: `platform/core/base/src/Exceptions/Handler.php:45`, `platform/plugins/request-log/src/Providers/HookServiceProvider.php:25`, `platform/plugins/audit-log/src/Providers/EventServiceProvider.php`.
|
|
120
|
+
|
|
121
|
+
## Integration Capability Matrix
|
|
122
|
+
| Domain | Entry Points | Required Adapters | Complexity | Risks | Confidence |
|
|
123
|
+
|---|---|---|---|---|---|
|
|
124
|
+
| External APIs | `api/v1` core + plugin APIs (`blog`, `contact`, `social-login`) | API gateway/versioning, request signing, client SDK wrappers | Medium | API co the dang tat (`api_enabled=0`), can governance versioning | High |
|
|
125
|
+
| Authentication/SSO | Sanctum (`auth:sanctum`), Social Login web/api routes | IdP config mapping, token lifecycle, callback domain hardening | Medium | Misconfig callback/provider secret, token refresh drift | High |
|
|
126
|
+
| Payment | Khong thay payment module active trong `platform/plugins` | Can plugin payment moi + domain model order/transaction | High | Scope tang nhanh, compliance (PCI/chargeback) | Medium |
|
|
127
|
+
| Messaging/Queue | ShouldQueue listeners/jobs, scheduler commands | Queue backend (Redis/SQS), worker orchestration, retries/DLQ | Medium | `.env` dang `QUEUE_CONNECTION=sync` lam giam async throughput | High |
|
|
128
|
+
| Storage/CDN | Media driver support `s3/r2/wasabi/bunnycdn/do_spaces/backblaze` | Credential/secret manager, CDN URL/signing, lifecycle policies | Medium | Sai config disk/ACL/public URL, chi phi egress | High |
|
|
129
|
+
| Observability | Request-log + Audit-log + logger channel hooks | Central log pipeline, metrics/tracing, alert routing | Medium | Log noise, thieu correlation-id va SLO metrics | Medium |
|
|
130
|
+
| Admin/UI customization | `AdminHelper::registerRoutes`, hooks/filters, panel sections, theme routes | Internal extension conventions, review checklist, plugin quality gates | Low-Medium | Hook overuse dan den kho truy vet side-effects | High |
|
|
131
|
+
| Content/data migration | `data-synchronize` routes/commands + migration system | Mapping schema, transform rules, validation + rollback tooling | Medium | Data quality drift, rollback strategy chua ro | High |
|
|
132
|
+
|
|
133
|
+
## Strengths, Weaknesses, Risks
|
|
134
|
+
- [Observed | High] Strength: Kien truc module/plugin/theme rat ro rang, extension points phong phu, de mo rong ma khong phai fork core.
|
|
135
|
+
Evidence: `platform/packages/plugin-management/src/Providers/PluginManagementServiceProvider.php`, `platform/core/base/helpers/action-filter.php`.
|
|
136
|
+
- [Observed | High] Strength: Integration surface da da dang (REST API, social auth, media cloud drivers, import/export tooling).
|
|
137
|
+
Evidence: `vendor/botble/api/routes/api.php`, `platform/plugins/social-login/routes/api.php`, `platform/core/media/src/Providers/MediaServiceProvider.php`, `vendor/botble/data-synchronize/src/Providers/DataSynchronizeServiceProvider.php`.
|
|
138
|
+
- [Observed | Medium] Weakness: Root test scope chua phan anh day du plugin/platform domain; CI workflow chua thay trong repo.
|
|
139
|
+
Evidence: `phpunit.xml:17`, `__NO_GITHUB_WORKFLOWS__`.
|
|
140
|
+
- [Observed | High] Weakness: App shell (`app/`) rat mong, kien thuc he thong tap trung trong platform/vendor, onboarding de bi tai.
|
|
141
|
+
Evidence: `routes/web.php`, `app/Providers/*.php`.
|
|
142
|
+
- [Observed | High] Risk: CSRF bypass trong admin production co the mo rong attack surface neu khong co compensating controls.
|
|
143
|
+
Mitigation: tat condition bypass mac dinh, gioi han theo route can thiet, bat buoc CSRF regression tests.
|
|
144
|
+
Evidence: `platform/core/base/src/Providers/EventServiceProvider.php:197-199`.
|
|
145
|
+
- [Observed | High] Risk: `APP_DEBUG=true` trong moi truong danh dau production.
|
|
146
|
+
Mitigation: set `APP_DEBUG=false`, review error rendering + log redaction.
|
|
147
|
+
Evidence: `.env:3-4`.
|
|
148
|
+
- [Inferred | Medium] Risk: Queue dang `sync` gay han che throughput va retries cho email/notifications/jobs.
|
|
149
|
+
Mitigation: chuyen queue backend async, them supervisor + retry policy.
|
|
150
|
+
Evidence: `.env:12`, `platform/plugins/contact/src/Listeners/SendContactEmailListener.php:11`.
|
|
151
|
+
|
|
152
|
+
## Top 10 Evidence Items
|
|
153
|
+
1. [Observed | High] Stack versions va merge plugin.
|
|
154
|
+
File/Symbol: `composer.json` (`require`, `extra.merge-plugin`).
|
|
155
|
+
Snippet summary: PHP 8.3/8.4, Laravel 13, Botble API, merge plugin/theme composer files.
|
|
156
|
+
2. [Observed | High] Frontend monorepo workspace.
|
|
157
|
+
File/Symbol: `package.json` (`workspaces`, `dependencies`, `devDependencies`).
|
|
158
|
+
Snippet summary: workspace split theo `platform/*`, build voi Laravel Mix, Vue 3.
|
|
159
|
+
3. [Observed | High] App bootstrap va entry routing.
|
|
160
|
+
File/Symbol: `bootstrap/app.php` (`withRouting`), `routes/web.php`.
|
|
161
|
+
Snippet summary: app shell route map don gian; web route root trong app de trong.
|
|
162
|
+
4. [Observed | High] Plugin dynamic loading by manifest.
|
|
163
|
+
File/Symbol: `PluginManagementServiceProvider::boot`, `PluginManifest::getManifest`.
|
|
164
|
+
Snippet summary: doc manifest, set PSR-4 plugin, register providers active.
|
|
165
|
+
5. [Observed | High] Hook/filter engine.
|
|
166
|
+
File/Symbol: `action-filter.php` (`add_filter`, `add_action`, `apply_filters`, `do_action`).
|
|
167
|
+
Snippet summary: co che extension runtime dung xuyen module.
|
|
168
|
+
6. [Observed | High] API auth/middleware orchestration.
|
|
169
|
+
File/Symbol: `ApiServiceProvider::boot`, `vendor/botble/api/routes/api.php`.
|
|
170
|
+
Snippet summary: push API middleware, prefix `api/v1`, auth sanctum cho protected routes.
|
|
171
|
+
7. [Observed | High] Security headers + CSRF bypass condition.
|
|
172
|
+
File/Symbol: `HttpSecurityHeaders::handle`, `EventServiceProvider::disableCsrfProtection`.
|
|
173
|
+
Snippet summary: set secure headers; condition co the replace CSRF middleware trong admin production.
|
|
174
|
+
8. [Observed | High] Input sanitization pivot.
|
|
175
|
+
File/Symbol: `BaseHelper::clean`, `core/base/config/general.php`.
|
|
176
|
+
Snippet summary: purifier active by default, co flag `enable_less_secure_web` de bypass.
|
|
177
|
+
9. [Observed | High] Multi-cloud media integration.
|
|
178
|
+
File/Symbol: `MediaServiceProvider::boot` switch media driver.
|
|
179
|
+
Snippet summary: support `s3`, `r2`, `wasabi`, `bunnycdn`, `do_spaces`, `backblaze`.
|
|
180
|
+
10. [Observed | High] Data migration/import-export tooling.
|
|
181
|
+
File/Symbol: `DataSynchronizeServiceProvider`, `vendor/botble/data-synchronize/routes/web.php`.
|
|
182
|
+
Snippet summary: co UI route + commands import/export + scheduled chunk cleanup.
|
|
183
|
+
|
|
184
|
+
## Unknowns and Verification Plan
|
|
185
|
+
- [Assumed | Medium] Chua xac nhan policy production thuc te cho CSRF bypass admin.
|
|
186
|
+
Verification: grep config override theo environment + pen-test luong form admin quan trong.
|
|
187
|
+
- [Assumed | Medium] Chua xac nhan tinh trang queue workers thuc te (supervisor/systemd).
|
|
188
|
+
Verification: check process/runtime metrics, chay test end-to-end cho queued jobs.
|
|
189
|
+
- [Assumed | Medium] Chua xac nhan API dang bat o moi truong production.
|
|
190
|
+
Verification: doc `settings` production (`api_enabled`), smoke test endpoint.
|
|
191
|
+
- [Assumed | Medium] Chua do duoc real test coverage theo plugin/module.
|
|
192
|
+
Verification: thiet lap pipeline test matrix (core + plugin critical suites) va coverage report.
|
|
193
|
+
- [Assumed | Low] Khong thay webhook/GraphQL footprint trong source hien tai, nhung co the ton tai o private plugins chua import.
|
|
194
|
+
Verification: inventory them plugin private/private repo + runtime route dump.
|
|
195
|
+
|
|
196
|
+
## Recommended Next Actions (30/60/90 day)
|
|
197
|
+
- [30 days | High priority]
|
|
198
|
+
- Dong hardening gap: tat `APP_DEBUG` tren production, review/rang buoc lai CSRF logic admin.
|
|
199
|
+
- Chuan hoa baseline architecture doc: route map, provider map, plugin dependency map.
|
|
200
|
+
- Tao smoke tests cho auth, API, plugin activation/deactivation, contact submission.
|
|
201
|
+
- [60 days | Medium priority]
|
|
202
|
+
- Chuyen queue sang async backend (Redis/SQS), bo sung retry policy + dead-letter strategy.
|
|
203
|
+
- Dung CI pipeline cho lint/static/test (pint + larastan + phpunit selective suites).
|
|
204
|
+
- Chuan hoa integration contracts cho API versioning va plugin hook governance.
|
|
205
|
+
- [90 days | Medium priority]
|
|
206
|
+
- Xay integration playbook (SSO, storage/CDN, data migration) kem template adapters.
|
|
207
|
+
- Bo sung observability stack: correlation-id, dashboard error budget, alert routing.
|
|
208
208
|
- Thiet lap regression/security test set cho cac extension points quan trong (hooks/routes/policies).
|
|
@@ -1,51 +1,51 @@
|
|
|
1
|
-
{
|
|
2
|
-
"id": "php-wordpress-core",
|
|
3
|
-
"name": "WordPress CMS",
|
|
4
|
-
"runtime": "php",
|
|
5
|
-
"runtimeVersion": ">=7.2.24",
|
|
6
|
-
"framework": "wordpress",
|
|
7
|
-
"frameworkVersion": "^6.0",
|
|
8
|
-
"cms": "wordpress",
|
|
9
|
-
"cmsType": "monolith-with-plugin-theme-extensions",
|
|
10
|
-
"description": "Open-source CMS built on PHP with a hook-based plugin/theme architecture, REST API, Block Editor (Gutenberg), and global function procedural style. Powers ~43% of the web.",
|
|
11
|
-
"keyFeatures": [
|
|
12
|
-
"Hook/Filter system (add_action, add_filter, do_action, apply_filters) — core extensibility",
|
|
13
|
-
"Plugin architecture via wp-content/plugins/",
|
|
14
|
-
"Theme architecture via wp-content/themes/ with template hierarchy",
|
|
15
|
-
"Block Editor (Gutenberg) with block.json registration",
|
|
16
|
-
"REST API with /wp-json/wp/v2/ endpoints and custom endpoint registration",
|
|
17
|
-
"WP_Query — the main content query engine",
|
|
18
|
-
"Custom Post Types and Custom Taxonomies",
|
|
19
|
-
"User roles and capabilities system (WP_Roles, WP_User)",
|
|
20
|
-
"Widget system (WP_Widget, WP_Widget_Factory)",
|
|
21
|
-
"Shortcode API",
|
|
22
|
-
"WP-Cron scheduling system",
|
|
23
|
-
"Multisite network support",
|
|
24
|
-
"Customizer API (WP_Customize_Manager)",
|
|
25
|
-
"Options API (get_option, update_option) for persistent key-value storage",
|
|
26
|
-
"Transients API for cached key-value storage with expiration",
|
|
27
|
-
"Rewrite API for pretty permalinks",
|
|
28
|
-
"Script/Style dependency management (wp_enqueue_script, wp_enqueue_style)",
|
|
29
|
-
"Interactivity API for interactive front-end blocks",
|
|
30
|
-
"Full Site Editing (FSE) with theme.json and block templates",
|
|
31
|
-
"XML-RPC and Application Passwords for remote authentication"
|
|
32
|
-
],
|
|
33
|
-
"directorySignature": [
|
|
34
|
-
"wp-content",
|
|
35
|
-
"wp-admin",
|
|
36
|
-
"wp-includes"
|
|
37
|
-
],
|
|
38
|
-
"fileSignature": [
|
|
39
|
-
"wp-config.php",
|
|
40
|
-
"wp-settings.php",
|
|
41
|
-
"wp-load.php",
|
|
42
|
-
"wp-blog-header.php"
|
|
43
|
-
],
|
|
44
|
-
"typicalPlugins": [
|
|
45
|
-
"woocommerce", "contact-form-7", "yoast-seo", "elementor",
|
|
46
|
-
"advanced-custom-fields", "wordfence", "jetpack",
|
|
47
|
-
"wp-super-cache", "akismet", "classic-editor"
|
|
48
|
-
],
|
|
49
|
-
"analysisFile": "structure.md",
|
|
50
|
-
"lastUpdated": "2026-05-03"
|
|
51
|
-
}
|
|
1
|
+
{
|
|
2
|
+
"id": "php-wordpress-core",
|
|
3
|
+
"name": "WordPress CMS",
|
|
4
|
+
"runtime": "php",
|
|
5
|
+
"runtimeVersion": ">=7.2.24",
|
|
6
|
+
"framework": "wordpress",
|
|
7
|
+
"frameworkVersion": "^6.0",
|
|
8
|
+
"cms": "wordpress",
|
|
9
|
+
"cmsType": "monolith-with-plugin-theme-extensions",
|
|
10
|
+
"description": "Open-source CMS built on PHP with a hook-based plugin/theme architecture, REST API, Block Editor (Gutenberg), and global function procedural style. Powers ~43% of the web.",
|
|
11
|
+
"keyFeatures": [
|
|
12
|
+
"Hook/Filter system (add_action, add_filter, do_action, apply_filters) — core extensibility",
|
|
13
|
+
"Plugin architecture via wp-content/plugins/",
|
|
14
|
+
"Theme architecture via wp-content/themes/ with template hierarchy",
|
|
15
|
+
"Block Editor (Gutenberg) with block.json registration",
|
|
16
|
+
"REST API with /wp-json/wp/v2/ endpoints and custom endpoint registration",
|
|
17
|
+
"WP_Query — the main content query engine",
|
|
18
|
+
"Custom Post Types and Custom Taxonomies",
|
|
19
|
+
"User roles and capabilities system (WP_Roles, WP_User)",
|
|
20
|
+
"Widget system (WP_Widget, WP_Widget_Factory)",
|
|
21
|
+
"Shortcode API",
|
|
22
|
+
"WP-Cron scheduling system",
|
|
23
|
+
"Multisite network support",
|
|
24
|
+
"Customizer API (WP_Customize_Manager)",
|
|
25
|
+
"Options API (get_option, update_option) for persistent key-value storage",
|
|
26
|
+
"Transients API for cached key-value storage with expiration",
|
|
27
|
+
"Rewrite API for pretty permalinks",
|
|
28
|
+
"Script/Style dependency management (wp_enqueue_script, wp_enqueue_style)",
|
|
29
|
+
"Interactivity API for interactive front-end blocks",
|
|
30
|
+
"Full Site Editing (FSE) with theme.json and block templates",
|
|
31
|
+
"XML-RPC and Application Passwords for remote authentication"
|
|
32
|
+
],
|
|
33
|
+
"directorySignature": [
|
|
34
|
+
"wp-content",
|
|
35
|
+
"wp-admin",
|
|
36
|
+
"wp-includes"
|
|
37
|
+
],
|
|
38
|
+
"fileSignature": [
|
|
39
|
+
"wp-config.php",
|
|
40
|
+
"wp-settings.php",
|
|
41
|
+
"wp-load.php",
|
|
42
|
+
"wp-blog-header.php"
|
|
43
|
+
],
|
|
44
|
+
"typicalPlugins": [
|
|
45
|
+
"woocommerce", "contact-form-7", "yoast-seo", "elementor",
|
|
46
|
+
"advanced-custom-fields", "wordfence", "jetpack",
|
|
47
|
+
"wp-super-cache", "akismet", "classic-editor"
|
|
48
|
+
],
|
|
49
|
+
"analysisFile": "structure.md",
|
|
50
|
+
"lastUpdated": "2026-05-03"
|
|
51
|
+
}
|