bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
325 Commits 3 Branches 0 Tags
a043b88bc09624b509f3bbdd1a50a8513d992978
Commit Graph

6 Commits

Author SHA1 Message Date
bert.hausmans
a043b88bc0 chore: install rector with accept-current-state baseline 
Installs rector/rector ^2.0 (v2.4.2) + driftingly/rector-laravel
^2.0 as dev-dependencies. Configures PHP 8.2 language sets + safe
quality rule sets (CODE_QUALITY, DEAD_CODE, EARLY_RETURN,
TYPE_DECLARATION, PRIVATIZATION) + Laravel-specific sets
(LARAVEL_CODE_QUALITY, LARAVEL_COLLECTION).

Dry-run baseline: 487 rule-applications across 357 files. NO
changes applied in this commit — adoption is incremental via per-
set sprints documented in BACKLOG.md.

Top rules by volume:
  103  AddClosureVoidReturnTypeWhereNoReturnRector
   71  AddArrowFunctionReturnTypeRector
   51  AppToResolveRector
   34  ConvertStaticToSelfRector
   27  ReadOnlyClassRector
   18  NullToStrictStringFuncCallArgRector
   16  ReturnBinaryOrToEarlyReturnRector
   16  MakeModelAttributesAndScopesProtectedRector
   13  RemoveUnusedVariableAssignRector
   13  OptionalToNullsafeOperatorRector
   13  FlipTypeControlToUseExclusiveTypeRector

Composer scripts:
  - composer rector              — DRY-RUN (default)
  - composer rector:apply        — apply changes
  - composer rector:clear-cache  — clear Rector cache

Dry-run exits with code 2 when suggestions exist (Rector convention,
not an error state). Apply-mode exits 0 on clean runs.

Documentation: /dev-docs/RECTOR.md added; CLAUDE.md updated.

Backlog: per-set application sprints seeded
(TECH-RECTOR-01..05 + TECH-RECTOR-CI). DEAD_CODE (smallest scope)
and TYPE_DECLARATION (biggest volume, will help reduce Larastan
baseline) are the natural first two.

Disruptive sets deliberately deferred:
  - LaravelLevelSetList::UP_TO_LARAVEL_* — broad bulk upgrades
  - SetList::NAMING — high-churn variable renames
  - SetList::INSTANCEOF — substantial logic changes

Memory limit 2G (dry-run completed within it).

No production behavior change. No code modified — Rector ran
dry-run only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-25 03:50:41 +02:00
bert.hausmans
7542808cab chore: install larastan at level 6 with accept-all baseline 
Installs larastan/larastan ^3.0 (v3.9.6) as a dev-dependency. Level
6 is the starting target — catches missing typehints, method-
existence, null-safety, and model-property existence. Level 8
deferred to a follow-up sprint after level-6 baseline reaches zero.

Baseline error count at install: 1556 errors across 678 analysed
files (41 distinct identifiers).

Top 10 identifiers (errors / files):
  613 /  87  property.notFound
  289 /  52  missingType.generics
  154 /  31  argument.templateType
   98 /  61  missingType.iterableValue
   77 /  32  argument.type
   50 /  26  method.notFound
   35 /  35  method.childReturnType
   32 /   9  method.unresolvableReturnType
   31 /  10  assign.propertyType
   28 /  17  instanceof.alwaysTrue

Composer scripts:
  - composer analyse              — run static analysis
  - composer analyse:baseline     — regenerate baseline
  - composer analyse:clear-cache  — clear PHPStan result cache

Config deviation from plan: checkGenericClassInNonGenericObjectType
was removed in PHPStan 2.x (which Larastan 3 bundles) — setting
dropped from phpstan.neon, otherwise config matches the work
package verbatim. Defaults cover the original intent.

Documentation: /dev-docs/LARASTAN.md added; CLAUDE.md quality-gates
section introduced (with PHPUnit + Pint + Larastan listed).

Backlog: /dev-docs/BACKLOG.md gets 10 per-identifier reduction
sprints (TECH-LARASTAN-01..10) seeded from the actual baseline top
categories, plus TECH-LARASTAN-CI and TECH-LARASTAN-L8 follow-ups.

Memory limit 2G (baseline generation completed within it).

No production behavior change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-25 03:46:27 +02:00
bert.hausmans
948687f27e feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices 
Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 20:45:55 +02:00
bert.hausmans
b8286d6a84 security: round 4 — frontend hardening (deps, XSS, cookie security) 
Vulnerable dependencies upgraded:
- Backend: league/commonmark >=2.8.2 (HTML injection bypass),
  phpunit/phpunit >=11.5.50, laravel/tinker (psysh LPE)
- Frontend: axios 1.13→1.15 (SSRF + metadata exfiltration),
  @casl/ability updated (prototype pollution)
- Removed swiper from all 3 apps (prototype pollution CVE,
  only used in Vuexy demo pages)

XSS vectors removed:
- Deleted Vuexy demo pages with v-html rendering API data:
  help-center/article, academy/course-details
- Deleted all front-pages (landing, pricing, checkout, payment) —
  Vuexy marketing template, not Crewli business logic
- Deleted swiper demo components and views
- Fixed admin main.ts: replaced innerHTML with template literal
  with safe DOM construction using textContent

Cookie security:
- Added SameSite=Strict and Secure flags to admin cookie defaults

Cleanup:
- Removed swiper SCSS from all 3 apps
- Removed swiper custom element config from all 3 vite configs
- Portal localStorage cleanup verified: reset() clears all keys,
  called on both explicit logout and 401 interceptor

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-14 07:15:00 +02:00
bert.hausmans
1cb7674d52 refactor: align codebase with EventCrew domain and trim legacy band stack 
- Update API: events, users, policies, routes, resources, migrations
- Remove deprecated models/resources (customers, setlists, invitations, etc.)
- Refresh admin app and docs; remove apps/band

Made-with: Cursor
 2026-03-29 23:19:06 +02:00
Bert Hausmans
34e12e00b3 feat: initial commit - Band Management application 2026-01-06 03:11:46 +01:00