michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e8f6b239c6fe114dda77862ec63da92aba48aa30
michaelschiemer/docs/tasks.md
Michael Schiemer 55a330b223 Enable Discovery debug logging for production troubleshooting 
- Add DISCOVERY_LOG_LEVEL=debug
- Add DISCOVERY_SHOW_PROGRESS=true
- Temporary changes for debugging InitializerProcessor fixes on production
2025-08-11 20:13:26 +02:00

12 KiB
Raw Blame History

Improvement Tasks Checklist

This document lists actionable, logically ordered improvements for the project. Each task is prefixed with a checkbox for tracking. Tasks span architecture, quality, security, performance, testing, developer experience, and documentation.

Note: Some items reference existing files and modules to guide implementation. Execute tasks incrementally from top to bottom for best results.

Wichtigste Aufgaben (Top-Prioritäten sofort angehen)

Die folgenden Punkte liefern den größten Nutzen und sollten priorisiert bearbeitet werden. Sie referenzieren die entsprechenden Abschnitte weiter unten.

  • CI/CD Pipeline aufsetzen und härten (Lint, PHPStan, Tests, Composer Audit) siehe „CI/CD Pipeline Hardening“ (Punkt 2). Blocking für Qualität und Sicherheit.
  • Statische Analyse hochdrehen (strict_types prüfen, PHPStan-Level erhöhen, Baseline pflegen) siehe „Static Analysis and Type Safety“ (Punkt 3). Schneller Qualitätsgewinn.
  • Kritische Tests ergänzen: Sicherheitskomponenten/WAF und Integrationspfade (Auth, Persistence) siehe „Testing Improvements“ (Punkt 14/15) und „Security Improvements“ (Punkt 7).
  • CacheKey-Typo in CacheFeatureFlagRepository beheben und Negative-Caching-Strategie absichern siehe „Feature Flags System“ (Punkt 11) und „Concrete Fixes“ (Punkt 20).
  • HTTP-Layer Tests für HttpRequest/Query, Fehlerpfade und Middleware-Kette siehe „HTTP Layer and Routing“ (Punkt 10).
  • WAF/Rate Limiting verbessern, Regeln schärfen, Tests hinzufügen siehe „Security Improvements > Enhance WAF functionality“ (Punkt 7/IntelligentRateLimitLayer).
  • Konfiguration & Secrets zentralisieren (.env.example vervollständigen, Validierung beim Boot) siehe „Configuration and Secrets Management“ (Punkt 5).
  • Observability Basis schaffen: strukturierte Logs, Metriken (Hit/Miss/Errors), Tracing-Hooks siehe „Error Handling and Observability“ (Punkt 6) und „Performance and Caching“ (Punkt 8).
  • Datenbank-Quick-Wins: N+1 erkennen, Indexe ergänzen, Integrations-Tests für Repositories siehe „Data Layer and Persistence“ (Punkt 9).
  • Deployment/Operations stabilisieren: Healthchecks in Docker Compose, idempotente Deploy-Schritte siehe „Deployment and Ops“ (Punkt 19).
  • Developer-Docs aktualisieren (Getting Started, Troubleshooting) und ADRs für Schlüsselentscheidungen siehe „Documentation“ (Punkt 17) und „Developer Experience“ (Punkt 16).

  1. Establish a Baseline and Governance

    • Define and document the minimum supported PHP version and runtime requirements (extensions) in README and composer.json (platform).
    • Align coding standards across the codebase (PHP CS Fixer rules and .editorconfig) and enforce via CI.
    • Introduce a clear versioning strategy (SemVer), CHANGELOG, and release process.
    • Audit .gitignore to ensure build artifacts, caches (var/, storage/cache/, vendor/* docs), and generated files are excluded from VCS.

  2. CI/CD Pipeline Hardening

    • Add CI jobs: lint (php-cs-fixer dry-run), static analysis (phpstan), unit/integration tests (Pest), security scan (composer audit).
    • Add optional coverage reporting with Xdebug (XDEBUG_MODE=coverage) and a minimum threshold.
    • Add Docker image build/test job and push to a registry for deployment.
    • Introduce pre-commit hooks (lint, phpstan, pest) via Husky or CaptainHook for local dev.

  3. Static Analysis and Type Safety

    • Enable strict_types everywhere (verify headers and add missing declarations).
    • Raise PHPStan level progressively to target a high level (e.g., 8/9) and generate/update baseline responsibly.
    • Add Psalm or PHPStan-specific rules for DDD boundaries and unsafe patterns (mixed usage, array shape validation).
    • Replace magic arrays with value objects or DTOs where appropriate; document contracts.

  4. Dependency Injection and Module Boundaries

    • Document and formalize module boundaries (src/Application, src/Domain, src/Framework, src/Infrastructure) with allowed dependency directions.
    • Add architectural tests (Pest plugin or custom) to enforce dependency rules.
    • Review service wiring/discovery (DiscoveryServiceBootstrapper) and replace reflection-heavy or dynamic patterns with explicit configuration where it improves clarity/perf.
    • Ensure constructors favor interfaces; introduce missing interfaces for concrete dependencies.

  5. Configuration and Secrets Management

    • Centralize configuration (env/config/*.php) and document defaults and overrides.
    • Validate config at boot (fail-fast with actionable errors).
    • Ensure secrets are sourced from environment/secret stores, not committed; add examples to .env.example.
    • Add configuration schema tests (ensuring required keys and types).

  6. Error Handling and Observability

    • Standardize exception hierarchy and error codes across modules; avoid silent failures.
    • Add structured logging with context IDs (correlation, request, user) and log levels policy.
    • Introduce metrics for key operations (HTTP, cache, DB, queue) and expose Prometheus endpoint securely.
    • Add tracing hooks (OpenTelemetry) for critical paths; document propagation.

  7. Security Posture

    • Perform a security audit against OWASP Top 10; document findings and remediation plan.
    • Harden WAF (src/Framework/Waf): review rules, rate limiting strategies, false positive handling, and add tests.
    • Ensure input validation and output encoding in View processors; review IfProcessor and templating for SSR XSS vectors.
    • Enforce HTTPS, secure cookies, CSRF tokens, and security headers (CSP, HSTS) in HTTP module and Nginx config.
    • Add dependency vulnerability scanning in CI (e.g., symfony/security-checker replacement via Composer audit).

  8. Performance and Caching

    • Review and document cache strategy (Cache, MultiLevelCache, Async caches) and TTL policies per domain entity.
    • Add cache metrics (hit/miss/evictions) and logs to analyze effectiveness.
    • Implement cache warming for critical data at boot or via worker.
    • Resolve known cache correctness issues (e.g., negative caching keys, serialization safety).
    • Validate cache key naming with a central builder; enforce namespacing to avoid collisions.

  9. Data Layer and Persistence

    • Review repositories for N+1 queries and missing indexes; add DB migrations and schema docs.
    • Create integration tests for critical repositories.
    • Introduce transaction boundaries and retry strategy where needed.
    • Add database health checks and readiness probes for Docker composition.

  10. HTTP Layer and Routing

    • Increase test coverage for HttpRequest, Query, route resolution, middleware chain, and error responses.
    • Validate query parsing edge cases (duplicate keys, encodings) and add regression tests.
    • Normalize header casing and ensure PSR-7 compatibility where applicable.
    • Add request/response size limits and timeouts; document defaults.

  11. Feature Flags System

    • Define a canonical FeatureFlag repository interface contract and behaviors (null vs. NOT_FOUND semantics).
    • Add integration tests for CacheFeatureFlagRepository and FileFeatureFlagRepository, including negative cache behavior.
    • Fix typing/typos in cache key creation (CacheKey vs Cachekey) and ensure cache stores only serializable, immutable objects.
    • Add an admin endpoint/UI hardening with authorization checks in FeatureFlagController.

  12. Search Module

    • Validate SearchRequest input constraints and canonicalize parameters.
    • Add tests for SearchController behavior (pagination, empty results, errors).
    • Document search adapter contracts and index lifecycle.

  13. View and Templating

    • Review Processors (e.g., IfProcessor) for safety and predictable evaluation semantics.
    • Add template linting step and cached view invalidation strategy.
    • Ensure compiled view cache is not committed and is purged on deploy; update .gitignore if necessary.

  14. Queue and Async Processing

    • Define interfaces and contracts for queue-worker; add retry and backoff strategies.
    • Add idempotency guards for jobs and visibility timeouts.
    • Provide metrics and DLQ handling documentation.

  15. Testing Strategy (Pest)

    • Standardize test namespaces and file layout; ensure Tests mirror src structure.
    • Add factories/fixtures for common entities and a Faker-based generator.
    • Add integration tests for critical flows (auth, payments, persistence).
    • Add browser/E2E tests (Cypress/Selenium) for top user journeys (optional but recommended).
    • Establish coverage thresholds per package and enforce in CI.

  16. Developer Experience

    • Update Getting Started docs and ensure Docker build.sh and docker-compose flows are reliable across platforms.
    • Provide make targets or composer scripts for common tasks (cs, cs-fix, phpstan, pest, reload).
    • Create troubleshooting docs for Docker/DNS/cache issues; link from README.
    • Add local development data seeding scripts and reset commands.

  17. Documentation

    • Consolidate scattered docs and backups (backups/docs-backup-*/), migrate relevant content into docs/.
    • Add architecture decision records (ADRs) for key choices (DI, caching, WAF, templating).
    • Auto-generate API docs where feasible and publish via the existing /api/docs endpoints.
    • Keep README concise and link to deeper docs; add contribution guidelines cross-links.

  18. Code Hygiene and Consistency

    • Eliminate dead code, unused classes, and outdated experimental files; add CI check for unused symbols if possible.
    • Normalize naming (English vs. German in code identifiers; German is fine for test names per guidelines).
    • Ensure immutability/read-only where appropriate (readonly, final) and avoid incidental mutation.
    • Replace ad-hoc string constants with enums/ValueObjects where it improves safety.
    • Ensure all public APIs have PHPDoc where types cant fully express intent.

  19. Deployment and Ops

    • Review deploy.sh steps for idempotency and error handling; add rollback steps.
    • Add health checks to Docker Compose (web, php, db, redis) and readiness/liveness probes.
    • Parameterize environment-specific config (staging/production) and secrets injection.
    • Ensure asset build and cache warmups are part of deployment pipeline.

  20. Concrete Fixes Identified During Review

    • Fix Cache key class typo in CacheFeatureFlagRepository::getCacheKey (use CacheKey, not Cachekey) and add a unit test to catch it.
    • Verify negative caching marker ('NOT_FOUND') doesnt collide with real values; prefer a dedicated NullObject or sentinel ValueObject.
    • Audit src/Framework/View/cache/* and similar generated artifacts into .gitignore and remove from repo if committed.

  21. Monitoring and Alerting

    • Add basic alerting for error rates, latency, and resource saturation.
    • Create runbooks for on-call responses and link them from docs/operations.

  22. Accessibility and Internationalization (Optional but Valuable)

    • Add A11y checks for rendered views and components.
    • Formalize i18n/l10n strategy for user-facing content.

  23. Risk Register and Backlog Grooming

    • Maintain a living risk register (security, data loss, availability) and mitigation tasks.
    • Review this checklist quarterly and update priorities.
Reference in New Issue View Git Blame Copy Permalink