cmsPRO/.paul/codebase/README.md

# Codebase Map — cmsPRO

> Generated: 2026-04-26 | Auto-generated by /paul:map-codebase

## Documents

| File | Contents |
|------|---------|
| [overview.md](overview.md) | Project summary, modules, entry points, refactoring status |
| [stack.md](stack.md) | PHP runtime, database, frontend libs, server config, external services |
| [architecture.md](architecture.md) | Directory map, patterns, routing, caching, namespaces |
| [conventions.md](conventions.md) | Naming, class patterns, PHPDoc, return types, DB access |
| [testing.md](testing.md) | PHPUnit setup, test structure, stubs, adding new tests |
| [integrations.md](integrations.md) | Email, geolocation, analytics, update server, file manager |
| [concerns.md](concerns.md) | Technical debt prioritized CRITICAL → HIGH → MEDIUM → LOW |

## Quick Reference

- **Architecture**: Controls → (deprecated) Factories → Domain Repositories → Medoo/MySQL
- **New code goes in**: `autoload/Domain/{Entity}/{Entity}Repository.php`
- **Tests go in**: `tests/Unit/Domain/{Entity}/{Entity}RepositoryTest.php`
- **Global helper**: `\S::method()` (legacy) or `\Shared\Helpers\Helpers::method()` (preferred)
- **Templates**: `templates/{module}/template.php` (user override: `templates_user/`)
- **CSRF**: `\Shared\Security\CsrfToken::getToken()` / `::validate($token)`
- **Cache**: `\Shared\Cache\CacheHandler::store($key, $data, $ttl)` / `::fetch($key)`

## Top Issues to Fix

1. **CRITICAL**: `unserialize()` on cookie — `admin/ajax/pages.php:36,49`
2. **CRITICAL**: Path traversal in updates — `autoload/admin/factory/class.Update.php:76-80`
3. **HIGH**: Missing input validation everywhere
4. **HIGH**: Password hash in auto-login cookie — `admin/index.php:59-61`
5. **MEDIUM**: God class Helpers.php (1220 lines) — needs splitting