docs: map existing codebase
162
.paul/codebase/concerns.md
Normal file
@@ -0,0 +1,162 @@
# Codebase Concerns

**Analysis Date:** 2026-05-07

## Tech Debt

**Generated backup artifacts committed:**
- Issue: Backup archive and Duplicator working files are present in the repository.
- Files: `project_backup_2026-03-26_13-38-53.zip`, `wp-content/backups-dup-pro/`.
- Why: Likely copied from hosting/restore workflow.
- Impact: Large diffs, possible secret/data exposure, noisy repository, unclear source of truth.
- Fix approach: Add a `.gitignore`, remove generated backup artifacts from version control, and rotate secrets if already exposed.

**WordPress core and plugins committed as source:**
- Issue: Full WordPress core and third-party plugins are committed.
- Files: `wp-admin/`, `wp-includes/`, `wp-content/plugins/`.
- Why: Common FTP-style WordPress project snapshot.
- Impact: Accidental vendor/core edits are easy; updates/provenance are hard to audit; diffs become noisy.
- Fix approach: Define an update/deployment policy and keep custom changes isolated in theme/MU plugin/project-owned plugin files.

**Missing custom JS asset referenced by theme:**
- Issue: `wp-content/themes/hello-elementor/functions.php` references `wp-content/themes/hello-elementor/assets/js/custom.js`, but that file was not found.
- Files: `wp-content/themes/hello-elementor/functions.php`, `wp-content/themes/hello-elementor/assets/js/`.
- Why: Possibly planned custom JS or removed asset.
- Impact: Extra 404 request or dead enqueue depending on existence checks and deployment state.
- Fix approach: Create the asset intentionally or remove the enqueue.

## Known Bugs

**Possible duplicate GTM noscript output:**
- Symptoms: GTM noscript iframe may render twice on themes that support `wp_body_open`.
- Trigger: Both `wp_body_open` and `wp_footer` actions run.
- Files: `wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php`.
- Workaround: Browser usually tolerates it, but markup is duplicated.
- Root cause: Same callback registered to two hooks without a one-time guard.

**Malformed consent cookie can break banner JS:**
- Symptoms: Cookie banner initialization or helper methods can throw if stored cookie JSON is malformed.
- Trigger: User/browser has invalid consent cookie value.
- Files: `wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js`.
- Workaround: Clear browser cookies.
- Root cause: direct `JSON.parse()` calls without defensive parsing.

## Security Considerations

**Secrets committed in configuration files:**
- Risk: Database credentials, WordPress salts, and Duplicator auth material are present in source files.
- Files: `wp-config.php`, `wp-content/backups-dup-pro/installer/original_files_e507eb0-03080010/source_site_wpconfig`.
- Current mitigation: Secret values are not copied into PAUL docs.
- Recommendations: rotate exposed credentials/salts/auth keys, move environment-specific secrets out of committed files, and remove generated restore artifacts from version control.

**Backup archive may contain sensitive data:**
- Risk: Root backup archive may contain code, uploads, config, database dumps, or credentials.
- Files: `project_backup_2026-03-26_13-38-53.zip`.
- Current mitigation: none visible.
- Recommendations: inspect outside normal docs, remove from repo, rotate credentials if contents were committed/shared.

**Installer logs expose operational details:**
- Risk: Duplicator logs may reveal server paths, restore process details, and environment data.
- Files: `wp-content/backups-dup-pro/installer/dup-installer-log__c3605a4-03080010.txt`, `wp-content/backups-dup-pro/installer/dup-installer-bootlog__c3605a4-03080010.txt`.
- Current mitigation: none visible.
- Recommendations: treat as sensitive generated artifacts and remove from version control.

**Default WordPress table prefix:**
- Risk: Default prefix is a minor hardening weakness, especially on older/poorly protected installs.
- Files: `wp-config.php`.
- Current mitigation: WordPress security does not rely on prefix secrecy.
- Recommendations: consider custom prefix only during rebuild/migration, not casually on a live site.

## Performance Bottlenecks

**Cookie notice script loaded on every frontend page:**
- Problem: Custom consent script is about 25 KB and includes inline SVG strings.
- Files: `wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js`, `wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php`.
- Measurement: file is about 438 lines / 25 KB in scan.
- Cause: MU plugin enqueues the script globally.
- Improvement path: minify it, defer where safe, and keep it cached.

**Per-request `filemtime()` cache busting:**
- Problem: PHP calls `filemtime()` for custom assets on frontend requests.
- Files: `wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php`.
- Measurement: not measured; likely minor.
- Cause: development-friendly cache busting.
- Improvement path: use a fixed plugin/theme version constant if filesystem calls become a concern.

## Fragile Areas

**Cookie/consent frontend logic:**
- Files: `wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js`.
- Why fragile: public page code controls consent defaults, GTM updates, DOM rendering, and cookie parsing.
- Common failures: malformed cookies, duplicate events, console noise, markup string escaping issues.
- Safe modification: add defensive parsing first, then test accept/deny/update flows manually.
- Test coverage: no automated tests detected.

**Elementor form configuration lives in DB:**
- Files: `wp-content/plugins/elementor-pro/modules/forms/`, WordPress database.
- Why fragile: the actual form actions and field configuration are not visible in the file tree.
- Common failures: code/files appear unchanged while form delivery changes in admin/database.
- Safe modification: verify WordPress admin form settings and a real submission after any lead-flow work.
- Test coverage: no project E2E tests detected.

**Encoding of Polish copy:**
- Files: `wp-content/mu-plugins/cookie-notice-pro/cookie-notice-pro.php`, `wp-content/mu-plugins/cookie-notice-pro/assets/cookienoticepro.script.js`.
- Why fragile: some text appears mojibake in scans.
- Common failures: broken Polish characters after edits.
- Safe modification: confirm encoding before editing copy; preserve UTF-8.
- Test coverage: manual visual verification only.

## Scaling Limits

**Unknown hosting/deployment capacity:**
- Current capacity: not documented.
- Limit: unknown.
- Symptoms at limit: not measured.
- Scaling path: document hosting, cache strategy, and form delivery path.

## Dependencies at Risk

**Duplicator Pro restore tooling with PHP 8.4 noise:**
- Risk: installer logs show PHP 8.4 deprecation noise during restore.
- Impact: future restores on newer PHP runtimes may be noisy or brittle.
- Migration plan: update Duplicator Pro before relying on it for restore, or validate restore in staging.

**Committed plugin versions without update policy:**
- Risk: security/update status is hard to audit from repo alone.
- Impact: outdated plugins can create security and compatibility risk.
- Migration plan: document update ownership, version checks, and deployment process.

## Missing Critical Features

**No project-owned `.gitignore`:**
- Problem: generated artifacts and OS files are committed.
- Current workaround: manual care.
- Blocks: clean source control and safer collaboration.
- Implementation complexity: low.

**No deployment/update notes:**
- Problem: unclear how WordPress core/plugins/theme changes are deployed.
- Current workaround: infer from FTP/SFTP/hosting behavior.
- Blocks: reliable updates and rollback planning.
- Implementation complexity: low to medium.

## Test Coverage Gaps

**Lead capture flow:**
- What's not tested: landing page CTA, Elementor form submission, delivery/storage, thank-you/redirect behavior.
- Files: `wp-content/plugins/elementor-pro/modules/forms/`, WordPress database configuration, `wp-content/themes/hello-elementor/assets/css/custom.scss`.
- Risk: lead form could break silently.
- Priority: High.
- Difficulty to test: requires running WordPress environment and real/staged form configuration.

**Consent/GTM behavior:**
- What's not tested: consent defaulting, malformed cookie handling, GTM consent updates.
- Files: `wp-content/mu-plugins/cookie-notice-pro/`.
- Risk: analytics/compliance behavior can break public pages.
- Priority: High.
- Difficulty to test: moderate; JS unit tests or browser tests could cover this.

---

*Concerns audit: 2026-05-07*
*Update as issues are fixed or new ones discovered*
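Review bot: the "Secrets committed in configuration files" entry under Security Considerations recommends rotating the exposed values and removing the restore artifacts from version control, but removing `wp-config.php` secrets and `wp-content/backups-dup-pro/installer/original_files_e507eb0-03080010/source_site_wpconfig` from the working tree leaves them recoverable from git history, so the recommendation should state the order explicitly: rotate first, then either rewrite history or treat the old credentials, salts and Duplicator auth material as permanently compromised. The same caveat applies to the `.gitignore` fix approach under Tech Debt, which only prevents future commits. Two smaller points: "Current mitigation: Secret values are not copied into PAUL docs" describes this audit document rather than a mitigation of the exposure, and "none visible", as used for the backup archive and installer log entries, would be the accurate value; and since `wp-content/backups-dup-pro/` sits under the web root, the entry should record whether that directory is reachable over HTTP on the live host, because the exposure is not limited to the repository.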