diff --git a/.paul/PROJECT.md b/.paul/PROJECT.md index 10271e1..cc0ef33 100644 --- a/.paul/PROJECT.md +++ b/.paul/PROJECT.md @@ -13,8 +13,8 @@ Sprzedawca moĹĽe obsĹ‚ugiwać zamĂłwienia ze wszystkich kanałów | Attribute | Value | |-----------|-------| | Version | 3.9.0-dev | -| Status | v3.9 Stabilizacja i splata dlugu technicznego in progress - Phase 138 Security and Legacy Hardening complete; Phase 139 ready to plan | -| Last Updated | 2026-05-17 (Phase 138 closed) | +| Status | v3.9 Stabilizacja i splata dlugu technicznego in progress - Phase 139 Sonar Critical/Major Cleanup complete; Phase 140 ready to plan | +| Last Updated | 2026-05-17 (Phase 139 closed) | ## Requirements 
@@ -138,6 +138,7 @@ Sprzedawca moĹĽe obsĹ‚ugiwać zamĂłwienia ze wszystkich kanałów - [x] Fakturownia Invoice Idempotency: delegowane faktury uzywaja stabilnego `oid=orders.internal_order_number`, lookup-first `GET /invoices.json?oid=...`, lokalnego stanu `pending_external`/`failed_retryable` i auto-attach po timeoutach — Phase 136 - [x] Delivery Status Backlog Verification: `DELIVERY-STATUS-MGMT` zamkniete jako wdrozone; runtime korzysta z DB-driven statusow, a read-only DB check nie wykazal starych ani niepoprawnych kluczy automatyzacji — Phase 137 - [x] Security and Legacy Hardening: test SMTP ma strict TLS by default z lokalnym `SMTP_ALLOW_SELF_SIGNED_DEV`, szablony e-mail/SMS blokuja nieznane placeholdery, raw `$_SESSION` jest izolowany w `Session`, a wskazane widoki uzywaja `$component()` zamiast hard `require` — Phase 138 +- [x] Sonar Critical/Major Cleanup: Phase 139 odswiezyla baseline Sonar i zmniejszyla OPEN BLOCKER/CRITICAL/MAJOR z 648 do 495 przez delivery-status/statistics cleanup, typowane wyjatki oraz szeroka migracje alert include/import patterns — Phase 139 - [x] Integracja polkurier.pl (fundament): pojedyncza globalna konfiguracja w `/settings/integrations/polkurier`, szyfrowany Token API + login, karta w hubie integracji obok Apaczki i realny test polaczenia przez `apimetod=test_auth_api` zweryfikowany na zywym koncie operatora; `ShipmentProviderRegistry` netkniety — `PolkurierShipmentService/TrackingService` w kolejnych fazach — Phase 127 - [x] polkurier ShipmentService + TrackingService + UI prepare panel: pelen kontrakt API (createShipment/getLabel/getStatus/cancelOrder/getAvailableCarriers), `PolkurierShipmentService` implementujacy `ShipmentProviderInterface` z normalizacja shipmenttype (lowercase) i splitem ulicy na street/housenumber/flatnumber, `PolkurierTrackingService` mapujacy statusy O/P/A/WP/D/Z/W na znormalizowane, panel "polkurier" w `prepare.php` z dynamiczna lista uslug z `available_carriers`, seed migracja 
`delivery_status_mappings(provider='polkurier')` z 7 wpisami z PDF v1.11; live test na #114/#115 zakonczony sukcesem po 4 iteracjach (ReferenceError → uppercase shipmenttype → orderno parsing → A4/A6); rozmiar etykiety sterowany w panelu klienta polkurier.pl (Ustawienia konta → Preferencje etykiet), NIE przez API — Phase 128 - [x] Order User Notes module (Phase 129): pelen CRUD notatek autorskich operatora per zamowienie. Reuse `order_notes` przez nowy `note_type='user'` z `user_id` (FK→users SET NULL) + `author_name` (snapshot) + indeks `idx_order_notes_type_order`. `OrderNotesService` z autoryzacja DB-level (`WHERE user_id = :user_id`, rowCount=0 ⇒ 403). Sekcja `#notes` w "Wiadomosci i zalaczniki" w `/orders/{id}` z inline edit form + delete przez `OrderProAlerts.confirm`. Badge `[N]` (indigo neutralny) przy nr zamowienia na `/orders/list` (subquery `user_notes_count` w paginate). Brak admin override (brak systemu rol w aplikacji) — edit/delete tylko dla autora — Phase 129 @@ -150,7 +151,7 @@ Sprzedawca moĹĽe obsĹ‚ugiwać zamĂłwienia ze wszystkich kanałów ### Active (In Progress) -- [ ] v3.9 Stabilizacja i splata dlugu technicznego — Phase 139 Sonar Critical/Major Cleanup ready to plan after Phase 138. +- [ ] v3.9 Stabilizacja i splata dlugu technicznego — Phase 140 Performance Safeguards ready to plan after Phase 139. ### Planned (Next) 
@@ -272,6 +273,7 @@ PHP (XAMPP/Laravel), integracje z API marketplace'Ăłw (Allegro, Erli) oraz API | SMTP mailbox TLS is strict by default | Phase 138: `ssl` and STARTTLS verify peer and host name; self-signed/unverified certificates require `SMTP_ALLOW_SELF_SIGNED_DEV=true` and local/dev/testing env. | 2026-05-17 | Active | | Unknown e-mail/SMS template placeholders are blocked on save | Phase 138: `TemplateVariableCatalog` is the shared catalog; create/edit rejects unknown `{{group.variable}}` keys while existing DB rows are not migrated. | 2026-05-17 | Active | | Raw session access belongs only in `App\Core\Support\Session` | Phase 138 moved auth, CSRF, flash and Allegro OAuth state access behind `Session::get/set/has/forget/pull`. | 2026-05-17 | Active | +| Phase 139 cleanup slices must stay behavior-preserving and leave god-class splits to Phase 141 | Phase 139 reduced Sonar BLOCKER/CRITICAL/MAJOR from 648 to 495 without DB/schema/business-flow changes; `php:S1448` remains a dedicated architecture concern. | 2026-05-17 | Active | | polkurier startuje jako jedna globalna konfiguracja (single-instance, mirror Apaczka/HostedSMS/SMSPLANET) z realnym testowym wywolaniem `apimetod=test_auth_api` | Operator ma jedno konto polkurier; fundament musi byc zweryfikowany na zywym API zanim dolozymy `PolkurierShipmentService` | 2026-05-14 | Active | | polkurier wymaga `login + token` razem w body `authorization` (nie samego tokena) | Zweryfikowane w SDK polkurier-sdk (`Auth.php`/`Request.php`); kolumna `login VARCHAR(190)` w `polkurier_integration_settings` mimo ze PLAN tego nie wymagal — kontrakt API to dyktuje | 2026-05-14 | Active | | polkurier API: top-level `status` === `'success'` (nie `'ok'`), tresc bledu w polu `response` envelope'a | `ResponseStatus::SUCCESS = 'success'` z `src/Type/ResponseStatus.php` SDK; bledy rzucane przez `ErrorException($response->get('response'))` w `PolkurierWebService.php`. 
Pattern dla wszystkich przyszlych metod polkurier API (`createShipment`, `getLabel`, `getStatus`, `cancelOrder`, etc.) | 2026-05-14 | Active | @@ -319,6 +321,6 @@ Quick Reference: --- *PROJECT.md — Updated when requirements or context change* -*Last updated: 2026-05-17 after Phase 138 (Security and Legacy Hardening) closure* +*Last updated: 2026-05-17 after Phase 139 (Sonar Critical/Major Cleanup) closure* diff --git a/.paul/ROADMAP.md b/.paul/ROADMAP.md index 6a16247..42c17a2 100644 --- a/.paul/ROADMAP.md +++ b/.paul/ROADMAP.md @@ -12,7 +12,7 @@ Milestone porzadkujacy zbudowany z `.paul/codebase/todo.md` i `.paul/codebase/co Rule for every phase/plan: przed implementacja sprawdzic w kodzie i dokumentacji, czy wpis nadal jest aktualny i czy nie zostal juz wdrozony; nastepnie przedstawic krotki plan operatorowi i zapytac o potwierdzenie. Dopiero po akceptacji wolno wprowadzac zmiany i uruchamiac testy. Jezeli wpis jest nieaktualny albo juz zrealizowany, faza/planu ma zamknac go dokumentacyjnie bez niepotrzebnej zmiany kodu. -Progress: 5 of 9 phases complete (56%). +Progress: 6 of 9 phases complete (67%). | Phase | Name | Plans | Status | |-------|------|-------|--------| 
@@ -21,7 +21,7 @@ Progress: 5 of 9 phases complete (56%). | 136 | Fakturownia Invoice Idempotency | 1/1 | Complete (2026-05-17; Fakturownia oid idempotency, migration/PHPUnit/Sonar env gaps documented) | | 137 | Delivery Status Backlog Verification | 1/1 | Complete (2026-05-17; verification-only closure, no stale automation keys found) | | 138 | Security and Legacy Hardening | 1/1 | Complete (2026-05-17; SMTP TLS/template/session/view hardening, PHPUnit/Sonar env gaps documented) | -| 139 | Sonar Critical/Major Cleanup | 1/TBD | Active (139-01 implemented 2026-05-17; total Sonar BLOCKER/CRITICAL/MAJOR 648 -> 605) | +| 139 | Sonar Critical/Major Cleanup | 2/2 | Complete (2026-05-17; Sonar BLOCKER/CRITICAL/MAJOR reduced 648 -> 495 across two cleanup slices) | | 140 | Performance Safeguards | TBD | Not started | | 141 | God Classes and Duplication Refactor | TBD | Not started | | 142 | Architecture Guardrails | TBD | Not started | @@ -54,7 +54,7 @@ Plans: 138-01 (complete; `.paul/phases/138-security-and-legacy-hardening/138-01- ### Phase 139: Sonar Critical/Major Cleanup Focus: Zmniejszyc potwierdzone problemy SonarQube z `concerns.md`: generic exceptions, zbyt wiele returnow, powtarzajace sie literaly, cognitive complexity, unused parameters, use-namespace-import oraz accessibility (`aria-label`, ``). Przed kazda grupa zmian odswiezyc stan skanu albo lokalnie potwierdzic wystepowanie problemu. -Plans: 139-01 (implemented; `.paul/phases/139-sonar-critical-major-cleanup/139-01-SUMMARY.md`) +Plans: 139-01 (complete; `.paul/phases/139-sonar-critical-major-cleanup/139-01-SUMMARY.md`); 139-02 (complete; `.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md`) ### Phase 140: Performance Safeguards @@ -633,4 +633,4 @@ Archive: `.paul/milestones/v0.1-ROADMAP.md` --- *Roadmap created: 2026-03-12* -*Last updated: 2026-05-17 - Phase 139 plan 139-01 implemented* +*Last updated: 2026-05-17 - Phase 139 complete; Phase 140 ready to plan* 
diff --git a/.paul/STATE.md b/.paul/STATE.md index 19fb293..c8014b5 100644 --- a/.paul/STATE.md +++ b/.paul/STATE.md 
@@ -5,44 +5,51 @@ See: .paul/PROJECT.md (updated 2026-05-17) **Core value:** Sprzedawca moze obslugiwac zamowienia ze wszystkich kanalow sprzedazy i nadawac przesylki bez przelaczania sie miedzy platformami. -**Current focus:** v3.9 Stabilizacja i splata dlugu technicznego; Phase 139 Sonar Critical/Major Cleanup plan 139-01 implemented, ready for UNIFY/next slice. +**Current focus:** v3.9 Stabilizacja i splata dlugu technicznego; Phase 139 Sonar Critical/Major Cleanup complete, Phase 140 Performance Safeguards ready to plan. ## Current Position Milestone: v3.9 Stabilizacja i splata dlugu technicznego -Phase: 139 of 142 (Sonar Critical/Major Cleanup) - Applying -Plan: 139-01 implemented -Status: APPLY complete; final Sonar scan processed -Last activity: 2026-05-17 19:58 - final Sonar scan processed; selected delivery-status files clean, statistics file has only remaining `php:S1448` +Phase: 140 of 142 (Performance Safeguards) +Plan: Not started +Status: Ready to plan +Last activity: 2026-05-17 23:21 - Phase 139 complete; transitioned to Phase 140 Progress: -- Milestone v3.9: [######----] 56% (5 of 9 phases complete) -- Phase 139: [####------] 40% (fresh baseline + first cleanup slice complete) +- Milestone v3.9: [#######---] 67% (6 of 9 phases complete) +- Phase 140: [----------] 0% (ready to plan) ## Loop Position Current loop state: ``` PLAN -> APPLY -> UNIFY - done done open [ready for summary/UNIFY] + done done done [Phase 139 loop complete; ready for Phase 140 PLAN] ``` ## Session Continuity -Last session: 2026-05-17 19:58 -Stopped at: Plan 139-01 implemented; documentation and summary pending finalization -Next action: Complete Phase 139-01 UNIFY/summary, then plan the next Sonar slice -Resume file: .paul/phases/139-sonar-critical-major-cleanup/139-01-PLAN.md +Last session: 2026-05-17 23:21 +Stopped at: Phase 139 complete, ready to plan Phase 140 +Next action: $paul-plan for Phase 140 Performance Safeguards +Resume file: .paul/ROADMAP.md ## Pending parallel 
work - None — Phase 118, 121, 122 wszystkie zacommitowane (8f14851, 360eef1). ## Git State -Last phase commit: HEAD feat(138): security and legacy hardening +Last phase commit: HEAD feat(139): sonar critical major cleanup Previous: feat(136): fakturownia invoice idempotency Branch: main +### Skill Audit (Phase 139) + +| Expected | Invoked | Notes | +|----------|---------|-------| +| `sonar-scanner` | invoked | Local PATH did not contain the scanner, but the official Windows x64 scanner was downloaded to `%TEMP%` and used successfully before and after cleanup. | +| `sonar-scanner` 139-02 | invoked | Reused the official Windows x64 scanner from `%TEMP%`; final scan succeeded with analysis `2c18a5b3-40b4-41d8-b826-df88615749db` and 495 OPEN BLOCKER/CRITICAL/MAJOR issues. | + ### Skill Audit (Phase 129) | Expected | Invoked | Notes | @@ -114,6 +121,7 @@ Branch: main - Phase 138 centralized raw `$_SESSION` access in `Session` and replaced targeted hard view `require`/inline `\App\...` patterns. - Phase 139 is confirmed by operator. Plan 139-01 must run a fresh `sonar-scanner` before code cleanup; stale API-only results are not enough. Scope should fix as many confirmed issues as safely possible, split across multiple plans if needed. - Phase 139-01 fresh scan found 648 OPEN BLOCKER/CRITICAL/MAJOR issues; final scan after cleanup found 605. Delivery status target files are clean; `OrdersStatisticsRepository` still needs a class split for `php:S1448`. +- Phase 139-02 final scan found 495 OPEN BLOCKER/CRITICAL/MAJOR issues. `php:S4833` dropped to 3 and selected `php:S112` generic exception clusters were replaced with typed exceptions. ### Blockers / Concerns 
@@ -133,7 +141,7 @@ Branch: main - Phase 138 follow-up: run `vendor/bin/phpunit tests/Unit/SmtpSecurityContextFactoryTest.php tests/Unit/TemplateVariableCatalogTest.php` after dependencies are installed. - Phase 139 follow-up: split `OrdersStatisticsRepository` (`php:S1448`, 43 methods) or include it in Phase 141 god-class refactor. -- Phase 139 follow-up: continue with fresh confirmed groups `php:S1142`, `php:S1192`, `php:S4833`, `php:S3776`, `php:S1172`, `php:S112`, plus Web table/accessibility issues. +- Phase 139 follow-up: continue with confirmed groups `php:S1142`, `php:S3776`, `php:S1172`, `php:S1192`, `php:S112`, plus Web table/accessibility issues. `php:S4833` is now only 3 core framework require issues. - Phase 138 manual smoke: test a real SMTP SSL/STARTTLS mailbox in strict mode; test invalid and valid e-mail/SMS template saves in UI. - Manualne testy AC-1..AC-7 dla Phase 112 na zywej bazie (XAMPP online). - Backfill zamowienia #882 - operator robi recznie po wdrozeniu (poza zakresem planu). diff --git a/.paul/changelog/2026-05-17.md b/.paul/changelog/2026-05-17.md index c10e9a1..1f61cba 100644 --- a/.paul/changelog/2026-05-17.md +++ b/.paul/changelog/2026-05-17.md 
@@ -8,6 +8,12 @@ - [Phase 138, Plan 138-01] Domknieto Security and Legacy Hardening: strict SMTP TLS, jawny local/dev self-signed override, walidacja zmiennych szablonow, centralizacja sesji i targeted view cleanup. - Dodano `SmtpSecurityContextFactory`, `TemplateVariableCatalog`, testy jednostkowe dla obu polityk oraz helper `$component()` w `Template`. - Udokumentowano brak zmian DB oraz luki srodowiskowe: `vendor/bin/phpunit` i `sonar-scanner` nie sa dostepne lokalnie. +- [Phase 139, Plan 139-01] Odswiezono baseline SonarQube i wykonano pierwszy cleanup slice: OPEN BLOCKER/CRITICAL/MAJOR spadly z 648 do 605. +- Wyczyszczono wybrane pliki Delivery Status/settings/view z potwierdzonych problemow Sonar, uproszczono fragmenty `OrdersStatisticsRepository` i udokumentowano pozostaly `php:S1448`. +- Zweryfikowano `sonar-scanner` przez tymczasowo pobrany oficjalny scanner Windows; PHPUnit pozostaje zablokowany przez brak `vendor/` i Composera w PATH. +- [Phase 139, Plan 139-02] Domknieto drugi cleanup slice Sonar: OPEN BLOCKER/CRITICAL/MAJOR spadly z 605 do 495. +- Dodano typowane wyjatki dla wybranych klastrow Settings/Automation, zmigrowano targetowane alert includes na `$component()` i usunieto inline `\App\...` z widokow. +- Zamknieto Phase 139 jako kompletna; kolejne kroki to Phase 140 Performance Safeguards oraz pozniejsze Phase 141 god-class splits. ## Zmienione pliki 
@@ -54,3 +60,39 @@ - `resources/views/users/index.php` - `tests/Unit/SmtpSecurityContextFactoryTest.php` - `tests/Unit/TemplateVariableCatalogTest.php` +- `.paul/phases/139-sonar-critical-major-cleanup/139-01-PLAN.md` +- `.paul/phases/139-sonar-critical-major-cleanup/139-01-SUMMARY.md` +- `.paul/phases/139-sonar-critical-major-cleanup/139-02-PLAN.md` +- `.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md` +- `.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md` +- `DOCS/todo.md` +- `src/Core/Exceptions/DeliveryStatusException.php` +- `src/Modules/Shipments/DeliveryStatus.php` +- `src/Modules/Shipments/DeliveryStatusRepository.php` +- `src/Modules/Settings/DeliveryStatusMappingController.php` +- `src/Modules/Settings/DeliveryStatusesController.php` +- `src/Modules/Statistics/OrdersStatisticsRepository.php` +- `resources/views/settings/_delivery-status-mappings-content.php` +- `resources/views/settings/delivery-status-mappings.php` +- `resources/views/settings/delivery-statuses.php` +- `tests/Unit/DeliveryStatusTest.php` +- `tests/Unit/OrdersStatisticsRepositoryTest.php` +- `src/Modules/Settings/FakturowniaApiException.php` +- `src/Modules/Settings/PolkurierApiException.php` +- `src/Modules/Settings/ErliOrderMappingException.php` +- `src/Modules/Automation/AutomationRuleException.php` +- `src/Modules/Settings/EmailTemplateException.php` +- `src/Modules/Settings/PolkurierApiClient.php` +- `src/Modules/Settings/ErliOrderMapper.php` +- `src/Modules/Automation/AutomationRepository.php` +- `src/Modules/Settings/EmailTemplateRepository.php` +- `src/Modules/Settings/SmsTemplateController.php` +- `src/Modules/Users/UsersController.php` +- `resources/views/layouts/app.php` +- `resources/views/layouts/auth.php` +- `resources/views/layouts/public.php` +- `resources/views/settings/erli.php` +- `resources/views/settings/polkurier.php` +- `resources/views/shipments/prepare.php` +- `tests/Unit/ErliOrderMapperTest.php` +- 
`tests/Unit/FakturowniaInvoiceIdempotencyTest.php` diff --git a/.paul/codebase/concerns.md b/.paul/codebase/concerns.md index 5f79266..524ffd4 100644 --- a/.paul/codebase/concerns.md +++ b/.paul/codebase/concerns.md @@ -7,7 +7,7 @@ Szczegoly i dowody: `.paul/phases/134-backlog-reality-check/BACKLOG-AUDIT.md`. | Group / item | Status po audycie | Krotki wniosek | |--------------|-------------------|----------------| | God Classes | **Active** | Klasy nadal sa duze; stare LOC/method counts sa nieaktualne, ale Phase 141 pozostaje zasadny. | -| SonarQube Issues | **Fresh baseline / active patterns** | Phase 139 odswiezyl baseline i zredukowal pierwsza fale issue; pozostale grupy sa aktualne po skanie z 2026-05-17. | +| SonarQube Issues | **Fresh baseline / active patterns** | Phase 139 odswiezyl baseline i zredukowal dwie fale issue; pozostale grupy sa aktualne po skanie 139-02 z 2026-05-17. | | Breaking: delivery status group keys | **Closed in Phase 137** | DB-driven statusy sa wdrozone, a read-only DB check nie znalazl starych ani niepoprawnych kluczy automatyzacji. | | Breaking: `SHIPMENT_STATUS_OPTION_MAP` | **Implemented / stale** | Symbol nie wystepuje juz w runtime source. | | Breaking: `_csrf_token` -> `_token` | **Implemented / stale** | Formularze/kontrolery uzywaja `_token`; wewnetrzny session key w `Csrf` nie jest problemem formularzy. | 
@@ -18,7 +18,7 @@ Szczegoly i dowody: `.paul/phases/134-backlog-reality-check/BACKLOG-AUDIT.md`. | Security: template variables | **Resolved in Phase 138** | Nowe/edytowane szablony e-mail/SMS blokuja nieznane `{{grupa.zmienna}}` przez wspolny `TemplateVariableCatalog`. | | Architecture Concerns | **Active / low impact** | Zostawic do decyzji w Phase 142. | | Duplication Areas | **Mixed** | `SslCertificateResolver` i `RedirectPathResolver` sa czesciowo wdrozone; reszta wymaga selektywnej decyzji. | -| Legacy patterns | **Partly resolved in Phase 138** | Raw `$_SESSION` jest izolowany w `Session`; wskazane hard `require` i inline FQCN w widokach sa usuniete. Alert includes pozostaja zaakceptowanym patternem Phase 120. | +| Legacy patterns | **Mostly resolved in Phase 139-02** | Raw `$_SESSION` jest izolowany w `Session`; targetowane hard `require`/alert includes i inline FQCN w widokach sa usuniete przez `$component()` i lokalne importy. | | Performance Risks | **Active / needs profiling** | Return-risk indexes i cron backoff aktywne; `findDetails()` najpierw profilowac. | ## God Classes (Priority Refactor Targets) 
@@ -37,22 +37,22 @@ Szczegoly i dowody: `.paul/phases/134-backlog-reality-check/BACKLOG-AUDIT.md`. ## SonarQube Issues (new code since 2026-03-28) -Fresh Phase 139 baseline after plan 139-01: **605 OPEN BLOCKER/CRITICAL/MAJOR issues** (BLOCKER=0, CRITICAL=181, MAJOR=424). +Fresh Phase 139 baseline after plan 139-02: **495 OPEN BLOCKER/CRITICAL/MAJOR issues** (BLOCKER=0, CRITICAL=178, MAJOR=317). | Rule | Count | Severity | Examples | |------|-------|----------|---------| | `php:S1142` — Excess return statements | 148 | MAJOR | Many service/controller methods still have 4+ returns | -| `php:S1192` — Duplicated string literals | 101 | CRITICAL | Route paths, SQL fragments, status strings, HTTP headers | -| `php:S4833` — Use namespace import / direct include patterns | 93 | MAJOR | Remaining source/view import/include cleanup outside Phase 139-01 target | +| `php:S1192` - Duplicated string literals | 98 | CRITICAL | Route paths, SQL fragments, status strings, HTTP headers | +| `php:S4833` - Use namespace import / direct include patterns | 3 | MAJOR | Remaining issues are core framework `require` calls in Application/Translator/Template | | `php:S3776` — Cognitive complexity > 15 | 54 | CRITICAL | Mapper/service/reporting methods needing focused refactor | | `php:S1172` — Unused parameters | 41 | MAJOR | Handler payload/request params | -| `php:S112` — Generic exceptions | 40 | MAJOR | Remaining generic exceptions outside delivery-status repository | +| `php:S112` - Generic exceptions | 23 | MAJOR | Remaining generic exceptions outside selected compact Settings/Automation clusters | | `php:S1448` — Class too large | 16 | MAJOR | See god classes above | | `php:S4423` — Weak TLS protocol | stale | **CRITICAL** | Resolved in Phase 138: `EmailMailboxController::testConnection()` uzywa strict SSL context i STARTTLS | | `Web:TableHeaderHasIdOrScopeCheck` | 16 | MAJOR | Tables without explicit header scope/id | | `Web:S6819` — Accessibility | 5 | MAJOR | Use semantic 
output/status elements where applicable | -Phase 139-01 reduced the fresh total by 43 issues and cleared all selected delivery-status files. Remaining detailed baseline: `.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md`. +Phase 139-01 reduced the fresh total by 43 issues and cleared all selected delivery-status files. Phase 139-02 reduced the post-139-01 total by 110, mainly through broad `$component()` alert rendering and typed exceptions. Remaining detailed baseline: `.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md`. ## Breaking Changes @@ -112,7 +112,7 @@ These support the correlated subquery in `OrdersRepository` used for return-risk | Pattern | Location | Status | |---------|----------|--------| | `fsockopen('ssl://')` / weak SMTP TLS | `EmailMailboxController::testConnection()` | Resolved in Phase 138; strict stream context + STARTTLS, local dev override only. | -| `require` in targeted views | `resources/views/accounting/index.php`, `orders/list.php`, `orders/show.php`, `users/index.php` | Resolved in Phase 138 through `$component()` helper. Other alert includes remain accepted Phase 120 pattern. | +| `require` / direct alert includes in targeted views | `resources/views/...` targeted by Phase 139-02 | Resolved through `$component()` helper. Remaining `php:S4833` issues are core framework file loading, not alert components. | | Raw `$_SESSION` access | Auth/Flash/Csrf/OAuth before Phase 138 | Resolved in Phase 138; raw access is isolated in `App\Core\Support\Session`. | ## Performance Risks diff --git a/.paul/codebase/tech_changelog.md b/.paul/codebase/tech_changelog.md index e98dcee..ffe2b84 100644 --- a/.paul/codebase/tech_changelog.md +++ b/.paul/codebase/tech_changelog.md 
@@ -1,5 +1,19 @@ # Technical Changelog +## 2026-05-17 - Phase 139 Plan 02: Sonar Critical/Major Cleanup + +**Co zrobiono:** +- Finalny Sonar: 495 OPEN BLOCKER/CRITICAL/MAJOR po 139-02 (spadek z 605 po 139-01). +- Dodano typowane wyjatki w selected Settings/Automation clusters: Fakturownia, Polkurier, Erli mapping, automation duplicate i email template duplicate. +- Targetowane widoki/layouty renderuja alert component przez `$component()`; `messageHtml` pozostaje tylko dla zaufanego gotowego HTML. +- `SmsTemplateController` i `UsersController` maja stale tras/flashy oraz male helpery walidacyjne, bez zmiany routingu i UX. + +**Dlaczego:** +- Najwiekszy bezpieczny zysk po 139-01 byl w `php:S4833` i `php:S112`; plan nie mial ruszac schematu DB ani god-class splitow. + +**BREAKING / migracja:** +- Brak migracji DB i brak breaking changes. + ## 2026-05-17 - Phase 139 Plan 01: Sonar Critical/Major Cleanup **Co zrobiono:** diff --git a/.paul/phases/139-sonar-critical-major-cleanup/139-02-PLAN.md b/.paul/phases/139-sonar-critical-major-cleanup/139-02-PLAN.md new file mode 100644 index 0000000..b5cf79e --- /dev/null +++ b/.paul/phases/139-sonar-critical-major-cleanup/139-02-PLAN.md 
@@ -0,0 +1,275 @@ +--- +phase: 139-sonar-critical-major-cleanup +plan: 02 +type: execute +wave: 1 +depends_on: ["139-01"] +files_modified: + - src/Modules/Settings/FakturowniaApiException.php + - src/Modules/Settings/FakturowniaApiClient.php + - src/Modules/Settings/PolkurierApiException.php + - src/Modules/Settings/PolkurierApiClient.php + - src/Modules/Settings/ErliOrderMappingException.php + - src/Modules/Settings/ErliOrderMapper.php + - src/Modules/Automation/AutomationRuleException.php + - src/Modules/Automation/AutomationRepository.php + - src/Modules/Settings/EmailTemplateException.php + - src/Modules/Settings/EmailTemplateRepository.php + - src/Modules/Settings/SmsTemplateController.php + - src/Modules/Users/UsersController.php + - resources/views/layouts/app.php + - resources/views/layouts/auth.php + - resources/views/layouts/public.php + - resources/views/auth/login.php + - resources/views/users/index.php + - resources/views/orders/list.php + - resources/views/orders/show.php + - resources/views/orders/receipt-create.php + - resources/views/automation/index.php + - resources/views/automation/form.php + - resources/views/statistics/orders.php + - resources/views/accounting/index.php + - resources/views/accounting/invoice_form.php + - resources/views/shipments/prepare.php + - resources/views/settings/accounting.php + - resources/views/settings/accounting-invoices.php + - resources/views/settings/accounting-invoice-edit.php + - resources/views/settings/accounting-receipts.php + - resources/views/settings/accounting-receipt-edit.php + - resources/views/settings/allegro.php + - resources/views/settings/apaczka.php + - resources/views/settings/company.php + - resources/views/settings/cron.php + - resources/views/settings/database.php + - resources/views/settings/delivery-status-form.php + - resources/views/settings/email-mailboxes.php + - resources/views/settings/email-templates.php + - resources/views/settings/email-templates-form.php + - 
resources/views/settings/erli.php + - resources/views/settings/fakturownia.php + - resources/views/settings/hostedsms.php + - resources/views/settings/inpost.php + - resources/views/settings/integrations.php + - resources/views/settings/polkurier.php + - resources/views/settings/printing.php + - resources/views/settings/project-mappings.php + - resources/views/settings/shoppro.php + - resources/views/settings/sms-templates.php + - resources/views/settings/sms-templates-form.php + - resources/views/settings/smsplanet.php + - resources/views/settings/statuses.php + - tests/Unit/ErliOrderMapperTest.php + - tests/Unit/FakturowniaInvoiceIdempotencyTest.php + - tests/Unit/OrdersStatisticsRepositoryTest.php + - DOCS/ARCHITECTURE.md + - DOCS/TECH_CHANGELOG.md + - DOCS/todo.md + - .paul/codebase/concerns.md + - .paul/codebase/tech_changelog.md + - .paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md +autonomous: true +delegation: off +--- + + +## Goal +Reduce the largest safe set of remaining Phase 139 Sonar `BLOCKER,CRITICAL,MAJOR` issues after plan 139-01, prioritizing high-count rules `php:S4833`, `php:S112`, `php:S1142`, `php:S1192`, and `php:S1172` without doing the `OrdersStatisticsRepository`/god-class split reserved for Phase 141. + +## Purpose +Plan 139-01 already reduced the fresh Sonar baseline from 648 to 605 issues and cleared the selected delivery-status cluster. This plan takes the operator-approved aggressive path for the next highest-impact cleanup: remove broad mechanical import/include issues, replace generic exceptions in compact API/repository clusters, and flatten small controllers where the behavior is easy to preserve. + +## Output +Typed exception classes for selected Settings/Automation failures, remaining alert component includes migrated to `$component()`, small controller/repository return/literal cleanup, updated Sonar/debt documentation, and a final Sonar scan showing the remaining count and next slice. 
+ + + + +- **Zakres** - Jaki ma byc glowny zakres planu 139-02? + -> Odpowiedz: Najwiekszy efekt. +- **Skan** - Czy 139-02 ma ponownie zaczynac od pelnego `sonar-scanner`, czy bazowac na finalnym skanie z 139-01? + -> Odpowiedz: Bazuj na 139-01. +- **Ryzyko** - Jak agresywny ma byc refaktor w tym slice? + -> Odpowiedz: Agresywny. + + +## Project Context +@.paul/PROJECT.md +@.paul/ROADMAP.md +@.paul/STATE.md +@AGENTS.md +@DOCS/ARCHITECTURE.md +@DOCS/DB_SCHEMA.md +@DOCS/TECH_CHANGELOG.md + +## Prior Work +@.paul/phases/139-sonar-critical-major-cleanup/139-01-SUMMARY.md +@.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md + +## Source Files +@.paul/SPECIAL-FLOWS.md +@.paul/codebase/concerns.md +@DOCS/todo.md +@src/Modules/Settings/FakturowniaApiClient.php +@src/Modules/Settings/PolkurierApiClient.php +@src/Modules/Settings/ErliOrderMapper.php +@src/Modules/Automation/AutomationRepository.php +@src/Modules/Settings/EmailTemplateRepository.php +@src/Modules/Settings/SmsTemplateController.php +@src/Modules/Users/UsersController.php +@resources/views/layouts/app.php +@resources/views/layouts/auth.php +@resources/views/layouts/public.php +@resources/views/shipments/prepare.php +@resources/views/settings/*.php +@resources/views/orders/*.php +@resources/views/automation/*.php +@resources/views/accounting/*.php +@resources/views/users/index.php +@resources/views/auth/login.php +@resources/views/statistics/orders.php + + + +## Required Skills (from SPECIAL-FLOWS.md) + +| Skill | Priority | When to Invoke | Loaded? | +|-------|----------|----------------|---------| +| `sonar-scanner` | required | After APPLY, before UNIFY | o | +| /code-review | optional | Before UNIFY if the broad view/repository cleanup touches shared contracts | o | +| /simplify | optional | After APPLY if aggressive refactor leaves duplicated helper patterns | o | + +**BLOCKING for UNIFY:** `sonar-scanner` must be run after implementation. 
Because plan 139-02 intentionally bases initial target selection on the final 139-01 scan, APPLY does not need a new pre-edit scanner run. If `sonar-scanner` is still not in PATH, reuse the official Windows scanner downloaded during 139-01 or download the same official Windows x64 scanner to `%TEMP%`. + + + + +## AC-1: Plan uses the 139-01 final baseline, not stale counts +```gherkin +Given plan 139-01 ended with 605 OPEN BLOCKER/CRITICAL/MAJOR issues +When 139-02 implementation starts +Then target selection is based on `.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md` final scan and local code inspection, without requiring a new pre-edit scanner run +``` + +## AC-2: Generic exceptions are reduced in selected compact clusters +```gherkin +Given Sonar still reports `php:S112` outside the delivery-status repository +When the selected Settings/Automation clusters are cleaned +Then `FakturowniaApiClient`, `PolkurierApiClient`, `ErliOrderMapper`, `AutomationRepository::duplicate()`, and `EmailTemplateRepository::duplicate()` use typed domain exceptions instead of generic `RuntimeException` +``` + +## AC-3: Direct component includes/import-pattern issues are reduced broadly +```gherkin +Given many views still include `components/alert.php` directly or reference fully qualified `\App\...` classes inline +When the view cleanup finishes +Then targeted views use the established `$component('components/alert', [...])` helper and inline `\App\...` references are moved to controller-prepared variables or local imports where practical +``` + +## AC-4: Small controller/repository return and literal issues are reduced +```gherkin +Given selected controllers have repeated redirect paths, repeated flash keys, unused request parameters, or excessive early returns +When the cleanup completes +Then `SmsTemplateController` and `UsersController` have narrow helpers/constants that preserve the same redirects, messages, validation order, and response statuses while reducing 
confirmed `php:S1142`, `php:S1192`, and `php:S1172` issues +``` + +## AC-5: Behavior remains unchanged +```gherkin +Given the plan touches shared settings APIs, automation duplication, user creation, SMS templates, and view rendering +When verification runs +Then PHP lint passes for every touched PHP file/view, existing targeted runtime smokes still pass where available, and no route, form action, CSRF, flash, status mapping, invoice idempotency, or shipment behavior changes are introduced +``` + +## AC-6: Remaining Sonar work is documented +```gherkin +Given this is still not the final Phase 139 slice +When the final Sonar scan completes +Then `SONAR-BASELINE.md`, `DOCS/todo.md`, `.paul/codebase/concerns.md`, and technical changelogs record the new totals, fixed groups, remaining top groups, and the recommended next plan +``` + + + + + + + Task 1: Replace selected generic exceptions with typed domain exceptions + src/Modules/Settings/FakturowniaApiException.php, src/Modules/Settings/FakturowniaApiClient.php, src/Modules/Settings/PolkurierApiException.php, src/Modules/Settings/PolkurierApiClient.php, src/Modules/Settings/ErliOrderMappingException.php, src/Modules/Settings/ErliOrderMapper.php, src/Modules/Automation/AutomationRuleException.php, src/Modules/Automation/AutomationRepository.php, src/Modules/Settings/EmailTemplateException.php, src/Modules/Settings/EmailTemplateRepository.php, tests/Unit/ErliOrderMapperTest.php, tests/Unit/FakturowniaInvoiceIdempotencyTest.php + + Reduce confirmed `php:S112` in compact, high-confidence clusters. + - Add final typed exception classes extending the nearest existing project exception base when available, otherwise `RuntimeException`: `FakturowniaApiException`, `PolkurierApiException`, `ErliOrderMappingException`, `AutomationRuleException`, `EmailTemplateException`. + - Replace `throw new RuntimeException` / `throw new \RuntimeException` only in the selected files listed above. 
Preserve exception messages, codes, previous exceptions, and catch semantics. + - Update `catch (RuntimeException ...)` in `PolkurierApiClient::testConnection()` to catch the new typed exception if the call path now throws it. + - Do not convert broad `catch (RuntimeException)` blocks in integration sync services unless they catch the selected new typed exception without changing external behavior. + - Adjust tests only where they assert exception class or message. Do not add schema changes or new dependencies. + + `C:\xampp\php\php.exe -l` on all selected source/test files; targeted ad-hoc runtime smoke for Erli mapper invalid payload; existing invoice idempotency smoke if available; final Sonar file-level check after scanner + AC-2 and AC-5 satisfied for selected generic exception clusters. + + + + Task 2: Migrate remaining alert includes and inline view imports + resources/views/layouts/app.php, resources/views/layouts/auth.php, resources/views/layouts/public.php, resources/views/auth/login.php, resources/views/users/index.php, resources/views/orders/list.php, resources/views/orders/show.php, resources/views/orders/receipt-create.php, resources/views/automation/index.php, resources/views/automation/form.php, resources/views/statistics/orders.php, resources/views/accounting/index.php, resources/views/accounting/invoice_form.php, resources/views/shipments/prepare.php, resources/views/settings/accounting.php, resources/views/settings/accounting-invoices.php, resources/views/settings/accounting-invoice-edit.php, resources/views/settings/accounting-receipts.php, resources/views/settings/accounting-receipt-edit.php, resources/views/settings/allegro.php, resources/views/settings/apaczka.php, resources/views/settings/company.php, resources/views/settings/cron.php, resources/views/settings/database.php, resources/views/settings/delivery-status-form.php, resources/views/settings/email-mailboxes.php, resources/views/settings/email-templates.php, 
resources/views/settings/email-templates-form.php, resources/views/settings/erli.php, resources/views/settings/fakturownia.php, resources/views/settings/hostedsms.php, resources/views/settings/inpost.php, resources/views/settings/integrations.php, resources/views/settings/polkurier.php, resources/views/settings/printing.php, resources/views/settings/project-mappings.php, resources/views/settings/shoppro.php, resources/views/settings/sms-templates.php, resources/views/settings/sms-templates-form.php, resources/views/settings/smsplanet.php, resources/views/settings/statuses.php + + Reduce `php:S4833` and repeated include patterns aggressively but mechanically. + - Replace direct `include dirname(__DIR__) . '/components/alert.php'` and `include __DIR__ . '/../components/alert.php'` alert rendering with `$component('components/alert', [...])`. + - Preserve `messageHtml` behavior by passing `messageHtml` only for trusted prebuilt HTML and preserving `dismissible`/`role` values. Do not double-escape trusted HTML. + - In layouts, keep central flash rendering behavior exactly the same while avoiding direct component include. + - In `shipments/prepare.php`, move repeated inline `\App\Modules\Shipments\DeliveryStatus::*` and `\App\Core\Support\StringHelper::*` access to local prepared variables/imports at the top of the view or to controller-provided variables if already easy. Do not alter visible shipment rows, links, status colors, or tracking URLs. + - Leave JavaScript-generated alert class names alone; they are not PHP component includes and should remain compatible with existing CSS. + + `C:\xampp\php\php.exe -l` on every touched view/layout; `rg -n "include dirname\\(__DIR__\\) . '/components/alert.php'|include __DIR__ . '/../components/alert.php'|\\\\App\\\\" resources/views` shows only documented intentional leftovers; manual browser smoke deferred but rendering syntax is valid + AC-3 and AC-5 satisfied for targeted view/component cleanup. 
+ + + + Task 3: Flatten small controllers and update Sonar documentation + src/Modules/Settings/SmsTemplateController.php, src/Modules/Users/UsersController.php, DOCS/ARCHITECTURE.md, DOCS/TECH_CHANGELOG.md, DOCS/todo.md, .paul/codebase/concerns.md, .paul/codebase/tech_changelog.md, .paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md + + Reduce local `php:S1142`, `php:S1192`, and `php:S1172` where the selected controllers are simple enough to preserve exactly. + - In `SmsTemplateController`, introduce constants for routes/flash keys/messages, extract CSRF/id validation helpers that return a `Response` or normalized data, and keep JSON status codes/messages unchanged. + - In `UsersController`, extract validation into small methods or a validation-result helper so `store()` has fewer early returns while preserving old form flash values, validation order, redirects, and password hashing behavior. + - Remove unused request parameters only where the method does not need them and route invocation supports the same signature pattern in this project. If unsure, keep the parameter and document it as intentionally retained. + - Run the final Sonar scanner after all code changes. Update baseline/docs with before/after totals, fixed groups, remaining top groups, and whether the next slice should address Web accessibility or Phase 141 god-class work. + + `C:\xampp\php\php.exe -l src/Modules/Settings/SmsTemplateController.php src/Modules/Users/UsersController.php`; `git diff --check`; final `sonar-scanner` using PATH or the downloaded Windows scanner; `vendor/bin/phpunit` only if dependencies exist, otherwise document the environment gap + AC-1, AC-4, AC-5, and AC-6 satisfied. + + + + + + +## DO NOT CHANGE +- Do not split `OrdersStatisticsRepository`, `OrdersRepository`, `OrdersController`, `AutomationService`, or other god classes in this plan; that belongs to Phase 141 or a dedicated later slice. 
+- Do not change database schema, migrations, SQL semantics, status mappings, cron behavior, payment/invoice/shipment business behavior, or route URLs. +- Do not add native `alert()` / `confirm()` or CSS in views. +- Do not replace JS-generated alert markup that intentionally only uses `.alert` classes. +- Do not use `DB_HOST_REMOTE`; no DB writes or migrations are needed. + +## SCOPE LIMITS +- This plan may be broad but must stay behavior-preserving. +- Initial target selection is based on the final 139-01 scan plus local code inspection; only the final scanner run is required. +- If a file is riskier than expected, skip that file, document the skip in `SONAR-BASELINE.md`, and continue with the other selected files. +- If `vendor/bin/phpunit` is missing, use PHP lint plus existing ad-hoc runtime smokes and document the gap. + + + + +Before declaring plan complete: +- [ ] PHP lint passes for all touched PHP source files and views. +- [ ] `rg` confirms targeted direct alert includes and selected generic `RuntimeException` throws were removed or explicitly documented as intentional leftovers. +- [ ] Existing targeted ad-hoc runtime smokes pass where available. +- [ ] `git diff --check` passes. +- [ ] Final `sonar-scanner` runs successfully using PATH or the downloaded Windows scanner from `%TEMP%`. +- [ ] `SONAR-BASELINE.md`, `DOCS/todo.md`, `DOCS/ARCHITECTURE.md`, `DOCS/TECH_CHANGELOG.md`, `.paul/codebase/concerns.md`, and `.paul/codebase/tech_changelog.md` are updated. + + + +- 139-02 reduces the total OPEN `BLOCKER,CRITICAL,MAJOR` Sonar count from the 139-01 final baseline of 605. +- Selected generic exceptions are replaced by typed domain exceptions without changing caller behavior. +- Targeted views use `$component()` for alert rendering and no longer rely on hard includes. +- Small controller cleanup reduces confirmed return/literal/unused-parameter issues while preserving UX and response contracts. 
+- Remaining high-count issue groups are documented for the next Phase 139 plan or Phase 141. + + + +After completion, create `.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md`. + diff --git a/.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md b/.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md new file mode 100644 index 0000000..feb4d18 --- /dev/null +++ b/.paul/phases/139-sonar-critical-major-cleanup/139-02-SUMMARY.md 
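Review bot: narrowing `catch (RuntimeException ...)` in `PolkurierApiClient::testConnection()` to the new typed exception (Task 1 in the 139-02-PLAN.md hunk above) is not behaviour-preserving unless nothing else on that call path still throws a plain `RuntimeException`; the plan only replaces throws in the listed files and says the new classes extend `RuntimeException` when no project base exists, so the existing broad catch already handles the subclass. The safer mechanical change is to keep the `RuntimeException` catch, or catch `PolkurierApiException` first and leave the broad catch as a fallback, and to note in the verification list which exception the failed-credentials path surfaces. The AC-5 check for this task is lint plus ad-hoc smokes only, while the two modified unit tests (`tests/Unit/ErliOrderMapperTest.php`, `tests/Unit/FakturowniaInvoiceIdempotencyTest.php`) assert the new exception classes; the plan should say how those run when `vendor/bin/phpunit` is absent.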
@@ -0,0 +1,150 @@ +--- +phase: 139-sonar-critical-major-cleanup +plan: 139-02 +subsystem: quality +tags: [sonar, php, views, exceptions, refactor] +requires: + - phase: 139-01 + provides: Fresh Sonar baseline reduced from 648 to 605 OPEN BLOCKER/CRITICAL/MAJOR issues +provides: + - Typed exceptions for selected Settings/Automation failure paths + - Broad alert component include migration to Template component helper + - Updated Phase 139 Sonar baseline and debt documentation +affects: [phase-139, phase-141, sonar-cleanup, ui-alerts] +tech-stack: + added: [] + patterns: + - Typed domain exceptions for compact API/repository failure clusters + - Alert rendering through `$component('components/alert', ...)` +key-files: + created: + - src/Modules/Settings/FakturowniaApiException.php + - src/Modules/Settings/PolkurierApiException.php + - src/Modules/Settings/ErliOrderMappingException.php + - src/Modules/Automation/AutomationRuleException.php + - src/Modules/Settings/EmailTemplateException.php + modified: + - .paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md + - DOCS/ARCHITECTURE.md + - DOCS/TECH_CHANGELOG.md + - DOCS/todo.md +key-decisions: + - "Use 139-01 final Sonar result as the 139-02 baseline; no pre-edit scanner rerun." + - "Keep Phase 141 god-class splits out of this cleanup slice." +patterns-established: + - "Trusted prebuilt alert HTML must be passed as `messageHtml`; normal alert text uses `message`." +duration: ~35min +started: 2026-05-17T23:09:00+02:00 +completed: 2026-05-17T23:21:00+02:00 +--- + +# Phase 139 Plan 02: Sonar Critical/Major Cleanup Summary + +Plan 139-02 removed the largest safe cluster after 139-01: broad view include/import issues, selected generic exceptions, and small controller literal/return cleanup. 
+ +## Performance + +| Metric | Value | +|--------|-------| +| Duration | ~35min | +| Started | 2026-05-17 23:09 | +| Completed | 2026-05-17 23:21 | +| Tasks | 3 completed | +| Final Sonar total | 495 OPEN BLOCKER/CRITICAL/MAJOR | + +## Acceptance Criteria Results + +| Criterion | Status | Evidence | +|-----------|--------|----------| +| AC-1: 139-01 baseline used | Pass | Implementation used the documented 139-01 final baseline of 605 and only ran scanner after code changes. | +| AC-2: Selected generic exceptions reduced | Pass | New typed exceptions replaced target `RuntimeException` throws/catches; `php:S112` dropped from 40 to 23. | +| AC-3: Direct alert includes/import patterns reduced | Pass | `rg` found no target direct alert includes or inline `\App\...` in `resources/views`; `php:S4833` dropped from 93 to 3. | +| AC-4: Small controller cleanup | Pass | `SmsTemplateController` and `UsersController` now centralize routes, flash keys and validation helpers without route/UX changes. | +| AC-5: Behavior unchanged | Pass | PHP lint passed; ad-hoc Erli invalid-payload smoke passed; no DB/schema/routes were changed. | +| AC-6: Remaining Sonar work documented | Pass | `SONAR-BASELINE.md`, `DOCS/todo.md`, `DOCS/ARCHITECTURE.md`, `DOCS/TECH_CHANGELOG.md`, `.paul/codebase/concerns.md`, and `.paul/codebase/tech_changelog.md` were updated. | + +## Accomplishments + +- Reduced OPEN `BLOCKER,CRITICAL,MAJOR` Sonar issues from 605 to 495. +- Added typed exceptions for Fakturownia, Polkurier, Erli mapping, automation duplication, and email template duplication. +- Migrated target view/layout alert rendering to `$component('components/alert', ...)`, preserving trusted `messageHtml` behavior. +- Removed target inline fully qualified `\App\...` references from views by using local imports. +- Documented remaining Phase 139 work and the Phase 141 boundary for god-class splits. 
+ +## Files Created/Modified + +| File | Change | Purpose | +|------|--------|---------| +| `src/Modules/Settings/FakturowniaApiException.php` | Created | Typed exception for Fakturownia API failures. | +| `src/Modules/Settings/PolkurierApiException.php` | Created | Typed exception for Polkurier API failures. | +| `src/Modules/Settings/ErliOrderMappingException.php` | Created | Typed exception for Erli inbox mapping failures. | +| `src/Modules/Automation/AutomationRuleException.php` | Created | Typed exception for automation rule duplication failures. | +| `src/Modules/Settings/EmailTemplateException.php` | Created | Typed exception for e-mail template duplication failures. | +| `src/Modules/Settings/FakturowniaApiClient.php` | Modified | Replaced selected generic runtime exceptions. | +| `src/Modules/Settings/PolkurierApiClient.php` | Modified | Replaced selected generic runtime exceptions and catch type. | +| `src/Modules/Settings/ErliOrderMapper.php` | Modified | Replaced mapping guard exceptions. | +| `src/Modules/Automation/AutomationRepository.php` | Modified | Replaced duplicate missing-rule exception. | +| `src/Modules/Settings/EmailTemplateRepository.php` | Modified | Replaced duplicate missing-template exception. | +| `src/Modules/Settings/SmsTemplateController.php` | Modified | Extracted constants/helpers for flash, routes and redirects. | +| `src/Modules/Users/UsersController.php` | Modified | Extracted user validation and flash helpers. | +| `resources/views/**/*.php` | Modified | Migrated target alerts to `$component()` and view imports where applicable. | +| `tests/Unit/ErliOrderMapperTest.php` | Modified | Updated exception assertion to typed mapper exception. | +| `tests/Unit/FakturowniaInvoiceIdempotencyTest.php` | Modified | Updated API failure mocks to typed exception. | +| `DOCS/ARCHITECTURE.md` | Modified | Documented 139-02 architecture cleanup. | +| `DOCS/TECH_CHANGELOG.md` | Modified | Added 139-02 technical changelog. 
| +| `DOCS/todo.md` | Modified | Updated Sonar totals and next slices. | +| `.paul/codebase/concerns.md` | Modified | Updated Sonar debt counts and legacy-pattern status. | +| `.paul/codebase/tech_changelog.md` | Modified | Added 139-02 PAUL technical changelog. | +| `.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md` | Modified | Recorded final Sonar analysis and remaining groups. | + +## Verification Results + +| Check | Result | +|-------|--------| +| PHP lint on touched source/test/view/layout files | Pass | +| `rg` target direct alert includes | Pass: no target leftovers | +| `rg` inline `\App\...` in views | Pass: no leftovers | +| `rg` selected generic `RuntimeException` leftovers | Pass: no leftovers | +| Ad-hoc Erli mapper invalid payload smoke | Pass: typed `ErliOrderMappingException` with preserved message | +| `git diff --check` | Pass | +| Final `sonar-scanner` | Pass, analysis `2c18a5b3-40b4-41d8-b826-df88615749db` | +| PHPUnit | Not run: `vendor/` and `vendor/bin/phpunit` are missing | + +## Deviations from Plan + +| Type | Count | Impact | +|------|-------|--------| +| Environment gaps | 1 | PHPUnit could not run because dependencies are not installed in checkout. | +| Scope additions | 0 | None. | +| Deferred | 0 | No new deferred issues beyond documented remaining Sonar groups. | + +## Decisions Made + +| Decision | Rationale | Impact | +|----------|-----------|--------| +| Reuse `%TEMP%` SonarScanner | Scanner is still not in PATH, but the official Windows x64 scanner from 139-01 exists and works. | Final scan completed without adding dependencies. | +| Do not split god classes | The plan explicitly reserved `OrdersStatisticsRepository` and other god-class work for Phase 141. | Phase 139 remains focused on safe Sonar reductions. | + +## Issues Encountered + +| Issue | Resolution | +|-------|------------| +| `vendor/bin/phpunit` unavailable | Documented as environment gap; used PHP lint, ad-hoc smoke and final Sonar. 
| +| `sonar-scanner` not in PATH | Reused official scanner from `%TEMP%`. | + +## Next Phase Readiness + +**Ready:** +- Phase 140 can plan performance safeguards from current roadmap. +- Phase 141 has a clearer boundary for `php:S1448` class splits. +- Remaining Phase 139 debt is documented for optional future slices. + +**Concerns:** +- PHPUnit still requires `composer install`/`vendor/`. +- `php:S1142`, `php:S3776`, `php:S1172`, and accessibility groups remain substantial. + +**Blockers:** None for moving to Phase 140 planning. + +--- +*Phase: 139-sonar-critical-major-cleanup, Plan: 139-02* +*Completed: 2026-05-17* diff --git a/.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md b/.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md index e5ff612..81c9e99 100644 --- a/.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md +++ b/.paul/phases/139-sonar-critical-major-cleanup/SONAR-BASELINE.md 
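Review bot: AC-5 "Behavior unchanged" is recorded as Pass in the 139-02-SUMMARY.md hunk, but the Verification Results table in the same hunk records PHPUnit as not run, so the two unit tests whose exception assertions were changed were never executed; the Deviations table lists this only as an environment gap with zero deferred items. Suggest marking AC-5 as passed on lint and ad-hoc smoke evidence only and adding a deferred item to run `vendor/bin/phpunit` once `composer install` is available, so the typed-exception assertions are verified before the next slice builds on them.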
@@ -78,6 +78,49 @@ Top rules after cleanup: - `src/Modules/Statistics/OrdersStatisticsRepository.php`: `php:S1448`, 43 methods. This requires a class split and belongs with the Phase 141 god-class work or a dedicated Phase 139 follow-up slice. +## Final Scan After Plan 139-02 + +Analysis id: `2c18a5b3-40b4-41d8-b826-df88615749db` +CE task id: `de0e6b08-015c-4651-ae02-d28ada99b393` + +OPEN `BLOCKER,CRITICAL,MAJOR` issues: + +| Severity | After 139-01 | After 139-02 | Delta | +|----------|--------------|--------------|-------| +| BLOCKER | 0 | 0 | 0 | +| CRITICAL | 181 | 178 | -3 | +| MAJOR | 424 | 317 | -107 | +| Total | 605 | 495 | -110 | + +Top rules after 139-02: + +| Rule | Count | +|------|-------| +| `php:S1142` | 148 | +| `php:S1192` | 98 | +| `php:S3776` | 54 | +| `php:S1172` | 41 | +| `php:S121` | 24 | +| `php:S3358` | 23 | +| `php:S112` | 23 | +| `Web:TableHeaderHasIdOrScopeCheck` | 16 | +| `php:S1448` | 16 | +| `php:S2681` | 9 | + +Selected 139-02 fixes: + +| Group | Before | After | Notes | +|-------|--------|-------|-------| +| `php:S4833` | 93 | 3 | Broad alert include migration to `$component()` and view FQCN cleanup. Remaining issues are core framework `require` calls in `Application`, `Translator`, and `Template`. | +| `php:S112` | 40 | 23 | Typed exceptions added for Fakturownia, Polkurier, Erli mapping, automation duplication, and email template duplication. | +| `php:S1192` | 101 | 98 | Small controller constants reduced repeated route/flash literals. | + +Recommended next slice: + +- Continue Phase 139 with `php:S1142`, `php:S3776`, and `php:S1172` in compact service/controller methods. +- Treat Web accessibility issues as a separate UI verification slice. +- Keep `php:S1448` god-class splits for Phase 141 or a dedicated architecture plan. + ## Tooling Notes - `vendor/bin/phpunit` is not available because `vendor/` is missing and Composer is not installed in PATH. 
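Review bot: the "Selected 139-02 fixes" table in the SONAR-BASELINE.md hunk describes the three remaining `php:S4833` hits as intentional core framework `require` calls in `Application`, `Translator`, and `Template`, but does not say whether they were marked as accepted in Sonar; if they stay OPEN they will reappear in every future baseline and count against the next slice. Suggest either resolving them as won't-fix in Sonar with this rationale, or adding a line here stating they are deliberately left OPEN so the next plan does not re-triage them.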
diff --git a/DOCS/ARCHITECTURE.md b/DOCS/ARCHITECTURE.md index 19b7634..c00f69c 100644 --- a/DOCS/ARCHITECTURE.md +++ b/DOCS/ARCHITECTURE.md @@ -89,6 +89,13 @@ HTTP Request - Amount SQL generation is split into small helpers while preserving the Phase 135 contract: source-level net first, VAT-aware item fallback second, legacy gross `/1.23` last, and delivery net at 23% only when source net is missing. - Remaining architecture debt: `OrdersStatisticsRepository` still exceeds the Sonar method-count threshold and should be split in a later god-class/refactor slice. +### Critical/major cleanup slice 139-02 +- Settings/Automation compact failure paths now use typed exceptions: `FakturowniaApiException`, `PolkurierApiException`, `ErliOrderMappingException`, `AutomationRuleException`, and `EmailTemplateException`. +- Alert rendering in targeted layouts/views uses `Template::$component('components/alert', ...)` instead of direct component includes. Trusted prebuilt alert HTML is still passed as `messageHtml`. +- `SmsTemplateController` and `UsersController` centralize repeated routes, flash keys and validation helpers without changing request routes, flash UX or response status contracts. +- `resources/views/shipments/prepare.php` imports `StringHelper` and `DeliveryStatus` locally instead of using inline fully qualified class names. +- Phase 139-02 final Sonar scan reduced OPEN BLOCKER/CRITICAL/MAJOR issues from 605 to 495. Remaining high-impact work is mostly return/cognitive-complexity cleanup, accessibility, and Phase 141 god-class splits. + ## Frontend Enhancement Modules ### Checkbox Multiselect (`public/assets/js/modules/checkbox-multiselect.js`) diff --git a/DOCS/TECH_CHANGELOG.md b/DOCS/TECH_CHANGELOG.md index 7570e96..2333bc6 100644 --- a/DOCS/TECH_CHANGELOG.md +++ b/DOCS/TECH_CHANGELOG.md 
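Review bot: `Template::$component('components/alert', ...)` in the ARCHITECTURE.md hunk reads as a static property call, while the view hunks below and the 139-02 summary use the `$component(...)` closure that `Template` exposes to views; suggest wording it as "the `$component()` helper provided by `Template`". It would also help to state the trust contract next to it, as the summary does under patterns-established: normal text goes through `message`, and `messageHtml` is rendered as-is (the plan's "do not double-escape trusted HTML") and must only receive HTML assembled from already-escaped parts.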
@@ -1,5 +1,20 @@ # Technical Changelog +## 2026-05-17 - Phase 139 Plan 02: Sonar Critical/Major Cleanup + +**Co zrobiono:** +- Finalny Sonar po planie 139-02: 495 OPEN BLOCKER/CRITICAL/MAJOR (`BLOCKER=0`, `CRITICAL=178`, `MAJOR=317`), spadek z 605 po 139-01. +- Dodano typowane wyjatki dla kompaktowych klastrow: Fakturownia API, Polkurier API, Erli order mapping, automation rule duplication i email template duplication. +- Zmigrowano szeroki zestaw alertow w layoutach i widokach na `$component('components/alert', ...)`, zachowujac `messageHtml` dla zaufanego gotowego HTML. +- Usunieto inline `\App\...` z targetowanych widokow/layoutow przez lokalne importy. +- `SmsTemplateController` i `UsersController` dostaly stale dla tras/flashy oraz male helpery walidacji/redirectow bez zmiany kontraktu formularzy. + +**Dlaczego:** +- Plan 139-02 mial agresywnie zredukowac najwieksze bezpieczne grupy Sonar po 139-01, szczegolnie `php:S4833` i `php:S112`, bez ruszania schematu DB ani god-class splitow z Phase 141. + +**BREAKING / migracja:** +- Brak migracji DB i brak zmian breaking. PHPUnit nadal nie jest dostepny w checkoutcie przez brak `vendor/`; wykonano lint, ad-hoc smoke mappera Erli i finalny SonarScanner. + ## 2026-05-17 - Phase 139 Plan 01: Sonar Critical/Major Cleanup **Co zrobiono:** diff --git a/DOCS/todo.md b/DOCS/todo.md index 1446bf7..6a0c61d 100644 --- a/DOCS/todo.md +++ b/DOCS/todo.md 
@@ -2,13 +2,19 @@ ## SonarQube - 2026-05-17 -Fresh Phase 139 scan after plan 139-01: 605 OPEN `BLOCKER,CRITICAL,MAJOR` issues remain (`BLOCKER=0`, `CRITICAL=181`, `MAJOR=424`). +Fresh Phase 139 scan after plan 139-02: 495 OPEN `BLOCKER,CRITICAL,MAJOR` issues remain (`BLOCKER=0`, `CRITICAL=178`, `MAJOR=317`). Next recommended slices: -- Split `src/Modules/Statistics/OrdersStatisticsRepository.php` (`php:S1448`, 43 methods) into query/amount/schema helpers before making deeper statistics changes. -- Continue with the largest confirmed rule groups: `php:S1142`, `php:S1192`, `php:S4833`, `php:S3776`, `php:S1172`, `php:S112`. +- Continue with the largest confirmed rule groups: `php:S1142`, `php:S3776`, `php:S1172`, `php:S1192`, `php:S112`. - Handle Web accessibility groups separately so table headers, `` semantics and icon-only labels can be checked in the UI. +- Split `src/Modules/Statistics/OrdersStatisticsRepository.php` and other `php:S1448` god classes in Phase 141 or a dedicated architecture slice. + +Resolved in Phase 139-02: + +- Broad direct alert include/import-pattern cleanup: `php:S4833` reduced from 93 to 3. +- Selected generic exception cleanup: `php:S112` reduced from 40 to 23. +- Small controller literal cleanup in SMS templates and users. Resolved in Phase 139-01: diff --git a/resources/views/accounting/invoice_form.php b/resources/views/accounting/invoice_form.php index 603c54b..63074d1 100644 --- a/resources/views/accounting/invoice_form.php +++ b/resources/views/accounting/invoice_form.php @@ -30,7 +30,7 @@ $buyerEmailDefault = trim((string) ($buyerAddr['email'] ?? $orderRow['buyer_emai -
+
'danger', 'message' => (string) $errorMsg, 'dismissible' => true]); ?>
@@ -51,7 +51,7 @@ $buyerEmailDefault = trim((string) ($buyerAddr['email'] ?? $orderRow['buyer_emai -
+
'warning', 'messageHtml' => $existingInvoicesHtml, 'dismissible' => true]); ?>
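Review bot: `$existingInvoicesHtml` is now passed as `messageHtml` in this invoice_form.php hunk, which under the plan's contract is rendered without escaping, so the escaping responsibility moves entirely to wherever that string is assembled; please confirm each dynamic fragment in it (invoice numbers, dates, links) is escaped with the project's escaping helper before concatenation, and add a short comment at the assignment stating that the variable is trusted prebuilt HTML, so a later edit does not interpolate raw order or buyer data into it. The preceding hunk correctly routes `$errorMsg` through `message`, which keeps the two paths distinguishable in review.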
diff --git a/resources/views/auth/login.php b/resources/views/auth/login.php index de33be2..0c38a7d 100644 --- a/resources/views/auth/login.php +++ b/resources/views/auth/login.php @@ -6,7 +6,7 @@ - + diff --git a/resources/views/automation/form.php b/resources/views/automation/form.php index 4cc88e3..bf3a1e4 100644 --- a/resources/views/automation/form.php +++ b/resources/views/automation/form.php @@ -41,7 +41,7 @@ $orderStatusOptions = is_array($orderStatusOptions ?? null) ? $orderStatusOption

-
+
'danger', 'message' => (string) $errorMessage, 'dismissible' => true]); ?>
diff --git a/resources/views/automation/index.php b/resources/views/automation/index.php index 00d97f4..3f5474a 100644 --- a/resources/views/automation/index.php +++ b/resources/views/automation/index.php @@ -56,10 +56,10 @@ $buildHistoryUrl = static function (array $overrides = []) use ($historyFiltersD

Reguly automatyzacji wykonywane po wystapieniu zdarzenia.

-
+
'danger', 'message' => (string) $errorMessage, 'dismissible' => true]); ?>
-
+
'success', 'message' => (string) $successMessage, 'dismissible' => true]); ?>