update

.paul/codebase/concerns.md

@@ -0,0 +1,76 @@
+# Concerns & Technical Debt
+
+> Generated by /paul:map-codebase — 2026-04-26
+
+## CRITICAL
+
+### 1. Credentials committed to git
+- **wp-config.php**: DB password in version history
+- **.vscode/ftp-kr.json**: FTP credentials in version history (host, user, password, path)
+- **Action**: Rotate both passwords. Add `wp-config.php` and `.vscode/ftp-kr.json` to `.gitignore`.
+
+### 2. FTP auto-upload to production with no staging
+- `autoUpload: true` in `.vscode/ftp-kr.json` — every file save goes live immediately
+- No review step, no staging environment
+- **Action**: Disable autoUpload for risky changes; test locally first.
+
+### 3. bbPress — 100+ core plugin files modified
+- Git shows every file in `wp-content/plugins/bbpress/` as modified
+- Next bbPress update will silently overwrite all customizations
+- **Action**: Document what was changed and why. Move custom logic to a custom plugin or mu-plugin using bbPress hooks/filters.
+
+## HIGH
+
+### 4. No .gitignore
+- Sensitive files (wp-config.php, ftp-kr.json) are tracked
+- Uploads, cache, and build artifacts can be accidentally committed
+- **Files to add to .gitignore**: `wp-config.php`, `.vscode/ftp-kr.json`, `.vscode/sftp.json`, `wp-content/uploads/`, `wp-content/cache/`, `*.log`
+
+### 5. Deprecated PHP in divi-children-engine
+- `extract(shortcode_atts(...))` in `divi-mods/divi_mod_functions.php:28` — deprecated PHP 8.0+, security risk
+- `query_posts()` in same file — deprecated, should use `WP_Query`
+- **Action**: Replace `extract()` with explicit variable assignments when touching this file.
+
+### 6. AJAX handler without nonce verification
+- `custom_selectors_action_callback()` in `custom_codes.php` processes `$_POST['selector']` without sanitization or nonce check
+- **Action**: Add `check_ajax_referer()` and `sanitize_text_field()` before the `set_theme_mod()` call.
+
+### 7. No error logging
+- `WP_DEBUG = false` with no `WP_DEBUG_LOG` — silent failures in production
+- **Action**: Enable `WP_DEBUG_LOG = true`, `WP_DEBUG_DISPLAY = false` to log errors server-side without exposing them.
+
+## MEDIUM
+
+### 8. Inline JavaScript using deprecated jQuery methods
+- `custom_codes.php` uses `.toggle()` (removed in jQuery 3.9+) via inline PHP-embedded JS
+- **Action**: Replace with `.slideToggle()` or vanilla JS when modifying this area.
+
+### 9. Hardcoded Polish strings without i18n
+- `functions.php`: stock text, email address hardcoded as string literals
+- `cron-products.php`: hardcoded Polish date strings
+- No `.pot` / `.po` / `.mo` files; uses `woocommerce` text domain instead of `body-relax`
+- **Action**: Wrap new strings in `__('...', 'body-relax')`, create proper text domain.
+
+### 10. Child theme author URL uses HTTP
+- `style.css` Author URI: `http://www.body-relax.baumer.vot.pl` (HTTP, not HTTPS)
+- Minor, but update to HTTPS when touching the file.
+
+### 11. FTP over plain FTP (not SFTP)
+- `.vscode/ftp-kr.json` uses unencrypted FTP protocol
+- Credentials and file contents transmitted in plaintext
+- **Action**: Switch to SFTP (port 22) if host supports it.
+
+## LOW
+
+### 12. Poor git commit history
+- All recent commits are "Save" — no meaningful history for auditing or rollback
+- **Action**: Use conventional commit messages going forward.
+
+### 13. Divi Children Engine version 1.0.4
+- Relatively old; last update date unclear
+- Non-standard approach that may conflict with Divi updates
+- Low urgency, but track for compatibility issues when Divi updates.
+
+### 14. AUTOMATIC_UPDATER_DISABLED = true
+- All updates are manual; security patches may be missed
+- Acceptable if monitored; ensure a process exists to apply patches.