up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
cryptopro-linux-csp / build-and-test (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
sm-remote-ci / build-and-test (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
39
docs/modules/scanner/design/php-autoload-design.md
Normal file
@@ -0,0 +1,39 @@
|
||||
# PHP Analyzer Autoload & Restore Design (2025-12-09)
|
||||
|
||||
## Goals
|
||||
- Stabilize PHP analyzer pipeline (SCANNER-ENG-0010 / 27-001) by defining autoload graph handling, composer restore posture, and fixtures.
|
||||
- Provide deterministic evidence suitable for CI and reachability alignment with Concelier/Signals.
|
||||
|
||||
## Inputs
|
||||
- `composer.json` + `composer.lock`.
|
||||
- `vendor/composer/*.php` autoload files (`autoload_psr4.php`, `autoload_classmap.php`, `autoload_files.php`, `autoload_static.php`).
|
||||
- Installed vendor tree under `vendor/`.
|
||||
- Optional: `composer.phar` version metadata for diagnostics (no execution).
|
||||
|
||||
## Outputs
|
||||
- Package inventory: `pkg:composer/<name>@<version>` with source/dist hashes from lockfile.
|
||||
- Autoload graph:
|
||||
- PSR-4/PSR-0 mappings (namespace → path), classmap entries, files includes.
|
||||
- Emit edges from package → file and namespace → path with deterministic ordering.
|
||||
- Restore diagnostics:
|
||||
- Detect missing vendor install vs lockfile drift; emit findings instead of network restore.
|
||||
- Metadata:
|
||||
- Composer version (from lock/platform field when present).
|
||||
- Platform PHP extensions/version constraints.
|
||||
|
||||
## Determinism & Offline
|
||||
- No composer install/updates; read-only parsing of lock/autoload/vendor.
|
||||
- Stable ordering: sort packages, namespaces, classmap entries, files includes (ordinal, POSIX paths).
|
||||
- Hashes: use lockfile dist/shasum when present; otherwise SHA-256 over on-disk file bytes for autoloaded files.
|
||||
|
||||
## Fixtures / Backlog
|
||||
1) PSR-4 project with namespaced classes and classmap mix.
|
||||
2) Project with `autoload_files.php` includes (functions/constants).
|
||||
3) Lockfile present but vendor missing → expect finding, no inventory.
|
||||
4) Path repo override + dist hash present.
|
||||
|
||||
## Implementation Steps
|
||||
- Parser for composer.lock (packages + platform reqs) and autoload PHP arrays (psr-4, psr-0, classmap, files).
|
||||
- Graph builder producing deterministic edges and evidence records.
|
||||
- Findings for missing vendor, mismatched lock hash, or absent autoload files.
|
||||
- Tests under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests` with goldens for each fixture; add TRX/binlogs to readiness once stable.
|
||||
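Review bot: The "Hashes" bullet under "Determinism & Offline" mixes two different things without saying how the evidence record tells them apart: the lockfile `dist/shasum` is a checksum of the downloaded archive (SHA-1 in Composer, and often empty), while the fallback is SHA-256 over on-disk file bytes. Suggest requiring every emitted hash to carry its algorithm and its subject (archive vs. file), and defining what "mismatched lock hash" in "Implementation Steps" actually compares, since a read-only analyzer with no network restore never has the archive to check against `shasum`. If the intent is to detect `composer.json`/`composer.lock` drift, say which lockfile field is used. Two related gaps in the same file: "Fixtures / Backlog" has no case for a mismatched lock hash, absent autoload files, or PSR-0, although the outputs and findings list all three; and the "Parser for ... autoload PHP arrays" step should state that `vendor/composer/*.php` is parsed statically and never evaluated, with resolved paths normalised and confined to the scan root, to match the "no execution" rule already given for `composer.phar`.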