# PHP Analyzer Autoload & Restore Design (2025-12-09)

## Goals
- Stabilize PHP analyzer pipeline (SCANNER-ENG-0010 / 27-001) by defining autoload graph handling, composer restore posture, and fixtures.
- Provide deterministic evidence suitable for CI and reachability alignment with Concelier/Signals.

## Inputs
- `composer.json` + `composer.lock`.
- `vendor/composer/*.php` autoload files (`autoload_psr4.php`, `autoload_classmap.php`, `autoload_files.php`, `autoload_static.php`).
- Installed vendor tree under `vendor/`.
- Optional: `composer.phar` version metadata for diagnostics (no execution).

## Outputs
- Package inventory: `pkg:composer/<name>@<version>` with source/dist hashes from lockfile.
- Autoload graph:
  - PSR-4/PSR-0 mappings (namespace → path), classmap entries, files includes.
  - Emit edges from package → file and namespace → path with deterministic ordering.
- Restore diagnostics:
  - Detect missing vendor install vs lockfile drift; emit findings instead of network restore.
- Metadata:
  - Composer version (from lock/platform field when present).
  - Platform PHP extensions/version constraints.

## Determinism & Offline
- No composer install/updates; read-only parsing of lock/autoload/vendor.
- Stable ordering: sort packages, namespaces, classmap entries, files includes (ordinal, POSIX paths).
- Hashes: use lockfile dist/shasum when present; otherwise SHA-256 over on-disk file bytes for autoloaded files.

## Fixtures / Backlog
1) PSR-4 project with namespaced classes and classmap mix.
2) Project with `autoload_files.php` includes (functions/constants).
3) Lockfile present but vendor missing → expect finding, no inventory.
4) Path repo override + dist hash present.

## Implementation Steps
- Parser for composer.lock (packages + platform reqs) and autoload PHP arrays (psr-4, psr-0, classmap, files).
- Graph builder producing deterministic edges and evidence records.
- Findings for missing vendor, mismatched lock hash, or absent autoload files.
- Tests under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests` with goldens for each fixture; add TRX/binlogs to readiness once stable.