# PHP Analyzer Autoload & Restore Design (2025-12-09)

## Goals
- Stabilize PHP analyzer pipeline (SCANNER-ENG-0010 / 27-001) by defining autoload graph handling, composer restore posture, and fixtures.
- Provide deterministic evidence suitable for CI and reachability alignment with Concelier/Signals.

## Inputs
- `composer.json` + `composer.lock`.
- `vendor/composer/*.php` autoload files (`autoload_psr4.php`, `autoload_classmap.php`, `autoload_files.php`, `autoload_static.php`).
- Installed vendor tree under `vendor/`.
- Optional: `composer.phar` version metadata for diagnostics (no execution).

## Outputs
- Package inventory: `pkg:composer/<name>@<version>` with source/dist hashes from lockfile.
- Autoload graph:
  - PSR-4/PSR-0 mappings (namespace → path), classmap entries, files includes.
  - Emit edges from package → file and namespace → path with deterministic ordering.
- Restore diagnostics:
  - Detect missing vendor install vs lockfile drift; emit findings instead of network restore.
- Metadata:
  - Composer version (from lock/platform field when present).
  - Platform PHP extensions/version constraints.

## Determinism & Offline
- No composer install/updates; read-only parsing of lock/autoload/vendor.
- Stable ordering: sort packages, namespaces, classmap entries, files includes (ordinal, POSIX paths).
- Hashes: use lockfile dist/shasum when present; otherwise SHA-256 over on-disk file bytes for autoloaded files.

## Fixtures / Backlog
1) PSR-4 project with namespaced classes and classmap mix.
2) Project with `autoload_files.php` includes (functions/constants).
3) Lockfile present but vendor missing → expect finding, no inventory.
4) Path repo override + dist hash present.

## Implementation Steps
- Parser for composer.lock (packages + platform reqs) and autoload PHP arrays (psr-4, psr-0, classmap, files).
- Graph builder producing deterministic edges and evidence records.
- Findings for missing vendor, mismatched lock hash, or absent autoload files.
- Tests under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Php.Tests` with goldens for each fixture; add TRX/binlogs to readiness once stable.
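
The restore diagnostics and the determinism rules above, as an added Python example that is not the project's own code. The `REPO` snapshot, the finding names and the `analyze` helper are constructed for illustration; it reads only `composer.lock` and `autoload_files.php`, and adds one assumption the design does not state: an autoload path that climbs out of the project root is reported rather than hashed.

```python
import hashlib
import json
import re

# Constructed repository snapshot (POSIX path -> bytes); not from a real project.
REPO = {
    "composer.lock": json.dumps({"packages": [
        {"name": "zeta/log", "version": "2.0.0", "dist": {"shasum": ""}},
        {"name": "acme/util", "version": "1.4.2", "dist": {"shasum": "0f" * 20}},
        {"name": "ghost/pkg", "version": "0.1.0"}]}).encode(),
    "vendor/composer/autoload_files.php": b"""<?php
$vendorDir = dirname(__DIR__);
$baseDir = dirname($vendorDir);
return array(
    'b1' => $vendorDir . '/zeta/log/src/helpers.php',
    'a1' => $vendorDir . '/acme/util/src/functions.php',
    'g1' => $vendorDir . '/ghost/pkg/boot.php',
    'x1' => $baseDir . '/../outside.php',
);
""",
    "vendor/zeta/log/src/helpers.php": b"<?php function zlog() {}\n",
    "vendor/acme/util/src/functions.php": b"<?php function util() {}\n",
}
ENTRY = re.compile(rb"=>\s*\$(vendorDir|baseDir)\s*\.\s*'(/[^']*)'")


def analyze(repo):
    """Return (inventory, file_edges, findings) by parsing only; no PHP runs, no network."""
    lock = json.loads(repo["composer.lock"])
    locked = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    if not any(p.startswith("vendor/composer/") for p in repo):
        return [], [], [("vendor-missing", "composer.lock")]  # fixture 3: no inventory
    inventory, edges, findings = [], [], []
    for pkg in locked:
        if any(p.startswith(f"vendor/{pkg['name']}/") for p in repo):
            purl = f"pkg:composer/{pkg['name']}@{pkg['version']}"
            inventory.append((purl, (pkg.get("dist") or {}).get("shasum") or None))
        else:
            findings.append(("lock-drift", pkg["name"]))
    for base, rel in ENTRY.findall(repo.get("vendor/composer/autoload_files.php", b"")):
        path = (("vendor" if base == b"vendorDir" else "") + rel.decode()).lstrip("/")
        if ".." in path.split("/"):
            findings.append(("autoload-path-escape", path))
        elif path in repo:
            edges.append((path, hashlib.sha256(repo[path]).hexdigest()))
        else:
            findings.append(("autoload-file-absent", path))
    # Code-point sort: identical order on every run, independent of locale.
    return sorted(inventory, key=lambda r: r[0]), sorted(edges), sorted(findings)
```

Calling `analyze(REPO)` yields two inventory entries, two hashed file edges and three findings, and the result is the same whatever order the snapshot's entries are supplied in.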