portal

liderra/portal

Fork 0

Commit Graph

Author	SHA1	Message	Date
Дмитрий	fb4e711b4a	fix(rls): close 4 dev↔prod RLS gaps in cron/jobs (hole #7 Phase B) Found by docs/audit/2026-05-23-rls-gap-audit.md. Each touched an RLS-protected table on the default connection in cron/queue context (no tenant GUC) — crash or silent misbehaviour on prod (crm_app_user, not BYPASSRLS), hidden on dev (superuser). - RemindersDispatchDue (Pattern B): gather pending via pgsql_supplier, then per-reminder DB::transaction + SET LOCAL app.current_tenant_id (isolation kept). - ReportsCleanupExpired (Pattern A): SaaS-admin cron → report_jobs + pd_processing_log via pgsql_supplier (BYPASSRLS). - GenerateReportJob (Pattern B): +readonly int $tenantId ctor param, wrap handle() in DB::transaction + SET LOCAL; both ReportJobController dispatch sites updated. - ProcessWebhookJob::failed (Pattern A): failed_webhook_jobs insert via pgsql_supplier → webhook failures now logged, incidents:watch-failures can see them. Tests +SharesSupplierPdo trait. 118 passed / 0 failed. My 5 src files pass larastan isolated (0 errors).	2026-05-23 10:16:46 +03:00
Дмитрий	9765ed760d	phase2(reports-stage3): retry/cancel/destroy + reports:cleanup-expired cron - ReportJobController +3 endpoints под auth:sanctum: - POST /api/reports/jobs/{id}/retry — CTO-6: только owner+failed, max 3 попытки (parameters.retry_count), окно 7 дней с created_at, квота CTO-7 учитывается; создаёт НОВЫЙ ReportJob (parameters.retry_of=original.id) + dispatch. - POST /api/reports/jobs/{id}/cancel — только owner+pending; status=failed + error_message=«Отменено пользователем.» + finished_at=NOW. - DELETE /api/reports/jobs/{id} — только owner+terminal (done\|failed); удаляет файл из disk('local') + row. - toResource +3 поля: is_expired (expires_at < NOW), retry_count, retry_max=3. - App\Console\Commands\ReportsCleanupExpired (cron `reports:cleanup-expired`): где status='done' AND expires_at < NOW AND file_path IS NOT NULL → delete file + UPDATE file_path=NULL. CTO-10: status='done' СОХРАНЯЕТСЯ. failed-jobs игнорируются. --dry-run + --limit=1000. Запуск ежесуточно через Task Scheduler. - routes/web.php: новые 3 routes под существующим prefix /api/reports/jobs. - Pest +21 в ReportLifecycleTest.php (всего 403/403, +21 от 382, 1343 assertions): retry 8 (404 unknown/foreign / 403 не владелец / 422 не failed / success+new+ retry_count=1+retry_of / 422 max retries / 422 окно 7 дней / 422 квота 3) + cancel 4 (404 / 422 не pending / success / 403 не владелец) + destroy 5 (404 / 422 pending / 403 не владелец / success+file / success+file_path=NULL) + index +1 (is_expired/retry_count/retry_max в response) + cron 3 (удаление expired+CTO-10 status сохраняется / --dry-run / failed игнорируются). - phpstan-baseline регенерирован. Этап 3/4 эпика Reports backend (закрыт). Этап 4: frontend integration — заменить mock в ReportsView на реальный API + UI кнопки retry/cancel/delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-09 13:44:09 +03:00

Author

SHA1

Message

Date

Дмитрий

fb4e711b4a

fix(rls): close 4 dev↔prod RLS gaps in cron/jobs (hole #7 Phase B)

Found by docs/audit/2026-05-23-rls-gap-audit.md. Each touched an RLS-protected
table on the default connection in cron/queue context (no tenant GUC) — crash or
silent misbehaviour on prod (crm_app_user, not BYPASSRLS), hidden on dev (superuser).

- RemindersDispatchDue (Pattern B): gather pending via pgsql_supplier, then
  per-reminder DB::transaction + SET LOCAL app.current_tenant_id (isolation kept).
- ReportsCleanupExpired (Pattern A): SaaS-admin cron → report_jobs + pd_processing_log
  via pgsql_supplier (BYPASSRLS).
- GenerateReportJob (Pattern B): +readonly int $tenantId ctor param, wrap handle()
  in DB::transaction + SET LOCAL; both ReportJobController dispatch sites updated.
- ProcessWebhookJob::failed (Pattern A): failed_webhook_jobs insert via pgsql_supplier
  → webhook failures now logged, incidents:watch-failures can see them.

Tests +SharesSupplierPdo trait. 118 passed / 0 failed. My 5 src files pass larastan
isolated (0 errors).

2026-05-23 10:16:46 +03:00

Дмитрий

9765ed760d

phase2(reports-stage3): retry/cancel/destroy + reports:cleanup-expired cron

- ReportJobController +3 endpoints под auth:sanctum:
  - POST /api/reports/jobs/{id}/retry — CTO-6: только owner+failed, max 3 попытки
    (parameters.retry_count), окно 7 дней с created_at, квота CTO-7 учитывается;
    создаёт НОВЫЙ ReportJob (parameters.retry_of=original.id) + dispatch.
  - POST /api/reports/jobs/{id}/cancel — только owner+pending; status=failed +
    error_message=«Отменено пользователем.» + finished_at=NOW.
  - DELETE /api/reports/jobs/{id} — только owner+terminal (done|failed); удаляет
    файл из disk('local') + row.
- toResource +3 поля: is_expired (expires_at < NOW), retry_count, retry_max=3.
- App\Console\Commands\ReportsCleanupExpired (cron `reports:cleanup-expired`):
  где status='done' AND expires_at < NOW AND file_path IS NOT NULL → delete file
  + UPDATE file_path=NULL. CTO-10: status='done' СОХРАНЯЕТСЯ. failed-jobs
  игнорируются. --dry-run + --limit=1000. Запуск ежесуточно через Task Scheduler.
- routes/web.php: новые 3 routes под существующим prefix /api/reports/jobs.
- Pest +21 в ReportLifecycleTest.php (всего 403/403, +21 от 382, 1343 assertions):
  retry 8 (404 unknown/foreign / 403 не владелец / 422 не failed / success+new+
  retry_count=1+retry_of / 422 max retries / 422 окно 7 дней / 422 квота 3) +
  cancel 4 (404 / 422 не pending / success / 403 не владелец) + destroy 5
  (404 / 422 pending / 403 не владелец / success+file / success+file_path=NULL)
  + index +1 (is_expired/retry_count/retry_max в response) + cron 3 (удаление
  expired+CTO-10 status сохраняется / --dry-run / failed игнорируются).
- phpstan-baseline регенерирован.

Этап 3/4 эпика Reports backend (закрыт). Этап 4: frontend integration —
заменить mock в ReportsView на реальный API + UI кнопки retry/cancel/delete.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-09 13:44:09 +03:00

2 Commits