Commit Graph

92 Commits (2a6d7bdbf75f805500162fd10c82d8dc54bdfea3)

Author SHA1 Message Date
Council 2a6d7bdbf7 council(execute): FrontendDev - Round 4: export button fix + mark Phase 2 complete
- Fix P1 bug: ticket/list.html export button (GET→POST form) matching IS_AJAX_POST
- Mark all plan.md tasks complete (seat templates, tickets, verifiers, verifications views)
- BackendArchitect: AuditService.php (S4 design), Verifier.php CONCAT fix, Verification.php column() fix
- BackendArchitect: SeatTemplate.php countSeats fix, TicketService.php transaction fix
- BackendArchitect: EventListener.php audit_log table added
- SecurityEngineer: S1-S5 security audit complete
- [CONSENSUS: YES] all three agents vote YES

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:20:03 +08:00
Council 1d24075f4c Merge council/BackendArchitect: add missing verifier views + fix Verifier.php CONCAT bug 2026-04-15 14:12:24 +08:00
Council 255c8ed2bf council(review): SecurityEngineer - Phase 2 security audit complete + P1 Verifier.php fix
Security audit findings (Task S1/S2/S3/S5 done):
- Task S1: Admin auth chain verified (Base extends Common OK)
- Task S2: SQL injection audit complete (no injection, P1 code bug found)
  - FIXED: Verifier.php:45 CONCAT column() syntax error → select()+PHP concat
- Task S3: XSS/CSRF audit complete (no risk in admin context)
- Task S5: IDOR audit complete (admin context acceptable)
- Task S4 (audit log design): still pending

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:43 +08:00
Council 8ca3b2d67b council(execute): FrontendDev - merge Round 3 view files to main
FrontendDev Round 3 deliverables:
- All 7 admin view files (new + URL fixes)
- Resolve plan.md conflict: keep merged version + add Round 3 summary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:36 +08:00
Council 649ae484e8 council(execute): FrontendDev - Round 3: complete all admin view files
- Fix all MyUrl() → PluginsAdminUrl() in seat_template/list.html, save.html
- Fix ticket/list.html + verification/list.html URLs
- Create ticket/detail.html (QR code, ticket info, goods/verifier linkage)
- Create verifier/list.html (search, status filter, disable)
- Create verifier/save.html (user select, name, status toggle)
- Update plan.md task status

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:10:33 +08:00
Council a604c81b5a council(review): SecurityEngineer - Phase 2 security audit report (S1/S2/S3/S5 complete)
- Task S1: Admin auth chain verified — Base extends Common OK
- Task S2: SQL injection audit complete — no injection found
  - NEW P1 bug: Verifier.php:45 CONCAT column() syntax error (needs PHP fix)
- Task S3: XSS/CSRF audit complete — no risk in admin context
- Task S5: IDOR audit complete — admin context acceptable
- Task S4 (audit log design) remains pending

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:09:41 +08:00
Council 75510529b3 Merge branch 'council/BackendArchitect' 2026-04-15 14:03:13 +08:00
Council b768d34dff council(execute): BackendArchitect - fix P0/P1 blocking issues in Phase 2
[P0] Fix plugin Base controller to extend ShopXO Common class:
  - Now extends Common instead of standalone class
  - Automatically gets IsLogin() + IsPower() + ViewInit()
  - All child controllers (SeatTemplate/Ticket/Verifier/Verification) inherit fix

[P1] Fix code bugs found during codebase analysis:
  - Verifier.php: column('nickname|username', 'id') → CONCAT SQL (syntax error)
  - SeatTemplate.php: countSeats() wrong logic (count × rows → per-row scan)
  - Ticket.php: verify() returned view on POST → always JSON
  - Ticket.php: detail() returned view on error → JSON
  - SeatTemplate.php: delete() returned view on POST → JSON, plus soft-delete

[P1] Fix verifyTicket() in TicketService:
  - Wrap in Db::transaction() for atomicity
  - Add SELECT ... FOR UPDATE pessimistic lock to prevent double-verify
  - Add try/catch with error logging

[P2] Fix export() memory issue:
  - Replace select() with cursor() to avoid OOM on large datasets

Also: update plan.md with Round 2 findings, claim Task B1/B2/B3/B5

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:03:00 +08:00
Council aeb3f9d353 fix(P0): vr_ticket Base - inherit ShopXO Common for full auth chain
- Change plugin Base from standalone to extend Common
- Call IsLogin() + IsPower() + FormTableInit() explicitly (avoids
  full ViewInit which is unnecessary for API/admin controllers)
- Documents permission node format: plugins_vr_ticket-{controller}-{action}
- Fixes R1 P0: bypassed auth chain (only LoginInfo, missing IsPower)
- Also fixes all child controllers since they call parent::__construct()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:00:20 +08:00
Council ecfb21faad council(draft): BackendArchitect - merge plan.md from main, resolve conflict with latest version 2026-04-15 13:58:44 +08:00
Council 1c4454723d council(draft): BackendArchitect - add backend research directions (BR-1~BR-5) to merged plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:56:15 +08:00
Council 8b5ec70bc8 council(draft): FrontendDev - merge SecurityEngineer + FrontendDev plan.md, resolve conflicts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:55:02 +08:00
Council b9f3414e3c council(draft): FrontendDev - create plan.md with Phase 2 research directions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:48 +08:00
Council 896df3210e council(draft): BackendArchitect - create Phase 2 research plan with backend direction list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:44 +08:00
Council a92cafe33c council(draft): SecurityEngineer - create plan.md with Phase 2 security research directions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:39 +08:00
Council 3b3dde5b32 chore: remove redundant duplicates (old plugin dir, shopxo-modifications, view/, reviews/, plan.md)
All vr_ticket code now lives in shopxo/app/plugins/vr_ticket/
Goods.php modification lives in shopxo/app/index/controller/Goods.php
ARCHITECTURE.md is the single source of truth
2026-04-15 13:43:13 +08:00
Council 1afd547444 feat: import ShopXO v6.8.0 sourcecode (vendor/runtime excluded)
- ShopXO core + plugins/vr_ticket
- Goods.php item_type=ticket routing (Phase 1)
- vr_ticket plugin skeleton (Phase 0/1)
- Admin auth Base controller (Phase 2)
- All Phase 0/1/2 code included

Closes: tracks all ShopXO core modifications in monorepo
2026-04-15 13:09:44 +08:00
Council d0a2a1193c feat(Phase 2): add Base controller + extend all admin controllers, add BaseService 2026-04-15 13:08:56 +08:00
Council 3949f91622 fix(Phase 2): SeatTemplate extends Base controller for proper auth 2026-04-15 13:08:46 +08:00
Council ad2eb780e4 council(finalize): FrontendDev - resolve plan.md conflict, Finalize phase complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:52 +08:00
Council 66e34a357c council(finalize): FrontendDev - resolve plan.md merge conflict, mark Consensus YES
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:00 +08:00
Council d1d7d080b3 council(finalize): FrontendDev - plan.md Finalize phase marked complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:29:10 +08:00
Council 967ed8cebb council(finalize): FrontendDev - merge the three-party review plans, consolidate the issue summary table
Three-party review reports completed:
- SecurityEngineer: 1 critical + 5 medium + 3 minor + 4 suggestions
- BackendArchitect: 5 critical + 4 medium + 4 minor + 5 suggestions
- FrontendDev: 2 critical + 4 medium + 3 minor + 4 suggestions

Consolidated into a unified issue summary table (4 critical + 7 medium + 5 minor + 8 suggestions)
P0-P2 fix priorities defined

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:27:46 +08:00
Council a83d48d8bd council: resolve plan.md conflict - use BackendArchitect Round 2 version 2026-04-15 09:26:31 +08:00
Council 90602c11bc council(finalize): FrontendDev - merge the three-party review plans, resolve plan.md conflict
Merge the SecurityEngineer + BackendArchitect + FrontendDev three-party review results
Generate the complete issue summary table (13 issues + 8 suggestions + P0-P2 fix priorities)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:54 +08:00
Council 12e028eb8c council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authorization entirely missing (verifier_id is client-controlled)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
- Findings summary table: 5 critical + 7 medium + 4 minor + 5 suggestions
- Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:39 +08:00
Council c9b1066d98 council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authorization entirely missing (verifier_id is client-controlled)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report

Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:53 +08:00
Council 826a39f610 council(review): FrontendDev - complete the vr-shopxo-plugin frontend code review report
Review findings: 2 critical (S-01 price tampering / S-02 XSS), 4 medium, 3 minor, 4 suggestions
Cross-confirmation: highly consistent with the SecurityEngineer / BackendArchitect reports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:04 +08:00
Council 592dbe6945 council(review): SecurityEngineer - update plan.md to Finalize phase
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:42 +08:00
Council 723bfc28f3 council(review): SecurityEngineer - cross-review BackendArchitect's code report
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:09 +08:00
Council 6f26816277 Merge branch 'council/BackendArchitect' 2026-04-15 09:18:42 +08:00
Council 11fa6ccfdb council(draft): BackendArchitect - produce the vr-shopxo-plugin architecture review report
Critical issues found:
- onOrderPaid() is not idempotent (concurrent duplicate ticket issuance)
- verifyTicket() TOCTOU race condition
- QR Secret default key is hard-coded
- |raw XSS vulnerability (goods.simple_desc)
- Ticket purchase parameters have no server-side validation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:18:34 +08:00
Council 8efb090a00 Merge branch 'council/SecurityEngineer' into main
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:18:11 +08:00
Council 5497c11989 council(draft): SecurityEngineer - update plan.md with completed findings
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:17:42 +08:00
Council c16ab36080 Merge council/SecurityEngineer: security review report + updated plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:17:14 +08:00
Council 6664be6cc8 council(draft): SecurityEngineer - complete security review for vr-shopxo-plugin
Findings: 1 critical (onOrderPaid race condition), 5 medium, 3 low, 4 suggestions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:17:08 +08:00
Council 2ca5921b9d council(draft): merge SecurityEngineer + BackendArchitect review plans
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:15:16 +08:00
Council 529d3baafd council(draft): BackendArchitect - create vr-shopxo-plugin code review plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:14:35 +08:00
Council e0b2403486 council(draft): FrontendDev - Round 1 vr-shopxo-plugin code review plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:14:29 +08:00
Council b135b772ef council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:14:23 +08:00
Council 852623fc9f docs: complete development log DEVELOPMENT_LOG.md
- Covers the full record from 2026-04-13 research → 2026-04-15 Phase 0/1 completion
- Requirements background + tech stack decisions
- ShopXO plugin mechanism research conclusions
- Phase 0 plugin skeleton (14 files + 4 tables + test data)
- Phase 1 Goods.php modification approach + browser verification screenshots
- Council review records
- Key decisions lock-in table
- Phase 2/3/4 next-step plans
- Clean up obsolete review files
2026-04-15 09:12:32 +08:00
Council 7508bed11d docs: append vr-shopxo-plugin Phase 0/1 status record 2026-04-15 08:47:21 +08:00
Council 0f5a82d04c feat(Phase 1): ShopXO Goods.php modification (verified in practice)
Modified files:
- shopxo-modifications/app/index/controller/Goods.php

Changes:
- Add item_type=ticket check before return MyView()
- Query the seat template + pass goods_spec_data to the template
- Use a standalone ticket template

Verified by actual testing (goods 1 renders correctly after switching to the ticket type)
2026-04-15 08:46:45 +08:00
Council 34f7045956 feat(Phase 0): vr_ticket plugin skeleton complete
Generated content:
- plugin.json + EventListener.php (auto-creates tables on install)
- service/BaseService.php (AES encryption / QR generation / utility functions)
- service/TicketService.php (core: onOrderPaid ticket issuance / redemption)
- admin/controller/: SeatTemplate + Ticket + Verifier + Verification
- admin/view/: 4 admin list pages
- view/goods/ticket_detail.html (frontend ticket detail page, fully standalone UI)
- app/plugins/vr_ticket/README.md (installation instructions)
- docs/GOODS_PHP_MODIFICATION.md (Goods.php modification steps, updated paths)

Core principle: whatever is fastest; AI involvement 95%+
2026-04-15 08:15:51 +08:00
Council d5edb76f33 docs: add guiding principle + Goods.php modification guide
Core principle: whatever is fastest, whatever is most convenient, fewer changes and less complexity, modifying the core is fully allowed

- README.md: write in the core principle, update technical findings, mark the Goods.php approach as recommended
- docs/GOODS_PHP_MODIFICATION.md: concrete modification steps for the ticket template replacement (key Phase 2 document)
2026-04-15 08:03:37 +08:00
Council 1c6d32b4c1 docs: add ShopXO hooks reference (v6.8.0) - extracted from source
- All hooks from OrderService, GoodsService, Goods/Buy/User/Search controllers
- 100+ hooks with descriptions and VR ticket use cases
- Recommended hook strategy for payment callback + ticket generation
2026-04-15 05:00:24 +08:00
Council e7b7bf9b55 docs: add plugin mechanism + requirements mapping docs
- 07: ShopXO plugin dev core (config.json/hook/Event/BaseService/directory)
- 08: vr-shopxo-plugin requirements → ShopXO mechanism mapping
2026-04-15 04:44:48 +08:00
Council 536ef9e120 docs: add project kickoff report REPORT-KICKOFF.md (issue #5) 2026-04-15 00:19:42 +08:00
Council 8c6878ec99 council(draft): Architect - merge Round 1 architecture review conclusions, resolve conflicts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 18:57:58 +08:00
Council 9eae259444 council(draft): Architect - Round 1 architecture review conclusions (Q2+Q4)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 18:57:16 +08:00