Commit Graph

26 Commits (44120a7e2cb2404f8fa3aa3fc83aadd56aef30e9)

Author SHA1 Message Date
Council 44120a7e2c council(finalize): resolve plan.md merge conflict, integrate BackendArchitect report
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-20 19:21:45 +08:00
Council 7a14acf6bc council(review): SecurityEngineer - Round 2 security audit complete: root cause located + fix recommendations
Root cause: AdminGoodsSaveHandle.php:77 - $r['id'] has no null safety
Secondary: Line 71 - $template['seat_map'] is accessed directly after find() returns null
Report: reviews/SecurityEngineer-AUDIT.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:56:52 +08:00
Council 6c35ac5c0f Merge branch 'council/BackendArchitect' 2026-04-20 09:56:20 +08:00
Council 8211419400 council(review): BackendArchitect - approve DebugAgent ROOT_CAUSE report
- Confirms Primary/Secondary/Tertiary root causes
- Notes array_column(null) PHP 8.0+ warning finding
- No conflicts with BackendArchitect findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:56:16 +08:00
Council 4b48e4648e council(review): DebugAgent - Task 10-11 complete, ROOT_CAUSE report
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:54:31 +08:00
Council 9d111541af council(draft): DebugAgent - Round 1 static analysis + supplement plan.md + Task 9-11
- Add analysis of PHP 8+ ?? behaviour
- Add reviews/DebugAgent-PRELIMINARY.md
- plan.md: add Task 9-11 (DebugAgent Round 2)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:51:04 +08:00
Council 3799b2bc92 council(review): BackendArchitect - Issue #13 root cause located: AdminGoodsSaveHandle.php:77
- Primary: $r['id'] has no null safety (inside the array_filter callback) → "Undefined array key 'id'"
- Secondary: $template['seat_map'] is accessed directly after find() returns null
- Tertiary: selected_rooms type mismatch fails silently
- Ruled out: table prefix issue (both Db::name and BaseService::table query vrt_vr_seat_templates)
- Ruled out: SeatSkuService::BatchGenerate has correct null-safety handling

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:48:53 +08:00
Council 04766c2424 council(draft): BackendArchitect - create debug plan for "Undefined array key 'id'" error
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 09:46:29 +08:00
Council 496271c468 council(review): Architect - completed review of three documents, output Top 3 correction recommendations
Top 3 issues:
1. `{include}` tag verification status not closed out (committed ≠ verified)
2. DEVELOPMENT_LOG: the two Git timelines are not joined up
3. Test data goods_id appears with three different values across documents

See reviews/Architect-DOC-SUMMARY.md for details

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 05:29:36 +08:00
Council ce20d2b430 council(review): BackendArchitect - completed review of three documents
- reviews/BackendArchitect-on-14_TEMPLATE_RENDER_INVESTIGATION.md
- reviews/BackendArchitect-on-PHASE2_PLAN.md
- reviews/BackendArchitect-on-DEVELOPMENT_LOG.md
- reviews/BackendArchitect-DOCUMENTATION_REVIEW_SUMMARY.md

Top 3 issues:
1. vr_seat_templates table name prefix inconsistent (docs/14)
2. docs/14 lacks an explanation of how the Phase 1 and Phase 2 modification approaches relate
3. DEVELOPMENT_LOG.md 11.3 Git snapshot is outdated

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 05:28:58 +08:00
Council 35c10a7f66 council(security): SecurityEngineer - add missing VenueList methods + security audit
Security findings:
- SQL injection: LOW (query builder + parameter binding)
- XSS: LOW (ThinkPHP auto-escape, no |raw detected)
- Path traversal: LOW (all view paths hardcoded)
- CSRF: MEDIUM (ShopXO framework-level gap, out of scope for plugin)

Critical fix: admin/Admin.php was missing VenueList(), VenueSave(),
VenueDelete() — sidebar URL "/plugins/vr_ticket/admin/venueList" would
return 500 error. Added all three methods with v3.0 seat_map support.

P1 garbled name: documented DB fix SQL for shx_plugins + vrt_power tables.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 08:53:41 +08:00
Council 5b80e775bb council(review): BackendArchitect - Review FrontendDev P1 submit() refactor
[PASS] Interface contract: specBaseIdMap['A_1'] = int ✓
[PASS] goods_params: stock=1, seat-level spec_base_id ✓
[PASS] Fallback strategy for Plan B transition ✓
[PASS] Seat label format matches backend regex ✓
[PASS] Price sources align between frontend and backend ✓

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 20:12:12 +08:00
Council 3b3dde5b32 chore: remove redundant duplicates (old plugin dir, shopxo-modifications, view/, reviews/, plan.md)
All vr_ticket code now lives in shopxo/app/plugins/vr_ticket/
Goods.php modification lives in shopxo/app/index/controller/Goods.php
ARCHITECTURE.md is the single source of truth
2026-04-15 13:43:13 +08:00
Council ad2eb780e4 council(finalize): FrontendDev - resolve plan.md conflict, Finalize phase complete
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:52 +08:00
Council 90602c11bc council(finalize): FrontendDev - merge three-party review plan, resolve plan.md conflict
Merge review results from SecurityEngineer + BackendArchitect + FrontendDev
Generate complete issue summary table (13 issues + 8 suggestions + P0-P2 fix priorities)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:54 +08:00
Council 12e028eb8c council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authentication completely missing (verifier_id is client-controlled)
- ALTER TABLE conditional logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
- Findings summary table: 5 critical + 7 medium + 4 minor + 5 suggestions
- Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:39 +08:00
Council c9b1066d98 council(finalize): BackendArchitect - Round 2 in-depth review report, final version
New findings:
- Admin API authentication completely missing (verifier_id is client-controlled)
- ALTER TABLE conditional logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report

Overall score: 4.5/10 (4 P0 fix items, 5 P1 fix items)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:53 +08:00
Council 826a39f610 council(review): FrontendDev - completed vr-shopxo-plugin frontend code review report
Review findings: 2 critical (S-01 price tampering / S-02 XSS), 4 medium, 3 minor, 4 suggestions
Cross-confirmation: highly consistent with the SecurityEngineer / BackendArchitect reports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:04 +08:00
Council 723bfc28f3 council(review): SecurityEngineer - cross-review BackendArchitect's code report
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:09 +08:00
Council 6f26816277 Merge branch 'council/BackendArchitect' 2026-04-15 09:18:42 +08:00
Council 11fa6ccfdb council(draft): BackendArchitect - output vr-shopxo-plugin architecture review report
Critical issues found:
- onOrderPaid() not idempotent (concurrent duplicate ticket issuance)
- verifyTicket() TOCTOU race condition
- QR Secret default key hardcoded
- |raw XSS vulnerability (goods.simple_desc)
- Ticket purchase parameters have no server-side validation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:18:34 +08:00
Council 6664be6cc8 council(draft): SecurityEngineer - complete security review for vr-shopxo-plugin
Findings: 1 critical (onOrderPaid race condition), 5 medium, 3 low, 4 suggestions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:17:08 +08:00
Council 852623fc9f docs: complete development log DEVELOPMENT_LOG.md
- Full record covering 2026-04-13 research → 2026-04-15 Phase 0/1 completion
- Requirements background + tech stack decisions
- ShopXO plugin mechanism research conclusions
- Phase 0 plugin skeleton (14 files + 4 tables + test data)
- Phase 1 Goods.php modification approach + browser verification screenshots
- Council deliberation records
- Key decisions consolidation table
- Phase 2/3/4 next-step plan
- Clean up obsolete review files
2026-04-15 09:12:32 +08:00
Council a052d812ad council(draft): PM - PM Q1-Q4 review output 2026-04-14 18:21:32 +08:00
Council dd538ba08e fix: explicitly allow minimal-scope modification of ShopXO source code (MIT license), prioritizing progress 2026-04-14 14:10:59 +08:00
Council b713cd73c3 council(finalize): backend-reviewer - execute T6/T8/T9, vote YES
- T6: Confirm payment callback hook plugins_service_buy_order_insert_success
- T8: Supplement verifier permission validation (vr_verifiers whitelist)
- T9: Supplement vr_events/vr_sessions DDL (complete, indexed)
- Review pm-reviewer output: concurrent control already covered in 03 §9
- Vote: [CONSENSUS: YES] - docs ready for coding

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 14:09:56 +08:00