Council
5a047936e6
council(draft): BackendArchitect - sync Q3/Q4 status (FrontendDev confirmed all)
...
- Q3 confirmed done by FrontendDev ($vr- prefix safe)
- Q4 confirmed done by FrontendDev (Plan A recommended)
- Updated analysis sections
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:22:37 +08:00
Council
c2770e5e64
Merge branch 'council/BackendArchitect'
2026-04-15 19:21:13 +08:00
Council
bdfcb80d8c
council(draft): BackendArchitect - Round 2 Q1/Q2 analysis (bulk SKU generation path + emergency fix)
...
Q1: ShopXO bulk SKU generation must bypass GoodsSpecificationsInsert(),
inserting directly via SQL INSERT into the three tables (sxo_goods_spec_type/base/value)
Q2: minimal fix set = UPDATE is_exist_many_spec + INSERT $vr- spec_type
Q4: recommend Plan A (each seat = SKU, ShopXO native oversell prevention)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:21:09 +08:00
Council
b7bccf65c1
council(round2): FrontendDev - Issue #9 Q4 final analysis + $vr- security confirmation
...
- Q4: explicitly recommend Plan A (each seat = SKU), verified against the code
- Found that the current ticket_detail.html submit() is in Plan B mode; specBaseIdMap is not wired in
- Q3: $vr- prefix confirmed safe (ThinkPHP {$var} escapes by default; |raw only skips HTML escaping)
- Q2: minimal fix path from the frontend perspective (spec_base generation + loadSoldSeats API)
- Updated action items: P2 refactor submit() to wire in specBaseIdMap; P3 Hook to hide plugin SKUs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:20:22 +08:00
Council
0316a8101c
council(merge): FrontendDev - resolve conflict, merge Issue #9 combined plan
...
- Combine BackendArchitect skeleton + FrontendDev detailed analysis
- Add SecurityEngineer Q2/Q3/Q4 preliminary judgments
- Retain all Phase 2 audit results in plan
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:16:49 +08:00
Council
d7ee522c41
council(merge): resolve conflict - merge all Phase 2 results + Issue #9 plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:15:33 +08:00
Council
6b8f3ec0de
council(draft): FrontendDev - Issue #9 plan.md: architecture decision review plan
...
Round 1 output:
- Q1: Plan A bulk SKUs is feasible but needs a separate management page
- Q2: minimal fix set = Hook injects is_exist_many_spec=1
- Q3: $vr- prefix is low risk; frontend rendering needs confirmation by live testing
- Q4: recommend Plan A (each seat = SKU); security and consistency first
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:15:32 +08:00
Council
85b1575a5c
council(merge): resolve conflict and merge Issue #9 plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:58 +08:00
Council
f2dcd842dd
council(plan): BackendArchitect - add Issue #9 architecture decision plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:44 +08:00
Council
d9493500fb
council(draft): SecurityEngineer - add Issue #9 architecture decision plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:39 +08:00
Council
829564b019
docs: add SPEC_DESIGN_DECISION - architecture decision log for Issue #9
...
Records the core finding from P0-2 discussion:
- ShopXO SPEC system: multi-dimension cross-product generates SKUs
- Original design: each seat = SPEC, stock=1, ShopXO native oversell prevention
- Current implementation: zone-level spec_base_id, bypasses ShopXO validation
- Two architecture options documented, decision pending
2026-04-15 18:51:51 +08:00
Council
098bcfe780
fix(P0): P0-1 idempotent ticket issuance, P0-3 XSS, P0-4 QR secret exception
...
P0-1: issueTicket() now checks for existing tickets by (order_id, spec_base_id)
before inserting. Prevents duplicate tickets on HTTP retry/multi-instance.
P0-3: Removed |raw from simple_desc and content in ticket_detail.html.
Prevents stored XSS via malicious admin content injection.
P0-4: getQrSecret() now throws exception if VR_TICKET_QR_SECRET is unset,
instead of falling back to insecure default key.
2026-04-15 16:59:22 +08:00
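The P0-1 and P0-4 fixes above describe two patterns worth seeing in code: issue-at-most-once keyed on (order_id, spec_base_id), and a QR secret that fails closed instead of falling back to a default. The following is an added example written for this log; it is not the vr_ticket plugin's own code. It assumes ThinkPHP 6's Db facade, a vr_tickets table with a UNIQUE KEY on (order_id, spec_base_id), the column names shown, and the VR_TICKET_QR_SECRET environment variable named in the commit. It goes one step beyond the commit's pre-insert check: that check alone still races across instances, so the unique key is what actually arbitrates, and the duplicate-key error is treated as "already issued".

```php
<?php
// Added example, not the plugin's code. Assumes ThinkPHP 6 Db facade, a
// vr_tickets table with UNIQUE KEY (order_id, spec_base_id), and the column
// names below; the VR_TICKET_QR_SECRET variable name comes from the commit.
declare(strict_types=1);

use think\facade\Db;

final class TicketIssuer
{
    /**
     * Issue at most one ticket per (order_id, spec_base_id).
     * The pre-check short-circuits the common HTTP-retry case; the UNIQUE KEY
     * is what makes two concurrent instances agree, so a duplicate-key error
     * means "another instance already issued it", not a failure.
     */
    public static function issueTicket(int $orderId, int $specBaseId, int $userId): int
    {
        $where = ['order_id' => $orderId, 'spec_base_id' => $specBaseId];

        $existing = Db::name('vr_tickets')->where($where)->value('id');
        if ($existing !== null) {
            return (int) $existing;
        }

        try {
            return (int) Db::name('vr_tickets')->insertGetId([
                'order_id'     => $orderId,
                'spec_base_id' => $specBaseId,
                'user_id'      => $userId,
                'status'       => 0,
                'created_at'   => time(),
            ]);
        } catch (\Exception $e) {
            // MySQL error 1062 text; ThinkPHP wraps the PDOException, so match
            // on the message rather than on a wrapper-specific code (assumption).
            if (strpos($e->getMessage(), 'Duplicate entry') !== false) {
                return (int) Db::name('vr_tickets')->where($where)->value('id');
            }
            throw $e;
        }
    }

    /** Fail closed: no secret means no QR codes, never a built-in default key. */
    public static function getQrSecret(): string
    {
        $secret = getenv('VR_TICKET_QR_SECRET');
        if ($secret === false || strlen($secret) < 32) {
            throw new \RuntimeException('VR_TICKET_QR_SECRET is unset or shorter than 32 bytes');
        }
        return $secret;
    }

    /** HMAC the ticket payload so a verifier can reject forged or altered QR codes. */
    public static function qrPayload(int $ticketId, int $orderId): string
    {
        $body = $ticketId . ':' . $orderId;
        return $body . ':' . hash_hmac('sha256', $body, self::getQrSecret());
    }

    /** Constant-time check of a scanned payload; returns the ticket id or null. */
    public static function parseQrPayload(string $payload): ?int
    {
        $parts = explode(':', $payload);
        if (count($parts) !== 3) {
            return null;
        }
        [$ticketId, $orderId, $mac] = $parts;
        $expected = hash_hmac('sha256', $ticketId . ':' . $orderId, self::getQrSecret());
        return hash_equals($expected, $mac) ? (int) $ticketId : null;
    }
}
```

The unique key is the part that matters under a multi-instance deployment: without it the check-then-insert in issueTicket() is exactly the TOCTOU shape the review flagged for verifyTicket().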
Council
9171046435
fix(migration): add missing indexes + fix ALTER TABLE PDOStatement bug
...
- vr_tickets: add idx_created_at and idx_spec_base_id indexes
- vr_verifications: add idx_verified_at index
- fix PDOStatement+empty() bug → use rowCount() instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 15:51:11 +08:00
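The "PDOStatement + empty()" bug fixed above is easy to reintroduce: PDO::query() returns a PDOStatement object, which is never empty(), so an "add column if missing" guard written that way never fires. Below is an added example, not the plugin's migration code, showing the buggy shape beside a guard that works; the table, column and DSN are assumptions. It also avoids the rowCount() route the commit took, since PDO does not guarantee rowCount() for SELECT statements on every driver.

```php
<?php
// Added example, not the plugin's code. Table/column names and the DSN are assumptions.
declare(strict_types=1);

function columnExists(PDO $pdo, string $table, string $column): bool
{
    // information_schema takes bound parameters; SHOW COLUMNS ... LIKE would need
    // the identifier interpolated into the statement.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM information_schema.COLUMNS
          WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ? AND COLUMN_NAME = ?'
    );
    $stmt->execute([$table, $column]);
    return (int) $stmt->fetchColumn() > 0;
}

/** Returns true if the column was added, false if it already existed (idempotent re-run). */
function addColumnIfMissing(PDO $pdo, string $table, string $column, string $definition): bool
{
    // Identifiers cannot be bound parameters; whitelist them before splicing into DDL.
    foreach ([$table, $column] as $ident) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $ident)) {
            throw new InvalidArgumentException("unsafe identifier: $ident");
        }
    }
    if (columnExists($pdo, $table, $column)) {
        return false;
    }
    // $definition is developer-authored DDL from the migration file, never request input.
    $pdo->exec("ALTER TABLE `$table` ADD COLUMN `$column` $definition");
    return true;
}

// Buggy shape the commit replaced, kept for contrast (do not use):
//   $cols = $pdo->query("SHOW COLUMNS FROM `vr_tickets` LIKE 'spec_base_id'");
//   if (empty($cols)) { ... }   // never reached: $cols is a PDOStatement object
// The commit's minimal fix was $cols->rowCount() === 0; fetchColumn() on a COUNT(*)
// is used above because rowCount() on SELECT is driver-dependent.

// Usage (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=shopxo', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// addColumnIfMissing($pdo, 'vr_tickets', 'spec_base_id', 'INT UNSIGNED NOT NULL DEFAULT 0');
```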
Council
5dcf4286c8
docs: add Phase 2 development log + research archive
...
- PHASE2_DEVELOPMENT_LOG.md: complete deliverables list, fix records, security audit
- PHASE2_RESEARCH_ARCHIVE.md: archive of Council research directions (BR-1~BR-5 / R-1~R-5 / FR-1~FR-5)
- .gitignore: exclude the .worktrees/ directory
2026-04-15 14:59:30 +08:00
Council
deacdedb01
council(execute): BackendArchitect - restore view files from merge conflict
...
Resolve Round 4 merge conflict by restoring verifier views and ticket
detail from commit 6f49b8355. All 7 admin view files now confirmed on main.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:23:16 +08:00
Council
59928d1196
Merge council/FrontendDev: complete admin views + export button fix
...
Resolves merge conflicts:
- Verifier.php: keep parent (CONCAT fix, fetch-then-map pattern)
- ticket/detail.html, verifier/list.html, verifier/save.html: stage as-is (no conflict markers)
2026-04-15 14:21:46 +08:00
Council
b9ef6ef675
council(execute): BackendArchitect - fix Verification.php column() bug + S4 audit log design
...
- Fix Verification.php:55 - ThinkPHP column() does not support multi-field
mapping; replaced with select() + PHP foreach to build id-keyed array
- Add complete S4 audit log design to plan.md:
- vr_audit_log table already exists in EventListener.php
- AuditService interface design (log/getAdminContext/makeRequestId)
- Integration points table for all sensitive operations
- Append-only tamper-proof strategy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:20:14 +08:00
Council
2a6d7bdbf7
council(execute): FrontendDev - Round 4: export button fix + mark Phase 2 complete
...
- Fix P1 bug: ticket/list.html export button (GET→POST form) matching IS_AJAX_POST
- Mark all plan.md tasks complete (seat templates, tickets, verifiers, verifications views)
- BackendArchitect: AuditService.php (S4 design), Verifier.php CONCAT fix, Verification.php column() fix
- BackendArchitect: SeatTemplate.php countSeats fix, TicketService.php transaction fix
- BackendArchitect: EventListener.php audit_log table added
- SecurityEngineer: S1-S5 security audit complete
- [CONSENSUS: YES] all three agents vote YES
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:20:03 +08:00
Council
1d24075f4c
Merge council/BackendArchitect: add missing verifier views + fix Verifier.php CONCAT bug
2026-04-15 14:12:24 +08:00
Council
255c8ed2bf
council(review): SecurityEngineer - Phase 2 security audit complete + P1 Verifier.php fix
...
Security audit findings (Task S1/S2/S3/S5 done):
- Task S1: Admin auth chain verified (Base extends Common OK)
- Task S2: SQL injection audit complete (no injection, P1 code bug found)
- FIXED: Verifier.php:45 CONCAT column() syntax error → select()+PHP concat
- Task S3: XSS/CSRF audit complete (no risk in admin context)
- Task S5: IDOR audit complete (admin context acceptable)
- Task S4 (audit log design): still pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:43 +08:00
Council
8ca3b2d67b
council(execute): FrontendDev - merge Round 3 view files to main
...
FrontendDev Round 3 deliverables:
- All 7 admin view files (new + URL fixes)
- Resolve plan.md conflict: keep merged version + add Round 3 summary
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:36 +08:00
Council
6f49b8355c
council(execute): BackendArchitect - add missing verifier views + fix CONCAT bug in Verifier.php
...
Round 3 completed:
- NEW: verifier/list.html (Layui table + search + enable/disable)
- NEW: verifier/save.html (user select + name + status form)
- NEW: ticket/detail.html (QR code + manual verify form)
- FIX: Verifier.php CONCAT column() → select() + PHP concat (P1)
- FIX: Ticket.php detail() adds $verifiers list for detail.html
- UPDATE: plan.md marks B1~B5 Done, S1~S5 pending SecurityEngineer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:35 +08:00
Council
649ae484e8
council(execute): FrontendDev - Round 3: complete all admin view files
...
- Fix all MyUrl() → PluginsAdminUrl() in seat_template/list.html, save.html
- Fix ticket/list.html + verification/list.html URLs
- Create ticket/detail.html (QR code, ticket info, goods/verifier linkage)
- Create verifier/list.html (search, status filter, disable)
- Create verifier/save.html (user select, name, status toggle)
- Update plan.md task status
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:10:33 +08:00
Council
a604c81b5a
council(review): SecurityEngineer - Phase 2 security audit report (S1/S2/S3/S5 complete)
...
- Task S1: Admin auth chain verified — Base extends Common OK
- Task S2: SQL injection audit complete — no injection found
- NEW P1 bug: Verifier.php:45 CONCAT column() syntax error (needs PHP fix)
- Task S3: XSS/CSRF audit complete — no risk in admin context
- Task S5: IDOR audit complete — admin context acceptable
- Task S4 (audit log design) remains pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:09:41 +08:00
Council
75510529b3
Merge branch 'council/BackendArchitect'
2026-04-15 14:03:13 +08:00
Council
b768d34dff
council(execute): BackendArchitect - fix P0/P1 blocking issues in Phase 2
...
[P0] Fix plugin Base controller to extend ShopXO Common class:
- Now extends Common instead of standalone class
- Automatically gets IsLogin() + IsPower() + ViewInit()
- All child controllers (SeatTemplate/Ticket/Verifier/Verification) inherit fix
[P1] Fix code bugs found during codebase analysis:
- Verifier.php: column('nickname|username', 'id') → CONCAT SQL (syntax error)
- SeatTemplate.php: countSeats() wrong logic (count × rows → per-row scan)
- Ticket.php: verify() returned view on POST → always JSON
- Ticket.php: detail() returned view on error → JSON
- SeatTemplate.php: delete() returned view on POST → JSON, plus soft-delete
[P1] Fix verifyTicket() in TicketService:
- Wrap in Db::transaction() for atomicity
- Add SELECT ... FOR UPDATE pessimistic lock to prevent double-verify
- Add try/catch with error logging
[P2] Fix export() memory issue:
- Replace select() with cursor() to avoid OOM on large datasets
Also: update plan.md with Round 2 findings, claim Task B1/B2/B3/B5
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:03:00 +08:00
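The [P1] verifyTicket() fix above (Db::transaction() plus SELECT ... FOR UPDATE) is the standard answer to the TOCTOU race the review reported; the shape below is an added example written for this log, not the plugin's TicketService code. It assumes ThinkPHP 6's Db facade on InnoDB tables vr_tickets and vr_verifications, a status column where 0 = unused and 1 = verified, and the other column names shown. One caveat the review's own finding supports: $verifierId must come from the authenticated admin session, never from the request body, or the lock protects a value the client chose.

```php
<?php
// Added example, not the plugin's code. Assumes ThinkPHP 6 Db facade, InnoDB
// tables vr_tickets / vr_verifications, and the column names below.
declare(strict_types=1);

use think\facade\Db;
use think\facade\Log;

final class TicketVerifier
{
    /**
     * Mark a ticket as verified exactly once.
     *
     * The read runs as SELECT ... FOR UPDATE inside the transaction, so a second
     * verifier scanning the same ticket blocks on the row lock and then observes
     * status = 1 instead of racing the check. $verifierId is the server-side
     * identity of the logged-in verifier, not a request parameter.
     */
    public static function verifyTicket(int $ticketId, int $verifierId): array
    {
        try {
            return Db::transaction(function () use ($ticketId, $verifierId): array {
                $ticket = Db::name('vr_tickets')
                    ->where('id', $ticketId)
                    ->lock(true)                 // emits FOR UPDATE
                    ->find();

                if ($ticket === null) {
                    return ['code' => -1, 'msg' => 'ticket not found'];
                }
                if ((int) $ticket['status'] !== 0) {
                    return ['code' => -2, 'msg' => 'ticket already verified'];
                }

                $now = time();
                // Conditional UPDATE as a second guard: under FOR UPDATE this cannot
                // affect zero rows, but it turns any locking mistake into a loud failure.
                $updated = Db::name('vr_tickets')
                    ->where(['id' => $ticketId, 'status' => 0])
                    ->update(['status' => 1, 'verified_at' => $now, 'verifier_id' => $verifierId]);
                if ($updated !== 1) {
                    throw new \RuntimeException('lost update on ticket ' . $ticketId);
                }

                Db::name('vr_verifications')->insert([
                    'ticket_id'   => $ticketId,
                    'verifier_id' => $verifierId,
                    'verified_at' => $now,
                ]);

                return ['code' => 0, 'msg' => 'ok'];
            });
        } catch (\Throwable $e) {
            // transaction() has already rolled back; log with context, return a
            // generic error so exception text never reaches the client.
            Log::error('verifyTicket failed', ['ticket_id' => $ticketId, 'error' => $e->getMessage()]);
            return ['code' => -99, 'msg' => 'verification failed'];
        }
    }
}
```

Returning an array rather than a view keeps the method JSON-only, which matches the Ticket.php verify() change listed in the same commit.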
Council
aeb3f9d353
fix(P0): vr_ticket Base - inherit ShopXO Common for full auth chain
...
- Change plugin Base from standalone to extend Common
- Call IsLogin() + IsPower() + FormTableInit() explicitly (avoids
full ViewInit which is unnecessary for API/admin controllers)
- Documents permission node format: plugins_vr_ticket-{controller}-{action}
- Fixes R1 P0: bypassed auth chain (only LoginInfo, missing IsPower)
- Also fixes all child controllers since they call parent::__construct()
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:00:20 +08:00
Council
ecfb21faad
council(draft): BackendArchitect - merge plan.md from main, resolve conflict with latest version
2026-04-15 13:58:44 +08:00
Council
1c4454723d
council(draft): BackendArchitect - add backend research directions (BR-1~BR-5) to merged plan
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:56:15 +08:00
Council
8b5ec70bc8
council(draft): FrontendDev - merge SecurityEngineer + FrontendDev plan.md, resolve conflicts
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:55:02 +08:00
Council
b9f3414e3c
council(draft): FrontendDev - create plan.md with Phase 2 research directions
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:48 +08:00
Council
896df3210e
council(draft): BackendArchitect - create Phase 2 research plan with backend direction list
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:44 +08:00
Council
a92cafe33c
council(draft): SecurityEngineer - create plan.md with Phase 2 security research directions
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:39 +08:00
Council
3b3dde5b32
chore: remove redundant duplicates (old plugin dir, shopxo-modifications, view/, reviews/, plan.md)
...
All vr_ticket code now lives in shopxo/app/plugins/vr_ticket/
Goods.php modification lives in shopxo/app/index/controller/Goods.php
ARCHITECTURE.md is the single source of truth
2026-04-15 13:43:13 +08:00
Council
1afd547444
feat: import ShopXO v6.8.0 sourcecode (vendor/runtime excluded)
...
- ShopXO core + plugins/vr_ticket
- Goods.php item_type=ticket routing (Phase 1)
- vr_ticket plugin skeleton (Phase 0/1)
- Admin auth Base controller (Phase 2)
- All Phase 0/1/2 code included
Closes: tracks all ShopXO core modifications in monorepo
2026-04-15 13:09:44 +08:00
Council
d0a2a1193c
feat(Phase 2): add Base controller + extend all admin controllers, add BaseService
2026-04-15 13:08:56 +08:00
Council
3949f91622
fix(Phase 2): SeatTemplate extends Base controller for proper auth
2026-04-15 13:08:46 +08:00
Council
ad2eb780e4
council(finalize): FrontendDev - resolve plan.md conflict, Finalize phase complete
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:52 +08:00
Council
66e34a357c
council(finalize): FrontendDev - resolve plan.md merge conflict, mark Consensus YES
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:30:00 +08:00
Council
d1d7d080b3
council(finalize): FrontendDev - plan.md Finalize phase marked complete
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:29:10 +08:00
Council
967ed8cebb
council(finalize): FrontendDev - merge the three-party review plans, consolidate the issue summary table
...
Three-party review reports completed:
- SecurityEngineer: 1 critical + 5 medium + 3 minor + 4 suggestions
- BackendArchitect: 5 critical + 4 medium + 4 minor + 5 suggestions
- FrontendDev: 2 critical + 4 medium + 3 minor + 4 suggestions
Consolidated into a unified issue summary table (4 critical + 7 medium + 5 minor + 8 suggestions)
P0-P2 fix priorities defined
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:27:46 +08:00
Council
a83d48d8bd
council: resolve plan.md conflict - use BackendArchitect Round 2 version
2026-04-15 09:26:31 +08:00
Council
90602c11bc
council(finalize): FrontendDev - merge the three-party review plans, resolve plan.md conflict
...
Merge the three-party review results from SecurityEngineer + BackendArchitect + FrontendDev
Generate the complete issue summary table (13 issues + 8 suggestions + P0-P2 fix priorities)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:54 +08:00
Council
12e028eb8c
council(finalize): BackendArchitect - Round 2 in-depth review report, final draft
...
New findings:
- Admin API authorization entirely missing (verifier_id is client-controlled)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
- Findings summary table: 5 critical + 7 medium + 4 minor + 5 suggestions
- Overall score: 4.5/10 (4 P0 fixes, 5 P1 fixes)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:25:39 +08:00
Council
c9b1066d98
council(finalize): BackendArchitect - Round 2 in-depth review report, final draft
...
New findings:
- Admin API authorization entirely missing (verifier_id is client-controlled)
- ALTER TABLE condition logic error (empty($cols) is never true)
- seatInfo.classes HTML attribute injection risk
- renderSessions() spec_base_id assignment bug
- Cross-review conclusions against the SecurityEngineer report
Overall score: 4.5/10 (4 P0 fixes, 5 P1 fixes)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:53 +08:00
Council
826a39f610
council(review): FrontendDev - complete the vr-shopxo-plugin frontend code review report
...
Review findings: 2 critical (S-01 price tampering / S-02 XSS), 4 medium, 3 minor, 4 suggestions
Cross-confirmed: highly consistent with the SecurityEngineer / BackendArchitect reports
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:24:04 +08:00
Council
592dbe6945
council(review): SecurityEngineer - update plan.md to Finalize phase
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:42 +08:00
Council
723bfc28f3
council(review): SecurityEngineer - cross-review BackendArchitect's code report
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:21:09 +08:00
Council
6f26816277
Merge branch 'council/BackendArchitect'
2026-04-15 09:18:42 +08:00
Council
11fa6ccfdb
council(draft): BackendArchitect - produce the vr-shopxo-plugin architecture review report
...
Critical issues found:
- onOrderPaid() is not idempotent (concurrent duplicate ticket issuance)
- verifyTicket() TOCTOU race condition
- QR Secret default key hard-coded
- |raw XSS vulnerability (goods.simple_desc)
- Ticket purchase parameters not validated server-side
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 09:18:34 +08:00