d7d7b33c96
council(review): BackendArchitect - Fix 2 bugs in P0-A/B/P1 implementations
...
1. SeatSkuService: Fix regex in getExistingSpecBaseIds()
(\d+)排(\d+)座 → (\d+)排(\d)座
The original regex incorrectly captures 2 digit groups in "A排10座",
causing seatId parse failure for column >= 10.
2. ticket_detail.html: Fix specBaseIdMap access in submit()
(obj||{}).spec_base_id → direct numeric value
PHP returns integers (not objects), so drop the .spec_base_id accessor.
关联:Issue #9
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 20:05:08 +08:00
f76a9d5462
council(merge): merge BackendArchitect P0 into FrontendDev worktree
2026-04-15 20:04:36 +08:00
5e9c111370
council(draft): BackendArchitect - P0-A initGoodsSpecs + P0-B BatchGenerate
...
P0-A: BaseService::initGoodsSpecs() — 启用 is_exist_many_spec=1,
插入 $vr-场馆/$vr-分区/$vr-时段/$vr-座位号 四维规格类型,幂等保护
P0-B: 新建 SeatSkuService.php,含:
- BatchGenerate(): 批量生成座位级 SKU(500条/批,直接 SQL INSERT)
- UpdateSessionSku(): 按场次更新 $vr-时段 维度
- 幂等:已存在座位不重复生成
关联:Issue #9
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 20:00:29 +08:00
93b70d4d50
council(execute): FrontendDev - Issue #9 P1 submit() refactor (seat-level goods_params)
...
- renderSeatMap(): add data-row-label + data-col-num attrs for specBaseIdMap key format
- toggleSeat(): change seatKey from "0_0" (numeric) to "A_1" (label_colNum) to match specBaseIdMap
- removeSeat(): use [data-row-label][data-col-num] selector
- submit(): refactor from 1 goods_params (zone-level) to N entries (seat-level, stock=1)
- Plan B fallback: if specBaseIdMap[key] missing, use sessionSpecId
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:56:25 +08:00
a2fb70d216
council(merge): resolve conflict — adopt execution plan (Round 1 P0 fix)
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:52:54 +08:00
22afafa1e1
council(draft): BackendArchitect - Round 1 execution plan: P0-A/B + P1 tasks
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:52:21 +08:00
b4a94f832a
Merge branch 'council/FrontendDev'
2026-04-15 19:52:08 +08:00
1d7f600675
council(round4): FrontendDev - Issue #9 execution plan (P0/P1 task breakdown)
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:52:03 +08:00
a3ef16034e
docs: 甲方新需求文档(多座位单订单/核销码卡夹/ext必填字段/手机号订单级)
2026-04-15 19:40:44 +08:00
78b699eab4
council(merge): FrontendDev - Round 3 final decision (方案A)
...
Round 3 合并:
- council-output/ARCHITECTURE_DECISION.md: 汇总 Q1-Q4 三方分析 + 最终推荐
- plan.md v1.2: 全部 Q1-Q4 完成标记,consensus=YES
最终推荐: 方案A (每个座位一个ShopXO SKU)
- Q1: 直接 SQL INSERT 批量生成(旁路 GoodsSpecificationsInsert)
- Q2: 最小修复集 (UPDATE is_exist_many_spec + INSERT $vr- spec_type)
- Q3: $vr- 前缀低风险(ThinkPHP {$var} 默认转义)
- Q4: 三方一致推荐方案A
全票通过。
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:29:08 +08:00
e5814c3bd4
council(merge): resolve conflicts — accept BackendArchitect final versions
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:27:21 +08:00
62553ab9f7
council(finalize): plan.md update — all tasks done, Plan A unanimous
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:27:05 +08:00
0eb8adbf71
council(finalize): Issue #9 final ARCHITECTURE_DECISION.md — Plan A adopted unanimously
...
- Q1: Batch SKU via direct SQL INSERT (bypass GoodsSpecificationsInsert)
- Q2: Minimal fix (UPDATE is_exist_many_spec + INSERT \$vr- spec_type + idempotency)
- Q3: \$vr- prefix LOW risk confirmed
- Q4: All 3 members recommend Plan A (one SKU per seat)
- Action items assigned: P0 BatchGenerate, P0 Q2 fix, P1 idempotency, P2 isolation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:26:45 +08:00
cd975797e3
council(round3): FrontendDev - Issue #9 final decision report (方案A)
...
- Write council-output/ARCHITECTURE_DECISION.md with Q1-Q4 conclusions
- Update plan.md: mark Q3 done, final report done, consensus=YES
- Resolve rebase conflict from Round 2
- Final recommendation: 方案A (每座=SKU)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:26:37 +08:00
fe457eee23
council(round3): BackendArchitect - Round 3 final analysis + Q4 done, vote YES
...
- Q1: Batch SKU via direct SQL INSERT (bypass GoodsSpecificationsInsert)
- Q2: Solution B minimal fix (UPDATE is_exist_many_spec + INSERT $vr- spec_type + idempotency)
- Q3: $vr- prefix LOW risk (confirmed by SecurityEngineer + FrontendDev)
- Q4: All members recommend Plan A (one SKU per seat)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:25:26 +08:00
e4cf3a7711
council(round2): FrontendDev - Issue #9 Q4 final analysis + $vr- security confirmation
...
- Q4: 明确推荐方案 A(每座=SKU),经代码验证
- 发现当前 ticket_detail.html submit() 是 Plan B 模式,specBaseIdMap 未接入
- Q3: $vr- 前缀确认安全(ThinkPHP {$var} 默认转义,|raw 仅跳过HTML转义)
- Q2: 前端视角最小修复路径(spec_base 生成 + loadSoldSeats API)
- 更新行动项:P2 重构 submit() 接入 specBaseIdMap,P3 Hook 隐藏插件 SKU
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:25:06 +08:00
e2008e2778
council(draft): SecurityEngineer - Issue #9 Q3/Q4 analysis: \$vr- prefix LOW risk, recommend Plan A
...
- Q3: ThinkPHP View layer security audit complete
- parseVar regex breaks on hyphen: \$vr-场馆 → \$vr only
- Default htmlentities filter protects XSS
- \$vr- prefix spec names are LOW risk in all rendering paths
- Q4: Recommend Plan A (one SKU per seat) for security
- Native DB-level atomic inventory = lowest oversell risk
- Full ShopXO spec mechanism alignment
- Clear ticket traceability per SKU
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:22:58 +08:00
5a047936e6
council(draft): BackendArchitect - sync Q3/Q4 status (FrontendDev confirmed all)
...
- Q3 confirmed done by FrontendDev ($vr- prefix safe)
- Q4 confirmed done by FrontendDev (Plan A recommended)
- Updated analysis sections
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:22:37 +08:00
c2770e5e64
Merge branch 'council/BackendArchitect'
2026-04-15 19:21:13 +08:00
bdfcb80d8c
council(draft): BackendArchitect - Round 2 Q1/Q2 analysis (批量SKU生成路径 + 紧急修复)
...
Q1: ShopXO批量SKU生成必须旁路GoodsSpecificationsInsert(),
直接SQL INSERT三表(sxo_goods_spec_type/base/value)
Q2: 最小修复集 = UPDATE is_exist_many_spec + INSERT $vr- spec_type
Q4: 推荐方案A (每个座位=SKU, ShopXO原生防超卖)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:21:09 +08:00
b7bccf65c1
council(round2): FrontendDev - Issue #9 Q4 final analysis + $vr- security confirmation
...
- Q4: 明确推荐方案 A(每座=SKU),经代码验证
- 发现当前 ticket_detail.html submit() 是 Plan B 模式,specBaseIdMap 未接入
- Q3: $vr- 前缀确认安全(ThinkPHP {$var} 默认转义,|raw 仅跳过HTML转义)
- Q2: 前端视角最小修复路径(spec_base 生成 + loadSoldSeats API)
- 更新行动项:P2 重构 submit() 接入 specBaseIdMap,P3 Hook 隐藏插件 SKU
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:20:22 +08:00
0316a8101c
council(merge): FrontendDev - resolve conflict, merge Issue #9 combined plan
...
- Combine BackendArchitect skeleton + FrontendDev detailed analysis
- Add SecurityEngineer Q2/Q3/Q4 preliminary judgments
- Retain all Phase 2 audit results in plan
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:16:49 +08:00
d7ee522c41
council(merge): resolve conflict - merge all Phase 2 results + Issue #9 plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:15:33 +08:00
6b8f3ec0de
council(draft): FrontendDev - Issue #9 plan.md: 架构决策评议计划
...
Round 1 输出:
- Q1: 方案A批量SKU可行但需独立管理页面
- Q2: 最小修复集=Hook注入is_exist_many_spec=1
- Q3: $vr-前缀低风险,需实测确认前端渲染
- Q4: 推荐方案A(每座位=SKU),安全性+一致性优先
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:15:32 +08:00
85b1575a5c
council(merge): resolve conflict and merge Issue #9 plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:58 +08:00
f2dcd842dd
council(plan): BackendArchitect - add Issue #9 architecture decision plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:44 +08:00
d9493500fb
council(draft): SecurityEngineer - add Issue #9 architecture decision plan
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 19:14:39 +08:00
829564b019
docs: add SPEC_DESIGN_DECISION - architecture decision log for Issue #9
...
Records the core finding from P0-2 discussion:
- ShopXO SPEC system: multi-dimension cross-product generates SKUs
- Original design: each seat = SPEC, stock=1, ShopXO native oversell prevention
- Current implementation: zone-level spec_base_id, bypasses ShopXO validation
- Two architecture options documented, decision pending
2026-04-15 18:51:51 +08:00
098bcfe780
fix(P0): P0-1 idempotent ticket issuance, P0-3 XSS, P0-4 QR secret exception
...
P0-1: issueTicket() now checks for existing tickets by (order_id, spec_base_id)
before inserting. Prevents duplicate tickets on HTTP retry/multi-instance.
P0-3: Removed |raw from simple_desc and content in ticket_detail.html.
Prevents stored XSS via malicious admin content injection.
P0-4: getQrSecret() now throws exception if VR_TICKET_QR_SECRET is unset,
instead of falling back to insecure default key.
2026-04-15 16:59:22 +08:00
9171046435
fix(migration): add missing indexes + fix ALTER TABLE PDOStatement bug
...
- vr_tickets: add idx_created_at and idx_spec_base_id indexes
- vr_verifications: add idx_verified_at index
- fix PDOStatement+empty() bug → use rowCount() instead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 15:51:11 +08:00
5dcf4286c8
docs: add Phase 2 development log + research archive
...
- PHASE2_DEVELOPMENT_LOG.md: 完整交付物清单、修复记录、安全审计
- PHASE2_RESEARCH_ARCHIVE.md: Council 研究方向归档(BR-1~BR-5 / R-1~R-5 / FR-1~FR-5)
- .gitignore: 排除 .worktrees/ 目录
2026-04-15 14:59:30 +08:00
deacdedb01
council(execute): BackendArchitect - restore view files from merge conflict
...
Resolve Round 4 merge conflict by restoring verifier views and ticket
detail from commit 6f49b8355
2026-04-15 14:23:16 +08:00
59928d1196
Merge council/FrontendDev: complete admin views + export button fix
...
Resolves merge conflicts:
- Verifier.php: keep parent (CONCAT fix, fetch-then-map pattern)
- ticket/detail.html, verifier/list.html, verifier/save.html: stage as-is (no conflict markers)
2026-04-15 14:21:46 +08:00
b9ef6ef675
council(execute): BackendArchitect - fix Verification.php column() bug + S4 audit log design
...
- Fix Verification.php:55 - ThinkPHP column() does not support multi-field
mapping; replaced with select() + PHP foreach to build id-keyed array
- Add complete S4 audit log design to plan.md:
- vr_audit_log table already exists in EventListener.php
- AuditService interface design (log/getAdminContext/makeRequestId)
- Integration points table for all sensitive operations
- Append-only tamper-proof strategy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:20:14 +08:00
2a6d7bdbf7
council(execute): FrontendDev - Round 4: export button fix + mark Phase 2 complete
...
- Fix P1 bug: ticket/list.html export button (GET→POST form) matching IS_AJAX_POST
- Mark all plan.md tasks complete (seat templates, tickets, verifiers, verifications views)
- BackendArchitect: AuditService.php (S4 design), Verifier.php CONCAT fix, Verification.php column() fix
- BackendArchitect: SeatTemplate.php countSeats fix, TicketService.php transaction fix
- BackendArchitect: EventListener.php audit_log table added
- SecurityEngineer: S1-S5 security audit complete
- [CONSENSUS: YES] all three agents vote YES
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:20:03 +08:00
1d24075f4c
Merge council/BackendArchitect: add missing verifier views + fix Verifier.php CONCAT bug
2026-04-15 14:12:24 +08:00
255c8ed2bf
council(review): SecurityEngineer - Phase 2 security audit complete + P1 Verifier.php fix
...
Security audit findings (Task S1/S2/S3/S5 done):
- Task S1: Admin auth chain verified (Base extends Common OK)
- Task S2: SQL injection audit complete (no injection, P1 code bug found)
- FIXED: Verifier.php:45 CONCAT column() syntax error → select()+PHP concat
- Task S3: XSS/CSRF audit complete (no risk in admin context)
- Task S5: IDOR audit complete (admin context acceptable)
- Task S4 (audit log design): still pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:43 +08:00
8ca3b2d67b
council(execute): FrontendDev - merge Round 3 view files to main
...
FrontendDev Round 3 deliverables:
- All 7 admin view files (new + URL fixes)
- Resolve plan.md conflict: keep merged version + add Round 3 summary
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:36 +08:00
6f49b8355c
council(execute): BackendArchitect - add missing verifier views + fix CONCAT bug in Verifier.php
...
Round 3 completed:
- NEW: verifier/list.html (Layui table + search + enable/disable)
- NEW: verifier/save.html (user select + name + status form)
- NEW: ticket/detail.html (QR code + manual verify form)
- FIX: Verifier.php CONCAT column() → select() + PHP concat (P1)
- FIX: Ticket.php detail() adds $verifiers list for detail.html
- UPDATE: plan.md marks B1~B5 Done, S1~S5 pending SecurityEngineer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:11:35 +08:00
649ae484e8
council(execute): FrontendDev - Round 3: complete all admin view files
...
- Fix all MyUrl() → PluginsAdminUrl() in seat_template/list.html, save.html
- Fix ticket/list.html + verification/list.html URLs
- Create ticket/detail.html (QR code, ticket info, goods/verifier linkage)
- Create verifier/list.html (search, status filter, disable)
- Create verifier/save.html (user select, name, status toggle)
- Update plan.md task status
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:10:33 +08:00
a604c81b5a
council(review): SecurityEngineer - Phase 2 security audit report (S1/S2/S3/S5 complete)
...
- Task S1: Admin auth chain verified — Base extends Common OK
- Task S2: SQL injection audit complete — no injection found
- NEW P1 bug: Verifier.php:45 CONCAT column() syntax error (needs PHP fix)
- Task S3: XSS/CSRF audit complete — no risk in admin context
- Task S5: IDOR audit complete — admin context acceptable
- Task S4 (audit log design) remains pending
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:09:41 +08:00
75510529b3
Merge branch 'council/BackendArchitect'
2026-04-15 14:03:13 +08:00
b768d34dff
council(execute): BackendArchitect - fix P0/P1 blocking issues in Phase 2
...
[P0] Fix plugin Base controller to extend ShopXO Common class:
- Now extends Common instead of standalone class
- Automatically gets IsLogin() + IsPower() + ViewInit()
- All child controllers (SeatTemplate/Ticket/Verifier/Verification) inherit fix
[P1] Fix code bugs found during codebase analysis:
- Verifier.php: column('nickname|username', 'id') → CONCAT SQL (syntax error)
- SeatTemplate.php: countSeats() wrong logic (count × rows → per-row scan)
- Ticket.php: verify() returned view on POST → always JSON
- Ticket.php: detail() returned view on error → JSON
- SeatTemplate.php: delete() returned view on POST → JSON, plus soft-delete
[P1] Fix verifyTicket() in TicketService:
- Wrap in Db::transaction() for atomicity
- Add SELECT ... FOR UPDATE pessimistic lock to prevent double-verify
- Add try/catch with error logging
[P2] Fix export() memory issue:
- Replace select() with cursor() to avoid OOM on large datasets
Also: update plan.md with Round 2 findings, claim Task B1/B2/B3/B5
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:03:00 +08:00
aeb3f9d353
fix(P0): vr_ticket Base - inherit ShopXO Common for full auth chain
...
- Change plugin Base from standalone to extend Common
- Call IsLogin() + IsPower() + FormTableInit() explicitly (avoids
full ViewInit which is unnecessary for API/admin controllers)
- Documents permission node format: plugins_vr_ticket-{controller}-{action}
- Fixes R1 P0: bypassed auth chain (only LoginInfo, missing IsPower)
- Also fixes all child controllers since they call parent::__construct()
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 14:00:20 +08:00
ecfb21faad
council(draft): BackendArchitect - merge plan.md from main, resolve conflict with latest version
2026-04-15 13:58:44 +08:00
1c4454723d
council(draft): BackendArchitect - add backend research directions (BR-1~BR-5) to merged plan
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:56:15 +08:00
8b5ec70bc8
council(draft): FrontendDev - merge SecurityEngineer + FrontendDev plan.md, resolve conflicts
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:55:02 +08:00
b9f3414e3c
council(draft): FrontendDev - create plan.md with Phase 2 research directions
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:48 +08:00
896df3210e
council(draft): BackendArchitect - create Phase 2 research plan with backend direction list
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:44 +08:00
a92cafe33c
council(draft): SecurityEngineer - create plan.md with Phase 2 security research directions
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 13:53:39 +08:00
Council