Publecto — Foundation Console

● Operational
Platform Status
Version
0.1.0-alpha
Environment
local
Status
ok
Timestamp
2026-07-19T06:39:13+00:00
Request ID
0db808fb-ab9f-4d17-b034-598e325dddee
Architecture
Foundation-first modular monolith (PHP/MySQL)
Owner
Quantum Leap Innovations, LLC
Website
https://publecto.qlidemo.com
Foundation Boundary Status
Wave 001 implementation state — boundary-layer primitives
Request ID / X-Request-ID
UUID v4 per-request; emitted as X-Request-ID header and included in JSON error envelopes.
Implemented
Route Classification
RouteClassification enum; all 5 routes carry RouteDefinition metadata.
Implemented
JSON Error Envelope
Stable shape: {"error":{"code":"...","message":"...","request_id":"..."}}
Implemented
Debug-Aware ErrorBoundary
Global exception/error handler; debug detail gated by app.debug config flag.
Implemented
Safe 404 Behavior
HTML 404 for browser routes; JSON error envelope for /api/* routes.
Implemented
XAMPP / Apache Baseline
Subdirectory-aware URI normalization; verified under Apache at /publecto.com/public/.
Implemented
Verification Baseline — Wave 001 106 tests / 174 assertions — all passing
Verified
Current Verification 546 tests / 1780 assertions — all passing
Verified
Deferred — Wave 002:
Identity (users table, login, registration) Session management CSRF protection ACL v1 (roles, permissions, route enforcement)
Registered Routes
Method, path, classification, and operation identity
Method Path Classification Operation ID Response Status
GET / Public getHome html active
GET /status Public getStatus html active
GET /ui-demo Public getUiDemo html active
GET /health Public getHealth json active
GET /api/v1/health v1 Public getApiHealth json active
GET /login Public getLogin html active
POST /login Public postLogin html active
POST /logout Authenticated postLogout html active
GET /app Authenticated getApp html active
GET /admin/security Permissioned getAdminSecurity html active
GET /admin/security/users Permissioned getAdminSecurityUsers html active
GET /admin/security/roles Permissioned getAdminSecurityRoles html active
GET /admin/security/assignments Permissioned getAdminSecurityAssignments html active
POST /admin/security/assignments Permissioned postAdminSecurityAssignRole html active
POST /admin/security/assignments/revoke Permissioned postAdminSecurityRevokeRole html active
GET /api/v1/admin/security/users v1 Permissioned getApiAdminUsers json active
GET /api/v1/admin/security/roles v1 Permissioned getApiAdminRoles json active
GET /api/v1/admin/security/permissions v1 Permissioned getApiAdminPermissions json active
GET /api/v1/admin/security/assignments v1 Permissioned getApiAdminAssignments json active
GET /admin/runtime-readiness Permissioned getAdminRuntimeReadiness html active
GET /api/v1/admin/runtime-readiness v1 Permissioned getApiAdminRuntimeReadiness json active
GET /admin/sites Permissioned getAdminSites html active
GET /admin/sites/create Permissioned getAdminSitesCreate html active
POST /admin/sites Permissioned postAdminSites html active
GET /admin/sites/edit Permissioned getAdminSitesEdit html active
POST /admin/sites/update Permissioned postAdminSitesUpdate html active
GET /api/v1/admin/sites v1 Permissioned getApiAdminSites json active
Available Endpoints
  • GET
    /
    Foundation console / home (HTML)
    Open ↗
  • GET
    /status
    Platform status — boundary-layer facts (HTML)
    Open ↗
  • GET
    /ui-demo
    UI Design System demo page (HTML)
    Open ↗
  • GET
    /health
    Plain health check (JSON: {status: ok})
    Open ↗
  • GET
    /api/v1/health
    API health — project, status, version, env, timestamp (JSON v1)
    Open ↗
  • GET
    /login
    Login page (HTML)
    Open ↗
  • POST
    /login
    Login form submission — CSRF enforced (HTML redirect)
    Open ↗
  • POST
    /logout
    Logout — session destroy, CSRF enforced (redirect)
    Open ↗
  • GET
    /app
    Authenticated application shell (HTML, session required)
    Open ↗
  • GET
    /admin/security
    Admin Security Console — overview (HTML, users.manage permission)
    Open ↗
  • GET
    /admin/security/users
    Admin user listing (HTML, users.manage permission)
    Open ↗
  • GET
    /admin/security/roles
    Admin role/permission listing (HTML, settings.manage permission)
    Open ↗
  • GET
    /admin/security/assignments
    Admin role assignments — list + assign form (HTML, roles.assign permission)
    Open ↗
  • POST
    /admin/security/assignments
    Assign a role — CSRF enforced, audit-logged (redirect, roles.assign permission)
    Open ↗
  • POST
    /admin/security/assignments/revoke
    Revoke a role assignment — CSRF enforced, audit-logged (redirect, roles.assign permission)
    Open ↗
  • GET
    /api/v1/admin/security/users
    Admin API — list users (JSON v1, users.manage permission)
    Open ↗
  • GET
    /api/v1/admin/security/roles
    Admin API — list roles (JSON v1, settings.manage permission)
    Open ↗
  • GET
    /api/v1/admin/security/permissions
    Admin API — list permissions (JSON v1, settings.manage permission)
    Open ↗
  • GET
    /api/v1/admin/security/assignments
    Admin API — list role assignments (JSON v1, roles.assign permission)
    Open ↗
  • GET
    /admin/runtime-readiness
    Admin Runtime Readiness Console — read-only health overview (HTML, settings.manage permission)
    Open ↗
  • GET
    /api/v1/admin/runtime-readiness
    Admin API — runtime readiness payload (JSON v1, settings.manage permission)
    Open ↗
  • GET
    /admin/sites
    Admin Sites — site registry list (HTML, sites.manage permission)
    Open ↗
  • GET
    /admin/sites/create
    Admin Sites — create site form (HTML, sites.manage permission)
    Open ↗
  • POST
    /admin/sites
    Admin Sites — store new site, CSRF enforced, audit-logged (redirect, sites.manage permission)
    Open ↗
  • GET
    /admin/sites/edit
    Admin Sites — edit site form ?uuid=... (HTML, sites.manage permission)
    Open ↗
  • POST
    /admin/sites/update
    Admin Sites — update site, CSRF enforced, audit-logged (redirect, sites.manage permission)
    Open ↗
  • GET
    /api/v1/admin/sites
    Admin API — list sites (JSON v1, sites.manage permission)
    Open ↗
API Response Preview

GET /api/v1/health returns: /api/v1/health

{
    "project": "Publecto",
    "status": "ok",
    "version": "0.1.0-alpha",
    "environment": "local",
    "timestamp": "2026-07-19T06:39:13+00:00"
}

404 JSON error envelope /api/v1/not-found

{
    "error": {
        "code": "not_found",
        "message": "The requested resource was not found.",
        "request_id": "0db808fb-ab9f-4d17-b034-598e325dddee"
    }
}
Wave 002A — Security Data Substrate
Identity/ACL foundation scaffolds — not yet active
Database Connection Layer Lazy PDO wrapper; wraps errors to avoid credential leaks. Scaffolded
Migration Runner Discovers, applies, and rolls back ordered migration files. Scaffolded
Security Schema (users, roles, permissions, sessions, audit) Five migration files exist; apply with: php scripts/migrate.php run Pending Migration
Password Hashing (bcrypt cost 12) Wraps password_hash / password_verify; never stores plaintext. Scaffolded
Session Manager Sets HttpOnly, SameSite=Lax, strict mode; not injected into routes yet. Scaffolded
CSRF Token Service Generates / validates tokens via $_SESSION; no DB table needed. Scaffolded
Authorization Decision Model Immutable value object. AuthorizationService always denies in Wave 002A. Scaffolded
Audit Event Scaffold AuditEvent value object + NullAuditEventWriter (in-memory). DB writer deferred. Scaffolded
Deferred to Wave 002B / 002C
  • deferred Login / logout flow
  • deferred ACL enforcement on routes
  • deferred Admin shell UI
  • deferred Protected route guards
Wave 002B — Auth, Session Lifecycle & Route Guards
Login/logout, CSRF enforcement, DB-backed authorization, DB audit writer
DB Audit Event Writer Writes AuditEvent records to audit_events table. Fail-safe: never throws on DB error. Active
DB-Backed Authorization Queries role_assignments → role_permissions → permissions. Deny-by-default preserved. Active
Authentication Service login() and logout() against users table. Session fixation prevention via regenerate(). Active
Route Guard Enforces session auth for Authenticated/Permissioned/Privileged routes; enforces CSRF on all mutating routes. Active
Login / Logout Routes GET /login, POST /login, POST /logout, GET /app — wired into Application kernel. Active
CSRF Token Enforcement All non-GET routes except Internal/DevOnly validated via _csrf_token hidden field. Active
Session Lifecycle Management Lazy start: session only opened for auth/CSRF routes. Regenerate on login. Destroy on logout. Active
Bootstrap Admin CLI scripts/bootstrap-admin.php — creates platform_admin user. Refuses APP_ENV=production. Active
Deferred to Wave 002C / 003
  • deferred Password reset flow
  • deferred Multi-factor authentication
  • deferred API tokens / machine credentials
  • deferred Admin impersonation
Wave 002C — Admin Security Console
User management, role/permission visibility, role assignment foundation
Admin Security Console GET /admin/security — overview with user/role/assignment counts. Active
User Listing GET /admin/security/users — lists users; password_hash never exposed. Active
Role/Permission Visibility GET /admin/security/roles — lists roles and all platform permissions. Active
Role Assignment Actions POST /admin/security/assignments — assign and revoke; CSRF-protected; audit-logged. Active
Admin UI Professional admin views with navigation integration. Active
Admin JSON API GET /api/v1/admin/security/{users|roles|permissions|assignments} — JSON endpoints. Active
Deferred to Wave 003+
  • deferred Password reset flow
  • deferred Self-service registration
  • deferred Multi-factor authentication
  • deferred API tokens / machine credentials
  • deferred Admin impersonation
  • deferred Content management modules
  • deferred Tenant/site management UI
Next Foundation Slices
Planned — not yet implemented
Identity, Security & ACL v1 Planned

Accounts, sessions, permissions, and ACL — implemented before content management.

Database Connection & Migrations Planned

Connection abstraction, schema migration runner, and data-layer baseline.

Site Registry Foundation Planned

Multi-site registry, domain resolution, and per-site context.

Admin Shell Planned

Minimal server-rendered admin interface and authenticated navigation.