Publecto — Foundation Console
Platform Status
- Version
0.1.0-alpha- Environment
local- Status
- ok
- Timestamp
- 2026-07-19T06:39:13+00:00
- Request ID
- 0db808fb-ab9f-4d17-b034-598e325dddee
- Architecture
- Foundation-first modular monolith (PHP/MySQL)
- Owner
- Quantum Leap Innovations, LLC
- Website
- https://publecto.qlidemo.com
Foundation Boundary Status
Wave 001 implementation state — boundary-layer primitives
Request ID / X-Request-ID
UUID v4 per-request; emitted as X-Request-ID header and included in JSON error envelopes.
Route Classification
RouteClassification enum; all 5 routes carry RouteDefinition metadata.
JSON Error Envelope
Stable shape: {"error":{"code":"...","message":"...","request_id":"..."}}
Debug-Aware ErrorBoundary
Global exception/error handler; debug detail gated by app.debug config flag.
Safe 404 Behavior
HTML 404 for browser routes; JSON error envelope for /api/* routes.
XAMPP / Apache Baseline
Subdirectory-aware URI normalization; verified under Apache at /publecto.com/public/.
Verification Baseline — Wave 001
106 tests / 174 assertions — all passing
Verified
Current Verification
546 tests / 1780 assertions — all passing
Verified
Deferred — Wave 002:
Identity (users table, login, registration)
Session management
CSRF protection
ACL v1 (roles, permissions, route enforcement)
Registered Routes
Method, path, classification, and operation identity
| Method | Path | Classification | Operation ID | Response | Status |
|---|---|---|---|---|---|
| GET | / | Public | getHome | html | active |
| GET | /status | Public | getStatus | html | active |
| GET | /ui-demo | Public | getUiDemo | html | active |
| GET | /health | Public | getHealth | json | active |
| GET | /api/v1/health v1 | Public | getApiHealth | json | active |
| GET | /login | Public | getLogin | html | active |
| POST | /login | Public | postLogin | html | active |
| POST | /logout | Authenticated | postLogout | html | active |
| GET | /app | Authenticated | getApp | html | active |
| GET | /admin/security | Permissioned | getAdminSecurity | html | active |
| GET | /admin/security/users | Permissioned | getAdminSecurityUsers | html | active |
| GET | /admin/security/roles | Permissioned | getAdminSecurityRoles | html | active |
| GET | /admin/security/assignments | Permissioned | getAdminSecurityAssignments | html | active |
| POST | /admin/security/assignments | Permissioned | postAdminSecurityAssignRole | html | active |
| POST | /admin/security/assignments/revoke | Permissioned | postAdminSecurityRevokeRole | html | active |
| GET | /api/v1/admin/security/users v1 | Permissioned | getApiAdminUsers | json | active |
| GET | /api/v1/admin/security/roles v1 | Permissioned | getApiAdminRoles | json | active |
| GET | /api/v1/admin/security/permissions v1 | Permissioned | getApiAdminPermissions | json | active |
| GET | /api/v1/admin/security/assignments v1 | Permissioned | getApiAdminAssignments | json | active |
| GET | /admin/runtime-readiness | Permissioned | getAdminRuntimeReadiness | html | active |
| GET | /api/v1/admin/runtime-readiness v1 | Permissioned | getApiAdminRuntimeReadiness | json | active |
| GET | /admin/sites | Permissioned | getAdminSites | html | active |
| GET | /admin/sites/create | Permissioned | getAdminSitesCreate | html | active |
| POST | /admin/sites | Permissioned | postAdminSites | html | active |
| GET | /admin/sites/edit | Permissioned | getAdminSitesEdit | html | active |
| POST | /admin/sites/update | Permissioned | postAdminSitesUpdate | html | active |
| GET | /api/v1/admin/sites v1 | Permissioned | getApiAdminSites | json | active |
Available Endpoints
-
GET
Open ↗/Foundation console / home (HTML)
-
GET
Open ↗/statusPlatform status — boundary-layer facts (HTML)
-
GET
Open ↗/ui-demoUI Design System demo page (HTML)
-
GET
Open ↗/healthPlain health check (JSON: {status: ok})
-
GET
Open ↗/api/v1/healthAPI health — project, status, version, env, timestamp (JSON v1)
-
GET
Open ↗/loginLogin page (HTML)
-
POST
Open ↗/loginLogin form submission — CSRF enforced (HTML redirect)
-
POST
Open ↗/logoutLogout — session destroy, CSRF enforced (redirect)
-
GET
Open ↗/appAuthenticated application shell (HTML, session required)
-
GET
Open ↗/admin/securityAdmin Security Console — overview (HTML, users.manage permission)
-
GET
Open ↗/admin/security/usersAdmin user listing (HTML, users.manage permission)
-
GET
Open ↗/admin/security/rolesAdmin role/permission listing (HTML, settings.manage permission)
-
GET
Open ↗/admin/security/assignmentsAdmin role assignments — list + assign form (HTML, roles.assign permission)
-
POST
Open ↗/admin/security/assignmentsAssign a role — CSRF enforced, audit-logged (redirect, roles.assign permission)
-
POST
Open ↗/admin/security/assignments/revokeRevoke a role assignment — CSRF enforced, audit-logged (redirect, roles.assign permission)
-
GET
Open ↗/api/v1/admin/security/usersAdmin API — list users (JSON v1, users.manage permission)
-
GET
Open ↗/api/v1/admin/security/rolesAdmin API — list roles (JSON v1, settings.manage permission)
-
GET
Open ↗/api/v1/admin/security/permissionsAdmin API — list permissions (JSON v1, settings.manage permission)
-
GET
Open ↗/api/v1/admin/security/assignmentsAdmin API — list role assignments (JSON v1, roles.assign permission)
-
GET
Open ↗/admin/runtime-readinessAdmin Runtime Readiness Console — read-only health overview (HTML, settings.manage permission)
-
GET
Open ↗/api/v1/admin/runtime-readinessAdmin API — runtime readiness payload (JSON v1, settings.manage permission)
-
GET
Open ↗/admin/sitesAdmin Sites — site registry list (HTML, sites.manage permission)
-
GET
Open ↗/admin/sites/createAdmin Sites — create site form (HTML, sites.manage permission)
-
POST
Open ↗/admin/sitesAdmin Sites — store new site, CSRF enforced, audit-logged (redirect, sites.manage permission)
-
GET
Open ↗/admin/sites/editAdmin Sites — edit site form ?uuid=... (HTML, sites.manage permission)
-
POST
Open ↗/admin/sites/updateAdmin Sites — update site, CSRF enforced, audit-logged (redirect, sites.manage permission)
-
GET
Open ↗/api/v1/admin/sitesAdmin API — list sites (JSON v1, sites.manage permission)
API Response Preview
GET /api/v1/health returns: /api/v1/health
{
"project": "Publecto",
"status": "ok",
"version": "0.1.0-alpha",
"environment": "local",
"timestamp": "2026-07-19T06:39:13+00:00"
}
404 JSON error envelope /api/v1/not-found
{
"error": {
"code": "not_found",
"message": "The requested resource was not found.",
"request_id": "0db808fb-ab9f-4d17-b034-598e325dddee"
}
}
Wave 002A — Security Data Substrate
Identity/ACL foundation scaffolds — not yet active
Database Connection Layer
Lazy PDO wrapper; wraps errors to avoid credential leaks.
Scaffolded
Migration Runner
Discovers, applies, and rolls back ordered migration files.
Scaffolded
Security Schema (users, roles, permissions, sessions, audit)
Five migration files exist; apply with: php scripts/migrate.php run
Pending Migration
Password Hashing (bcrypt cost 12)
Wraps password_hash / password_verify; never stores plaintext.
Scaffolded
Session Manager
Sets HttpOnly, SameSite=Lax, strict mode; not injected into routes yet.
Scaffolded
CSRF Token Service
Generates / validates tokens via $_SESSION; no DB table needed.
Scaffolded
Authorization Decision Model
Immutable value object. AuthorizationService always denies in Wave 002A.
Scaffolded
Audit Event Scaffold
AuditEvent value object + NullAuditEventWriter (in-memory). DB writer deferred.
Scaffolded
Deferred to Wave 002B / 002C
- deferred Login / logout flow
- deferred ACL enforcement on routes
- deferred Admin shell UI
- deferred Protected route guards
Wave 002B — Auth, Session Lifecycle & Route Guards
Login/logout, CSRF enforcement, DB-backed authorization, DB audit writer
DB Audit Event Writer
Writes AuditEvent records to audit_events table. Fail-safe: never throws on DB error.
Active
DB-Backed Authorization
Queries role_assignments → role_permissions → permissions. Deny-by-default preserved.
Active
Authentication Service
login() and logout() against users table. Session fixation prevention via regenerate().
Active
Route Guard
Enforces session auth for Authenticated/Permissioned/Privileged routes; enforces CSRF on all mutating routes.
Active
Login / Logout Routes
GET /login, POST /login, POST /logout, GET /app — wired into Application kernel.
Active
CSRF Token Enforcement
All non-GET routes except Internal/DevOnly validated via _csrf_token hidden field.
Active
Session Lifecycle Management
Lazy start: session only opened for auth/CSRF routes. Regenerate on login. Destroy on logout.
Active
Bootstrap Admin CLI
scripts/bootstrap-admin.php — creates platform_admin user. Refuses APP_ENV=production.
Active
Deferred to Wave 002C / 003
- deferred Password reset flow
- deferred Multi-factor authentication
- deferred API tokens / machine credentials
- deferred Admin impersonation
Wave 002C — Admin Security Console
User management, role/permission visibility, role assignment foundation
Admin Security Console
GET /admin/security — overview with user/role/assignment counts.
Active
User Listing
GET /admin/security/users — lists users; password_hash never exposed.
Active
Role/Permission Visibility
GET /admin/security/roles — lists roles and all platform permissions.
Active
Role Assignment Actions
POST /admin/security/assignments — assign and revoke; CSRF-protected; audit-logged.
Active
Admin UI
Professional admin views with navigation integration.
Active
Admin JSON API
GET /api/v1/admin/security/{users|roles|permissions|assignments} — JSON endpoints.
Active
Deferred to Wave 003+
- deferred Password reset flow
- deferred Self-service registration
- deferred Multi-factor authentication
- deferred API tokens / machine credentials
- deferred Admin impersonation
- deferred Content management modules
- deferred Tenant/site management UI
Next Foundation Slices
Planned — not yet implemented
Identity, Security & ACL v1
Planned
Accounts, sessions, permissions, and ACL — implemented before content management.
Database Connection & Migrations
Planned
Connection abstraction, schema migration runner, and data-layer baseline.
Site Registry Foundation
Planned
Multi-site registry, domain resolution, and per-site context.
Admin Shell
Planned
Minimal server-rendered admin interface and authenticated navigation.