3.4 KiB
3.4 KiB
ServerManager — AGENTS.md
Repo-specific guidance for OpenCode sessions. Verified against code.
Stack
- PHP 8.3+, custom MVC (not Laravel), MySQL/MariaDB, phpseclib 3.0, phpdotenv
- Autoload: PSR-4
ServerManager\→src/;src/Helpers/functions.phpauto-loaded - Android companion app at
android/(Jetpack Compose, Material3, Retrofit, Kotlinx Serialization)
Entry point
public/index.php → App::boot() → App::run() → Router::dispatch()
Commands
composer install— install deps (no dev deps incomposer.json)php bin/generate-key.php— generate master key at/etc/servermanager/master.keyphp bin/monitor.php— collect server metrics (runs via cron every minute)sudo bash install.sh— full Ubuntu 22.04+/24.04+ install (needs sudo)mysql servermanager < database/migrations/001_initial_schema.sql— db setupexport ANDROID_HOME=/opt/android-sdk && cd android && ./gradlew assembleDebug— build APK →public/sysadmin.apk
Non-obvious conventions
- Route params use
:idsyntax (/servers/:id), not{id}. Patterns::id→(\d+),:slug→([a-zA-Z0-9\-]+) - Router supports method spoofing via
_methodPOST field - Session name is
SM_SESSION; sessions stored server-side insessionstable - View engine: custom PHP templates (
extract()+include), not Twig/Blade - SSH credentials encrypted with AES-256-CBC; master key at
/etc/servermanager/master.key vendor/is properly gitignored now (/vendor/in.gitignore, no leading space)- Android build outputs ignored:
android/.gradle/,android/build/,android/app/build/,android/local.properties - Bump
versionCodeandversionNameinandroid/app/build.gradle.ktson every code change to the Android app
Backend gotchas
View::json()has: neverreturn type — callsexitimmediately. Do not put code after it expecting to run.AuditService::log(string $action, string $entityType, ?int $entityId, ?array $details = null, ?array $metadata = null)— requires 3 positional args minimum. Calling with 2 args causes Error 500.RoleMiddlewaredefaults to'admin'required level. Hierarchy:super_admin(3) >admin(2) >operator(1).- Role helper functions in views:
is_super_admin(),is_admin(),is_operator() - CSRF: middleware checks
$_POST['_csrf_token']then$_SERVER['HTTP_X_CSRF_TOKEN']. Token expiry 7200s default. - API routes have no middleware (auth is manual via
$this->authenticateRequest()in controller). Web routes useAuthMiddleware/RoleMiddleware/CSRFMiddleware. - Admin group routes (
/admin/*) already includeAuthMiddleware+RoleMiddleware; individual routes addCSRFMiddleware. - Rate limiting on
POST /loginonly (viaRateLimitMiddleware) - Every credential access must be logged at
warninglevel viaAuditService
Database
- Migrations run manually:
mysql servermanager < database/migrations/NNN_name.sql - 5 migrations:
001_initial_schema,002_server_access,003_teams,004_soft_deletes,005_app_config_and_notifications - Users table has
roleENUM:super_admin,admin,operator api_tokencolumn on users for Bearer token auth
Testing / CI
- No tests, no CI, no linter, no formatter, no typechecker exist in this repo
Notable missing files
.env.exampledoes NOT exist (referenced incomposer.jsonpost-install-cmd but missing from repo)- No Makefile, Dockerfile, or CI workflows