ben
9f4667fbb4
Comprehensive code review using GPT-5, Gemini 3, Kimi K2.5, and Zen MCP tools across 11 critical files (~9,000 lines). Identified and fixed issues by consensus prioritization. CRITICAL fixes: - Strip passwords from transients in registration error handling - Rewrite O(3600) token verification loop to O(1) with embedded timestamp HIGH fixes: - Replace remove_all_actions() with targeted hook removal (breaks WP isolation) - Prefer wp-config.php constant for encryption key storage - Add revocation check before generating certificate download URLs - Fix security headers condition to apply to AJAX requests - Add zoho-config.php to .gitignore MEDIUM fixes: - IP spoofing: only trust proxy headers when behind configured trusted proxies - Remove unsafe-eval from CSP (keep unsafe-inline for compatibility) - Remove duplicate Master Trainer component initialization - Remove file-scope side-effect initialization in profile manager - Use WordPress current_time() for consistent timezone in cert numbers Validated as non-issues: - Path traversal (token-based system prevents) - SQL injection (proper $wpdb->prepare throughout) - OAuth CSRF (correctly implemented with hash_equals) All 7 modified PHP files pass syntax validation (php -l). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
257 lines
No EOL
4.8 KiB
Text
257 lines
No EOL
4.8 KiB
Text
# Ignore everything by default
|
|
# *
|
|
!.gitignore
|
|
!.gitattributes
|
|
|
|
# Development Environment - whitelist approach
|
|
!/wordpress-dev/
|
|
/wordpress-dev/*
|
|
|
|
# Scripts directory
|
|
!/scripts/
|
|
/scripts/*
|
|
!/scripts/*.sh
|
|
|
|
# Bin directory - Data seeding and testing scripts
|
|
!/bin/
|
|
/bin/*
|
|
!/bin/create-comprehensive-test-data.sh
|
|
!/bin/create-staging-test-data.sh
|
|
!/bin/create-complete-test-data.sh
|
|
!/bin/create-test-attendees.sh
|
|
!/bin/create-test-attendees-simple.sh
|
|
!/bin/enhance-test-data-revenue.sh
|
|
!/bin/fix-and-create-test-data.sh
|
|
!/bin/debug-attendee-data.sh
|
|
|
|
# Plugin files
|
|
!hvac-community-events.php
|
|
!/includes/
|
|
/includes/*
|
|
!/includes/admin/
|
|
!/includes/zoho/
|
|
!/includes/**/*.php
|
|
!/templates/
|
|
/templates/*
|
|
!/templates/**/*.php
|
|
!/assets/
|
|
/assets/*
|
|
!/assets/css/
|
|
/assets/css/*
|
|
!/assets/css/*.css
|
|
!/assets/js/
|
|
/assets/js/*
|
|
!/assets/js/*.js
|
|
!/assets/images/
|
|
/assets/images/*
|
|
!/assets/images/*.png
|
|
!/assets/images/*.jpg
|
|
!/assets/images/*.jpeg
|
|
!/assets/images/*.gif
|
|
!/assets/images/*.svg
|
|
!/assets/images/*.ico
|
|
!/wordpress-dev/tests/
|
|
/wordpress-dev/tests/*
|
|
!/wordpress-dev/tests/e2e/
|
|
/wordpress-dev/tests/e2e/*
|
|
!/wordpress-dev/tests/e2e/*.spec.ts
|
|
!/wordpress-dev/tests/e2e/*.test.ts
|
|
!/wordpress-dev/tests/e2e/pages/
|
|
!/wordpress-dev/tests/e2e/pages/*.ts
|
|
!/wordpress-dev/tests/e2e/utils/
|
|
!/wordpress-dev/tests/e2e/utils/*.ts
|
|
!/wordpress-dev/tests/e2e/data/
|
|
!/wordpress-dev/tests/e2e/data/*.ts
|
|
!/wordpress-dev/tests/e2e/global-setup.ts
|
|
!/wordpress-dev/tests/e2e/global-teardown.ts
|
|
!/wordpress-dev/includes/
|
|
!/wordpress-dev/bin/
|
|
/wordpress-dev/bin/*
|
|
!/wordpress-dev/bin/*.sh
|
|
!/wordpress-dev/bin/*.php
|
|
!/wordpress-dev/bin/*.json
|
|
!/wordpress-dev/bin/wp-tests-config-staging.php
|
|
/wordpress-dev/bin/backups/ # Explicitly ignore all backup directories
|
|
!/wordpress-dev/composer.json
|
|
!/wordpress-dev/composer.lock
|
|
!/wordpress-dev/package.json
|
|
!/wordpress-dev/package-lock.json
|
|
!/wordpress-dev/phpunit.xml.dist
|
|
!/wordpress-dev/playwright.config.ts
|
|
!/wordpress-dev/tsconfig.json
|
|
!/wordpress-dev/README.md
|
|
!/wordpress-dev/MIGRATION_GUIDE.md
|
|
!/wordpress-dev/ZOHO-INTEGRATION-SUMMARY.md
|
|
!/wordpress-dev/ZOHO-STAGING-TEST-RESULTS.md
|
|
!/wordpress-dev/ZOHO-OAUTH-SETUP.md
|
|
!/wordpress-dev/WORDPRESS-ADMIN-ACCESS.md
|
|
|
|
# HVAC Community Events Plugin
|
|
!/wordpress-dev/wordpress/
|
|
/wordpress-dev/wordpress/*
|
|
!/wordpress-dev/wordpress/wp-content/
|
|
/wordpress-dev/wordpress/wp-content/*
|
|
!/wordpress-dev/wordpress/wp-content/plugins/
|
|
/wordpress-dev/wordpress/wp-content/plugins/*
|
|
!/wordpress-dev/wordpress/wp-content/plugins/hvac-community-events/
|
|
!/wordpress-dev/wordpress/wp-content/plugins/hvac-community-events/**
|
|
|
|
# Test files
|
|
# **/test-results/
|
|
# **/playwright-report/
|
|
# **/.phpunit.result.cache
|
|
# **/node_modules/
|
|
# **/vendor/
|
|
# **/screenshots/
|
|
# **/videos/
|
|
# **/traces/
|
|
|
|
# Documentation
|
|
!/docs/
|
|
/docs/*
|
|
!/docs/*.md
|
|
!/docs/00_*.md
|
|
/docs/scraped/
|
|
/docs/archive/
|
|
|
|
# Root-level documentation and reports
|
|
!*_TEST_REPORT.md
|
|
!*_SUMMARY.md
|
|
!*_GUIDE.md
|
|
!*_RESULTS.md
|
|
!*_INSTRUCTIONS.md
|
|
!*_AUDIT*.md
|
|
!*DEPLOYMENT*.md
|
|
!*COVERAGE*.md
|
|
!*CRITICAL*.md
|
|
!*FINAL*.md
|
|
!*SECURITY*.md
|
|
!*MONITORING*.md
|
|
!*MOBILE*.md
|
|
!*CROSS-BROWSER*.md
|
|
!*CSS-ANALYSIS*.md
|
|
!*ROADMAP*.md
|
|
!WORKFLOW*.md
|
|
!TRANSITION*.md
|
|
!POWERMAPPER*.md
|
|
|
|
# Development and Debug Files
|
|
!test-*.js
|
|
!verify-*.js
|
|
!debug-*.js
|
|
!mobile-*.js
|
|
!comprehensive-*.js
|
|
!fix-*.js
|
|
!enhanced-*.js
|
|
!*-analysis.js
|
|
!debug-*.php
|
|
!test-*.php
|
|
!enhanced-*.php
|
|
!manual-*.php
|
|
!*-analysis.php
|
|
!check-*.sh
|
|
!verify-*.sh
|
|
!fix-*.sh
|
|
!update-*.sh
|
|
!migrate-*.sh
|
|
!create-*.sh
|
|
!manual-*.sh
|
|
!debug-*.sh
|
|
!*-analysis.sh
|
|
|
|
# Tests directory
|
|
!/tests/
|
|
/tests/*
|
|
!/tests/**/*.js
|
|
!/tests/**/*.php
|
|
!/tests/**/*.yml
|
|
!/tests/**/*.md
|
|
!/tests/**/*.json
|
|
!/tests/**/*.config.*
|
|
|
|
# Data Files
|
|
!*.csv
|
|
!CSV_*.csv
|
|
|
|
# WordPress
|
|
!/wp-content/
|
|
/wp-content/*
|
|
!/wp-content/plugins/
|
|
|
|
# Security - Sensitive Files (CRITICAL SECURITY)
|
|
# .env
|
|
.env.*
|
|
# *.env
|
|
# **/.env
|
|
# **/.env.*
|
|
.auth/
|
|
# **/.auth/
|
|
**/zoho-config.php
|
|
# **/wp-config.php
|
|
# **/wp-tests-config*.php
|
|
memory-bank/mcpServers.md
|
|
# **/*config*.php
|
|
# **/*secret*
|
|
# **/*password*
|
|
# **/*credential*
|
|
# **/*.key
|
|
# **/*.pem
|
|
# **/*.p12
|
|
# **/*.pfx
|
|
|
|
# Security Framework - Sensitive Runtime Data
|
|
security-audit.log
|
|
auth-state-*.json
|
|
session-*.json
|
|
test-results/
|
|
test-screenshots/
|
|
# *.har
|
|
coverage/
|
|
|
|
# Allow security framework files but not sensitive data
|
|
!lib/
|
|
!lib/security/
|
|
!lib/security/*.js
|
|
!.env.template
|
|
!SECURITY-MIGRATION-GUIDE.md
|
|
!test-secure-example.js
|
|
|
|
# Claude Code Files (temporary)
|
|
!.claude/
|
|
!.claude/settings.local.json
|
|
!.claude/agents/
|
|
!.claude/agents/*.md
|
|
!CLAUDE.md
|
|
.mcp.json # MCP configuration contains JWT tokens
|
|
|
|
# Forgejo Actions CI/CD
|
|
!.forgejo/
|
|
!.forgejo/workflows/
|
|
!.forgejo/workflows/*.yml
|
|
|
|
# Temporary test files (exclude from commits)
|
|
test-actual-*.js
|
|
test-missing-*.js
|
|
direct-*.php
|
|
# *-temp.js
|
|
# *-temp.php
|
|
|
|
# Common ignores
|
|
.DS_Store
|
|
Thumbs.db
|
|
# *.log
|
|
# *.zip
|
|
# *.tar
|
|
# *.tar.gz
|
|
node_modules/
|
|
vendor/
|
|
.idea/
|
|
.vscode/
|
|
# *.swp
|
|
# *.swo
|
|
|
|
# GEMINI Config
|
|
!GEMINI.md
|
|
!.agent/
|
|
!.agent/workflows/
|
|
!.agent/workflows/*.md |