Sanierungsbericht Juni 2026

Warum wir untersucht haben

The work began with the protected business work-data lifecycle: identity, membership, consent, access, encrypted envelope state, exports, revocation, caching, and audit evidence all had to line up. The investigation widened because old compatibility paths, route shims, skipped tests, and Redis migration artifacts made it harder to prove the current product model.

The rule was simple: old compatibility should either be proven necessary and guarded, or proven unused and removed. For sensitive work data, assumptions were not enough.

DST-Fehler bei Lohnperioden

One real product bug found during the cleanup was in biweekly pay-period navigation. The old calculation converted timestamp seconds into days by dividing by 86400. Across a spring daylight-saving transition, that can miscount calendar days and cause the next period to resolve incorrectly.

• Fixed PayPeriods::biweeklyStart() to use calendar-day differences instead of timestamp seconds divided by 86,400.
• Added PayPeriodsTest::testBiweeklyNavigationAdvancesAcrossSpringDstBoundary, which verifies America/Edmonton navigation from 2024-02-26 to 2024-03-11 and then 2024-03-25.
• Re-enabled EarningsCalendarParityIntegrationTest::testRenderSectionsLazyDoesNotFatalWhenEncryptedWorkRowOmitsGross, which had exposed the period-navigation stall.
• Kept PayPeriodGeneratorTest in the remediation verification set so adjacent generation behavior remains covered.

Geschützte Arbeitsdaten

• Added and enforced BusinessProtectedDataAccess for actor authority, target membership, consent, wrap state, envelope metadata, and business site visibility.
• Routed member reports, financial summaries, workspace warmers, team earnings, daily member JSON, and member XLSX/PDF exports through the protected gate.
• Locked generic PDF/XLSX endpoints to personal current-user payloads and added negative tests for forged business/member payloads.
• Moved protected business XLSX/PDF export to server-side rebuilds from authorized rows.
• Expanded audit events for requested, denied, started, completed, and failed protected read/export outcomes.
• Added revocation tests proving stale reports, exports, summaries, team earnings, and caches are denied or purged after access changes.

Aliasse, Pfade, Weiterleitungen, Methoden und Klassen

• Removed /earnings/ compatibility route and smoke references; personal earnings and reports use /reports/.
• Removed /profile/ compatibility route and profile-page references; account profile settings now live under settings/account.
• Removed /js/businesses/ asset shim after canonical asset references were verified.
• Removed settings legacy hash redirect map, JSON payload, and browser redirect logic.
• Removed /blog/article/?slug=... redirect entrypoint from active routing and accessibility inventory references.
• Replaced /api/v1/profile/update/ and profile/settings route declarations with account-scoped profile routes.
• Removed unused BusinessDiscovery method aliases, ShadowTalon::init(), old Settings account route aliases, and an internal EmailVerification rate-limit wrapper.
• Removed runtime bare work.write organization mutation compatibility; runtime grants now require explicit self/org scope or manager authority.
• Removed generated TODO: Document... comments and unused FPDF.php placeholder class so source scans and inventories reflect active work.

Redis und Datendrift

• Created a Redis checkpoint before mutation: paycal-redis-20260619-091729.rdb, SHA-256 baff0c94361b57ef67a153b242669c537165a9b576a1cfb4953b10e95fa41215.
• Migrated old relationship/metaphor Redis keys and values: 4,288 key migrations and 599 value updates, with 0 conflicts and 0 errors.
• Repaired connection index drift across 1,698 connections and 1,447 businesses. The fixer repaired 378 drifted records and verified post-run drift at 0.
• Extended scripts/connections-audit.php so report-only mode identifies bare work.write drift and --fix migrates records to explicit work.scope.self.
• Replaced the stale SQL-era Redis field migration helper with a Redis-native dry-run/execute/verify flow for text_sizing -> text and density -> spacing.
• Removed absent compatibility paths for no-colon email index keys, theme_mode, and legacy fixed-TTL lock-boundary keys after audit verification.
• Marked 98 seeded @paycal.app fake personas so plaintext work-entry audits can ignore them by default while still reporting them with --include-ignored.

Crypto- und Plaintext-Arbeitseinträge

• Added CryptoCompatibilityTelemetry for unwrap source selection and outcomes.
• Added scripts/paycal crypto:compat:audit --json to report wrapper and fallback usage.
• Added scripts/paycal work:plaintext:audit --json to report plaintext-only rows, invalid encrypted blobs, fake-user rows, and rows requiring user-session rewrite.
• Retired the old plaintext migration execution path so it cannot strip intentional work-entry snapshot fields.
• Backfilled earnings snapshot fields across 64,447 work entries, including 859 missing gross values, and verified final missing gross and wage counts at 0.
• Kept plaintext/non-encrypted read compatibility because real-user rows still require user-session encrypted rewrite.
• Kept work-entry short-alias read compatibility because encrypted blobs and fixtures can still contain historical alias-shaped payloads, even though active Redis hash fields showed zero short aliases.

Geschlossene Sicherheitsbefunde

• Active request-IP call paths now use trusted-proxy-aware client IP resolution.
• Invite code and audit-chain hash comparisons use constant-time comparison.
• CORS validation evaluates request origins against an explicit allowlist.
• The development security-disable flag is ignored outside approved dev-like environments.
• Rate-limit IP key derivation uses SHA-256 instead of MD5.
• The admin test runner returns summarized output by default instead of raw PHPUnit details.

Sanierung von Einstellungen und Darstellung

• Added a persisted sidebar Trigger preference with a 400 ms default, 200 ms minimum, 3,000 ms maximum, and 200 ms step size.
• Cancelled delayed sidebar timers on pointer exit, document leave, and window blur.
• Grouped sidebar navigation into Personal, Business, and bottom Utility actions, with Settings, Help, and Sign Out anchored together.
• Replaced the Accent dropdown with 16 spectrum swatches, hover popovers, shared accent tokens, and a live preview window.
• Renamed Accent color to Accent, Density preset to Density, and Variant to Mode.
• Rebuilt notification position selection as a spatial grid using canonical top/bottom values.
• Fixed settings nav hover, active, and focus states after a global link hover rule produced a poor white hover block in the dark settings header.