v0.1.3: audit-driven non-breaking fixes

Three bugs surfaced by the post-v0.1.2 architecture audit: - bridge.qml_path is now actually configurable. BridgeBundle::configure defines the qml_path scalar node (default ../qml/); loadExtension exposes it as the bridge.qml_path container parameter; services.yaml binds it into BridgeResourceMaker + BridgeWindowMaker. Apps override with `config/packages/bridge.yaml`. The existing maker docstrings claimed this worked already — they lied; now they don't. - SessionAuthenticator implements AuthenticationEntryPointInterface and routes the no-token entry-point path through the same problem+json helper as onAuthenticationFailure, so QML's RestClient sees one error shape regardless of which firewall path was taken. Test added. - CorrelationKeyListener::onTerminate guards on isMainRequest() now, matching onRequest's existing guard. No user-visible impact in worker mode (no sub-requests emitted), but the asymmetry was a defensive bug that would corrupt optimistic-update reconciliation. PLAN.md §13 gains a v0.1.3 section + folds the audit's API-surface items (PublisherInterface / ModelPublisherInterface / BridgeOp enum / maker DRY / DTO-shaped scaffold) into v0.2.0. CHANGELOG.md mirrors. PHPStan + cs-fixer + PHPUnit (17/17) + maker snapshot tests all green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 16:31:54 +02:00
parent 9f524104b9
commit 0cceefc890
9 changed files with 98 additions and 11 deletions
--- a/framework/php/src/BridgeBundle.php
+++ b/framework/php/src/BridgeBundle.php
@@ -12,16 +12,23 @@ use Symfony\Component\HttpKernel\Bundle\AbstractBundle;
 final class BridgeBundle extends AbstractBundle
 {
    /**
-     * @param array<string, mixed> $config
+     * @param array{qml_path?: string} $config
     */
    public function loadExtension(array $config, ContainerConfigurator $container, ContainerBuilder $builder): void
    {
+        $builder->setParameter('bridge.qml_path', $config['qml_path']);
        $container->import(__DIR__.'/../config/services.yaml');
    }

    public function configure(DefinitionConfigurator $definition): void
    {
-        // Bundle config tree gains nodes when bridge:doctor and the
-        // skeleton's wiring need settable knobs (Phase 1 sub-commits 3 & 6).
+        $definition->rootNode()
+            ->children()
+                ->scalarNode('qml_path')
+                    ->info('Where make:bridge:resource and make:bridge:window write QML scaffolds. Path is resolved relative to the Symfony project dir.')
+                    ->defaultValue('../qml/')
+                    ->cannotBeEmpty()
+                ->end()
+            ->end();
    }
 }
--- a/framework/php/src/EventSubscriber/CorrelationKeyListener.php
+++ b/framework/php/src/EventSubscriber/CorrelationKeyListener.php
@@ -43,6 +43,12 @@ final class CorrelationKeyListener implements EventSubscriberInterface

    public function onTerminate(TerminateEvent $event): void
    {
+        // Sub-requests share the kernel's correlation context with the main
+        // request — clearing on a sub-request's TerminateEvent would wipe the
+        // key while the main controller is still running.
+        if (!$event->isMainRequest()) {
+            return;
+        }
        $this->context->clear();
    }
 }
--- a/framework/php/src/Maker/BridgeResourceMaker.php
+++ b/framework/php/src/Maker/BridgeResourceMaker.php
@@ -33,8 +33,8 @@ use Symfony\Component\Uid\Uuid;
 *
 * The Doctrine subscriber installed by the bundle picks the entity up
 * automatically — no per-resource listener is generated. The QML snippet
- * goes to `qml_path` (default: `../qml/`, configurable via the bundle's
- * `qml_path` option in services.yaml).
+ * goes to `qml_path` (default: `../qml/`, set via `config/packages/bridge.yaml`:
+ * `bridge: { qml_path: ../qml/ }`).
 *
 * See PLAN.md §8 (*Custom makers*).
 */
--- a/framework/php/src/Maker/BridgeWindowMaker.php
+++ b/framework/php/src/Maker/BridgeWindowMaker.php
@@ -21,7 +21,8 @@ use Symfony\Component\Console\Input\InputInterface;
 * the first window and as many extra instances as it wants for the
 * multi-window test from PLAN.md §9 / §13 Phase 3.
 *
- * Generated file goes to `qml_path` (default: `../qml/`).
+ * Generated file goes to `qml_path` (default: `../qml/`, set via
+ * `config/packages/bridge.yaml`: `bridge: { qml_path: ../qml/ }`).
 */
 final class BridgeWindowMaker extends AbstractMaker
 {
--- a/framework/php/src/SessionAuthenticator.php
+++ b/framework/php/src/SessionAuthenticator.php
@@ -13,6 +13,7 @@ use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

 /**
 * Validates the per-session bearer token shared between the Qt host
@@ -22,7 +23,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPasspor
 * Qt host generates it per session and passes it to FrankenPHP via env.
 * See PLAN.md §3 (*Run modes*, *Edge cases — Per-session secret rotation*).
 */
-final class SessionAuthenticator extends AbstractAuthenticator
+final class SessionAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
 {
    public function __construct(
        #[\SensitiveParameter]
@@ -57,13 +58,30 @@ final class SessionAuthenticator extends AbstractAuthenticator
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
+    {
+        return $this->problemJson($exception->getMessage());
+    }
+
+    /**
+     * Entry point invoked when access is denied without a triggered authenticator
+     * (e.g. an anonymous request to a protected route). Without this, Symfony
+     * returns its default `WWW-Authenticate: Form` 302/401, which clients
+     * speaking JSON would never expect — same shape as onAuthenticationFailure
+     * keeps QML's RestClient error mapping consistent across both paths.
+     */
+    public function start(Request $request, ?AuthenticationException $authException = null): Response
+    {
+        return $this->problemJson($authException?->getMessage() ?? 'Bearer token required.');
+    }
+
+    private function problemJson(string $detail): JsonResponse
    {
        return new JsonResponse(
            [
                'type'   => 'about:blank',
                'title'  => 'Unauthorized',
                'status' => Response::HTTP_UNAUTHORIZED,
-                'detail' => $exception->getMessage(),
+                'detail' => $detail,
            ],
            Response::HTTP_UNAUTHORIZED,
            ['Content-Type' => 'application/problem+json'],