vr-shopxo-plugin/plan.md

# Council Plan — vr-shopxo-plugin 安全审议

> Round 1 — 2026-04-15
> Branch: council/SecurityEngineer → main
> 状态：**Draft Phase 完成，进入 Review**

---

## Task Summary

对 vr-shopxo-plugin 票务插件进行完整代码安全审议，输出独立评审报告（≥500字），列出所有发现的问题（严重/中等/轻微/建议），给出具体修复建议。**仅评论不改代码，变更提交本地 worktree。**

---

## Task Checklist

- [x] 1. 插件架构审计（EventListener.php / plugin.json）
- [x] 2. 票务核心审计（TicketService.php / BaseService.php）
- [x] 3. 前端票务详情页审计（ticket_detail.html）
- [x] 4. 数据库 Schema 审计
- [x] 5. 安全性综合审计（SQL注入/XSS/重放攻击/QR伪造）
- [x] 6. 输出评审报告到 reviews/code-review-SecurityEngineer.md
- [x] 7. 提交 plan.md 到 main

---

## 审计发现汇总

| 编号 | 严重程度 | 类别 | 描述 |
|------|---------|------|------|
| S-01 | 🔴 严重 | 业务逻辑 | `onOrderPaid` 无幂等保护，同一订单可生成多张票 |
| M-01 | 🟡 中等 | 业务逻辑 | `verifyTicket` 存在 TOCTOU 竞态条件 |
| M-02 | 🟡 中等 | 鉴权 | 手动核销接口未验证核销员身份 |
| M-03 | 🟡 中等 | 数据安全 | 观演人身份证明文存储 |
| M-04 | 🟡 中等 | 前端安全 | `simple_desc` 使用 `|raw` 导致存储型 XSS |
| M-05 | 🟡 中等 | 加密 | QR 加密密钥回退到硬编码默认值 |
| L-01 | 🟢 轻微 | 前端安全 | `data-label` 属性可能含未转义数据 |
| L-02 | 🟢 轻微 | 数据完整性 | AES-CBC 无认证加密 |
| L-03 | 🟢 轻微 | 业务逻辑 | `loadSoldSeats` 未实现，存在超卖风险 |
| I-01~04 | 💡 建议 | 架构/业务 | 升级迁移、退款钩子、购买上限、表单校验缺失 |

---

## Phase Breakdown

| Phase | 内容 | 状态 |
|---|---|---|
| **Draft** | 各模块代码审计 + 报告撰写 | ✅ Done |
| **Review** | 交叉评审其他成员报告 | ✅ Done |
| **Finalize** | 合并到 main，投票 | ⏳ Pending |

### 评审交叉验证结果

- BackendArchitect 报告：**[APPROVE]** — 结构严谨，修复建议具体，与 SecurityEngineer 独立审计结论高度一致
- 发现补充：BackendArchitect 补充了 issueTicket 时序问题、ALTER TABLE `empty($cols)` 判断错误、座位图 class XSS 等 SecurityEngineer 遗漏项
- SecurityEngineer 补充：手动核销鉴权（M-02）、观演人明文存储合规风险（M-03）未在 BackendArchitect 报告中单独标记

---

## Claim Status

| Task | Owner | Status |
|---|---|---|
| 插件架构审计 | council/SecurityEngineer | `[Done]` |
| 票务核心审计 | council/SecurityEngineer | `[Done]` |
| 前端票务页审计 | council/SecurityEngineer | `[Done]` |
| 数据库Schema审计 | council/SecurityEngineer | `[Done]` |
| 安全综合审计 | council/SecurityEngineer | `[Done]` |
| 输出评审报告 | council/SecurityEngineer | `[Done]` |
| 交叉评审 BackendArchitect 报告 | council/SecurityEngineer | `[Done]` |

---

## 立即修复优先级（上线前必须）

1. **S-01** — `onOrderPaid` 添加幂等检查
2. **M-02** — 手动核销接口鉴权
3. **M-04** — 移除 `|raw` XSS
4. **M-05** — 移除 QR 密钥硬编码回退

---

**[CONSENSUS: YES]** — Draft + Review 完成，等待 Finalize 投票
-												council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:14:23 +00:00
+								# Council Plan — vr-shopxo-plugin 安全审议
-												council(draft): pm-reviewer - create plan.md with PM review task breakdown

											
										
										
											2026-04-14 05:45:33 +00:00
-												council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:14:23 +00:00
+								> Round 1 — 2026-04-15
 								> Branch: council/SecurityEngineer → main
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+								> 状态：**Draft Phase 完成，进入 Review**
-												council(draft): pm-reviewer - create plan.md with PM review task breakdown

											
										
										
											2026-04-14 05:45:33 +00:00
 								---
-												council(draft): PM - Round 1 Q3 回答（配置结构建议）

PM 立场：建议新增 `routing` section
- routing.modelProviderOverride: 模型 → provider 映射
- routing.baseUrlOverride: 可选 baseUrl 覆盖
- 放在顶层，语义清晰，向后兼容

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:56:22 +00:00
+								## Task Summary
-												council(draft): resolve plan.md conflict, merge backend-reviewer + pm-reviewer plans

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 05:47:12 +00:00
-												council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:14:23 +00:00
+								对 vr-shopxo-plugin 票务插件进行完整代码安全审议，输出独立评审报告（≥500字），列出所有发现的问题（严重/中等/轻微/建议），给出具体修复建议。**仅评论不改代码，变更提交本地 worktree。**
-												council(draft): pm-reviewer - create plan.md with PM review task breakdown

											
										
										
											2026-04-14 05:45:33 +00:00
 								---
-												council(draft): PM - Round 1 Q3 回答（配置结构建议）

PM 立场：建议新增 `routing` section
- routing.modelProviderOverride: 模型 → provider 映射
- routing.baseUrlOverride: 可选 baseUrl 覆盖
- 放在顶层，语义清晰，向后兼容

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:56:22 +00:00
+								## Task Checklist
-												council(draft): pm-reviewer - create plan.md with PM review task breakdown

											
										
										
											2026-04-14 05:45:33 +00:00
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+								- [x] 1. 插件架构审计（EventListener.php / plugin.json）
 								- [x] 2. 票务核心审计（TicketService.php / BaseService.php）
 								- [x] 3. 前端票务详情页审计（ticket_detail.html）
 								- [x] 4. 数据库 Schema 审计
 								- [x] 5. 安全性综合审计（SQL注入/XSS/重放攻击/QR伪造）
 								- [x] 6. 输出评审报告到 reviews/code-review-SecurityEngineer.md
 								- [x] 7. 提交 plan.md 到 main
 								---
 								## 审计发现汇总
 								| 编号 | 严重程度 | 类别 | 描述 |
 								|------|---------|------|------|
 								| S-01 | 🔴 严重 | 业务逻辑 | `onOrderPaid` 无幂等保护，同一订单可生成多张票 |
 								| M-01 | 🟡 中等 | 业务逻辑 | `verifyTicket` 存在 TOCTOU 竞态条件 |
 								| M-02 | 🟡 中等 | 鉴权 | 手动核销接口未验证核销员身份 |
 								| M-03 | 🟡 中等 | 数据安全 | 观演人身份证明文存储 |
 								| M-04 | 🟡 中等 | 前端安全 | `simple_desc` 使用 `|raw` 导致存储型 XSS |
 								| M-05 | 🟡 中等 | 加密 | QR 加密密钥回退到硬编码默认值 |
 								| L-01 | 🟢 轻微 | 前端安全 | `data-label` 属性可能含未转义数据 |
 								| L-02 | 🟢 轻微 | 数据完整性 | AES-CBC 无认证加密 |
 								| L-03 | 🟢 轻微 | 业务逻辑 | `loadSoldSeats` 未实现，存在超卖风险 |
 								| I-01~04 | 💡 建议 | 架构/业务 | 升级迁移、退款钩子、购买上限、表单校验缺失 |
-												fix: 明确允许最小范围修改ShopXO源码（MIT协议），以进度为先

											
										
										
											2026-04-14 06:10:59 +00:00
 								---
-												council(finalize): PM - Round 2 完成，清理 plan.md conflict markers

- 清理 plan.md 中的 Git conflict markers
- 确认 4 Q 全票通过 NON-BLOCKING
- 架构决策完成

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:45:13 +00:00
+								## Phase Breakdown
-												council(draft): Architect - Round 1 架构评审结论

Q1: 座位模板绑定粒度 - NON-BLOCKING (分类UNIQUE KEY合理)
Q2: spec_base_id_map - NON-BLOCKING (共用seat_map最简)
Q3: 观演人存储 - NON-BLOCKING (vr_tickets支付后写入)
Q4: spec绑定 - NON-BLOCKING ($vr-前缀隔离已确认)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:40:41 +00:00
-												council(draft): PM - Round 1 Q3 回答（配置结构建议）

PM 立场：建议新增 `routing` section
- routing.modelProviderOverride: 模型 → provider 映射
- routing.baseUrlOverride: 可选 baseUrl 覆盖
- 放在顶层，语义清晰，向后兼容

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:56:22 +00:00
+								| Phase | 内容 | 状态 |
 								|---|---|---|
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+								| **Draft** | 各模块代码审计 + 报告撰写 | ✅ Done |
-												council(review): SecurityEngineer - update plan.md to Finalize phase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:21:42 +00:00
+								| **Review** | 交叉评审其他成员报告 | ✅ Done |
-												council(draft): PM - Round 1 Q3 回答（配置结构建议）

PM 立场：建议新增 `routing` section
- routing.modelProviderOverride: 模型 → provider 映射
- routing.baseUrlOverride: 可选 baseUrl 覆盖
- 放在顶层，语义清晰，向后兼容

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:56:22 +00:00
+								| **Finalize** | 合并到 main，投票 | ⏳ Pending |
-												council(review): SecurityEngineer - update plan.md to Finalize phase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:21:42 +00:00
+								### 评审交叉验证结果
 								- BackendArchitect 报告：**[APPROVE]** — 结构严谨，修复建议具体，与 SecurityEngineer 独立审计结论高度一致
 								- 发现补充：BackendArchitect 补充了 issueTicket 时序问题、ALTER TABLE `empty($cols)` 判断错误、座位图 class XSS 等 SecurityEngineer 遗漏项
 								- SecurityEngineer 补充：手动核销鉴权（M-02）、观演人明文存储合规风险（M-03）未在 BackendArchitect 报告中单独标记
-												council(draft): PM - Round 1 Q3 回答（配置结构建议）

PM 立场：建议新增 `routing` section
- routing.modelProviderOverride: 模型 → provider 映射
- routing.baseUrlOverride: 可选 baseUrl 覆盖
- 放在顶层，语义清晰，向后兼容

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:56:22 +00:00
+								---
 								## Claim Status
 								| Task | Owner | Status |
-												council(finalize): PM - Round 2 完成，清理 plan.md conflict markers

- 清理 plan.md 中的 Git conflict markers
- 确认 4 Q 全票通过 NON-BLOCKING
- 架构决策完成

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:45:13 +00:00
+								|---|---|---|
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+								| 插件架构审计 | council/SecurityEngineer | `[Done]` |
 								| 票务核心审计 | council/SecurityEngineer | `[Done]` |
 								| 前端票务页审计 | council/SecurityEngineer | `[Done]` |
 								| 数据库Schema审计 | council/SecurityEngineer | `[Done]` |
 								| 安全综合审计 | council/SecurityEngineer | `[Done]` |
 								| 输出评审报告 | council/SecurityEngineer | `[Done]` |
-												council(review): SecurityEngineer - update plan.md to Finalize phase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:21:42 +00:00
+								| 交叉评审 BackendArchitect 报告 | council/SecurityEngineer | `[Done]` |
-												council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:14:23 +00:00
 								---
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+								## 立即修复优先级（上线前必须）
-												council(draft): SecurityEngineer - create plan.md for vr-shopxo-plugin security review

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:14:23 +00:00
-												council(draft): SecurityEngineer - update plan.md with completed findings

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:17:42 +00:00
+. **S-01** — `onOrderPaid` 添加幂等检查
 . **M-02** — 手动核销接口鉴权
 . **M-04** — 移除 `|raw` XSS
 . **M-05** — 移除 QR 密钥硬编码回退
-												council(draft): Architect - Round 1 架构评审结论

Q1: 座位模板绑定粒度 - NON-BLOCKING (分类UNIQUE KEY合理)
Q2: spec_base_id_map - NON-BLOCKING (共用seat_map最简)
Q3: 观演人存储 - NON-BLOCKING (vr_tickets支付后写入)
Q4: spec绑定 - NON-BLOCKING ($vr-前缀隔离已确认)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-14 10:40:41 +00:00
 								---
-												council(review): SecurityEngineer - update plan.md to Finalize phase

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 01:21:42 +00:00
+								**[CONSENSUS: YES]** — Draft + Review 完成，等待 Finalize 投票