vr-shopxo-plugin/plan.md

# Plan — vr-shopxo-plugin 安全评估 + 票务链路审计

> 版本：v1.0 | 日期：2026-05-26 | Agent：council/SecurityEngineer

---

## Round 1 安全评估任务清单

- [x] [Done: council/SecurityEngineer] **Task 1**: 审计购物车→支付→QR票生成链路（BuyService → onOrderPaid → issueTicket）
- [x] [Done: council/SecurityEngineer] **Task 2**: 检查 FOR UPDATE SKIP LOCKED 防超卖实现（verifyTicket / issueTicket）
- [x] [Done: council/SecurityEngineer] **Task 3**: QR签名机制审计（HMAC-SHA256、30分钟exp、code字段）
- [x] [Done: council/SecurityEngineer] **Task 4**: 检查 BaseService QR Secret 配置（硬编码风险）
- [x] [Done: council/SecurityEngineer] **Task 5**: 前端 XSS 风险初步评估
- [x] [Done: council/SecurityEngineer] **Task 6**: 输出安全评估报告 → `docs/council-eval-securityengineer.md`

---

## 阶段划分

| 阶段 | 内容 | 状态 |
|------|------|------|
| **Round 1 Draft** | 安全审计 + 评估报告 | ✅ 完成 |
| **Round 1 Review** | 投票 + 报告写入 main | 🔄 进行中 |

---

## 安全评估结论摘要

| # | 问题 | 严重性 | 状态 |
|---|------|--------|------|
| S-1 | issueTicket() 并发竞态（无悲观锁） | **P0 建议** | 建议加唯一索引 `(order_id, seat_info)` |
| S-2 | QR Secret 硬编码 fallback | **P1** | 需确认生产环境 `.env` 配置 |
| S-3 | FOR UPDATE SKIP LOCKED 概念混淆 | **P2** | 防超卖依赖ShopXO原子UPDATE已有效 |
| S-4 | onOrderPaid 无事务包装 | **P2** | 可接受（有幂等保护） |
| S-5 | 前端XSS（观演人渲染） | **P3** | 需确认渲染方式 |

**无 P0 安全漏洞。支付链路整体安全，建议持续改进。**

---

## 投票

**议题：下一步主攻方向**
**投票：C（双线并行）**

---

## 关键文件索引

| 文件 | 行号 | 安全关注点 |
|------|------|-----------|
| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 159-169 | issueTicket() 幂等检查（无悲观锁） |
| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 252-256 | verifyTicket() FOR UPDATE |
| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 25-138 | onOrderPaid 回调 |
| `shopxo/app/plugins/vr_ticket/service/BaseService.php` | 302-303 | QR Secret 硬编码 fallback |
| `shopxo/app/service/BuyService.php` | 1650-1684 | ShopXO 原子条件库存扣减 |
| `docs/council-eval-securityengineer.md` | — | 完整安全评估报告 |
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								# Plan — vr-shopxo-plugin 安全评估 + 票务链路审计
-												council(draft): SecurityEngineer - create plan.md with Phase 2 security research directions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 05:53:39 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								> 版本：v1.0 | 日期：2026-05-26 | Agent：council/SecurityEngineer
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
 								---
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								## Round 1 安全评估任务清单
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								- [x] [Done: council/SecurityEngineer] **Task 1**: 审计购物车→支付→QR票生成链路（BuyService → onOrderPaid → issueTicket）
 								- [x] [Done: council/SecurityEngineer] **Task 2**: 检查 FOR UPDATE SKIP LOCKED 防超卖实现（verifyTicket / issueTicket）
 								- [x] [Done: council/SecurityEngineer] **Task 3**: QR签名机制审计（HMAC-SHA256、30分钟exp、code字段）
 								- [x] [Done: council/SecurityEngineer] **Task 4**: 检查 BaseService QR Secret 配置（硬编码风险）
 								- [x] [Done: council/SecurityEngineer] **Task 5**: 前端 XSS 风险初步评估
 								- [x] [Done: council/SecurityEngineer] **Task 6**: 输出安全评估报告 → `docs/council-eval-securityengineer.md`
-												Merge branch 'main' into council/SecurityEngineer

# Conflicts:
#	plan.md

											
										
										
											2026-04-20 01:59:21 +00:00
 								---
-												council(draft): SecurityEngineer - add Round 1 plan for AdminGoodsSaveHandle security audit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:45:33 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								## 阶段划分
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
-												council(finalize): BackendArchitect - merge report + resolve plan.md conflict, all tasks done

											
										
										
											2026-04-20 11:21:04 +00:00
+								| 阶段 | 内容 | 状态 |
 								|------|------|------|
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								| **Round 1 Draft** | 安全审计 + 评估报告 | ✅ 完成 |
 								| **Round 1 Review** | 投票 + 报告写入 main | 🔄 进行中 |
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
 								---
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								## 安全评估结论摘要
 								| # | 问题 | 严重性 | 状态 |
 								|---|------|--------|------|
 								| S-1 | issueTicket() 并发竞态（无悲观锁） | **P0 建议** | 建议加唯一索引 `(order_id, seat_info)` |
 								| S-2 | QR Secret 硬编码 fallback | **P1** | 需确认生产环境 `.env` 配置 |
 								| S-3 | FOR UPDATE SKIP LOCKED 概念混淆 | **P2** | 防超卖依赖ShopXO原子UPDATE已有效 |
 								| S-4 | onOrderPaid 无事务包装 | **P2** | 可接受（有幂等保护） |
 								| S-5 | 前端XSS（观演人渲染） | **P3** | 需确认渲染方式 |
-												council(plan): FrontendDev - Phase 2 bugfix plan: routing + encoding issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-16 00:11:57 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								**无 P0 安全漏洞。支付链路整体安全，建议持续改进。**
-												fix(P0): vr_ticket Base - inherit ShopXO Common for full auth chain

- Change plugin Base from standalone to extend Common
- Call IsLogin() + IsPower() + FormTableInit() explicitly (avoids
  full ViewInit which is unnecessary for API/admin controllers)
- Documents permission node format: plugins_vr_ticket-{controller}-{action}
- Fixes R1 P0: bypassed auth chain (only LoginInfo, missing IsPower)
- Also fixes all child controllers since they call parent::__construct()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 06:00:20 +00:00
-												council(plan): FrontendDev - Phase 2 bugfix plan: routing + encoding issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-16 00:11:57 +00:00
+								---
-												council(execute): FrontendDev - Round 4: export button fix + mark Phase 2 complete

- Fix P1 bug: ticket/list.html export button (GET→POST form) matching IS_AJAX_POST
- Mark all plan.md tasks complete (seat templates, tickets, verifiers, verifications views)
- BackendArchitect: AuditService.php (S4 design), Verifier.php CONCAT fix, Verification.php column() fix
- BackendArchitect: SeatTemplate.php countSeats fix, TicketService.php transaction fix
- BackendArchitect: EventListener.php audit_log table added
- SecurityEngineer: S1-S5 security audit complete
- [CONSENSUS: YES] all three agents vote YES

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-15 06:20:03 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								## 投票
-												council(draft): DebugAgent - plan.md: debug "Undefined array key id" error

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-20 01:46:20 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								**议题：下一步主攻方向**
 								**投票：C（双线并行）**
-												council(draft): BackendArchitect - add documentation review plan

- Add BackendArchitect Round 1 section to plan.md
- Claim 4 review tasks: 3 docs + 1 summary
- Dimensions: accuracy, completeness, actionability, consistency, misleading risk

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-19 21:25:48 +00:00
-												council(security): SecurityEngineer - add missing VenueList methods + security audit

Security findings:
- SQL injection: LOW (query builder + parameter binding)
- XSS: LOW (ThinkPHP auto-escape, no |raw detected)
- Path traversal: LOW (all view paths hardcoded)
- CSRF: MEDIUM (ShopXO framework-level gap, out of scope for plugin)

Critical fix: admin/Admin.php was missing VenueList(), VenueSave(),
VenueDelete() — sidebar URL "/plugins/vr_ticket/admin/venueList" would
return 500 error. Added all three methods with v3.0 seat_map support.

P1 garbled name: documented DB fix SQL for shx_plugins + vrt_power tables.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-16 00:53:41 +00:00
+								---
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								## 关键文件索引
-												council(draft): SecurityEngineer - Round 1 plan for ghost spec security audit

											
										
										
											2026-04-20 10:47:31 +00:00
-												council(draft): SecurityEngineer - 安全评估：支付链路 + Issue #6 + FOR UPDATE

审计范围：
- 购物车→支付→QR票生成链路
- FOR UPDATE SKIP LOCKED 防超卖实现
- QR签名机制（HMAC-SHA256）
- BaseService QR Secret 硬编码风险
- 前端XSS初步评估

结论：无P0漏洞，支付链路整体安全。投票C（双线并行）。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-05-26 09:16:48 +00:00
+								| 文件 | 行号 | 安全关注点 |
 								|------|------|-----------|
 								| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 159-169 | issueTicket() 幂等检查（无悲观锁） |
 								| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 252-256 | verifyTicket() FOR UPDATE |
 								| `shopxo/app/plugins/vr_ticket/service/TicketService.php` | 25-138 | onOrderPaid 回调 |
 								| `shopxo/app/plugins/vr_ticket/service/BaseService.php` | 302-303 | QR Secret 硬编码 fallback |
 								| `shopxo/app/service/BuyService.php` | 1650-1684 | ShopXO 原子条件库存扣减 |
 								| `docs/council-eval-securityengineer.md` | — | 完整安全评估报告 |