Untitled Session — Memory Wiki

You2026-05-25 07:40 UTC

Sweep the entire Profe codebase for gremlin breeding grounds. Write findings to /root/.hermes/plans/. Work in parallel with GS (separate subagent). Both of you submit independent reports. ## What to hunt ### Silent Failures - Empty catch blocks that swallow errors - Code that runs but has no side effects (writes nobody reads) - Events emitted with no registered listeners - Methods that log errors but never surface them (no admin alert, no retry) - Migration steps that silently skip (IF NOT EXISTS on everything means you'd never know if a migration failed) ### Dead Code Paths - Interface methods with zero callers across all modules - Routes registered but no frontend or webhook will ever hit them - Config keys defined in the build brief but never read at runtime - Constructor parameters stored but never used in the class ### Assumptions That Don't Hold - "The user is always logged in" — routes with `permission_callback => '__return_true'` that assume the handler won't crash on null user - "The table always has rows" — `getResults()` used without checking if result is empty - "This API always returns in 5 seconds" — no timeout handling on external API calls (Brevo, Stripe, Bunny) - "The config file is always there" — code that reads PROFE_MODULES_DIR without checking if it's defined ### State Leaks / Compensation Gaps - Pipeline steps with execute() but no compensate() - Stripe PaymentIntent created but user creation fails — orphan payment with no cleanup - WP user created but CRM sync fails — user exists in WP but never reaches Brevo - File uploaded to Bunny Storage but DB record creation fails — orphan file ### Missing Observability - Error paths that print to error_log() but nobody reads error logs - No admin dashboard for failed pipeline steps - No alerts for stuck cron jobs (abandoned cart scanner, CRM sync queue) - Webhook handlers that return 200 even when processing fails (Stripe will stop retrying) ### Hardcoded Environment - API URLs hardcoded in service files instead of config - Credential defaults in source code (even if just for dev) - Path assumptions (e.g., `/tmp/` for uploads — may not exist on production) - Cache TTLs, retry counts, timeouts hardcoded as magic numbers ### Interface Drift - Modules that depend on CoreUsersInterface but the interface was never updated per spec - T44 pipeline calling crm_sync with the wrong parameter type - Module 8 form admin calling Module 5 CRM with mismatched method signatures ### Auto-generated Template Artifacts - `listItems/getItem/createItem/updateItem/deleteItem` stubs that were never replaced - Generic README.md files that say "TODO: describe this module" - Composer.json files with placeholder descriptions - Test files that test the template (createItem works) but not the domain (createPost fails) ## Report format Write to /root/.hermes/plans/sa-gremlin-report.md (you're SA) Per finding: - **Category**: Silent Failure / Dead Code / Assumption / State Leak / Observability / Hardcoded / Interface Drift / Template Artifact - **File**: path + line number - **Risk**: LOW / MEDIUM / HIGH / CRITICAL - **Description**: what's wrong - **Fix**: what to do about it

Donna2026-05-25 07:40 UTC

I'll start by exploring the codebase structure to understand the scope, then systematically hunt for each category of gremlin.

Tool2026-05-25 07:40 UTC

{"output": "/root/profe-modules\n/root/profe-modules/access_control\n/root/profe-modules/admin_app\n/root/profe-modules/automator\n/root/profe-modules/badge_system\n/root/profe-modules/billing_admin\n/root/profe-modules/brevo_service\n/root/profe-modules/bunny_storage\n/root/profe-modules/bunny_stre...

Tool2026-05-25 07:40 UTC

{"output": "/root/profe-chassis\n/root/profe-chassis/config\n/root/profe-chassis/migrations\n/root/profe-chassis/src\n/root/profe-chassis/vendor", "exit_code": 0, "error": null}

Tool2026-05-25 07:40 UTC

{"content": " 1|# Past Faults Log — Profe Core Modules\n 2|\n 3|> **Purpose:** Every bug, design miss, and edge case discovered during development is recorded here.\n 4|> Future modules (and future TBs) MUST read this log before writing code.\n 5|\n 6|---\n 7|\n 8|## ...

Donna2026-05-25 07:40 UTC

Good, I can see 44 modules plus the chassis. Let me start the systematic gremlin hunt with parallel searches across all categories.

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Tool2026-05-25 07:40 UTC

{"total_count": 80, "matches": [{"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardModule.php", "line": 48, "content": " catch(\\Throwable $e) { if (function_exists('error_log')) error_log('[LeaderboardModule] CSRF: ' . $e->getMessage()); return false; }"}, {"path": "/root/p...

Tool2026-05-25 07:40 UTC

{"total_count": 4, "matches": [{"path": "/root/profe-modules/access_control/src/AccessControl/AccessControlModule.php", "line": 149, "content": " 'permission_callback' => '__return_true',"}, {"path": "/root/profe-modules/mem_levels/src/MemLevels/MemLevelsModule.php", "line": 206, "content...

Tool2026-05-25 07:40 UTC

{"total_count": 100, "matches": [{"path": "/root/profe-modules/leaderboard/tests/Unit/LeaderboardServiceTest.php", "line": 32, "content": " public function testListItemsReturnsPaginated(): void { $this->repo->method('listItems')->willReturn(['items'=>[],'total'=>0]); $r=$this->service->listItems(...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"total_count": 20, "matches": [{"path": "/root/profe-modules/form_entries/src/FormSubmissions/Pipeline/Steps/CreateSubscriptionStep.php", "line": 24, "content": " public function execute(PipelineContext $context): PipelineResult"}, {"path": "/root/profe-modules/form_entries/src/FormSubmissions/P...

Tool2026-05-25 07:40 UTC

{"total_count": 15, "matches": [{"path": "/root/profe-modules/form_entries/src/FormSubmissions/FormSubmissionsModule.php", "line": 285, "content": " $submission = $this->getSubmissionsService()->getSubmissionByPaymentIntent($paymentIntentId);"}, {"path": "/root/profe-modules/form_entries/...

Tool2026-05-25 07:40 UTC

{"total_count": 30, "matches": [{"path": "/root/profe-modules/media_upload_jobs/src/MediaUploadJobs/MediaUploadJobsProcessor.php", "line": 63, "content": " // In production, this would call BunnyStorageInterface::upload()"}, {"path": "/root/profe-modules/media_upload_jobs/src/MediaUpl...

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"total_count": 9, "matches": [{"path": "/root/profe-modules/webhook_handler/src/WebhookHandler/WebhookHandlerModule.php", "line": 204, "content": " public function handleStripeWebhook(\\WP_REST_Request $request): \\WP_REST_Response"}, {"path": "/root/profe-modules/webhook_handler/src/WebhookHand...

Tool2026-05-25 07:40 UTC

{"total_count": 40, "matches": [{"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardService.php", "line": 26, "content": " public function __construct(ProfeDB $db, CoreUsersInterface $coreUsers, EventBusInterface $events)"}, {"path": "/root/profe-modules/media_upload_jobs/src/Med...

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Tool2026-05-25 07:40 UTC

{"total_count": 50, "matches": [{"path": "/root/profe-modules/migrations/039_create_profe_automator_rules.sql", "line": 1, "content": "CREATE TABLE IF NOT EXISTS `profe_automator_rules` ("}, {"path": "/root/profe-modules/migrations/056_create_profe_form_submissions.sql", "line": 2, "content": "CREAT...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 200| * POST /api/webhooks/stripe\n 201| *\n 202| * Stripe webhook receiver. No auth, no CSRF — Stripe signs via webhook secret.\n 203| */\n 204| public function handleStripeWebhook(\\WP_REST_Request $request): \\WP_REST_Response\n 205| {\n 206| ...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * WebhookHandler — Stripe webhook event processing implementation\n 4| *\n 5| * HC-01: Stripe SDK used for signature verification via StripeServiceInterface.\n 6| * HC-02: Webhook signature via SDK — NOT hand-rolled HMAC.\n 7| * HC-03: I...

Tool2026-05-25 07:40 UTC

{"total_count": 1, "matches": [{"path": "/root/profe-modules/google_ads_conversion/src/GoogleAdsConversion/GoogleAdsConversionService.php", "line": 195, "content": " $result = $response->getResults()->offsetGet(0);"}]}

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 180| * FAULT-013: Verify webhook signature before processing.\n 181| */\n 182| public function handleBrevoWebhook(\\WP_REST_Request $request): \\WP_REST_Response\n 183| {\n 184| try {\n 185| $payload = $request->get_body();\n 186| ...

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Tool2026-05-25 07:40 UTC

{"total_count": 20, "matches": [{"path": "/root/profe-modules/leaderboard/composer.json", "line": 3, "content": " \"description\": \"Leaderboard and ranking system\","}, {"path": "/root/profe-modules/media_upload_jobs/composer.json", "line": 3, "content": " \"description\": \"Upload orchestrat...

Donna2026-05-25 07:40 UTC

CRITICAL finding: Brevo webhook returns 200 even on unhandled errors. Let me continue the deep hunt.

Tool2026-05-25 07:40 UTC

{"content": " 690| *\n 691| * @param string $message\n 692| * @param \\Throwable $e\n 693| */\n 694| private function logError(string $message, \\Throwable $e): void\n 695| {\n 696| if (function_exists('error_log')) {\n 697| error_log(sprin...

Tool2026-05-25 07:40 UTC

{"total_count": 4, "matches": [{"path": "/root/profe-modules/profe-modules-loader/profe-modules-loader.php", "line": 23, "content": "define('PROFE_MODULES_DIR', dirname(__DIR__) . '/profe-modules');"}, {"path": "/root/profe-modules/profe-modules-loader/profe-modules-loader.php", "line": 54, "content...

Tool2026-05-25 07:40 UTC

{"total_count": 30, "matches": [{"path": "/root/profe-modules/media_upload_jobs/src/MediaUploadJobs/MediaUploadJobsService.php", "line": 96, "content": " $this->eventBus->emit('profe/media/upload_queued', ["}, {"path": "/root/profe-modules/media_upload_jobs/src/MediaUploadJobs/MediaUploadJobs...

Tool2026-05-25 07:40 UTC

{"total_count": 30, "matches": [{"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardModule.php", "line": 29, "content": " $c->set('Profe\\\\Leaderboard\\\\LeaderboardInterface', function($d){"}, {"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardModule.php",...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline\\Steps;\n 4|\n 5|use Profe\\FormSubmissions\\Pipeline\\PipelineStepInterface;\n 6|use Profe\\FormSubmissions\\Pipeline\\PipelineContext;\n 7|use Profe\\FormSubmissions\\Pipel...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline\\Steps;\n 4|\n 5|use Profe\\FormSubmissions\\Pipeline\\PipelineStepInterface;\n 6|use Profe\\FormSubmissions\\Pipeline\\PipelineContext;\n 7|use Profe\\FormSubmissions\\Pipel...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline\\Steps;\n 4|\n 5|use Profe\\FormSubmissions\\Pipeline\\PipelineStepInterface;\n 6|use Profe\\FormSubmissions\\Pipeline\\PipelineContext;\n 7|use Profe\\FormSubmissions\\Pipel...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline\\Steps;\n 4|\n 5|use Profe\\FormSubmissions\\Pipeline\\PipelineStepInterface;\n 6|use Profe\\FormSubmissions\\Pipeline\\PipelineContext;\n 7|use Profe\\FormSubmissions\\Pipel...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline;\n 4|\n 5|use Profe\\FormSubmissions\\Repository\\FormSubmissionsRepository;\n 6|use Profe\\FormEngine\\FormEngineInterface;\n 7|use Profe\\EventBus\\EventBusInterface;\n ...

Tool2026-05-25 07:40 UTC

{"content": "", "total_lines": 0, "file_size": 0, "truncated": false, "is_binary": false, "is_image": false, "error": "File not found: /root/profe-modules/event_bus/src/EventBus/EventBus.php", "similar_files": ["/root/profe-modules/event_bus/src/EventBus/EventBusInterface.php", "/root/profe-modules/...

Tool2026-05-25 07:40 UTC

{"total_count": 4, "matches": [{"path": "/root/profe-modules/crm_sync/src/CrmSync/CrmSyncModule.php", "line": 101, "content": " $this->registerEventListeners();"}, {"path": "/root/profe-modules/crm_sync/src/CrmSync/CrmSyncModule.php", "line": 142, "content": " private function registerEven...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 140| * HC-05: Event-driven enqueuing — listens to CRM events.\n 141| */\n 142| private function registerEventListeners(): void\n 143| {\n 144| try {\n 145| global $profeContainer;\n 146| if (isset($profeContainer) && $profeContai...

Tool2026-05-25 07:40 UTC

{"content": " 140| *\n 141| * Listens to profe/billing/payment_succeeded and auto-creates orders.\n 142| */\n 143| private function registerEventListeners(): void\n 144| {\n 145| try {\n 146| global $profeContainer;\n 147| if (isset($pro...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\EventBus;\n 5|\n 6|class EventBusStub implements EventBusInterface\n 7|{\n 8| public function emit(string $event, array $payload = []): void\n 9| {\n 10| // Stub — no-op\n...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * GoogleAdsConversionService — Google Ads Conversion Tracking Implementation\n 4| *\n 5| * HC-01: Google Ads PHP SDK used (googleads/google-ads-php) — NOT hand-rolled API calls.\n 6| * HC-02: OAuth2 credentials via ConfigManagerInterface — N...

Donna2026-05-25 07:40 UTC

HUGE finding on the EventBus. Let me verify this is what's actually used, and check the GoogleAdsConversion, hardcoded values, the chassis, and more.

Tool2026-05-25 07:40 UTC

{"total_count": 10, "matches": [{"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardService.php", "line": 15, "content": "use Profe\\EventBus\\EventBusInterface;"}, {"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardService.php", "line": 20, "content": " private...

Tool2026-05-25 07:40 UTC

{"content": " 50| ?string $conversionActionId = null\n 51| ): string {\n 52| $this->validateCredentials();\n 53|\n 54| $conversionActionId = $conversionActionId ?? $this->getConfiguredConversionActionId();\n 55|\n 56| try {\n 57| $cli...

Tool2026-05-25 07:40 UTC

{"content": " 160| ): ClickConversion {\n 161| $clickConversion = (new ClickConversion())\n 162| ->setGclid($gclid)\n 163| ->setConversionValue($conversionValue)\n 164| ->setCurrencyCode(strtoupper($currencyCode))\n 165| ->setConversi...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * MediaUploadJobsProcessor — Queue processing + CDN offload\n 4| *\n 5| * HC-04: Job status machine: queued → processing → completed / failed.\n 6| * HC-05: Max 3 retries before permanent failure.\n 7| *\n 8| * @package Profe\\MediaU...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * Profe Modules Loader — WordPress Plugin\n 4| *\n 5| * Loads all Profe sub-modules, creates the DI container, and\n 6| * bootstraps them into the WordPress lifecycle.\n 7| *\n 8| * Plugin Name: Profe Modules Loader\n 9| * Plugin...

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Tool2026-05-25 07:40 UTC

{"content": "", "total_lines": 0, "file_size": 0, "truncated": false, "is_binary": false, "is_image": false, "error": "File not found: /root/profe-chassis/src/DiContainer/DiContainer.php"}

Tool2026-05-25 07:40 UTC

{"total_count": 0}

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 101| {\n 102| $this->services[$id] = $instance;\n 103| }\n 104|}\n 105|\n 106|// ---------------------------------------------------------------------------\n 107|// Module Loader\n 108|// --------------------------------------------------------------------...

Tool2026-05-25 07:40 UTC

{"output": "/root/profe-chassis/src/ProfeMigrator.php\n/root/profe-chassis/src/ProfeDB.php\n/root/profe-chassis/src/ProfeUserSync.php\n/root/profe-chassis/src/ProfeChassis.php\n/root/profe-chassis/src/ProfeContainer.php\n/root/profe-chassis/src/ProfeAutoloader.php", "exit_code": 0, "error": null}

Tool2026-05-25 07:40 UTC

{"total_count": 30, "matches": [{"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardService.php", "line": 15, "content": "use Profe\\EventBus\\EventBusInterface;"}, {"path": "/root/profe-modules/leaderboard/src/Leaderboard/LeaderboardService.php", "line": 20, "content": " private...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 161| $this->registerCoreServices();\n 162| }\n 163|\n 164| private function registerCoreServices(): void\n 165| {\n 166| // Chassis services — every module needs these\n 167| $this->container->set(\n 168| 'Profe\\\\Chassis\\\\Pro...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\EventBus;\n 5|\n 6|interface EventBusInterface\n 7|{\n 8| public function emit(string $event, array $payload = []): void;\n 9|\n 10| public function on(string $event, callable $l...

Tool2026-05-25 07:40 UTC

{"total_count": 1, "matches": [{"path": "/root/profe-modules/event_bus/src/EventBus/EventBusStub.php", "line": 6, "content": "class EventBusStub implements EventBusInterface"}]}

Tool2026-05-25 07:40 UTC

{"total_count": 10, "matches": [{"path": "/root/profe-modules/event_bus/src/EventBus/EventBusStub.php", "line": 1, "content": "<?php"}, {"path": "/root/profe-modules/event_bus/src/EventBus/EventBusStub.php", "line": 2, "content": "declare(strict_types=1);"}, {"path": "/root/profe-modules/event_bus/s...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 56| // Mark as processing\n 57| $this->repository->updateStatus($jobId, ['status' => 'processing']);\n 58|\n 59| try {\n 60| // Delegate CDN upload based on target_storage\n 61| $cdnUrl = null;\n 62| if ($job['t...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * WebhookHandler — Stripe webhook event processing implementation\n 4| *\n 5| * HC-01: Stripe SDK used for signature verification via StripeServiceInterface.\n 6| * HC-02: Webhook signature via SDK — NOT hand-rolled HMAC.\n 7| * HC-03: I...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|namespace Profe\\FormSubmissions\\Pipeline\\Steps;\n 4|\n 5|use Profe\\FormSubmissions\\Pipeline\\PipelineStepInterface;\n 6|use Profe\\FormSubmissions\\Pipeline\\PipelineContext;\n 7|use Profe\\FormSubmissions\\Pipel...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * ProfeContainer — minimal PSR-11-style dependency injection container.\n 4| *\n 5| * Stores service definitions as factory closures. Services are lazy —\n 6| * instantiated on first get(), then shared for subsequent calls.\n 7| *\n ...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|/**\n 3| * ProfeMigrator — Versioned Migration Runner with Rollback\n 4| *\n 5| * HC-18: Uses authoritative SQL schema files as source of truth\n 6| * HC-19: Supports rollback (each file has UP/DOWN sections)\n 7| * HC-22: Uses IF NOT EXISTS / IF...

Tool2026-05-25 07:40 UTC

{"content": " 190| }\n 191| }\n 192|\n 193| /**\n 194| * Register REST API routes.\n 195| */\n 196| public function registerRoutes(): void\n 197| {\n 198| if (!function_exists('register_rest_route')) {\n 199| return;\n 200| }\...

Tool2026-05-25 07:40 UTC

{"content": " 130| 'name' => 'Free',\n 131| 'slug' => 'free',\n 132| 'description' => 'Access to public domain content and basic features.',\n 133| 'price_amount' => 0.00,\n 134| ...

Donna2026-05-25 07:40 UTC

I now have enough data for a comprehensive report. Let me check a couple more things about the CSRF enforcement and migration PHP classes.

Tool2026-05-25 07:40 UTC

{"total_count": 30, "matches": [{"path": "/root/profe-modules/media_upload_jobs/src/MediaUploadJobs/Migration/CreateMediaUploadJobsMigration.php", "line": 5, "content": " * FAULT-006: PHP migration class with up/down SQL."}, {"path": "/root/profe-modules/media_upload_jobs/src/MediaUploadJobs/Migrati...

Tool2026-05-25 07:40 UTC

{"content": " 60| try {\n 61| if (isset($GLOBALS['profeRedis']) && $GLOBALS['profeRedis'] instanceof \\Redis) {\n 62| $redis = $GLOBALS['profeRedis'];\n 63| } elseif (class_exists('\\Redis')) {\n 64| ...

Tool2026-05-25 07:40 UTC

{"content": " 130|\n 131| // DELETE /api/access/rules/{resource} — remove rule (admin)\n 132| register_rest_route('profe/v1', '/access/rules/(?P<resource>[a-z_]+)', [\n 133| 'methods' => 'DELETE',\n 134| 'callback' => [$this, 'hand...

Donna2026-05-25 07:40 UTC

Tool2026-05-25 07:40 UTC

{"content": " 178| // FAULT-004: Enforce CSRF nonce validation\n 179| try {\n 180| global $profeContainer;\n 181| if (isset($profeContainer) && $profeContainer->has('Profe\\\\CsrfMiddleware\\\\CsrfMiddlewareInterface')) {\n 182| $csrf = $p...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\CsrfMiddleware;\n 5|\n 6|class CsrfMiddlewareStub implements CsrfMiddlewareInterface\n 7|{\n 8| public function requireValidNonce(): void\n 9| {\n 10| // Stub — no-op\n ...

Tool2026-05-25 07:40 UTC

{"total_count": 20, "matches": [{"path": "/root/profe-modules/core_users/src/CoreUsers/CoreUsersStub.php", "line": 6, "content": "class CoreUsersStub implements CoreUsersInterface"}, {"path": "/root/profe-modules/core_users/src/CoreUsers/CoreUsersStub.php", "line": 8, "content": " public function...

Donna2026-05-25 07:40 UTC

This is a huge finding. Let me verify a few more things and then write the comprehensive report.

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\CoreUsers;\n 5|\n 6|class CoreUsersStub implements CoreUsersInterface\n 7|{\n 8| public function findByUuid(string $uuid): ?array\n 9| {\n 10| // Stub — returns null\n ...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\InputSanitizer;\n 5|\n 6|class InputSanitizerStub implements InputSanitizerInterface\n 7|{\n 8| public function sanitize(mixed $input, string $type = 'string'): mixed\n 9| {\n 10...

Tool2026-05-25 07:40 UTC

{"content": " 1|<?php\n 2|declare(strict_types=1);\n 3|\n 4|namespace Profe\\ConfigManager;\n 5|\n 6|class ConfigManagerStub implements ConfigManagerInterface\n 7|{\n 8| public function get(string $key, mixed $default = null): mixed\n 9| {\n 10| //...

Donna2026-05-25 07:40 UTC

Now I have a comprehensive view. Let me write the full report.

Tool2026-05-25 07:40 UTC

{"bytes_written": 33620, "dirs_created": true, "lint": {"status": "skipped", "message": "No linter for .md files"}}

Donna2026-05-25 07:40 UTC

Let me verify the report was written correctly.

Tool2026-05-25 07:40 UTC

{"output": "456 /root/.hermes/plans/sa-gremlin-report.md\n# SA Gremlin Breeding Grounds Report\n\n> Sweep Date: 2026-05-25 \n> Scope: /root/profe-modules/ (44 modules) + /root/profe-chassis/ \n> Classification: Architecture & Interface Contracts Focus", "exit_code": 0, "error": null}

Donna2026-05-25 07:40 UTC

## Summary **File written:** `/root/.hermes/plans/sa-gremlin-report.md` (456 lines) ### What I did Systematically swept the entire Profe codebase (44 modules + chassis + migrations) across all 8 gremlin categories defined in the task brief. ### Critical architecture findings **The codebase has a stub layer problem:** 5 core interfaces are registered as no-op stubs in the module loader: 1. **EventBusStub** — all 30+ event emitters fire into a void. The entire event-driven architecture is dead. 2. **CsrfMiddlewareStub** — CSRF nonce checking is a no-op. All admin mutation endpoints are unprotected despite the call to `checkAdminAccessWithCsrf()`. 3. **CoreUsersStub** — every user lookup returns null. All user-dependent features silently fail. 4. **InputSanitizerStub** — input sanitization passes everything through unchanged. 5. **ConfigManagerStub** — every config read returns the default value. Secrets never loaded. ### Top findings by risk | Risk | Count | Examples | |------|-------|---------| | CRITICAL | 6 | EventBus no-op, all 5 core stubs, Brevo webhook 200-on-error | | HIGH | 12 | Pipeline state leaks (orphan Stripe PaymentIntents), empty catches in SyncCrmStep, migration silences, hardcoded CDN URL, no admin dashboards | | MEDIUM | 12 | Template CRUD artifacts, missing compensation, cron invisibility, public route assumptions | | LOW | 6 | IF NOT EXISTS masking, seed data TODOs, Redis defaults | ### Key state leaks found - **Pipeline execution order is wrong**: ProcessPaymentStep runs before CreateWpUserStep — if user creation fails, orphan PaymentIntent exists in Stripe - **SendNotificationsStep runs before pipeline completion**: Users get confirmation emails for failed registrations - **SyncCrmStep empty catch**: WP user is created but CRM sync failure is silently swallowed — user never reaches Brevo ### Template artifacts 6+ modules have autogenerated `listItems/getItem/createItem/updateItem/deleteItem` method names instead of domain-specific names. All test files test the template pattern (createItem with `['name'=>'T','created_by'=>1]`) not actual domain logic.