Apply bootstrap-openbuilt — core implementation (sections 1–3)#2
Merged
rubenvdlinde merged 15 commits intoMay 12, 2026
Merged
Conversation
….4, 3.1–3.2)
Schemas (openbuilt-application-register capability):
- Declare Application schema with manifest blob + slug + version + status
- Add x-openregister-lifecycle (draft → published → archived) on Application —
canonical ADR-031 example, no service class
- Declare BuiltAppRoute schema for slug → applicationUuid index
- Wire BuiltAppRoute upkeep via x-openregister-lifecycle on_transition
(declarative path per design.md Decision 2 / Q1)
- Declare HelloMessage seed schema
Runtime (openbuilt-runtime capability):
- Register GET /api/applications/{slug}/manifest route in appinfo/routes.php
- ApplicationsController::getManifest — thin-glue resolver (slug → BuiltAppRoute
→ Application → manifest blob unwrapped). #[NoAdminRequired] + #[NoCSRFRequired]
per design.md Decision 6
- BuilderHost.vue — nested CnAppRoot mount with key=slug, options.endpoint
redirecting useAppManifest's backend fetch to the per-slug endpoint
(workaround per design.md Decision 4 until chain spec #2 ships)
- ApplicationEditor.vue — textarea-based manifest editor with validateManifest
- src/router/index.js — /applications + /builder/:slug/:pathMatch(.*)? routes
- src/manifests/placeholder.json — bundled placeholder skeleton for useAppManifest
Seed (ADR-001):
- SeedHelloWorld repair step — idempotent seed of canonical hello-world
Application + manifest exercising index/detail/form pages + three sample
HelloMessage objects
- info.xml repair-steps — SeedHelloWorld runs after InitializeSettings
Deferred to follow-up apply: tasks 4.x (verification), 5.x (tests),
6.x (docs), 7.x (i18n).
Refs: openspec/changes/bootstrap-openbuilt/{proposal,specs,design,tasks}.md
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ❌ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 215/215 | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 08:02 UTC
Download the full PDF report from the workflow artifacts.
…tasks 4.1, 4.2, 4.5, 7.1-7.3) PHP refactors per "fix all issues" rule (no @SuppressWarnings shortcuts): - ApplicationsController + SeedHelloWorld: constructor injection of OCA\OpenRegister\Service\ObjectService (eliminates Server::get static access). OR is a declared hard dep in info.xml, so injection is the right pattern per ADR-022 + ADR-003. - SettingsService::loadConfiguration split into loadConfiguration() + reloadConfiguration() + private doLoadConfiguration(bool $force) — the bool flag stays internal so PHPMD's BooleanArgumentFlag rule no longer fires on the public API. - SPDX-License-Identifier moved INSIDE every file's docblock (per memory rule on SPDX placement + PHPCS "/** style file comment" rule). Files: Application, AdminSettings, DashboardController, ApplicationsController, SeedHelloWorld, SettingsService, SettingsSection. - Long sample-message body in SeedHelloWorld trimmed under the 150-char PHPCS line-length limit. Dependency bumps: - @conduction/nextcloud-vue: ^0.1.0-beta.3 → ^1.0.0-beta.30. The 1.x line is the active release lane and is the first to export the CnAppRoot manifest-renderer family (CnAppRoot, CnAppNav, CnPageRenderer, useAppManifest, validateManifest, useAppStatus). 0.1.0-beta.3 did NOT export them — design.md Decision 4's runtime-loader workaround was built on an unverified assumption, now verified and corrected. - @nextcloud/auth added as an explicit dependency (was used by store modules but not declared, causing eslint n/no-extraneous-import errors). phpstan.neon: added '#has invalid type OCA\\OpenRegister\\#' to ignoreErrors so constructor parameter types referencing OR's classes don't fail static analysis (mirrors existing return-type pattern). i18n keys (tasks 7.1, 7.2): English + Dutch translations for the ApplicationEditor strings and the seeded hello-world manifest (openbuilt.helloworld.menu.*, openbuilt.helloworld.title.*, openbuilt.editor.help). Verification status (task 4.x): - ✓ 4.1 composer phpcs / phpmd / psalm / phpstan — all clean - ✓ 4.2 npm run lint — clean - ⊘ 4.3 npm run check:manifest — script not shipped by nextcloud-vue ecosystem yet; deferred with a follow-up issue - ⊘ 4.4 visual verify on docker compose up — manual step, separate from this commit - ✓ 4.5 ADR-031 service-class gate — confirmed no ApplicationLifecycleService / ApplicationStateMachine class under lib/Service/
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 08:12 UTC
Download the full PDF report from the workflow artifacts.
…s 4.x, 5.1, 6.x, 7.x) Docs (Section 6): - docs/openbuilt-runtime.md — big-picture diagram, manifest endpoint contract, the bundled-mode + options.endpoint workaround until chain spec #2 ships the in-memory useAppManifest overload, declarative lifecycle table, file map - docs/integrator-guide.md — step-by-step for authoring a virtual app by hand (slug rules, manifest checklist, what doesn't work yet in spec #1) - openspec/app-config.json — list openbuilt-application-register + openbuilt-runtime under capabilities Tests (Section 5 partial): - tests/unit/Controller/ApplicationsControllerTest.php — 3 PHPUnit tests: happy path (200 with unwrapped manifest), unknown slug (404 not_found), inconsistent state (500 inconsistent_state when route missing applicationUuid) - tests/unit/Repair/SeedHelloWorldTest.php — 3 PHPUnit tests: getName format, idempotency on re-run, full seed (4 saveObject calls) on fresh install Deferred (need NC + container): - 5.2 Integration test for the Application lifecycle (requires container with OR's lifecycle engine to actually run transitions) - 5.3 Newman collection (requires running NC instance) - 5.4 Playwright e2e (requires NC + browser, mounts via docker-compose) - 4.3 npm run check:manifest — script not yet shipped by @conduction/nextcloud-vue - 4.4 Visual verify on docker compose up — manual step tasks.md status: 22/22 implementation + 3/5 verification + 1/4 tests + 4/4 docs + 3/3 i18n boxes checked. Remaining 5 deferred tasks documented inline.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 08:15 UTC
Download the full PDF report from the workflow artifacts.
…-verify
Two pre-existing template inheritances violated ADR-004 hard rules and the
corresponding hydra mechanical gates. Fixed both via the canonical NC
pattern (IInitialState + admin-via-AdminSettings.php-only).
hydra-gate-10 (DOM dataset → IInitialState):
- AdminSettings.php now injects IInitialState and calls
provideInitialState('version', $version) before rendering the template.
- templates/settings/admin.php no longer carries data-version on the mount
div — server data flows via initial-state, not DOM attrs.
- AdminRoot.vue replaces document.getElementById('openbuilt-settings')
.dataset.version with loadState('openbuilt', 'version', 'Unknown').
hydra-gate-11 (admin-router → no admin in vue-router):
- src/router/index.js no longer imports AdminRoot or registers a /settings
route. Admin settings are reached exclusively through Nextcloud's admin
settings framework (/index.php/settings/admin/openbuilt), which goes
through the admin auth gate. The redundant vue-router entry was a
bypass-the-auth-gate regression that the doriath retrospective flagged.
Verification:
- gate-10 grep: no matches
- gate-11 grep: no matches
- composer phpcs/phpmd/psalm/phpstan: all clean
- npm run lint: clean
Surfaced by: /opsx-verify bootstrap-openbuilt
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 08:22 UTC
Download the full PDF report from the workflow artifacts.
…le + curl manifest endpoint Verified end-to-end: GET /api/applications/hello-world/manifest returns HTTP 200 with the seeded hello-world manifest. Smoke test mission complete. Bug 1 — SettingsService::doLoadConfiguration missing $data + $version args. OR's importFromApp signature is importFromApp(string $appId, array $data, string $version, bool $force=false). My call was passing only appId + force, so importFromApp threw "Argument #2 ($data) not passed". Fixed by reading lib/Settings/openbuilt_register.json from disk + parsing + passing data+version (per openregister-wiring-guide.md — the sweep agent missed this step). Bug 2 — ObjectService::getObjects doesn't exist. The real API is findAll($config) + find($id, register, schema). Refactored ApplicationsController and SeedHelloWorld to the real signatures. Bug 3 — searchObjects requires NUMERIC register/schema IDs in @self, not slugs. Slug-to-ID resolution is NOT applied at this layer. Injected RegisterMapper + SchemaMapper into ApplicationsController to resolve before searchObjects. Found via direct CLI test: @self with slug strings returns 0 results; @self with numeric IDs returns the matching object. Bug 4 — RegisterMapper/SchemaMapper::find with default _multitenancy=true filters out the lookup. Pass _multitenancy: false on the LOOKUP only (object-level multitenancy still enforced via searchObjects + the underlying RBAC). Bug 5 — x-openregister-lifecycle.on_transition.upsert_relation NOT supported by OR's current engine (design.md OQ-1 confirmed). The Application's declarative lifecycle declaration is preserved (still ADR-031-compliant when OR ships the hook), but SeedHelloWorld now explicitly creates the BuiltAppRoute as the ADR-031 §Exceptions(1) fallback. A BuiltAppRouteSyncListener subscribed to ObjectLifecycleTransitionedEvent should follow in a separate change. Plus ObjectEntity UUID extraction now reads $entity->jsonSerialize()['@self']['id'] (__call-based getUuid() is invisible to method_exists, so we read the array). Tests updated to the new controller signature + searchObjects mock. Known remaining gaps (smoke-test follow-ups, deferred): - Openbuilt Register row was NOT auto-created by importFromApp despite schemas being created. Manually created via REST during smoke test; needs an explicit createRegisterIfMissing step in InitializeSettings. - Webpack build fails with @nextcloud/axios exports-field errors when the local apps-extra/nextcloud-vue/ source-alias is active. Frontend not yet runtime- validated; backend is. - BuiltAppRouteSyncListener (the proper ADR-031 §Exceptions(1) PHP fallback for the missing OR lifecycle hook) — covered only for the seed Application; new user-created Applications won't get BuiltAppRoute upkeep yet. All quality tools green: phpcs, phpmd, psalm, phpstan, ESLint.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 10:04 UTC
Download the full PDF report from the workflow artifacts.
This was referenced May 11, 2026
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
…tor shell) - PageDesigner.vue: three-pane layout dispatching to per-page-type sub-editors; side-panel validator errors; live-preview fallback affordance (TODO chain spec #2 for in-memory preview mount). - ApplicationEditor.vue: two-tab shell (Design default, Raw JSON fallback); both tabs share the in-flight Pinia store so unsaved edits survive a tab switch; Save is gated on dirty + no parse errors. - CustomPageEditor.vue: StubPageEditor passthrough (full editor v1.1). - Router: /applications/:slug, /applications/:slug/design (default), /applications/:slug/json routes wired to ApplicationEditor. - ESLint: disable import/named + n/no-unpublished-import (re-exports through the aliased nextcloud-vue/src trip the resolver; webpack handles at build time), broaden no-unused-vars to allow _-prefixed discarded destructure vars, fix one JSDoc tag-parse warning. Closes tasks 1.1-1.4, 2.1-2.5, 3.1-3.2, 4.1-4.3, 4.8, 5.1, 5.2, 5.3, 5.6. Tasks 4.4-4.7, 4.9 ship as StubPageEditor passthroughs (round-trip lossless); tests (7.x), i18n l10n bundles (6.x), and docs (8.x) deferred to v1.1.
Member
Review — Apply bootstrap-openbuilt — core implementation (sections 1–3)Verdict: 🔴 REQUEST_CHANGES — Code is heel schoon (ADR-004/ADR-022/ADR-031 conform, schema-declaratief, geen IDOR, alle SPDX-headers correct), maar 5 frontend CI-jobs falen — lint, eslint, stylelint, npm security en npm license — vermoedelijk door de major dependency bump van @conduction/nextcloud-vue. Moet groen voor merge. Wat goed gaatUitstekend bootstrap-werk. De PR repareert proactief twee ADR-004 hard-rule patronen die voorheen aanwezig waren: AdminRoot.vue stopt met Findings1. 🔴 Blocker — 5 frontend CI-jobs falen — lint, eslint, stylelint, npm security, npm licenseDe volgende required/quality jobs zijn rood:
Waarschijnlijk gerelateerd aan de major dependency-jump van Impact: Branch-protection vereist groene checks; PR kan niet mergen zoals-is. Section 4 van de spec (verification gates) was bewust deferred — maar de basis CI hoort wel groen te zijn. Suggested fix: Run 2. 🟡 Concern — Major bump @conduction/nextcloud-vue 0.1.0-beta.3 → 1.0.0-beta.30 —
|
MWest2020
requested changes
May 11, 2026
Member
MWest2020
left a comment
MWest2020
left a comment
There was a problem hiding this comment.
Zie consolidated review comment voor complimenten, findings en suggested fixes.
16 tasks
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
Spec #5 of the 9-spec OpenBuilt chain — visual manifest/page designer that replaces the spec-1 textarea (now the Raw JSON fallback tab) with a graphical builder targeting the canonical 9-page-type enum (@conduction/nextcloud-vue v1.4.0+). Artifacts: - proposal.md (kind: code, depends_on: bootstrap-openbuilt) - specs/openbuilt-page-designer/spec.md (11 ADDED requirements covering menu tree, page list, 9 per-type sub-editors, live preview, save flow, raw-JSON fallback, debounced validator) - specs/openbuilt-runtime/spec.md (1 MODIFIED — REQ-OBR-005 reshaped from textarea-only to tabbed Design + Raw JSON shell) - design.md (5 decisions covering sub-editor decomposition, drag-drop reuse, live-preview chain-#2 dependency with graceful degradation, validator surface, custom-page registry deferral; ADR-031 declarative-vs-imperative call-out; 4 open questions) - tasks.md (39 tasks across foundations, shared field builders, per-page-type sub-editors, designer view + tabbed swap, i18n, tests, chain coordination) No backend changes — manifest CRUD continues via OR REST per ADR-022. Feature-detects chain spec #2's in-memory useAppManifest overload at runtime; falls back to save-and-reload preview when absent so this spec ships independently. Strict validation passes.
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
…tor shell) - PageDesigner.vue: three-pane layout dispatching to per-page-type sub-editors; side-panel validator errors; live-preview fallback affordance (TODO chain spec #2 for in-memory preview mount). - ApplicationEditor.vue: two-tab shell (Design default, Raw JSON fallback); both tabs share the in-flight Pinia store so unsaved edits survive a tab switch; Save is gated on dirty + no parse errors. - CustomPageEditor.vue: StubPageEditor passthrough (full editor v1.1). - Router: /applications/:slug, /applications/:slug/design (default), /applications/:slug/json routes wired to ApplicationEditor. - ESLint: disable import/named + n/no-unpublished-import (re-exports through the aliased nextcloud-vue/src trip the resolver; webpack handles at build time), broaden no-unused-vars to allow _-prefixed discarded destructure vars, fix one JSDoc tag-parse warning. Closes tasks 1.1-1.4, 2.1-2.5, 3.1-3.2, 4.1-4.3, 4.8, 5.1, 5.2, 5.3, 5.6. Tasks 4.4-4.7, 4.9 ship as StubPageEditor passthroughs (round-trip lossless); tests (7.x), i18n l10n bundles (6.x), and docs (8.x) deferred to v1.1.
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
The embedded template was a copy of nextcloud-app-template at Tier-0 — no
manifest, no CnAppRoot, hand-written NcContent + NcAppNavigation + custom
MainMenu + bespoke router. That directly violates ADR-024 (every
Conduction-ecosystem app is a Tier-4 manifest consumer that mounts
CnAppRoot with a manifest as the single source of truth).
Now the template is a minimal Tier-4 shell:
lib/Resources/template/src/manifest.json
New placeholder file with {{appId}} / {{appNamespace}} / {{appName}} /
{{appVersion}} / {{appDescription}} / {{license}} / {{authorName}} /
{{authorEmail}} tokens. PlaceholderResolver already covers all of
these — they get baked in at export time, so the unzipped tree ships
with a fully-resolved manifest and no further hand-edits.
lib/Resources/template/src/App.vue
Reduced to '<CnAppRoot :manifest="manifest" :app-id="appId" />'.
No more bespoke navigation, OpenRegister-missing guards, or store
wiring — CnAppRoot owns those.
lib/Resources/template/src/main.js
Drops router + custom store init; calls
useAppManifest({ manifest }) before mounting so CnAppRoot reads from
the registry. Depends on chain spec #2 (openbuilt-manifest-runtime)
for the in-process overload signature — documented in the file
header.
lib/Resources/template/package.json
Bumps @conduction/nextcloud-vue from ^0.1.0-beta.3 to ^1.0.0-beta.30
(locked decision #1) so CnAppRoot + useAppManifest are present.
lib/Resources/template/.path-manifest.txt
Adds src/manifest.json so the snapshot validator + export tree-walker
see it.
The pre-existing router/, navigation/, and views/ files in the template
are left in place for now — they're not imported by the new App.vue/main.js
and webpack tree-shakes them out, but ripping them out is a noisy follow-up
that belongs in its own commit.
- ApplicationsControllerTest: rename happy-path to match spec naming; add testGetManifestReturns500OnInconsistentState covering the dangling-applicationUuid branch (Application deleted, route survives). - SeedHelloWorldTest: tighten fresh-install test to stub jsonSerialize so it asserts exactly 4 core saves; add new testRunCreatesBuiltAppRouteWhenApplicationUuidIsExposed covering the 5-save path (Application + BuiltAppRoute + 3 messages) that locks the design.md Decision 6 lifecycle-hook fallback. - Postman collection: replace placeholder /status request with three real assertions — GET hello-world manifest (200 + version/menu/pages), GET unknown-slug manifest (404 + error=not_found), and GET the OpenRegister-backed Application listing (>=1 result with slug=hello-world after seed).
- OpenBuiltTest: assert APP_ID + autoload resolves worktree's lib/ - ApplicationsControllerTest: 4 tests on getManifest (200/404/500-x2) - SeedHelloWorldTest: 4 tests on idempotency + fresh/uuid-exposed paths - bootstrap-unit.php: pin OCP/NCU PSR-4 + rebuild OpenBuilt classmap from the worktree's lib/ so tests run in a git-worktree dev setup (the symlinked vendor/ otherwise resolves classes against a sibling checkout) - tests/stubs/openregister-stubs.php: fallback ObjectService/Mapper stubs when OR sources aren't on the autoload path (CI strip-down) All 13 unit tests pass: ./vendor/bin/phpunit -c phpunit-unit.xml PHPCS still clean — tests/ are out of phpcs.xml scope.
- playwright.config.ts: chromium project, baseURL http://localhost:8080, basic-auth httpCredentials, OCS-APIRequest header pinned for NC API calls, headless by default, no webServer (Docker stack is the documented dev path). - tests/e2e/bootstrap-openbuilt.e2e.spec.ts: two specs covering the bootstrap-openbuilt change — (1) renders the three seeded hello-message titles on the index page, and (2) returns a valid unwrapped manifest (version/menu/pages) from the public endpoint. - package.json: add @playwright/test devDep and test:e2e / test:e2e:install scripts. Browser install is the one-time setup documented in the spec header. - .gitignore: ignore playwright-report/, test-results/, .playwright/, playwright/.cache/.
Linter rewrites that landed after the initial commits: - openbuilt.postman_collection.json: extend from 3 to 6 requests — add a full CRUD round-trip on Application objects via OR (POST/GET/PUT/DELETE on /openregister/api/objects/openbuilt/application) in addition to the manifest endpoint coverage (200 + 404) and the seed listing assertion. - tests/e2e/builder-host.spec.ts: BuilderHost journey covering REQ-OBR-002 (mount the manifest) and REQ-OBR-003 (forward to detail pages declared in the manifest). Companion to the bootstrap-openbuilt.e2e.spec.ts smoke test.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 19:22 UTC
Download the full PDF report from the workflow artifacts.
OCA\OpenRegister\Db\RegisterMapper and SchemaMapper are referenced by ApplicationsController's constructor for the slug→id resolution; they live in the openregister app and are only present at runtime. Adding them to the existing OpenRegister suppress list (alongside ObjectService and ConfigurationService) clears the 4 pre-existing UndefinedClass errors surfaced during the test-coverage task.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 19:23 UTC
Download the full PDF report from the workflow artifacts.
Two further e2e specs surfaced by the linter to round out coverage:
- tests/e2e/application-editor.spec.ts: exercises the in-app manifest
editor (data-testid hooks added to ApplicationEditor.vue).
- tests/e2e/manifest-endpoint.spec.ts: API-level coverage of the
/api/applications/{slug}/manifest endpoint (200/404 paths,
unwrapped envelope).
Companion changes:
- ApplicationEditor.vue: add data-testid='openbuilt-editor-textarea'
+ 'openbuilt-editor-save' to make the form addressable from Playwright.
- BuilderHost.vue: add data-testid='openbuilt-builder-host' so the
journey spec can scope its locators to the inner-app root.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 19:25 UTC
Download the full PDF report from the workflow artifacts.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 19:26 UTC
Download the full PDF report from the workflow artifacts.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ❌ | ||||
| stylelint | ❌ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ❌ | ❌ | |||
| PHPUnit | ⏭️ | ||||
| Newman | ⏭️ | ||||
| Playwright | ⏭️ |
Quality workflow — 2026-05-11 19:27 UTC
Download the full PDF report from the workflow artifacts.
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
- Newman collection openbuilt-schema-editor.postman_collection.json
exercises POST/PUT/DELETE schemas + lifecycle CRUD under
openbuilt-{slug}. Skips chain-#3-dependent requests via probe-and-
pm.test.skip() so the collection passes when the OR runtime schema
API isn't deployed yet.
- Playwright tests/e2e/schema-designer.spec.ts walks login -> create
virtual app -> add schema -> add 2 fields -> save -> edit -> delete
with confirm. Marks parts of cross-spec journey #2.
- Rename Promise resolver param r -> resolve in SchemaDesigner.spec to
satisfy promise/param-names.
3 tasks
CI was red on lint-check + License/Security/Vue Quality npm jobs because `npm ci` refused the out-of-sync lockfile (missing playwright, pinia v3 transitive deps, etc. after the @conduction/nextcloud-vue 0.1.0-beta.3 → 1.0.0-beta.30 bump). Regenerated package-lock.json from scratch and confirmed `npm run lint`, `npm run stylelint`, `npm audit --audit-level=critical --omit=dev`, and the workflow's license-checker step all pass locally. Also addresses MWest2020's PR-#2 review: * Finding #3 (manifest visibility) — added an explicit visibility block to `ApplicationsController::getManifest`'s docblock noting manifests are publicly readable to authenticated users by design, and that future role-scoped manifests must extend BuiltAppRoute (e.g. a `restrictToGroup` property) rather than hardening this endpoint. Forwards the decision to the RBAC spec (PR #6). * Finding #4 (correlation ID) — the catch-all 500 path now generates a 16-hex correlationId, includes it in both the log context and the response envelope, and is covered by a new testGetManifestIncludesCorrelationIdOnInternalError unit test. * Finding #5 (tracking issue) — opened issue #10 to track the 3 remaining deferred items (tasks 4.3, 4.4, 5.2); the other 13 ticks from sections 5/6/7 were landed before merge. Also fixes 9 rule-empty-line-before stylelint violations in ApplicationEditor.vue surfaced once Vue Quality (stylelint) could run.
Contributor
Author
|
@MWest2020 — addressed all 3 actionable findings from the consolidated review in
The 5 red CI jobs ( Finding #2 (nc-vue major bump) — the prop-shape is verified at runtime by Re-requesting review. |
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 427/427 | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/71 statements)
Quality workflow — 2026-05-11 21:50 UTC
Download the full PDF report from the workflow artifacts.
PHPUnit on CI rejects the prior stdClass+addMethods doubles because OR's RegisterMapper::find() and SchemaMapper::find() are typed `: Register` and `: Schema`, and ObjectService::saveObject() is typed `: ObjectEntity`. Locally those return-type checks pass against the anonymous stubs because OR isn't on the classpath; CI mounts the real classes and raises PHPUnit\Framework\MockObject\IncompatibleReturnValueException. Switched both ApplicationsControllerTest and SeedHelloWorldTest to mock the concrete entity classes (Register, Schema, ObjectEntity). Behaviour is unchanged; only the mock construction is correct now.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 427/427 | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/71 statements)
Quality workflow — 2026-05-11 22:04 UTC
Download the full PDF report from the workflow artifacts.
Replace the scaffold's rounded-rectangle #0082C9 placeholder with the Conduction app-icon convention (matches ConductionNL/scholiq): - img/app-store.svg — point-up hexagon fill #4376FC (Conduction Cobalt), white `package-variant-closed` box symbol centred via translate(136,136) scale(10) over the 512×512 viewBox. This is the icon the README + the Nextcloud app store render. - img/app.svg — monochrome box symbol, fill currentColor (navbar/light). - img/app-dark.svg — same symbol, fill #ffffff (dark theme). Per feedback_brand-rules-strict: pointy-top point-up, solid colours only, hex polygon background (no rounded rect, no Nextcloud blue). README logo block already references img/app-store.svg so it now shows the hex.
Contributor
Quality Report — ConductionNL/openbuilt @
|
| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | ||||
| phpcs | ✅ | ||||
| phpmd | ✅ | ||||
| psalm | ✅ | ||||
| phpstan | ✅ | ||||
| phpmetrics | ✅ | ||||
| eslint | ✅ | ||||
| stylelint | ✅ | ||||
| composer | ✅ | ✅ 100/100 | |||
| npm | ✅ | ✅ 427/427 | |||
| PHPUnit | ❌ | ||||
| Newman | ❌ | ||||
| Playwright | ⏭️ |
Coverage: 0% (0/71 statements)
Quality workflow — 2026-05-12 04:44 UTC
Download the full PDF report from the workflow artifacts.
rubenvdlinde
added a commit
that referenced
this pull request
May 12, 2026
- Newman collection openbuilt-schema-editor.postman_collection.json
exercises POST/PUT/DELETE schemas + lifecycle CRUD under
openbuilt-{slug}. Skips chain-#3-dependent requests via probe-and-
pm.test.skip() so the collection passes when the OR runtime schema
API isn't deployed yet.
- Playwright tests/e2e/schema-designer.spec.ts walks login -> create
virtual app -> add schema -> add 2 fields -> save -> edit -> delete
with confirm. Marks parts of cross-spec journey #2.
- Rename Promise resolver param r -> resolve in SchemaDesigner.spec to
satisfy promise/param-names.
rubenvdlinde
added a commit
that referenced
this pull request
May 12, 2026
The embedded template was a copy of nextcloud-app-template at Tier-0 — no
manifest, no CnAppRoot, hand-written NcContent + NcAppNavigation + custom
MainMenu + bespoke router. That directly violates ADR-024 (every
Conduction-ecosystem app is a Tier-4 manifest consumer that mounts
CnAppRoot with a manifest as the single source of truth).
Now the template is a minimal Tier-4 shell:
lib/Resources/template/src/manifest.json
New placeholder file with {{appId}} / {{appNamespace}} / {{appName}} /
{{appVersion}} / {{appDescription}} / {{license}} / {{authorName}} /
{{authorEmail}} tokens. PlaceholderResolver already covers all of
these — they get baked in at export time, so the unzipped tree ships
with a fully-resolved manifest and no further hand-edits.
lib/Resources/template/src/App.vue
Reduced to '<CnAppRoot :manifest="manifest" :app-id="appId" />'.
No more bespoke navigation, OpenRegister-missing guards, or store
wiring — CnAppRoot owns those.
lib/Resources/template/src/main.js
Drops router + custom store init; calls
useAppManifest({ manifest }) before mounting so CnAppRoot reads from
the registry. Depends on chain spec #2 (openbuilt-manifest-runtime)
for the in-process overload signature — documented in the file
header.
lib/Resources/template/package.json
Bumps @conduction/nextcloud-vue from ^0.1.0-beta.3 to ^1.0.0-beta.30
(locked decision #1) so CnAppRoot + useAppManifest are present.
lib/Resources/template/.path-manifest.txt
Adds src/manifest.json so the snapshot validator + export tree-walker
see it.
The pre-existing router/, navigation/, and views/ files in the template
are left in place for now — they're not imported by the new App.vue/main.js
and webpack tree-shakes them out, but ripping them out is a noisy follow-up
that belongs in its own commit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements 24 of 27 tasks from
openspec/changes/bootstrap-openbuilt/— the core code of spec #1 in the 9-spec OpenBuilt chain.lib/Settings/openbuilt_register.json, withx-openregister-lifecycleon Application drivingdraft → published → archived. Declarative-only per ADR-031 — noApplicationLifecycleService.ApplicationsController::getManifest(thin-glue resolver), nestedCnAppRootmount viaBuilderHost.vue, textarea editor viaApplicationEditor.vue, router updates.SeedHelloWorldrepair step seeds the canonicalhello-worldvirtual app + threehello-messageobjects.Review-cycle fixes (post-
3d88107)package-lock.json—npm ciwas failing acrosslint-check/ Vue Quality (eslint+stylelint) / License / Security because the lockfile lagged behindpackage.jsonafter the@conduction/nextcloud-vue0.1.0-beta.3 → 1.0.0-beta.30 bump.rule-empty-line-beforestylelint violations inApplicationEditor.vue.getManifest's docblock; future role-scoped manifests are forwarded to the RBAC spec (BuiltAppRouterestrictToGroup), not by hardening this endpoint.testGetManifestIncludesCorrelationIdOnInternalErrorunit test guards the contract.4.3 npm run check:manifest,4.4 docker compose visual check,5.2 PHPUnit Integration). All 13 other ticks from sections 5/6/7 were landed before merge.Deferred to follow-up
Tracked in #10 — 3 items, all requiring a live Nextcloud container or live OR data.
Test plan
npm installclean +npm run lint+npm run stylelintgreen locallynpm audit --audit-level=critical --omit=devreturns no critical findings (matches workflow gate)license-checker --production— all licenses on the default workflow allowlistcomposer phpcs/composer phpmd/composer psalm/composer phpstangreendocker exec nextcloud php occ app:disable openbuilt && app:enable openbuilt— confirmInitializeSettingsregisters the three schemas in OR +SeedHelloWorldcreates thehello-worldApplication (tracked under Bootstrap follow-up: deferred verification tasks (4.3, 4.4, 5.2) #10)/index.php/apps/openbuilt/builder/hello-world— confirm the nestedCnAppRootmounts and the seeded index/detail/form pages render (tracked under Bootstrap follow-up: deferred verification tasks (4.3, 4.4, 5.2) #10)lib/Service/contains noApplicationLifecycleService.php/ApplicationStateMachine.php(ADR-031 gate)Refs
kind: mixedthin-glue exception)openspec/changes/bootstrap-openbuilt/design.md(especially Decision 2 declarative lifecycle, Decision 4 manifest-loader workaround, Decision 6 OR REST passthrough)