WebCalendar

fix(tests): release-files CI failure + harden the consistency check (#233) The first master CI run after the signed-manifest feature landed (24891039995) failed on all three PHP versions with: 3 stale entry(ies) in release-files: line 185: pub/bootstrap.bundle.min.js.sha line 187: pub/bootstrap.min.css.sha line 189: pub/jquery.min.js.sha Root cause: these are SRI integrity sidecar files that `make` generates into pub/ from vendor/. They’re .gitignored (*.sha) so they DON’T exist in a fresh CI checkout. Story 2.5’s cleanup kept them in release-files because they existed on my dev disk — my local test passed (is_file returns true) but CI fails. They’ve never actually shipped in any release either — the old cp loop silently skipped them (no set -e before Story 2.5). Fixes: 1. Remove the 3 .sha lines from release-files. They aren’t generated in the release workflow (no `make` step), so omitting them matches what’s actually been shipping. If they’re ever needed in releases, the workflow would have to run `make` first AND they’d need to be re-added here. 2. Harden ReleaseFilesConsistencyTest to also check git-tracked-ness, not just is_file(). Shells out to `git -C <root> ls-files` once per test run and errors on files that exist-locally-but-aren’t-tracked. Drift of this exact shape now fails locally, not just on CI. Falls back gracefully to existence-only if .git isn’t present (e.g. tarball install of the tests). 3. Add docs/release-signing.md to the mkdocs nav so the Sigstore runbook is discoverable from the rendered documentation site. Note: The Deploy Documentation workflow was ALSO failing on the same push, but that failure is pre-existing (3 strict-mode link warnings in unrelated .md files from commit #634, 9 days old) — not caused by this feature. Not touched here. Full signed-manifest suite: 200 tests / 522 assertions green. Full CI suite: 388 tests / 1313 assertions, 6 skipped, 0 failures.

feat: add tools/sign-manifest.php Ed25519 manifest signer (#233) Story 2.2 of the signed-manifest feature. Signs MANIFEST.sha256 with the Ed25519 secret key in env var RELEASE_SIGNING_KEY and writes a base64 detached signature to MANIFEST.sha256.sig alongside. – includes/classes/Security/ManifestSigner.php — pure logic. Envelope return (not throw) so the workflow prints clean operator messages and reason strings stay in our control. #[\SensitiveParameter] on the secret arg; sodium_memzero() scrubs the decoded key after use. – tools/sign-manifest.php — CLI wrapper, single positional arg for manifest path, <path>.sig is the implied output. – tests/ManifestSignerTest.php — 12 tests covering verifiable round-trip, Ed25519 determinism (RFC 8032), tamper detection (full-message and single-bit flip), empty/null/invalid-base64/ wrong-length secret rejection, and two log-safety tests that assert the secret never appears in any reason string. End-to-end smoke tested: build-manifest -> sign-manifest -> external libsodium verify = true; one-byte flip in the manifest -> verify = false. Full signed-manifest suite now: 57 tests / 116 assertions green. Epic 2 crypto pipeline is complete; Story 2.3 (release.yml wiring) is unblocked.

feat(ci): wire signed-manifest build+sign into release.yml (#233) Story 2.3 of the signed-manifest feature. Retrofits .github/workflows/release.yml with the four steps that turn every tagged release into a signed bundle: 1. Set up PHP 8.4 with ext-sodium (was implicit before; pin it). 2. Pin SOURCE_DATE_EPOCH to the HEAD commit’s committer timestamp so MANIFEST.sha256 is byte-identical across re-runs. 3. Build MANIFEST.sha256 against the staged WebCalendar-${VERSION}/ tree via tools/build-manifest.php (strict: fails on any missing release-files entry). 4. Sign MANIFEST.sha256 via tools/sign-manifest.php with RELEASE_SIGNING_KEY injected from secrets. Scopes the build job to `environment: release` so the secret is not exposed to forked-PR workflows. Adds two `actions/upload-release-asset` steps so MANIFEST.sha256 and MANIFEST.sha256.sig are published as top-level release assets in addition to being inside the zip. Each bash block runs under `set -euo pipefail`, and GitHub Actions fails the job on any non-zero exit — no partial releases. Locally simulated the full pipeline against the 266-entry release-files list: 269-line manifest generated, 89-byte detached signature produced, external libsodium verify returned true, zip contained MANIFEST.sha256, MANIFEST.sha256.sig, and release-signing-pubkey.pem at the expected root locations. Story 2.4 was satisfied as a side-effect (pubkey already listed in release-files, MANIFEST files intentionally not listed) — marked complete with no code changes needed. Epic 2 is now code-complete. Only remaining Epic 2 item is Story 2.5 AC2 (which new docs/*.md to ship), a maintainer decision.

feat: add ManifestVerifier + VerifyResult classes (#233) Story 3.1 of the signed-manifest feature. The app-side crypto entry point: given the paths to MANIFEST.sha256, MANIFEST.sha256.sig, and release-signing-pubkey.pem, return an immutable VerifyResult{valid, reason}. Uses sodium_crypto_sign_verify_detached() exclusively (no OpenSSL). Reuses ReleaseKeyGenerator::parsePublicKeyPem for the 32-byte pubkey invariant — no duplicated PEM logic. VerifyResult is final + readonly-per-property (PHP 8.1 parse-compatible equivalent of the spec’d final-readonly-class). Mutation raises fatal Error, locked in by testVerifyResultIsImmutable. Every failure mode returns a clean human-readable reason suitable for the admin UI display: – missing manifest / sig / pubkey file – empty / invalid-base64 / wrong-length signature – malformed or truncated PEM – tampered manifest (full-message or one-bit-flip) – swapped pubkey (different keypair) Signature-file whitespace is tolerated via trim() — base64 has no whitespace, so CRLF / extra LFs from pipe-chained tools are safe to strip. 15 new unit tests / 29 assertions. Full signed-manifest suite now 72 tests / 145 assertions green. PHPStan level-0 clean on new files.

feat: add ManifestParser + ManifestData classes (#233) Story 3.2 of the signed-manifest feature. Turns signature-verified MANIFEST.sha256 bytes into an immutable ManifestData value object with version, build timestamp, git SHA, and a relpath -> sha256hex map ready for the scanner (Story 3.3) to walk. Strict-format parser: – HASH_LINE_REGEX `/^([0-9a-f]{64}) (\S.*)$/` rejects anything that isn’t lowercase-hex with exactly two spaces and a non-empty path. – HEADER_LINE_REGEX captures `# key: value` into a map; unknown keys are tolerated (forward-compatibility). – Blank lines, tabs, wrong hash length, uppercase hex, duplicate paths, malformed timestamps, missing required headers, and empty bodies all throw RuntimeException with `line N:` context where applicable. Round-trip contract locked in by testRoundTripsWithManifestBuilder: a manifest produced by ManifestBuilder parses cleanly back into ManifestData. Future format changes on either side now break a test rather than drifting silently. 22 new unit tests / 41 assertions. Full signed-manifest suite: 94 tests / 186 assertions green. PHPStan level-0 clean.