# KIYOKART SECURE CODING POLICY - v1.0

## 1) Purpose

This policy defines mandatory secure coding requirements for all KiyoKart Laravel/PHP code.

## 2) Prohibited PHP Functions

The following functions are prohibited in application code:

- Command execution: `exec`, `shell_exec`, `system`, `passthru`, `popen`, `proc_open`, `pcntl_exec`
- Process control (web-unsafe): `pcntl_alarm`, `pcntl_fork`, `pcntl_wait`, `pcntl_waitpid`, `pcntl_signal`, `pcntl_signal_dispatch`
- Code execution: `eval`, `assert`, `create_function`
- Link manipulation: `link`, `symlink`, `readlink`
- Info/env leakage: `phpinfo`, `getenv`, `putenv`

Exception policy: no exceptions in runtime web code. Any exceptional operational need must be approved by security architecture and implemented outside the web runtime.

## 3) Required Secure Alternatives

- OS/process tasks: Laravel Queues + vetted worker services
- Filesystem operations: Laravel `Storage` facade only
- Environment access: `config()` values from config files
- Dynamic behavior: explicit strategy classes/interfaces, never `eval`

## 4) Input Validation Rules

- All write endpoints must use `FormRequest` or strict `$request->validate(...)`
- Never trust route/body/query input without validation
- Use explicit allowlists for sort fields, filters, and enums

## 5) File Upload Restrictions

- Validate extension + MIME + file size
- Store uploads outside executable paths
- Block `.php`, `.phtml`, and script execution in upload directories
- Prefer random filenames and per-tenant/user path segmentation

## 6) External API Rules

- Use Laravel HTTP Client (`Http::...`) with:
  - explicit timeouts
  - retries with bounded backoff
  - domain allowlisting
  - strict TLS verification

## 7) Logging Restrictions

- Do not log raw request payloads containing PII/secrets
- Do not log tokens, passwords, API keys, or card-related metadata
- Use masked identifiers (e.g. last4) and correlation IDs

## 8) Environment Handling Rules

- Never commit `.env` with real values
- Use secret manager for production secrets
- `APP_ENV=production`, `APP_DEBUG=false` in production

## 9) Mandatory Security Gates

Every pull request must pass:

1. Forbidden function scan (`composer security:forbidden-functions`)
2. Static analysis/security checks
3. Code review for authn/authz, validation, and data exposure
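As an added illustration of gate 1 (not the project's `composer security:forbidden-functions` script, whose implementation this policy does not describe), the following Python scanner flags calls to the section 2 functions in PHP source: it blanks comments and string literals first and ignores method, static and variable-function calls, so only plain or fully-qualified calls are reported. `scan_php`, `scan_tree` and the sample PHP file are constructed here, not taken from KiyoKart.

```python
import re
from pathlib import Path
# Function list copied from section 2 of this policy.
PROHIBITED = frozenset({
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open", "pcntl_exec",
    "pcntl_alarm", "pcntl_fork", "pcntl_wait", "pcntl_waitpid", "pcntl_signal",
    "pcntl_signal_dispatch", "eval", "assert", "create_function", "link", "symlink",
    "readlink", "phpinfo", "getenv", "putenv",
})
# Comments and string literals are blanked first (newlines kept so line numbers stay
# right), so a name that only appears in a comment or log message is not reported.
_STRIP_RE = re.compile(
    r"/\*.*?\*/"               # block comment
    r"|(?://|#)[^\n]*"         # line comment
    r"|'(?:\\.|[^'\\])*'"      # single-quoted string
    r'|"(?:\\.|[^"\\])*"',     # double-quoted string (heredoc/nowdoc not handled)
    re.DOTALL,
)
# Plain or fully-qualified call: exec( or \exec(. Not matched: ->exec( and
# ::exec( (methods), $exec( (variable function), "function exec(" (definition).
_CALL_RE = re.compile(r"(?<![\w$>:])(?<!function )\\?([A-Za-z_]\w*)\s*\(")

def scan_php(source: str):
    """Return a list of (line_number, function_name) for each prohibited call."""
    cleaned = _STRIP_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for m in _CALL_RE.finditer(cleaned):
        name = m.group(1).lower()  # PHP function names are case-insensitive
        if name in PROHIBITED:
            findings.append((cleaned.count("\n", 0, m.start()) + 1, name))
    return findings

def scan_tree(root: str):
    """Scan every .php file under root; only files with findings are returned."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample (not KiyoKart code): only lines 3, 5 and 7 are real calls.
SAMPLE = """<?php
// exec("ls") inside a comment must not count
$out = exec('id');
$user->exec($query);
\\shell_exec($cmd);
$msg = "please do not call system()";
if (getenv('APP_KEY')) {}
"""
```

In CI, run `scan_tree("app")` and fail the job whenever the returned dict is non-empty; a regex scanner of this kind is a cheap first gate, not a substitute for the static analysis in gate 2.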

## 10) Enforcement

Violations block merge and release until remediated.

