PCat LMS Projektstatus

Stand: 2026-03-11 11:32 (Europe/Berlin)

Zur Anwendung

Abgeschlossene Aufgaben

  • 2026-03-10:
  • Added attempt event tracking table + model + API endpoint
  • Added instructor exam analytics endpoint
  • Added admin analytics overview endpoint
  • Extended instructor attempt detail with event list
  • Added instructor analytics UI page and routing
  • Extended admin dashboard with analytics overview
  • Rebuilt student exam page with event tracking and stable ordering UX
  • Fixed migration issues (long FK names and partial-create recovery)
  • Updated API quick test documentation
  • Added detailed execution log: `docs/AUTO_RUN_LOG_2026-03-10.md`
  • Added per-question difficulty labels (`easy|medium|hard`)
  • Added average time-to-first-answer metrics
  • Added suspicious attempt scoring and ranking for instructor/admin
  • Added risk indicator (`events_count`) in instructor attempt list
  • Added student performance summary endpoint
  • Added student result insights page and routing
  • Added configurable risk thresholds (`EXAM_RISK_MEDIUM/HIGH/CRITICAL`)
  • Added risk level classification and alert counting in analytics
  • Added threshold and risk level visibility in admin/instructor UI
  • Added trend analytics (`last_7_days`, `last_30_days`)
  • Added CSV export endpoints (instructor/admin analytics datasets)
  • Added CSV download actions in instructor/admin frontend
  • Added instructor dashboard alert summary metrics and recent alerts list
  • Added DB-backed risk threshold settings endpoints
  • Added persistent risk alert table and trigger in event tracking
  • Added instructor risk alerts APIs and resolve action
  • Added admin risk settings page and instructor risk alerts page
  • Added custom trend range support in analytics API and UI
  • Added daily digest service, command, schedule, and admin digest APIs
  • Added admin digest management UI and fixed re-notify behavior for repeated risk events
  • Added risk alert detail API with ordered audit trail
  • Added resolve/reopen note support and audit persistence
  • Added instructor UI actions for resolve/reopen with notes
  • Added frontend RoleRoute guards and role-aware navigation visibility
  • Added user profile persistence (`pcat_user`) in frontend auth client
  • Added admin risk digest filters and CSV export endpoint/UI
  • Added frontend auth-change event + `/me`-based session re-hydration
  • Added logout action in top navigation
  • Added critical risk alert notification service (mail + optional webhook)
  • Added deduplicated `notified_at` behavior for repeated critical events
  • Added instructor dashboard alert trend data + UI table
  • Added digest run entry CSV export endpoint and admin UI action
  • Added instructor risk alert search/risk filters in backend and frontend
  • Added instructor risk alert filtered CSV export endpoint and frontend export action
  • Added instructor alert trend presets (`trend_preset=7d|30d|custom`) in dashboard API and frontend
  • Added risk alert list/export sort + date filters (`sort_by`, `sort_dir`, `date_from`, `date_to`)
  • Added critical webhook delivery audit table/model/API and retry command scheduler
  • Added in-app notifications table/model/API and notifications frontend page
  • Added risk alert detail frontend page with audit + webhook delivery timeline
  • Added course progress analytics endpoint and assignment metrics endpoint
  • Added assignment submissions base table for upcoming submission/review workflows
  • Added admin observability health endpoint and dashboard visibility
  • Added feature test for new API auth gates and executed successful test run
  • Added student assignment submission APIs (list/save/upload/submit)
  • Added instructor assignment review APIs (queue/detail/review)
  • Added assignment upload validation + storage service integration (S3/R2 compatible disk abstraction)
  • Added optional malware scan hook for assignment uploads (config/env driven)
  • Added due-date aware submission status logic with overdue auto-flagging
  • Added frontend student assignment page, instructor review queue, and assignment detail view with review history
  • Added scheduled assignment status sync command (`pcat:course-assignment-status-sync`) and hourly scheduler entry
  • Added assignment metrics trend presets (`trend_preset=7d|30d|custom`)
  • Added instructor course analytics CSV export endpoint
  • Added assignment metrics CSV export endpoint
  • Added instructor notifications filtered CSV export endpoint
  • Added webhook delivery filtered CSV export endpoint
  • Added webhook dead-letter requeue endpoint
  • Added webhook delivery detail frontend page with payload/response/error visibility and requeue action
  • Added instructor risk alerts pagination-size selector and configurable CSV `max_rows`
  • Added webhook delivery bulk requeue endpoint and frontend multi-select action
  • Added webhook delivery attempt timeline persistence (`critical_risk_webhook_delivery_attempts`)
  • Added HMAC webhook signing support and per-endpoint signing secret overrides
  • Added configurable retry base/jitter and circuit-breaker settings (config + admin settings UI)
  • Added instructor notifications bulk mark-read action
  • Added risk alert detail deep-link to instructor attempt review list
  • Added richer milestone timeline rendering in risk alert detail UI
  • Added lightweight alert trend bar visualization in instructor dashboard UI
  • Added resilience feature tests that run without full migration refresh by auto-bootstrapping minimal schema in test setup
  • Added auth-gate test coverage for `GET /api/v1/admin/observability/timeseries-export-csv`
  • Added admin dashboard observability cards for retry success + p95/p99 latency and visibility for heartbeat/failure/dead-letter trend datasets
  • Added admin dashboard CSV action for observability time-series export
  • Added quick-test curl example for observability timeseries CSV export
  • Added admin observability preset selector (`7d|30d|90d`) and series-mode toggle (deliveries vs dead letters)
  • Added frontend observability legend and stale-heartbeat anomaly highlighting in admin dashboard
  • Added backend feature tests for observability health payload and timeseries CSV row/header validation
  • Added OpenAPI schema details for observability health nested response payload
  • Added instructor top-navigation unread notifications badge
  • Added filtered risk-alert CSV filename labeling by active status/risk/date filters
  • Added admin endpoint for webhook delivery attempt timeline CSV export
  • Added admin webhook delivery detail UI action for attempt timeline CSV export
  • Added webhook attempt retention cleanup command (`pcat:webhook-attempts-prune`) with schedule and configurable retention days
  • Added webhook delivery attempt correlation IDs (storage + export visibility)
  • Added observability retention metrics payload (`webhook_attempt_retention`) and prune heartbeat tracking
  • Added admin risk settings support for `attempt_retention_days` (backend validation + frontend field)
  • Added backend feature tests for webhook attempt export CSV and retention settings bounds/fallback
  • Added instructor risk alert quick date presets (`Heute`, `Letzte 7 Tage`, `Letzte 30 Tage`)
  • Added notification badge optimistic sync via frontend event bus (`pcat-notifications-changed`)
  • Added lightweight observability sparkline bars on admin dashboard
  • Added OpenAPI examples for observability payload + webhook attempt export CSV
  • Added deployment runbook stale-heartbeat troubleshooting playbook
  • Added public `htdocs/index.php` project status page that auto-reads `docs/PROJECT_MASTERPROMPT.md` (completed + next tasks + latest execution update)
  • Added htdocs routing safeguard: API/sanctum requests and `?app=1` still forward to Laravel backend entrypoint

Aktuell anstehende Aufgaben

  1. Add API rate-limit telemetry counters to observability health (auth failures/429s).
  2. Add admin dashboard widget for reCAPTCHA verification failure trend.
  3. Add test coverage for reCAPTCHA-enabled login failure/success branches.
  4. Add webhook payload version field and versioned schema docs.
  5. Add observability CSV parser fallback handling for future quoted/text columns.
  6. Add optional index strategy for webhook attempt correlation-id lookups at higher scale.
  7. Add UI-level sort controls for admin webhook deliveries (`sort_by`, `sort_dir`).
  8. Add frontend deep-link presets for webhook deliveries filters (`status`, date range, correlation).
  9. Add end-to-end smoke script for admin observability + webhook delivery audit flows.
  10. Add API telemetry for 5xx rates per endpoint group.
  11. Add telemetry for Sanctum token failures and invalid signatures.
  12. Add dashboard card for webhook circuit-breaker open/close state.
  13. Add alerting thresholds for rising dead-letter growth slope.
  14. Add automated check for stale scheduler heartbeats > SLA.
  15. Add synthetic login probe with reCAPTCHA disabled/enabled modes.
  16. Add automated daily OpenAPI drift check against route:list.
  17. Add OpenAPI schemas for instructor notification CSV export parameters.
  18. Add OpenAPI schemas for risk-alert CSV export sort/date filters.
  19. Add request validation tests for webhook requeue bulk payload.
  20. Add feature test for admin observability timeseries `days` bounds.
  21. Add feature test for admin observability timeseries empty-dataset behavior.
  22. Add feature test for instructor risk-alert CSV `max_rows` caps.
  23. Add pagination contract tests for webhook deliveries filters.
  24. Add correlation-id search performance benchmark dataset.
  25. Add DB index migration for frequently filtered webhook columns.
  26. Add DB index migration candidate for risk-alert date/risk-level filters.
  27. Add query plan logging toggle for heavy analytics endpoints.
  28. Add backend cache policy for expensive analytics aggregates.
  29. Add cache invalidation strategy for analytics after grading updates.
  30. Add API response-time histogram output in observability payload.
  31. Add admin dashboard panel for API p95/p99 by route family.
  32. Add export endpoint for observability heartbeat history CSV.
  33. Add webhook delivery retry timeline chart dataset endpoint.
  34. Add frontend retry timeline chart on webhook delivery detail page.
  35. Add frontend saved filter presets for risk alerts.
  36. Add frontend saved filter presets for webhook deliveries.
  37. Add URL-state persistence for webhook deliveries page controls.
  38. Add copy-share link button for filtered admin webhook list.
  39. Add instructor dashboard quick links to unresolved critical alerts.
  40. Add student exam attempt resume UX for interrupted sessions.
  41. Add autosave conflict handling when multiple tabs answer same attempt.
  42. Add explicit anti-cheat event reason codes mapping table in UI.
  43. Add event-rate anomaly flagging for suspicious attempt details.
  44. Add manual grading queue prioritization by pending age.
  45. Add manual grading SLA indicator cards for instructors.
  46. Add grader activity audit entries for short-answer changes.
  47. Add rubric template support for short-answer grading consistency.
  48. Add assignment review rubric support in instructor queue flow.
  49. Add assignment feedback attachments support (instructor side).
  50. Add student side rich feedback rendering for reviewed assignments.
  51. Add assignment late-penalty policy configuration by course.
  52. Add assignment resubmission policy controls (attempt limits/windows).
  53. Add course assignment plagiarism-check integration hook.
  54. Add malware scan retry/backoff behavior for transient scanner errors.
  55. Add storage quota monitoring per course and per tenant context.
  56. Add S3/R2 multipart upload support for large assignment files.
  57. Add signed URL expiration policy controls for file downloads.
  58. Add file retention lifecycle policy settings for assignment uploads.
  59. Add course lesson resource versioning metadata.
  60. Add course content drip scheduling UI and API wiring.
  61. Add lesson completion prerequisites and dependency graph support.
  62. Add live-class session model and Zoom meeting metadata storage.
  63. Add live-class join tracking and attendance analytics.
  64. Add enrollment domain model expansion for paid/free/course bundles.
  65. Add shopping cart domain scaffolding (API + persistence).
  66. Add wishlist domain scaffolding for courses and exams.
  67. Add coupon domain model and validation engine (course/exam scope).
  68. Add tax rule engine scaffold (region/currency aware).
  69. Add Stripe checkout session API for course purchases.
  70. Add PayPal order creation/capture API for course purchases.
  71. Add payment webhook intake endpoint with signature verification.
  72. Add payment transaction audit table and reconciliation command.
  73. Add instructor revenue share ledger entries per successful payment.
  74. Add payout schedule model and payout run command scaffold.
  75. Add payout export CSV and audit detail pages for admin.
  76. Add certificate template data model and asset storage flow.
  77. Add marksheet template data model and render pipeline scaffold.
  78. Add automatic certificate issuance trigger on completion criteria.
  79. Add downloadable certificate/marksheet endpoints with signed access.
  80. Add forum domain model (threads/posts/moderation states).
  81. Add forum API with RBAC moderation actions.
  82. Add forum notification triggers for replies/mentions.
  83. Add multilingual i18n key registry and translation storage schema.
  84. Add admin translation editor API (grouped sections support).
  85. Add frontend runtime locale switch with persistence.
  86. Add RTL layout support baseline in global styles.
  87. Add theme token system (colors/typography/spacing) in frontend.
  88. Add admin theme settings API with default theme selector.
  89. Add drag-and-drop page builder schema and section registry.
  90. Add page builder save/publish/version history API.
  91. Add media manager API unification for course/page-builder assets.
  92. Add maintenance mode admin controls with signed bypass tokens.
  93. Add backup job orchestration command with retention rules.
  94. Add restore dry-run validation command for backup archives.
  95. Add system diagnostics endpoint bundle for support operations.
  96. Add secure cache-clear endpoint with role + audit enforcement.
  97. Add automated release checklist script (tests/routes/build/docs).
  98. Add CI pipeline gate for API inventory and masterprompt freshness.
  99. Add monthly roadmap review cadence entry in project docs.
  100. Add quarterly architecture review checklist (security/perf/cost).

Latest execution update (2026-03-10 19:02 Europe/Berlin) - Files: - `backend/app/Http/Controllers/Api/Instructor/RiskAlertController.php` - `backend/routes/api.php` - `frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx` - `docs/api/quick-test.md` - Endpoints: - `GET /api/v1/instructor/risk-alerts/export-csv` - Migrations: - None - Verification outcome: - `php -l backend/app/Http/Controllers/Api/Instructor/RiskAlertController.php` passed - `php -l backend/routes/api.php` passed - `php artisan route:list --path=api/v1/instructor/risk-alerts` passed and includes `GET api/v1/instructor/risk-alerts/export-csv` - `npm.cmd run build` (frontend) passed - Focused API smoke is partially blocked in current local Apache mapping: `POST /api/v1/auth/login` returns non-auth payload (`{\"app\":\"PCat LMS\",\"module_scope\":\"web\",\"status\":\"ok\"}`), so token-based export call could not be validated end-to-end from this shell session ## Latest execution update (2026-03-10 19:46 Europe/Berlin) - Files: - `backend/app/Http/Controllers/Api/Dashboard/DashboardSummaryController.php` - `backend/app/Http/Controllers/Api/Instructor/RiskAlertController.php` - `backend/app/Http/Controllers/Api/Instructor/NotificationController.php` - `backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php` - `backend/app/Http/Controllers/Api/Admin/ObservabilityController.php` - `backend/app/Http/Controllers/Api/Analytics/CourseAnalyticsController.php` - `backend/app/Services/Notifications/RiskAlertNotificationService.php` - `backend/app/Services/Notifications/CriticalRiskWebhookService.php` - `backend/app/Models/CriticalRiskWebhookDelivery.php` - `backend/app/Models/InAppNotification.php` - `backend/app/Models/Course/CourseAssignmentSubmission.php` - `backend/routes/api.php` - `backend/routes/console.php` - `backend/config/exam_analytics.php` - `backend/.env.example` - `backend/database/migrations/2026_03_10_191700_create_critical_risk_webhook_deliveries_table.php` - `backend/database/migrations/2026_03_10_191800_create_in_app_notifications_table.php` - `backend/database/migrations/2026_03_10_191900_create_course_assignment_submissions_table.php` - `backend/tests/TestCase.php` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `frontend/src/app/App.tsx` - `frontend/src/features/dashboard/instructor/InstructorDashboardPage.tsx` - `frontend/src/features/dashboard/admin/AdminDashboardPage.tsx` - `frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx` - `frontend/src/features/instructor/pages/InstructorRiskAlertDetailPage.tsx` - `frontend/src/features/instructor/pages/InstructorCourseAnalyticsPage.tsx` - `frontend/src/features/instructor/pages/InstructorCoursesPage.tsx` - `frontend/src/features/notifications/NotificationsPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveriesPage.tsx` - `docs/api/quick-test.md` - `docs/deployment/deployment-runbook.md` - Endpoints: - `GET /api/v1/instructor/risk-alerts/export-csv` (extended filter/sort) - `GET /api/v1/instructor/notifications` - `POST /api/v1/instructor/notifications/mark-all-read` - `POST /api/v1/instructor/notifications/{notification}/read` - `GET /api/v1/instructor/course/{course}/analytics` - `GET /api/v1/instructor/course/{course}/assignment-metrics` - `GET /api/v1/admin/risk-webhook-deliveries` - `GET /api/v1/admin/risk-webhook-deliveries/{delivery}` - `GET /api/v1/admin/observability/health` - Migrations: - `critical_risk_webhook_deliveries` - `in_app_notifications` - `course_assignment_submissions` - Verification outcome: - PHP lint passed for all changed backend files - Route checks passed for new instructor/admin/api paths - `npm.cmd run build` passed - `php artisan migrate --force` passed for all new migrations - `php artisan pcat:webhook-retry-critical-alerts --limit=1` passed - `php artisan test` passed (`1` test, `6` assertions) - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) ## Latest execution update (2026-03-10 19:58 Europe/Berlin) - Files: - `backend/app/Http/Controllers/Api/Student/CourseAssignmentSubmissionController.php` - `backend/app/Http/Controllers/Api/Instructor/CourseAssignmentReviewController.php` - `backend/app/Services/Security/MalwareScanService.php` - `backend/app/Services/Storage/StorageService.php` - `backend/app/Models/Course/CourseAssignmentSubmission.php` - `backend/app/Models/Course/Course.php` - `backend/app/Models/Course/CourseLesson.php` - `backend/routes/api.php` - `backend/config/modules/course.php` - `backend/.env.example` - `backend/database/migrations/2026_03_10_195200_alter_course_assignment_submissions_add_content_and_review_fields.php` - `frontend/src/app/App.tsx` - `frontend/src/features/course/pages/CourseCatalogPage.tsx` - `frontend/src/features/course/pages/StudentCourseAssignmentsPage.tsx` - `frontend/src/features/instructor/pages/InstructorCoursesPage.tsx` - `frontend/src/features/instructor/pages/InstructorCourseAnalyticsPage.tsx` - `frontend/src/features/instructor/pages/InstructorAssignmentReviewQueuePage.tsx` - `frontend/src/features/instructor/pages/InstructorAssignmentSubmissionDetailPage.tsx` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `docs/api/quick-test.md` - Endpoints: - `GET /api/v1/student/course/{course}/assignments` - `POST /api/v1/student/course/{course}/assignments/{lesson}/save` - `POST /api/v1/student/course/{course}/assignments/{lesson}/upload` - `POST /api/v1/student/course/{course}/assignments/{lesson}/submit` - `GET /api/v1/instructor/course/{course}/assignments/submissions` - `GET /api/v1/instructor/course/{course}/assignments/submissions/{submission}` - `POST /api/v1/instructor/course/{course}/assignments/submissions/{submission}/review` - Migrations: - `alter_course_assignment_submissions_add_content_and_review_fields` - Verification outcome: - PHP lint passed for all changed backend files - Route checks passed for new student/instructor assignment endpoints - `php artisan migrate --force` passed - `php artisan test` passed (`1` test, `12` assertions) - `npm.cmd run build` passed - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) ## Latest execution update (2026-03-10 20:15 Europe/Berlin) - Files: - `backend/app/Services/Course/CourseAssignmentStatusService.php` - `backend/routes/console.php` - `backend/app/Http/Controllers/Api/Analytics/CourseAnalyticsController.php` - `backend/app/Http/Controllers/Api/Instructor/NotificationController.php` - `backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php` - `backend/app/Http/Controllers/Api/Instructor/RiskAlertController.php` - `backend/routes/api.php` - `frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx` - `frontend/src/features/instructor/pages/InstructorCourseAnalyticsPage.tsx` - `frontend/src/features/notifications/NotificationsPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveriesPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveryDetailPage.tsx` - `frontend/src/app/App.tsx` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `docs/api/quick-test.md` - `docs/deployment/deployment-runbook.md` - Endpoints: - `GET /api/v1/instructor/course/{course}/analytics/export-csv` - `GET /api/v1/instructor/course/{course}/assignment-metrics/export-csv` - `GET /api/v1/instructor/notifications/export-csv` - `GET /api/v1/admin/risk-webhook-deliveries/export-csv` - `POST /api/v1/admin/risk-webhook-deliveries/{delivery}/requeue` - Migrations: - None - Verification outcome: - PHP lint passed for all changed backend files - Route checks passed for new/updated instructor/admin endpoints - `php artisan pcat:course-assignment-status-sync` passed - `php artisan test` passed (`1` test, `17` assertions) - `npm.cmd run build` passed - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) ## Latest execution update (2026-03-10 20:30 Europe/Berlin) - Files: - `backend/app/Services/Settings/CriticalWebhookSettingsService.php` - `backend/app/Services/Notifications/CriticalRiskWebhookService.php` - `backend/app/Http/Controllers/Api/Admin/RiskThresholdSettingsController.php` - `backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php` - `backend/app/Http/Controllers/Api/Instructor/NotificationController.php` - `backend/app/Models/CriticalRiskWebhookDelivery.php` - `backend/app/Models/CriticalRiskWebhookDeliveryAttempt.php` - `backend/database/migrations/2026_03_10_201700_create_critical_risk_webhook_delivery_attempts_table.php` - `backend/routes/api.php` - `backend/config/exam_analytics.php` - `backend/.env.example` - `frontend/src/features/admin/pages/AdminRiskSettingsPage.tsx` - `frontend/src/features/notifications/NotificationsPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveriesPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveryDetailPage.tsx` - `frontend/src/features/instructor/pages/InstructorRiskAlertDetailPage.tsx` - `frontend/src/features/dashboard/instructor/InstructorDashboardPage.tsx` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `docs/api/quick-test.md` - `docs/deployment/deployment-runbook.md` - Endpoints: - `POST /api/v1/admin/risk-webhook-deliveries/requeue-bulk` - `POST /api/v1/instructor/notifications/mark-read-bulk` - `GET /api/v1/admin/settings/risk-thresholds` (extended payload with webhook settings) - `PUT /api/v1/admin/settings/risk-thresholds` (webhook settings update support) - Migrations: - `critical_risk_webhook_delivery_attempts` - Verification outcome: - PHP lint passed for all changed backend files - `php artisan migrate --force` passed - Route checks passed for new/updated notification/webhook/settings endpoints - `php artisan pcat:webhook-retry-critical-alerts --limit=1` passed - `php artisan test` passed (`1` test, `19` assertions) - `npm.cmd run build` passed - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) ## Latest execution update (2026-03-10 20:48 Europe/Berlin) - Files: - `backend/tests/Feature/Security/CriticalWebhookResilienceTest.php` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `frontend/src/features/dashboard/admin/AdminDashboardPage.tsx` - `docs/api/quick-test.md` - Endpoints: - `GET /api/v1/admin/observability/timeseries-export-csv` (auth test coverage + admin UI export action wired) - Migrations: - None - Verification outcome: - `php -l backend/tests/Feature/Security/CriticalWebhookResilienceTest.php` passed - `php -l backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` passed - `php -l backend/app/Http/Controllers/Api/Admin/ObservabilityController.php` passed - `php artisan route:list --path=api/v1/admin/observability` passed (2 routes) - `php artisan test` passed (`3` tests, `27` assertions) - `npm.cmd run build` passed - `npm.cmd run test:integration` executed with expected `SKIP` (missing `INTEGRATION_INSTRUCTOR_TOKEN` and `INTEGRATION_ADMIN_TOKEN`) - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) - Risks/edge cases: - Resilience tests now create only minimal required schema when missing; if production migrations change column contracts, tests may need synchronized fixture schema updates. - Integration check remains token-gated in this shell environment until dedicated instructor/admin bearer tokens are injected. ## Latest execution update (2026-03-10 20:58 Europe/Berlin) - Files: - `backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php` - `backend/routes/api.php` - `backend/routes/console.php` - `backend/config/exam_analytics.php` - `backend/.env.example` - `backend/tests/Feature/Admin/ObservabilityEndpointsTest.php` - `backend/tests/Feature/StandaloneExam/NewApiRoutesAuthTest.php` - `frontend/src/lib/apiClient.ts` - `frontend/src/features/dashboard/admin/AdminDashboardPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveryDetailPage.tsx` - `frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx` - `frontend/src/app/App.tsx` - `frontend/src/styles/global.css` - `docs/api/openapi.yaml` - `docs/api/quick-test.md` - Endpoints: - `GET /api/v1/admin/risk-webhook-deliveries/{delivery}/attempts-export-csv` - `GET /api/v1/admin/observability/health` (contract test + OpenAPI schema detail) - `GET /api/v1/admin/observability/timeseries-export-csv` (contract test + UI preset/toggle support) - Migrations: - None - Verification outcome: - PHP lint passed for all changed backend files - `php artisan route:list --path=api/v1/admin/observability` passed - `php artisan route:list --path=api/v1/admin/risk-webhook-deliveries` passed (includes attempts-export route) - `php artisan list | findstr /I "webhook-attempts-prune"` passed - `php artisan test` passed (`5` tests, `67` assertions) - `npm.cmd run build` passed - `npm.cmd run test:integration` executed with expected `SKIP` (missing `INTEGRATION_INSTRUCTOR_TOKEN` and `INTEGRATION_ADMIN_TOKEN`) - Focused login-based HTTP smoke via Apache mapping remains constrained by local `/api/v1/auth/login` response mismatch (web-module payload instead of auth token) - Risks/edge cases: - Admin observability timeseries parsing in frontend uses simple comma-split and assumes no quoted commas; safe for current numeric/date dataset, but should switch to a CSV parser if textual columns are added later. - Unread notification badge refreshes on app/auth lifecycle; for instant cross-page updates after notification actions, emit a dedicated frontend event in future iteration. ## Latest execution update (2026-03-10 21:11 Europe/Berlin) - Files: - `backend/database/migrations/2026_03_10_205900_add_correlation_id_to_webhook_delivery_attempts_table.php` - `backend/app/Models/CriticalRiskWebhookDeliveryAttempt.php` - `backend/app/Services/Notifications/CriticalRiskWebhookService.php` - `backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php` - `backend/app/Http/Controllers/Api/Admin/ObservabilityController.php` - `backend/app/Services/Settings/CriticalWebhookSettingsService.php` - `backend/app/Http/Controllers/Api/Admin/RiskThresholdSettingsController.php` - `backend/routes/console.php` - `backend/tests/Feature/Admin/ObservabilityEndpointsTest.php` - `backend/tests/Feature/Admin/RiskThresholdRetentionSettingsTest.php` - `frontend/src/features/dashboard/admin/AdminDashboardPage.tsx` - `frontend/src/features/admin/pages/AdminWebhookDeliveryDetailPage.tsx` - `frontend/src/features/admin/pages/AdminRiskSettingsPage.tsx` - `frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx` - `frontend/src/features/notifications/NotificationsPage.tsx` - `frontend/src/app/App.tsx` - `frontend/src/styles/global.css` - `docs/api/openapi.yaml` - `docs/api/quick-test.md` - `docs/deployment/deployment-runbook.md` - Endpoints: - `GET /api/v1/admin/risk-webhook-deliveries/{delivery}/attempts-export-csv` (now with `correlation_id` column) - `GET /api/v1/admin/observability/health` (extended with `webhook_attempt_retention` + prune heartbeat) - `GET /api/v1/admin/settings/risk-thresholds` / `PUT /api/v1/admin/settings/risk-thresholds` (supports `webhook_settings.attempt_retention_days`) - Migrations: - `2026_03_10_205900_add_correlation_id_to_webhook_delivery_attempts_table` - Verification outcome: - PHP lint passed for changed backend files - `php artisan route:list --path=api/v1/admin/risk-webhook-deliveries` passed (includes attempts export route) - `php artisan route:list --path=api/v1/admin/observability` passed - `php artisan list | findstr /I "webhook-attempts-prune"` passed - `php artisan migrate --path=database/migrations/2026_03_10_205900_add_correlation_id_to_webhook_delivery_attempts_table.php --force` passed - `php artisan test` passed (`8` tests, `86` assertions) - `npm.cmd run build` passed - `npm.cmd run test:integration` executed with expected `SKIP` (missing integration bearer tokens) - Full `php artisan migrate --force` remains constrained by known local baseline mismatch (existing table + historical migration replay) - Risks/edge cases: - Correlation IDs are generated per attempt at write-time; historical attempts created before this migration keep `null` correlation values. - Notification badge is now optimistic and event-driven; if a backend write fails, subsequent `loadRows()` reconciliation restores server truth. ## Latest execution update (2026-03-10 21:17 Europe/Berlin) - Files: - `htdocs/index.php` - Endpoints: - None - Migrations: - None - Verification outcome: - `php -l htdocs/index.php` passed - Status page now renders project stand, completed tasks, upcoming tasks, and latest execution details directly from `docs/PROJECT_MASTERPROMPT.md` - API/sanctum compatibility preserved via passthrough to backend entrypoint for `/api*`, `/sanctum*`, and `?app=1` - Risks/edge cases: - Root path now serves status page by design; application UI can still be reached via `?app=1` on the same host. - If markdown section headings in `PROJECT_MASTERPROMPT.md` are renamed, parser adjustments in `htdocs/index.php` may be required. ## Latest execution update (2026-03-10 21:26 Europe/Berlin) - Files: - `docs/PROJECT_MASTERPROMPT.md` - Endpoints: - None - Migrations: - None - Verification outcome: - Master roadmap expanded from 10 to 50 next logical steps and persisted in this document - Stand timestamp updated to reflect latest planning update - Risks/edge cases: - Larger task queue requires strict prioritization by dependency and risk to avoid parallel change collisions ## Latest execution update (2026-03-10 21:35 Europe/Berlin) - Files: - backend/database/migrations/2026_03_10_212900_create_webhook_settings_audits_table.php - backend/app/Http/Controllers/Api/Admin/RiskThresholdSettingsController.php - backend/app/Http/Controllers/Api/Admin/ObservabilityController.php - backend/tests/Feature/Admin/WebhookAttemptsPruneCommandTest.php - backend/tests/Feature/Admin/RiskThresholdRetentionSettingsTest.php - backend/tests/Feature/Admin/ObservabilityEndpointsTest.php - frontend/src/lib/csv.ts - frontend/src/features/dashboard/admin/AdminDashboardPage.tsx - frontend/src/features/admin/pages/AdminWebhookDeliveryDetailPage.tsx - frontend/src/features/admin/pages/AdminRiskSettingsPage.tsx - frontend/tests/integration/notification-webhook-bulk.integration.mjs - docs/api/openapi.yaml - docs/deployment/deployment-runbook.md - Endpoints: - GET /api/v1/admin/observability/health (extended with migration_health) - GET /api/v1/admin/risk-webhook-deliveries/{delivery}/attempts-export-csv (copy-ready correlation_id workflow) - GET/PUT /api/v1/admin/settings/risk-thresholds (settings audit writes + retention UX support) - Migrations: - 2026_03_10_212900_create_webhook_settings_audits_table - Verification outcome: - PHP lint passed for changed backend files - php artisan migrate --path=database/migrations/2026_03_10_212900_create_webhook_settings_audits_table.php --force passed - Route checks passed for updated admin endpoints - php artisan test passed (10 tests, 102 assertions) - npm.cmd run build passed - npm.cmd run test:integration executed with expected SKIP (missing integration bearer tokens) - Risks/edge cases: - Full php artisan migrate --force remains locally constrained by known historical baseline table mismatch. - Observability schema drift flag may show warning in partially migrated local environments until all required tables/columns exist. ## Latest execution update (2026-03-10 21:53 Europe/Berlin) - Files: - backend/app/Http/Controllers/Api/Admin/RiskWebhookDeliveryController.php - backend/tests/Feature/Admin/RiskWebhookDeliveriesApiTest.php - backend/tests/Feature/Admin/RiskThresholdRetentionSettingsTest.php - docs/api/openapi.yaml - docs/api/quick-test.md - Endpoints: - GET /api/v1/admin/risk-webhook-deliveries (added `correlation_id`, `sort_by`, `sort_dir` filter/sort support) - GET /api/v1/admin/risk-webhook-deliveries/{delivery} (contract-tested attempts ordering) - Migrations: - None - Verification outcome: - PHP lint passed for changed backend files - php artisan route:list --path=api/v1/admin/risk-webhook-deliveries passed - php artisan test passed (14 tests, 138 assertions) - npm.cmd run build passed - Risks/edge cases: - List sorting now supports DB columns only (`id, created_at, updated_at, attempt_no, next_retry_at`); frontend must restrict user choices accordingly. - Correlation filter uses `LIKE` against attempts and can be expensive without additional indexing strategy on very large datasets. ## Latest execution update (2026-03-10 22:03 Europe/Berlin) - Files: - backend/app/Http/Controllers/Api/Admin/ObservabilityController.php - backend/tests/Feature/Admin/ObservabilityEndpointsTest.php - frontend/src/features/admin/pages/AdminWebhookDeliveriesPage.tsx - frontend/src/features/instructor/pages/InstructorRiskAlertsPage.tsx - frontend/src/features/dashboard/admin/AdminDashboardPage.tsx - docs/api/openapi.yaml - docs/api/quick-test.md - Endpoints: - GET /api/v1/admin/observability/health (added `webhooks.oldest_dead_letter_at` + `webhooks.oldest_dead_letter_age_minutes`) - GET /api/v1/admin/observability/timeseries-export-csv (added `retry_queue_depth` CSV column) - GET /api/v1/admin/risk-webhook-deliveries (frontend now exposes `correlation_id` filter input) - Migrations: - None - Verification outcome: - php -l app/Http/Controllers/Api/Admin/ObservabilityController.php passed - php -l tests/Feature/Admin/ObservabilityEndpointsTest.php passed - php artisan route:list --path=api/v1/admin/observability passed - php artisan test --filter=ObservabilityEndpointsTest passed (3 tests, 60 assertions) - php artisan test --filter=RiskWebhookDeliveriesApiTest passed (2 tests, 34 assertions) - npm.cmd run build passed - Risks/edge cases: - `retry_queue_depth` trend is currently derived from rows in `retry_scheduled` state by `next_retry_at` day; it is not a full historical queue snapshot model. - Risk-alert filter state is now URL-persisted; legacy deep links without params still work via safe defaults. ## Latest execution update (2026-03-10 23:40 Europe/Berlin) - Files: - frontend/src/features/dashboard/admin/AdminDashboardPage.tsx - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - npm.cmd run build passed - Focused UI smoke validated via URL-state logic in Admin Dashboard observability controls (`obs_days`, `obs_mode`) and successful production build - Risks/edge cases: - URL state sync preserves existing query params; unknown params remain untouched by design. - If invalid URL values are provided (`obs_days`, `obs_mode`), frontend safely falls back to defaults (`30`, `deliveries`). ## Latest execution update (2026-03-11 08:57 Europe/Berlin) - Files: - docs/user-stories/backlog.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: documentation structure validated (modular future feature registry fully populated) - Risks/edge cases: - Feature backlog is now intentionally broad; implementation sequencing must continue to follow dependency and security priorities. - Some items are partially implemented already and may require status refinement (`planned` vs `in-progress`) in later grooming. ## Future Integration Registry - Source of truth for planned modules and future functions: - `docs/user-stories/backlog.md` - `docs/roadmap/next-200-steps.md` (additional steps 101-300 in 20 sprint packages) - `docs/roadmap/master-steps-1-300.md` (unified table with status/owner/target sprint) - Usage rule: - New planned features must be added there first, grouped by module and priority lane. - Steps after the active 1-100 roadmap are maintained in `docs/roadmap/next-200-steps.md`. - Execution tracking across all roadmap steps uses `docs/roadmap/master-steps-1-300.md`. ## Extended Roadmap Reference - Current active roadmap: - `docs/PROJECT_MASTERPROMPT.md` -> `Next logical steps` (1-100) - Follow-up roadmap: - `docs/roadmap/next-200-steps.md` -> steps 101-300, grouped as Sprint 11-30 (10 steps each) - Unified operational table: - `docs/roadmap/master-steps-1-300.md` -> steps 1-300 with `Status`, `Owner`, `Target Sprint` ## System Vollinventur (Abhaengigkeiten) | Komponente | Abhaengigkeit/Technologie | Quelle | Status | |---|---|---|---| | Backend Runtime | PHP ^8.2 | backend/composer.json | Aktiv | | Backend Framework | laravel/framework ^11.0 | backend/composer.json | Aktiv | | Auth API | laravel/sanctum ^4.0 | backend/composer.json | Aktiv | | RBAC | spatie/laravel-permission ^6.0 | backend/composer.json | Aktiv | | Payments | stripe/stripe-php ^16.0 | backend/composer.json | Aktiv | | Payments | paypal/paypal-server-sdk ^1.0 | backend/composer.json | Aktiv | | Frontend Runtime | react ^18.3.1 | frontend/package.json | Aktiv | | Frontend Runtime | react-dom ^18.3.1 | frontend/package.json | Aktiv | | Frontend Routing | react-router-dom ^6.30.0 | frontend/package.json | Aktiv | | Build Tool | vite ^5.4.8 | frontend/package.json | Aktiv | | Type System | typescript ^5.6.2 | frontend/package.json | Aktiv | | DB | MySQL | Systemarchitektur | Aktiv | | Storage | Local/S3/R2 kompatibel | backend/.env.example + Services | Aktiv | | Security | Google reCAPTCHA v3 | backend/.env.example + RecaptchaVerifier | Aktiv | ## System Vollinventur (API, tabellarisch) Hinweis: Diese Tabelle ist identisch gespiegelt in `docs/api/full-inventory.md`. ### Public Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/health | Public | Core | Healthcheck | Live | | POST | /api/v1/auth/login | Public | Auth | Login (reCAPTCHA-gesichert per Config) | Live | | GET | /api/v1/course/catalog | Public | Course | Kurskatalog anzeigen | Live | | GET | /api/v1/standalone-exam/catalog | Public | Standalone Exam | Exam-Katalog anzeigen | Live | ### Authenticated Endpoints (Sanctum) | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/me | Authenticated | Auth | Sessionprofil abrufen | Live | | POST | /api/v1/auth/logout | Authenticated | Auth | Logout | Live | ### Admin + Instructor Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/dashboard/instructor/summary | Admin/Instructor | Dashboard | Instructor Dashboard Summary | Live | | GET | /api/v1/instructor/risk-alerts | Admin/Instructor | Analytics/Security | Risk Alerts Liste | Live | | GET | /api/v1/instructor/risk-alerts/export-csv | Admin/Instructor | Analytics/Security | Risk Alerts CSV Export | Live | | GET | /api/v1/instructor/risk-alerts/{alert} | Admin/Instructor | Analytics/Security | Risk Alert Detail | Live | | POST | /api/v1/instructor/risk-alerts/{alert}/resolve | Admin/Instructor | Analytics/Security | Risk Alert Resolve | Live | | POST | /api/v1/instructor/risk-alerts/{alert}/reopen | Admin/Instructor | Analytics/Security | Risk Alert Reopen | Live | | GET | /api/v1/instructor/notifications | Admin/Instructor | Notifications | Notifications Liste | Live | | GET | /api/v1/instructor/notifications/export-csv | Admin/Instructor | Notifications | Notifications CSV Export | Live | | POST | /api/v1/instructor/notifications/mark-all-read | Admin/Instructor | Notifications | Alle als gelesen markieren | Live | | POST | /api/v1/instructor/notifications/mark-read-bulk | Admin/Instructor | Notifications | Mehrfach als gelesen markieren | Live | | POST | /api/v1/instructor/notifications/{notification}/read | Admin/Instructor | Notifications | Einzelne Notification als gelesen markieren | Live | ### Instructor Course Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/instructor/course/ | Admin/Instructor | Course | Kursliste | Live | | POST | /api/v1/instructor/course/ | Admin/Instructor | Course | Kurs anlegen | Live | | POST | /api/v1/instructor/course/bulk-action | Admin/Instructor | Course | Bulk-Aktionen | Live | | POST | /api/v1/instructor/course/import-csv | Admin/Instructor | Course | CSV Import | Live | | GET | /api/v1/instructor/course/export-filtered | Admin/Instructor | Course | Gefilterter CSV Export | Live | | POST | /api/v1/instructor/course/export-selected | Admin/Instructor | Course | Selektierter Export | Live | | GET | /api/v1/instructor/course/{course}/analytics | Admin/Instructor | Course Analytics | Kurs-Analytics | Live | | GET | /api/v1/instructor/course/{course}/analytics/export-csv | Admin/Instructor | Course Analytics | Kurs-Analytics CSV | Live | | GET | /api/v1/instructor/course/{course}/assignment-metrics | Admin/Instructor | Course Analytics | Assignment Metrics | Live | | GET | /api/v1/instructor/course/{course}/assignment-metrics/export-csv | Admin/Instructor | Course Analytics | Assignment Metrics CSV | Live | | GET | /api/v1/instructor/course/{course}/assignments/submissions | Admin/Instructor | Course Assignments | Submission Queue | Live | | GET | /api/v1/instructor/course/{course}/assignments/submissions/{submission} | Admin/Instructor | Course Assignments | Submission Detail | Live | | POST | /api/v1/instructor/course/{course}/assignments/submissions/{submission}/review | Admin/Instructor | Course Assignments | Submission Review | Live | | GET | /api/v1/instructor/course/{course} | Admin/Instructor | Course | Kurs Detail | Live | | PUT | /api/v1/instructor/course/{course} | Admin/Instructor | Course | Kurs aktualisieren | Live | | DELETE | /api/v1/instructor/course/{course} | Admin/Instructor | Course | Kurs loeschen | Live | | POST | /api/v1/instructor/course/{course}/publish | Admin/Instructor | Course | Kurs veroeffentlichen | Live | | POST | /api/v1/instructor/course/{course}/unpublish | Admin/Instructor | Course | Kurs zurueckziehen | Live | ### Instructor Standalone Exam Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/instructor/standalone-exam/ | Admin/Instructor | Standalone Exam | Exam-Liste | Live | | POST | /api/v1/instructor/standalone-exam/ | Admin/Instructor | Standalone Exam | Exam anlegen | Live | | POST | /api/v1/instructor/standalone-exam/bulk-action | Admin/Instructor | Standalone Exam | Bulk-Aktionen | Live | | POST | /api/v1/instructor/standalone-exam/import-csv | Admin/Instructor | Standalone Exam | CSV Import | Live | | GET | /api/v1/instructor/standalone-exam/export-filtered | Admin/Instructor | Standalone Exam | Gefilterter Export | Live | | POST | /api/v1/instructor/standalone-exam/export-selected | Admin/Instructor | Standalone Exam | Selektierter Export | Live | | GET | /api/v1/instructor/standalone-exam/{exam} | Admin/Instructor | Standalone Exam | Exam Detail | Live | | PUT | /api/v1/instructor/standalone-exam/{exam} | Admin/Instructor | Standalone Exam | Exam aktualisieren | Live | | DELETE | /api/v1/instructor/standalone-exam/{exam} | Admin/Instructor | Standalone Exam | Exam loeschen | Live | | POST | /api/v1/instructor/standalone-exam/{exam}/publish | Admin/Instructor | Standalone Exam | Exam veroeffentlichen | Live | | POST | /api/v1/instructor/standalone-exam/{exam}/unpublish | Admin/Instructor | Standalone Exam | Exam zurueckziehen | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/questions | Admin/Instructor | Standalone Exam Questions | Fragenliste | Live | | POST | /api/v1/instructor/standalone-exam/{exam}/questions | Admin/Instructor | Standalone Exam Questions | Frage anlegen | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/questions/{question} | Admin/Instructor | Standalone Exam Questions | Frage Detail | Live | | PUT | /api/v1/instructor/standalone-exam/{exam}/questions/{question} | Admin/Instructor | Standalone Exam Questions | Frage aktualisieren | Live | | DELETE | /api/v1/instructor/standalone-exam/{exam}/questions/{question} | Admin/Instructor | Standalone Exam Questions | Frage loeschen | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/attempts | Admin/Instructor | Standalone Exam Attempts | Attempt-Liste | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/attempts/{attempt} | Admin/Instructor | Standalone Exam Attempts | Attempt Detail inkl. Events | Live | | POST | /api/v1/instructor/standalone-exam/{exam}/attempts/{attempt}/manual-grade | Admin/Instructor | Standalone Exam Attempts | Manual Short-Answer Grading | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/analytics | Admin/Instructor | Standalone Exam Analytics | Instructor Analytics | Live | | GET | /api/v1/instructor/standalone-exam/{exam}/analytics/export-csv | Admin/Instructor | Standalone Exam Analytics | Instructor Analytics CSV | Live | ### Admin + Student Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/dashboard/student/summary | Admin/Student | Dashboard | Student Dashboard Summary | Live | | GET | /api/v1/student/course/{course}/assignments | Admin/Student | Course Assignments | Student Assignment Uebersicht | Live | | POST | /api/v1/student/course/{course}/assignments/{lesson}/save | Admin/Student | Course Assignments | Assignment Draft speichern | Live | | POST | /api/v1/student/course/{course}/assignments/{lesson}/upload | Admin/Student | Course Assignments | Assignment Upload | Live | | POST | /api/v1/student/course/{course}/assignments/{lesson}/submit | Admin/Student | Course Assignments | Assignment final abgeben | Live | | GET | /api/v1/student/standalone-exam/{exam}/attempts | Admin/Student | Standalone Exam Attempts | Attempt History | Live | | GET | /api/v1/student/standalone-exam/{exam}/performance-summary | Admin/Student | Standalone Exam Analytics | Performance Summary | Live | | POST | /api/v1/student/standalone-exam/{exam}/attempts/start | Admin/Student | Standalone Exam Attempts | Attempt starten | Live | | GET | /api/v1/student/standalone-exam/{exam}/attempts/{attempt} | Admin/Student | Standalone Exam Attempts | Aktuellen Attempt laden | Live | | POST | /api/v1/student/standalone-exam/{exam}/attempts/{attempt}/answers | Admin/Student | Standalone Exam Attempts | Antwort speichern | Live | | POST | /api/v1/student/standalone-exam/{exam}/attempts/{attempt}/events | Admin/Student | Standalone Exam Security | Anti-Cheat Event tracking | Live | | POST | /api/v1/student/standalone-exam/{exam}/attempts/{attempt}/submit | Admin/Student | Standalone Exam Attempts | Attempt einreichen | Live | ### Admin Endpoints | Methode | Endpoint | Zugriff | Modul | Feature/Funktion | Status | |---|---|---|---|---|---| | GET | /api/v1/dashboard/admin/summary | Admin | Dashboard | Admin Dashboard Summary | Live | | GET | /api/v1/admin/standalone-exam/analytics/overview | Admin | Standalone Exam Analytics | Global Analytics Overview | Live | | GET | /api/v1/admin/standalone-exam/analytics/export-csv | Admin | Standalone Exam Analytics | Global Analytics CSV Export | Live | | GET | /api/v1/admin/settings/risk-thresholds | Admin | Settings/Security | Risk/Webhook Settings lesen | Live | | PUT | /api/v1/admin/settings/risk-thresholds | Admin | Settings/Security | Risk/Webhook Settings aktualisieren | Live | | GET | /api/v1/admin/risk-digests | Admin | Reporting | Digest Runs Liste | Live | | GET | /api/v1/admin/risk-digests/export-csv | Admin | Reporting | Digest Runs CSV | Live | | GET | /api/v1/admin/risk-digests/{run} | Admin | Reporting | Digest Run Detail | Live | | GET | /api/v1/admin/risk-digests/{run}/entries-export-csv | Admin | Reporting | Digest Entries CSV | Live | | POST | /api/v1/admin/risk-digests/run-now | Admin | Reporting | Digest manuell ausloesen | Live | | GET | /api/v1/admin/risk-webhook-deliveries | Admin | Webhook Resilience | Delivery-Liste/Filter | Live | | GET | /api/v1/admin/risk-webhook-deliveries/export-csv | Admin | Webhook Resilience | Delivery CSV Export | Live | | POST | /api/v1/admin/risk-webhook-deliveries/requeue-bulk | Admin | Webhook Resilience | Bulk Requeue | Live | | GET | /api/v1/admin/risk-webhook-deliveries/{delivery} | Admin | Webhook Resilience | Delivery Detail | Live | | GET | /api/v1/admin/risk-webhook-deliveries/{delivery}/attempts-export-csv | Admin | Webhook Resilience | Attempt Timeline CSV | Live | | POST | /api/v1/admin/risk-webhook-deliveries/{delivery}/requeue | Admin | Webhook Resilience | Einzel-Requeue | Live | | GET | /api/v1/admin/observability/health | Admin | Observability | Health + Heartbeats + Retention | Live | | GET | /api/v1/admin/observability/timeseries-export-csv | Admin | Observability | Timeseries CSV Export | Live | ### Betriebsfunktionen (Scheduler/Commands) | Typ | Name | Zweck | Takt | Status | |---|---|---|---|---| | Command | pcat:risk-digest | Daily Risk Digest generieren | daily 08:00 | Live | | Command | pcat:webhook-retry-critical-alerts | Kritische Webhooks retryen | every 5 minutes | Live | | Command | pcat:course-assignment-status-sync | Assignment-Status synchronisieren | hourly | Live | | Command | pcat:webhook-attempts-prune | Alte Webhook-Attempts aufraeumen | daily 03:30 | Live | ## Prioritaetsmatrix (Kritisch/Wichtig/Spaeter) ### Kritisch (Plattformstabilitaet, Sicherheit, Betriebsrisiko) | Prioritaet | Bereich | Thema | Zielbild | Abhaengigkeiten | |---|---|---|---|---| | Kritisch | Observability | API Rate-Limit Telemetrie (Auth-Fehler/429) | Betriebsfruehe Erkennung von Abuse/Spikes | ObservabilityController, Dashboard Admin | | Kritisch | Security | reCAPTCHA Failure Trend Widget (Admin) | Sichtbarkeit auf Login-Angriffs-/Fehlkonfigurationstrends | AuthController, RecaptchaVerifier, Dashboard API | | Kritisch | Quality | reCAPTCHA Testabdeckung (success/failure branches) | Regressionsschutz in sicherheitskritischer Login-Logik | PHPUnit Feature Tests | | Kritisch | Webhook Resilience | Payload-Versionierung + versionierte Schema-Doku | Kompatible Weiterentwicklung externer Integrationen | CriticalRiskWebhookService, OpenAPI | | Kritisch | Reliability | End-to-End Smoke fuer Observability + Webhook Audit Flows | Frueherkennung von Produktions-/Deploy-Breaks | API smoke scripts, tokens/env | ### Wichtig (Skalierung, UX, Wartbarkeit) | Prioritaet | Bereich | Thema | Zielbild | Abhaengigkeiten | |---|---|---|---|---| | Wichtig | Data/Analytics | CSV Parser Fallback fuer quoted/text Spalten | Robustheit bei kuenftigen Datensatz-Erweiterungen | frontend/src/lib/csv.ts | | Wichtig | Performance | Optionaler Index fuer correlation-id Lookups | Stabilere Query-Performance bei hohem Volumen | MySQL Migration/Indexstrategie | | Wichtig | Admin UX | Sortierkontrollen fuer Webhook Deliveries (`sort_by`,`sort_dir`) | Schnellere Incident-Analyse im UI | AdminWebhookDeliveriesPage + API Filter | | Wichtig | Admin UX | Deep-Link Presets fuer Webhook Filter | Teilbare operable Links fuer Support/Ops | Router Query State + Filter UI | | Wichtig | Governance | Inventur bei neuen Routen/Commands automatisch nachziehen | Doku bleibt synchron mit Runtime | API/console change checklist | ### Spaeter (Business-Ausbau gem. Backlog) | Prioritaet | Bereich | Thema | Zielbild | Abhaengigkeiten | |---|---|---|---|---| | Spaeter | Commerce | Vollausbau Cart/Wishlist/Checkout/Coupons/Tax | End-to-end Monetarisierung | Payment SDKs, Produktregeln | | Spaeter | Learning Experience | Zertifikate/Marksheet Builder + Auto-Issuance | Abschlussnachweise im Produktfluss | Template Engine, PDF/Storage | | Spaeter | Community | Diskussionsforen mit Moderation/Benachrichtigung | Lerninteraktion und Bindung | Notification System, RBAC | | Spaeter | CMS | Drag&Drop Page Builder (40+ Sections) | No-Code Frontend-Management | React Builder Module, Media Manager | | Spaeter | Globalization | Multi-Language inkl. RTL/LTR | Internationalisierung und Skalierung | Translation Layer, UI i18n | ## Latest execution update (2026-03-11 11:32 Europe/Berlin) - Files: - docs/roadmap/master-steps-1-300.md - docs/roadmap/next-200-steps.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (documentation continuity contract update) - Migrations: - None - Verification outcome: - Added permanent persistence/status contract to master tracker 1-300 - Added permanent persistence/status contract to roadmap source 101-300 - Risks/edge cases: - Status is intentionally centralized in `docs/roadmap/master-steps-1-300.md`; updating status in multiple files risks drift and should be avoided. ## Latest execution update (2026-03-11 11:28 Europe/Berlin) - Files: - docs/roadmap/next-500-steps.md - docs/THREAD_CONTINUATION_PACKET.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (documentation and continuity-governance update) - Migrations: - None - Verification outcome: - Roadmap generation sanity check passed: steps 301-800 present (500 rows) - Continuation packet created with startup commands, prompt block, and status-update protocol - Risks/edge cases: - ext-500-steps.md is intentionally broad and should be sprint-groomed before execution to avoid parallel scope overload. ## Latest execution update (2026-03-11 10:50 Europe/Berlin) - Files: - backend/tests/Feature/Admin/ObservabilityEndpointsTest.php - docs/roadmap/master-steps-1-300.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (test coverage extension only) - Migrations: - None - Verification outcome: - php -l backend/tests/Feature/Admin/ObservabilityEndpointsTest.php passed - php artisan test --filter=ObservabilityEndpointsTest passed (5 tests, 133 assertions) - Risks/edge cases: - Empty-dataset timeseries expectation currently enforces numeric zero columns; if CSV contract changes (e.g., empty strings), test update will be required. ## Latest execution update (2026-03-11 10:45 Europe/Berlin) - Files: - backend/app/Services/Observability/ApiTelemetryService.php - backend/app/Http/Controllers/Api/Admin/ObservabilityController.php - backend/config/exam_analytics.php - backend/.env.example - backend/routes/console.php - backend/tests/Feature/Admin/ObservabilityEndpointsTest.php - backend/tests/Feature/Admin/RiskWebhookDeliveriesApiTest.php - frontend/src/features/dashboard/admin/AdminDashboardPage.tsx - docs/api/openapi.yaml - docs/api/quick-test.md - scripts/smoke/synthetic-login-probe.ps1 - docs/roadmap/master-steps-1-300.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - GET /api/v1/admin/observability/health (extended telemetry + circuit/slope alert fields) - Migrations: - None - Verification outcome: - PHP lint passed for changed backend files - php artisan route:list --path=api/v1/admin/observability passed - php artisan list | findstr /I "heartbeat-check openapi-drift-check" passed - php artisan pcat:openapi-drift-check passed - php artisan test --filter=ObservabilityEndpointsTest passed (4 tests, 80 assertions) - php artisan test --filter=RiskWebhookDeliveriesApiTest passed (3 tests, 43 assertions) - php artisan test --filter=RecaptchaLoginTest passed (2 tests, 10 assertions) - npm.cmd run build passed - Risks/edge cases: - Heartbeat check intentionally reports stale entries until scheduled jobs run in the target environment. - Correlation-id index strategy (step 6) remains pending/in-progress due migration sequencing constraints. ## Latest execution update (2026-03-11 10:35 Europe/Berlin) - Files: - backend/app/Services/Observability/ApiTelemetryService.php - backend/app/Http/Middleware/ApiTelemetryMiddleware.php - backend/bootstrap/app.php - backend/app/Http/Controllers/Api/Auth/AuthController.php - backend/app/Http/Controllers/Api/Admin/ObservabilityController.php - backend/app/Services/Notifications/CriticalRiskWebhookService.php - backend/tests/Feature/Admin/ObservabilityEndpointsTest.php - backend/tests/Feature/Security/RecaptchaLoginTest.php - frontend/src/features/dashboard/admin/AdminDashboardPage.tsx - frontend/src/features/admin/pages/AdminWebhookDeliveriesPage.tsx - docs/api/openapi.yaml - docs/api/quick-test.md - scripts/smoke/admin-observability-webhook-smoke.ps1 - docs/roadmap/master-steps-1-300.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - GET /api/v1/admin/observability/health (extended with `api_telemetry` payload) - Migrations: - None - Verification outcome: - PHP lint passed for changed backend files - php artisan route:list --path=api/v1/admin/observability passed - php artisan test --filter=ObservabilityEndpointsTest passed (3 tests, 68 assertions) - php artisan test --filter=RecaptchaLoginTest passed (2 tests, 10 assertions) - npm.cmd run build passed - Added smoke script: `scripts/smoke/admin-observability-webhook-smoke.ps1` - Risks/edge cases: - API telemetry uses DB-backed daily counters in `system_settings`; at very high request throughput this simple update strategy may need batching. - Step 6 (optional correlation-id index strategy) is in progress and intentionally not migrated yet due local baseline migration constraints. - Smoke script requires explicit admin bearer token and optional delivery id. ## Latest execution update (2026-03-11 10:06 Europe/Berlin) - Files: - docs/roadmap/master-steps-1-300.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (documentation and execution-governance expansion) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Table generation sanity check: 300/300 steps present in `docs/roadmap/master-steps-1-300.md` - Risks/edge cases: - Owner assignments are intentionally `unassigned` by default and require explicit team allocation before sprint execution. - Manual status drift is possible without governance discipline; update cadence should be enforced per sprint review. ## Latest execution update (2026-03-11 09:56 Europe/Berlin) - Files: - docs/roadmap/next-200-steps.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (documentation expansion only) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Risks/edge cases: - Extended roadmap intentionally broad; should be sprint-groomed before execution to prevent scope overflow. - Dependency-heavy items (payments/SSO/AI/media) may require reprioritization based on external constraints. ## Latest execution update (2026-03-11 09:50 Europe/Berlin) - Files: - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (Roadmap-Clustering in Sprint-Pakete) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Risks/edge cases: - Sprint-Cluster setzen implizit Reihenfolge; bei externen Blockern (Payment/3rd-party APIs) kann einzelne Umplanung zwischen Sprints noetig sein. - Parallelarbeit an mehreren Clustern sollte nur mit klarer Ownership erfolgen, um Merge-Konflikte in Kernmodulen zu reduzieren. ## Latest execution update (2026-03-11 09:33 Europe/Berlin) - Files: - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (Roadmap-Erweiterung auf 100 Schritte) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Risks/edge cases: - Umfangreiche Roadmap erfordert strikte Sprint-Planung und Ownership-Zuweisung, um Kontextwechselkosten zu begrenzen. - Reihenfolge ist risikoorientiert; bei externen Abhaengigkeiten (z. B. Payment/Zoom) kann Umpriorisierung erforderlich sein. ## Latest execution update (2026-03-11 09:20 Europe/Berlin) - Files: - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (priorisierte Dokumentationsstruktur) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: not applicable (no API changes) - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Risks/edge cases: - Priorisierung ist aktuell auf Stabilitaet/Sicherheit optimiert; Business-Features bleiben bewusst in `Spaeter`, bis kritische Betriebsrisiken weiter reduziert sind. - Bei geaenderter Teamkapazitaet sollte die Matrix pro Sprint neu gewichtet werden. ## Latest execution update (2026-03-11 09:15 Europe/Berlin) - Files: - docs/api/full-inventory.md - docs/PROJECT_MASTERPROMPT.md - Endpoints: - None (dokumentarische Vollinventur auf Basis bestehender Routen) - Migrations: - None - Verification outcome: - PHP syntax checks: not applicable (no backend files changed) - Route checks: source `backend/routes/api.php` and `backend/routes/console.php` used as inventory basis - Frontend build: not applicable (documentation-only update) - Focused smoke: not applicable (documentation-only update) - Risks/edge cases: - Die Inventur bildet den aktuellen Stand exakt ab; bei neuen Routen/Commands muss sie aktiv nachgezogen werden. - Pfade mit dynamischen Parametern (`{...}`) sind bewusst funktional gruppiert, nicht nach interner Controller-Methode sortiert. ## Next logical steps Progress note (2026-03-11 10:35): - Steps 1-5 and 7-21 are implemented. - Step 6 is currently in progress. 1. Add API rate-limit telemetry counters to observability health (auth failures/429s). 2. Add admin dashboard widget for reCAPTCHA verification failure trend. 3. Add test coverage for reCAPTCHA-enabled login failure/success branches. 4. Add webhook payload version field and versioned schema docs. 5. Add observability CSV parser fallback handling for future quoted/text columns. 6. Add optional index strategy for webhook attempt correlation-id lookups at higher scale. 7. Add UI-level sort controls for admin webhook deliveries (`sort_by`, `sort_dir`). 8. Add frontend deep-link presets for webhook deliveries filters (`status`, date range, correlation). 9. Add end-to-end smoke script for admin observability + webhook delivery audit flows. 10. Add API telemetry for 5xx rates per endpoint group. 11. Add telemetry for Sanctum token failures and invalid signatures. 12. Add dashboard card for webhook circuit-breaker open/close state. 13. Add alerting thresholds for rising dead-letter growth slope. 14. Add automated check for stale scheduler heartbeats > SLA. 15. Add synthetic login probe with reCAPTCHA disabled/enabled modes. 16. Add automated daily OpenAPI drift check against route:list. 17. Add OpenAPI schemas for instructor notification CSV export parameters. 18. Add OpenAPI schemas for risk-alert CSV export sort/date filters. 19. Add request validation tests for webhook requeue bulk payload. 20. Add feature test for admin observability timeseries `days` bounds. 21. Add feature test for admin observability timeseries empty-dataset behavior. 22. Add feature test for instructor risk-alert CSV `max_rows` caps. 23. Add pagination contract tests for webhook deliveries filters. 24. Add correlation-id search performance benchmark dataset. 25. Add DB index migration for frequently filtered webhook columns. 26. Add DB index migration candidate for risk-alert date/risk-level filters. 27. Add query plan logging toggle for heavy analytics endpoints. 28. Add backend cache policy for expensive analytics aggregates. 29. Add cache invalidation strategy for analytics after grading updates. 30. Add API response-time histogram output in observability payload. 31. Add admin dashboard panel for API p95/p99 by route family. 32. Add export endpoint for observability heartbeat history CSV. 33. Add webhook delivery retry timeline chart dataset endpoint. 34. Add frontend retry timeline chart on webhook delivery detail page. 35. Add frontend saved filter presets for risk alerts. 36. Add frontend saved filter presets for webhook deliveries. 37. Add URL-state persistence for webhook deliveries page controls. 38. Add copy-share link button for filtered admin webhook list. 39. Add instructor dashboard quick links to unresolved critical alerts. 40. Add student exam attempt resume UX for interrupted sessions. 41. Add autosave conflict handling when multiple tabs answer same attempt. 42. Add explicit anti-cheat event reason codes mapping table in UI. 43. Add event-rate anomaly flagging for suspicious attempt details. 44. Add manual grading queue prioritization by pending age. 45. Add manual grading SLA indicator cards for instructors. 46. Add grader activity audit entries for short-answer changes. 47. Add rubric template support for short-answer grading consistency. 48. Add assignment review rubric support in instructor queue flow. 49. Add assignment feedback attachments support (instructor side). 50. Add student side rich feedback rendering for reviewed assignments. 51. Add assignment late-penalty policy configuration by course. 52. Add assignment resubmission policy controls (attempt limits/windows). 53. Add course assignment plagiarism-check integration hook. 54. Add malware scan retry/backoff behavior for transient scanner errors. 55. Add storage quota monitoring per course and per tenant context. 56. Add S3/R2 multipart upload support for large assignment files. 57. Add signed URL expiration policy controls for file downloads. 58. Add file retention lifecycle policy settings for assignment uploads. 59. Add course lesson resource versioning metadata. 60. Add course content drip scheduling UI and API wiring. 61. Add lesson completion prerequisites and dependency graph support. 62. Add live-class session model and Zoom meeting metadata storage. 63. Add live-class join tracking and attendance analytics. 64. Add enrollment domain model expansion for paid/free/course bundles. 65. Add shopping cart domain scaffolding (API + persistence). 66. Add wishlist domain scaffolding for courses and exams. 67. Add coupon domain model and validation engine (course/exam scope). 68. Add tax rule engine scaffold (region/currency aware). 69. Add Stripe checkout session API for course purchases. 70. Add PayPal order creation/capture API for course purchases. 71. Add payment webhook intake endpoint with signature verification. 72. Add payment transaction audit table and reconciliation command. 73. Add instructor revenue share ledger entries per successful payment. 74. Add payout schedule model and payout run command scaffold. 75. Add payout export CSV and audit detail pages for admin. 76. Add certificate template data model and asset storage flow. 77. Add marksheet template data model and render pipeline scaffold. 78. Add automatic certificate issuance trigger on completion criteria. 79. Add downloadable certificate/marksheet endpoints with signed access. 80. Add forum domain model (threads/posts/moderation states). 81. Add forum API with RBAC moderation actions. 82. Add forum notification triggers for replies/mentions. 83. Add multilingual i18n key registry and translation storage schema. 84. Add admin translation editor API (grouped sections support). 85. Add frontend runtime locale switch with persistence. 86. Add RTL layout support baseline in global styles. 87. Add theme token system (colors/typography/spacing) in frontend. 88. Add admin theme settings API with default theme selector. 89. Add drag-and-drop page builder schema and section registry. 90. Add page builder save/publish/version history API. 91. Add media manager API unification for course/page-builder assets. 92. Add maintenance mode admin controls with signed bypass tokens. 93. Add backup job orchestration command with retention rules. 94. Add restore dry-run validation command for backup archives. 95. Add system diagnostics endpoint bundle for support operations. 96. Add secure cache-clear endpoint with role + audit enforcement. 97. Add automated release checklist script (tests/routes/build/docs). 98. Add CI pipeline gate for API inventory and masterprompt freshness. 99. Add monthly roadmap review cadence entry in project docs. 100. Add quarterly architecture review checklist (security/perf/cost). ## Sprint-Pakete (10 x 10 Schritte)

Keine Detailzeilen vorhanden.