feat(anonymisation-append-basis-summary-flag): implement spec (#154)

[rubenvdlinde]

Closes #154

Summary

Auto-generated draft PR for OpenSpec change anonymisation-append-basis-summary-flag.
The Hydra builder ran the spec but could not run gh pr create itself
(Phase D+E credential strip — Claude has no GH_TOKEN by design).
The entrypoint detected commits on the feature branch with no PR and
created this draft so the reviewer + security + applier can proceed.

Spec Reference

• Issue: Implement: Anonymisation Append Basis Summary Flag #154
• Spec: /spec/
  • /spec/proposal.md
  • /spec/design.md
  • /spec/tasks.md

Commits on this branch

• 48af505 chore: add task-audit.json per Rule 2a (Implement: Anonymisation Append Basis Summary Flag #154)
• 25b036e chore: set design.md status to pr-created (Implement: Anonymisation Append Basis Summary Flag #154)
• 34f4787 feat: add appendBasisSummary flag to anonymise endpoints (Implement: Anonymisation Append Basis Summary Flag #154)

Files changed

• CHANGELOG.md
• docs/features/anonymization.md
• lib/Controller/AnonymizationController.php
• lib/Controller/BatchAnonymizationController.php
• lib/Service/AnonymizationService.php
• lib/Service/BatchAnonymizeService.php
• openspec/changes/anonymisation-append-basis-summary-flag/design.md
• openspec/changes/anonymisation-append-basis-summary-flag/tasks.md
• task-audit.json
• tests/bootstrap-unit.php
• tests/stubs/NextcloudStubs.php
• tests/unit/Controller/AnonymizationControllerTest.php
• tests/unit/Service/AnonymizationServiceTest.php
• tests/unit/Service/BatchAnonymizeServiceTest.php

---

PR auto-created by Hydra builder entrypoint (hydra_ensure_pr_exists)
because Claude's session closed without running gh pr create.
Reviewer + applier follow as normal.

[github-actions]

Quality Report — ConductionNL/docudesk @ c44d894

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		❌
stylelint		❌
composer			✅	✅ 108/108
npm			❌	❌
PHPUnit					⏭️
Newman					⏭️
Playwright					⏭️

---

Quality workflow — 2026-05-18 19:20 UTC

Download the full PDF report from the workflow artifacts.

[rubenvdlinde]

Code Review — Juan Claude van Damme

Result: FAIL (1 fix applied, 3 unfixed findings, 2 checks skipped)

---

Fix Applied

• appinfo/info.xml: Resolved merge conflict — kept PR branch version 0.0.34-unstable.8 over development's 0.0.33.

---

Gate Results

Gate	Result	Notes
gate-1 spdx-headers	PASS
gate-2 forbidden-patterns	PASS
gate-3 stub-scan	PASS
gate-5 route-auth	PASS
gate-6 orphan-auth	PASS
gate-7 no-admin-idor	FAIL	13 methods — ALL pre-existing on origin/development
gate-8 unsafe-auth-resolver	PASS
gate-9 semantic-auth	PASS
gate-14 route-reachability	FAIL	Gate-script false positive — snake_case vs camelCase routing

---

Unfixed Findings

[CRITICAL] Gate-7 — No-admin-IDOR: AnonymizationController (4 methods)
File: lib/Controller/AnonymizationController.php:80,116,179,215
Methods files, upload, extract, anonymize all carry @NoAdminRequired but have no per-object ownership guard. Pre-existing on origin/development — not introduced by this PR. Security finding → escalated to Clyde.

[CRITICAL] Gate-7 — No-admin-IDOR: BatchAnonymizationController (9 methods)
File: lib/Controller/BatchAnonymizationController.php:101,136,178,199,250,303,348,368,382
Methods batchUpload, folderBatch, batchExtract, batchStatus, batchEntities, batchAnonymize, batchReport, getProfiles, updateProfiles all carry @NoAdminRequired but have no per-object ownership guard. Pre-existing on origin/development — not introduced by this PR. Security finding → escalated to Clyde.

[WARNING] Gate-14 — Route-reachability: gate-script false positive (9 methods)
File: lib/Controller/BatchAnonymizationController.php
The gate derives expected slug batchAnonymization#... (lowercase-first-char of BatchAnonymization) but Nextcloud uses snake_case batch_anonymization for multi-word controller names. All 9 routes are correctly defined in appinfo/routes.php and are functional. This is a gate-script limitation, not a broken route. Pre-existing on origin/development — not introduced by this PR.

---

Checks Skipped

• composer check:strict (phpcs/psalm/phpstan/phpmd): not installed in reviewer container; builder's Rule 0b ran these in the authoritative environment per CLAUDE.md.
• composer test:unit (phpunit): same reason. Builder passed unit tests before PR creation.

npm

• npm run lint: PASS (no eslint errors)
• npm test: unit suite PASS (src/store/modules/navigation.spec.ts — 3 tests); e2e failure on tests/e2e/docs-screenshots.spec.ts is pre-existing, not in PR diff.

---

Code Quality Assessment

The appendBasisSummary feature implementation is clean and correct:

• AnonymizationController.anonymize() extracts and validates the flag via the new extractAppendBasisSummary() private helper (clean extraction pattern).
• BatchAnonymizationController.batchAnonymize() validates the flag inline (minor duplication vs. the single-file controller, but acceptable given they are separate classes).
• AnonymizationService.tryAppendBasisSummary() correctly soft-fails: catches \Throwable, logs a warning, adds a structured warning field to the result — never silently drops the anonymized file.
• BatchAnonymizeService.anonymizeBatch() correctly forwards appendBasisSummary to each per-file call and surfaces per-file warning/summaryFileId fields.
• Tests cover the new params, flag forwarding, warning field shape, and preserve-mode summary fields.
• The NextcloudStubs.php correctly stubs OCP interfaces needed for controller unit tests.

---

Advisories

MCP coverage (advisory) — This app does not yet publish an IMcpToolProvider and has no opt-out recorded in openspec/project.md. Per ADR-035, consider whether this PR's surface (anonymization endpoints with @NoAdminRequired) should be MCP-callable. If yes, file a follow-up issue. If the app should opt out, add an ## MCP coverage block to project.md in a follow-up PR.

---

Out-of-scope inherited debt (informational)

• Gate-7 violations affect ALL @NoAdminRequired methods across both anonymization controllers — these pre-date this PR and should be addressed in a dedicated security hardening PR reviewed by Clyde.
• Gate-14 false positive for BatchAnonymizationController reflects a gate-script limitation: it doesn't apply the CamelCase→snake_case conversion that Nextcloud uses for multi-word controller names. The script should be updated to treat BatchAnonymization → batch_anonymization as the expected route prefix.

---

🤖 Changes Juan Claude van Damme applied

• 442cf2a — Initial commit
• 7eab992 — Lets setup the app
• 36e2603 — Lets commit a bit more
• 1f361c5 — Bump version to 0.0.3
• 5e41e39 — Firt tit tats of frontent
• 6ba3f48 — Setting up th docs
• f00ac48 — Remove the custom sidebar
• 22063c5 — Side bar fix
• 7b3ece3 — Last Docu Desk naming
• 3b2e8e2 — Forgot One
• 582641e — Add the puml
• b234fcc — Render PlantUML files
• e48c908 — Rework the puml
• c928123 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 37976cc — Stupid typo
• 52fad7c — Recovering the gdpr instruction
• 1251695 — Small fixes to the anonimisation flow
• 5f36cf1 — Render PlantUML files
• fa20688 — Remove handwritten
• 4a2267e — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 1cd19d1 — Render PlantUML files
• 735a804 — Lets talk about workflows
• 3c09016 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 9de2f71 — Let set a puml for the workflow
• a71f9ad — Render PlantUML files
• 59de266 — Add the logo
• 1759b57 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• fa0f30a — Lets make the workflow visable
• aa23b7f — Correct logo
• 1d32cd1 — Lets not use the word flow two time
• e844ea4 — Lets add .app to the website name
• 5b60696 — Small schema fixes
• 4510849 — Render PlantUML files
• dc9c520 — Lets get a better tagline
• 41acfce — Style fixes
• b9579ff — Propper domain name
• a063dad — Lets try a slash deployment
• 7aebb93 — Opdate the DocuDesk theme
• e819bf6 — Fix CNAME
• c11e322 — Switch to docusaurus
• f13d94a — Fix the settings page
• dde2fe5 — Lets add api docs
• 74e2c5d — Broken api specs link
• 5b34f9d — Update the documentation
• 2d187be — Code cleanup
• c887e18 — So that fixes the layput
• 409a216 — Fixing the settings page
• 7838fb4 — The actual logic for the reporting analasys
• bc8004a — Adding to the settings page
• 912ea32 — Fixing report creation
• 7bc703c — Icon fixes
• eba2781 — Cleanup on property names
• dc1c00e — Lets deal with no text docments
• 5840831 — Lets make our limits known
• 210536f — Remove action menu
• c4908ad — Drop some non used stuff
• e650560 — Lets go on to extracting the texts
• 0c9e520 — Fixed reading txt files
• 9d0ddc7 — Bit of extra loging
• 74570bc — Fixed presidio
• 8bb6de8 — Lets make it a bit more readable
• 9aa1999 — Update to anonimization service
• d3fc3dc — Fixed circular reference
• b4372be — A raign of fixes
• 80122b7 — fixed invinite file creation
• 73a69c6 — Fixed the string replacement
• ddc9e45 — Ad gdpr workflow
• 3f14109 — Build the new docs
• 807f038 — Lets try this again
• d33fad0 — More broken links
• 73ed5d6 — Create crs-flow.yaml
• b717af0 — Bump version to 0.0.4
• 81aeb12 — Create docudesk.csr
• c29ea51 — Bump version to 0.0.5
• e875b1b — Merge pull request Documentation #26 from ConductionNL/documentation
• 7e5cfd3 — Bump version to 0.0.6
• add6ebb — Bump version to 0.0.7
• 22a82c6 — Update release-workflow.yaml
• 74b1a07 — Bump version to 0.0.8
• b3d1fb6 — Update release-workflow.yaml
• 74f941f — Bump version to 0.0.9
• 877ff24 — Update release-workflow.yaml
• 65dc2b7 — Bump version to 0.0.10
• 2b1ca47 — Update composer.json
• cb99280 — Bump version to 0.0.11
• f348f6d — Create beta-release.yaml
• 6bd034e — Bump version to 0.0.12
• 0a82880 — Lets get some work into supporting the new open register
• 679adc2 — Bump version to 0.0.13
• cb6bdb2 — Let fix some phpcs
• 4a72a2a — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 60073ce — Bump version to 0.0.14
• 2bc51c6 — Lets run report creation
• 3300e1e — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• c4a1d65 — Bump version to 0.0.15
• 7dba37d — Add the proper impoert
• 88541f6 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 3243383 — Bump version to 0.0.16
• a90276d — Procces reports
• feb1e62 — Fixed the autoloader issue
• 289280d — Get the text from word document
• e18d180 — Getting the text from pdf
• 5b7fae4 — Fixed doble reports
• 377b250 — Properly creating annonymization objects
• 16a801f — Dont loop anonymisations
• f192137 — Creating annomyized word files
• 534bc5e — Merge branch 'hotfix/zuiddrecht'
• 7f225e2 — Merge remote-tracking branch 'origin/main'
• 651aaf8 — Bump version to 0.0.17
• f99e0d1 — Lets fix the frontend
• 612741c — Fixed the index pages
• 0c9a337 — Update info.xml
• bb702f7 — Bump version to 0.0.18
• c17f0a3 — Update info.xml
• edfc7f0 — Bump version to 0.0.19
• 9864979 — First settup for settings service
• 0953d5d — Update to the configuration service
• 24016be — Merge remote-tracking branch 'origin/main' into hotfix/frontend
• cb4b11b — Merge branch 'hotfix/frontend'
• f15847f — Bump version to 0.0.20
• f148707 — Merge branch 'main' into hotfix/frontend
• 280786a — Fixes on build and $obj
• be7a4f6 — Fixes on build and $obj
• 1801bb0 — Merge branch 'hotfix/frontend'
• 6b0987e — Bump version to 0.0.21
• 16187d5 — Add licence checking
• 25d1926 — Lets automate our code quality checks
• f5b9a4f — Update README.md
• 60f090e — Bump version to 0.0.22
• 84c0ec2 — Fix for non-admin users
• e3e5ce5 — Merge branch 'hotfix/frontend'
• d762698 — Bump version to 0.0.23
• b842bf1 — Lets start linting this repository
• 5afe1ac — More styling fixes
• d9a46c7 — Remove some of the conflicting code
• b1ddac9 — Last of the linting :)
• 25a0026 — Lets update the code quality workflow
• f040f16 — Merge branch 'hotfix/frontend'
• b3cb216 — Bump version to 0.0.24
• 114cf74 — Lets update the code quility workflow
• e981d1d — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 3411723 — Bump version to 0.0.25
• 1f4f9ae — Lets try to fix the quality code code
• 6578e64 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 43ad3a8 — Bump version to 0.0.26
• d855047 — Bit more cleanup on the qi part
• bbffc73 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• d436652 — Bump version to 0.0.27
• bbef666 — Lets try to setup better testing
• a4a5fc4 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 4d14190 — Bump version to 0.0.28
• f923eb2 — Lets take a look at the linting of javascript files
• 4945d5e — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 7169e0e — Bump version to 0.0.29
• 117bd6e — Merge branch 'main' into hotfix/frontend
• 2812577 — Bit of work to get the quility checks more acurate
• b2075a8 — Lets switch to a reports page concept
• 93b6d55 — Mooie nieuwe raportage pagina's
• 7ead736 — Vernieuwde opzet van anonimizeren inc gdpr register
• 89c2d7e — Voorkom dubel raporteren van genonimiseerde bestanden
• c86bcf8 — Merge branch 'hotfix/frontend'
• 2b6f923 — Bump version to 0.0.30
• cca1861 — Lets add the entities Register
• c63d14b — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 4147f11 — Merge branch 'main' into hotfix/frontend
• 7ea7084 — Bump version to 0.0.31
• cef357c — First steps in indexing documents to solr
• 6e75343 — Add solr docker compose example
• b751bf0 — First working version including deletion
• c82335d — Finish up setting config for solr, also add a search provider to search
• 31c04c2 — Add documentation
• b55a5ca — feat: add Nextcloud 32 support
• 0e341be — Merge pull request Feature/nextcloud 32 support #31 from ConductionNL/feature/nextcloud-32-support
• 7639384 — Merge remote-tracking branch 'origin/feature/WOO-404/write-to-solr' into development
• 7178558 — Let get the code back to work
• b3a319a — Add dashboard widget, consent management, and CI/CD workflows
• ba735cb — Bump unstable version to 0.0.32-unstable.1 [skip ci]
• 4c2efc2 — Update branch protection: main from beta, beta from development
• 56b0550 — Bump unstable version to 0.0.32-unstable.2 [skip ci]
• a7d5d31 — Fix invalid dependency in info.xml
• 35ff5aa — Add three-tier release workflow files [skip ci]
• f34900b — fix: PHPCS coding standard fixes and quality tooling (fix: PHPCS coding standard fixes and quality tooling #35)
• 601e239 — Bump unstable version to 0.0.32-unstable.3 [skip ci]
• a48088a — Merge pull request chore: Merge development into main #38 from ConductionNL/development
• c293e40 — Bump version to 0.0.33 [skip ci]
• b0b3d9d — Merge https://github.com/ConductionNL/docudesk into pr-branch
• 893ab0d — fix(code-review bounded): Juan post-run mechanical commit

View full diff · 10 files changed, 125 insertions(+)

[rubenvdlinde]

📍 appinfo/info.xml:32 (outside PR diff — line-comment API rejected, posted as issue comment)

[fixed: merge conflict resolved] Kept PR branch version 0.0.34-unstable.8 over development's 0.0.33 — feature branch version wins.

[rubenvdlinde]

📍 lib/Controller/AnonymizationController.php:80 (outside PR diff — line-comment API rejected, posted as issue comment)

[unfixed: CRITICAL, security escalated to Clyde] gate-7-no-admin-idor: methods files(80), upload(116), extract(179), anonymize(215) carry @NoAdminRequired with no per-object ownership guard. Pre-existing on origin/development — not introduced by this PR.

[rubenvdlinde]

📍 lib/Controller/BatchAnonymizationController.php:101 (outside PR diff — line-comment API rejected, posted as issue comment)

[unfixed: CRITICAL, security escalated to Clyde] gate-7-no-admin-idor: methods batchUpload(101), folderBatch(136), batchExtract(178), batchStatus(199), batchEntities(250), batchAnonymize(303), batchReport(348), getProfiles(368), updateProfiles(382) carry @NoAdminRequired with no per-object ownership guard. Pre-existing on origin/development — not introduced by this PR.

[rubenvdlinde]

[unfixed: WARNING, gate false positive] gate-14-route-reachability: gate expects slug 'batchAnonymization#...' but Nextcloud uses snake_case 'batch_anonymization' for multi-word controller names. Routes ARE correctly defined in appinfo/routes.php. Gate-script limitation — not a real routing bug. Pre-existing on origin/development.

[rubenvdlinde]

📍 lib/Service/AnonymizationService.php:183 (outside PR diff — line-comment API rejected, posted as issue comment)

[info] tryAppendBasisSummary() catch(\Throwable) is correct soft-failure behavior for a non-auth feature method — gate-8 correctly does not flag this (not an auth/permission resolver).

[github-actions]

Quality Report — ConductionNL/docudesk @ 70fa65f

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		✅
stylelint		✅
composer			✅	✅ 108/108
npm			✅	✅ 529/529
PHPUnit					✅
Newman					⏭️
Playwright					⏭️

Coverage: 0% (0/10 statements)

---

Quality workflow — 2026-05-19 03:09 UTC

Download the full PDF report from the workflow artifacts.

[rubenvdlinde]

Security Review — Clyde Barcode

Result: PASS (0 fixed, 1 unfixed SUGGESTION, 0 blocking)

Check	Result
Semgrep p/security-audit + p/owasp-top-ten	✅ 0 findings (4 PHP files)
Semgrep p/secrets	✅ 0 findings (9 files)
gitleaks	✅ no secrets
composer audit --locked	✅ no PHP dep CVEs
npm audit --production	⚠️ 59 CVEs (inherited — package.json unchanged)
Manual OWASP review	✅ 1 SUGGESTION only

Findings

[SUGGESTION] outputFormat lacks allowlist validation (lib/Controller/AnonymizationController.php:236)

The outputFormat string param is accepted from user input without an allowlist check. Currently safe — only compared with === 'preserve' and logged as a PSR-3 context field, never used in file paths or OS calls. Recommend: in_array($outputFormat, ['pdf', 'preserve'], true) check at controller boundary, HTTP 400 on unknown values.

Inherited debt (informational, non-blocking)

• gate-7: 12–13 @NoAdminRequired methods across both controllers lack per-object ownership guards. All pre-existing (same counts on origin/development); this PR added zero new unguarded public methods. Recommend a dedicated ADR-005 compliance PR.
• gate-14: BatchAnonymizationController slug mismatch (batchAnonymization vs batch_anonymization). All routes correctly registered — gate false positive. Pre-existing.
• npm audit: 59 CVEs in Vue2 ecosystem transitive deps. package.json unchanged by this PR. Recommend a dedicated dep-bump PR.

See inline comments for per-finding detail.

---

🤖 Changes Clyde Barcode applied

None — review-only, no commits pushed to your branch.

[rubenvdlinde]

[unfixed: SUGGESTION] Rule: OWASP A03:2021 — outputFormat accepted as any string without allowlist validation. Currently safe (only compared with === 'preserve', never used in file paths/OS calls), but recommend in_array(['pdf','preserve']) check at controller boundary with HTTP 400 on unknown values.

[github-actions]

Quality Report — ConductionNL/docudesk @ ad5ef2b

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		✅
stylelint		✅
composer			✅	✅ 108/108
npm			✅	✅ 529/529
PHPUnit					✅
Newman					⏭️
Playwright					⏭️

Coverage: 0% (0/10 statements)

---

Quality workflow — 2026-05-19 03:22 UTC

Download the full PDF report from the workflow artifacts.