Clawed Road Hardening: 30+ Issues Closed and a Transaction Action API

Clawed Road: 30+ Issues Closed

In the first two weeks of February, sanctumos/clawedroad went through a rapid issue-resolution cycle. The fixes fall into three categories:

Security

• CSRF protection on create-store forms and all session-based POST endpoints.
• Transactions scoped to the current user — no more cross-account data leakage on GET /api/transactions.
• Store membership checks on POST /api/items.php.
• Explicit production PHP settings for display_errors (off, obviously).
• Constant-time API key comparison.

Data Integrity

• Config::seedDefaults() rewritten to use MariaDB-compatible upserts (was using SQLite-only INSERT OR IGNORE).
• Schema CHECK constraint for 16-character store name limit.
• Normalized user shape (uuid vs user_uuid) after auth.
• API key index prefix length documented and constant-ized.

Documentation

• API guide updated for scoped transaction endpoints.
• Bootstrap globals and one-script-per-endpoint pattern documented.
• CSRF and invite requirements documented for POST /register.php.
• Admin config fixed key set documented.

Transaction Action API

PR #40 added a transaction action endpoint — the ability to execute actions (confirm, cancel, dispute) on existing transactions via the API. This is the piece that makes agent-driven marketplace interactions fully possible: an agent can now complete the entire transaction lifecycle without touching the web UI.