Feat security

.manifest

@@ -3,8 +3,8 @@
 # APP_CHANNEL defines the target branch inside the specified repository.
 
 ##> aavion/studio manifest ###
-APP_VERSION=0.2.4
-APP_DATE=2026-06-14
+APP_VERSION=0.2.5
+APP_DATE=2026-06-17
 APP_NAME=Studio
 APP_AUTHOR=Dominik Letica
 APP_DESCRIPTION=Symfony 8.1 based content-management system for structured project websites.

AGENTS.md

@@ -100,7 +100,21 @@
 - Translation changes must keep matching source catalogue files and keys synchronized across all locale directories under `translations/languages/`; runtime `translations/messages.*.yaml` files are generated from those sources.
 - Refactors before the first public `1.0.0` release may remove obsolete code instead of keeping compatibility shims, but callers, tests, docs, and class map entries must be updated immediately.
 - If a requested narrow change exposes unrelated drift, fix it only when it blocks the task; otherwise record the follow-up in `dev/WORKLOG.md`.
-- When addressing review findings, trace adjacent and analogous code paths that share the same policy, transition, or boundary, and apply or explicitly rule out the same fix there to avoid one-path-only hardening.
+
+### Review Finding Fixes
+- Before applying a fix for a review finding, trace the affected boundary from source to sink and inspect adjacent, related, and analogous code paths that share the same classifier, subscriber, guard, resolver, route family, subject selection, response behavior, storage boundary, or policy decision.
+- Prefer fixing the narrowest central boundary that covers all affected paths. Apply a path-local fix only when evidence shows the issue is truly path-specific.
+- Keep review fixes simple, modular, and minimally invasive. Do not broaden them into unrelated refactors, compatibility shims, or speculative redesigns.
+- While tracing the affected boundary, actively look for additional unreported edge cases, including bypasses, abuse paths, privacy leaks, performance regressions, setup/pre-auth behavior, disabled-feature fallbacks, response redaction, and cache/storage failure behavior.
+- Fix small in-scope adjacent issues directly when they share the same boundary and risk profile. Record larger or behavior-changing follow-ups in `dev/WORKLOG.md` instead of hiding them inside the review fix.
+- Add or update regression coverage for the reported finding and any adjacent paths changed by the fix. When an analogous path is inspected and intentionally not changed, make that reasoning clear in the worklog, final notes, or PR response where useful.
+
+### PR Readiness Audits
+- Before marking a branch, pull request, or feature slice ready for review, run the PR-readiness checklist as a real audit pass over the branch diff and the affected runtime surfaces. Do not treat checklist items as passive boxes to tick.
+- The audit must explicitly review security/privacy considerations; public entry points; authentication, authorization, sessions, secrets, browser storage, and response redaction; package/module boundaries; access levels; route/API/live endpoint scopes; naming and collision risks; setup/init/CI behavior; cross-platform behavior; disabled-feature fallbacks; process and environment handling; default seed coverage for implemented config keys; translations and user-facing copy; project-rule, architecture, naming, documentation, and performance drift; and captured follow-up tasks.
+- Use evidence from code inspection, focused tests, render checks, linting, documentation diffs, class map/worklog updates, and seed/default coverage as appropriate for the changed surface. If a checklist item is not applicable, record why instead of silently skipping it.
+- Fix small readiness issues directly when they are in scope and low risk. Record larger, behavior-changing, or separate-domain issues in `dev/WORKLOG.md` with a clear next action.
+- PR notes must summarize the readiness audit outcome, including verification commands, skipped checks or proof gaps, documentation/worklog/classmap status, translation status, security/privacy considerations, and remaining follow-ups.
 
 ## Build and Verification Commands
 - `bin/init` initializes the repository, refreshes dependencies and assets, locks referenced Symfony UX icons locally when possible, and is the preferred recovery path for broken or incomplete `vendor/` packages because it removes an existing `vendor/` tree before Composer runs.
@@ -183,6 +197,8 @@
 
 ## Review Mode
 - In code review, lead with findings ordered by severity and include file and line references.
+- Review-fix implementation must follow the Review Finding Fixes rules under Change Expectations before applying code changes.
+- PR-readiness sign-off must follow the PR Readiness Audits rules under Change Expectations instead of only copying checklist items.
 - Verify worklog, documentation, tests, class map, translations, screenshots, security notes, and PR checklist items when they are relevant to the reviewed change.
 - Check drift between code and feature drafts in `dev/draft/`; update it only when asked to make changes, otherwise report the drift.
 - Review translation coverage with `bin/lint <changed translation paths...>` when user-facing copy changed.

README.md

@@ -1,8 +1,8 @@
 # Studio
 
-> **Version**: 0.2.4  
+> **Version**: 0.2.5  
 > **Status**: Active development  
-> **Updated**: 2026-06-14  
+> **Updated**: 2026-06-17  
 > **Owner**: Dominik Letica  
 > **Purpose:** A Symfony-based CMS foundation for structured, extensible project websites.  
 

SECURITY.md

@@ -1,21 +1,21 @@
 # Security Policy
 
 > **Status**: Active  
-> **Updated**: 2026-05-20   
+> **Updated**: 2026-06-16   
 > **Owner**: Dominik Letica  
 > **Purpose:** Support and reporting policy.  
 
 ## Supported Versions
 
-### main-Channel
-Stable builds (`main`-branch or stable releases, where `main` always reflects the latest stable release) are supported at least until the next version is publicly available.  
+### stable-Channel
+Stable builds (`stable-*`-branch or tagless releases) are supported at least until the next version is publicly available.  
 Please consider to keep your environment always up to date for security patches to apply.  
 If you're facing any problems, please feel free to [report](https://github.com/aavion/studio/issues) them to get assistance.  
 **Note:** Versions prior to the first major release are considered `dev` (see below).  
 
 | Version | Supported          |
 | ------- | ------------------ |
-| < 1.0.0 | :x: (see `dev`)    |
+| < 1.0.0 | :x:                |
 
 ### beta-Channel
 Beta builds (`beta-*` branch or releases with `beta`-tag) receive limited support via GitHub Issues at least until the next version is publicly available.  

assets/styles/system/base.css

@@ -685,6 +685,24 @@ html {
     border-bottom: 0;
 }
 
+.system-acl-group-grid {
+    display: grid;
+    gap: 0.5rem;
+    min-width: min(100%, 22rem);
+}
+
+.system-acl-group-row {
+    align-items: center;
+    display: grid;
+    gap: 0.5rem;
+    grid-template-columns: minmax(10rem, 1fr) minmax(8rem, 12rem);
+}
+
+.system-acl-group-row code {
+    display: block;
+    margin-top: 0.125rem;
+}
+
 .system-markdown,
 .system-rich-text {
     @apply text-base leading-7;

config/services.yaml

@@ -41,6 +41,9 @@ services:
         App\Core\Event\EventHookDescriptorProviderInterface:
             tags:
                 - { name: 'system.event_hook_provider', priority: 0 }
+        App\Core\Geo\GeoIpProviderInterface:
+            tags:
+                - { name: 'system.geoip_provider', priority: 0 }
         App\Backend\BackendViewProviderInterface:
             tags:
                 - { name: 'system.backend_view_provider', priority: 0 }
@@ -71,6 +74,9 @@ services:
         App\Security\AclGroupReferenceProviderInterface:
             tags:
                 - { name: 'system.acl_group_reference_provider', priority: 0 }
+        App\Core\AdminAcl\AdminFeatureProviderInterface:
+            tags:
+                - { name: 'system.admin_feature_provider', priority: 0 }
 
     # makes classes in src/ available to be used as services
     # this creates a service per class whose id is the fully-qualified class name
@@ -106,6 +112,7 @@ services:
             - '../src/**/*Scope.php'
             - '../src/**/*Source.php'
             - '../src/Debug/RouteRenderOptions.php'
+            - '../src/Core/Geo/GeoIp2MaxMindDatabaseReader.php'
             - '../src/Core/Package/PackageSpec.php'
             - '../src/**/*Spec.php'
             - '../src/**/*Status.php'
@@ -172,6 +179,10 @@ services:
         arguments:
             $sessionFactory: '@session.factory'
 
+    App\Command\RenderRouteCommand:
+        arguments:
+            $environment: '%kernel.environment%'
+
     App\Setup\SetupRedirectSubscriber:
         arguments:
             $projectDir: '%kernel.project_dir%'
@@ -211,6 +222,10 @@ services:
         arguments:
             $providers: !tagged_iterator { tag: system.backend_view_provider }
 
+    App\Core\AdminAcl\AdminFeatureRegistry:
+        arguments:
+            $providers: !tagged_iterator { tag: system.admin_feature_provider }
+
     App\View\Injection\ViewInjectionRegistry:
         arguments:
             $staticProviders: !tagged_iterator { tag: system.static_view_injection_provider }
@@ -249,6 +264,20 @@ services:
         arguments:
             $providers: !tagged_iterator { tag: system.acl_group_reference_provider }
 
+    App\Security\RateLimit\RateLimitLimiterFactory:
+        arguments:
+            $cachePool: '@cache.rate_limiter'
+            $lockFactory: '@lock.factory'
+
+    App\Security\RateLimit\RateLimitRequestSubscriber:
+        arguments:
+            $environment: '%kernel.environment%'
+            $projectDir: '%kernel.project_dir%'
+
+    App\Security\RateLimit\RateLimitAuthenticationSubscriber:
+        arguments:
+            $environment: '%kernel.environment%'
+
     App\Localization\TranslationLanguageCatalog:
         arguments:
             $projectDir: '%kernel.project_dir%'
@@ -372,7 +401,33 @@ services:
         alias: App\Core\Log\AccessLogger
 
     App\Core\Geo\GeoIpResolverInterface:
-        alias: App\Core\Geo\NullGeoIpResolver
+        alias: App\Core\Geo\GeoIpResolver
+
+    App\Core\Geo\GeoIpResolver:
+        arguments:
+            $providers: !tagged_iterator { tag: system.geoip_provider }
+            $fallbackProvider: '@App\Core\Geo\NullGeoIpProvider'
+
+    App\Core\Geo\MaxMindGeoIpDatabaseReaderFactoryInterface:
+        alias: App\Core\Geo\GeoIp2MaxMindDatabaseReaderFactory
+
+    App\Core\Geo\MaxMindGeoIpDownloadClientInterface:
+        alias: App\Core\Geo\HttpMaxMindGeoIpDownloadClient
+
+    App\Core\Geo\MaxMindGeoIpArchiveExtractorInterface:
+        alias: App\Core\Geo\MaxMindGeoIpArchiveExtractor
+
+    App\Core\Geo\HttpMaxMindGeoIpDownloadClient:
+        arguments:
+            $httpClient: null
+
+    App\Core\Geo\MaxMindGeoIpProvider:
+        arguments:
+            $projectDir: '%kernel.project_dir%'
+
+    App\Core\Geo\MaxMindGeoIpDatabaseUpdater:
+        arguments:
+            $projectDir: '%kernel.project_dir%'
 
     App\Core\Log\OperationLoggerInterface:
         alias: App\Core\Log\OperationLogger
@@ -407,6 +462,10 @@ services:
             $cacheDir: '%kernel.project_dir%/var/cache'
             $environment: '%kernel.environment%'
 
+    App\Security\Abuse\AbuseSubjectResolver:
+        arguments:
+            $secret: '%kernel.secret%'
+
     App\Core\Security\SecretPayloadProtector:
         arguments:
             $secret: '%kernel.secret%'
@@ -511,6 +570,8 @@ services:
 
     App\View\Http\HttpErrorRenderer:
         arguments:
+            $projectDir: '%kernel.project_dir%'
+            $environment: '%kernel.environment%'
             $debug: '%kernel.debug%'
 
     App\View\Http\HttpErrorSubscriber: