AIOS Build — Status Dashboard

Live assessment · generated 2026-07-02 11:13:10 UTC · regenerate with php bin/aios-assess.php

18
Passing
0
Failing
1
Warnings
3
Open Bugs
6
Fixed

Environment

Runtime prerequisites the app needs to boot.

PASS
PHP runtime
PHP 8.4.7 (requires >= 8.2)
8.4.7
PASS
MySQL connection (database "aiosbuild")
Connected to dev database.
server 9.6.0
PASS
API server reachable (:8080)
API server responding.
HTTP 200
PASS
Web server reachable (:8090)
Web server responding.
HTTP 200

Database & Seed Data

Schema presence and whether reference data is loaded.

PASS
Core tables present
11 expected tables exist.
directives, directive_categories, escalation_rules, knowledge_patterns, projects, roles, users, permissions, audit_log, governance_requests, sessions
PASS
Directives seeded
6 directives loaded — intent matching can work.
count=6
PASS
Escalation rules seeded (table)
8 rows.
count=8
PASS
Roles & users seeded
roles=5, users=1 — login is impossible with 0 roles/users (DATA-02).

API Layer (:8080)

The locked v1 governance API surface.

PASS
GET /api/v1/health
status=healthy, pipeline_services=7
{"status":"healthy","service_name":"AIOS Build Governance API","phase":"3.2","locked_phase":"3.2B","test_baseline":347,"governance_status":"locked","api_status"
PASS
GET /api/v1/governance/rules
8 rules returned.
{"total_rules":8,"rules":[{"rule_id":1,"rule_name":"Performance Impact Rule","public_description":"Detects changes with
PASS
POST /api/v1/requests (pipeline)
decision=approve, risk=15
{"request_id":"req_124f53327d9e3506967102489583c872","decision":"approve","risk_score":15,"risk_severity":"medium","escalation_rules_trigger
PASS
API error responses are clean JSON (no PHP warning leak)
Error path returns clean JSON.
{"error":{"code":"VALIDATION_ERROR","message":"request field is required","status":400},"status_code
PASS
No PHP 8.4 implicit-nullable deprecations (source)
No implicit-nullable typed params found.
PASS
Confidence value is a sane percentage
confidence=65%
confidence: 65%

Web / UI Layer (:8090)

Browser-facing pages and auth gating.

PASS
GET /login renders
Login page renders with a form.
HTTP 200
PASS
GET /governance requires auth
Redirects unauthenticated users to /login.
HTTP 302
PASS
GET /governance/history requires auth
Redirects unauthenticated users to /login.
HTTP 302
PASS
End-to-end login flow
Logged in as 'admin' — POST /login redirects (302) to /governance.
Location: /governance

Automated Test Suite

PHPUnit unit + integration coverage.

INFO
PHPUnit
Skipped (--fast).

CLI & Relay Components

Ancillary tooling shipped in the repo.

WARN
bin/aios-audit CLI
Runs but requires AIOS_API_KEY env var to talk to the audit API.
Error: AIOS_API_KEY environment variable not set
INFO
AIOS_RELAY present
Separate Python relay component exists (assessed separately — not part of the core web app).
AIOS_RELAY/aios_relay.py

Known Issues Registry

Curated findings & fix status (from bin/aios-assess-bugs.json). Sorted: open first, then by severity.

MEDIUM
Root router.php is a Phase-1a stub (only /health) CFG-01 Config
index.php -> router.php only answers GET /health and 404s everything else with 'Phase 1a database foundation only.' The real app is split across src/web/index.php and src/api/index.php, which is undocumented and confusing as the apparent front door.
MEDIUM
Hardcoded API URL + undocumented two-server topology CFG-02 Config
src/web/index.php constructs APIClient('http://localhost:8080'). README documents ports 8000 (backend) and 3000 (frontend), which match neither the code nor each other. Running the UI requires two PHP servers (API on 8080, web on another port) plus MySQL, none of which is documented.
LOW
escalation_rules DB table is unused (rules hardcoded in PHP) CFG-03 Config
GET /governance/rules and the pipeline return 8 escalation rules sourced from PHP code even when the escalation_rules table is empty. The seeded table and the code list can drift apart with no single source of truth.
CRITICAL
Dev database 'aiosbuild' did not exist ENV-01 FIXED
Only 'aiosbuild_test' existed. The running app connects to 'aiosbuild' (per .env) and was dead on arrival until the DB was created and migrated.
✓ Created database + ran all 6 migrations (bin/migrate.php).
CRITICAL
Seed data never loaded (directives / categories / rules empty) DATA-01 FIXED
directives, directive_categories, knowledge_pattern_categories, escalation_rules tables were all empty. Intent detection returned 0% confidence / 'No Matching Directive' for every request, gutting the core NL->directive product value. migrate.php does not load database/seeds/*.sql.
✓ Loaded database/seeds/*.sql (6 directives, 6 categories, 8 rules) AND fixed the root cause: bin/migrate.php now auto-runs bin/seed.php, which loads reference data when tables are empty. Fresh installs are runnable from migrate alone.
CRITICAL
No user/role seed - login impossible out of the box DATA-02 FIXED
roles, users, permissions tables are empty after migration. The /governance and /governance/history web routes require Admin/Operator/Reviewer/Requester roles that do not exist, so no one can ever log in on a fresh install.
✓ Added bin/seed.php: seeds the 5 roles via RoleService and creates a bootstrap 'admin' user (default password admin1234, override via AIOS_SEED_ADMIN_PASSWORD) assigned Admin. Verified: POST /login -> 302 -> /governance.
CRITICAL
session_start() never called - login always fails even with a valid user AUTH-01 FIXED
src/web/index.php never started a PHP session, so $_SESSION was empty on every request. The login CSRF token stored in $_SESSION['_csrf_token'] could never be validated, so POST /login always re-rendered the form (HTTP 200) instead of authenticating - login was impossible regardless of credentials. Found while verifying the DATA-02 seed.
✓ Added session_start() (httponly, SameSite=Strict) at the top of src/web/index.php before any output. Verified end-to-end: session cookie set, POST /login -> 302 -> /governance 200.
HIGH
PHP 8.4 Deprecation warning leaks into API JSON response body API-01 FIXED
ErrorResponse::error() declared 'int $statusCode = null' (implicit nullable, deprecated in PHP 8.4). When the API is served directly (php -S src/api/index.php) display_errors is on, so a raw '<br /><b>Deprecated</b>...' HTML block was prepended to the JSON body on the first error after a cold start, corrupting the response for any JSON client. Would become a fatal TypeError in PHP 9.
✓ Changed signature to '?int $statusCode = null'. Verified cold-start error response is now clean JSON.
HIGH
Confidence rendered as 6500% (0-1 vs 0-100 scale inconsistency) PIPE-01 FIXED
Root cause is a subsystem-wide scale inconsistency, not a one-line typo. The runtime + model contract use a 0-100 confidence scale (IntentClassification::validate() enforces 0..100; RuleEvaluator compares '< 70'; production emits 65), but the explainability subsystem (ExplainabilityService, ConfidenceExplanationBuilder, AuditTrailBuilder) was written for a 0-1 scale: it multiplied by 100 for display (-> 6500%), used '< 0.8'/'< 0.85' thresholds, and clamped overall confidence to min(1.0,...). The unit tests reinforced the mismatch by mocking 0-1 values (0.65, 0.85), so the suite never caught it.
✓ Standardized the explainability path on the authoritative 0-100 contract: removed the extra x100 in ExplainabilityService + ConfidenceExplanationBuilder + AuditTrailBuilder, changed thresholds to <80/<85, clamped overall to 100.0, and updated the 0-1 test fixtures/assertions across 4 test files to 0-100. Verified: live pipeline now shows 'confidence: 65%' and the full 527-test suite passes.
How to run the app (three processes):
1. mysql up & php bin/migrate.php
2. API: php -S localhost:8080 src/api/index.php
3. Web UI: php -S localhost:8090 src/web/index.php → open http://localhost:8090/login

This file is generated. Do not hand-edit — update checks in bin/aios-assess.php or findings in bin/aios-assess-bugs.json, then re-run.