# SOP v3.5.2 -- AI AGENT ENFORCEMENT MODE

Project Architecture Blueprint v3.5.2

------------------------------------------------------------------------

## DOCUMENT CONTROL

- Version: v3.5.2
- Status: Active
- Classification: Internal Architecture Standard
- Generated At: 2026-03-01 00:00:00 UTC
- Approved By: System Architecture Authority
- Review Cycle: Mandatory Review Every Major Version Upgrade

------------------------------------------------------------------------

## FILOSOFI

Strict Logic--View Separation  
Hardened Routing  
Centralized Logging  
Zero-Trust Security by Default  
Admin/Public Structural Clarity  
Defense-in-Depth Architecture  
Least Privilege Principle

------------------------------------------------------------------------

# SECTION 1 --- PROJECT STRUCTURE (STRICTLY ENFORCED)

/root-project  
├── /config  
├── /core  
├── /src/modules/public  
├── /src/modules/admin  
├── /templates/pages/public  
├── /templates/pages/admin  
├── /storage/logs  
├── /storage/uploads  
├── /storage/cache  
├── /storage/audit  
├── /public (WEBROOT)  
├── bootstrap.php  
└── .env

Document root WAJIB diarahkan ke `/public`.

DILARANG:
- Menaruh file executable di `/storage`
- Menaruh `.env` di dalam `/public`
- Menaruh source PHP di dalam `/public`

------------------------------------------------------------------------

# SECTION 2 --- ENVIRONMENT & ERROR SYSTEM

Production:
- display_errors = 0
- log_errors = 1
- error_log → /storage/logs
- expose_php = Off

Development:
- display_errors = 1
- error_reporting = E_ALL

Session Security:
- cookie_httponly = 1
- cookie_secure = true jika HTTPS
- cookie_samesite = Lax
- session_regenerate_id(true) setelah login
- Session timeout wajib diterapkan
- Session fixation prevention mandatory

Error Policy:
- Never expose stack trace in production
- Internal exception only in logs
- All fatal errors must be logged

------------------------------------------------------------------------

# SECTION 3 --- ROUTER HARDENING

- Regex whitelist: [a-zA-Z0-9/_-]+$
- Block ".."
- realpath() validation
- Must remain inside /src/modules
- abort(404) if invalid

Admin routes (`admin/*`) → resolve only to `/src/modules/admin/*`  
Other routes → resolve only to `/src/modules/public/*`

All admin modules MUST use:
- require_auth()
- require_role('admin')

Default policy:
- deny unless explicitly allowed

Router Security Rules:
- No dynamic include without validation
- No direct file access
- No arbitrary controller execution
- All route params must be sanitized

------------------------------------------------------------------------

# SECTION 4 --- ZERO-TRUST AUTHORIZATION

DILARANG:
- Direct $_SESSION access
- die('Forbidden')
- Role check manual inline

WAJIB:
- require_auth()
- require_role('admin')
- abort(403)
- Centralized authorization middleware

Authorization Principles:
- Least privilege access
- Deny by default
- Explicit allow policy
- Role escalation prevention mandatory

------------------------------------------------------------------------

# SECTION 5 --- LOGIC & VIEW SEPARATION

/src/modules → Logic only  
/templates → View only

Prepared statements mandatory.  
CSRF verification mandatory for POST.

DILARANG:
- SQL di template
- HTML di src/modules
- Business logic di template
- Direct echo user input

WAJIB:
- e() escaping untuk semua output user
- View rendering terpisah
- Validation sebelum processing

------------------------------------------------------------------------

# SECTION 6 --- DATABASE SECURITY

- Prepared statements only
- No SQL interpolation
- Use Database::query($sql, $params)
- Parameter binding mandatory
- Database credentials via .env only

Password Policy:
- password_hash() mandatory
- password_verify() mandatory
- Use PASSWORD_ARGON2ID jika tersedia
- Fallback PASSWORD_BCRYPT
- Plaintext password strictly forbidden

Database Protection:
- Disable root DB usage in production
- Principle of minimum privilege
- Separate DB user for production
- Query logging for critical operations

------------------------------------------------------------------------

# SECTION 7 --- CSRF PROTECTION

All POST endpoints must call verify_csrf().  
All forms must include csrf() hidden field.

Additional Requirements:
- CSRF token rotation supported
- Token expiration validation
- Reject missing token automatically

------------------------------------------------------------------------

# SECTION 8 --- XSS PROTECTION

WAJIB:
- e() untuk semua output variable
- htmlspecialchars ENT_QUOTES UTF-8
- Escape output by default

DILARANG:
- raw echo user input
- innerHTML tanpa sanitasi
- render HTML user tanpa purifier

Optional Hardening:
- HTMLPurifier untuk rich text input
- CSP header enforcement

------------------------------------------------------------------------

# SECTION 9 --- UPLOAD SECURITY

- Store in /storage/uploads
- Random filename
- Validate MIME
- Allowlist: jpg, png, pdf
- Block executable types
- Never store executable in /public
- Max upload size enforced
- Double extension blocked

WAJIB:
- finfo_file() MIME verification
- Rename uploaded file
- Scan extension + MIME

DILARANG:
- Original filename trust
- Public executable upload
- Direct user path usage

------------------------------------------------------------------------

# SECTION 10 --- RESPONSE STANDARDIZATION

Use:
- abort(403)
- abort(404)
- abort(500)

Never expose stack trace in production.

API Response Rules:
- Consistent JSON structure
- Standardized error schema
- No internal path leakage
- No SQL error exposure

------------------------------------------------------------------------

# SECTION 11 --- RATE LIMITING & ABUSE PROTECTION

WAJIB:
- Login rate limiting
- API abuse throttling
- Request flood protection
- Brute force mitigation

Recommended:
- IP-based throttling
- User-based throttling
- Temporary lockout after repeated failures

------------------------------------------------------------------------

# SECTION 12 --- SECURITY HEADERS

WAJIB:
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy minimal access

Recommended:
- Content-Security-Policy (CSP)
- Strict-Transport-Security (HSTS)

DILARANG:
- Inline script tanpa CSP strategy
- Weak security header configuration

------------------------------------------------------------------------

# SECTION 13 --- AUDIT LOGGING

Critical actions MUST be logged:
- Login
- Logout
- Failed login
- Password reset
- Admin CRUD
- Permission changes
- Sensitive data access

Audit log format minimum:
- User ID
- Timestamp
- IP Address
- Action
- Target resource

Logs must be stored in:
- /storage/audit

------------------------------------------------------------------------

# SECTION 14 --- VALIDATION LAYER

WAJIB:
- Centralized validation system
- Input sanitization
- Type enforcement
- Length validation
- Allowlist validation

DILARANG:
- Trust raw request data
- Processing unvalidated input

Recommended:
- DTO / Request object pattern
- Validation helper abstraction

------------------------------------------------------------------------

# SECTION 15 --- DEPENDENCY & PACKAGE SECURITY

WAJIB:
- Dependency version pinning
- Composer audit before deployment
- Remove unused dependency
- Environment separation

Recommended:
- Vulnerability scanning
- Automated dependency check
- Lock file validation

DILARANG:
- Installing unknown package without review
- Production debug dependency

------------------------------------------------------------------------

# SECTION 16 --- AI ENFORCEMENT RULES

AI MUST NOT:
- Mix logic & view
- Disable security
- Create raw SQL
- Store executable uploads in public
- Bypass middleware
- Modify bootstrap without approval
- Disable validation
- Bypass CSRF
- Output unsafe HTML

AI MUST:
- Follow layered architecture
- Respect routing boundaries
- Apply security by default
- Preserve auditability

------------------------------------------------------------------------

# SECTION 17 --- MANDATORY AI OUTPUT CHECKLIST

[ ] Prepared statement used  
[ ] XSS protected with e()  
[ ] CSRF verified  
[ ] Role middleware applied  
[ ] No logic in templates  
[ ] No HTML in src  
[ ] Router safe  
[ ] Upload policy respected  
[ ] Session security maintained  
[ ] Error handled with abort()  
[ ] Password hashing applied  
[ ] Validation enforced  
[ ] Security headers configured  
[ ] Rate limiting applied  
[ ] Audit logging enabled

------------------------------------------------------------------------

# SECTION 18 --- UI/UX RULES (TAILWIND)

- One H1 per page
- One primary CTA
- Mobile-first
- Focus ring must remain
- e() required for all output variables
- Accessible form labels mandatory
- Semantic HTML preferred

------------------------------------------------------------------------

## DOCUMENT INTEGRITY

This document is auto-generated and version-controlled.

------------------------------------------------------------------------

## DIGITAL SIGNATURE

Document Hash (SHA-256):

[GENERATE HASH AFTER FINAL APPROVAL]

This hash ensures document integrity.  
Any modification to this file will change the hash value.

END OF SOP v3.5.2

