{
  "generatedAt": "2026-07-05T05:01:27+02:00",
  "scope": "Read-only endpoint inventory plus local regression evidence for SOLCOM Dogfood report",
  "safety": {
    "productionWritesPerformed": false,
    "sensitiveValuesPrinted": false,
    "notes": [
      "No live Salesforce Web-to-Lead POST was performed.",
      "No live Personio application smoke-test was performed.",
      "No Salesforce URL writeback or hard-delete migration was executed.",
      "Secrets were checked only as boolean value_present flags."
    ]
  },
  "environment": {
    "ddev": {
      "status": "running",
      "primaryUrl": "https://solcom.ddev.site",
      "php": "8.4",
      "database": "MariaDB 11.8",
      "mailpit": {
        "internalApi": "http://localhost:8025/api/v1/messages?limit=50",
        "publicUrl": "http://solcom.ddev.site:8025",
        "redactedSnapshot": "mailpit-redacted-snapshot-2026-07-05.json",
        "messages": 9
      },
      "routerWarning": "Router count mismatch: 30 loaded, 36 expected"
    },
    "runtimeConfig": {
      "symfonyMailerDefaultTransport": "sendgrid",
      "sendgridHost": "smtp.sendgrid.net",
      "sendgridPort": 587,
      "sendgridPassPresent": false,
      "friendlyCaptchaEndpoint": "local",
      "personioApiKeyValuePresent": false,
      "salesforceFcsbKeyValuesPresent": true
    }
  },
  "regressionRuns": [
    {
      "id": "salesforce_web_to_lead",
      "command": "ddev exec ./vendor/bin/phpunit -c web/core/phpunit.xml.dist web/modules/custom/solcom_salesforce_web_to_lead/tests",
      "exitCode": 0,
      "duration": "01:15.235",
      "tests": 9,
      "assertions": 52,
      "deprecations": 4,
      "result": "PASS with deprecations",
      "covered": [
        "Webform submission maps fixed hidden Salesforce fields",
        "New submissions post through a test double and mark sent",
        "HTTP failures mark the submission failed without throwing",
        "Submission updates do not duplicate-post"
      ]
    },
    {
      "id": "personio_application",
      "command": "ddev exec ./vendor/bin/phpunit -c web/core/phpunit.xml.dist web/modules/custom/solcom_vacancy_application/tests/src/Kernel/PersonioApplicationClientTest.php web/modules/custom/solcom_vacancy_application/tests/src/Kernel/ApplicationQueueWorkerTest.php web/modules/custom/solcom_vacancy_application/tests/src/Kernel/ApplicationPurgerTest.php web/modules/custom/solcom_vacancy_application/tests/src/Kernel/DlqAdminControllerTest.php web/modules/custom/solcom_vacancy_application/tests/src/Kernel/DlqConfirmFormTest.php",
      "exitCode": 0,
      "duration": "12:25.167",
      "tests": 36,
      "assertions": 306,
      "deprecations": 15,
      "result": "PASS with deprecations",
      "covered": [
        "Application JSON mapping and required fields",
        "Document upload request composition",
        "2xx, 4xx, 429, 5xx and network result handling",
        "Idempotency header determinism",
        "Queue retry, DLQ and purge lifecycle",
        "DLQ listing, requeue and resolve forms"
      ]
    },
    {
      "id": "salesforce_project_offer",
      "command": "ddev exec ./vendor/bin/phpunit -c web/core/phpunit.xml.dist web/modules/custom/solcom_project_offer/tests/src/Kernel/SalesforceClientTest.php web/modules/custom/solcom_project_offer/tests/src/Kernel/SfHttpFetcherTest.php web/modules/custom/solcom_project_offer/tests/src/Kernel/HardDeleteSubscriberTest.php",
      "exitCode": 0,
      "duration": "03:03.414",
      "tests": 8,
      "assertions": 39,
      "deprecations": 5,
      "result": "PASS with deprecations",
      "covered": [
        "Salesforce token refresh and cache hit",
        "401 retry and persistent 401 guard",
        "SOQL fetcher single page and pagination",
        "Hard-delete sweep empty-feed protection and missing-record deletion behavior"
      ]
    },
    {
      "id": "consent_and_maps",
      "command": "ddev exec ./vendor/bin/phpunit -c web/core/phpunit.xml.dist web/modules/custom/solcom_seo/tests/src/Kernel/UsercentricsAttachmentTest.php web/modules/custom/solcom_standort/tests/src/Kernel/StandortDisplayBlockTest.php",
      "exitCode": 0,
      "duration": "02:22.167",
      "tests": 5,
      "assertions": 37,
      "deprecations": 4,
      "result": "PASS with deprecations",
      "covered": [
        "Local Usercentrics fallback for DDEV hosts",
        "Production Usercentrics loader replacement",
        "GTM consent gating",
        "Standort map fallback without API key",
        "Google Maps API script loads only after explicit user action"
      ]
    }
  ],
  "endpoints": [
    {
      "id": "salesforce_fcsb_oauth",
      "service": "Salesforce FCSB OAuth",
      "method": "POST",
      "endpoint": "https://test.salesforce.com/services/oauth2/token",
      "sources": [
        "config/sync/solcom_project_offer.settings.yml",
        "web/modules/custom/solcom_project_offer/src/Service/SalesforceClient.php"
      ],
      "liveTestStatus": "not executed in this continuation",
      "localEvidence": "Runtime key values are present locally as booleans; previous local watchdog evidence shows repeated unsupported_grant_type token-refresh failures.",
      "risk": "blocker",
      "reason": "Project offer import/writeback readiness is not clean until token-refresh succeeds or cron is disabled for dogfood."
    },
    {
      "id": "salesforce_project_offer_rest",
      "service": "Salesforce Project Offer REST",
      "method": "GET/PATCH",
      "endpoint": "<salesforce-instance-url>/services/data/v60.0/...",
      "sources": [
        "web/modules/custom/solcom_project_offer/src/Plugin/migrate_plus/data_fetcher/SfHttpFetcher.php",
        "web/modules/custom/solcom_project_offer/src/Plugin/QueueWorker/SalesforceUrlWriteback.php",
        "web/modules/custom/solcom_project_offer/src/EventSubscriber/HardDeleteSubscriber.php"
      ],
      "liveTestStatus": "not executed against Salesforce",
      "localEvidence": "8 local Kernel tests PASS with 39 assertions for client/fetcher/hard-delete protection.",
      "risk": "medium",
      "reason": "Read/write contracts are locally covered, but live OAuth currently blocks production-like API validation."
    },
    {
      "id": "salesforce_web_to_lead",
      "service": "Salesforce Web-to-Lead",
      "method": "POST",
      "endpoint": "https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8&orgId=<redacted>",
      "sources": [
        "web/modules/custom/solcom_salesforce_web_to_lead/src/Service/SalesforceWebToLeadClient.php",
        "web/modules/custom/solcom_salesforce_web_to_lead/src/Plugin/WebformHandler/SalesforceWebToLeadHandler.php",
        "config/sync/webform.webform.salesforce_web_to_lead.yml"
      ],
      "liveTestStatus": "blocked without production-write approval",
      "localEvidence": "9 local PHPUnit tests PASS with 52 assertions against mapper/handler/client test doubles.",
      "risk": "medium",
      "reason": "Code path is locally covered, but no real lead was created by design."
    },
    {
      "id": "personio_vacancy_feed",
      "service": "Personio public vacancy feed",
      "method": "GET",
      "endpoint": "https://solcom-gmbh.jobs.personio.de/xml",
      "sources": [
        "config/sync/migrate_plus.migration.solcom_vacancy.yml",
        "web/modules/custom/solcom_vacancy/solcom_vacancy.module",
        "web/modules/custom/solcom_vacancy/src/EventSubscriber/VacancyHardDeleteSubscriber.php"
      ],
      "liveTestStatus": "not re-imported",
      "localEvidence": "Migration config and hard-delete guard inspected; no destructive import/hard-delete run started.",
      "risk": "medium",
      "reason": "Read feed is public, but import/hard-delete has local data impact and was not run during no-fix dogfood."
    },
    {
      "id": "personio_application_api",
      "service": "Personio Recruiting API application submit",
      "method": "POST",
      "endpoint": "https://api.personio.de/v1/recruiting/applications",
      "sources": [
        "web/modules/custom/solcom_vacancy_application/src/Service/PersonioApplicationClient.php",
        "web/modules/custom/solcom_vacancy_application/src/Plugin/QueueWorker/ApplicationQueueWorker.php",
        "web/modules/custom/solcom_vacancy_application/src/Commands/PersonioSmokeTestCommands.php"
      ],
      "liveTestStatus": "blocked without production-write approval",
      "localEvidence": "Personio API key is not present locally; 36 Kernel tests PASS with 306 assertions against HTTP mock handlers.",
      "risk": "medium",
      "reason": "Local contract is strongly covered, but live delivery cannot be considered passed without approved smoke application."
    },
    {
      "id": "personio_documents_api",
      "service": "Personio Recruiting API document upload",
      "method": "POST",
      "endpoint": "https://api.personio.de/v1/recruiting/applications/documents",
      "sources": [
        "web/modules/custom/solcom_vacancy_application/src/Service/PersonioApplicationClient.php"
      ],
      "liveTestStatus": "blocked without production-write approval",
      "localEvidence": "Document upload request and error handling covered by local Kernel tests.",
      "risk": "medium",
      "reason": "Uploads are production writes and can contain applicant files."
    },
    {
      "id": "personio_readback",
      "service": "Personio Recruiting API readback",
      "method": "GET",
      "endpoint": "https://api.personio.de/v2/recruiting/applications",
      "sources": [
        "web/modules/custom/solcom_vacancy_application/src/Commands/PersonioSmokeTestCommands.php"
      ],
      "liveTestStatus": "not executed",
      "localEvidence": "Command code inspected; readback is best-effort and only meaningful after a live smoke submit.",
      "risk": "low",
      "reason": "Diagnostic endpoint, not part of normal user flow."
    },
    {
      "id": "sendgrid_smtp",
      "service": "SendGrid SMTP",
      "method": "SMTP",
      "endpoint": "smtp.sendgrid.net:587",
      "sources": [
        "config/sync/symfony_mailer_lite.symfony_mailer_lite_transport.sendgrid.yml",
        "config/sync/symfony_mailer_lite.settings.yml",
        "config/sync/mailsystem.settings.yml"
      ],
      "liveTestStatus": "not executed",
      "localEvidence": "Default transport is sendgrid but pass/pass_key are empty in config; local Mailpit snapshot contains 9 messages from prior dogfood flows.",
      "risk": "medium",
      "reason": "Mailpit validates local capture, but production SendGrid credentials/transport were not exercised."
    },
    {
      "id": "mailpit_local",
      "service": "Mailpit local",
      "method": "HTTP API",
      "endpoint": "http://localhost:8025/api/v1/messages?limit=50 inside DDEV web",
      "sources": [
        "ddev describe -j",
        "mailpit-redacted-snapshot-2026-07-05.json"
      ],
      "liveTestStatus": "executed locally",
      "localEvidence": "9 messages captured and redacted; includes registration, verification, password reset, email change, application mails and admin notifications.",
      "risk": "low",
      "reason": "Local mail capture is working; host-port API returns schema-style output while DDEV-internal API returns concrete JSON."
    },
    {
      "id": "friendlycaptcha",
      "service": "FriendlyCaptcha",
      "method": "local validation",
      "endpoint": "local",
      "sources": [
        "config/sync/friendlycaptcha.settings.yml"
      ],
      "liveTestStatus": "partially tested through browser behavior",
      "localEvidence": "Runtime config endpoint is local; Expertenformular browser test remained blocked by captcha state .UNSTARTED/.HEADLESS_ERROR.",
      "risk": "medium",
      "reason": "Captcha protects real submit flows; browser automation cannot claim full submit success."
    },
    {
      "id": "usercentrics_cmp",
      "service": "Usercentrics CMP",
      "method": "client script",
      "endpoint": "https://web.cmp.usercentrics.eu/ui/loader.js",
      "sources": [
        "web/modules/custom/solcom_seo/solcom_seo.module",
        "web/modules/custom/solcom_seo/tests/src/Kernel/UsercentricsAttachmentTest.php"
      ],
      "liveTestStatus": "locally fallback-tested, production loader not fetched",
      "localEvidence": "Kernel test PASS verifies local DDEV fallback and production URL replacement.",
      "risk": "low",
      "reason": "Consent URL wiring is covered locally; external CDN availability was not probed."
    },
    {
      "id": "salesforce_marketing_cloud_forms_host",
      "service": "Salesforce Marketing Cloud forms host",
      "method": "client script",
      "endpoint": "https://solcom.my.site.com/lp/assets/scripts/external-forms-host.min.js",
      "sources": [
        "web/modules/custom/solcom_seo/solcom_seo.module",
        "web/modules/custom/solcom_seo/js/salesforce-consent.js"
      ],
      "liveTestStatus": "not fetched",
      "localEvidence": "Script is converted to type=text/plain with data-usercentrics=Salesforce Marketing Cloud until consent.",
      "risk": "medium",
      "reason": "Consent gating is plausible, but live marketing form execution was not dogfooded."
    },
    {
      "id": "google_maps_js",
      "service": "Google Maps JavaScript API",
      "method": "client script after user action",
      "endpoint": "https://maps.googleapis.com/maps/api/js?key=<redacted>&libraries=marker&callback=__solcomGMapsReady&loading=async",
      "sources": [
        "web/modules/custom/solcom_standort/src/Plugin/Block/StandortDisplayBlock.php",
        "web/modules/custom/solcom_standort/js/standort-map.js",
        "web/modules/custom/solcom_standort/tests/src/Kernel/StandortDisplayBlockTest.php"
      ],
      "liveTestStatus": "not fetched",
      "localEvidence": "Kernel test PASS verifies fallback without API key and explicit load action before script injection.",
      "risk": "low",
      "reason": "Privacy-friendly lazy loading is covered; external Google API availability was not probed."
    },
    {
      "id": "google_maps_search",
      "service": "Google Maps search link",
      "method": "external link",
      "endpoint": "https://www.google.com/maps/search/?api=1&query=<lat,lon>",
      "sources": [
        "web/modules/custom/solcom_standort/src/Plugin/Block/StandortDisplayBlock.php"
      ],
      "liveTestStatus": "not opened externally",
      "localEvidence": "URL generation covered by StandortDisplayBlockTest.",
      "risk": "low",
      "reason": "External user navigation, not an automatic write or API submit."
    },
    {
      "id": "youtube_embed",
      "service": "YouTube embed",
      "method": "client iframe/render token",
      "endpoint": "https://www.youtube.com/embed/<video-id>",
      "sources": [
        "web/modules/custom/solcom_seo/src/Plugin/Filter/RemoteVideoTokenRender.php"
      ],
      "liveTestStatus": "not fetched",
      "localEvidence": "Static inventory only.",
      "risk": "low",
      "reason": "External media availability not covered by current dogfood scope."
    }
  ],
  "overallEndpointAssessment": {
    "status": "not clean",
    "releaseImpact": "External-write integrations are locally covered by regression tests but not live-verified; Salesforce FCSB token errors and captcha-blocked submits remain release risks.",
    "scoreImpact": "No score increase. Endpoint evidence supports keeping the report at 52/100."
  }
}
