Area: Integration / API (audit p13) · Surface: POST /api/projects/vote, POST /api/projects/follow (Api\ProjectController@vote, @follow) · Dimension: dead-code · Severity: enhancement
The Integration-area surfaces POST /api/projects/vote and POST /api/projects/follow resolve to ProjectController, whose constructor calls $this->features->require('projects'). The `projects` feature key is listed in FeatureCatalog::POLICY_DISABLED (platform-admin/src/Domain/FeatureCatalog.php:78) and defaults to false, so per Patrick's standing 2026-05-03 directive it never auto-enables for any tenant. Every request to these endpoints therefore throws FeatureDisabledException and 404s on every real tenant (only the dev demo tenant can toggle it on). This is intentionally-off code, not a bug — flagging it as a removal candidate per the policy-disabled rule. The full ProjectController and its Models (Project, BomItem, ProjectVote, ProjectFollow, etc.) plus the broader /projects/* route block are in the same boat.
Evidence
ProjectController constructor hard-gates every action on the `projects` flag:
src/Controllers/ProjectController.php:21-28

    public function __construct() {
        parent::__construct();
        // Every action in this controller is gated by the projects
        // feature flag. When off, direct-URL hits 404 via the
        // bootstrap exception handler's FeatureDisabledException case.
        $this->features->require('projects');
    }

require() throws FeatureDisabledException -> 404 when the flag is off:
src/Services/Features.php:449-454

    public function require(string $key): void {
        if (!$this->is($key)) { throw new FeatureDisabledException($key); }
    }

`projects` is in POLICY_DISABLED:

    $ grep -n "'projects'" platform-admin/src/Domain/FeatureCatalog.php
    78: 'projects', (POLICY_DISABLED list)
    125: 'projects' => [... 'default' => false ...]

The Integration routes are the only /api/projects entries:

    $ grep -n 'api/projects' platform/src/routes.php
    913: $router->post('/api/projects/vote', 'ProjectController@vote');
    914: $router->post('/api/projects/follow', 'ProjectController@follow');

Suggested fix. No action required unless trimming the repo. If a code-reduction pass is desired, ProjectController + the /projects/* and /api/projects/* route block + the Project* models are candidates for removal, since `projects` is POLICY_DISABLED and will never enable on a customer tenant. Keep if the dev/demo tenant still showcases it.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus