Download the PHP package mindtwo/base-monitoring without Composer
On this page you can find all versions of the php package mindtwo/base-monitoring. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download mindtwo/base-monitoring
More information about mindtwo/base-monitoring
Files in mindtwo/base-monitoring
Package base-monitoring
Short Description Framework-agnostic core of the mindtwo monitoring suite. Safely collects infrastructure, package and security-audit data and ships it as a signed snapshot.
License MIT
Homepage https://github.com/mindtwo/base-monitoring
Informations about the package base-monitoring
mindtwo/base-monitoring
The framework-agnostic collecting core of the mindtwo monitoring suite. It safely gathers infrastructure, package and security-audit data from any PHP environment and ships it as a signed, versioned JSON snapshot — either pushed to the central monitoring endpoint or served through a plugin's pull endpoint.
Framework plugins build on this core:
| Package | Adds |
|---|---|
mindtwo/laravel-monitoring |
Laravel collectors, scheduler push, signed pull endpoint |
mindtwo/wordpress-monitoring |
WordPress core/plugin/theme collectors, WP-Cron push |
mindtwo/craftcms-monitoring |
Craft CMS collectors, console/queue push |
mindtwo/server-monitoring |
Standalone server-level monitoring (Docker, load) |
What it collects
| Metric key | Source |
|---|---|
os |
/etc/os-release (Linux), sw_vers (macOS), php_uname() fallback |
php |
PHP_VERSION, SAPI, memory limit — always available |
database |
best-effort CLI client detection (mysql/mariadb/psql/sqlite3) — plugins override with the live connection |
nginx, apache, caddy, redis |
version output of the respective binary, when installed |
node |
node --version plus the npm version |
system |
CPU count, total/available memory, total/free disk |
composer_packages |
parsed offline from composer.lock, with dev/direct flags |
npm_packages |
parsed offline from package-lock.json (v1–v3), npm-shrinkwrap.json, yarn.lock (classic & berry) or pnpm-lock.yaml (v6 & v9) |
composer_audit |
composer audit --format=json — advisories and abandoned packages |
composer_licenses |
composer licenses --format=json — license summary and per-package list |
npm_audit |
npm audit --json — severity counts plus per-advisory detail |
git |
branch, commit, dirty state, changed files (capped) |
Detected software is normalized to a technology slug pinned from
endoflife.date, so the central dashboard can match versions against
end-of-life data. Unknown software degrades to a slug derived from the package or org/repo
name — resolution is always offline.
Safety guarantees
The core is built to run on any environment without ever breaking the host application:
- Per-collector fault isolation — every collector runs inside its own guard. A throwing
collector becomes a
failedmetric, a missing binary anunsupportedmetric. One bad collector can never abort the snapshot. - No shell interpolation — commands run as argv arrays through a
ProcessRunner(symfony/process when installed, a dependency-freeproc_openrunner otherwise). Every run is timeout-bounded and degrades gracefully where process functions are disabled. - Binary discovery without shelling out — the
ExecutableFinderscansPATHplus common sbin directories in pure PHP. - Zero runtime dependencies — PHP >= 8.0 and ext-json are all it needs.
Installation
Quick start
Pushing to the central endpoint
Custom collectors
A collector is one unit of data collection. Implement the contract (or extend
AbstractCollector), return a CollectionResult, register it:
The snapshot payload
metrics is an open map — each collector owns the shape under its key, so adding a collector
adds a key and never requires a schema migration. Empty custom_data serializes as {}.
Every metric carries a status: ok, warning, failed, skipped or unsupported.
Authentication: signed requests (v1)
Authentication uses a project key + secret pair. The secret never travels on the wire — requests carry an HMAC signature instead, with a timestamp baked into the signed string for replay protection:
| Header | Value |
|---|---|
X-Monitoring-Key |
the project key |
X-Monitoring-Timestamp |
current Unix timestamp |
X-Monitoring-Signature |
the HMAC signature above |
payloadis the raw request body (the exact JSON bytes for a push, the empty string for a body-less pull request).- Verifiers reject timestamps outside a tolerance window (default 300 seconds) and compare
in constant time (
hash_equals).
Architecture
Every variable behavior is a contract in Mindtwo\Monitoring\Contracts with a default
implementation — plugins extend, never modify:
| Contract | Responsibility | Default |
|---|---|---|
Collector |
one unit of collection | 15-collector catalog |
Transport |
deliver a snapshot | HttpTransport (curl/stream) |
ConfigurationRepository |
per-framework config chain | provided by plugins |
RequestSigner / SignatureVerifier |
request authentication | HMAC-SHA256 v1 |
TechnologyResolver |
slug normalization | pinned endoflife.date registry |
ProcessRunner |
guarded shell access | symfony/process or native |
Plugins additionally reuse Http\PullRequestHandler (the complete pull-endpoint guard
chain), Support\FixedWindowRateLimiter, Support\IpMatcher and
Support\DatabaseVersion, so security-relevant behavior is implemented and tested exactly
once. Every metric carries a duration_ms so slow collectors are visible centrally.
Technology slug registry
The slug list is pinned in code (Technology\Slugs) for offline, deterministic resolution.
Refresh it from the endoflife.date release data:
Review the diff, commit, release. Aliases for differing detector output live in
Technology\Aliases and are extensible via the resolver constructor.
Development
PHP 8.0 compatibility is enforced statically (phpVersion: 80000 in phpstan.neon.dist).
Security
If you discover a security issue, please email [email protected] instead of opening a public issue.
License
The MIT License (MIT). See LICENSE.md.
All versions of base-monitoring with dependencies
ext-json Version *
composer-runtime-api Version ^2.0