[!warning] CRITICAL — the skill's template enables PHP error display in production
Verified against kyaulabs/aurora aurora.inc.php (cloned fresh). The real signature is:
public function __construct(?string $template = null, ?string $cdn = '/cdn',
bool $status = false, bool $html = false,
?string $templateDir = null)
The skill documents parameters 3 and 4 as $sri and $perf. They are actually $status and $html:
$status = true sets display_errors=1, display_startup_errors=1, error_reporting=-1, html_errors=1. It is a debug flag, not SRI.
$html = true sets mb_http_output('UTF-8') and sends the Content-Type: text/html; charset=UTF-8 header. It is not "performance statistics."
The skill's canonical page template hardcodes new KYAULabs\Aurora("index.html", "/cdn", true, true) — so every PHP page scaffolded through this skill ships with full error display enabled: stack traces, absolute paths, and potentially SQL fragments rendered to any visitor on an unhandled error. In a harness whose security-coding skill correctly preaches fail-closed behavior, this is the single highest-severity defect, and it's an instruction defect, so it replicates into every project generated from the template.
Compounding inaccuracies in the same skill, all verified against source:
- SRI is unconditional in Aurora —
integrity="sha512-..." attributes are emitted regardless of constructor arguments. The skill attributes SRI to param 3.
- The
$rus = getrusage() claim is half-true. Aurora's comment(array $rus, string $script) consumes it for the compute/syscall timing footer, but the skill's template never calls comment() — so as written, $rus is dead code and the "performance footer" never renders. Either add the $site->comment($rus, basename(__FILE__)) call the pattern implies, or drop the claim.
- The 5th parameter
$templateDir (template overlay path) is omitted entirely.
- Upstream footgun worth an issue on
kyaulabs/aurora itself: the constructor unconditionally runs ini_set('display_errors','1') (and -1 reporting) at its top, before the $status gate later resets it. Any AuroraException thrown in between — missing template, bad CDN dir — renders verbosely even when $status=false. Also, the private default is $status = true while the constructor default is false, and ($html) ? $this->html = $html : ''; is a ternary used as a no-op statement. None of these are harness bugs, but the harness is the layer documenting the framework, so the skill should at least carry a Gotcha about the early-exception window.
Verified against
kyaulabs/auroraaurora.inc.php(cloned fresh). The real signature is:The skill documents parameters 3 and 4 as
$sriand$perf. They are actually$statusand$html:$status = truesetsdisplay_errors=1,display_startup_errors=1,error_reporting=-1,html_errors=1. It is a debug flag, not SRI.$html = truesetsmb_http_output('UTF-8')and sends theContent-Type: text/html; charset=UTF-8header. It is not "performance statistics."The skill's canonical page template hardcodes
new KYAULabs\Aurora("index.html", "/cdn", true, true)— so every PHP page scaffolded through this skill ships with full error display enabled: stack traces, absolute paths, and potentially SQL fragments rendered to any visitor on an unhandled error. In a harness whosesecurity-codingskill correctly preaches fail-closed behavior, this is the single highest-severity defect, and it's an instruction defect, so it replicates into every project generated from the template.Compounding inaccuracies in the same skill, all verified against source:
integrity="sha512-..."attributes are emitted regardless of constructor arguments. The skill attributes SRI to param 3.$rus = getrusage()claim is half-true. Aurora'scomment(array $rus, string $script)consumes it for the compute/syscall timing footer, but the skill's template never callscomment()— so as written,$rusis dead code and the "performance footer" never renders. Either add the$site->comment($rus, basename(__FILE__))call the pattern implies, or drop the claim.$templateDir(template overlay path) is omitted entirely.kyaulabs/auroraitself: the constructor unconditionally runsini_set('display_errors','1')(and-1reporting) at its top, before the$statusgate later resets it. AnyAuroraExceptionthrown in between — missing template, bad CDN dir — renders verbosely even when$status=false. Also, the private default is$status = truewhile the constructor default isfalse, and($html) ? $this->html = $html : '';is a ternary used as a no-op statement. None of these are harness bugs, but the harness is the layer documenting the framework, so the skill should at least carry a Gotcha about the early-exception window.