// 場景對比：處理用戶登錄

// ? 通用Claude可能給你的代碼
<?php
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query);  // 已廢棄的函數(shù)！SQL注入風(fēng)險(xiǎn)！

if (mysql_num_rows($result) > 0) {
    $_SESSION['logged_in'] = true;
    echo"Login successful";
}
// 問題：SQL注入、明文密碼、過時函數(shù)、沒有CSRF保護(hù)

// ? PHP子代理會給你的專業(yè)方案
<?php
declare(strict_types=1);

namespaceApp\Http\Controllers\Auth;

useApp\Models\User;
useApp\Http\Requests\LoginRequest;
useApp\Services\Auth\AuthenticationService;
useApp\Events\UserLoggedIn;
useIlluminate\Http\JsonResponse;
useIlluminate\Support\Facades\RateLimiter;
useSymfony\Component\HttpFoundation\Response;

finalclass LoginController extends Controller
{
    publicfunction __construct(
        private readonly AuthenticationService $authService
    ) {}

    /**
     * 處理用戶登錄請求
     * 
     * @param LoginRequest $request 驗(yàn)證過的請求對象
     * @return JsonResponse
     * @throws \Throwable
     */
    publicfunction login(LoginRequest $request): JsonResponse
    {
        // 1. 速率限制檢查
        $key = 'login:' . $request->ip();
        if (RateLimiter::tooManyAttempts($key, 5)) {
            return response()->json([
                'message' => '登錄嘗試次數(shù)過多，請稍后再試',
                'retry_after' => RateLimiter::availableIn($key)
            ], Response::HTTP_TOO_MANY_REQUESTS);
        }

        try {
            // 2. 驗(yàn)證憑據(jù)（自動處理密碼哈希驗(yàn)證）
            $credentials = $request->validated();
            
            // 3. 嘗試認(rèn)證
            $result = $this->authService->attempt(
                email: $credentials['email'],
                password: $credentials['password'],
                remember: $credentials['remember'] ?? false
            );

            if (!$result->success) {
                RateLimiter::hit($key, 300); // 5分鐘窗口
                
                return response()->json([
                    'message' => '郵箱或密碼錯誤',
                    'errors' => ['email' => ['認(rèn)證失敗']]
                ], Response::HTTP_UNPROCESSABLE_ENTITY);
            }

            // 4. 清除速率限制
            RateLimiter::clear($key);

            // 5. 生成安全的會話/JWT令牌
            $token = $result->token;
            $user = $result->user;

            // 6. 觸發(fā)登錄事件（用于日志、通知等）
            event(new UserLoggedIn($user, $request->ip(), $request->userAgent()));

            // 7. 返回響應(yīng)（包含CSRF令牌）
            return response()->json([
                'message' => '登錄成功',
                'data' => [
                    'user' => $user->only(['id', 'name', 'email', 'avatar']),
                    'token' => $token,
                    'token_type' => 'Bearer',
                    'expires_in' => config('jwt.ttl') * 60
                ]
            ])->withHeaders([
                'X-CSRF-TOKEN' => csrf_token()
            ]);

        } catch (\Exception $e) {
            // 8. 錯誤處理和日志
            report($e);
            
            return response()->json([
                'message' => '登錄過程中發(fā)生錯誤，請稍后重試'
            ], Response::HTTP_INTERNAL_SERVER_ERROR);
        }
    }
}

// LoginRequest.php - 請求驗(yàn)證
namespaceApp\Http\Requests;

useIlluminate\Foundation\Http\FormRequest;
useIlluminate\Validation\Rules\Password;

class LoginRequest extends FormRequest
{
    publicfunction authorize(): bool
    {
        returntrue;
    }

    publicfunction rules(): array
    {
        return [
            'email' => [
                'required',
                'email:rfc,dns',
                'max:255'
            ],
            'password' => [
                'required',
                Password::min(8)
                    ->mixedCase()
                    ->numbers()
                    ->symbols()
            ],
            'remember' => ['boolean'],
            'captcha' => ['required_if:failed_attempts,>,3', 'captcha']
        ];
    }

    publicfunction messages(): array
    {
        return [
            'email.required' => '請輸入郵箱地址',
            'email.email' => '請輸入有效的郵箱地址',
            'password.required' => '請輸入密碼',
            'captcha.required_if' => '多次失敗后需要驗(yàn)證碼'
        ];
    }
}

---
name: php-developer
description: Develop modern PHP applications with advanced OOP, performance optimization, and security best practices. Specializes in Laravel, Symfony, and high-performance PHP patterns. Use PROACTIVELY for PHP-specific optimizations and enterprise applications.
model: sonnet
---
You are a PHP development expert specializing in modern PHP 8.3+ development with focus on performance, security, and maintainability.

## Modern PHP Expertise
- PHP 8.3+ features (readonly classes, constants in traits, typed class constants)
- Advanced OOP (inheritance, polymorphism, composition over inheritance)
- Trait composition and conflict resolution strategies
- Reflection API and attribute-based programming
- Memory optimization with generators and SPL data structures
- OpCache configuration and performance tuning
- Composer dependency management and PSR standards
- Security hardening and vulnerability prevention

## Framework Proficiency
1. Laravel ecosystem (Eloquent ORM, Artisan commands, queues)
2. Symfony components and dependency injection container
3. PSR compliance (PSR-4 autoloading, PSR-7 HTTP messages)
4. Doctrine ORM with advanced query optimization
5. PHPUnit testing with data providers and mocking
6. Performance profiling with Xdebug and Blackfire
7. Static analysis with PHPStan and Psalm
8. Code quality with PHP CS Fixer and PHPMD

## Security and Performance Focus
- Input validation and sanitization with filter functions
- SQL injection prevention with prepared statements
- XSS protection with proper output escaping
- CSRF token implementation and validation
- Password hashing with password_hash() and Argon2
- Rate limiting and brute force protection
- Session security and cookie configuration
- File upload security with MIME type validation
- Memory leak prevention and garbage collection tuning

## Enterprise Development
- Clean architecture with domain-driven design
- Repository pattern with interface segregation
- Event sourcing and CQRS implementation
- Microservices with API gateway patterns
- Database sharding and read replica strategies
- Caching layers with Redis and Memcached
- Queue processing with proper job handling
- Logging with Monolog and structured data
- Monitoring with APM tools and health checks

Build PHP applications that are secure, performant, and maintainable at enterprise scale. Focus on modern PHP practices while avoiding legacy patterns and security vulnerabilities.

---
name: php-developer
description: 使用高級OOP、性能優(yōu)化和安全最佳實(shí)踐開發(fā)現(xiàn)代PHP應(yīng)用。專精Laravel、Symfony和高性能PHP模式。在PHP優(yōu)化和企業(yè)應(yīng)用時主動使用。
model: sonnet
---
你是一位PHP開發(fā)專家，專精現(xiàn)代PHP 8.3+開發(fā)，專注于性能、安全和可維護(hù)性。

## 現(xiàn)代PHP專業(yè)技能 / Modern PHP Expertise
- PHP 8.3+特性（只讀類、trait中的常量、類型化類常量）
- 高級OOP（繼承、多態(tài)、組合優(yōu)于繼承）
- Trait組合和沖突解決策略
- 反射API和基于屬性的編程
- 使用生成器和SPL數(shù)據(jù)結(jié)構(gòu)進(jìn)行內(nèi)存優(yōu)化
- OpCache配置和性能調(diào)優(yōu)
- Composer依賴管理和PSR標(biāo)準(zhǔn)
- 安全加固和漏洞預(yù)防

## 框架精通 / Framework Proficiency
1. Laravel生態(tài)系統(tǒng)（Eloquent ORM、Artisan命令、隊(duì)列）
2. Symfony組件和依賴注入容器
3. PSR合規(guī)（PSR-4自動加載、PSR-7 HTTP消息）
4. Doctrine ORM高級查詢優(yōu)化
5. PHPUnit測試與數(shù)據(jù)提供者和模擬
6. 使用Xdebug和Blackfire進(jìn)行性能分析
7. 使用PHPStan和Psalm進(jìn)行靜態(tài)分析
8. 使用PHP CS Fixer和PHPMD保證代碼質(zhì)量

## 安全和性能關(guān)注 / Security and Performance Focus
- 使用過濾函數(shù)進(jìn)行輸入驗(yàn)證和清理
- 使用預(yù)處理語句防止SQL注入
- 通過適當(dāng)?shù)妮敵鲛D(zhuǎn)義防止XSS
- CSRF令牌實(shí)現(xiàn)和驗(yàn)證
- 使用password_hash()和Argon2進(jìn)行密碼哈希
- 速率限制和暴力破解保護(hù)
- 會話安全和Cookie配置
- 使用MIME類型驗(yàn)證的文件上傳安全
- 內(nèi)存泄漏預(yù)防和垃圾回收調(diào)優(yōu)

## 企業(yè)級開發(fā) / Enterprise Development
- 使用領(lǐng)域驅(qū)動設(shè)計(jì)的清潔架構(gòu)
- 帶接口隔離的倉儲模式
- 事件溯源和CQRS實(shí)現(xiàn)
- 帶API網(wǎng)關(guān)模式的微服務(wù)
- 數(shù)據(jù)庫分片和讀副本策略
- 使用Redis和Memcached的緩存層
- 適當(dāng)?shù)淖鳂I(yè)處理和隊(duì)列處理
- 使用Monolog和結(jié)構(gòu)化數(shù)據(jù)記錄日志
- 使用APM工具和健康檢查進(jìn)行監(jiān)控

構(gòu)建安全、高性能、可維護(hù)的企業(yè)級PHP應(yīng)用。
專注于現(xiàn)代PHP實(shí)踐，同時避免遺留模式和安全漏洞。

// 1. 什么是PHP 8.3+新特性？
// 只讀類 - 類的所有屬性自動只讀
readonly class User {
    publicfunction __construct(
        public string $name,
        public string $email
    ) {}
}

// 2. 什么是Trait？
// 就像"能力包"，可以給類添加功能
trait Timestampable {
    public DateTime $createdAt;
    public DateTime $updatedAt;
    
    publicfunction touch(): void {
        $this->updatedAt = new DateTime();
    }
}

class Post {
    useTimestampable;  // 獲得時間戳能力
}

// 3. 什么是生成器？
// 省內(nèi)存的迭代方式
function readLargeFile($file) {
    $handle = fopen($file, 'r');
    while (!feof($handle)) {
        yield fgets($handle);  // 一次只讀一行
    }
    fclose($handle);
}

// 4. 什么是依賴注入？
// 不要在類內(nèi)部創(chuàng)建依賴，而是從外部傳入
class UserService {
    publicfunction __construct(
        private UserRepository $repository  // 注入依賴
    ) {}
}

# 在Claude Code中輸入
/agents

創(chuàng)建一個商品管理的RESTful API，要考慮性能和安全

<?php
// app/Http/Controllers/Api/ProductController.php
declare(strict_types=1);

namespaceApp\Http\Controllers\Api;

useApp\Http\Controllers\Controller;
useApp\Http\Requests\Product\{StoreRequest, UpdateRequest};
useApp\Http\Resources\ProductResource;
useApp\Models\Product;
useApp\Services\ProductService;
useApp\Repositories\ProductRepository;
useIlluminate\Http\{JsonResponse, Resources\Json\AnonymousResourceCollection};
useIlluminate\Support\Facades\{Cache, DB};
useSymfony\Component\HttpFoundation\Response;

finalclass ProductController extends Controller
{
    publicfunction __construct(
        private readonly ProductService $productService,
        private readonly ProductRepository $productRepository
    ) {
        // 中間件配置
        $this->middleware('auth:sanctum');
        $this->middleware('throttle:api');
        $this->middleware('cache.headers:public;max_age=300')->only(['index', 'show']);
    }

    /**
     * 獲取商品列表（帶緩存和分頁）
     */
    publicfunction index(): AnonymousResourceCollection
    {
        // 構(gòu)建緩存鍵
        $cacheKey = 'products:' . md5(serialize(request()->all()));
        
        $products = Cache::tags(['products'])->remember(
            $cacheKey,
            now()->addMinutes(10),
            function () {
                return$this->productRepository
                    ->with(['category', 'brand'])  // 預(yù)加載關(guān)聯(lián)，避免N+1
                    ->filter(request()->all())
                    ->sortBy(request('sort', 'created_at'))
                    ->paginate(request('per_page', 15));
            }
        );

        return ProductResource::collection($products)
            ->additional([
                'meta' => [
                    'available_filters' => $this->productRepository->getAvailableFilters(),
                    'cache_hit' => Cache::tags(['products'])->has($cacheKey)
                ]
            ]);
    }

    /**
     * 創(chuàng)建新商品
     */
    publicfunction store(StoreRequest $request): JsonResponse
    {
        try {
            $product = DB::transaction(function () use ($request) {
                // 1. 創(chuàng)建商品
                $product = $this->productService->create(
                    $request->validated()
                );

                // 2. 處理圖片上傳
                if ($request->hasFile('images')) {
                    $this->productService->attachImages(
                        $product,
                        $request->file('images')
                    );
                }

                // 3. 清除緩存
                Cache::tags(['products'])->flush();

                return $product;
            });

            return response()->json([
                'message' => '商品創(chuàng)建成功',
                'data' => new ProductResource($product->load(['category', 'brand', 'images']))
            ], Response::HTTP_CREATED);

        } catch (\Exception $e) {
            report($e);
            
            return response()->json([
                'message' => '創(chuàng)建商品失敗',
                'error' => app()->isProduction() ? '服務(wù)器錯誤' : $e->getMessage()
            ], Response::HTTP_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * 獲取單個商品（帶緩存）
     */
    publicfunction show(Product $product): ProductResource
    {
        // 使用緩存的查詢結(jié)果
        $cachedProduct = Cache::tags(['products', "product:{$product->id}"])
            ->remember(
                "product:{$product->id}:full",
                now()->addHours(1),
                fn() => $product->load([
                    'category',
                    'brand',
                    'images',
                    'variants',
                    'reviews' => fn($q) => $q->latest()->limit(5)
                ])
            );

        returnnew ProductResource($cachedProduct);
    }

    /**
     * 更新商品
     */
    publicfunction update(UpdateRequest $request, Product $product): JsonResponse
    {
        $this->authorize('update', $product);

        try {
            $updated = DB::transaction(function () use ($request, $product) {
                $product = $this->productService->update(
                    $product,
                    $request->validated()
                );

                // 清除相關(guān)緩存
                Cache::tags(['products', "product:{$product->id}"])->flush();

                return $product;
            });

            return response()->json([
                'message' => '商品更新成功',
                'data' => new ProductResource($updated)
            ]);

        } catch (\Exception $e) {
            report($e);
            
            return response()->json([
                'message' => '更新失敗',
                'error' => $e->getMessage()
            ], Response::HTTP_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * 刪除商品（軟刪除）
     */
    publicfunction destroy(Product $product): JsonResponse
    {
        $this->authorize('delete', $product);

        $this->productService->delete($product);
        
        Cache::tags(['products', "product:{$product->id}"])->flush();

        return response()->json([
            'message' => '商品刪除成功'
        ], Response::HTTP_NO_CONTENT);
    }
}

// app/Services/ProductService.php
<?php
declare(strict_types=1);

namespaceApp\Services;

useApp\Models\Product;
useApp\Repositories\ProductRepository;
useIlluminate\Http\UploadedFile;
useIlluminate\Support\Facades\Storage;
useIntervention\Image\Facades\Image;

finalclass ProductService
{
    publicfunction __construct(
        private readonly ProductRepository $repository
    ) {}

    /**
     * 創(chuàng)建商品（使用DTO模式）
     */
    publicfunction create(array $data): Product
    {
        // 數(shù)據(jù)轉(zhuǎn)換和驗(yàn)證
        $productData = $this->prepareData($data);
        
        // SKU生成
        $productData['sku'] = $this->generateUniqueSku($data['name']);
        
        // 創(chuàng)建商品
        return$this->repository->create($productData);
    }

    /**
     * 處理圖片上傳（多尺寸生成）
     */
    publicfunction attachImages(Product $product, array $images): void
    {
        $imagePaths = [];
        
        foreach ($images as $image) {
            if (!$image instanceof UploadedFile) {
                continue;
            }

            // 驗(yàn)證MIME類型
            if (!in_array($image->getMimeType(), ['image/jpeg', 'image/png', 'image/webp'])) {
                thrownew \InvalidArgumentException('不支持的圖片格式');
            }

            // 生成文件名
            $filename = $this->generateImageFilename($image);
            
            // 創(chuàng)建多個尺寸
            $sizes = [
                'thumbnail' => [150, 150],
                'medium' => [500, 500],
                'large' => [1000, 1000]
            ];

            foreach ($sizes as $sizeName => $dimensions) {
                $resized = Image::make($image)
                    ->fit($dimensions[0], $dimensions[1])
                    ->encode('webp', 85);
                
                $path = "products/{$product->id}/{$sizeName}_{$filename}.webp";
                Storage::disk('public')->put($path, $resized);
                
                $imagePaths[$sizeName] = $path;
            }

            // 保存原圖
            $originalPath = "products/{$product->id}/original_{$filename}";
            Storage::disk('public')->putFileAs(
                "products/{$product->id}",
                $image,
                "original_{$filename}"
            );
            $imagePaths['original'] = $originalPath;
        }

        // 保存到數(shù)據(jù)庫
        $product->images()->create($imagePaths);
    }

    /**
     * 生成唯一SKU
     */
    privatefunction generateUniqueSku(string $name): string
    {
        $base = strtoupper(substr(preg_replace('/[^A-Za-z0-9]/', '', $name), 0, 3));
        $suffix = random_int(1000, 9999);
        $sku = "PRD-{$base}-{$suffix}";
        
        // 確保唯一性
        while ($this->repository->exists(['sku' => $sku])) {
            $suffix = random_int(1000, 9999);
            $sku = "PRD-{$base}-{$suffix}";
        }
        
        return $sku;
    }

    privatefunction prepareData(array $data): array
    {
        // 數(shù)據(jù)清理和轉(zhuǎn)換
        return [
            'name' => trim($data['name']),
            'description' => strip_tags($data['description'], '<p><br><strong><em>'),
            'price' => (float) $data['price'],
            'quantity' => (int) $data['quantity'],
            'category_id' => $data['category_id'],
            'brand_id' => $data['brand_id'] ?? null,
            'is_active' => $data['is_active'] ?? true,
            'meta' => $data['meta'] ?? []
        ];
    }

    privatefunction generateImageFilename(UploadedFile $file): string
    {
        return sprintf(
            '%s_%s',
            time(),
            hash('sha256', $file->getClientOriginalName())
        );
    }
}

創(chuàng)建一個安全的JWT認(rèn)證系統(tǒng)

<?php
// app/Services/Auth/JwtAuthService.php
declare(strict_types=1);

namespaceApp\Services\Auth;

useApp\Models\User;
useFirebase\JWT\{JWT, Key, ExpiredException};
useIlluminate\Support\Facades\Hash;

finalclass JwtAuthService
{
    privateconst ALGORITHM = 'HS256';
    private string $secretKey;
    private int $accessTokenTtl;
    private int $refreshTokenTtl;

    publicfunction __construct()
    {
        $this->secretKey = config('jwt.secret');
        $this->accessTokenTtl = config('jwt.access_ttl', 900); // 15分鐘
        $this->refreshTokenTtl = config('jwt.refresh_ttl', 604800); // 7天
    }

    /**
     * 生成JWT令牌對
     */
    publicfunction generateTokenPair(User $user): array
    {
        $accessToken = $this->generateAccessToken($user);
        $refreshToken = $this->generateRefreshToken($user);

        // 存儲刷新令牌的哈希值
        $user->refresh_tokens()->create([
            'token_hash' => hash('sha256', $refreshToken),
            'expires_at' => now()->addSeconds($this->refreshTokenTtl),
            'ip_address' => request()->ip(),
            'user_agent' => request()->userAgent()
        ]);

        return [
            'access_token' => $accessToken,
            'refresh_token' => $refreshToken,
            'token_type' => 'Bearer',
            'expires_in' => $this->accessTokenTtl
        ];
    }

    /**
     * 驗(yàn)證訪問令牌
     */
    publicfunction validateAccessToken(string $token): ?User
    {
        try {
            $decoded = JWT::decode($token, new Key($this->secretKey, self::ALGORITHM));
            
            // 驗(yàn)證令牌類型
            if ($decoded->type !== 'access') {
                returnnull;
            }

            // 檢查是否在黑名單中
            if ($this->isTokenBlacklisted($token)) {
                returnnull;
            }

            return User::find($decoded->sub);

        } catch (ExpiredException $e) {
            thrownew TokenExpiredException('訪問令牌已過期');
        } catch (\Exception $e) {
            returnnull;
        }
    }

    /**
     * 刷新訪問令牌
     */
    publicfunction refreshAccessToken(string $refreshToken): array
    {
        try {
            $decoded = JWT::decode($refreshToken, new Key($this->secretKey, self::ALGORITHM));
            
            if ($decoded->type !== 'refresh') {
                thrownew \InvalidArgumentException('無效的刷新令牌');
            }

            $user = User::find($decoded->sub);
            if (!$user) {
                thrownew \InvalidArgumentException('用戶不存在');
            }

            // 驗(yàn)證刷新令牌是否有效
            $tokenHash = hash('sha256', $refreshToken);
            $storedToken = $user->refresh_tokens()
                ->where('token_hash', $tokenHash)
                ->where('expires_at', '>', now())
                ->where('revoked', false)
                ->first();

            if (!$storedToken) {
                thrownew \InvalidArgumentException('刷新令牌無效或已撤銷');
            }

            // 更新最后使用時間
            $storedToken->update(['last_used_at' => now()]);

            // 生成新的訪問令牌
            return [
                'access_token' => $this->generateAccessToken($user),
                'token_type' => 'Bearer',
                'expires_in' => $this->accessTokenTtl
            ];

        } catch (\Exception $e) {
            thrownew \InvalidArgumentException('刷新令牌無效: ' . $e->getMessage());
        }
    }

    /**
     * 撤銷所有令牌
     */
    publicfunction revokeAllTokens(User $user): void
    {
        $user->refresh_tokens()->update(['revoked' => true]);
        
        // 可選：添加到黑名單緩存
        Cache::tags(['jwt:blacklist'])->put(
            "user:{$user->id}:revoked",
            true,
            now()->addSeconds($this->refreshTokenTtl)
        );
    }

    privatefunction generateAccessToken(User $user): string
    {
        $payload = [
            'iss' => config('app.url'),
            'sub' => $user->id,
            'iat' => time(),
            'exp' => time() + $this->accessTokenTtl,
            'type' => 'access',
            'jti' => $this->generateJti(),
            'user' => [
                'email' => $user->email,
                'role' => $user->role
            ]
        ];

        return JWT::encode($payload, $this->secretKey, self::ALGORITHM);
    }

    privatefunction generateRefreshToken(User $user): string
    {
        $payload = [
            'iss' => config('app.url'),
            'sub' => $user->id,
            'iat' => time(),
            'exp' => time() + $this->refreshTokenTtl,
            'type' => 'refresh',
            'jti' => $this->generateJti()
        ];

        return JWT::encode($payload, $this->secretKey, self::ALGORITHM);
    }

    privatefunction generateJti(): string
    {
        return bin2hex(random_bytes(16));
    }

    privatefunction isTokenBlacklisted(string $token): bool
    {
        return Cache::tags(['jwt:blacklist'])->has(
            'token:' . hash('sha256', $token)
        );
    }
}

## Framework Proficiency
- Laravel 11全棧開發(fā)
- Livewire實(shí)時組件
- Inertia.js + Vue/React
- Laravel Octane性能加速
- Horizon隊(duì)列管理

## Framework Proficiency
- Symfony 7組件架構(gòu)
- API Platform構(gòu)建
- Messenger組件
- Doctrine ORM優(yōu)化
- Twig模板引擎

## Team Standards
- 代碼風(fēng)格：PSR-12標(biāo)準(zhǔn)
- 命名規(guī)范：駝峰命名法
- 文檔：PHPDoc完整注釋
- 測試覆蓋：最低80%
- Git工作流：GitFlow

// PHP 8.0+
#[Attribute]
class Route {}

// PHP 7.4兼容寫法
/** @Annotation */
class Route {}