
AI Audit: Findings and Recommendations#27

Open
koxon wants to merge 1 commit into master from findings/ai-audit-2026-02-17

Conversation

@koxon (Collaborator) commented Feb 17, 2026

Summary

Two-pass AI audit of the deprecated aws-elasticsearch-php-handler library, focused on deprecation status, security, and migration completeness.

Key Findings

  • 1 Critical: sa_site_v2/scripts/composer.lock still resolves the OpenSearch package name to this repo's git URL — installing the deprecated Elasticsearch client instead of the OpenSearch client
  • 3 High: Lucene query string injection in all query methods; repo not archived on GitHub despite full deprecation; EOL elasticsearch/elasticsearch v6.8.3 dependency
  • 7 Medium: Deprecated GitHub Actions (checkout@v2), long-lived AWS keys in CI, $_SERVER region with no fallback, undeclared PHP property, silent error swallowing, unbounded memory in scan(), backup workflow targets wrong branch
  • 6 Low: PSR-0 autoloading, PHP 7.0 EOL minimum, dead code, README parameter order mismatch, fragile type derivation, missing HTTP timeout

Migration Status

Migration is functionally complete. No PHP files in the codebase import ElasticsearchHandler. All composer.json files reference the OpenSearch handler. Only a stale composer.lock remains as a residual artifact.

Deliverables

  • FINDINGS.md — Severity-ranked findings with evidence, impact, and fixes
  • CLAUDE.md — Rewritten with deprecation warning, migration status table, security findings, and accurate gotchas

Recommended Next Steps

  1. Fix the stale composer.lock in sa_site_v2/scripts/ (Critical)
  2. Archive this repo on GitHub
  3. File the query injection finding against aws-opensearch-php-handler (same pattern, active codebase)
  4. Verify Packagist package registration for both handlers

Generated with Claude Code

Two-pass security and deprecation audit of aws-elasticsearch-php-handler.
Adds FINDINGS.md with severity-ranked findings and updates CLAUDE.md with
audit results, stale lock file discovery, and query injection warnings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
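The two actionable findings above, the Lucene query string injection and the stale composer.lock resolution, as an added PHP illustration. This is not code from aws-elasticsearch-php-handler, its OpenSearch successor, or the audit deliverables; the function names (escapeLuceneQuery, buildBodyQueries, findStaleLockEntries), the field name, the package names and the git URLs in the sample lock fragment are all invented for the example. The reserved-character list is the one documented for the Elasticsearch/OpenSearch query_string query.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from aws-elasticsearch-php-handler or its
// OpenSearch successor. Function names and the sample lock file are invented.

/**
 * Make untrusted text safe to interpolate into a Lucene query_string.
 * Reserved characters per the Elasticsearch/OpenSearch query_string docs:
 *   + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
 * '<' and '>' cannot be escaped at all, so they are removed; everything
 * else gets a backslash. Backslash itself is handled first so the
 * escapes added afterwards are not doubled.
 */
function escapeLuceneQuery(string $input): string
{
    $input = str_replace(['<', '>'], '', $input);
    $input = str_replace('\\', '\\\\', $input);
    $reserved = ['+', '-', '=', '&', '|', '!', '(', ')', '{', '}',
                 '[', ']', '^', '"', '~', '*', '?', ':', '/'];
    foreach ($reserved as $ch) {
        $input = str_replace($ch, '\\' . $ch, $input);
    }
    return $input;
}

/**
 * Build the same search three ways for one untrusted term.
 * 'vulnerable' splices raw input into query syntax (the pattern the
 * audit flags); 'escaped' keeps query_string but neutralises operators;
 * 'preferred' uses a match query, which never parses query syntax
 * out of the value at all.
 */
function buildBodyQueries(string $field, string $userInput): array
{
    return [
        'vulnerable' => ['query_string' => ['query' => "$field:($userInput)"]],
        'escaped'    => ['query_string' => [
            'query' => $field . ':(' . escapeLuceneQuery($userInput) . ')']],
        'preferred'  => ['match' => [$field => $userInput]],
    ];
}

/**
 * Return "name <- source url" for every locked package whose git source
 * contains $deprecatedRepoNeedle, across both package sections. Run this
 * against each composer.lock in a monorepo to catch stale resolutions
 * that composer.json alone does not reveal.
 */
function findStaleLockEntries(string $lockJson, string $deprecatedRepoNeedle): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $stale = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $url = $pkg['source']['url'] ?? '';
            if ($url !== '' && stripos($url, $deprecatedRepoNeedle) !== false) {
                $stale[] = $pkg['name'] . ' <- ' . $url;
            }
        }
    }
    return $stale;
}

// Constructed input: a search term that, spliced raw, closes the field
// group and widens the query to every document that has a title.
$userInput = 'widget) OR (title:*';
foreach (buildBodyQueries('body', $userInput) as $label => $query) {
    echo str_pad($label, 11) . json_encode($query) . PHP_EOL;
}

// Constructed composer.lock fragment showing the stale resolution pattern
// the audit describes: an OpenSearch package name resolved to a git URL
// that still points at the deprecated Elasticsearch repository.
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "example/aws-opensearch-php-handler",
     "source": {"type": "git",
                "url": "https://github.com/example/aws-elasticsearch-php-handler.git"}},
    {"name": "monolog/monolog",
     "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git"}}
  ],
  "packages-dev": []
}
JSON;
print_r(findStaleLockEntries($lockJson, 'aws-elasticsearch-php-handler'));
```

Escaping keeps the injected parentheses, colon and wildcard literal, so the query can no longer escape the `body` group, but the uppercase `OR` keyword survives escaping and still acts as a boolean operator inside it. That is why the `match` form is the one to migrate to: it treats the whole value as text, and nothing the user types is interpreted as syntax. The lock check only matches on the git source URL, so a package that was re-resolved to a different, legitimate fork would not be flagged; compare `name` against the expected repository if that matters in your setup.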