Lukas Manera

Playbook for Hardening Legacy PHP

Mon, 06 Apr 2026 12:00:00 +0200

This is my practical follow-up to my post on threat modeling legacy PHP in constrained environments.

That post is more about mindset, prioritization, and how to think about risk when the system is messy but the business relies on it.

This one is the hands-on version. It is the kind of outline I come back to at the start of a new project where the codebase is fragile, the DevOps story is rudimentary at best, and nobody is getting six months to clean things up before security work starts.

Privacy Policy

Mon, 06 Apr 2026 00:00:00 +0000

1. Controller

Lukas Manera
Germany

hey@xarc.dev

2. General information on data processing

Protecting your personal data is important to me. Personal data is processed on this website only to the extent technically necessary and, where applicable, based on information you voluntarily provide.

3. Access data / server log files

When you access this website, the hosting provider automatically collects and stores information in so-called server log files. This may include in particular:

tracepack

Mon, 06 Apr 2026 00:00:00 +0000

tracepack is a small Go CLI that quickly scans codebases for patterns and saves the results as Markdown, designed to stay simple, fast, and flexible through YAML profiles.

Stack

Why I built it

When you inherit a large, old, or unfamiliar codebase, the first problem is usually not deep semantic analysis. It is getting a fast, reusable overview of what is there: size, structure, hotspots, and recurring patterns worth reviewing first.

Tradeoffs

The tool is intentionally lightweight and pattern-driven. That keeps it flexible and easy to adapt with YAML profiles, but it also means it is not a replacement for deeper static analysis, framework-aware tooling, or manual review.

Notes

The most useful output is often a compact footprint plus a saved Markdown bundle of searches and command output. That makes triage, migration planning, legacy reviews, and sharing findings with others much easier.

It supports two modes:

Hardening Legacy PHP in Constrained Environments

Sun, 05 Apr 2026 12:00:00 +0200

The moment you realize that the roughest codebase you’ve seen is also one of the most valuable systems you’ve touched, things start to look a little different.

“Just modernize it” is not a security strategy if the main thing that matters is keeping core business processes running in a system that drives major revenue.

If you get called into an old PHP application, it can feel a bit like arriving at a crash site. After the initial shock, instead of judging, you start to think like an emergency responder: assess the scene, stabilize what matters most, and reduce the risk without making the situation worse.

About

Sun, 05 Apr 2026 00:00:00 +0000

I’m a software engineer focused on security automation and tooling.

I build and secure fullstack web systems. Mostly PHP/SQL and Go. A lot of that work sits somewhere between legacy web apps, reliability, and making systems safer.

Currently working toward CKA with Linux Foundation.

This blog is about:

legacy PHP and web application hardening
monitoring, observability, and operational reliability
developer tooling and terminal-first workflows
the occasional note on productivity systems

On the side I build things like TaskVanguard, an AI-assisted companion for Taskwarrior, and hyprorbit, a workspace orchestration tool for Hyprland.

hyprorbit

Sat, 18 Oct 2025 00:00:00 +0000

hyprorbit is a workspace orchestration tool for Hyprland designed to preserve muscle memory while switching between projects or operating contexts.

Stack

Why I built it

Switching between projects usually meant sacrificing my window arrangement or rebuilding it. I wanted the same predictable, project-based layout available in multiple contexts at once. Hyprland did not make that easy on its own.

Tradeoffs

It adds complexity. Moving windows across orbits needs extra keybindings, and selecting windows or configuring window rules with multiple monitors gets a bit messy and takes more setup than plain Hyprland. It also would probably be better as a Hyprland plugin than as an external layer.

Notes

A daemon/client split was worth it for low-latency. It fits my workflow but I rarely have more than one orbit running at a time tbh so much of it could be achieved with hyprland on its own.

Built as a Go daemon and CLI, hyprorbit uses persistent IPC, YAML-driven configuration, and direct Hyprland integration to orchestrate workspace focus, window placement, and orbit switching with minimal latency.

TaskVanguard

Fri, 20 Jun 2025 00:00:00 +0000

Stack

Screenshot

Why I built it

Task managers are great at storing tasks but dont help much with starting them. TaskVanguard tries addressing the friction between knowing what to do and actually doing it — lowering the activation energy through LLM-powered task reframing, impact tagging, and context-aware spot suggestions.

Tradeoffs

It works best when pulling a specific task forward from urgency, tags, and current context. Restructuring large backlogs or generating projects dynamically is weaker, because the model does not have enough context to understand the full shape of the work.

Notes

The best part therefore is still the ‘spot’ workflow: lowering friction around the next actionable task.

Status

Released. Available via go install and AUR (yay -S taskvanguard).

MATA: Monitoring Legacy PHP Applications

Tue, 10 Jun 2025 10:00:00 +0200

Most monitoring platforms assume you control the environment.

They assume you can install agents, open ports, run background services, provision a database, and standardize deployment across every machine you touch.

That is not the reality I run into most often.

A lot of the PHP systems I work with are older revenue-generating applications running on shared hosting, constrained VPS setups, or managed servers where “just install another service” is not a serious option. They are often business-critical, rarely refactored, and maintained with a pragmatic mindset: keep them running, keep them secure, and avoid unnecessary moving parts.

TaskVanguard: LLM-driven task management

Tue, 10 Jun 2025 10:00:00 +0200

You type task into your CLI and get a perfect, color-coded list sorted by urgency.

One item is marked “high priority.” It has been sitting there for 19 days.

You know what it is. You know why it matters. And somehow you still close the terminal and end up cleaning the coffee grinder instead.

I’ve been there: polishing dotfiles instead of fixing a two-line bug because the bug required an uncomfortable conversation.

MATA

Wed, 02 Apr 2025 00:00:00 +0000

MATA is a lightweight monitoring dashboard for PHP-heavy environments where full observability stacks are impractical.

Stack

Screenshot

Why I built it

I wanted monitoring that still works on shared hosting, constrained VPSes, and legacy PHP environments where you cannot install agents or extra services. Existing stacks were usually heavier than the problem called for.

Tradeoffs

It is intentionally not a full observability platform. The design stays small and deployable through read-only PHP nodes and pull-based collection, which fits small server fleets well but is not meant for large-scale or Kubernetes-style monitoring.

Notes

The useful part is combining uptime checks, PHP logs, server metrics, Composer inventory, and alerts in one place. OPA handles alarm decisions cleanly, Taskfile became part of the day-to-day workflow for setup, deploys, and user management, and optional Docker support keeps deployment flexible.

Status

Released. Demo available at demo.mata.sh.