🏗️ ARCHITECTURE: Component Installation System Refactor

[jordanpartridge]

Refactor component installation architecture to eliminate main composer.json pollution and implement proper component isolation with git-tag based versioning.

🚨 Current Problem

The current component installation system has critical architectural flaws identified in PR #75 analysis:

Issues:

• ❌ Components modify main composer.json via composer require
• ❌ Dual storage anti-pattern (JSON + database registry)
• ❌ Components ship with core Conduit product
• ❌ No proper versioning or rollback capability
• ❌ Security vulnerabilities in package installation

🎯 Proposed Architecture: Isolated Component System

Component Isolation Pattern:

conduit/
├── composer.json ← Clean\! Only core dependencies
├── vendor/ ← Only core dependencies  
└── conduit-components/
    ├── components.json ← Version registry
    ├── env-manager/           ← Git repo at specific tag
    │   ├── .git/
    │   ├── composer.json      ← Component's own deps
    │   ├── vendor/            ← Isolated component deps
    │   └── src/
    └── docker/                ← Git repo at specific tag
        ├── .git/
        ├── composer.json
        ├── vendor/
        └── src/

Version Registry System:

{
  "registry": {
    "env-manager": {
      "package": "jordanpartridge/conduit-env-manager",
      "version": "v1.2.3",
      "git_url": "https://github.com/jordanpartridge/conduit-env-manager.git",
      "installed_at": "2025-01-28T10:30:00Z",
      "status": "active"
    }
  }
}

🔧 Implementation Plan

Phase 1: Git-Tag Based Installation

class ComponentInstaller
{
    public function install(string $componentName, string $version = 'latest'): ComponentResult
    {
        // 1. Resolve version to specific tag
        $resolvedVersion = $this->resolveVersion($componentName, $version);
        
        // 2. Clone component at specific tag
        $componentPath = $this->cloneComponent($componentName, $resolvedVersion);
        
        // 3. Run composer install in component directory  
        $this->installComponentDependencies($componentPath);
        
        // 4. Register in local registry
        $this->registerComponent($componentName, $resolvedVersion);
        
        // 5. Register autoloader
        $this->registerComponentAutoloader($componentPath);
    }
}

Phase 2: Version Resolution

// Support composer-like version constraints
conduit components install env-manager          // latest
conduit components install env-manager@v1.2.3   // exact
conduit components install env-manager@^1.0     // semver range
conduit components install env-manager@~1.2.0   // patch range

Phase 3: Runtime Component Loading

class ComponentLoader
{
    public function loadActiveComponents(): void
    {
        foreach ($this->getActiveComponents() as $component) {
            $componentPath = base_path("conduit-components/{$component}");
            
            // Load component's isolated autoloader
            $autoloadFile = "{$componentPath}/vendor/autoload.php";
            if (file_exists($autoloadFile)) {
                require_once $autoloadFile;
            }
            
            // Register service provider
            $this->app->register($component['service_provider']);
        }
    }
}

✅ Benefits

• ✅ Clean Core: Main composer.json never touched
• ✅ Proper Versioning: Git tags with semver support
• ✅ Isolated Dependencies: Each component manages its own deps
• ✅ Easy Updates: git fetch && git checkout v1.3.0
• ✅ Rollback Capability: Switch between any tagged version
• ✅ True Microkernel: Components are completely optional
• ✅ Security: No main project pollution

🎯 User Experience

# Clean, familiar commands
conduit components install env-manager@^1.0
conduit components update env-manager
conduit components list
conduit components remove env-manager

# Version-aware operations
conduit components history env-manager
conduit components rollback env-manager v1.1.0

🔐 Security Improvements

• Remove hardcoded package whitelist
• Implement proper path validation
• Add component signing verification
• Comprehensive input sanitization

📋 Acceptance Criteria

• Git-tag based component installation
• Semantic version resolution (^1.0, ~1.2.0)
• Isolated component dependencies
• Runtime autoloader registration
• Component update/rollback commands
• Clean main composer.json (never modified)
• Migration path from current system
• Comprehensive security improvements

🔗 Dependencies

• Relates to event-driven architecture (🧠 EPIC: Knowledge System v3 - Event-Driven Workflow Orchestration #43)
• Addresses security concerns ([Security] Component Policy Framework (Laravel-style) #16)
• Builds on component scaffolding (PR 🚀 FEATURE: Component Scaffolding System #75)

⚠️ Breaking Changes

This will require migrating existing component installations. Plan proper migration strategy and documentation.

---

Priority: High - Foundational architecture that enables proper component ecosystem.