PROFESSIONAL

Forge

Manages project tracking, tasks, inventory, and reporting using a custom PHP MVC framework with Microsoft 365 and Xero integrations.

What it is


Forge is an internal business operations platform. It centralizes project management, task tracking, time and expense logging, equipment booking, and inventory. It includes portals for employees and clients, and an admin layer. The system integrates with Microsoft 365, Slack, Xero, and AWS. It is built on a custom PHP MVC framework.

Why I built it


Built to replace disconnected tools with a single system tailored to specific operational workflows. I developed the routing, ORM, and security model to maintain full control over the stack. The implementation includes PHPStan at maximum strictness and a 126-test suite. It integrates Microsoft Entra SSO and Xero accounting for automated business processes.

Technical Highlights


Framework & Architecture
Scarlett — a custom PHP MVC framework with six router types (page, action, AJAX, iframe, proxy, SSO).
66 database entities providing an ORM abstraction layer.
FormDriver for automated CSRF injection and field validation.

Core Modules
Project management with task assignment and cost centers.
Client management covering billing and expense tracking.
Equipment booking with conflict detection.
Inventory system with supplier management and transaction ledgers.
20 SQL-backed reports.

Security
CSRF protection on all forms with timing-attack-resistant validation.
TaskPermission system for role-based access.
TOTP 2FA and SAML SSO via Microsoft Entra ID.
PHPStan level 8 enforcement.

Integrations
Microsoft Entra ID and SharePoint for document management.
AWS SES, SNS, and S3.
Xero OAuth2 for accounting sync.
OpenAI API for data features.
Nager Date API for holiday-aware scheduling.

Code Quality & Testing
126 PHPUnit tests covering entities, routing, and AJAX endpoints.
PSR standards enforcement via PHP-CS-Fixer.
Documented security and deployment specifications.

What I solved


Built security into the framework layer to ensure CSRF protection and authentication are enforced by default. Developed a routing and form abstraction that handles complex communication patterns across multiple modules. Integrated disparate enterprise APIs into a unified data model.

By the numbers


6 router types handling page, action, AJAX, iframe, proxy, and SSO request patterns.
66 database entities across the full domain model.
133 CSRF-protected forms — audited and verified.
76 AJAX endpoint handlers across 16 handler groups.
84 page templates across employee, client, and public views.
20+ SQL-backed reports.
126 automated tests, 100% passing.
PHPStan level 8, 0 composer vulnerabilities.
1 developer — framework, application, integrations, tests, deployment.