Commit graph

5 commits

Author SHA1 Message Date
Snider
7d7c489509 fix: add unsafe-eval to production CSP — Livewire uses eval()
Some checks failed
CI / PHP 8.3 (push) Failing after 1m52s
CI / PHP 8.4 (push) Failing after 1m58s
Alpine.js evaluates expressions via eval() at runtime.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-10 05:32:46 +00:00

Snider
87ae36ef22 fix: remove host_analytics from framework CSP config
Some checks failed
CI / PHP 8.3 (push) Failing after 1m53s
CI / PHP 8.4 (push) Failing after 1m49s
Website-specific CSP sources belong in app config, not framework.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-10 05:28:01 +00:00

Snider
95cd788bc9 fix: CSP defaults for Livewire — disable nonces, allow unsafe-inline
Some checks failed
CI / PHP 8.4 (push) Failing after 1m55s
CI / PHP 8.3 (push) Failing after 2m6s
Livewire and Alpine inject inline scripts/styles at runtime without
nonce attributes. Nonce-based CSP breaks all Livewire apps out of the
box. Change defaults:
- nonce_enabled: false (opt-in via SECURITY_CSP_NONCE_ENABLED=true)
- production env: add 'unsafe-inline' for script-src and style-src
- Add host_analytics external source (SECURITY_CSP_HOST_ANALYTICS)

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-10 05:25:57 +00:00

Snider
affedb3d46 refactor: extract Service + Client to standalone packages
Some checks failed
CI / PHP 8.4 (push) Failing after 1m51s
CI / PHP 8.3 (push) Failing after 1m59s
Core\Service → core/php-service (lthn/service)
Core\Website\Service → core/php-service (lthn/service)
Core\Front\Client → core/php-client (lthn/client)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 18:56:43 +00:00

Snider
28d004ff61 feat: replace Go CLI with PHP framework
Some checks failed
CI / PHP 8.4 (push) Failing after 1m54s
CI / PHP 8.3 (push) Failing after 1m58s
Go CLI commands moved to core/go-php. This repo now contains
the Laravel modular monolith framework (previously php-framework).

- Remove all Go files (now in core/go-php)
- Add PHP framework: event-driven module loading, lifecycle events
- Composer package: core/php
- core/php-framework remains as-is for backward compat

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-06 08:49:51 +00:00