Resolve stale forge.lthn.ai/core/cli v0.1.0 references (tag never existed,
earliest is v0.0.1) and regenerate go.sum via workspace-aware go mod tidy.
Co-Authored-By: Virgil <virgil@lethean.io>
Commands must be in `.claude-plugin/commands/` for Claude Code auto-discovery.
Fixed plugin.json to use `{name, description, file}` array format.
Co-Authored-By: Virgil <virgil@lethean.io>
Restructure for production embedding — all Go source now under pkg/php/
with locales embedded alongside. Entry point at cmd/core-php/ imports
forge.lthn.ai/core/php/pkg/php. Prepares for Gin router frontend and
native binary production deployment.
Co-Authored-By: Virgil <virgil@lethean.io>
class_exists() can trigger uncatchable E_COMPILE_ERROR when autoloading
classes with method signature mismatches (e.g. Activity model vs updated
Spatie parent). Now checks file contents for '#[Scheduled' string before
attempting to load — avoids autoloading hundreds of unrelated classes.
Also fixes Activity::getChangesAttribute() return type to match the
updated Spatie parent (Collection instead of array).
Co-Authored-By: Virgil <virgil@lethean.io>
Test files inside module Tests/ directories (e.g. app/Mod/Lem/Tests/)
extend Tests\TestCase which isn't available in production without dev
dependencies. The scanner now skips /Tests/ directories and *Test.php
files, and wraps class_exists() in try/catch for defence in depth.
Co-Authored-By: Virgil <virgil@lethean.io>
- Add ALLOWED_NAMESPACES prefix allowlist to ScheduleServiceProvider
- Add ALLOWED_FREQUENCIES method allowlist (prevents arbitrary method dispatch)
- Verify Action trait on scheduled classes before dispatch
- Move try/catch inside foreach for per-action isolation
- Add empty-scan guard to ScheduleSyncCommand (prevents disabling all rows)
- Consolidate ScheduledActionScanner to single tokenisation pass
- Cast numeric frequency args via ctype_digit() in ScheduledAction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Livewire and Alpine inject inline scripts/styles at runtime without
nonce attributes. Nonce-based CSP breaks all Livewire apps out of the
box. Change defaults:
- nonce_enabled: false (opt-in via SECURITY_CSP_NONCE_ENABLED=true)
- production env: add 'unsafe-inline' for script-src and style-src
- Add host_analytics external source (SECURITY_CSP_HOST_ANALYTICS)
Co-Authored-By: Virgil <virgil@lethean.io>
AddPHPRootCommands registers commands directly on root so
the standalone binary uses `core-php dev` not `core-php php dev`.
AddPHPCommands remains for use inside the `core` CLI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move 8 plug contract interfaces (Authenticable, Commentable, Deletable,
Listable, MediaUploadable, Postable, Readable, Refreshable) from the
Laravel app into the framework under Core\Plug\Contract namespace. Add
register() method to Registry so extracted packages can self-register
their providers without filesystem scanning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
QA subcommands (fmt, stan, psalm, audit, security, rector, infection,
test, qa) now live in core/lint cmd/qa/. Library code (quality.go,
testing.go) retained for cmd_ci.go.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go CLI commands moved to core/go-php. This repo now contains
the Laravel modular monolith framework (previously php-framework).
- Remove all Go files (now in core/go-php)
- Add PHP framework: event-driven module loading, lifecycle events
- Composer package: core/php
- core/php-framework remains as-is for backward compat
Co-Authored-By: Virgil <virgil@lethean.io>
Use GITHUB_TOKEN to clone sister packages (host-uk/core, etc.) that are
referenced as path repositories in composer.json. These packages aren't
on Packagist so CI needs to clone them alongside the main repo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detect whether pest, phpunit, or pint are installed before running them.
Repos without test runners will skip gracefully instead of failing with
"No such file or directory".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Port all PHP command files from core/cli internal/cmd/php/ into a
standalone module. Inlines workspace dependency to avoid cross-module
internal imports.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
