- Add ALLOWED_NAMESPACES prefix allowlist to ScheduleServiceProvider
- Add ALLOWED_FREQUENCIES method allowlist (prevents arbitrary method dispatch)
- Verify Action trait on scheduled classes before dispatch
- Move try/catch inside foreach for per-action isolation
- Add empty-scan guard to ScheduleSyncCommand (prevents disabling all rows)
- Consolidate ScheduledActionScanner to single tokenisation pass
- Cast numeric frequency args via ctype_digit() in ScheduledAction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Livewire and Alpine inject inline scripts/styles at runtime without
nonce attributes. Nonce-based CSP breaks all Livewire apps out of the
box. Change defaults:
- nonce_enabled: false (opt-in via SECURITY_CSP_NONCE_ENABLED=true)
- production env: add 'unsafe-inline' for script-src and style-src
- Add host_analytics external source (SECURITY_CSP_HOST_ANALYTICS)
Co-Authored-By: Virgil <virgil@lethean.io>
AddPHPRootCommands registers commands directly on root so
the standalone binary uses `core-php dev` not `core-php php dev`.
AddPHPCommands remains for use inside the `core` CLI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move 8 plug contract interfaces (Authenticable, Commentable, Deletable,
Listable, MediaUploadable, Postable, Readable, Refreshable) from the
Laravel app into the framework under Core\Plug\Contract namespace. Add
register() method to Registry so extracted packages can self-register
their providers without filesystem scanning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
QA subcommands (fmt, stan, psalm, audit, security, rector, infection,
test, qa) now live in core/lint cmd/qa/. Library code (quality.go,
testing.go) retained for cmd_ci.go.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Go CLI commands moved to core/go-php. This repo now contains
the Laravel modular monolith framework (previously php-framework).
- Remove all Go files (now in core/go-php)
- Add PHP framework: event-driven module loading, lifecycle events
- Composer package: core/php
- core/php-framework remains as-is for backward compat
Co-Authored-By: Virgil <virgil@lethean.io>
Use GITHUB_TOKEN to clone sister packages (host-uk/core, etc.) that are
referenced as path repositories in composer.json. These packages aren't
on Packagist so CI needs to clone them alongside the main repo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detect whether pest, phpunit, or pint are installed before running them.
Repos without test runners will skip gracefully instead of failing with
"No such file or directory".
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Port all PHP command files from core/cli internal/cmd/php/ into a
standalone module. Inlines workspace dependency to avoid cross-module
internal imports.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
