Architecture Goals
Why the core is structured the way it is.
Traceable lifecycle #
You should be able to follow a request from entry point to response without stepping into hidden layers.
Small core, strong edges #
Core stays minimal and predictable. Modules can add features without changing core behavior.
Explicit configuration #
All runtime settings live in PHP config files. User overrides in user/config/ merge over defaults in config/.
| Layer | Path | Priority |
|---|---|---|
| Defaults | config/*.php |
Lowest |
| User | user/config/*.php |
Medium |
| Tenant | user/tenants/<id>/config/*.php |
Highest |
Safety by default #
Default configuration favors safe behavior:
- Auto-escaping in templates (
{{ $var }}) - CSRF protection via middleware
- Path normalization to prevent traversal attacks
- HTTP-only cookies enabled by default