Updater

PointArt includes a built-in self-updater that pulls new framework versions from GitHub Releases — no CLI or SSH required. Designed for shared hosting environments where terminal access is not available.

Namespaces PointStart\Core — Updater

Setup

The updater is disabled by default. To enable it, add two keys to your .env:

UPDATER_ENABLED=true
UPDATER_SECRET=your-secret-here

Both are required. If UPDATER_ENABLED is false or missing, the updater routes do not exist — they return 404 like any other unmatched path. If UPDATER_SECRET is empty, access is denied with 403.

Choose a strong secret The updater secret protects a route that can overwrite framework files. Use a long, random string — not a word or short password.

Usage

Visit /pointart/update in your browser
Enter your updater secret and submit
Review the current and latest versions, plus release notes
Click Update Now to apply the update

The secret is sent via POST body — it never appears in the URL, so it won't leak into server access logs or browser history.

What Gets Updated

The updater replaces framework files only. Your application code and data are never touched.

Updated	Never Touched
`framework/**`	`app/**` — your controllers, models, views
`index.php`	`.env` — your configuration
`.htaccess`	`*.sqlite` — your database
`config.php`	`.env.example`
`README.md`, `LICENSE`, `CONTRIBUTING.md`	`cache/` — cleared, not replaced

Backups

Before overwriting any file, the updater creates a full backup at:

cache/update-backup-{old-version}/

If something goes wrong, you can restore files from this directory. Each update creates a separate backup folder named after the version that was replaced.

Update Channels

The updater page includes a channel selector:

Channel	Description
Stable (default)	Production-ready releases. Only shows GitHub releases that are not marked as prerelease.
Dev	Development releases for testing. Only shows GitHub releases marked as prerelease. A warning is displayed when this channel is selected.

Releases use standard semver tags (e.g. v1.1.0, v1.2.0-beta). The channel is determined by the prerelease checkbox on the GitHub release — no special tag naming required.

Version Tracking

The installed framework version is stored in framework/VERSION — a plain text file containing just the version string (e.g. 1.1.0). The updater compares this against the latest GitHub Release to determine whether an update is available.

Requirements

The updater uses standard PHP functions available on virtually all shared hosts:

file_get_contents with HTTPS — for GitHub API calls and downloading releases
ZipArchive — for extracting the downloaded release
allow_url_fopen = On — must be enabled in php.ini (enabled by default on most hosts)

Outbound HTTPS Some shared hosting providers block outbound HTTPS requests. If the updater reports "Could not reach GitHub", contact your host about enabling allow_url_fopen or outbound HTTPS.

Configuration

`.env` Key	Default	Description
`UPDATER_ENABLED`	`false`	Enable the updater route (`/pointart/update`)
`UPDATER_SECRET`	—	Secret key required to access the updater

Tip Disable the updater after updating (UPDATER_ENABLED=false) to reduce your attack surface. Only enable it when you need to check for or apply updates.

How It Works

Under the hood, the updater follows these steps:

Calls the GitHub Releases API to fetch the latest release metadata
Compares the release tag against the version in framework/VERSION
Downloads the release zip archive
Extracts it to a temporary directory inside cache/
Backs up every file that will be overwritten
Copies new files into place, skipping protected paths
Clears the route cache (cache/registry.ser)
Cleans up temporary files

The updater is a built-in framework route — it is handled directly by App before user routes are dispatched. It does not require a controller in app/ and does not appear in your route table.