# PointArt Framework

> A zero-dependency PHP micro-framework modelled after Spring Boot's programming model. Ship powerful features with the simplicity of plain PHP.

PointArt brings Spring Boot-style architecture to PHP — attribute-driven routing, a Reflection-based DI container, a zero-SQL ORM, and a runtime Repository code generator. No Composer dependencies. Runs on any shared host with PHP 8.1+ and Apache mod_rewrite.

## Start Here

- [Getting Started](https://pointartframework.com/getting-started): Installation, configuration, directory structure, and first steps.
- [GitHub Repository](https://github.com/cn8001/PointArt): Source code, issues, and contributions.

## Documentation
- [Routing](https://pointartframework.com/docs/routing): Attribute-based routing with #[Router] and #[Route]. Path parameters, query string injection, POST body injection via #[RequestParam], CSRF exemption.
- [Dependency Injection](https://pointartframework.com/docs/dependency-injection): #[Wired] for property injection, #[Service] for singleton registration, Reflection-based container resolution.
- [ORM](https://pointartframework.com/docs/orm): #[Entity], #[Column], #[Id] annotations. Static query methods (find, findAll, findBy, findOne). Instance methods (save, delete). PDO-backed, supports MySQL, PostgreSQL, SQLite.
- [Repositories](https://pointartframework.com/docs/repositories): Runtime Repository code generation. Dynamic finders parsed from method names (findByNameAndEmail, countByStatus, existsByEmail). #[Query] for custom SQL.
- [Views](https://pointartframework.com/docs/views): Plain .php view files, no template engine. Renderer::render() with data extraction into view scope.
- [Configuration](https://pointartframework.com/docs/configuration): .env keys for database (mysql/pgsql/sqlite), CORS, CSRF, and debug mode.
- [Updater](https://pointartframework.com/docs/updater): Built-in self-updater. Pull new framework versions from GitHub Releases via the browser — no CLI or SSH required. Disabled by default; enable with UPDATER_ENABLED and UPDATER_SECRET in .env.
- [Contributing](https://pointartframework.com/contributing): Roadmap, contribution guidelines, and open issues.
- [Changelog](https://pointartframework.com/changelog): Latest commits and updates.

## Core Concepts

- **Routing** — Mark controllers with `#[Router]` and methods with `#[Route]`. Supports path parameters (`{id}`), query string injection, and POST body injection via `#[RequestParam]`. Returns string for HTML, array/object for JSON.
- **Dependency Injection** — `#[Wired]` on a property triggers automatic injection. The container resolves constructor and property dependencies via Reflection API. `#[Service]` marks a class as a singleton.
- **ORM** — `#[Entity]`, `#[Column]`, `#[Id]` annotations map classes to database tables. `Model` provides `find()`, `findAll()`, `findBy()`, `save()`, `delete()` with no SQL.
- **Repository Pattern** — Extend `Repository`, declare abstract methods like `findByNameAndEmail()`, and the framework generates the SQL implementation at runtime — mirroring Spring Data JPA.
- **Performance** — ClassLoader scans `app/` once and serializes the route and service registry to `cache/registry.ser`. Subsequent requests read from cache — zero Reflection overhead on the hot path.
- **CORS** — Disabled by default, opt-in via `.env`. When enabled, headers are set on every response. `OPTIONS` preflight requests return `204 No Content` automatically — no controller needed. Supports configurable origins, methods, headers, credentials, and max-age.
- **Security** — Built-in CSRF protection (synchronizer-token pattern) enabled by default for POST requests. JSON API requests (`Content-Type: application/json`) skip the check automatically. Per-route `csrfExempt: true` flag for webhooks and public APIs. Use `csrf_field()` in forms or `csrf_token()` for AJAX via `X-CSRF-Token` header.
- **Updater** — Built-in self-updater pulls new framework versions from GitHub Releases — no CLI or SSH required. Updates framework files only; application code and `.env` are never touched. Supports stable and dev (prerelease) channels. Disabled by default.
- **Views** — Plain `.php` files, no template engine, no build step. `Renderer::render('view.name', $data)` extracts data into view scope.
- **Error Handling** — `httpError($code, $detail)` for any HTTP error. `APP_DEBUG=true` shows stack traces, false shows a clean error page.

## Directory Structure

- `index.php` — Single entry point
- `.htaccess` — Rewrites all requests to index.php via Apache mod_rewrite
- `framework/core/` — App, Container, ClassLoader, RouteHandler, Renderer
- `framework/ORM/` — Model, Repository
- `framework/attributes/` — Route, Router, Service, Wired, RequestParam, Entity, Column, Id, Query
- `app/components/` — Controllers and Services (auto-scanned)
- `app/models/` — Model subclasses
- `app/repositories/` — Repository subclasses
- `app/views/` — Plain .php view files
- `app/public/` — Static assets (CSS, JS, images)
- `cache/registry.ser` — Serialized route and service registry (auto-generated)

## Configuration (.env)

- `APP_DEBUG` — Show stack traces on error (default: false)
- `DB_DRIVER` — mysql | pgsql | sqlite (default: mysql)
- `DB_HOST`, `DB_PORT`, `DB_DATABASE`, `DB_USERNAME`, `DB_PASSWORD`, `DB_CHARSET`
- `DB_PATH` — Path to SQLite file (SQLite only)
- `CORS_ENABLED`, `CORS_ALLOWED_ORIGINS`, `CORS_ALLOWED_METHODS`, `CORS_ALLOWED_HEADERS`, `CORS_ALLOW_CREDENTIALS`, `CORS_MAX_AGE`
- `CSRF_ENABLED` — Enable CSRF token validation (default: true)
- `UPDATER_ENABLED` — Enable the built-in framework updater (default: false)
- `UPDATER_SECRET` — Secret key required to access the updater

## Dynamic Finder Operators

Supported suffixes on Repository method name segments: `GreaterThan`, `LessThan`, `GreaterThanEqual`, `LessThanEqual`, `Not`, `Like`, `IsNull`, `IsNotNull`

Examples: `findByAgeGreaterThan($age)`, `findByStatusNot($status)`, `findOneByEmail($email)`, `countByStatus($status)`, `existsByEmail($email)`, `deleteByStatus($status)`

## Requirements

- PHP 8.1+
- Apache with mod_rewrite enabled
- PDO extension (mysql, pgsql, or sqlite driver depending on config)

## License

Mozilla Public License 2.0 — modifications to MPL-licensed source files must be made available under MPL 2.0. Code that merely uses the framework does not need to be open-sourced.