Release Notes

Curated highlights, migration guidance, and structured summaries of Glueful framework releases.

This page is a curated layer over the raw authoritative CHANGELOG.md. For complete detail (including every Added/Changed/Removed/Fix line) consult the full changelog.

v1.70.0 - Albireo

Released: July 16, 2026

A blob-policy composition seam plus two long-standing database fixes. Extensions can now contribute blob access policies simultaneously through BlobAccessPolicyRegistry; whereIn() works on update()/delete(); and createTable() plain indexes are no longer silently discarded on SQLite/PostgreSQL. Additive API, no new env vars, no migrations. One operational note for pre-existing SQLite/PostgreSQL dev databases (see Migration Notes).

Key Highlights

Blob access policy composition — BlobAccessPolicyRegistry + CompositeBlobAccessPolicy

whereIn() / whereNotIn() on write operations

createTable() plain indexes on SQLite/PostgreSQL

Migration Notes

  • SQLite/PostgreSQL databases migrated before 1.70.0 are missing every plain index declared inline in a createTable() callback — they were silently discarded. Fresh migrations are correct automatically; for existing databases, re-run the relevant CREATE INDEX statements or re-migrate dev databases. Performance-only: data and query results were never affected.
  • No other action required — the registry seam is additive, and the whereIn() write fix turns a previously throwing call into the behavior its builders already advertised.
composer update glueful/framework

v1.69.0 - Albali

Released: July 14, 2026

A boot-time config override seam: ApplicationContext::overrideConfig(), frozen once boot completes. One additive method that lets applications and extensions override configuration during boot. No new env vars, no migrations, no default changes; unbound behavior is byte-for-byte identical to 1.68.x. No action required.

Key Highlights

Process-local config overrides — ApplicationContext::overrideConfig()

Migration Notes

  • No action required — the method is purely additive and nothing in the framework calls it. Existing apps behave identically.
  • To adopt it, call ApplicationContext::overrideConfig() from a service provider's register() (or any boot-phase code), before boot completes.
composer update glueful/framework

v1.68.0 - Ain

Released: July 10, 2026

Blob route extensibility: two generic, unbound-by-default seams over the blob endpoints, a reusable auth:optional mode, and a signed-URL fix for private uploads. No new env vars, no migrations, no default changes. The blob VIEW route's auth posture changes — but the controller remains the authoritative gate, so response shapes are identical. No action required.

Key Highlights

Per-action blob middleware — BlobRouteMiddlewareProvider

Application-chosen blob origins — BlobPublicUrlProvider

Optional route authentication — auth:optional

Fixed: signed URLs under globally private uploads

Migration Notes

  • No action required. Both seams are unbound pass-throughs; the VIEW behavior change only adds a previously-broken capability (anonymous signed access in private mode) while preserving all existing responses.
  • To adopt the seams, bind BlobRouteMiddlewareProvider and/or BlobPublicUrlProvider in a service provider — the blob route registration and signedUrl() soft-resolve them.
composer update glueful/framework

v1.67.0 - Adhil

Released: July 10, 2026

Four opt-in extension seams — independent DB sessions, around-execution wrappers, write-side row hooks, and blob lifecycle/authorization hooks. Every seam is an exact pass-through until your application binds it: no new env vars, no migrations, no default changes, and unbound behavior is byte-for-byte identical to 1.66.x. No action required — upgrade and adopt seams as needed.

Key Highlights

Independent database sessions — Connection::newPdo()

Around-execution wrappers — QueryExecutor::addExecutionWrapper()

Write-side row hooks — Connection::addInsertHook()

Blob lifecycle + authorization hooks

Migration Notes

  • No action required. All four seams are unbound by default and exact pass-throughs; existing applications behave identically.
  • To adopt a seam, bind your implementation in a service provider (e.g. bind BlobCreatedHook/BlobAccessPolicy to your classes) — the framework's UploadController factory soft-resolves them.
  • BlobRepository::forceDelete() permanently removes a blob row (bypasses soft-delete). Reach for it only in compensation paths; normal deletion remains the soft status='deleted' flow.
composer update glueful/framework

v1.66.3 - Adhara

Released: July 6, 2026

Route caching no longer crashes routes whose where() constraint contains parentheses. After 1.66.2 re-enabled route caching for apps that mount an SPA, any dynamic route with a parenthesized constraint — e.g. a non-capturing (?:twig|css|js) group — raised ValueError: array_combine(): … must have the same number of elements on its first request. The compiled cache now stores each route's original path and constraints and rebuilds from them, instead of reverse-engineering the path from the regex. No action required — the cache format is bumped, so stale route caches regenerate automatically on upgrade.

Key Highlights

Lossless dynamic-route reconstruction from the compiled cache

Migration Notes

  • No action required. The fix is transparent; the bumped cache-format version invalidates any pre-existing route cache so it rebuilds on the next boot. Running php glueful route:cache:clear (or cache:clear) forces it immediately.
composer update glueful/framework
php glueful route:cache:clear

v1.66.2 - Adhara

Released: July 6, 2026

Mounting an admin/SPA no longer disables route caching. serveFrontend() registered the SPA mount root and /{rest} catch-all as closures, and RouteCache refuses to cache a route table containing any closure — so every SPA-mounting app ran uncached and logged a [RouteCache] Skipping cache … Convert to [Controller::class, "method"] syntax warning on each boot. The seam now uses controller handlers backed by a mount registry; asset/index serving is byte-for-byte identical. No signature or config change, no new env vars — affected apps regain route caching automatically after upgrading.

Key Highlights

Route caching restored for SPA-mounting apps

Migration Notes

  • No action required. The serveFrontend() signature and behaviour are unchanged; there are no new env vars and no config changes. After upgrading, apps that mount an SPA will build the route cache normally and the [RouteCache] boot warning disappears.
composer update glueful/framework
php glueful cache:clear

v1.66.1 - Adhara

Released: July 6, 2026

The extension installer is now synchronous. The 1.66.0 installer spawned composer require as a detached background job and made the client poll — but forking a long-lived PHP CLI from a web server (Apache/php-cgi/nginx+FPM) proved unreliable, and installs simply hung in queued. POST /extensions/install now runs composer inline and returns the result in one response; the extension installs disabled and is activated with the enable toggle (WordPress-style). Also fixes the catalog 422 that hid any extension with release history. The install API changed shape (single response, no job polling); run php glueful cache:clear after upgrading.

Key Highlights

Synchronous install — no queue, no polling

Type re-verification judges the latest release, not every one

Migration Notes

  • The install API changed shape. POST /extensions/install returns the final result directly instead of a job id, and GET /extensions/install/{jobId} has been removed — await the single request. The 1.66.0 detached installer never worked under a web SAPI, so no functioning integration is affected.
  • Env (all optional): EXTENSIONS_INSTALL_PHP_BINARY — absolute path to a CLI php used to run composer (leave blank to auto-detect; set it when the web SAPI's php isn't a usable CLI interpreter, e.g. /usr/bin/php behind nginx+FPM). COMPOSER_BINARY — absolute composer path if it isn't on the web PATH. EXTENSIONS_INSTALL_AUTO_ENABLE has been removed.
  • After upgrading, run php glueful cache:clear so the corrected installable-extension catalog is rebuilt (the 1.66.0 catalog cache can hide affected packages until its TTL lapses).
composer update glueful/framework
php glueful cache:clear

v1.66.0 - Adhara

Released: July 5, 2026

Install extensions from the admin UI — no SSH required. A new install pipeline runs composer require for a catalog extension from the browser instead of the server terminal: the package is validated against the Packagist catalog, installed in a detached process that survives an FPM recycle, then auto-enabled in a fresh subprocess (to dodge the running worker's stale autoloader). Guarded by the system.config permission tier and a kill-switch that is off in production by default. Also fixes SVG uploads 400ing on the content check. Minor — three new optional EXTENSIONS_INSTALL_* env vars with safe defaults; no migrations, no breaking changes.

Key Highlights

Browser-driven extension install (composer require, detached)

Guardrails on the install path

SVG uploads no longer 400 on the content check

Migration Notes

  • Nothing required to upgrade. The new install block in config/extensions.php ships with working defaults.
  • New optional env vars for the extension installer:
    • EXTENSIONS_INSTALL_ENABLED — master kill-switch; defaults on outside production, off in production.
    • EXTENSIONS_INSTALL_AUTO_ENABLE (default true) — auto-enable right after a successful install.
    • EXTENSIONS_INSTALL_TIMEOUT (default 600) — seconds before a composer require run is timed out.
  • To use the installer in production, set EXTENSIONS_INSTALL_ENABLED=true and make the deploy's vendor/ tree writable by the web user.
composer update glueful/framework

v1.65.3 - Acrux

Released: July 3, 2026

Random-string buffer overrun and static-asset MIME fixes. RandomStringGenerator::generate() could read past its random-byte buffer under unlucky rejection sampling — an intermittent "Uninitialized string offset" in anything generating passwords or tokens, and a quiet output-bias risk. Separately, static assets served through serveFrontend() were content-sniffed to text/plain, which the accompanying nosniff header turns into browsers refusing CSS and module scripts outright. Patch — bugfixes only, no new env, no migrations, no behavioral changes.

Key Highlights

RandomStringGenerator rejection sampling stays inside its buffer

serveFrontend() assets get extension-mapped MIME types

Migration Notes

  • Nothing required. Pure bugfix patch — no new env, no migrations, no behavioral changes.
composer update glueful/framework

v1.65.2 - Acrux

Released: July 2, 2026

Array-valued field-selection params no longer 500. A public read/delivery endpoint that builds its FieldSelector from the request would return an unhandled 500 when a client sent fields/expand as an array (?fields[]=a), because Symfony's InputBag rejects non-scalar values. Field selection is a scalar syntax, so those params are now read tolerantly and an array value is treated as "no selection". Patch — bugfix only, no new env, no migrations, no behavioral changes.

Key Highlights

FieldSelector tolerates malformed array params

Migration Notes

  • Nothing required. Pure bugfix patch — no new env, no migrations, no behavioral changes.
composer update glueful/framework

v1.65.1 - Acrux

Released: July 1, 2026

Extension-toggle and CLI hygiene fixes. php glueful extensions:enable/disable no longer leave a stray trailing-whitespace line in config/extensions.php (which tripped phpcs/CI on the very next lint), and four console commands that were unrunnable due to option-shortcut clashes with Symfony's globals now start cleanly. Patch — bugfixes only, no new env, no migrations, no behavioral changes.

Key Highlights

extensions:enable/disable write clean config

Console commands no longer clash with global shortcuts

Migration Notes

  • Nothing required. Pure bugfix patch — no new env, no migrations, no behavioral changes. If you scripted php glueful install --quiet for unattended installs, switch it to --unattended (the global -q/--quiet now resolves normally on that command).
composer update glueful/framework

v1.65.0 - Acrux

Released: June 30, 2026

Database, validation, and routing improvements. New QueryBuilder::forceDelete() (hard-delete on a soft-deletable table without dropping to raw SQL), validator coercion rules (CastToInt / CastToBoolean / CastToDate), a DbUnique exclude-by-column argument, an api_key_uuid request attribute for per-key attribution, and ServiceProvider::resetLoadedRoutes() for clean re-boots. Plus three routing/schema fixes — auth.user is always populated after auth, file-defined require_scope: params are now enforced, and alterTable()->dropColumn() actually drops. Minor — no new env, no migrations; scope enforcement is tightened (see Migration Notes).

Key Highlights

Database & validation toolbelt

Routing & schema correctness

Migration Notes

  • Scope enforcement tightened. If you declared a route's scope as a middleware param — ->middleware('require_scope:read:content') — it was previously not enforced (it fell open) and now enforces fail-closed. Requests lacking the scope will correctly receive 403. Routes using the #[RequireScope] attribute are unaffected. Everything else is additive — no new env, no migrations.
composer update glueful/framework

v1.64.0 - Zosma

Released: June 28, 2026

Configurable, auditable API keys — plus webhook and blob-visibility fixes. ApiKeyService now reads its brand prefix from config (API_KEY_PREFIX, default gf) so apps can rebrand generated keys, and its create/rotate/revoke paths emit framework entity events so key lifecycle is auditable (identity only, never the secret). Also fixes three latent webhook-management bugs and a blob-visibility bug where "public" uploads were stored private and 401'd on retrieval. Minor — one new optional env (API_KEY_PREFIX), backward compatible, no migrations.

Key Highlights

Rebrandable, auditable API keys

Webhook management + blob visibility fixes

Migration Notes

  • Nothing required. Backward compatible: API_KEY_PREFIX defaults to gf (reproduces existing keys), and no migrations ship. Set API_KEY_PREFIX only if you want to rebrand keys. To audit key lifecycle, ensure an audit consumer is listening for the api_keys entity events.
composer update glueful/framework

v1.63.5 - Yildun

Released: June 27, 2026

The webhook management API is now fully typed in OpenAPI. 1.63.4 added operation summaries to WebhookController; this fills in the schemas — query parameters, request bodies, and response shapes — so an application that mounts the controller gets a precise spec (and a typed client) for subscriptions and deliveries, not just path stubs. Patch — documentation metadata only (new doc-only DTOs + attributes), no behavioral change, no new env, no migrations.

Key Highlights

Typed query params, bodies, and responses for webhooks

Migration Notes

  • Nothing required. Documentation metadata only. After composer update, re-run generate:openapi (and your client codegen) to pick up the fully-typed webhook endpoints.
composer update glueful/framework

v1.63.4 - Yildun

Released: June 27, 2026

The webhook management API is now self-documenting. The framework ships a complete WebhookController (subscription + delivery management), but its methods carried no OpenAPI attributes — so an application that mounts these routes got working endpoints that were invisible to generate:openapi and the typed client. All 11 endpoints now carry #[ApiOperation]/#[ApiResponse]. Patch — documentation metadata only, no behavioral change, no new env, no migrations.

Key Highlights

WebhookController endpoints appear in generated docs

Migration Notes

  • Nothing required. Documentation metadata only. After composer update, re-run generate:openapi (and your client codegen) to surface the webhook endpoints in your spec.
composer update glueful/framework

v1.63.3 - Yildun

Released: June 26, 2026

Blob writes are now auditable. BlobRepository was constructed without an ApplicationContext, so its create/update/delete never dispatched entity events — blob uploads emitted no EntityCreatedEvent and silently couldn't be audited. It's now built with the context, so uploads emit events an audit/activity consumer can record. Bugfix patch — no new env, no migrations.

Migration Notes

  • Nothing required. Bugfix only.
composer update glueful/framework

v1.63.2 - Yildun

Released: June 26, 2026

Image-variant caching fix. Serving a resized blob variant (GET /blobs/{uuid}?width=…) with the variant cache enabled returned a 500: UploadController cached the rendered image as raw bytes, which a JSON-based cache serializer (e.g. the Redis driver's SecureSerializer) can't encode — raw bytes aren't valid UTF-8 — so every cached resize threw Malformed UTF-8. The un-resized original was unaffected. Bugfix patch — no new env, no migrations.

Key Highlights

Resized image variants are cached correctly

Migration Notes

  • Nothing required. Bugfix only; no env or config changes, no migrations.
composer update glueful/framework

v1.63.1 - Yildun

Released: June 25, 2026

Resilient event dispatch + dead auth events. Auth/security events (logins, logouts, failed logins, security violations) were silently not reaching their listeners: ActivityLoggingSubscriber — the first listener on every auth/security event — was unresolvable (it required a LogManager the container never registers), so it threw; and the dispatcher didn't isolate listener failures, so that one throw aborted the whole dispatch before any later listener ran. The session dispatcher swallowed the error, so logins succeeded with nothing logged. Bugfix patch — no new env, no migrations.

Key Highlights

A throwing listener no longer starves the rest of the chain

ActivityLoggingSubscriber is resolvable again

Failed logins now emit AuthenticationFailedEvent

Migration Notes

  • Nothing required. Both are bugfixes; no env or config changes, no migrations.
composer update glueful/framework

v1.63.0 - Yildun

Released: June 25, 2026

Entity-deletion event + subclass domain-event dispatch. BaseRepository now emits an EntityDeletedEvent on a successful delete — completing the create/update/delete triplet so audit, cache-invalidation and notification consumers can react to deletes, not just writes. And the repository's event-dispatch helper is now protected, so repository subclasses (including those in extensions) can emit their own domain events through the same best-effort path. Additive — a new event (fires only if subscribed) plus a visibility widening; no env, no migrations.

Key Highlights

EntityDeletedEvent completes the entity CRUD event triplet

Repository subclasses can emit their own domain events

Migration Notes

  • Nothing required. Both changes are additive; behavior is unchanged unless you subscribe to the new event or emit one from a subclass.
composer update glueful/framework

v1.62.0 - Xuange

Released: June 24, 2026

User-record enrichment seam. A new core contract lets an authorization extension attach fields — like a user's roles — to the records an identity store returns (/users, /users/{uuid}, /me), without the two extensions depending on each other. The read-side symmetric of the existing login-time identity.claims_provider seam. Additive — nothing changes unless an extension registers an enricher; no env, no migrations.

Key Highlights

UserRecordEnricherInterface + the users.record_enricher tag

Migration Notes

  • Nothing required. The contract is additive; behavior is unchanged until an extension registers an enricher.
composer update glueful/framework

v1.61.2 - Wezen

Released: June 23, 2026

Permission gate fail-closed fix. Every #[RequiresPermission] / gate_permissions route returned 403 for fully authorized users — the auth.user principal the gate reads was never populated because AuthMiddleware's enricher lookup used a container id that never matched, so the enricher silently never ran. Routes guarded by attribute permissions (admin/RBAC/i18n endpoints) were unreachable. Bugfix patch — no new env, no migrations.

Key Highlights

#[RequiresPermission] routes no longer 403 authorized users

File / Memcached cache drivers accept colon-namespaced keys

Migration Notes

  • Nothing required. Bugfix only.
composer update glueful/framework

v1.61.1 - Wezen

Released: June 22, 2026

CORS on every response. Cross-origin error and regular responses (422, 401, …) now carry Access-Control-Allow-Origin, so a separately-served frontend (e.g. a Vite dev SPA on another origin) can finally read their bodies. Previously only the OPTIONS preflight got CORS headers, leaving regular and error bodies blocked by the browser. Bugfix patch — no new env, no migrations, no action required.

Key Highlights

CORS headers on regular and error responses

Migration Notes

  • Nothing required. Same-origin requests and disallowed origins are unchanged; allowed cross-origin requests now receive the CORS headers they should always have had on regular and error responses.
composer update glueful/framework

v1.61.0 - Wezen

Released: June 20, 2026

OpenAPI tag filtering. The doc generator can now drop operations from the generated spec by tag (documentation.options.tags.include / .exclude, env-driven), so a consumer-facing spec can hide infrastructure groups (Health, Documentation, Security) without turning off whole route sources. Additive and off by default (empty lists = no filtering) — no breaking changes, no migrations.

Key Highlights

Tag allow/deny for the OpenAPI spec

Doc-config cleanup

Migration Notes

  • Nothing required. Filtering is off by default (both lists empty). To use it, set e.g. API_DOCS_EXCLUDE_TAGS="Health,Documentation,Security" and regenerate the spec.
  • The removed route_definitions / extension_definitions config keys were already inert — safe to delete if you copied them into your app's config.
composer update glueful/framework

v1.60.0 - Vega

Released: June 19, 2026

Engine-agnostic installer + first-run setup seams. php glueful install now configures and migrates any database engine (MySQL/PostgreSQL/SQLite) — not just SQLite — and a new Glueful\Installer\ toolkit lets an app drive first-run setup from CLI or a UI without shelling out. Additive (no breaking API changes, no new env, no migrations) — but install is now interactive, so non-interactive callers should pass --quiet.

Key Highlights

install works with any database engine

Glueful\Installer\ seams (CLI or UI, no shelling out)

Safer .env + correct PostgreSQL DSN

Migration Notes

  • php glueful install is now interactive. It prompts for the database engine + credentials by default. Non-interactive callers (CI, post-create-project-cmd, scripts) should pass --quiet to use the existing .env without prompts, or --skip-database to skip DB setup/migrations. The api-skeleton's post-create-project-cmd is updated accordingly.
  • No env, config, or migration changes.
composer update glueful/framework

v1.59.0 - Unukalhai

Released: June 19, 2026

First-party frontend serving. A new ServiceProvider::serveFrontend() seam serves a built SPA or static bundle at any literal path (e.g. /admin) — with secure asset serving, an index.html deep-link fallback, and a content-hash-aware cache split. It replaces and removes mountStatic() (which only mounted at /extensions/{mount} and had no SPA fallback). One small migration if you used mountStatic(); everything else is additive.

Key Highlights

serveFrontend() — serve a SPA at any literal path

OpenAPI: less boilerplate per endpoint

HEAD requests to file responses no longer 500

Migration Notes

  • mountStatic() is removed. Replace $this->mountStatic('foo', $dir) (served at /extensions/foo) with $this->serveFrontend('/foo', $dir) (any literal path + index.html fallback). For a plain bundle that 404s on a miss, use $this->serveFrontend('/foo', $dir, ['spaFallback' => false]). serveFrontend() no-ops with a warning if the bundle has no index.html (when spaFallback is on).
  • The unused SpaManager / StaticFileDetector / SpaProvider are removed (dead code, no callers). No config, env, or migrations.
composer update glueful/framework

v1.58.1 - Thuban

Released: June 15, 2026

OpenAPI response-schema fidelity. Three additive reflect-generator fixes so typed ResponseData DTOs document response bodies accurately — the success envelope marks its keys required, and #[ArrayOf] now resolves array items in response mode. Fully additive: no behavior change for request DTOs, no config/env changes, nothing to migrate.

Key Highlights

#ArrayOf now works on response DTOs

Success envelope marks its keys required

Request-DTO safety preserved

Migration Notes

  • Nothing to migrate. Fully additive — no behavior change for request DTOs, no config or env changes.
composer update glueful/framework

v1.58.0 - Thuban

Released: June 15, 2026

Typed request-DTO hydration v2. RequestData DTOs now handle arrays, nested DTOs, and path/query inputs — closing the v1 "flat-scalars, JSON-body-only" boundaries from 1.57.0. Fully additive: flat scalar v1 DTOs are byte-identical, there are no config or env changes, and nothing to migrate.

Key Highlights

Arrays & nested DTOs — no more TypeError sharp edge

Path & query sources via #FromRoute / #FromQuery

Cross-field validation & custom rules

Migration Notes

  • Nothing to migrate. Fully additive — existing flat-scalar RequestData DTOs behave identically, and there are no config or env changes.
composer update glueful/framework

v1.57.0 - Sargas

Released: June 14, 2026

A types-first I/O convention and a single code-first OpenAPI generator. Controllers can now express request/response shapes as typed DTOs that drive both the runtime envelope and the generated spec; the OpenAPI generator is consolidated to the code-first reflect engine and the legacy docblock-parsing comments generator is removed. Mostly additive, but it ships as a minor for one breaking change. If you used the comments OpenAPI generator or documented routes with @route/@response docblocks, read the Migration Notes.

Key Highlights

Types-first request & response DTOs

One code-first OpenAPI generator

Reference adoption across core controllers

Migration Notes

  • The comment-based OpenAPI generator has been removed; reflect is now the only OpenAPI generator.
  • documentation.generator and API_DOCS_GENERATOR are no longer supported — remove them from config/env (the value is ignored).
  • Route @route, @summary, @requestBody, @response, and related docblock annotations are no longer read.
  • Document endpoints with typed DTOs plus #[ApiOperation], #[QueryParam], #[ApiRequestBody], and #[ApiResponse]. See the OpenAPI reflect guide.
  • No migrations.
composer update glueful/framework

v1.56.0 - Rastaban

Released: June 13, 2026

The second wave of the June 2026 security & correctness hardening pass: queue/scheduler payload signing, SSRF-safe HTTP with validated-DNS pinning, unified sensitive-parameter redaction, fail-closed CORS/image defaults, and JWT temporal-claim enforcement. Almost entirely fixes, but several change defaults or add config/env vars (CORS credentials off by default; remote image fetch opt-in; queue/scheduler payloads signed by default; JWT requires exp) -- so it ships as a minor. Read the Migration Notes before upgrading.

Key Highlights

Queue & scheduler payloads are signed and gated

SSRF-safe HTTP + unified redaction

Fail-closed defaults + JWT temporal claims

Migration Notes

  • CORS fails closed. The standalone handler no longer allows all origins by default, and CORS_SUPPORTS_CREDENTIALS now defaults to false. Set CORS_ALLOWED_ORIGINS (and CORS_SUPPORTS_CREDENTIALS=true only if you genuinely need credentialed cross-origin requests).
  • Remote image fetching is opt-in. With no image.security config, external image URLs are disabled and the allow-list is empty. Configure image.security.allowed_domains or install/configure glueful/media.
  • Queue & scheduler payloads are signed by default. QUEUE_PAYLOAD_SIGNING / QUEUE_REQUIRE_SIGNED_PAYLOADS default on (inert without APP_KEY). To drain legacy unsigned rows, temporarily set QUEUE_REQUIRE_SIGNED_PAYLOADS=false. Custom queue/scheduler handlers must implement JobInterface.
  • JWT requires exp. Tokens without exp (or with expired/non-numeric exp, future nbf/iat) are rejected.
  • Memcached cache format changed. Flush the cache when upgrading a Memcached-backed deployment -- raw legacy string values that aren't valid serialized data now throw on read.
  • Set TRUSTED_PROXIES behind a load balancer so client IPs resolve correctly. New optional http.safe_fetch.max_redirects (default 3). No migrations.
composer update glueful/framework

v1.55.0 - Peacock

Released: June 11, 2026

A security & correctness hardening release: a focused pass over routing/permissions, auth, storage paths, the database write-path, deserialization, and the container/extension boundary, from a five-part framework review. Mostly bug fixes, but several change behavior or defaults (permission attributes now enforce; API-key query param off by default; signed URLs fail closed without a secret; extensions fail loud at boot) and one adds a feature (range UPDATE/DELETE predicates) -- so it ships as a minor. Read the Migration Notes before upgrading.

Key Highlights

Route permission attributes now actually enforce

Auth & storage hardening

Database integrity + injection hardening

Container/extension boundary fails loud

Migration Notes

  • Permission attributes now enforce. Routes using #[RequiresPermission]/#[RequiresRole] without a permission provider bound will now 403. Bind a provider (e.g. glueful/aegis), grant the permissions, or remove the attribute from open routes.
  • API key query string is off by default. Move clients to the X-API-Key header, or set security.api_keys.allow_query_param = true.
  • Signed URLs require a secret. Configure uploads.signed_urls.secret / SIGNED_URL_SECRET (or app.key / APP_KEY) -- a distinct value per environment. Generation/validation throws otherwise.
  • Extensions fail loud at boot (non-prod). A previously-silent extension wiring failure will now surface; fix the binding (a bare interface id needs ['class' => Concrete::class] or a factory).
  • New optional config keys security.api_keys.allow_query_param / security.csrf.rate_limit_fail_closed (both default false). No new env vars, no migrations.
composer update glueful/framework

v1.54.0 - Okab

Released: June 10, 2026

A coordinated release in three movements: a container-precedence fix that makes every "core default + extension override" seam genuinely overridable; the new Glueful\Entitlements core seam (contract-only — commercial capability gates for the forthcoming glueful/subscriptions); and a storage driver registry with the s3/gcs/azure factories extracted to first-party provider packs (breaking — lean core, same playbook as 1.52). glueful/storage-s3 ships alongside (covers R2/MinIO/Spaces/Wasabi via presets); gcs/azure packs follow shortly.

Key Highlights

Extension definitions now override core defaults (container precedence fix)

Entitlement seam (Glueful\Entitlements) — contract only

Storage driver registry + provider packs (breaking)

Migration Notes

  • Cloud storage disks need their provider pack: composer require glueful/storage-s3 for s3 disks (its presets cover R2, MinIO, Spaces, Wasabi). gcs/azure users should hold the upgrade until those packs publish (following shortly). local/memory-only apps need nothing.
  • On deploy: php glueful commands:cache (new storage:test command) and php glueful di:container:compile --force (the precedence fix only takes effect in a freshly compiled container).
  • Extension authors: your services() definitions now genuinely override core defaults for the same id (previously dropped silently). Audit for unintentional core-id collisions.
  • Optional env: UPLOADS_NATIVE_MAX_PRIVATE_TTL (default 900). No core migrations; no required env changes.
composer update glueful/framework
composer require glueful/storage-s3   # only if a disk uses driver: s3 / R2 / MinIO / Spaces / Wasabi

v1.53.0 - Nunki

Released: June 8, 2026

A backward-compatible release that adds two generic, chainable database extension seams — so extensions can enforce scopes, narrow queries, or veto statements without patching core — and folds in four bug fixes uncovered while building the upcoming glueful/tenancy extension. Both seams are no-ops on a plain install (zero behavior change). No env vars, no migrations, no breaking changes; composer update glueful/framework suffices.

Key Highlights

Chainable DB Extension Seams (interceptors + table hooks)

Four Bug Fixes (queue deserialization, write-path, container)

Migration Notes

  • No action required. composer update glueful/framework picks up 1.53.0. No new env vars, no migrations, no API breaks; the seams are opt-in and inert unless an extension registers a hook.
  • The api-skeleton ^1.52.0 constraint already permits 1.53.0 — no skeleton changes ship in this release.
composer update glueful/framework

v1.52.0 - Mizar

Released: June 7, 2026

A coordinated breaking release that makes core lean: four subsystems move out of the framework into standalone, opt-in glueful/* extensions, each behind a narrow seam core consumes only if bound. Archiveglueful/archive, CDN / edge-cacheglueful/cdn, queue operations (supervision / autoscaling / worker-metrics) → glueful/queue-ops, and rich media (image processing / thumbnails / metadata) → glueful/media. A plain core install boots, serves uploads, runs a lean single-worker queue:work, and caches responses with none of these subsystems' heavy dependencies present — intervention/image and james-heinrich/getid3 are removed from core. Every subsystem is restored with a single composer require. See the migration notes.

Key Highlights

Archive & CDN / Edge-Cache Extracted (seam-backed)

Queue Ops Extracted; Core Ships a Lean Worker

Rich Media Extracted; Uploads Stay in Core

Migration Notes

  • Restore any subsystem with one composer require (auto-discovered via extra.glueful): glueful/archive, glueful/cdn, glueful/queue-ops, glueful/media. Run php glueful migrate:run for those that ship schema (archive).
  • Refresh the production command manifest on deploy. This release removes the core archive:manage, cache:purge, and queue:autoscale commands; a storage/cache/glueful_commands_manifest.php generated before the upgrade still references them and breaks CLI boot. Run php glueful commands:cache --clearphp glueful cache:clear does not clear the command manifest.
  • No-extension behavior is graceful, not fatal. Seams degrade to no-ops/defaults: NullEdgeCache (response caching still emits surrogate keys), lean queue:work, type-only media metadata + original-served variants. Removed helpers/commands (image(), queue:autoscale, the queue:work sub-actions) are absent (function/command-not-found), not error-printing stubs.
  • Namespace maps (when restoring an extension and updating app code): Glueful\Services\ImageProcessorGlueful\Extensions\Media\ImageProcessor; Glueful\Cache\EdgeCacheServiceGlueful\Extensions\Cdn\EdgeCachePurger; Glueful\Queue\Monitoring\WorkerMonitorGlueful\Extensions\QueueOps\Monitoring\WorkerMonitor; Glueful\Services\Archive\*Glueful\Extensions\Archive\*. Full maps in the framework UPGRADE.md.
  • No new framework env vars, no core migrations. The api-skeleton is bumped to ^1.52.0 and ships lean (extensions are opt-in; its published config/image.php, cache.edge, queue.workers.* ops blocks, and capabilities.archive were removed).
composer update glueful/framework
# then, to restore what you use:
composer require glueful/media glueful/queue-ops glueful/cdn glueful/archive
php glueful commands:cache --clear

v1.51.0 - Larawag

Released: June 6, 2026

A five-part refinement of the core notification subsystem. The framework now ships a real in-app database channel (the default ['database'] channel resolves end-to-end instead of failing as channel_not_found), validates channels at dispatch rather than construction, makes persistence optional and safe (NOTIFICATIONS_DATABASE_STORE=false), abstracts async queue dispatch behind an injectable seam, adds structured channel results (NotificationResult), and routes all channel registration through one extension boot() path. Mostly additive — but two deliberate breaking changes land in channel registration/dispatch. See the migration notes.

Key Highlights

Real database Channel + Dispatch-Time Validation

Optional, Safe Persistence + Injectable Async Queue

Structured Results + Extension-Driven Registration

Migration Notes

  • Breaking: ChannelManager channel-name methods renamed (no aliases). Replace getAvailableChannels() with getRegisteredChannelNames(); for only the currently-available channels' names, use the new getActiveChannelNames(). getActiveChannels() (returning channel objects) is unchanged.
  • Breaking: notification jobs/commands require an ApplicationContext. DispatchNotificationChannels, SendNotification, ProcessRetriesCommand, and NotificationRetryTask resolve the shared container dispatcher and throw NotificationContextRequiredException if constructed without a context — they no longer build ad-hoc managers or hardcode the EmailNotification provider. The queue worker and console kernel already provide a context.
  • Channel packages register from boot(). Custom or not-yet-migrated channel extensions must register their channel/hooks via the new registerNotificationChannel() / registerNotificationExtension() helpers; until they do, that channel won't auto-wire into the shared dispatcher used by the async jobs.
  • Retry config key moved from the emailnotification namespace to channel-agnostic notifications.retry (built-in defaults otherwise).
  • No new env vars, no migrations. The notifications capability default stays true; set NOTIFICATIONS_DATABASE_STORE=false to run without a database store.
composer update glueful/framework

v1.50.2 - Kochab

Released: June 5, 2026

Route docblocks can now document query parameters with an editor-clean @queryParam name:type="…" tag that the OpenAPI generator actually parses. The old approach overloaded the reserved @param tag (@param page query integer false "…"), which IDEs/Intelephense mis-read as undefined PHPDoc types (P1133 warnings). A latent doc-gen bug is also fixed: routes that declared a query parameter alongside a {id} path segment silently lost the path parameter from their spec. Framework-only — no env vars, no migrations, no API breaks.

Key Highlights

  • @queryParam route-doc tag. CommentsDocGenerator parses @queryParam name:type="description" [{required}] as an in: query OpenAPI parameter — no more reserved-@param false positives in your editor. The legacy positional @param … query … form still parses, so existing route docblocks are unaffected.
  • Path params no longer dropped. URL {name} path parameters were auto-derived only when no parameters were documented at all; a route with a query param plus a {id} lost its path param from the generated spec. Path params are now always derived from the URL and merged with documented params (de-duplicated by name; an explicit docblock still wins).
  • routes/resource.php migrated to @queryParam for the /data/{table} list endpoint's page/limit/sort/order params (they now actually appear in the spec).

Migration Notes

composer update glueful/framework is sufficient — the api-skeleton ^1.50.1 constraint already permits 1.50.2. No action required; the new tag is opt-in and the legacy @param form continues to work.


v1.50.1 - Kochab

Released: June 5, 2026

Two extension points that silently did nothing are now fixed. ServiceProvider::mergeConfig() delegated to a config.manager service that was never registered, so an extension's config/*.php defaults never reached config() — every first-party extension ran on empty/hardcoded fallbacks unless the app shipped its own copy. And LoginResponseBuildingEvent listeners' changes were discarded by the login-response shaper. Both now work as documented. Framework-only: no env vars, no migrations, no API breaks.

Key Highlights

  • mergeConfig() actually merges now. Backed by the new ApplicationContext::mergeConfigDefaults(), extension config defaults are merged under framework/app/env config files (your app's config/*.php still wins) and persist across clearConfigCache(). Affected extensions: glueful/aegis, conversa, email-notification, entrada, meilisearch, notiva, payvia, runiva.
  • LoginResponseBuildingEvent listeners affect the response. LoginResponseShaper::shape() now reads $event->getResponse() back, so a listener can add fields (e.g. organization/department context) to the login response.

Migration Notes

composer update glueful/framework is sufficient — the api-skeleton ^1.50.0 constraint already permits 1.50.1. Behavioral note: enabled first-party extensions now receive their declared config defaults (previously ignored); review those defaults if you relied on the prior empty behavior.


v1.50.0 - Kochab

Released: June 4, 2026

The concrete user store is extracted to the first-party glueful/users extension, leaving a provider-agnostic core that talks to identity through UserProviderInterface + the canonical UserIdentity. In parallel, the framework now owns the database schema for its own subsystems — the auth security spine plus DB-backed platform capabilities (queue, scheduler, notifications, metrics, locks, uploads, archive) — as first-class, config-gated, source-tracked migrations, replacing lazy runtime DDL. Breaking (shipped as a minor per the pre-public policy): apps must enable a user store. See the migration notes.

Key Highlights

Provider-Agnostic Identity

Core Owns Its Schema

Ordered, Package-Scoped Migrations

Migration Notes

  • Breaking: enable a user store. Core no longer ships Glueful\Models\User / Glueful\Repository\UserRepository, and AuthenticatedUser is removed. Install and enable glueful/users (the api-skeleton does so by default). Without a store, auth fails closed. See docs/IDENTITY.md.
  • api_keys.user_iduser_uuid. The column (and ApiKeyService input / ApiKey model field) is renamed; it remains an indexed UUID with no FK.
  • Schema is migration-owned. Run php glueful migrate:run; capability tables install per config/capabilities.php + driver config (queue.default, lock.default, uploads.enabled). See docs/MIGRATIONS_AND_CAPABILITIES.md.
composer require glueful/users
php glueful migrate:run

Older releases (v1.49.1 and earlier) live in the Release Archive. The version table at the top links every release; for the full machine-readable history see the CHANGELOG.