App

in package

• ZealPHP

Table of Contents

Constants

KNOWN_METHODS  : array<int, string> = [ 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTI...

Methods ZealPHP recognises. A request whose method is outside this set gets 501 Not Implemented (Apache: M_INVALID → HTTP_NOT_IMPLEMENTED, server/protocol.c:1253). Standard RFC 9110 methods plus the common WebDAV verbs Apache registers in ap_method_registry_init(). A recognised method that has no matching route still flows through to 404/405/fallback.

REASON_PHRASES  : mixed = [ // 1xx Informational 100 => 'Continue', 101 =...

IANA-registered HTTP status reason phrases (RFC 9110 §15).

Properties

$access_log_format  : string

Apache LogFormat "...". Format string used by access_log() to render each request line. Tokens (Apache mod_log_config subset):

$admin_checker  : callable|null

$allow_encoded_slashes  : bool

Apache AllowEncodedSlashes — when false (default, matching Apache), a request whose RAW (pre-decode) path contains an encoded slash (%2F/%2f) is refused with 404 before route matching. Apache's unescape_url() forbids AP_SLASHES by default; we mirror that. Set true to permit encoded slashes (they are then decoded to / like any other octet).

$auth_checker  : callable|null

Auth-hook callbacks consulted by ZealAPI::isAuthenticated(), ::isAdmin(), and ::getUsername() so the framework's built-in file-based API layer can delegate auth questions to whatever auth system the app uses (Symfony Security, Auth0, the SelfMadeNinja stack, a custom $_SESSION['user'] check, etc.) without subclassing or monkey-patching ZealAPI itself.

$block_dotfiles  : bool

Block any path containing a dotfile component (.git, .env, .htaccess, etc.). Apache convention.

$canonical_name  : string|null

Apache ServerName www.example.com:443. The canonical host the server advertises in absolute redirects (and other absolute URL builders) when $use_canonical_name is true. Include scheme-port if relevant; the raw value is returned as-is by App::canonicalHost().

$cgi_backends  : array<string, array{mode: string, interpreter?: string|null, address?: string, fcgi_params?: array}>

Per-extension CGI backend registry. Apache AddHandler/ProxyPassMatch + nginx fastcgi_pass-per-location parity.

$cgi_mode  : string

How a process-isolated legacy include is dispatched, when processIsolation() is on:

$cgi_timeout  : int

Maximum seconds to wait for a CGI subprocess (proc mode) to produce its metadata line on stderr. After this deadline the child receives SIGTERM; if it does not exit within 5 s it receives SIGKILL. Matches Apache's CGIScriptTimeout directive. Default 60 s.

$coproc_implicit_request_handler  : bool

$cwd  : string

$default_charset  : string

Apache AddDefaultCharset. Stored here for consumers (e.g. a future CharsetMiddleware) that want a server-wide default charset to append to text-ish Content-Type headers.

$default_mimetype  : string

Apache DefaultType / PHP default_mimetype. The Content-Type applied by CharsetMiddleware to a response that doesn't set one itself (mod_php sends text/html by default). Set to '' to leave untyped responses untouched.

$default_php_self  : string|null

$directory_index  : array<int, string>

Apache DirectoryIndex — file names tried in order when a directory is requested.

$directory_slash  : bool

Apache DirectorySlash equivalent — redirect /foo → /foo/ when foo is a directory.

$display_errors  : bool

$document_root  : string

Apache DocumentRoot equivalent. Relative values (the default) are resolved against App::$cwd; absolute values are used as-is. Drives App::include() path resolution and the implicit /{file}/{dir/uri} routes.

$enable_coroutine_override  : bool|null

OpenSwoole enable_coroutine server-setting override. null means "follow !$superglobals" (true → coroutine-per-request, false → one synchronous request at a time per worker). Set via App::enableCoroutine(bool). Combining true with $superglobals=true is unsafe — process-wide $_GET/$_POST/$_SESSION will race across concurrent coroutines; the helper warns at run() time.

$fcgi_address  : string

FastCGI backend address used when App::cgiMode() === 'fcgi'.

$file_etag  : bool

Apache FileETag. When false, ETagMiddleware emits no ETag header and never returns 304 (equivalent to FileETag None). Default true.

$hook_all_override  : bool|int|null

OpenSwoole\Runtime::enableCoroutine($flags) override. Same shape as App::hookAll() input: null → follow !$superglobals (HOOK_ALL when coroutine mode, 0 in superglobals mode); true → HOOK_ALL; false → 0; int → explicit bitmask. PDO is intentionally NOT hooked in OpenSwoole 22.1 / 26.2 regardless of this flag.

$hostname_lookups  : bool

Apache HostnameLookups On|Off. When true, the framework populates $g->server['REMOTE_HOST'] via gethostbyaddr($g->server['REMOTE_ADDR']) on each request. **WARNING**: this performs a blocking reverse-DNS lookup per request (mitigated by OpenSwoole's coroutine hook converting it to a non-blocking async resolve, but still a measurable per-request cost). Off by default — Apache's own default since 1.3.

$ignore_php_ext  : bool

$initial_error_reporting  : int

Initial error_reporting level captured at boot — referenced by the per-coroutine override.

$limit_request_field_size  : int

Apache LimitRequestFieldSize — maximum byte length of a single request header line. **NOT enforced by ZealPHP.** OpenSwoole's C-layer HTTP parser owns all wire-level framing; ZealPHP only sees the already-parsed $request->header array. The http_header_buffer_size option was explicitly NOT passed to OpenSwoole (its option validator rejects it at boot — see App::run() ~line 3748). Changing this value has no effect on the actual per-header byte limit, which is governed by OpenSwoole's global header-buffer size (~8 KiB default). This property is retained for documentation and future compatibility only.

$limit_request_fields  : int

Apache LimitRequestFields — maximum number of request header fields a single request may carry. Enforced at the PHP application layer: requests carrying more than this many headers are rejected with 400 before route dispatch. Set to 0 to disable the check (unlimited). Default 100 matches Apache's compiled-in default.

$limit_request_line  : int

Apache LimitRequestLine — maximum byte length of the HTTP request line (method + URI + protocol). **NOT enforced by ZealPHP.** OpenSwoole's C parser reads the request line before any PHP code runs; there is no per-request-line cap that ZealPHP can apply after the fact. OpenSwoole's global http_header_buffer_size governs this limit at the wire level.

$middleware_stack  : StackHandler|null

$middleware_wait_stack  : array<int, MiddlewareInterface>

$path_info  : bool

Apache PATH_INFO — when /script.php/extra/path, expose /extra/path as PATH_INFO.

$process_isolation  : bool|null

Per-include CGI process-isolation override. null means "follow $superglobals" (true → CGI subprocess via cgi_worker.php; false → in-process via executeFile()), which preserves today's default coupling. Set via App::processIsolation(bool) — see that method for the trade-offs. App::run() resolves this into the backing $coproc_implicit_request_handler flag right before the server starts.

$sapi_name  : string|null

mod_php-parity SAPI identity for the php_sapi_name() override. Default null returns the real PHP_SAPI ("cli") — no behavior change. Set to a web SAPI string (e.g. 'apache2handler', 'fpm-fcgi') so legacy code branching on php_sapi_name() takes its web path. The PHP_SAPI *constant* is unaffected (uopz cannot redefine it). Configure via App::sapiName() before App::init().

$server  : Server|Server|null

$server_admin  : string|null

Apache ServerAdmin webmaster@example.com. When set, the framework's default 500/error page mentions this contact. null disables the contact line.

$server_tokens  : string

Apache ServerTokens. Controls how much detail the X-Powered-By response header advertises: 'Full' (default) → ZealPHP + OpenSwoole 'Prod' / 'Major' / 'Minor' / 'Min' / 'OS' → ZealPHP 'None' (or '') → header omitted entirely (info-leak hardening) Set via App::serverTokens() before App::init().

$session_lifecycle  : bool

Whether ZealPHP's per-request session lifecycle runs. Default true: the SessionManager / CoSessionManager OnRequest wrapper reads the PHPSESSID cookie, calls zeal_session_start(), optionally emits the Set-Cookie header, and closes the session at request end. Set to false when another framework (e.g. Symfony's NativeSessionStorage via the zealphp-symfony bridge) owns the session lifecycle — ZealPHP then skips the session-specific work but still does request-context setup ($g->openswoole_request, $g->zealphp_response, error-stack reset, etc.).

$static_handler_locations  : array<int, string>

Static handler URL-prefix whitelist. Empty = serve any path under document_root (Apache default).

$strip_trailing_slash  : bool

Apache RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^(.+)/$ /$1 [R=301,L].

$superglobals  : bool

$trace_enabled  : bool

Apache TraceEnable — defaults to OFF for security. When false (default) ResponseMiddleware refuses HTTP TRACE with 405 regardless of any matching route definition. Set to true only if you know you need TRACE.

$trusted_proxies  : array<int, string>

CIDR list of proxy IPs whose X-Forwarded-For / X-Real-IP headers App::clientIp() will trust. Empty (the default) means no proxies trusted — App::clientIp() always returns REMOTE_ADDR. Critical for production deploys behind Traefik/Caddy/nginx; without it rate limiters and access logs see the proxy IP instead of the real client.

$use_canonical_name  : bool

Apache UseCanonicalName On|Off. When true and $canonical_name is set, App::canonicalHost() returns the canonical name; otherwise it returns the request Host header. Default false (Apache's default since 2.0).

$username_provider  : callable|null

$host  : string

$port  : int

$routes  : array<int, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>

$routes_by_exact_method  : array<string, array<string, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>>

$routes_by_method  : array<string, array<int, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>>

$workerStartedAt  : float

$workerStartHooks  : array<int, callable>

$workerStopHooks  : array<int, callable>

$ws_routes  : array<string, array{message: callable, open: callable|null, close: callable|null}>

$access_log_format_compiled  : array<int, array{kind: string, arg?: string}>|null

Parsed format spec cache (token list). Filled lazily by formatAccessLogLine() the first time it sees a given format string. Resets when accessLogFormat() is reassigned via the fluent setter.

$error_handlers  : array<int, array{handler: callable, param_map: array, raw: bool}>

Status -> custom error handler registry (key 0 = catch-all).

$fallback_handler  : array<string, mixed>|null

$instance  : self|null

Methods

__wakeup()  : mixed

accessLogFormat()  : string

Apache LogFormat. Resets the compiled-spec cache on set.

addMiddleware()  : void

adminChecker()  : callable|null

Register a callback that ZealAPI::isAdmin() consults.

after()  : int

One-shot timer: calls $fn once after $ms milliseconds.

authChecker()  : callable|null

Register a callback that ZealAPI::isAuthenticated() consults.

blockDotfiles()  : bool

buildCgiEnv()  : array<string, string>

Build the OS-level environment array passed to the CGI subprocess.

canonicalHost()  : string

Canonical host for absolute URL building. Returns $canonical_name when useCanonicalName() is on AND $canonical_name is set; otherwise returns the request Host header (falling back to SERVER_NAME, then ''). Used by absolute-redirect builders that need to decide between the configured server name and the client-provided Host.

canonicalName()  : string|null

Apache ServerName. Canonical host advertised in absolute redirects when useCanonicalName() is on. Pass null/'' to clear.

cgiMode()  : string

Select how a process-isolated legacy include is dispatched: 'proc' (default) — fresh PHP per request via proc_open (full WordPress/Drupal compat).

clearTimer()  : void

Cancel a timer returned by tick() or after().

clientIp()  : string

Resolve the real client IP for the current request, honouring the $trusted_proxies allow-list. Behaviour:

coerceStatusCode()  : int

Coerce a handler's int return value to a valid HTTP status code.

decodeUntilStable()  : string

Percent-decode a path repeatedly until it stops changing.

defaultCharset()  : string

Apache AddDefaultCharset. Server-wide default.

defaultMimeType()  : string

Apache DefaultType / PHP default_mimetype. The Content-Type CharsetMiddleware applies to responses that don't set one. Pass '' to disable. No-arg call returns the current value.

directoryIndex()  : array<int, string>

directorySlash()  : bool

display_errors()  : void

displayErrors()  : bool

documentRoot()  : string

Apache DocumentRoot equivalent. Relative path → resolved against cwd; absolute path → used as-is. Drives App::include() resolution and the implicit-route file lookups.

emitStatus()  : void

Set the response status via OpenSwoole's two-arg form so codes its native list doesn't recognise still emit correctly on the wire.

enableCoroutine()  : bool

OpenSwoole's enable_coroutine server setting — whether each inbound HTTP request is auto-wrapped in its own coroutine. When false, requests run synchronously one at a time per worker (a worker handling request N blocks any other inbound request until N completes). When true, requests can yield on hooked I/O and other requests dispatched on the same worker make progress.

fcgiAddress()  : string

FastCGI backend address for App::cgiMode('fcgi') dispatch.

fileETag()  : bool

Apache FileETag. false ⇒ ETagMiddleware emits no ETag and never 304s (FileETag None). No-arg call returns the current value.

formatAccessLogLine()  : string

Render one access-log line for the current request using App::$access_log_format.

fragment()  : void

Declare a named region inside a template — the htmx-essay "template fragment" pattern. The same template renders the full page when called via App::render('page', $args), and just the named region when called via App::render('page', ['fragment' => $name] + $args). One file, two responses — no separate partial file required.

getCurrentFile()  : string

Returns the current executing script name without extenstion

getErrorHandler()  : array{handler: callable, param_map: array, raw: bool}|null

getFallback()  : array<string, mixed>|null

getServer()  : Server|Server|null

hookAll()  : int

OpenSwoole\Runtime::enableCoroutine($flags) — process-wide PHP I/O hooks that make blocking calls (fopen, fread, curl, mysqli, etc.) yield to the coroutine scheduler instead of blocking the worker. PDO is intentionally NOT hooked in OpenSwoole 22.1 / 26.2 regardless of this flag — Doctrine queries always block.

hostnameLookups()  : bool

Apache HostnameLookups. Default false — blocking DNS is a perf cost.

ignorePhpExt()  : bool

include()  : mixed

Run a public/ file with Apache document-root parity and the framework's universal return contract.

includeCheck()  : bool

Checks if the given file path is safe to serve/execute from the document root. Apache ap_directory_walk / resolve_symlink parity:

includeFile()  : mixed

init()  : App

Initializes the application.

instance()  : App|null

isEnotdir()  : bool

ENOTDIR detection for Apache parity (request.c:1244-1250 — "deny rather than assume not found"). When a path component that should be a directory is actually a regular file (e.g. /home.php/extra), Apache returns 403, not 404, deliberately refusing to leak whether the deeper path exists.

limitRequestFields()  : int

Apache LimitRequestFields.

limitRequestFieldSize()  : int

Apache LimitRequestFieldSize. Maps to OpenSwoole http_header_buffer_size.

limitRequestLine()  : int

Apache LimitRequestLine. Advisory; OpenSwoole's header buffer covers it.

middleware()  : StackHandler|null

normalizeRequestPath()  : string

Normalise a request path the way Apache's ap_normalize_path() does (server/util.c): collapse runs of // to a single / (MergeSlashes, on by default), drop /./ segments, and unwind /segment/../ back over the preceding segment. A .. that would climb above root is dropped (clamped at /), matching Apache's behaviour for the routing path.

nsPathRoute()  : void

nsPathRoute: Define a route under a namespace but allow the last parameter to capture everything (including slashes).

nsRoute()  : void

nsRoute: Define a route under a specific namespace.

onWorkerStart()  : void

Register a callback to run inside every worker's workerStart event.

onWorkerStop()  : void

Register a per-worker shutdown hook. Runs inside the worker process when it exits (max_request recycle, graceful shutdown, or reload), BEFORE the process terminates — the reliable place to flush per-worker state (counters, buffered I/O, coverage dumps). Unlike register_shutdown_function, this fires on OpenSwoole's signal-driven worker stop.

parseCss()  : array<string, array<string, string>>

Parses the given CSS file.

pathInfo()  : bool

pathWithinRoot()  : bool

Boundary-aware containment test: is $candidate the same path as $root, or a descendant of it?

patternRoute()  : void

patternRoute: Allow full control of the pattern without {param} placeholders.

poweredByHeader()  : string|null

Resolve the X-Powered-By header value for the current ServerTokens setting, or null when the header should be omitted. Consumed at the response-emission boundary; exposed for introspection/testing.

processIsolation()  : bool

Per-include CGI process isolation (Apache mod_php-style fresh process per file). When true (the default in superglobals mode), App::include() dispatches each .php file through cgi_worker.php via proc_open() — global state (defined classes, constants, ini_set, output handlers) is contained inside the subprocess. When false, runs in-process via executeFile() — saves the ~30-50ms proc_open + PHP startup + autoloader cost per call, but every include shares the worker's PHP arena.

reasonPhrase()  : string

Look up an IANA reason phrase for the given status code. Used by emitStatus() to pass an explicit reason to OpenSwoole's two-arg $response->status($code, $reason) — required because the native one-arg form silently rejects codes missing from its internal C list (notably 451, even on ext 26.x), and the request emits HTTP 200 instead.

registerCgiBackend()  : void

Register a per-extension CGI backend. Apache AddHandler/ProxyPassMatch + nginx fastcgi_pass-per-location parity.

render()  : mixed

Render a template with the provided data.

renderError()  : ResponseInterface

Render the response for an error status. Dispatches a user-registered handler if one exists (status-specific takes precedence over catch-all); otherwise returns the framework's default body (HTML or JSON per Accept).

renderStream()  : Generator

Render a template as a Generator. Streaming templates (return-a-Closure or return-a-Generator) yield directly; echo-style templates yield their buffered output once.

renderToString()  : string

Render a template and return the result as a string. Generators are consumed; Closures are invoked with param injection; arrays/objects are JSON-encoded.

resolveCgiBackend()  : array{mode: string, interpreter?: string|null, address?: string, fcgi_params?: array}

Resolve the CGI backend config for a given file path.

resolveDocumentRoot()  : string

Resolve App::$document_root to an absolute path. Relative values are treated as ${App::$cwd}/$document_root; absolute values pass through.

route()  : void

Registers a route with the application.

routes()  : array<int, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>

routesByExactMethod()  : array<string, array<string, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>>

routesByMethod()  : array<string, array<int, array{path: string, pattern: string, methods: array, handler: callable|null, param_map: array>, raw: bool}>>

run()  : void

Runs the ZealPHP application.

sapiName()  : string|null

mod_php-parity SAPI name reported by the php_sapi_name() override.

serveDirectory()  : mixed

Apache DirectorySlash + DirectoryIndex behavior.

serverAdmin()  : string|null

Apache ServerAdmin. Contact email/identifier embedded in the framework's default error pages. Pass null (or '') to clear.

serverTokens()  : string

Apache ServerTokens. Controls the X-Powered-By header detail.

sessionLifecycle()  : bool

Toggle ZealPHP's per-request session lifecycle. When disabled, the SessionManager / CoSessionManager OnRequest wrapper skips session_start / cookie emission / session write-close — request-context init (openswoole_request, zealphp_response, error-stack reset) still runs unconditionally. Use this when another framework (e.g. Symfony's NativeSessionStorage via the zealphp-symfony bridge) owns sessions and you don't want ZealPHP racing it for the PHPSESSID cookie. The zeal_session_* uopz overrides remain installed and callable from user code either way.

setErrorHandler()  : void

Register a custom error page handler — Apache's ErrorDocument equivalent.

setFallback()  : void

Register a fallback handler for unmatched routes (like Apache's RewriteRule . /index.php [L]).

staticHandlerLocations()  : array<int, string>

stripTrailingSlash()  : bool

Apache RewriteCond %{REQUEST_FILENAME} !-d; RewriteRule ^(.+)/$ /$1 [R=301,L].

superglobals()  : void

tick()  : int

Recurring timer: calls $fn every $ms milliseconds in this worker.

traceEnabled()  : bool

Apache TraceEnable. Default OFF for security (XST attack vector).

trustedProxies()  : array<int, string>

Trusted proxy CIDRs consulted by App::clientIp().

tryInclude()  : mixed

Like App::include() but returns null instead of 403 when the requested file does not exist under the document root. Use for "try this file, fall through to something else if missing" patterns:

useCanonicalName()  : bool

Apache UseCanonicalName. See $use_canonical_name docblock.

usernameProvider()  : callable|null

Register a callback that ZealAPI::getUsername() consults.

ws()  : void

Register a WebSocket endpoint.

wsRoutes()  : array<string, array{message: callable, open: callable|null, close: callable|null}>

isExactRoutePath()  : bool

parseCliArgs()  : array<string, mixed>

__clone()  : mixed

__construct()  : mixed

buildParamMap()  : array<int, array{name: string, has_default: bool, default: mixed}>

cgiFcgi()  : mixed

Dispatch a legacy include to a FastCGI backend (e.g. php-fpm) via the FCGI binary protocol. Used when App::cgiMode() === 'fcgi'.

cgiFork()  : mixed

Warm-fork variant of cgiSubprocess(): instead of proc_open()-ing a fresh PHP interpreter per request, OpenSwoole\Process forks the already-booted worker (copy-on-write — the interpreter, Composer autoloader, and opcache are inherited, so PHP startup + autoload are NOT re-paid). ~5× faster than 'proc' mode on a trivial file.

cgiSubprocess()  : mixed

Run a PHP file in a separate process at true global scope (CGI-style).

cidrContains()  : bool

Does $ip fall within $cidr? Supports IPv4 and IPv6. A bare IP without /prefix is treated as a single-host range (/32 v4, /128 v6). Returns false on any parse failure rather than throwing — defensive for header- sourced input.

claimOrphanIfAny()  : bool

Recover from an orphaned-daemon situation: pid file missing or stale but the port is still held. If the listener is a ZealPHP process, graceful-then-force kill it. Returns true when an orphan was cleaned up, false when there's nothing to do (port free, or held by something that isn't ours).

clearHandlerHeaders()  : void

Clear previously-accumulated response headers from a handler that then failed, keeping only the headers that Apache preserves across an error response (ap_send_error_response: apr_table_clear(r->headers_out) then re-instate headers required by HTTP protocol for specific status codes).

cliHelp()  : void

cliLogs()  : void

cliStatus()  : void

cliStatusOne()  : void

cliStop()  : void

cliStopAuto()  : void

coerceToStream()  : Generator

Coerce an executeFile() result to a Generator. Strings/scalars yield once; Generators yield-from; null yields nothing.

coerceToString()  : string

Coerce an executeFile() result to a string. Generators are consumed and concatenated; arrays/objects are JSON-encoded; null becomes ''.

compileAccessLogFormat()  : array<int, array{kind: string, arg?: string}>

Compile an Apache LogFormat string into a flat token list. Supported directive families (Apache mod_log_config subset): %h %l %u %t %r %s %>s %b %B %D %T %m %U %q %H %v %{NAME}i %{NAME}o %{NAME}e Unknown directives are passed through verbatim (Apache compatibility: mod_log_config logs '-' for unknown but compatibility matters less than surfacing typos to the operator).

defaultErrorResponse()  : ResponseInterface

Default error body. Honors Accept: application/json for JSON envelope, otherwise emits HTML. Stack trace included only when App::$display_errors.

executeFile()  : mixed

Run a PHP file with the framework's universal return contract.

extractPortFromPidFile()  : int

Pull the port number from a default-shaped pid file path like /tmp/zealphp/zealphp_8080.pid. Returns 0 when the caller passed a --pid-file override that doesn't match the convention.

findPortOwnerPid()  : int|null

Returns the PID listening on $port, or null when nothing's listening or it can't be determined (non-Linux, /proc unreadable). Linux-only: /proc/net/tcp + tcp6 give the LISTEN-state socket inode; /proc/[pid]/fd/* resolves inode → owner pid. We deliberately avoid stream_socket_server / socket_bind here — those are intercepted by OpenSwoole's runtime hook (HOOK_ALL) and become coroutine-only, which would crash this CLI path.

forkStartupReporter()  : void

For daemonized start/restart: fork so the terminal-attached parent polls for the new daemon's PID file and prints a confirmation line BEFORE the shell prompt returns, while the child goes on to boot the (self-daemonizing) server. The parent never touches OpenSwoole — it only watches the PID file and exits, so the confirmation is always the last thing written to the terminal (fixes the issue #17 race where the prompt returned first and the message overlapped the next command).

getFragmentState()  : array{wanted: string, matched: bool, result: mixed}|null

Read and narrow the current fragment-extraction state from $g->memo.

invokeFallbackOrNotFound()  : ResponseInterface

normalizeMethods()  : array<int, string>

Normalize a methods array (any shape) into a list of uppercase strings.

peerInTrustedProxies()  : bool

Match $ip against every entry in App::$trusted_proxies. Wrapper so the CIDR walk lives in one place; callers pass user-controlled input here so the per-entry guard inside cidrContains() is the only validation needed.

prependToStreamable()  : Generator

Combine a pre-yield buffered chunk with a Generator so the wire order is "echo first, then stream". Returns a new Generator that yields the buffered chunk before delegating to the original.

processIsZealphp()  : bool

True when /proc/$pid/cmdline looks like a ZealPHP daemon: argv[0] is a real php binary (php, php8.3, etc.) AND the args reference app.php.

renderAccessLogToken()  : string

Render one compiled access-log token. Kept separate from the tokenizer so the hot path (per-request) only does the table-lookup half; the tokenize path runs once per format-string change.

requestIsHttps()  : bool

Detect whether the request arrived over TLS, for deriving REQUEST_SCHEME / HTTPS in the $_SERVER builder. Mirrors the session-cookie secure detection (src/Session/utils.php): a direct HTTPS=on, an X-Forwarded-Proto: https from a proxy, or SERVER_PORT 443.

resolveClosureParams()  : array<int, mixed>

Resolve a Closure's parameters by name from $args, using each parameter's default value when the name is absent. Reflection is cached per file path so repeated calls (e.g. streaming templates yielded in a loop) pay only one reflection cost per worker.

resolvePidFile()  : string

resolveTemplatePath()  : string

Resolve a template-file name to an absolute path.

restoreFragmentState()  : void

Restore $g->memo['_fragment'] to its prior state. Called by executeFile() to undo fragment-mode setup for nested renders and on error paths. null means "no fragment mode was active before" — drop the slot entirely so the next App::fragment() call falls into the normal inline-render branch.

validateLifecycleCombination()  : void

Refuse to start with lifecycle combinations that race process-wide superglobals across concurrent coroutines.

App::authChecker(fn() => !empty($_SESSION['user_id']));
App::authChecker(fn() => MyAuth::status() === MyAuth::LOGGED_IN);

// template/contacts/list.php
<ul>
  <?php foreach ($contacts as $contact): ?>
    <?php App::fragment("contact-{$contact->id}", function() use ($contact) { ?>
      <li id="contact-<?= $contact->id ?>"><?= htmlspecialchars($contact->name) ?></li>
    <?php }); ?>
  <?php endforeach; ?>
</ul>

$app->nsPathRoute('api', ['methods' => ['GET']], function($path) {
    return "Full path under /api: $path";
});

return (function() {
    yield from App::renderStream('shell-open', ['title' => 'Users']);
    yield from App::renderStream('users/list', ['users' => $users]);
    yield from App::renderStream('shell-close');
})();