🔄 Request Lifecycle

Every Request Starts at `index.php`

Define constants (ROOT, APP, CONFIG)
Load helper functions
Check if installed (does config/database.php exist?)
If not installed → redirect to /install/
Load DB config + helpers, start session
Compute request path (handles subdirectory installs)
Dispatch via app/router.php

The Router

app/router.php is a flat pattern-matching dispatch table. Patterns are compiled to regex and matched against the request path. Capture groups are passed as controller method arguments.

Authentication

Most controllers call require_auth() which redirects unauthenticated users to /login. Admin-only endpoints use require_admin() which returns 403 JSON.

Sessions are populated on login with user_id, workspace_id, role, and regenerated to prevent session fixation.

Database Connection

PDO connection is created lazily on first query (singleton). Uses ERRMODE_EXCEPTION and real prepared statements (EMULATE_PREPARES = false).

Response Formats

HTML Pages: Controller sets $page and includes layout.php
JSON APIs: json_response() sets Content-Type, echoes JSON, exits
SSE Stream: Persistent loop with text/event-stream, ping every 2s, exits after 55s

Every Request Starts at index.php​

The Router​

Authentication​

Database Connection​

Response Formats​

Every Request Starts at `index.php`

The Router

Authentication

Database Connection

Response Formats