Release Notes
This page is a curated layer over the raw authoritative CHANGELOG.md. For complete detail (including every Added/Changed/Removed/Fix line) consult the full changelog.
v1.61.1 - Wezen
Released: June 22, 2026
CORS on every response. Cross-origin error and regular responses (422, 401, …) now carry Access-Control-Allow-Origin, so a separately-served frontend (e.g. a Vite dev SPA on another origin) can finally read their bodies. Previously only the OPTIONS preflight got CORS headers, leaving regular and error bodies blocked by the browser. Bugfix patch — no new env, no migrations, no action required.
Key Highlights
CORS headers on regular and error responses
Migration Notes
- Nothing required. Same-origin requests and disallowed origins are unchanged; allowed cross-origin requests now receive the CORS headers they should always have had on regular and error responses.
composer update glueful/framework
v1.61.0 - Wezen
Released: June 20, 2026
OpenAPI tag filtering. The doc generator can now drop operations from the generated spec by tag (documentation.options.tags.include / .exclude, env-driven), so a consumer-facing spec can hide infrastructure groups (Health, Documentation, Security) without turning off whole route sources. Additive and off by default (empty lists = no filtering) — no breaking changes, no migrations.
Key Highlights
Tag allow/deny for the OpenAPI spec
Doc-config cleanup
Migration Notes
- Nothing required. Filtering is off by default (both lists empty). To use it, set e.g. API_DOCS_EXCLUDE_TAGS="Health,Documentation,Security" and regenerate the spec.
- The removed route_definitions / extension_definitions config keys were already inert — safe to delete if you copied them into your app's config.
composer update glueful/framework
v1.60.0 - Vega
Released: June 19, 2026
Engine-agnostic installer + first-run setup seams. php glueful install now configures and migrates any database engine (MySQL/PostgreSQL/SQLite) — not just SQLite — and a new Glueful\Installer\ toolkit lets an app drive first-run setup from CLI or a UI without shelling out. Additive (no breaking API changes, no new env, no migrations) — but install is now interactive, so non-interactive callers should pass --quiet.
Key Highlights
install works with any database engine
Glueful\Installer\ seams (CLI or UI, no shelling out)
Safer .env + correct PostgreSQL DSN
Migration Notes
- php glueful install is now interactive. It prompts for the database engine + credentials by default. Non-interactive callers (CI, post-create-project-cmd, scripts) should pass --quiet to use the existing .env without prompts, or --skip-database to skip DB setup/migrations. The api-skeleton's post-create-project-cmd is updated accordingly.
- No env, config, or migration changes.
composer update glueful/framework
v1.59.0 - Unukalhai
Released: June 19, 2026
First-party frontend serving. A new ServiceProvider::serveFrontend() seam serves a built SPA or static bundle at any literal path (e.g. /admin) — with secure asset serving, an index.html deep-link fallback, and a content-hash-aware cache split. It replaces and removes mountStatic() (which only mounted at /extensions/{mount} and had no SPA fallback). One small migration if you used mountStatic(); everything else is additive.
Key Highlights
serveFrontend() — serve a SPA at any literal path
OpenAPI: less boilerplate per endpoint
HEAD requests to file responses no longer 500
Migration Notes
- mountStatic() is removed. Replace $this->mountStatic('foo', $dir) (served at /extensions/foo) with $this->serveFrontend('/foo', $dir) (any literal path + index.html fallback). For a plain bundle that 404s on a miss, use $this->serveFrontend('/foo', $dir, ['spaFallback' => false]).
- serveFrontend() no-ops with a warning if the bundle has no index.html (when spaFallback is on).
- The unused SpaManager / StaticFileDetector / SpaProvider are removed (dead code, no callers). No config, env, or migrations.
composer update glueful/framework
v1.58.1 - Thuban
Released: June 15, 2026
OpenAPI response-schema fidelity. Three additive reflect-generator fixes so typed ResponseData DTOs document response bodies accurately — the success envelope marks its keys required, and #[ArrayOf] now resolves array items in response mode. Fully additive: no behavior change for request DTOs, no config/env changes, nothing to migrate.
Key Highlights
#[ArrayOf] now works on response DTOs
Success envelope marks its keys required
Request-DTO safety preserved
Migration Notes
- Nothing to migrate. Fully additive — no behavior change for request DTOs, no config or env changes.
composer update glueful/framework
v1.58.0 - Thuban
Released: June 15, 2026
Typed request-DTO hydration v2. RequestData DTOs now handle arrays, nested DTOs, and path/query inputs — closing the v1 "flat-scalars, JSON-body-only" boundaries from 1.57.0. Fully additive: flat scalar v1 DTOs are byte-identical, there are no config or env changes, and nothing to migrate.
Key Highlights
Arrays & nested DTOs — no more TypeError sharp edge
Path & query sources via #[FromRoute] / #[FromQuery]
Cross-field validation & custom rules
Migration Notes
- Nothing to migrate. Fully additive — existing flat-scalar RequestData DTOs behave identically, and there are no config or env changes.
composer update glueful/framework
v1.57.0 - Sargas
Released: June 14, 2026
A types-first I/O convention and a single code-first OpenAPI generator. Controllers can now express request/response shapes as typed DTOs that drive both the runtime envelope and the generated spec; the OpenAPI generator is consolidated to the code-first reflect engine and the legacy docblock-parsing comments generator is removed. Mostly additive, but it ships as a minor for one breaking change. If you used the comments OpenAPI generator or documented routes with @route/@response docblocks, read the Migration Notes.
Key Highlights
Types-first request & response DTOs
One code-first OpenAPI generator
Reference adoption across core controllers
Migration Notes
- The comment-based OpenAPI generator has been removed; reflect is now the only OpenAPI generator.
- documentation.generator and API_DOCS_GENERATOR are no longer supported — remove them from config/env (the value is ignored).
- Route @route, @summary, @requestBody, @response, and related docblock annotations are no longer read.
- Document endpoints with typed DTOs plus #[ApiOperation], #[QueryParam], #[ApiRequestBody], and #[ApiResponse]. See the OpenAPI reflect guide.
- No migrations.
composer update glueful/framework
v1.56.0 - Rastaban
Released: June 13, 2026
The second wave of the June 2026 security & correctness hardening pass: queue/scheduler payload signing, SSRF-safe HTTP with validated-DNS pinning, unified sensitive-parameter redaction, fail-closed CORS/image defaults, and JWT temporal-claim enforcement. Almost entirely fixes, but several change defaults or add config/env vars (CORS credentials off by default; remote image fetch opt-in; queue/scheduler payloads signed by default; JWT requires exp) -- so it ships as a minor. Read the Migration Notes before upgrading.
Key Highlights
Queue & scheduler payloads are signed and gated
SSRF-safe HTTP + unified redaction
Fail-closed defaults + JWT temporal claims
Migration Notes
- CORS fails closed. The standalone handler no longer allows all origins by default, and CORS_SUPPORTS_CREDENTIALS now defaults to false. Set CORS_ALLOWED_ORIGINS (and CORS_SUPPORTS_CREDENTIALS=true only if you genuinely need credentialed cross-origin requests).
- Remote image fetching is opt-in. With no image.security config, external image URLs are disabled and the allow-list is empty. Configure image.security.allowed_domains or install/configure glueful/media.
- Queue & scheduler payloads are signed by default. QUEUE_PAYLOAD_SIGNING / QUEUE_REQUIRE_SIGNED_PAYLOADS default on (inert without APP_KEY). To drain legacy unsigned rows, temporarily set QUEUE_REQUIRE_SIGNED_PAYLOADS=false. Custom queue/scheduler handlers must implement JobInterface.
- JWT requires exp. Tokens without exp (or with expired/non-numeric exp, future nbf/iat) are rejected.
- Memcached cache format changed. Flush the cache when upgrading a Memcached-backed deployment -- raw legacy string values that aren't valid serialized data now throw on read.
- Set TRUSTED_PROXIES behind a load balancer so client IPs resolve correctly. New optional http.safe_fetch.max_redirects (default 3). No migrations.
composer update glueful/framework
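To audit token issuers before upgrading to 1.56.0, the JWT rule from the migration notes above (exp required; expired or non-numeric exp and future nbf/iat rejected) can be written as a claims check. This is an added example, not Glueful's code: temporalClaimProblems() is a hypothetical helper, the sample tokens are constructed, and it assumes zero clock-skew leeway and that only JSON numbers count as numeric.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Glueful's code): list the reasons a JWT would be
 * rejected under the 1.56.0 temporal-claim rule. It inspects claims only
 * and does NOT verify the signature, so it is an audit aid, not an auth check.
 */
function temporalClaimProblems(string $jwt, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return ['not a three-part compact JWT'];
    }

    // base64url -> base64 (restore padding), strict decode, then parse JSON.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    $claims = $raw === false ? null : json_decode($raw, true);
    if (!is_array($claims)) {
        return ['payload did not decode to JSON claims'];
    }

    // Assumption: only JSON numbers are numeric; "1781300900" (a string) is not.
    $isNum = static fn($v): bool => is_int($v) || is_float($v);
    $problems = [];

    if (!array_key_exists('exp', $claims)) {
        $problems[] = 'exp missing';
    } elseif (!$isNum($claims['exp'])) {
        $problems[] = 'exp is not numeric';
    } elseif ($claims['exp'] <= $now) {
        $problems[] = 'exp has passed';
    }

    // Assumption: no leeway, so any nbf/iat later than $now counts as future.
    foreach (['nbf', 'iat'] as $claim) {
        if (isset($claims[$claim]) && $isNum($claims[$claim]) && $claims[$claim] > $now) {
            $problems[] = "$claim is in the future";
        }
    }
    return $problems;
}

// Constructed sample tokens: header and signature are placeholders.
$b64url = static fn(array $c): string =>
    rtrim(strtr(base64_encode(json_encode($c)), '+/', '-_'), '=');
$make = static fn(array $c): string =>
    $b64url(['alg' => 'HS256', 'typ' => 'JWT']) . '.' . $b64url($c) . '.sig';

$now = 1781300000; // arbitrary fixed "current time" so results are reproducible
$samples = [
    'valid'      => ['sub' => 'u1', 'iat' => $now - 60, 'exp' => $now + 900],
    'no exp'     => ['sub' => 'u1', 'iat' => $now - 60],
    'string exp' => ['sub' => 'u1', 'exp' => (string) ($now + 900)],
    'expired'    => ['sub' => 'u1', 'exp' => $now - 1],
    'future nbf' => ['sub' => 'u1', 'nbf' => $now + 300, 'exp' => $now + 900],
];
foreach ($samples as $label => $claims) {
    $problems = temporalClaimProblems($make($claims), $now);
    printf("%-11s %s\n", $label, $problems ? 'REJECT: ' . implode(', ', $problems) : 'accept');
}
```

Long-lived service tokens minted without exp are the usual source of post-upgrade 401s, so run a check like this against tokens from each issuer.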
v1.55.0 - Peacock
Released: June 11, 2026
A security & correctness hardening release: a focused pass over routing/permissions, auth, storage paths, the database write-path, deserialization, and the container/extension boundary, from a five-part framework review. Mostly bug fixes, but several change behavior or defaults (permission attributes now enforce; API-key query param off by default; signed URLs fail closed without a secret; extensions fail loud at boot) and one adds a feature (range UPDATE/DELETE predicates) -- so it ships as a minor. Read the Migration Notes before upgrading.
Key Highlights
Route permission attributes now actually enforce
Auth & storage hardening
Database integrity + injection hardening
Container/extension boundary fails loud
Migration Notes
- Permission attributes now enforce. Routes using #[RequiresPermission] / #[RequiresRole] without a permission provider bound will now 403. Bind a provider (e.g. glueful/aegis), grant the permissions, or remove the attribute from open routes.
- API key query string is off by default. Move clients to the X-API-Key header, or set security.api_keys.allow_query_param = true.
- Signed URLs require a secret. Configure uploads.signed_urls.secret / SIGNED_URL_SECRET (or app.key / APP_KEY) -- a distinct value per environment. Generation/validation throws otherwise.
- Extensions fail loud at boot (non-prod). A previously-silent extension wiring failure will now surface; fix the binding (a bare interface id needs ['class' => Concrete::class] or a factory).
- New optional config keys security.api_keys.allow_query_param / security.csrf.rate_limit_fail_closed (both default false). No new env vars, no migrations.
composer update glueful/framework
v1.54.0 - Okab
Released: June 10, 2026
A coordinated release in three movements: a container-precedence fix that makes every "core default + extension override" seam genuinely overridable; the new Glueful\Entitlements core seam (contract-only — commercial capability gates for the forthcoming glueful/subscriptions); and a storage driver registry with the s3/gcs/azure factories extracted to first-party provider packs (breaking — lean core, same playbook as 1.52). glueful/storage-s3 ships alongside (covers R2/MinIO/Spaces/Wasabi via presets); gcs/azure packs follow shortly.
Key Highlights
Extension definitions now override core defaults (container precedence fix)
Entitlement seam (Glueful\Entitlements) — contract only
Storage driver registry + provider packs (breaking)
Migration Notes
- Cloud storage disks need their provider pack: composer require glueful/storage-s3 for s3 disks (its presets cover R2, MinIO, Spaces, Wasabi). gcs / azure users should hold the upgrade until those packs publish (following shortly). local / memory-only apps need nothing.
- On deploy: php glueful commands:cache (new storage:test command) and php glueful di:container:compile --force (the precedence fix only takes effect in a freshly compiled container).
- Extension authors: your services() definitions now genuinely override core defaults for the same id (previously dropped silently). Audit for unintentional core-id collisions.
- Optional env: UPLOADS_NATIVE_MAX_PRIVATE_TTL (default 900). No core migrations; no required env changes.
composer update glueful/framework
composer require glueful/storage-s3 # only if a disk uses driver: s3 / R2 / MinIO / Spaces / Wasabi
v1.53.0 - Nunki
Released: June 8, 2026
A backward-compatible release that adds two generic, chainable database extension seams — so extensions can enforce scopes, narrow queries, or veto statements without patching core — and folds in four bug fixes uncovered while building the upcoming glueful/tenancy extension. Both seams are no-ops on a plain install (zero behavior change). No env vars, no migrations, no breaking changes; composer update glueful/framework suffices.
Key Highlights
Chainable DB Extension Seams (interceptors + table hooks)
Four Bug Fixes (queue deserialization, write-path, container)
Migration Notes
- No action required. composer update glueful/framework picks up 1.53.0. No new env vars, no migrations, no API breaks; the seams are opt-in and inert unless an extension registers a hook.
- The api-skeleton ^1.52.0 constraint already permits 1.53.0 — no skeleton changes ship in this release.
composer update glueful/framework
v1.52.0 - Mizar
Released: June 7, 2026
A coordinated breaking release that makes core lean: four subsystems move out of the framework into standalone, opt-in glueful/* extensions, each behind a narrow seam core consumes only if bound. Archive → glueful/archive, CDN / edge-cache → glueful/cdn, queue operations (supervision / autoscaling / worker-metrics) → glueful/queue-ops, and rich media (image processing / thumbnails / metadata) → glueful/media. A plain core install boots, serves uploads, runs a lean single-worker queue:work, and caches responses with none of these subsystems' heavy dependencies present — intervention/image and james-heinrich/getid3 are removed from core. Every subsystem is restored with a single composer require. See the migration notes.
Key Highlights
Archive & CDN / Edge-Cache Extracted (seam-backed)
Queue Ops Extracted; Core Ships a Lean Worker
Rich Media Extracted; Uploads Stay in Core
Migration Notes
- Restore any subsystem with one composer require (auto-discovered via extra.glueful): glueful/archive, glueful/cdn, glueful/queue-ops, glueful/media. Run php glueful migrate:run for those that ship schema (archive).
- Refresh the production command manifest on deploy. This release removes the core archive:manage, cache:purge, and queue:autoscale commands; a storage/cache/glueful_commands_manifest.php generated before the upgrade still references them and breaks CLI boot. Run php glueful commands:cache --clear — php glueful cache:clear does not clear the command manifest.
- No-extension behavior is graceful, not fatal. Seams degrade to no-ops/defaults: NullEdgeCache (response caching still emits surrogate keys), lean queue:work, type-only media metadata + original-served variants. Removed helpers/commands (image(), queue:autoscale, the queue:work sub-actions) are absent (function/command-not-found), not error-printing stubs.
- Namespace maps (when restoring an extension and updating app code): Glueful\Services\ImageProcessor → Glueful\Extensions\Media\ImageProcessor; Glueful\Cache\EdgeCacheService → Glueful\Extensions\Cdn\EdgeCachePurger; Glueful\Queue\Monitoring\WorkerMonitor → Glueful\Extensions\QueueOps\Monitoring\WorkerMonitor; Glueful\Services\Archive\* → Glueful\Extensions\Archive\*. Full maps in the framework UPGRADE.md.
- No new framework env vars, no core migrations. The api-skeleton is bumped to ^1.52.0 and ships lean (extensions are opt-in; its published config/image.php, cache.edge, queue.workers.* ops blocks, and capabilities.archive were removed).
composer update glueful/framework
# then, to restore what you use:
composer require glueful/media glueful/queue-ops glueful/cdn glueful/archive
php glueful commands:cache --clear
v1.51.0 - Larawag
Released: June 6, 2026
A five-part refinement of the core notification subsystem. The framework now ships a real in-app database channel (the default ['database'] channel resolves end-to-end instead of failing as channel_not_found), validates channels at dispatch rather than construction, makes persistence optional and safe (NOTIFICATIONS_DATABASE_STORE=false), abstracts async queue dispatch behind an injectable seam, adds structured channel results (NotificationResult), and routes all channel registration through one extension boot() path. Mostly additive — but two deliberate breaking changes land in channel registration/dispatch. See the migration notes.
Key Highlights
Real database Channel + Dispatch-Time Validation
Optional, Safe Persistence + Injectable Async Queue
Structured Results + Extension-Driven Registration
Migration Notes
- Breaking: ChannelManager channel-name methods renamed (no aliases). Replace getAvailableChannels() with getRegisteredChannelNames(); for only the currently-available channels' names, use the new getActiveChannelNames(). getActiveChannels() (returning channel objects) is unchanged.
- Breaking: notification jobs/commands require an ApplicationContext. DispatchNotificationChannels, SendNotification, ProcessRetriesCommand, and NotificationRetryTask resolve the shared container dispatcher and throw NotificationContextRequiredException if constructed without a context — they no longer build ad-hoc managers or hardcode the EmailNotification provider. The queue worker and console kernel already provide a context.
- Channel packages register from boot(). Custom or not-yet-migrated channel extensions must register their channel/hooks via the new registerNotificationChannel() / registerNotificationExtension() helpers; until they do, that channel won't auto-wire into the shared dispatcher used by the async jobs.
- Retry config key moved from the emailnotification namespace to channel-agnostic notifications.retry (built-in defaults otherwise).
- No new env vars, no migrations. The notifications capability default stays true; set NOTIFICATIONS_DATABASE_STORE=false to run without a database store.
composer update glueful/framework
v1.50.2 - Kochab
Released: June 5, 2026
Route docblocks can now document query parameters with an editor-clean @queryParam name:type="…" tag that the OpenAPI generator actually parses. The old approach overloaded the reserved @param tag (@param page query integer false "…"), which IDEs/Intelephense mis-read as undefined PHPDoc types (P1133 warnings). A latent doc-gen bug is also fixed: routes that declared a query parameter alongside a {id} path segment silently lost the path parameter from their spec. Framework-only — no env vars, no migrations, no API breaks.
Key Highlights
- @queryParam route-doc tag. CommentsDocGenerator parses @queryParam name:type="description" [{required}] as an in: query OpenAPI parameter — no more reserved-@param false positives in your editor. The legacy positional @param … query … form still parses, so existing route docblocks are unaffected.
- Path params no longer dropped. URL {name} path parameters were auto-derived only when no parameters were documented at all; a route with a query param plus a {id} lost its path param from the generated spec. Path params are now always derived from the URL and merged with documented params (de-duplicated by name; an explicit docblock still wins).
- routes/resource.php migrated to @queryParam for the /data/{table} list endpoint's page / limit / sort / order params (they now actually appear in the spec).
Migration Notes
composer update glueful/framework is sufficient — the api-skeleton ^1.50.1 constraint already permits 1.50.2. No action required; the new tag is opt-in and the legacy @param form continues to work.
v1.50.1 - Kochab
Released: June 5, 2026
Two extension points that silently did nothing are now fixed. ServiceProvider::mergeConfig() delegated to a config.manager service that was never registered, so an extension's config/*.php defaults never reached config() — every first-party extension ran on empty/hardcoded fallbacks unless the app shipped its own copy. And LoginResponseBuildingEvent listeners' changes were discarded by the login-response shaper. Both now work as documented. Framework-only: no env vars, no migrations, no API breaks.
Key Highlights
- mergeConfig() actually merges now. Backed by the new ApplicationContext::mergeConfigDefaults(), extension config defaults are merged under framework/app/env config files (your app's config/*.php still wins) and persist across clearConfigCache(). Affected extensions: glueful/aegis, conversa, email-notification, entrada, meilisearch, notiva, payvia, runiva.
- LoginResponseBuildingEvent listeners affect the response. LoginResponseShaper::shape() now reads $event->getResponse() back, so a listener can add fields (e.g. organization/department context) to the login response.
Migration Notes
composer update glueful/framework is sufficient — the api-skeleton ^1.50.0 constraint already permits 1.50.1. Behavioral note: enabled first-party extensions now receive their declared config defaults (previously ignored); review those defaults if you relied on the prior empty behavior.
v1.50.0 - Kochab
Released: June 4, 2026
The concrete user store is extracted to the first-party glueful/users extension, leaving a provider-agnostic core that talks to identity through UserProviderInterface + the canonical UserIdentity. In parallel, the framework now owns the database schema for its own subsystems — the auth security spine plus DB-backed platform capabilities (queue, scheduler, notifications, metrics, locks, uploads, archive) — as first-class, config-gated, source-tracked migrations, replacing lazy runtime DDL. Breaking (shipped as a minor per the pre-public policy): apps must enable a user store. See the migration notes.
Key Highlights
Provider-Agnostic Identity
Core Owns Its Schema
Ordered, Package-Scoped Migrations
Migration Notes
- Breaking: enable a user store. Core no longer ships Glueful\Models\User / Glueful\Repository\UserRepository, and AuthenticatedUser is removed. Install and enable glueful/users (the api-skeleton does so by default). Without a store, auth fails closed. See docs/IDENTITY.md.
- api_keys.user_id → user_uuid. The column (and ApiKeyService input / ApiKey model field) is renamed; it remains an indexed UUID with no FK.
- Schema is migration-owned. Run php glueful migrate:run; capability tables install per config/capabilities.php + driver config (queue.default, lock.default, uploads.enabled). See docs/MIGRATIONS_AND_CAPABILITIES.md.
composer require glueful/users
php glueful migrate:run
Older releases (v1.49.1 and earlier) live in the Release Archive. The version table at the top links every release; for the full machine-readable history see the CHANGELOG.