v0.20.0

[0.20.0] - 2026-05-26

Security

• Add extension denylist + allowlist filtering for static file serving in `StaticFilesMiddleware` (#235)
• Fix TOCTOU race in `SchedulerWorker` PID file handling — uses exclusive flock with strict permissions (#240)
• Add zip-slip protection to `SfxDownloader::extractZip` — validates entry paths against destination (#252)
• Block cross-scheme redirects and require SHA-256 checksum for SFX downloads (#433)

Performance

• Add LRU cache and conditional `If-Modified-Since` / `If-None-Match` support to `StaticFilesMiddleware` (#254)
• Shard `PollingMonitorWatcher` directory scan across ticks with `MAX_FILES_PER_TICK` (#246)
• Defer `gc_collect_cycles` and use single `memory_get_usage` call in `MemoryRebootStrategy` (#250, #272)
• Replace 10-year `DatePeriod` with O(1) `DateTime::add()` in `PeriodicalTrigger` (#239)

Added

• New `ListenScheme` enum for type-safe listen scheme (#305)
• New `BuildPathResolver` consolidating duplicated `resolveXxxPath` helpers (#242)
• New `ServiceMethod` value object replacing stringly-typed concatenation (#258)
• New `SfxSourceResolver` extracted from `BuildBinCommand::resolveSfx` (#238)
• New `e2e/README.md`

Changed

• Moved PHAR stub from HEREDOC to `resources/phar-stub.tpl` (#234)
• Split `ServicesConfigurator::configure()` into per-domain methods (#249)
• Split `SfxDownloader::extractZip` into staged methods (#251)
• `SchedulerWorker::$handler` now readonly on final class (#262)
• `SupervisorWorker` now `final` (#265)

Tests

• `KernelFactoryTest` (#224)
• `RuntimeTest` (#228)
• `ResolverTest` (#230)
• `ByteFormatterTest` (#241)
• `TaskErrorListenerTest` and `ProcessErrorListenerTest` (#237)

Docs

• Add `UPGRADE.md` covering 0.12–0.17 (#256)
• Document `build.sfx.sha256` and `build.sfx.allow_insecure` (#267)
• Document `workerman:server` connections output columns (#269)
• Clean up stale README 'What's new' section (#268)