v1.39.0 - Framework 1.56.0

v1.39.0 — Framework 1.56.0

Tracks framework 1.56.0 "Rastaban" and lands the production-readiness polish.

Framework

• Bumps glueful/framework from ^1.55.0 to ^1.56.0 (the Rastaban security
  hardening wave — queue/scheduler payload signing, SSRF-safe HTTP, fail-closed
  CORS/image defaults, JWT temporal-claim enforcement).
• Surfaces the new operator knobs in .env.example with safe defaults:
  • CORS_SUPPORTS_CREDENTIALS=false — credentialed cross-origin off by default;
    never combined with a * origin.
  • TRUSTED_PROXIES= — set behind a load balancer so client IP / HTTPS detection
    resolve correctly.
  • QUEUE_PAYLOAD_SIGNING=true / QUEUE_REQUIRE_SIGNED_PAYLOADS=true — persisted
    queue/scheduler payloads are HMAC-signed when APP_KEY is set.

Production readiness

• Deploying To Production checklist added to the README — APP_ENV/APP_DEBUG/
  FORCE_HTTPS, secret generation, off-sync/off-file drivers, cache warming
  (commands:cache, route:cache:status/clear), opcache + optimized autoloader,
  logs out of public/, and keeping /docs disabled unless intentionally public.
• glueful CLI wrapper now catches \Throwable (not just Exception) and the
  indentation is fixed, so a fatal during boot exits cleanly instead of dumping a
  stack trace.
• Fresh, app-scoped CHANGELOG.md replacing the inherited 90 KB framework-era
  history — the template no longer hands generated apps someone else's changelog.
• .gitignore composer-lock comment corrected (create-project template, not a
  library), and local cruft (.DS_Store, .idea, :memory:, stale logs) removed.

Upgrade

composer update glueful/framework

Review the framework 1.56.0 Upgrade Notes — CORS now fails closed, remote image
fetching is opt-in, queue/scheduler payloads are signed by default, JWT requires
exp, and Memcached deployments should flush the cache on upgrade.

---