v1.2.33-beta2

XMF v1.2.33-beta2

Includes all changes from Phases 1–6 (PRs #124–#129).

Bug Fixes

• Fix Request::getInt(), getFloat(), getBool() return types via explicit casts
• Fix Language using unqualified XOOPS_ROOT_PATH constant; add defined() guard
• Fix Migrate::getTargetDefinitions() checking null instead of false for Yaml::read() failure
• Fix Tables::executeQueue() passing potentially non-string $ddl to execSql()
• Fix Tables::fetch() collapsing query-failure and no-rows into same outcome
• Fix JsonWebToken::create() passing ArrayObject to JWT::encode()
• Fix FilterInput hex entity decode producing null bytes on PHP 7+
• Fix Metagen::html2text() discarding numeric entity callback result
• Fix IPAddress::normalize() passing false to inet_ntop()
• Fix Request::setVar() writing to literal 'name' for ENV/SERVER

Security

• Harden Key\FileStorage::save() with var_export() instead of string interpolation
• Add allowed_classes => false to unserialize() in Session::get()
• Harden Language::loadFile() with realpath() and directory boundary validation
• Add 2MB file size limit to Yaml::read() and Yaml::readWrapped()
• Preserve Jwt\JsonWebToken::decode() object|false API contract
• Remove dead get_magic_quotes_gpc() calls from Request

Infrastructure

• Add PHPStan at level max with ~546 baseline errors for incremental cleanup
• Add PHPStan stub files for XOOPS framework classes, constants, and functions
• Add GitHub Actions CI: PHPStan, PHPCS, and code coverage jobs
• Simplify .scrutinizer.yml to analysis-only with dependency_paths for stubs
• Add composer baseline script with backup/restore safety
• Modernize README with badges, feature table, and component overview
• Add GitHub Copilot custom instructions and reusable XOOPS template
• Add CHANGELOG.md at repo root

Tests

• New unit tests for Request::setVar(), FilterInput entities, Metagen::html2text(), IPAddress::normalize(), Yaml file size limits

Full Changelog: v1.2.33-beta1...v1.2.33-beta2