Add GitHub community files: SECURITY.md, issue/PR templates, PHP lint workflow, FUNDING.yml

Author: elightsys

.github/FUNDING.yml

@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,40 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: '[BUG] '
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment (please complete the following information):**
+ - OS: [e.g. Ubuntu 20.04]
+ - PHP Version: [e.g. 8.2.0]
+ - MySQL/MariaDB Version: [e.g. MySQL 8.0]
+ - Web Server: [e.g. Apache 2.4, Nginx 1.18]
+ - Browser: [e.g. chrome, safari]
+
+**Error Logs**
+Please include any relevant error logs from:
+- PHP error log
+- Apache/Nginx error log
+- Browser console
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: '[FEATURE] '
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
+
+**Would you like to implement this feature?**
+- [ ] Yes, I'd like to submit a PR
+- [ ] No, but I can help with testing
+- [ ] No, just suggesting

.github/pull_request_template.md

@@ -0,0 +1,42 @@
+## Description
+Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context.
+
+Fixes # (issue)
+
+## Type of change
+
+Please delete options that are not relevant.
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Code refactoring
+- [ ] Performance improvement
+
+## How Has This Been Tested?
+
+Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce.
+
+- [ ] Test A
+- [ ] Test B
+
+**Test Configuration**:
+* PHP version:
+* MySQL version:
+* Web Server:
+
+## Checklist:
+
+- [ ] My code follows the style guidelines of this project (PSR-12)
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+- [ ] Any dependent changes have been merged and published
+
+## Screenshots (if applicable):
+
+## Additional Notes:

.github/workflows/php-lint.yml

@@ -0,0 +1,40 @@
+name: PHP Linting
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  php-lint:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        php-versions: ['7.4', '8.0', '8.1', '8.2']
+    
+    name: PHP ${{ matrix.php-versions }} Syntax Check
+    
+    steps:
+    - uses: actions/checkout@v3
+    
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: ${{ matrix.php-versions }}
+        extensions: mbstring, pdo, pdo_mysql
+        coverage: none
+    
+    - name: Validate composer.json (if exists)
+      run: |
+        if [ -f composer.json ]; then
+          composer validate --strict
+        fi
+    
+    - name: Check PHP syntax errors
+      run: |
+        find . -type f -name '*.php' ! -path './vendor/*' -exec php -l {} \; | (! grep -v "No syntax errors detected" )
+    
+    - name: Display PHP version
+      run: php -v

SECURITY.md

@@ -0,0 +1,134 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of PHP MVC Framework seriously. If you believe you have found a security vulnerability, please report it to us as described below.
+
+### Please do the following:
+
+**DO NOT** create a public GitHub issue for security vulnerabilities.
+
+Instead, please report security vulnerabilities by emailing:
+
+📧 **elightsysl@gmail.com**
+
+### What to include in your report:
+
+- Type of issue (e.g. SQL injection, XSS, authentication bypass, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit it
+
+### What to expect:
+
+- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours.
+- **Communication**: We will send you regular updates about our progress.
+- **Disclosure**: Once the vulnerability is fixed, we will publicly disclose it (giving you credit if desired).
+
+## Security Best Practices for Users
+
+When deploying this application in production:
+
+1. **Configuration Security**
+   - Never commit `app/config/config.php` with real credentials
+   - Use strong, unique database passwords
+   - Generate a new `__UNIQID__` value using `md5(uniqid(rand(), true))`
+
+2. **File Permissions**
+   - Set proper file permissions (755 for directories, 644 for files)
+   - Restrict write access to sensitive directories
+   - Keep `storage/logs/` and `storage/cache/` writable but not web-accessible
+
+3. **Database Security**
+   - Use separate database users with minimal privileges
+   - Enable MySQL's `strict mode`
+   - Regularly backup your database
+
+4. **Web Server Configuration**
+   - Use HTTPS (SSL/TLS) in production
+   - Configure proper security headers
+   - Disable directory listing
+   - Keep PHP and MySQL up to date
+
+5. **Application Security**
+   - Change default admin credentials immediately
+   - Regularly update dependencies
+   - Monitor error logs for suspicious activity
+   - Implement rate limiting for login attempts
+
+6. **Session Security**
+   - Use secure session cookies (`session.cookie_secure = 1`)
+   - Enable HttpOnly cookies (`session.cookie_httponly = 1`)
+   - Set appropriate session timeout values
+
+## Known Security Considerations
+
+### Current Implementation
+
+- **Password Hashing**: Uses PHP's `password_hash()` with bcrypt
+- **SQL Injection Prevention**: Uses PDO prepared statements
+- **CSRF Protection**: Token-based validation in forms
+- **XSS Prevention**: Output escaping in views
+- **Session Management**: Secure session handling with regeneration
+
+### Areas for Enhancement (Production)
+
+- Implement rate limiting for authentication
+- Add two-factor authentication (2FA)
+- Implement security headers (CSP, HSTS, etc.)
+- Add input validation library
+- Implement comprehensive logging and monitoring
+- Add brute force protection
+
+## Security Updates
+
+We will notify users of security updates through:
+
+- GitHub Security Advisories
+- Release notes
+- Email (for critical vulnerabilities)
+
+## Third-Party Dependencies
+
+This project uses several third-party libraries:
+
+- jQuery 3.5.1
+- Bootstrap 4.5.2
+- DataTables 1.10.24
+
+Please ensure you keep these dependencies updated to their latest secure versions.
+
+## Scope
+
+This security policy applies to:
+
+- The core MVC framework
+- Bundled controllers, models, and views
+- Database abstraction layer
+- Authentication system
+
+It does not apply to:
+
+- Custom modifications or extensions
+- Third-party plugins not included in this repository
+- Server configuration (Apache/Nginx/PHP)
+
+## Comments on This Policy
+
+If you have suggestions on how this process could be improved, please submit a pull request or open an issue.
+
+---
+
+**Thank you for helping keep PHP MVC Framework and its users safe!** 🔒