fix: apply updates from the framework

app/Config/App.php

@@ -14,21 +14,20 @@ class App extends BaseConfig
      * URL to your CodeIgniter root. Typically, this will be your base URL,
      * WITH a trailing slash:
      *
-     *    http://example.com/
+     * E.g., http://example.com/
      */
     public string $baseURL = 'http://localhost:8080/';
 
     /**
      * Allowed Hostnames in the Site URL other than the hostname in the baseURL.
      * If you want to accept multiple Hostnames, set this.
      *
-     * E.g. When your site URL ($baseURL) is 'http://example.com/', and your site
-     *      also accepts 'http://media.example.com/' and
-     *      'http://accounts.example.com/':
-     *          ['media.example.com', 'accounts.example.com']
+     * E.g.,
+     * When your site URL ($baseURL) is 'http://example.com/', and your site
+     * also accepts 'http://media.example.com/' and 'http://accounts.example.com/':
+     *     ['media.example.com', 'accounts.example.com']
      *
-     * @var string[]
-     * @phpstan-var list<string>
+     * @var list<string>
      */
     public array $allowedHostnames = [];
 
@@ -37,9 +36,9 @@ class App extends BaseConfig
      * Index File
      * --------------------------------------------------------------------------
      *
-     * Typically this will be your index.php file, unless you've renamed it to
-     * something else. If you are using mod_rewrite to remove the page set this
-     * variable so that it is blank.
+     * Typically, this will be your `index.php` file, unless you've renamed it to
+     * something else. If you have configured your web server to remove this file
+     * from your site URIs, set this variable to an empty string.
      */
     public string $indexPage = 'index.php';
 
@@ -49,17 +48,41 @@ class App extends BaseConfig
      * --------------------------------------------------------------------------
      *
      * This item determines which server global should be used to retrieve the
-     * URI string.  The default setting of 'REQUEST_URI' works for most servers.
+     * URI string. The default setting of 'REQUEST_URI' works for most servers.
      * If your links do not seem to work, try one of the other delicious flavors:
      *
-     * 'REQUEST_URI'    Uses $_SERVER['REQUEST_URI']
-     * 'QUERY_STRING'   Uses $_SERVER['QUERY_STRING']
-     * 'PATH_INFO'      Uses $_SERVER['PATH_INFO']
+     *  'REQUEST_URI': Uses $_SERVER['REQUEST_URI']
+     * 'QUERY_STRING': Uses $_SERVER['QUERY_STRING']
+     *    'PATH_INFO': Uses $_SERVER['PATH_INFO']
      *
      * WARNING: If you set this to 'PATH_INFO', URIs will always be URL-decoded!
      */
     public string $uriProtocol = 'REQUEST_URI';
 
+    /*
+    |--------------------------------------------------------------------------
+    | Allowed URL Characters
+    |--------------------------------------------------------------------------
+    |
+    | This lets you specify which characters are permitted within your URLs.
+    | When someone tries to submit a URL with disallowed characters they will
+    | get a warning message.
+    |
+    | As a security measure you are STRONGLY encouraged to restrict URLs to
+    | as few characters as possible.
+    |
+    | By default, only these are allowed: `a-z 0-9~%.:_-`
+    |
+    | Set an empty string to allow all characters -- but only if you are insane.
+    |
+    | The configured value is actually a regular expression character group
+    | and it will be used as: '/\A[<permittedURIChars>]+\z/iu'
+    |
+    | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+    |
+    */
+    public string $permittedURIChars = 'a-z 0-9~%.:_\-';
+
     /**
      * --------------------------------------------------------------------------
      * Default Locale
@@ -95,7 +118,7 @@ class App extends BaseConfig
      *
      * IncomingRequest::setLocale() also uses this list.
      *
-     * @var string[]
+     * @var list<string>
      */
     public array $supportedLocales = ['en'];
 
@@ -107,7 +130,8 @@ class App extends BaseConfig
      * The default timezone that will be used in your application to display
      * dates with the date helper, and can be retrieved through app_timezone()
      *
-     * @see https://www.php.net/manual/en/timezones.php for list of timezones supported by PHP.
+     * @see https://www.php.net/manual/en/timezones.php for list of timezones
+     *      supported by PHP.
      */
     public string $appTimezone = 'UTC';
 
@@ -131,7 +155,7 @@ class App extends BaseConfig
      * If true, this will force every request made to this application to be
      * made via a secure connection (HTTPS). If the incoming request is not
      * secure, the user will be redirected to a secure version of the page
-     * and the HTTP Strict Transport Security header will be set.
+     * and the HTTP Strict Transport Security (HSTS) header will be set.
      */
     public bool $forceGlobalSecureRequests = false;
 

app/Config/Cache.php

@@ -61,7 +61,7 @@ class Cache extends BaseConfig
      *    ['q'] = Enabled, but only take into account the specified list
      *            of query parameters.
      *
-     * @var bool|string[]
+     * @var bool|list<string>
      */
     public $cacheQueryString = false;
 
@@ -158,8 +158,7 @@ class Cache extends BaseConfig
      * This is an array of cache engine alias' and class names. Only engines
      * that are listed here are allowed to be used.
      *
-     * @var array<string, string>
-     * @phpstan-var array<string, class-string<CacheInterface>>
+     * @var array<string, class-string<CacheInterface>>
      */
     public array $validHandlers = [
         'dummy'     => DummyHandler::class,

app/Config/ContentSecurityPolicy.php

@@ -45,28 +45,28 @@ class ContentSecurityPolicy extends BaseConfig
     /**
      * Will default to self if not overridden
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $defaultSrc;
 
     /**
      * Lists allowed scripts' URLs.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $scriptSrc = 'self';
 
     /**
      * Lists allowed stylesheets' URLs.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $styleSrc = 'self';
 
     /**
      * Defines the origins from which images can be loaded.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $imageSrc = 'self';
 
@@ -75,36 +75,36 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * Will default to self if not overridden
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $baseURI;
 
     /**
      * Lists the URLs for workers and embedded frame contents
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $childSrc = 'self';
 
     /**
      * Limits the origins that you can connect to (via XHR,
      * WebSockets, and EventSource).
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $connectSrc = 'self';
 
     /**
      * Specifies the origins that can serve web fonts.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $fontSrc;
 
     /**
      * Lists valid endpoints for submission from `<form>` tags.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $formAction = 'self';
 
@@ -114,48 +114,48 @@ class ContentSecurityPolicy extends BaseConfig
      * and `<applet>` tags. This directive can't be used in
      * `<meta>` tags and applies only to non-HTML resources.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $frameAncestors;
 
     /**
      * The frame-src directive restricts the URLs which may
      * be loaded into nested browsing contexts.
      *
-     * @var array|string|null
+     * @var list<string>|string|null
      */
     public $frameSrc;
 
     /**
      * Restricts the origins allowed to deliver video and audio.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $mediaSrc;
 
     /**
      * Allows control over Flash and other plugins.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $objectSrc = 'self';
 
     /**
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $manifestSrc;
 
     /**
      * Limits the kinds of plugins a page may invoke.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $pluginTypes;
 
     /**
      * List of actions allowed.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $sandbox;
 

app/Config/Database.php

@@ -23,6 +23,8 @@ class Database extends Config
 
     /**
      * The default database connection.
+     *
+     * @var array<string, mixed>
      */
     public array $default = [
         'DSN'          => '',
@@ -48,6 +50,8 @@ class Database extends Config
     /**
      * This database connection is used when
      * running PHPUnit database tests.
+     *
+     * @var array<string, mixed>
      */
     public array $tests = [
         'DSN'         => '',

app/Config/Exceptions.php

@@ -2,15 +2,12 @@
 
 namespace Config;
 
-use Throwable;
-
 use CodeIgniter\Config\BaseConfig;
 use CodeIgniter\Debug\ExceptionHandler as BaseExceptionHandler;
 use CodeIgniter\Debug\ExceptionHandlerInterface;
 use CodeIgniter\Exceptions\HTTPExceptionInterface;
 use Psr\Log\LogLevel;
-
-use App\Libraries\HTTPExceptionHandler;
+use Throwable;
 
 /**
  * Setup how the exception handler works.
@@ -34,6 +31,8 @@ class Exceptions extends BaseConfig
      * --------------------------------------------------------------------------
      * Any status codes here will NOT be logged if logging is turned on.
      * By default, only 404 (Page Not Found) exceptions are ignored.
+     *
+     * @var list<int>
      */
     public array $ignoreCodes = [404];
 
@@ -55,6 +54,8 @@ class Exceptions extends BaseConfig
      * Any data that you would like to hide from the debug trace.
      * In order to specify 2 levels, use "/" to separate.
      * ex. ['server', 'setup/password', 'secret_token']
+     *
+     * @var list<string>
      */
     public array $sensitiveDataInTrace = [];
 
@@ -82,6 +83,25 @@ class Exceptions extends BaseConfig
      */
     public string $deprecationLogLevel = LogLevel::WARNING;
 
+    /*
+     * DEFINE THE HANDLERS USED
+     * --------------------------------------------------------------------------
+     * Given the HTTP status code, returns exception handler that
+     * should be used to deal with this error. By default, it will run CodeIgniter's
+     * default handler and display the error information in the expected format
+     * for CLI, HTTP, or AJAX requests, as determined by is_cli() and the expected
+     * response format.
+     *
+     * Custom handlers can be returned if you want to handle one or more specific
+     * error codes yourself like:
+     *
+     *      if (in_array($statusCode, [400, 404, 500])) {
+     *          return new \App\Libraries\MyExceptionHandler();
+     *      }
+     *      if ($exception instanceOf PageNotFoundException) {
+     *          return new \App\Libraries\MyExceptionHandler();
+     *      }
+     */
     public function handler(int $statusCode, Throwable $exception): ExceptionHandlerInterface
     {
         if ($exception instanceof HTTPExceptionInterface) {

app/Config/Filters.php

@@ -19,8 +19,8 @@ class Filters extends BaseConfig
      * Configures aliases for Filter classes to
      * make reading things nicer and simpler.
      *
-     * @var array<string, string>
-     * @phpstan-var array<string, class-string>
+     * @var array<string, class-string|list<class-string>> [filter_name => classname]
+     *                                                     or [filter_name => [classname1, classname2, ...]]
      */
     public array $aliases = [
         "csrf"             => CSRF::class,
@@ -37,8 +37,7 @@ class Filters extends BaseConfig
      * List of filter aliases that are always
      * applied before and after every request.
      *
-     * @var array<string, array<string, array<string, string>>>|array<string, array<string>>
-     * @phpstan-var array<string, list<string>>|array<string, array<string, array<string, string>>>
+     * @var array<string, array<string, array<string, string>>>|array<string, list<string>>
      */
     public array $globals = [
         "before" => [
@@ -68,11 +67,13 @@ class Filters extends BaseConfig
      * particular HTTP method (GET, POST, etc.).
      *
      * Example:
-     * "post" => ["foo", "bar"]
+     * 'post' => ['foo', 'bar']
      *
      * If you use this, you should disable auto-routing because auto-routing
      * permits any HTTP method to access a controller. Accessing the controller
      * with a method you don't expect could bypass the filter.
+     *
+     * @var array<string, list<string>>
      */
     public array $methods = [];
 
@@ -81,7 +82,9 @@ class Filters extends BaseConfig
      * before or after URI patterns.
      *
      * Example:
-     * "isLoggedIn" => ["before" => ["account/*", "profiles/*"]]
+     * 'isLoggedIn' => ['before' => ['account/*', 'profiles/*']]
+     *
+     * @var array<string, array<string, list<string>>>
      */
     public array $filters = [
         "auth-rates" => [

app/Config/Format.php

@@ -22,7 +22,7 @@ class Format extends BaseConfig
      * These formats are only checked when the data passed to the respond()
      * method is an array.
      *
-     * @var string[]
+     * @var list<string>
      */
     public array $supportedResponseFormats = [
         'application/json',