docs: update README.md to align with DEVELOPER_GUIDE.md

cakmoel · cakmoel · commit f4162fdc09ed · 2026-04-07T18:06:54.000+07:00
- Updated PHP requirements and extensions
- Added installation wizard steps (21 tables)
- Added config.php structure with  fallbacks and SMTP config
- Added running URLs for Public/Admin/API
- Updated directory structure to match guide
- Added architecture flow table (Bootstrap → Dispatcher → etc.)
- Added feature layering pattern for new features
- Added user levels and security features table
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE.md)
 [![PHP Version](https://img.shields.io/badge/PHP-7.4%2B-777BB4.svg)](https://www.php.net/)
-[![MySQL Version](https://img.shields.io/badge/MySQL-5.6%2B-4479A1.svg)](https://www.mysql.com/)
+[![MySQL Version](https://img.shields.io/badge/MySQL-5.7%2B-4479A1.svg)](https://www.mysql.com/)
 [![MariaDB Version](https://img.shields.io/badge/MariaDB-10.3%2B-003545.svg)](https://mariadb.org/)
 [![PSR-12](https://img.shields.io/badge/PSR--12-Compliant-2C2C2C.svg)](https://www.php-fig.org/psr/psr-12/)
 [![Tests](https://github.com/cakmoel/Scriptlog/workflows/Tests/badge.svg)](https://github.com/cakmoel/Scriptlog/actions/workflows/tests.yml)
@@ -19,98 +19,211 @@ Scriptlog is not designed to replace full-scale CMS frameworks. Instead, it is m
 ### Core Technologies
 - **Backend:** PHP 7.4+ (PSR-12 compliant)
 - **Database:** MySQL 5.7+ / MariaDB 10.3+
-- **Architecture:** Multi-layered MVC-like (`Request` → `Controller` → `Service` → `DAO` → `Database`)
+- **Architecture:** Multi-layered MVC-like (`Request` → `Bootstrap` → `Dispatcher` → `Controller` → `Service` → `DAO` → `Database`)
 - **Security:** Laminas (Escaper, Crypt), Defuse PHP Encryption, voku Anti-XSS, HTMLPurifier.
 
 ## Requirements
 
 Ensure your hosting environment meets the following requirements:
-- **PHP:** 7.4.33 or higher
+- **PHP:** 7.4+ (with extensions: `pdo`, `pdo_mysql`, `json`, `mbstring`, `curl`)
 - **Web Server:** Apache (with `mod_rewrite` enabled) or Nginx
-- **Database:** MySQL 5.6+ or MariaDB 10.3+
-- **Extensions:** `pdo`, `mysqli`, `curl`, `gd`, `mbstring`, `fileinfo`, `zip`, `exif`
+- **Database:** MySQL 5.7+ or MariaDB 10.3+
+- **Composer:** Latest (for dependency management)
 
 ## Installation
 
-1. **Download & Extract**
-   Unzip the package into your web root directory.
+1. **Clone the Repository**
+   ```bash
+   git clone https://github.com/ScriptLog/scriptlog.git
+   cd scriptlog
+   ```
 
 2. **Install Dependencies**
-   Scriptlog uses Composer for dependency management.
    ```bash
    composer install
    ```
 
 3. **Set Permissions**
-   Ensure the following directories are writeable by the web server user:
-   - `install/`
-   - `public/log/`
-   - `public/cache/`
-   - `public/themes/`
-   - `admin/plugins/` (if present)
+   ```bash
+   chmod -R 755 public/
+   chmod -R 777 public/cache/ public/log/
+   ```
 
 4. **Database Setup**
    Create a new empty database (use `utf8mb4_general_ci` collation).
 
 5. **Run the Installer**
-   Navigate to `/install/` in your web browser (e.g., `http://your-site.com/install/`) and follow the wizard:
-   - Requirement Check
-   - Database Configuration
-   - Administrator Account Setup
+   Navigate to `/install/` in your web browser and follow the wizard:
+   - Step 1: System Requirements Check (`install/index.php`)
+   - Step 2: Database Setup (`install/setup-db.php`) - creates 21 tables
+   - Step 3: Complete Setup (`install/finish.php`)
 
 6. **Cleanup (Critical)**
    For security purposes, **delete the `install/` directory** immediately after installation is complete.
 
+### Configuration Files
+
+After installation, two configuration files are generated:
+
+| File | Purpose |
+|------|---------|
+| `config.php` | Main configuration with `$_ENV` fallbacks |
+| `.env` | Environment variables (auto-generated) |
+| `lib/utility/.lts/lts.txt` | Defuse encryption key for authentication cookies |
+
 ## Configuration
 
-If the installer cannot write the configuration file, rename `config.sample.php` to `config.php` and update it manually:
+Scriptlog supports both `.env` and `config.php` files for configuration. During installation, both files are automatically generated and kept in sync.
+
+### config.php Structure
 
 ```php
+<?php
 return [
     'db' => [
-         'host' => 'localhost',
-         'user' => 'your_db_user',
-         'pass' => 'your_db_password',
-         'name' => 'your_db_name'
-      ],
+        'host' => $_ENV['DB_HOST'] ?? 'localhost',
+        'user' => $_ENV['DB_USER'] ?? '',
+        'pass' => $_ENV['DB_PASS'] ?? '',
+        'name' => $_ENV['DB_NAME'] ?? '',
+        'port' => $_ENV['DB_PORT'] ?? '3306',
+        'prefix' => $_ENV['DB_PREFIX'] ?? ''
+    ],
     'app' => [
-         'url'   => 'http://your-site.com',
-         'email' => 'admin@example.com',
-         'key'   => 'generated-app-key' 
-     ]
+        'url'   => $_ENV['APP_URL'] ?? 'http://example.com',
+        'email' => $_ENV['APP_EMAIL'] ?? '',
+        'key'   => $_ENV['APP_KEY'] ?? '',
+        'defuse_key' => 'lib/utility/.lts/lts.txt'
+    ],
+    'mail' => [
+        'smtp' => [
+            'host' => $_ENV['SMTP_HOST'] ?? '',
+            'port' => $_ENV['SMTP_PORT'] ?? 587,
+            'encryption' => $_ENV['SMTP_ENCRYPTION'] ?? 'tls',
+            'username' => $_ENV['SMTP_USER'] ?? '',
+            'password' => $_ENV['SMTP_PASS'] ?? '',
+        ],
+        'from' => [
+            'email' => $_ENV['MAIL_FROM_ADDRESS'] ?? '',
+            'name' => $_ENV['MAIL_FROM_NAME'] ?? 'Blogware'
+        ]
+    ],
 ];
 ```
 
+## Running the Application
+
+| Environment | URL |
+|-------------|-----|
+| **Public Site** | `http://your-domain/` |
+| **Admin Panel** | `http://your-domain/admin/` |
+| **API Endpoint** | `http://your-domain/api/v1/` |
+
 ## Directory Structure
 
-- `admin/`: Administrator panel logic and UI.
-- `lib/`: Core application logic (Controllers, Services, DAOs).
-- `public/`: Web root for assets, themes, and user uploads.
-  - `themes/`: Frontend templates.
-  - `files/`: User uploads.
-- `tests/`: PHPUnit test suite.
-- `docs/`: Developer guides and API documentation.
+```
+ScriptLog/
+|-- index.php                    # Public front controller
+|-- config.php                   # Application configuration
+|-- .env                         # Environment variables
+|
+|-- admin/                      # Admin panel
+|   |-- index.php               # Admin entry point
+|   |-- login.php               # Login page
+|   +-- ...                     # Other admin pages
+|
+|-- api/                        # RESTful API
+|   +-- index.php               # API entry point
+|
+|-- lib/                       # Core library
+|   |-- main.php               # Application bootstrap
+|   |-- common.php             # Constants and functions
+|   +-- core/                  # Core classes (Bootstrap, Dispatcher, DbFactory, etc.)
+|       +-- dao/               # Data Access Objects
+|       +-- service/           # Business logic layer
+|       +-- controller/        # Request controllers
+|       +-- model/             # Data models
+|       +-- utility/           # Utility functions (100+ files)
+|       +-- vendor/           # Composer dependencies
+|
+|-- public/                    # Web root
+|   +-- themes/              # Theme templates
+|       +-- blog/            # Default theme
+|   +-- files/               # User uploads (pictures, audio, video, docs)
+|   +-- cache/               # Cache directory
+|   +-- log/                 # Log directory
+|
+|-- install/                  # Installation wizard
+|   +-- include/             # Installation includes
+|
+|-- docs/                    # Developer guides
+    +-- DEVELOPER_GUIDE.md
+    +-- TESTING_GUIDE.md
+    +-- PLUGIN_DEVELOPER_GUIDE.md
+    +-- API_DOCUMENTATION.md
+    +-- API_OPENAPI.yaml
+    +-- API_OPENAPI.json
+|
++-- tests/                  # PHPUnit test suite
+```
+
+For detailed architecture and component documentation, see [DEVELOPER_GUIDE.md](src/docs/DEVELOPER_GUIDE.md).
 
 ## Development
 
 Scriptlog adheres to **PSR-12** coding standards and uses **Conventional Commits**.
 
-### Key Commands
-- **Run Tests:** `vendor/bin/phpunit`
-- **Setup Test DB:** `php tests/setup_test_db.php`
+### Architecture
+
+Scriptlog uses a **multi-layer architecture** designed for maintainability and scalability:
+
+```
+Request → Front Controller → Bootstrap → Dispatcher → Controller → Service → DAO → Database
+```
+
+| Step | Component | Location |
+|------|-----------|----------|
+| 1 | **Front Controller** | `index.php` |
+| 2 | **Bootstrap** | `lib/core/Bootstrap.php` |
+| 3 | **Dispatcher** | `lib/core/Dispatcher.php` |
+| 4 | **Controller** | `lib/controller/*` |
+| 5 | **Service** | `lib/service/*` |
+| 6 | **DAO** | `lib/dao/*` |
+| 7 | **View** | `lib/core/View.php` |
+
+### Adding New Features
 
-### Architecture Pattern
 When adding features, follow the layered implementation pattern:
-1. **DAO:** `lib/dao/` (Database interactions)
-2. **Service:** `lib/service/` (Business logic)
-3. **Controller:** `lib/controller/` (Request handling)
+1. **Database Table:** Add to `install/include/dbtable.php`
+2. **DAO:** Create in `lib/dao/` (Database interactions)
+3. **Service:** Create in `lib/service/` (Business logic)
+4. **Controller:** Create in `lib/controller/` (Request handling)
+5. **Routes:** Add to `lib/core/Bootstrap.php`
+
+> **WARNING:** Never bypass the DAO layer when accessing the database. Always use prepared statements to prevent SQL injection.
+
+### Key Commands
+- **Run Tests:** `vendor/bin/phpunit`
+- **Static Analysis:** `vendor/bin/phpstan` (see [TESTING_GUIDE.md](src/docs/TESTING_GUIDE.md))
 
 ## Security Features
 
-- **Authentication:** Custom secure session handler (`SessionMaker`).
-- **CSRF:** Protected via `CSRFGuard` and `csrf_defender`.
-- **XSS:** Multi-layered prevention using `Anti-XSS` and `HTMLPurifier`.
-- **Encryption:** Sensitive data encrypted using `defuse/php-encryption`.
+- **Authentication:** Custom secure session handler (`SessionMaker`) with remember-me tokens and session fingerprinting.
+- **CSRF:** Protected via `csrf_defender` and form security utilities.
+- **XSS:** Multi-layered prevention using `Anti-XSS` (voku) and `HTMLPurifier`.
+- **Encryption:** Sensitive data encrypted using `defuse/php-encryption` with auto-generated keys.
+- **Password Hashing:** Uses PHP's built-in `password_hash()` with bcrypt.
+- **Access Control:** Role-based user levels with granular permissions.
+
+### User Levels
+
+| Level | Permissions |
+|-------|-------------|
+| **administrator** | Full access - PRIVACY, USERS, IMPORT, PLUGINS, THEMES, CONFIGURATION, PAGES, NAVIGATION, TOPICS, COMMENTS, MEDIALIB, REPLY, POSTS, DASHBOARD |
+| **manager** | PLUGINS, THEMES, CONFIGURATION, PAGES, NAVIGATION, TOPICS, COMMENTS, MEDIALIB, REPLY, POSTS, DASHBOARD |
+| **editor** | TOPICS, COMMENTS, MEDIALIB, REPLY, POSTS, DASHBOARD |
+| **author** | COMMENTS, MEDIALIB, REPLY, POSTS, DASHBOARD |
+| **contributor** | POSTS, DASHBOARD |
+| **subscriber** | DASHBOARD only |
 
 ## Contributing
 
