Skip to main content

Version 2.0 — now available

TiCore v2 — a secure, SEO-first PHP framework v2.0

Tuxxin Integrated Core

TiCore v2 pairs a modern router — route parameters, HTTP-method routing, named routes, nestable groups, and a dependency-free middleware pipeline — with a drop-in addon ecosystem of ten installable features (auth, payments, blog CMS, a REST API kit, and more), a first-class bin/ticore CLI, and a complete SEO suite: canonical URLs, Open Graph, Twitter/X cards, and config-driven Schema.org JSON-LD — all secure by default and PHP 8.4+ native, with near-zero dependencies.

Read the Docs Browse Addons Security Model View on GitHub Current environment: DEVELOPMENT

What’s New in TiCore v2

Modern Router

Pattern params {slug}, constrained {id:\d+}, optional {x?}, and catch-all {path:.*} at any depth. Verb helpers (GET/POST/PUT/PATCH/DELETE/ANY) with a clean 405 on method mismatch — and HTML forms reach PUT/PATCH/DELETE via a POST-gated _method field or X-HTTP-Method-Override header. Named routes give reverse route() URLs.

Routing docs →

Middleware Pipeline

A dependency-free onion-model Pipeline — implement MiddlewareInterface::handle(), return a Response to short-circuit or call $next($req) to continue. Attach per route or per group, register global middleware that runs on every matched route, or add named aliases with aliasMiddleware().

Middleware docs →

10-Addon Ecosystem

Ten drop-in addons — auth, payments, blog CMS, contact mailer, admin dashboard, REST API kit, IndexNow, Analytics + GSC, ecommerce, and schema generator — kept separate from the base and pulled from the public repo with bin/ticore addon add <slug>. Each registers its own routes, middleware aliases, and views.

Addon catalog →

bin/ticore CLI

A first-class command-line tool: addon list, addon add <slug>, addon remove <slug>, key:generate (a 32-byte hex secret for .env), secrets:scan, migrate, and help.

CLI reference →

REST API Kit

Ship a real API fast: hashed API keys (SHA-256, shown once, verified by prefix lookup + hash_equals), the apikey middleware with header-only X-Api-Key auth (no query fallback), per-IP token-bucket rate limiting (429 + Retry-After; local IPs exempt), a versioned /api/v2 group (ping/whoami), and a server-side proxy console so keys never reach the browser.

REST API Kit addon →

Auth & Payments

The auth addon adds register/login/logout/account flows, roles, and the guest/auth middleware aliases — SQLite-backed and self-migrating (it creates its own tables on first boot, requires_db: false). The payments addon accepts Stripe + PayPal via dependency-free REST clients (no SDK), with Stripe webhooks, PayPal orders, a GA4 purchase event, and configurable currency — all keyed from .env.

Auth & payments addons →

Secure by Default

Base security headers on every dispatch — X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy: geolocation=(), microphone=(), camera=(). Plus CSRF tokens, hardened sessions, traversal-guarded routing, PDO prepared statements, a Cloudflare-aware Request::ip(), and .env kept outside the web root.

Security model →

SEO-First, by Design

The layout ships canonical URLs, Open Graph, Twitter/X cards, and the config-driven JSON-LD SchemaBuilder (WebSite + Organization + WebPage, plus per-page Product/Article/FAQ via $ctx['extra']) with an auto-generating sitemap that carries a real lastmod. Four SEO addons go further — below.

SEO docs →

Zero-Config Pages

Backward-compatible auto-discovery is still here: drop a .php view into templates/default/ and it is live instantly — no controller or route required. The traversal-guarded view fallback sits behind the new explicit router as a safe last tier before a clean 404.

Zero-config pages docs →

Four Addons That Earn the “SEO-First” Tag

Beyond the layout’s built-in canonical/OG/Twitter tags and the JSON-LD SchemaBuilder, TiCore v2 ships dedicated SEO addons — each installable with bin/ticore addon add <slug>.

IndexNow

Instant indexing: serves /indexnow-key.txt and submits your URLs — including the sitemap — to the IndexNow API.

Analytics + Search Console

A read-only dashboard pulling 28-day GSC clicks/impressions and GA4 sessions via a hand-rolled RS256 service-account JWT — no Google SDK.

Google Ecommerce

A Merchant Center product feed (RSS 2.0 + g: namespace) for Shopping/SEO surfaces, with a sample provider so it renders out of the box.

Schema Generator

A stateless hosted form that outputs an escaped <script type="application/ld+json"> block plus the matching SITE_* PHP config — nothing stored, written, or logged.

What is TiCore?

TiCore is a lightweight, security-first, SEO-first PHP MVC micro-framework that keeps your application logic entirely outside the public web root. The browser can only reach www/; everything else — controllers, routes, templates, addons, logs, credentials — lives in TiCore/ where the web server cannot serve it directly.

v2 adds an explicit, expressive router and a drop-in addon ecosystem without giving up what made v1 simple: there are no magic globals, no auto-wiring surprises, and near-zero dependencies. Every piece of the stack is readable and replaceable.

Five-tier dispatch — explicit, with a zero-config fallback

Requests hit www/index.php, which bootstraps the framework and hands off to the Router. Declare routes explicitly in routes/web.php and routes/api.php — with parameters, methods, names, groups, and middleware — or rely on the backward-compatible cascade:

  1. Pattern routes — parameterized, method-aware mappings with constraints, optional and catch-all params.
  2. Legacy add() routes — exact ANY-method mappings, preserved unchanged from v1.
  3. Auto-discovered controllers — a URI of /login maps to LoginController if the file exists.
  4. View fallback — if no controller exists but a matching, traversal-checked view file does, PageController renders it.
  5. 404 — served cleanly via view('404') if nothing matches.

Read the full walkthrough in the documentation, see the server features, or compare TiCore to other frameworks on the comparison page.

# Directory layout (v2)

project/
├── TiCore/               ← private
│   ├── .env
│   ├── .v                ← version
│   ├── config.php
│   ├── routes/           ← web.php, api.php
│   ├── src/
│   │   ├── Core/         ← Router, Http, Middleware, Seo
│   │   └── Controllers/
│   ├── templates/
│   │   └── default/
│   ├── addons/           ← installed drop-ins
│   ├── database/         ← sqlite
│   └── logs/
├── bin/ticore            ← CLI
└── www/                  ← public
    ├── .htaccess
    ├── index.php
    └── assets/

Routing in v2 — params, methods, names, groups & middleware

// TiCore/routes/web.php
$router->get('/', 'HomeController@index')->name('home');
$router->get('/blog/{slug}', 'BlogController@show')->name('blog.show');
$router->get('/post/{id:\d+}', 'PostController@show');     // constrained
$router->get('/docs/{path:.*}', 'DocsController@show');    // catch-all, any depth
$router->post('/contact', 'ContactController@submit', ['csrf']);
$router->match(['PUT','PATCH'], '/post/{id:\d+}', 'PostController@update', ['auth']);

// Groups share a prefix + middleware (nestable)
$router->group(['prefix' => 'admin', 'middleware' => ['auth']], function ($router) {
    $router->get('/dashboard', 'Admin\DashboardController@index');
    $router->post('/posts', 'Admin\PostController@store', ['csrf']);
});

// Named route -> reverse URL
echo route('blog.show', ['slug' => 'hello']);             // /blog/hello

Custom Middleware — implement, alias, attach

use TiCore\Core\Middleware\MiddlewareInterface;
use TiCore\Core\Http\Request;
use TiCore\Core\Http\Response;

final class EnsureJson implements MiddlewareInterface
{
    public function handle(Request $request, callable $next): Response
    {
        if (!$request->wantsJson()) {
            return Response::json(['error' => 'JSON only'], 406); // short-circuit
        }
        $response = $next($request);                    // continue the onion
        return $response->withHeader('X-Api', 'TiCore'); // act on the way out
    }
}

// Register an alias, then attach per route (or globally):
$router->aliasMiddleware('json', EnsureJson::class);
$router->get('/api/v2/data', 'DataController@index', ['json']);

Core Features

  • Modern router — params, methods, named routes, groups
  • Dependency-free middleware pipeline (csrf / auth / global aliases)
  • Addon ecosystem — 10 drop-in addons
  • bin/ticore CLI (addons, keys, migrations, secret scan)
  • Secure by default — CSRF, sessions, named base headers
  • PDO prepared statements + .env outside web root
  • Full SEO suite + config-driven JSON-LD SchemaBuilder
  • Zero-config page auto-discovery (fallback)

Stop secrets before they ship

bin/ticore secrets:scan recursively scans the project for committable credentials and exits non-zero on any hit — so a leak fails the push instead of landing in your history. It detects GitHub PATs, Stripe sk_live_/whsec_ keys, AWS AKIA keys, Google AIza keys, GCP/PEM private keys, AdSense ca-pub ids, and inline credentials, while skipping vendor/, .git/, logs and database files. A matching gitleaks CI workflow backs it up in your pipeline.

Read the full security model →

Get Started with TiCore v2

Clone the repository, point your web server’s document root at www/, and drop in a view or controller — or declare routes explicitly in routes/web.php. Then pull in the features you need with the ticore CLI and keep credentials out of commits with secrets:scan.

Share: 𝕏 Twitter Facebook LinkedIn
Proton VPN — 10 device connections, audited no-logs
Recommended: Proton Unlimited
VPN, encrypted Drive, encrypted Mail, password manager — one bundle. See the full review →