auth
User accounts, login/register/logout, hardened sessions, roles, and the guest/auth middleware aliases. Self-creates its SQLite tables on first boot.
How TiCore v2 (Tuxxin Integrated Core) stacks up against the most widely-used PHP frameworks and bare PHP on what matters in production: its explicit router, onion middleware, drop-in addon ecosystem, first-party CLI, secure-by-default posture, and config-driven structured-data / SEO layer.
Status key: Built in | Partial / setup required | Not included (package / manual). The TiCore v2.0 column is shown bold and shaded as the subject of each table.
TiCore v2 ships an explicit, expressive router with a five-tier dispatch:
pattern routes → legacy add() routes → controller auto-discovery →
traversal-guarded view fallback → 404. You get full parameter, constraint, catch-all,
HTTP-verb, named-route and group support without giving up zero-config conventions.
| Routing capability | TiCore v2.0 | Laravel | Symfony | CodeIgniter | Slim | Bare PHP |
|---|---|---|---|---|---|---|
Required single-segment param ({slug}) |
Built in. | Built in | Built in | Built in | Built in | Not included. manual |
Optional param ({id?}) |
Built in. | Built in | Built in | Built in | Built in | Not included. manual |
Constrained param ({id:\d+}, regex) |
Built in. | Built in | Built in | Built in | Built in | Not included. manual |
Catch-all / unlimited depth ({path:.*}) |
Built in. | Built in | Built in | Partial — setup required. | Built in | Not included. manual |
HTTP-verb helpers + 405 (get/post/put/patch/delete/any/match) |
Built in. | Built in | Built in | Built in | Built in | Not included. manual |
Method override (_method / X-HTTP-Method-Override, POST→PUT/PATCH/DELETE) |
Built in. | Built in | Built in | Partial — setup required. | Partial — setup required. | Not included. |
Named routes + reverse URLs (route() / url()) |
Built in. | Built in | Built in | Built in | Partial — setup required. | Not included. |
| Nestable route groups (prefix + middleware) | Built in. | Built in | Built in | Built in | Built in | Not included. |
| Global middleware on every matched route | Built in. | Built in | Built in | Built in | Built in | Not included. |
| Five-tier dispatch (pattern → legacy → auto-discovery → view → 404) | Built in. | Not included. | Not included. | Partial — setup required. auto-routing | Not included. | Not included. |
| Zero-config controller / view auto-discovery | Built in. | Not included. | Not included. | Partial — setup required. auto-routing | Not included. | Not included. |
Traversal-guarded view fallback (segment whitelist + realpath) |
Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
Nuances unique to v2: get() maps both GET and HEAD; the
_method/X-HTTP-Method-Override override only ever upgrades a
POST to PUT/PATCH/DELETE (a safe GET can’t be spoofed into a write);
and a path that matches with the wrong verb returns 405 Method Not Allowed
rather than falling through to a 404.
Middleware in TiCore implements a single-method onion contract. A
MiddlewareInterface::handle(Request $request, callable $next): Response can run
logic before, call $next($request) to continue, act on the way out, or return a
Response to short-circuit — all in one method.
| Middleware capability | TiCore v2.0 | Laravel | Symfony | CodeIgniter | Slim | Bare PHP |
|---|---|---|---|---|---|---|
| Onion pipeline (before + after in one method) | Built in. | Built in | Built in | Partial — setup required. Filters | Built in PSR-15 | Not included. |
Short-circuit by returning a Response |
Built in. | Built in | Built in | Partial — setup required. | Built in | Not included. |
Named middleware aliases (csrf / auth / guest / apikey) |
Built in. | Built in | Partial — setup required. | Partial — setup required. | Not included. | Not included. |
| Per-route, per-group and global ordering (merge order defined) | Built in. | Built in | Built in | Built in | Built in | Not included. |
| Dependency-free runner (no Composer middleware lib) | Built in. | Not included. | Not included. | Partial — setup required. | Partial — setup required. PSR-15 lib | Not included. |
Resolution order for a matched route:
global middleware (run on every route) → group middleware
(merged ahead) → the route’s own middleware. The csrf
alias enforces tokens only on POST/PUT/PATCH/DELETE; auth gates the session and
returns 401 JSON or a redirect; apikey guards the /api/v2 group.
<?php /** @var \TiCore\Core\Router $router */
use TiCore\Core\Http\Request;
use TiCore\Core\Http\Response;
// Required param + named route (reverse URLs via route('blog.show', [...]))
$router->get('/blog/{slug}', 'BlogController@show')->name('blog.show');
// Constrained param ({id:\d+}); optional param; catch-all of any depth
$router->get('/post/{id:\d+}', fn(Request $r) => Response::json(['id' => (int) $r->param('id')]));
$router->get('/users/{id?}', 'UserController@show');
$router->get('/docs/{path:.*}', 'DocsController@show');
// HTTP verbs + middleware alias array; match() for an arbitrary verb list
$router->post('/contact', 'ContactController@submit', ['csrf']);
$router->match(['PUT', 'PATCH'], '/post/{id:\d+}', 'PostController@update', ['auth']);
// Nestable group: shared prefix + middleware
$router->group(['prefix' => 'admin', 'middleware' => ['auth']], function ($router) {
$router->get('/dashboard', 'Admin\DashboardController@index')->name('admin.dashboard');
$router->post('/posts', 'Admin\PostController@store', ['csrf']);
});
// Runs on EVERY matched route (merged before per-route middleware)
$router->globalMiddleware(['csrf']);
TiCore v2 ships 10 drop-in addons installed with one CLI command
(bin/ticore addon add <slug>), pulled straight from the public repo into
TiCore/addons/<slug>. Auth and payments are first-party addons, not
third-party SDKs.
| Capability | TiCore v2.0 | Laravel | Symfony | CodeIgniter | Slim | Bare PHP |
|---|---|---|---|---|---|---|
| First-party CLI tool | Built in. bin/ticore | Built in artisan | Built in console | Built in spark | Not included. | Not included. |
| Drop-in addon installer (fetch & register a feature) | Built in. 10 addons | Partial — setup required. packages | Partial — setup required. bundles | Not included. | Not included. | Not included. |
| Built-in auth (accounts / login / roles) | Built in. auth addon | Built in | Built in | Built in Shield | Not included. | Not included. |
| Self-creating auth tables (no migration step) | Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
| Built-in payments — Stripe + PayPal, webhooks, GA4 purchase event | Built in. payments addon | Partial — setup required. Cashier (Stripe) | Not included. | Not included. | Not included. | Not included. |
| Dependency-free payment clients (no Stripe/PayPal SDK) | Built in. | Not included. SDK-based | Not included. | Not included. | Not included. | Not included. |
REST API kit: hashed keys + per-IP rate limiting + /api/v2 |
Built in. rest-api-kit | Partial — setup required. Sanctum | Not included. | Not included. | Not included. | Not included. |
authUser accounts, login/register/logout, hardened sessions, roles, and the guest/auth middleware aliases. Self-creates its SQLite tables on first boot.
paymentsStripe + PayPal checkout, subscriptions and webhooks via dependency-free REST clients, plus a GA4 purchase event.
blog-cmsSQLite blog: public listing, single post and category pages, with an auth-protected, CSRF-guarded admin and safe markdown rendering.
contact-mailerContact form with honeypot anti-spam and CSRF, delivering through the MailerSend REST API and degrading gracefully when unconfigured.
admin-dashboardDark admin shell listing the logged-in user, PHP version and installed addons, with a reusable layout for other admin pages.
rest-api-kitHashed API keys (shown once), an apikey header-auth middleware with per-IP token-bucket rate limiting, a versioned /api/v2 group and a server-side proxy console.
indexnowServes /indexnow-key.txt and submits URLs (including the sitemap) to the IndexNow API for instant indexing.
google-analytics-gscRead-only SEO dashboard pulling 28-day Search Console clicks/impressions + GA4 sessions via a service-account RS256 JWT (no SDK).
google-ecommerceGoogle Merchant Center product feed (RSS 2.0 + g: namespace) with a sample provider and a setup guide.
schema-generatorStateless hosted form that outputs an escaped JSON-LD block plus the matching SITE_* PHP config snippet SchemaBuilder consumes.
Install any addon with bin/ticore addon add <slug> — browse them all on
the addons page.
bin/ticore)
Where competitors ship artisan, console or spark,
TiCore ships bin/ticore — command-for-command:
| Command | What it does |
|---|---|
ticore addon list |
List installed addons (slug, version, description) read from each addon.json. |
ticore addon add <slug> |
Fetch an addon from the public repo into TiCore/addons/<slug> using its files[] manifest. |
ticore addon remove <slug> |
Delete an installed addon directory (DB tables, if any, are left intact). |
ticore key:generate |
Print a fresh 32-byte cryptographically-random hex secret for .env. |
ticore secrets:scan |
Scan the project for committable secrets (GitHub/Stripe/AWS/Google/GCP/PEM/AdSense/inline); exits non-zero on any hit. |
ticore migrate |
Glob and list addon migration files; many addons self-migrate on first boot. |
ticore help |
Print the CLI usage summary (the default when no command is given). |
See the full CLI reference for usage and examples.
Security isn’t a checklist you remember to bolt on. Every dispatch emits defensive
headers, routing is traversal-guarded, sessions are hardened, and a
secrets:scan CLI plus gitleaks CI keep credentials out of commits. See the full
security model.
| Security posture | TiCore v2.0 | Laravel | Symfony | CodeIgniter | Slim | Bare PHP |
|---|---|---|---|---|---|---|
| CSRF middleware (constant-time, 419) | Built in. csrf | Built in | Partial — setup required. Bundle | Built in | Not included. | Not included. |
| XSS output escaping helper | Built in. e() | Built in Blade | Built in Twig | Partial — setup required. | Not included. | Not included. |
| Security headers on every dispatch (frame/nosniff/referrer/permissions) | Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
Traversal-guarded routing (segment whitelist + realpath) |
Built in. | Partial — setup required. | Partial — setup required. | Partial — setup required. | Not included. | Not included. |
| Hardened sessions (HttpOnly / Secure / SameSite + regeneration) | Built in. | Built in | Built in | Partial — setup required. | Not included. | Not included. |
| PDO prepared statements throughout | Built in. | Built in | Built in | Built in | Partial — setup required. | Not included. |
| Application code outside the public web root | Built in. www/ | Built in | Built in | Partial — setup required. | Not included. | Not included. |
| Secret scanning CLI + gitleaks CI | Built in. secrets:scan | Not included. | Not included. | Not included. | Not included. | Not included. |
Cloudflare-aware client IP (CF-Connecting-IP) |
Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
| License | MIT | MIT | MIT | MIT | MIT | — |
TiCore is the only one of these frameworks to ship a complete, config-driven
SEO layer in its default layout. SchemaBuilder emits a schema.org
@graph (WebSite + Organization + WebPage) and reads optional SITE_*
config constants to enrich it — everywhere else you reach for a Composer package or
manage tags by hand.
| SEO capability | TiCore v2.0 | Laravel | Symfony | CodeIgniter | Slim | Bare PHP |
|---|---|---|---|---|---|---|
| Canonical URLs in the default layout | Built in. | Partial — setup required. Package | Partial — setup required. Manual | Partial — setup required. Manual | Not included. | Not included. |
| Open Graph (title / description / url / image) | Built in. | Partial — setup required. Package | Partial — setup required. Manual | Partial — setup required. Manual | Not included. | Not included. |
| Twitter / X card | Built in. | Partial — setup required. Package | Partial — setup required. Manual | Partial — setup required. Manual | Not included. | Not included. |
JSON-LD @graph (WebSite + Org + WebPage) |
Built in. SchemaBuilder | Not included. | Not included. | Not included. | Not included. | Not included. |
| Per-page nodes (Product / Article / FAQ / Breadcrumb) | Built in. $ctx['extra'] | Not included. | Not included. | Not included. | Not included. | Not included. |
Config-constant schema model (SITE_*) |
Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
| Hosted JSON-LD generator addon | Built in. schema-generator | Not included. | Not included. | Not included. | Not included. | Not included. |
| Google Analytics 4 in the layout | Built in. | Not included. | Not included. | Not included. | Not included. | Not included. |
| Auto-generating sitemap | Built in. | Partial — setup required. Package | Partial — setup required. Bundle | Partial — setup required. Package | Not included. | Not included. |
| IndexNow instant indexing | Built in. indexnow addon | Not included. | Not included. | Not included. | Not included. | Not included. |
| Merchant Center product feed | Built in. google-ecommerce | Not included. | Not included. | Not included. | Not included. | Not included. |
| SEO packages required | 0 | Not included. package | Not included. manual | Not included. manual | Not included. manual | Not included. manual |
The schema-generator addon outputs an escaped
<script type="application/ld+json"> block and the matching
SITE_* PHP config snippet, so the Organization, sameAs,
ContactPoint, PostalAddress and AggregateRating details
flow straight into SchemaBuilder.
TiCore v2 pulls together what most PHP stacks scatter across packages and bespoke base
templates: an explicit five-tier router with params, constraints,
catch-all, named routes and nestable groups; a dependency-free
onion middleware pipeline with csrf/auth/guest/apikey
aliases; 10 drop-in addons installed by a first-party
bin/ticore CLI; and first-party auth and
payments (Stripe + PayPal) with no SDKs.
It is secure by default — security headers on every dispatch,
traversal-guarded routing, hardened sessions, and a secrets:scan CLI plus
gitleaks CI — and ships a config-driven SEO layer (canonical,
Open Graph, Twitter card, GA4, and the SchemaBuilder JSON-LD
@graph) that other frameworks treat as an afterthought.