update

Author: mevdschee

03-docs.md

@@ -20,6 +20,11 @@ And there is more information available about specific topics:
 * [Cache](/docs/cache)
 * [Session](/docs/session)
 * [Authentication](/docs/authentication)
+
+Advanced topics:
+
+* [Webservers](/docs/webservers)
 * [Totp](/docs/totp)
 * [Firewall](/docs/firewall)
-* [Webservers](/docs/webservers)
+* [Analyzer](/docs/analyzer)
+* [Template](/docs/template)

04-api.md

@@ -140,3 +140,15 @@ This is a reference of all global variables and functions.
 | Function                                    | Location      | Purpose              |
 | ------------------------------------------- | ------------- | -------------------- | 
 | `Firewall::start():void                   ` | *.php         | Start rate limiting  |
+
+## Analyzer
+
+| Function                                    | Location      | Purpose              |
+| ------------------------------------------- | ------------- | -------------------- | 
+| `Analyzer::execute():void                 ` | *.php         | Check code quality   |
+
+## Template
+
+| Function                                       | Location      | Purpose              |
+| ---------------------------------------------- | ------------- | -------------------- | 
+| `Template::render($tpl,$data,$fns=[]):string` | *.php         | Render template      |

docs/analyzer.md

@@ -0,0 +1,201 @@
+---
+layout: page
+title: Analyzer
+permalink: /docs/analyzer/
+---
+
+The "Analyzer" class checks PHP files for disallowed output functions to ensure proper separation between logic (actions) and presentation (views), maintaining clean MVC architecture.
+
+## Execute
+
+```
+Analyzer::execute(): void
+```
+
+Execute the analyzer to check all action and view files in the current request. This is automatically called by the framework when debug mode is enabled.
+
+The analyzer checks:
+- Template actions
+- Page actions  
+- Views
+- Template views
+
+For disallowed functions that could break the MVC pattern.
+
+Example:
+
+```
+if (Debugger::$enabled) {
+    Analyzer::execute();
+}
+```
+
+## What It Checks
+
+The Analyzer looks for these disallowed functions in your code:
+
+### In Actions (*.php files)
+
+Actions should not directly output content. These functions are not allowed:
+- `echo` - Use variables instead
+- `print` - Use variables instead
+- `exit` - Use `Router::redirect()` instead
+- `die` - Use `Router::redirect()` instead
+- `var_dump` - Use `d()` function instead
+- `eval` - Security risk, avoid entirely
+
+### In Views (*.phtml files)
+
+Views should use the `e()` function for safe output. These are not allowed:
+- `echo` - Use `e()` function instead
+- `print` - Use `e()` function instead
+- `<?= ?>` short tags - Use `<?php e($var); ?>` instead
+- `exit`, `die` - Should not be in views
+- `var_dump` - Use `d()` function instead
+- `eval` - Security risk, avoid entirely
+
+## Why This Matters
+
+The analyzer enforces MintyPHP's clean separation of concerns:
+
+**Actions (*.php)** handle logic:
+```php
+<?php
+// Good: Store data in variables
+$users = DB::select('SELECT * FROM users');
+$total = count($users);
+
+// Bad: Direct output in action
+echo "Total users: " . $total;  // Will trigger warning
+```
+
+**Views (*.phtml)** handle presentation:
+```php
+<?php
+// Good: Use e() function for safe output
+<h1>Users</h1>
+<p>Total: <?php e($total); ?></p>
+
+// Bad: Use of echo
+<p>Total: <?php echo $total; ?></p>  // Will trigger warning
+```
+
+## Example Warnings
+
+When the analyzer detects violations, it triggers warnings like:
+
+```
+Warning: MintyPHP action "pages/users/list().php" should not use "echo". Error raised in...
+```
+
+```
+Warning: MintyPHP view "pages/users/list(default).phtml" should not use "echo". Error raised in...
+```
+
+## Best Practices
+
+### In Actions
+
+✅ **Good:**
+```php
+<?php
+use MintyPHP\DB;
+use MintyPHP\Router;
+
+// Fetch data
+$users = DB::select('SELECT * FROM users');
+
+// Process data
+$activeUsers = array_filter($users, fn($u) => $u['active']);
+
+// Handle redirects properly
+if (empty($activeUsers)) {
+    Router::redirect('error/not_found');
+}
+```
+
+❌ **Bad:**
+```php
+<?php
+// Don't output directly
+echo "<h1>Users</h1>";
+print_r($users);
+
+// Don't use exit/die
+if (empty($users)) {
+    die('No users found');
+}
+
+// Don't use var_dump
+var_dump($users);
+```
+
+### In Views
+
+✅ **Good:**
+```php
+<?php
+use MintyPHP\Session;
+
+<form method="post">
+    <input name="username" />
+    <button type="submit">Login</button>
+    <?php Session::getCsrfInput(); ?>
+</form>
+
+<?php foreach ($users as $user): ?>
+    <p><?php e($user['name']); ?></p>
+<?php endforeach; ?>
+```
+
+❌ **Bad:**
+```php
+<!-- Don't use short echo tags -->
+<p><?= $user['name'] ?></p>
+
+<!-- Don't use echo directly -->
+<p><?php echo $user['name']; ?></p>
+
+<!-- Don't use print -->
+<?php print $message; ?>
+```
+
+## Debugging Output
+
+Instead of `var_dump()` or `print_r()`, use the `d()` function which integrates with the debugger:
+
+```php
+<?php
+// In actions
+$user = DB::selectOne('SELECT * FROM users WHERE id = ?', $userId);
+d($user); // Outputs to debugger panel, not page
+
+// Multiple values
+d($user, $permissions, $settings);
+```
+
+The `d()` function:
+- Only works when debugger is enabled
+- Logs to the "Logging" panel in the debugger
+- Includes file and line number information
+- Limits output to prevent memory issues
+
+## Configuration
+
+The Analyzer runs automatically when the debugger is enabled. Enable it in `config/config.php`:
+
+```php
+use MintyPHP\Debugger;
+
+Debugger::$enabled = true; // Analyzer runs automatically
+```
+
+## When It Runs
+
+The Analyzer is executed automatically:
+1. After routing is complete
+2. Before actions and views are loaded
+3. Only when `Debugger::$enabled` is true
+
+This means violations are caught during development but don't affect production performance.
+

docs/firewall.md

@@ -0,0 +1,96 @@
+---
+layout: page
+title: Firewall
+permalink: /docs/firewall/
+---
+
+The "Firewall" class provides rate limiting and request concurrency control to protect your application from abuse by limiting the number of concurrent requests from the same IP address.
+
+## Start
+
+```
+Firewall::start(): void
+```
+
+Start the firewall to protect against concurrent request floods. This uses a spin-lock mechanism with Memcached to ensure requests wait rather than fail immediately.
+
+The firewall counts concurrent requests per IP address and enforces a configurable limit. When the limit is reached, additional requests are delayed using a spin-lock.
+
+Example:
+
+```
+Firewall::start();
+// Application continues only after acquiring a slot
+```
+
+This is typically called at the beginning of your application, right before starting the session:
+
+```
+// Start the firewall
+Firewall::start();
+
+// Start the session
+Session::start();
+```
+
+## Configuration
+
+The Firewall can be configured by setting static properties in `config/config.php`:
+
+```
+Firewall::$concurrency = 10;           // Max concurrent requests per IP
+Firewall::$spinLockSeconds = 0.15;     // Time to wait between retry attempts
+Firewall::$intervalSeconds = 300;      // Time window for rate limiting
+Firewall::$cachePrefix = 'fw_concurrency_'; // Cache key prefix
+Firewall::$reverseProxy = false;       // Set true if behind reverse proxy
+```
+
+### Concurrency
+
+The maximum number of concurrent requests allowed from a single IP address. Default is 10.
+
+```
+Firewall::$concurrency = 5; // Only allow 5 concurrent requests
+```
+
+### Spin Lock Seconds
+
+The time in seconds to wait between retry attempts when the concurrency limit is reached. Default is 0.15 seconds (150ms).
+
+```
+Firewall::$spinLockSeconds = 0.2; // Wait 200ms between retries
+```
+
+### Interval Seconds
+
+The time window in seconds for tracking concurrent requests. Default is 300 seconds (5 minutes).
+
+```
+Firewall::$intervalSeconds = 600; // Track over 10 minute window
+```
+
+### Cache Prefix
+
+The prefix used for cache keys to avoid collisions. Default is 'fw_concurrency_'.
+
+```
+Firewall::$cachePrefix = 'my_firewall_';
+```
+
+### Reverse Proxy
+
+Set to true if your application is behind a reverse proxy (like nginx or Apache) to correctly identify client IP addresses. Default is false.
+
+```
+Firewall::$reverseProxy = true; // Trust X-Forwarded-For header
+```
+
+## How It Works
+
+1. When a request arrives, the firewall checks how many concurrent requests are currently being processed from that IP
+2. If below the limit, the request proceeds and a counter is incremented
+3. If at the limit, the firewall enters a spin-lock, waiting briefly and checking again
+4. Once the request completes, the counter is decremented
+5. IP addresses are identified using `REMOTE_ADDR` or `HTTP_X_FORWARDED_FOR` (if `$reverseProxy` is enabled)
+
+This prevents denial-of-service attacks where many requests flood the server simultaneously, while still allowing legitimate concurrent requests within reasonable limits.