Render the article id on detail/view pages, the numeric-anchor links (search, voting) and the voting list with the sl-card-id badge so they match the list cards, instead of the pager sl-pnum pill. Drop the redundant inline-flex meta rule group; the badge styling is self-contained.
These meta files are not needed in the repository; ignore them so they are not re-added. The widget bundle (altcha.min.js) keeps its inline license banner.
getAdminInfo() now resolves and creates help files as .md exclusively. The per-language BBCode .html help files under admin/info/ and modules/*/admin/info/ are removed in favour of the ru.md etalon (to be translated per language). Missing translations show _NO_INFO; index.html directory guards are kept.
A list line (*, +, - or an ordered list starting at 1) placed directly after a paragraph with no blank line was swallowed into the paragraph and rendered as literal text, so unordered and nested lists did not render. Break the paragraph on such lines (CommonMark behaviour); ordered lists only interrupt when starting at 1 to keep prose like "... 1990. ..." intact. Update the ul-nested fixture to the corrected nested output.
preg_replace() with the /u flag returns null on malformed UTF-8 (e.g. bots sending CP1251 query parameters), which violated the string return type and raised a TypeError. Coalesce the result to an empty string.
Update the getCaptcha() stub to the string action signature and drop the obsolete gfx_chk mock key from the admin login flow test.
Add frontend widget strings and admin captcha/secret settings constants; remove the obsolete Google reCAPTCHA constants (_CAPSEC, _CAPKEY, _CAPQUALITY*, _CAPSECKEY). Move the captcha help from the general config info to the security info and correct it: the master secret lives in config/security.php, with ephemeral data in storage/captcha. RU/UK use "Капча".
Bundle the self-hosted ALTCHA widget (plugins/altcha/altcha.min.js, v3.0.11, MIT) so end users need no Composer, npm or CDN. Add the captcha-altcha template fragment to the lite and admin themes and the .sl-captcha / .sl-captcha-hp (off-screen honeypot) rules to both themes' theme.css.
Add a neutral captcha service (core/classes/captcha.php) with Null and ALTCHA providers plus a dependency-free verifier (SHA-256 proof-of-work + HMAC). Captcha settings move into the security config (name=security&op=config) under $conf['security']['captcha']; legacy gfx_chk/capkey/capsec/quality are removed.
A single CSPRNG master secret in config/security.php is derived per purpose via getSecret() for CSRF tokens, ALTCHA signatures and field-name obfuscation, replacing the weak mt_rand 'sitekey'. getPass() is renamed to getRandomString() and hardened to random_int().
Adds honeypot, minimum form time, rate limiting and login captcha after failed attempts; serves a token-free JSON challenge at index.php?go=captcha. The file store (replay markers + counters) lives in storage/captcha/.
Resolve a page-cache path bug and an htmx XPath corruption in the JS minifier, fix the lite theme YouTube link, and drop the tracked prompt copy that now lives locally.
Core changes:
- Page cache and JS minifier (core/system.php):
Append the missing slash to the cache directory base path
- Page-cache writes now match the read path instead of landing in the storage root
- Stops filemtime()/unlink() warnings from the cache cleanup loop
Skip non-files in the cache cleanup sweep
- Guards against unlink() on cache subdirectories such as view and templates
Fix the JS minifier bracket regex (\] -> \))
- Preserves the htmx XPath literal and fixes the createExpression SyntaxError in the console
- Lite theme social links (templates/lite/layouts/app.html, home.html):
- Point the YouTube link to the @SLAED-CMS channel handle
- Docs cleanup (docs/LITE_THEME_CSS_SIMPLIFICATION_PROMPT.md):
- Remove the tracked prompt copy; it now lives in the local .prompts directory
Benefits:
- Working page cache and a clean PHP error log
- htmx interactions no longer break on invalid XPath
- Correct outbound social link
Technical notes:
- With $conf['cache'] enabled, page caching becomes functional (was effectively a no-op before)
- No backward-incompatible changes