diff --git a/docs/IMPLEMENTATION-TRACKER.md b/docs/IMPLEMENTATION-TRACKER.md
index ee27c32..f0b4b62 100644
--- a/docs/IMPLEMENTATION-TRACKER.md
+++ b/docs/IMPLEMENTATION-TRACKER.md
@@ -6,30 +6,67 @@
|------|--------|-------------|
| php-aegis Handover | ✅ Complete | Send to php-aegis team |
| sanctify-php Roadmap | ✅ Complete | Begin Phase 1 |
-| Binary Releases | 🔲 Not Started | Create CI workflow |
+| Standalone Requirements | ✅ Complete | See STANDALONE.md |
+| Binary Releases | 🔲 Not Started | **CRITICAL** - Create CI workflow |
+| Composer Plugin | 🔲 Not Started | **CRITICAL** - Enable `composer require` |
+| GitHub Action | 🔲 Not Started | High priority |
| Docker Container | 🔲 Not Started | Create Dockerfile |
+| Incremental Analysis | 🔲 Not Started | Cache for performance |
| Semantic Support | 🔲 Not Started | Design AST extensions |
---
+## Critical Path: Adoption Blockers
+
+> **Key Insight**: The biggest barrier to adoption is the Haskell dependency.
+> PHP developers expect `composer require` installation with no external runtime.
+
+### sanctify-php Critical Items
+
+| Item | Priority | Blocks |
+|------|----------|--------|
+| Pre-built binaries | **CRITICAL** | Everything else |
+| Composer plugin wrapper | **CRITICAL** | PHP dev adoption |
+| GitHub Action | High | CI/CD adoption |
+| Incremental analysis | Medium | Performance at scale |
+
+### php-aegis Critical Items
+
+| Item | Priority | Blocks |
+|------|----------|--------|
+| php-aegis-compat (PHP 7.4+) | **CRITICAL** | WordPress adoption |
+| WordPress adapter (snake_case) | High | WP dev experience |
+| Extended validators | Medium | Common use cases |
+
+---
+
## Immediate Actions
### For php-aegis Team
1. **Review handover document**: `docs/PHP-AEGIS-HANDOVER.md`
-2. **Priority implementation**:
- - `Aegis\Semantic\Turtle::escapeString()`
- - `Aegis\Semantic\Turtle::escapeIRI()`
- - SPDX headers on all files
+2. **Critical implementation** (adoption blockers):
+ - [ ] Create `php-aegis-compat` package for PHP 7.4+
+ - [ ] Add WordPress adapter with snake_case functions
+ - [ ] Extend `Validate` class: `int()`, `ip()`, `domain()`
+3. **Priority implementation** (unique value):
+ - [ ] `Aegis\Semantic\Turtle::escapeString()`
+ - [ ] `Aegis\Semantic\Turtle::escapeIRI()`
+ - [ ] SPDX headers on all files
### For sanctify-php Team
-1. **Phase 1 Priority**: Make tool accessible without Haskell
- - [ ] GitHub Actions for binary releases
+1. **Phase 1 CRITICAL**: Enable `composer require` installation
+ - [ ] GitHub Actions for binary releases (linux, darwin x86_64/arm64)
+ - [ ] Composer plugin that auto-downloads binary on install
+ - [ ] GitHub Action for CI/CD integration
- [ ] Dockerfile for container distribution
- - [ ] Update README with installation options
-2. **Phase 2 Priority**: Semantic web support
+2. **Phase 1 HIGH**: Performance
+ - [ ] Incremental analysis with file hash cache
+ - [ ] Only rescan changed files
+
+3. **Phase 2 Priority**: Semantic web support
- [ ] Create `Sanctify.Analysis.Semantic` module
- [ ] Extend taint sinks for Turtle/JSON-LD contexts
- [ ] Add WordPress semantic theme detection
diff --git a/docs/PHP-AEGIS-HANDOVER.md b/docs/PHP-AEGIS-HANDOVER.md
index 0f20053..edf6c9b 100644
--- a/docs/PHP-AEGIS-HANDOVER.md
+++ b/docs/PHP-AEGIS-HANDOVER.md
@@ -15,16 +15,244 @@ This document provides integration feedback from the wp-sinople-theme WordPress
| Issue | Severity | Impact |
|-------|----------|--------|
+| PHP 8.1+ blocks WordPress adoption | **Critical** | WordPress 6.4 supports PHP 7.4+, most hosts still on 7.4/8.0 |
+| No WordPress adapter | High | camelCase API vs snake_case WordPress conventions |
| Feature set too minimal | Medium | WordPress has equivalent functions already |
| No RDF/Turtle escaping | High | Semantic themes require W3C-compliant escaping |
+| Limited validators | Medium | Only email/url - missing int(), ip(), domain() |
| Missing SPDX license headers | Low | Compliance concern for FOSS projects |
-| No PHP 8.1+ features | Medium | Missing enums, union types, readonly properties |
---
## Detailed Recommendations
-### 1. Differentiate from WordPress Core Functions
+### 0. CRITICAL: PHP 7.4+ Compatibility Layer
+
+**Problem**: php-aegis requires PHP 8.1+, but WordPress ecosystem reality:
+- WordPress 6.4+ officially supports PHP 7.4+
+- Many shared hosts still run PHP 7.4 or 8.0
+- Plugin/theme developers must support the WordPress minimum
+
+**Solution**: Split into two packages:
+
+```
+php-aegis (PHP 8.1+) ← Modern API with enums, union types
+ │
+ └── php-aegis-compat (PHP 7.4+) ← Polyfill package for WordPress
+```
+
+**php-aegis-compat Implementation**:
+
+```php
+=7.4"
+ },
+ "conflict": {
+ "hyperpolymath/php-aegis": "*"
+ },
+ "autoload": {
+ "psr-4": { "Aegis\\": "src/" }
+ }
+}
+```
+
+**Usage in WordPress plugins**:
+```php
+// In plugin bootstrap
+if (PHP_VERSION_ID >= 80100) {
+ require_once __DIR__ . '/vendor/hyperpolymath/php-aegis/autoload.php';
+} else {
+ require_once __DIR__ . '/vendor/hyperpolymath/php-aegis-compat/autoload.php';
+}
+```
+
+### 1. WordPress Adapter (snake_case API)
+
+**Problem**: WordPress uses `snake_case` functions, php-aegis uses `CamelCase` methods.
+
+**Solution**: Provide WordPress adapter functions:
+
+```php
+ **The biggest barrier to sanctify-php adoption is the Haskell dependency.**
+> PHP developers expect `composer require` installation with no external runtime.
+> The solution is a Composer plugin that downloads pre-built binaries.
+
---
## Phase 1: Distribution & Accessibility
@@ -99,7 +108,247 @@ docker run --rm -v $(pwd):/src ghcr.io/hyperpolymath/sanctify-php analyze /src
docker run --rm -v $(pwd):/src ghcr.io/hyperpolymath/sanctify-php report /src --format=sarif
```
-### 1.3 Guix Package
+### 1.3 Composer Plugin Wrapper (Critical Path)
+
+PHP developers expect `composer require`. Provide a Composer plugin that:
+1. Detects platform (OS/arch)
+2. Downloads the appropriate pre-built binary
+3. Provides Composer scripts integration
+
+**Package Structure**:
+```
+sanctify-php-composer/
+├── composer.json
+├── src/
+│ ├── Plugin.php # Composer plugin hooks
+│ ├── BinaryInstaller.php # Platform detection & download
+│ └── ScriptHandler.php # Composer scripts integration
+└── bin/
+ └── sanctify-php # Wrapper script
+```
+
+**composer.json**:
+```json
+{
+ "name": "hyperpolymath/sanctify-php",
+ "description": "PHP security analysis and hardening tool",
+ "type": "composer-plugin",
+ "require": {
+ "php": ">=7.4",
+ "composer-plugin-api": "^2.0"
+ },
+ "require-dev": {
+ "composer/composer": "^2.0"
+ },
+ "autoload": {
+ "psr-4": { "Sanctify\\Composer\\": "src/" }
+ },
+ "extra": {
+ "class": "Sanctify\\Composer\\Plugin",
+ "sanctify-binaries": {
+ "linux-x86_64": "https://github.com/hyperpolymath/sanctify-php/releases/download/v{version}/sanctify-php-linux-x86_64",
+ "darwin-x86_64": "https://github.com/hyperpolymath/sanctify-php/releases/download/v{version}/sanctify-php-darwin-x86_64",
+ "darwin-arm64": "https://github.com/hyperpolymath/sanctify-php/releases/download/v{version}/sanctify-php-darwin-aarch64"
+ }
+ },
+ "scripts": {
+ "sanctify:analyze": "Sanctify\\Composer\\ScriptHandler::analyze",
+ "sanctify:fix": "Sanctify\\Composer\\ScriptHandler::fix",
+ "sanctify:report": "Sanctify\\Composer\\ScriptHandler::report"
+ },
+ "bin": ["bin/sanctify-php"]
+}
+```
+
+**BinaryInstaller.php**:
+```php
+write("Downloading sanctify-php for {$platform}...");
+
+ $binPath = self::BINARY_DIR . '/sanctify-php-bin';
+ self::download($url, $binPath);
+ chmod($binPath, 0755);
+
+ $io->write("sanctify-php installed successfully.");
+ }
+
+ private static function detectPlatform(): string
+ {
+ $os = PHP_OS_FAMILY === 'Darwin' ? 'darwin' : 'linux';
+ $arch = php_uname('m') === 'arm64' ? 'arm64' : 'x86_64';
+ return "{$os}-{$arch}";
+ }
+
+ private static function download(string $url, string $dest): void
+ {
+ $ch = curl_init($url);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $binary = curl_exec($ch);
+ curl_close($ch);
+ file_put_contents($dest, $binary);
+ }
+}
+```
+
+**Usage after installation**:
+```bash
+# Install
+composer require --dev hyperpolymath/sanctify-php
+
+# Use via Composer scripts
+composer sanctify:analyze src/
+composer sanctify:fix src/ -- --policy=conservative
+composer sanctify:report src/ -- --format=sarif
+
+# Or directly
+vendor/bin/sanctify-php analyze src/
+```
+
+### 1.4 GitHub Action
+
+Official GitHub Action for CI/CD:
+
+```yaml
+# .github/actions/sanctify-php/action.yml
+name: 'Sanctify PHP'
+description: 'PHP security analysis and hardening'
+branding:
+ icon: 'shield'
+ color: 'green'
+
+inputs:
+ path:
+ description: 'Path to analyze'
+ required: true
+ default: 'src'
+ format:
+ description: 'Output format (text, json, sarif, html, markdown)'
+ required: false
+ default: 'sarif'
+ fail-on:
+ description: 'Fail on severity level (critical, high, medium, low, none)'
+ required: false
+ default: 'high'
+ upload-sarif:
+ description: 'Upload SARIF to GitHub Security tab'
+ required: false
+ default: 'true'
+
+outputs:
+ issues-found:
+ description: 'Number of security issues found'
+ value: ${{ steps.analyze.outputs.issues }}
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Download sanctify-php
+ shell: bash
+ run: |
+ curl -LO https://github.com/hyperpolymath/sanctify-php/releases/latest/download/sanctify-php-linux-x86_64
+ chmod +x sanctify-php-linux-x86_64
+ sudo mv sanctify-php-linux-x86_64 /usr/local/bin/sanctify-php
+
+ - name: Run analysis
+ id: analyze
+ shell: bash
+ run: |
+ sanctify-php analyze ${{ inputs.path }} \
+ --format=${{ inputs.format }} \
+ --output=sanctify-results.${{ inputs.format }} \
+ --fail-on=${{ inputs.fail-on }}
+ echo "issues=$(sanctify-php analyze ${{ inputs.path }} --format=json | jq '.issues | length')" >> $GITHUB_OUTPUT
+
+ - name: Upload SARIF
+ if: inputs.upload-sarif == 'true' && inputs.format == 'sarif'
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: sanctify-results.sarif
+```
+
+**Usage in workflows**:
+```yaml
+name: Security
+on: [push, pull_request]
+
+jobs:
+ sanctify:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: hyperpolymath/sanctify-php-action@v1
+ with:
+ path: src/
+ fail-on: high
+```
+
+### 1.5 Incremental Analysis
+
+Cache analysis results and only rescan changed files:
+
+```haskell
+-- src/Sanctify/Cache.hs
+-- SPDX-License-Identifier: AGPL-3.0-or-later
+
+module Sanctify.Cache
+ ( AnalysisCache(..)
+ , loadCache
+ , saveCache
+ , getChangedFiles
+ ) where
+
+import qualified Data.Map.Strict as Map
+import Crypto.Hash (SHA256, hash)
+
+data AnalysisCache = AnalysisCache
+ { cacheVersion :: Text
+ , fileHashes :: Map FilePath Text -- path -> SHA256
+ , cachedResults :: Map FilePath [SecurityIssue]
+ }
+ deriving (Generic, FromJSON, ToJSON)
+
+-- Determine which files need re-analysis
+getChangedFiles :: AnalysisCache -> [FilePath] -> IO [FilePath]
+getChangedFiles cache files = do
+ filterM (hasChanged cache) files
+ where
+ hasChanged c f = do
+ currentHash <- hashFile f
+ pure $ Map.lookup f (fileHashes c) /= Just currentHash
+```
+
+**CLI usage**:
+```bash
+# First run: full analysis, creates .sanctify-cache.json
+sanctify-php analyze src/
+
+# Subsequent runs: only analyze changed files
+sanctify-php analyze src/ --incremental
+
+# Force full rescan
+sanctify-php analyze src/ --no-cache
+```
+
+### 1.6 Guix Package
Proper Guix package definition for reproducible builds:
diff --git a/docs/STANDALONE.md b/docs/STANDALONE.md
new file mode 100644
index 0000000..1672438
--- /dev/null
+++ b/docs/STANDALONE.md
@@ -0,0 +1,292 @@
+# Standalone vs Combined Capabilities
+
+This document defines what each tool must provide independently and the enhanced capabilities when used together.
+
+---
+
+## Philosophy
+
+Each tool should be **fully functional standalone**. Integration provides **enhanced capabilities**, not basic functionality.
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Standalone Operation │
+├─────────────────────────────────────────────────────────────────┤
+│ │
+│ sanctify-php (alone) php-aegis (alone) │
+│ ┌─────────────────┐ ┌─────────────────┐ │
+│ │ Static Analysis │ │ Runtime Library │ │
+│ │ Auto-transform │ │ Escaping/Sanit. │ │
+│ │ Uses WP funcs │ │ Works anywhere │ │
+│ └─────────────────┘ └─────────────────┘ │
+│ │
+├─────────────────────────────────────────────────────────────────┤
+│ Combined Operation │
+├─────────────────────────────────────────────────────────────────┤
+│ │
+│ ┌─────────────────────────────────────────────────┐ │
+│ │ sanctify-php + php-aegis │ │
+│ │ │ │
+│ │ • sanctify detects → inserts php-aegis calls │ │
+│ │ • php-aegis provides runtime protection │ │
+│ │ • Semantic escaping (Turtle, JSON-LD) │ │
+│ │ • IndieWeb protocol security │ │
+│ │ • Deeper taint analysis with Aegis sinks │ │
+│ └─────────────────────────────────────────────────┘ │
+│ │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## sanctify-php: Minimum Viable Standalone
+
+### Must Have (MVP)
+
+| Capability | Status | Notes |
+|------------|--------|-------|
+| Detect missing `strict_types` | ✅ | Core feature |
+| Detect SQL injection | ✅ | Taint tracking |
+| Detect XSS vulnerabilities | ✅ | Output escaping |
+| Detect CSRF missing nonces | ✅ | WordPress-aware |
+| Auto-add `strict_types` | ✅ | Transform |
+| Auto-add WordPress escaping | ✅ | Uses `esc_html()` etc. |
+| SARIF output for CI | ✅ | GitHub integration |
+| **Pre-built binaries** | ❌ → Priority | Adoption blocker |
+| **Composer install** | ❌ → Priority | Adoption blocker |
+
+### Standalone Behavior (Without php-aegis)
+
+When php-aegis is not installed, sanctify-php must:
+
+1. **Use WordPress functions for escaping**:
+ ```php
+ // sanctify-php auto-fix output (standalone)
+ echo esc_html($user_input); // NOT Aegis\Escape::html()
+ ```
+
+2. **Use WordPress functions for sanitization**:
+ ```php
+ // sanctify-php auto-fix output (standalone)
+ $clean = sanitize_text_field($_POST['field']);
+ ```
+
+3. **Warn about missing semantic escaping**:
+ ```
+ WARNING: Turtle output detected at semantic.php:45
+ No semantic escaping library found.
+ Consider installing php-aegis for proper Turtle escaping.
+ Using esc_html() as fallback (may break RDF syntax).
+ ```
+
+### Installation Requirements (Standalone)
+
+```bash
+# MUST work without Haskell
+composer require --dev hyperpolymath/sanctify-php
+
+# Binary auto-downloads on install
+# No manual steps required
+```
+
+---
+
+## php-aegis: Minimum Viable Standalone
+
+### Must Have (MVP)
+
+| Capability | Status | Notes |
+|------------|--------|-------|
+| HTML escaping | ✅ | `Escape::html()` |
+| Attribute escaping | ✅ | `Escape::attr()` |
+| URL validation | ✅ | `Validate::url()` |
+| Email validation | ✅ | `Validate::email()` |
+| **PHP 7.4+ compatibility** | ❌ → Critical | Adoption blocker |
+| **WordPress adapter** | ❌ → Priority | snake_case functions |
+| **Int/IP/Domain validators** | ❌ → Priority | Common needs |
+| **Turtle escaping** | ❌ → Priority | Unique value |
+
+### Standalone Behavior (Without sanctify-php)
+
+When sanctify-php is not used, php-aegis must:
+
+1. **Work with any PHP framework**:
+ ```php
+ // Generic PHP usage
+ use Aegis\Escape;
+ echo Escape::html($userInput);
+ ```
+
+2. **Provide WordPress helpers**:
+ ```php
+ // WordPress plugin/theme usage
+ require_once 'vendor/autoload.php';
+ // Functions auto-registered if ABSPATH defined
+ echo aegis_escape_html($userInput);
+ ```
+
+3. **Not require static analysis**:
+ - Library is purely runtime
+ - Developer chooses where to use escaping
+ - No build step needed
+
+### Installation Requirements (Standalone)
+
+```bash
+# MUST work on PHP 7.4+
+composer require hyperpolymath/php-aegis-compat # PHP 7.4-8.0
+# OR
+composer require hyperpolymath/php-aegis # PHP 8.1+
+```
+
+---
+
+## Combined Capabilities
+
+When both tools are used together, additional capabilities unlock:
+
+### 1. Aegis-Aware Auto-Fix
+
+sanctify-php inserts php-aegis calls instead of WordPress functions:
+
+```php
+// Before
+echo $user_input;
+
+// After (with php-aegis)
+echo \Aegis\Escape::html($user_input);
+
+// After (without php-aegis)
+echo esc_html($user_input);
+```
+
+### 2. Semantic Context Detection
+
+sanctify-php detects Turtle/JSON-LD output and suggests correct Aegis escaping:
+
+```php
+// sanctify-php detects Turtle context
+header('Content-Type: text/turtle');
+echo "<{$subject}> <{$predicate}> \"{$object}\" .";
+
+// Recommends:
+echo "<" . \Aegis\Semantic\Turtle::escapeIRI($subject) . "> "
+ . "<" . \Aegis\Semantic\Turtle::escapeIRI($predicate) . "> "
+ . "\"" . \Aegis\Semantic\Turtle::escapeString($object) . "\" .";
+```
+
+### 3. Deep Taint Analysis
+
+sanctify-php recognizes Aegis sanitizers as safe sinks:
+
+```php
+// sanctify-php knows this is safe
+$content = \Aegis\IndieWeb\Micropub::sanitizeContent($_POST['content']);
+echo $content; // No warning - recognized as sanitized
+```
+
+### 4. Configuration Alignment
+
+Both tools share configuration:
+
+```json
+// sanctify.json
+{
+ "runtime_library": "php-aegis",
+ "semantic_contexts": ["turtle", "jsonld"],
+ "transforms": {
+ "use_aegis": true,
+ "fallback": "wordpress"
+ }
+}
+```
+
+---
+
+## Feature Matrix
+
+| Feature | sanctify-php alone | php-aegis alone | Combined |
+|---------|-------------------|-----------------|----------|
+| Detect XSS | ✅ | ❌ | ✅ |
+| Fix XSS | ✅ (WP funcs) | ❌ | ✅ (Aegis) |
+| Runtime escaping | ❌ | ✅ | ✅ |
+| Turtle escaping | ⚠️ Warning only | ✅ | ✅ Auto-insert |
+| JSON-LD escaping | ⚠️ Warning only | ✅ | ✅ Auto-insert |
+| IndieWeb sanitization | ⚠️ Warning only | ✅ | ✅ Auto-insert |
+| Taint tracking | ✅ | ❌ | ✅ Enhanced |
+| CI/CD integration | ✅ SARIF | ❌ | ✅ SARIF |
+| WordPress integration | ✅ | ✅ | ✅ Seamless |
+| PHP 7.4 support | ✅ (binary) | ⚠️ (compat pkg) | ✅ |
+
+---
+
+## Adoption Path
+
+### Path A: Start with sanctify-php (Static Analysis First)
+
+```bash
+# 1. Install and run analysis
+composer require --dev hyperpolymath/sanctify-php
+vendor/bin/sanctify-php analyze src/
+
+# 2. Apply auto-fixes (uses WordPress functions)
+vendor/bin/sanctify-php fix src/
+
+# 3. Later: Add php-aegis for semantic escaping
+composer require hyperpolymath/php-aegis
+
+# 4. Re-run sanctify to upgrade to Aegis calls
+vendor/bin/sanctify-php fix src/ --use-aegis
+```
+
+### Path B: Start with php-aegis (Runtime Library First)
+
+```bash
+# 1. Install runtime library
+composer require hyperpolymath/php-aegis
+
+# 2. Manually add escaping where needed
+# Use Aegis\Escape::html(), Aegis\Semantic\Turtle::escapeString(), etc.
+
+# 3. Later: Add sanctify-php for automated detection
+composer require --dev hyperpolymath/sanctify-php
+
+# 4. Find missed spots
+vendor/bin/sanctify-php analyze src/
+```
+
+### Path C: Install Both (Recommended)
+
+```bash
+# Install both together
+composer require hyperpolymath/php-aegis
+composer require --dev hyperpolymath/sanctify-php
+
+# Analyze and fix in one step
+vendor/bin/sanctify-php fix src/ --use-aegis
+```
+
+---
+
+## Minimum Implementation Checklist
+
+### sanctify-php v0.2.0 (Standalone-Ready)
+
+- [ ] Pre-built binaries (linux-x86_64, darwin-x86_64, darwin-arm64)
+- [ ] Composer plugin that auto-downloads binary
+- [ ] GitHub Action
+- [ ] Standalone mode: use WordPress functions when Aegis not found
+- [ ] Warning mode: alert when semantic escaping needed but Aegis missing
+
+### php-aegis v0.2.0 (Standalone-Ready)
+
+- [ ] php-aegis-compat package (PHP 7.4+)
+- [ ] WordPress adapter (snake_case functions)
+- [ ] Extended validators: `int()`, `ip()`, `domain()`, `uuid()`, `slug()`
+- [ ] Turtle escaping: `Semantic\Turtle::escapeString()`, `escapeIRI()`
+- [ ] Works without sanctify-php or any build step
+
+---
+
+*SPDX-License-Identifier: MIT OR AGPL-3.0-or-later*
+*SPDX-FileCopyrightText: 2024-2025 hyperpolymath*