This commit introduces the `Trimmed` validator that ensures a string
cannot start or end with a list of specific values.
The default values used are a selected list of Unicode invisible
characters.
To support this change, the StartsWith and EndsWith validators were
modified so they can also support multiple values to check for.
While StartsWith and EndsWith are more generic, and also perform
start-of-array and end-of-array kinds of checks, Trimmed is more
focused on string inputs, which tailors to a more specific use
case.
This change introduces a new command to `@TheRespectPanda` bot,
allowing him to dispatch the ci-perf.yml workflow benchmarks for
a pull request.
Initially, the bot will just trigger it and return the workflow
run URL for manual inspection. Future iterations on this feature
could then grab the benchmark results and update the comment.
- Parce PSL ICANN section into structured sections (rules,
wildcards, exceptions) according to the format.
- Updates PublicSuffix semantics for complete application of
the rules.
- Includes private domain suffixes now.
- Refreshes the existing data.
- Fixes the update-regionals.yml workflow, set it to run
twice a week.
References: https://github.com/publicsuffix/list/wiki/Format#format
The "protected" isValid() method didn't work, threw an exception sying it needs to be "public".
Also the registration didn't work that way. I was unable to fix it but found an alternate way which works. Maybe it's not the right one but I'm indicating it here.
Includes a basic bot workflow that just answers "pong" to ping
requests, includes a help message and ignores invalid commands.
This is the minimum feature that exercises token access, non
recursive comments (answering to its own pong) and so on.
Integrate FormatterModifier into the validation message modifier chain,
enabling StringFormatter formatters to be used as pipe modifiers in
message templates (e.g., {{input|uppercase}}, {{input|mask:1-4:X}}).
This requires bumping respect/string-formatter to ^1.7.
Add feature tests for both the Formatted validator (uppercase, lowercase,
trim, number, date, creditCard, secureCreditCard, chained formatters) and
the FormatterModifier in templates (all major formatters, custom parameters,
multi-argument modifiers, and chained modifiers).
Assisted-by: Claude Code (Claude Opus 4.6)
Some systems and tools (e.g., certain archive extractors, Windows
environments, or CI pipelines) do not properly handle non-ASCII
characters in file paths. The public suffix data files for
internationalized TLDs (such as ישראל, СРБ, 香港, and ไทย) were stored
using their native Unicode names, which caused installation failures
on those systems.
This commit converts those filenames to their Punycode equivalents
(e.g., XN--4DBRK0CE.php instead of ישראל.php) using `idn_to_ascii()`.
Both the data generation command (`UpdateDomainSuffixesCommand`) and the
runtime validator (`PublicDomainSuffix`) are updated to use the same
Punycode-based file lookup, ensuring consistency. A polyfill dependency
(`symfony/polyfill-intl-idn`) is added so that `idn_to_ascii()` is
available even when the `intl` PHP extension is not installed.
Assisted-by: Claude Code (Claude Opus 4.6)
Co-authored-by: Henrique Moody <henriquemoody@gmail.com>
Previously aliases.php was incorrectly excluded from the package export due to
improper gitattributes configuration. This change ensures aliases.php is
included in the distributed package by using the correct -export-ignore syntax.
Assisted-by: OpenCode (ollama-cloud/glm-4.7)
- Updated respect/string-formatter from ^1.0 to ^1.6
- Removed manual 'f' alias for FormatterBuilder as the package now handles it
- Simplified aliases.php by delegating aliasing to the dependency itself
Assisted-by: OpenCode (ollama-cloud/glm-4.7)
Before this change, querying validation results required knowing the
exact path to a specific result node—including numeric indices for
array elements (e.g., `items.1.email`). This made it impractical to
locate the first failing result in dynamic collections where the
failing index is not known ahead of time.
Wildcard segments (`*`) allow matching any single path component, so
patterns like `items.*`, `*.email`, or `data.*.value` will traverse
the result tree and return the first node whose path matches. This is
particularly valuable when validating arrays of items with `each()`,
because consumers can now ask "give me the first failure under items"
without iterating manually.
The implementation replaces the previous flat `array_find` lookup with
a recursive depth-first traversal that, when a wildcard is present,
compares each node's full path against the pattern using segment-level
matching. Non-wildcard lookups continue to use exact array equality,
so there is no behavioral change for existing callers.
Assisted-by: Claude Code (claude-opus-4-6)
The Masked validator was a proxy for what the new Formatted validator
already does, so it is being removed to reduce redundancy. All tests and
documentation have been updated accordingly.
Assisted-by: OpenCode (ollama-cloud/glm-4.7)
The Formatted validator decorates another validator to transform how
input values appear in error messages, while still validating the
original unmodified input.
This is useful for improving the readability of error messages by
displaying values in a user-friendly formatd.
The validator accepts any Respect\StringFormatter\Formatter implementation,
allowing direct use of StringFormatter's fluent builder. As StringFormatter
expands with more formatters in future releases, users will automatically
benefit from the full range of formatting options.
Assisted-by: Claude Code (Opus 4.5)
Rename the Composite class to LogicalComposite to more accurately reflect
its purpose as a validator that combines child validators using logical
operations (AND, OR, NAND, XOR).
This better naming also opens the door for additional composite patterns
beyond logical operations, enabling future validator compositions.
Assisted-by: OpenCode (GLM 4.5)
The documents on translation were updated to feature symfony with
an array provider. Duplicated container notes were extracted to
a single configuration.md file.
An API for accessing the messages, so users don't have to copy
and paste them from the source or docs, was provided and
TemplateResolver was refactored to use it.
This commit introduces a mechanism for validators to return early once
the validation outcome is determined, rather than evaluating all child
validators.
The ShortCircuit validator evaluates validators sequentially and stops
at the first failure, similar to how PHP's && operator works. This is
useful when later validators depend on earlier ones passing, or when
you want only the first error message.
The ShortCircuitCapable interface allows composite validators (AllOf,
AnyOf, OneOf, NoneOf, Each, All) to implement their own short-circuit
logic.
Why "ShortCircuit" instead of "FailFast":
The name "FailFast" was initially considered but proved misleading.
While AllOf stops on failure (fail fast), AnyOf stops on success
(succeed fast), and OneOf stops on the second success. The common
behavior is not about failing quickly, but about returning as soon as
the outcome is determined—which is exactly what short-circuit
evaluation means. This terminology is familiar to developers from
boolean operators (&& and ||), making the behavior immediately
understandable.
Co-authored-by: Alexandre Gomes Gaigalas <alganet@gmail.com>
Assisted-by: Claude Code (Opus 4.5)
Due to the continuous increase in the number of companies and the
imminent exhaustion of available CNPJs (Brazilian taxpayer
identification numbers), the Brazilian Federal Revenue Service is
instituting the alphanumeric CNPJ. The initiative aims to
facilitate the identification of all companies and improve the
business environment, contributing to the economic and social
development of Brazil.
The alphanumeric CNPJ will be assigned, starting in July 2026,
exclusively to new registrations.
Changes:
- Add support for alphanumeric CNPJ validation
- Format code according to PHPCS standards
- Simplify CNPJ conversion to uppercase character array
- Add documentation about CNPJ structure
- Follows up on the rename from library/ to src/
- Includes required files for proper SBOM
- Don't show diffs for generated files
- Include aliases.php
I ran the `bin/console spdx --fix` with different strategies for
different files. For most of the core classes, since they've been
drastically rebuilt, I've run it with the `git-blame` strategy, for for
the `src/Validators`, in which the API changed completely but the logic
remains the same, I use the `git-log` strategy.
Improves SPDX header linting to ensure consistent license metadata across
the codebase.
Key changes:
- Enforce deterministic tag ordering (License-Identifier, FileCopyrightText,
FileContributor) to ensure consistency, prevent merge conflicts, and
simplify code reviews
- Add contributor alias mapping to consolidate contributors with multiple
emails or name variations (e.g., "nickl-" → "Nick Lombard")
- Add --contributions-strategy option with "blame" (current code authors)
and "log" (all historical contributors) to support different attribution
philosophies
- Add optional path argument to lint specific files or directories
- Add --fix option to automatically correct header issues
Assisted-by: Claude Code (claude-opus-4-5-20251101)
See #1668 for more info.
There is a new test "Deep name collision" on AllOfTest that
exemplifies the kind of collision this change solves.
Some extra `__root__` keys needed to be added to a select few
other scenarios for consistency.
The previous name was confusing as it focused on the implementation
detail (calling a callable) rather than what the validator actually
does. The new name "After" better conveys the validator's purpose:
validating the input after applying a transformation.
Assisted-by: Claude Code (Opus 4.5)
The previous name was confusing as it focused on the implementation
detail (receiving a callback) rather than what the validator actually
does. The new name "Satisfies" better conveys the validator's purpose:
checking whether the input satisfies a given condition.
Assisted-by: Claude Code (Opus 4.5)
The name "Factory" better conveys the validator's purpose: dynamically
creating a validator at runtime based on the input value. "Lazy" was
misleading as it suggested simple deferred evaluation rather than
input-dependent validator construction.
Also renamed the constructor argument from `$validatorCreator` to
`$factory` for improved expressiveness.
Assisted-by: Claude Code (Opus 4.5)
Previously, the URL validator accepted all kinds of URLs.
Combining it with other validators like `Domain` and `Ip` manually
is clumbersome, since the rules are extensive and require small
tweaks such as understanding bracketed IP addresses.
This change makes that composition built-in. The validator still
uses the FILTER_VALIDATE_URL from PHP, but now it also goes deeper
and validate portions of the URL that other validators support.
Changes to `Call` were made so that it can be serialized under
certain circumstances (when invoking a static method call), making
it more flexible.
A static internal method helper for trimming the IP was added to
the Url validator class and marked as internal, as it cannot be
both private, serializable and accessible to the `Call` instance
all at the same time. The `@internal` annotation should advise
users that it's not a public API according to phpdoc conventions.
- Added `composer docs-serve` to preview documentation locally.
- Improved `ValidatorRelatedLinter` to not include invalid related
entries.
- Updated `CONTRIBUTING.md`
The phrase "granularity control for advanced reporting" is not
accurate anymore. Although we offer much better exception handling
now, we are currently not offering granularity control at a global
level (previously implemented by the check() interface).
If that were to be changed, we can restore that headline. I instead
replaced with the phrase "Advanced exception handling", which
accurately describes what we offer.
I also removed the `concrete-api.md`, which was a document
describing how we don't rely on static calls. We do, in fact,
recommend some of them, such as `ValidatorBuilder::init`, and
although they can be avoided, it relies on setting up a custom
container which we do not offer full documentation for yet.
The Prefix transformer had many loops that could be avoided. This
change replaces them for a compiled PCRE regex, taking advantage
of recent PCRE JIT capabilities introduced in PHP.
These changes offer no performance trade-offs, improving lookup
for all categories of prefixes (property/key with shift, ignore
list and fallback to simple rule).
The most affected is the simple rule (no prefix or no conflict
with any kind of prefix rule), yielding the most gains.
- Changed Property so it doesn't have an unreachable line anymore.
- Rename ValidatorTest to ValidatorBuilderTest to better reflect
the source.
- Added missing tests for KeyExists's ArrayAccess support.
- Added tests for using custom exceptions.
This change makes the ramsey/uuid optional dependency testable
by using the ContainerRegistry to acquire an instance to its factory
instead of relying on `class_exists` directly.
With PHP's promoted properties, there is little reason to have an
abstract class that only provides a constructor and a proxy method.
The greater part of the classes that extended Wrapper had their own
implementation of evaluate(), hence it made very little sense to keep
Wrapper in the codebase.
Assisted-by: Claude Code (Opus 4.5)
Now empty values are again allowed in FilteredArray-style
validators.
To solve the issue with negation, a Result attribute was
added to signal indeciseveness (when a result cannot be
reliably inverted). On such cases, we consider that result
to be valid.
For example, `v::not(v::min(v::equals(10)))` says "The
lowest value of the iterable input should not be equal 10".
If the input is empty, we cannot decide whether its minimum
is equal to 10 or not, so the validator essentially becomes
a null-op.
Users that want to ensure these validators have a valid
decidable target must use it in combination with `Length`
or other similar validators to achieve the same result.
The Masked validator decorates other validators to mask sensitive input
values in error messages while still validating the original unmasked
data.
This validator is essential for applications handling sensitive
information such as passwords, credit cards, or email addresses. Without
it, users would need to implement a custom layer between Validation and
the end user to prevent PII from appearing in error messages or logs.
With Masked, sensitive data protection is built directly into the
validation workflow with no additional abstraction required.
Assisted-by: Claude Code (Opus 4.5)
