Phase 1 sub-commit 6: skeleton wiring — make dev runs end-to-end

Symfony app under framework/skeleton/symfony/: minimal bin/console,
public/index.php, MicroKernel-based src/Kernel.php, services.yaml,
framework/security/mercure config, and a demo App\Controller\PingController
that GETs /api/ping (returning JSON pong) and republishes the same
payload to the Mercure topic app://ping. composer.json uses a path
repository to symlink the bundle from ../../php so local edits are
picked up live.

QML app under framework/skeleton/qml/: top-level CMake that
add_subdirectory's framework/qml, a main.cpp that creates the Qt
process, runs SingleInstance.acquireOrForward before any QML loads,
exposes SingleInstance via context property, and loadFromModule's
Skeleton.Main. Main.qml uses BackendConnection / RestClient /
MercureClient from PhpQml.Bridge and renders status dots, a Ping
button, and an event log.

Caddyfile binds 127.0.0.1:8765, enables in-memory Mercure with a
256-bit dev JWT (matches symfony/.env, lcobucci/jwt requires this).
Makefile wraps build / dev / doctor / clean; scripts/dev.sh starts
FrankenPHP --watch and the Qt host together with explicit PID-based
teardown (process-group `kill 0` proved unreliable when frankenphp's
watch fork reparented).

Bug fixes uncovered in this sub-commit:
- SingleInstance.acquireOrForward: probe-first, then removeServer +
  retry-listen. The original loop-with-removeServer-after-failed-bind
  silently exited on stale sockets from prior runs.
- Main.qml: MercureClient does NOT inherit BackendConnection.token —
  Mercure subscribes anonymously in dev (Caddyfile), and forwarding
  the bridge bearer made it 401-loop.
- /api/ping was 500ing because the dev MERCURE_JWT_SECRET was 144 bits;
  bumped to 64-char (>=256 bit) to satisfy lcobucci/jwt.
- Linked the framework lib (php_qml_bridge) explicitly in addition to
  the QML plugin so SingleInstance.h resolves.
- Auto-generated config/reference.php gitignored.

Smoke verified offscreen: /healthz 200, /api/ping 200, 1 publish, 1
subscriber, zero 401s, clean shutdown with no zombies.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

framework/skeleton/symfony/.env

@@ -0,0 +1,17 @@
+APP_ENV=dev
+APP_DEBUG=1
+APP_SECRET=dev-secret-not-for-production-use
+
+# Mercure hub (FrankenPHP-built-in). Both URLs are typically the same in
+# dev mode where the hub and the app are colocated.
+MERCURE_URL=http://127.0.0.1:8765/.well-known/mercure
+MERCURE_PUBLIC_URL=http://127.0.0.1:8765/.well-known/mercure
+# Used by mercure-bundle to mint publisher JWTs. Must match the
+# publisher_jwt secret in ../Caddyfile. lcobucci/jwt requires HMAC
+# secrets to be at least 256 bits, so the dev value here is 64 chars.
+MERCURE_JWT_SECRET=dev_php_qml_bridge_jwt_secret_at_least_256_bits_long_for_lcobucci
+MERCURE_PUBLISHER_JWT_KEY=dev_php_qml_bridge_jwt_secret_at_least_256_bits_long_for_lcobucci
+MERCURE_SUBSCRIBER_JWT_KEY=dev_php_qml_bridge_jwt_secret_at_least_256_bits_long_for_lcobucci
+
+# Bearer token the Qt host sends on /api/* requests.
+BRIDGE_TOKEN=devtoken

framework/skeleton/symfony/bin/console

@@ -0,0 +1,17 @@
+#!/usr/bin/env php
+<?php
+
+use App\Kernel;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+
+if (!is_file(dirname(__DIR__).'/vendor/autoload_runtime.php')) {
+    fwrite(STDERR, "Vendor autoload missing. Run `composer install` in the skeleton/symfony dir first.\n");
+    exit(1);
+}
+
+require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
+
+return function (array $context): Application {
+    $kernel = new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
+    return new Application($kernel);
+};

framework/skeleton/symfony/composer.json

@@ -0,0 +1,39 @@
+{
+    "type": "project",
+    "license": "proprietary",
+    "minimum-stability": "stable",
+    "require": {
+        "php": "^8.3",
+        "symfony/framework-bundle": "^8.0",
+        "symfony/runtime": "^8.0",
+        "symfony/dotenv": "^8.0",
+        "symfony/yaml": "^8.0",
+        "symfony/security-bundle": "^8.0",
+        "symfony/mercure-bundle": "^0.4",
+        "php-qml/bridge": "@dev"
+    },
+    "autoload": {
+        "psr-4": {
+            "App\\": "src/"
+        }
+    },
+    "config": {
+        "allow-plugins": {
+            "symfony/runtime": true
+        }
+    },
+    "extra": {
+        "runtime": {
+            "class": "Symfony\\Component\\Runtime\\SymfonyRuntime"
+        }
+    },
+    "repositories": [
+        {
+            "type": "path",
+            "url": "../../php",
+            "options": {
+                "symlink": true
+            }
+        }
+    ]
+}

framework/skeleton/symfony/config/bundles.php

@@ -0,0 +1,8 @@
+<?php
+
+return [
+    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
+    Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
+    Symfony\Bundle\MercureBundle\MercureBundle::class => ['all' => true],
+    PhpQml\Bridge\BridgeBundle::class => ['all' => true],
+];

framework/skeleton/symfony/config/packages/framework.yaml

@@ -0,0 +1,9 @@
+framework:
+    secret: '%env(APP_SECRET)%'
+    http_method_override: false
+    handle_all_throwables: true
+    php_errors:
+        log: true
+    router:
+        utf8: true
+    test: false

framework/skeleton/symfony/config/packages/mercure.yaml

@@ -0,0 +1,9 @@
+mercure:
+    hubs:
+        default:
+            url: '%env(MERCURE_URL)%'
+            public_url: '%env(MERCURE_PUBLIC_URL)%'
+            jwt:
+                secret: '%env(MERCURE_JWT_SECRET)%'
+                publish: ['*']
+                subscribe: ['*']

framework/skeleton/symfony/config/packages/security.yaml

@@ -0,0 +1,18 @@
+security:
+    providers:
+        bridge_provider:
+            memory:
+                users:
+                    bridge: { roles: ['ROLE_BRIDGE'] }
+    firewalls:
+        unauth:
+            pattern: ^/(healthz|\.well-known/mercure)
+            security: false
+        api:
+            pattern: ^/api
+            stateless: true
+            provider: bridge_provider
+            custom_authenticators:
+                - PhpQml\Bridge\SessionAuthenticator
+    access_control:
+        - { path: ^/api, roles: ROLE_BRIDGE }

framework/skeleton/symfony/config/routes.yaml

@@ -0,0 +1,11 @@
+php_qml_bridge:
+    resource:
+        path: ../vendor/php-qml/bridge/src/Controller/
+        namespace: PhpQml\Bridge\Controller
+    type: attribute
+
+app_controllers:
+    resource:
+        path: ../src/Controller/
+        namespace: App\Controller
+    type: attribute

framework/skeleton/symfony/config/services.yaml

@@ -0,0 +1,11 @@
+parameters:
+
+services:
+    _defaults:
+        autowire: true
+        autoconfigure: true
+
+    App\:
+        resource: '../src/'
+        exclude:
+            - '../src/Kernel.php'

framework/skeleton/symfony/public/index.php

@@ -0,0 +1,9 @@
+<?php
+
+use App\Kernel;
+
+require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
+
+return function (array $context): Kernel {
+    return new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
+};

framework/skeleton/symfony/src/Controller/PingController.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Controller;
+
+use PhpQml\Bridge\Publisher;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+
+/**
+ * Demo endpoint: returns a JSON pong AND republishes it on the Mercure
+ * topic `app://ping`. Lets the skeleton's QML window prove both
+ * transport channels (HTTP + SSE) round-trip end-to-end.
+ *
+ * Removed once Phase 2's reactive models supersede the demo.
+ */
+final class PingController
+{
+    public function __construct(
+        private readonly Publisher $publisher,
+    ) {
+    }
+
+    #[Route('/api/ping', name: 'app_ping', methods: ['GET'])]
+    public function __invoke(): JsonResponse
+    {
+        $payload = ['pong' => true, 'now' => date('c')];
+        $this->publisher->publish('app://ping', $payload);
+        return new JsonResponse($payload);
+    }
+}

framework/skeleton/symfony/src/Kernel.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App;
+
+use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
+use Symfony\Component\HttpKernel\Kernel as BaseKernel;
+
+final class Kernel extends BaseKernel
+{
+    use MicroKernelTrait;
+}