Phase 1 sub-commit 2: Symfony bundle internals

Bundle code for php-qml/bridge: BridgeBundle (AbstractBundle, autoloads
config/services.yaml), Publisher (thin wrapper over Mercure HubInterface
that enforces envelope-as-JSON), SessionAuthenticator (bearer-token
custom Symfony authenticator with problem+json failures), and
HealthController (GET /healthz readiness probe).

Composer constraints bumped to Symfony ^8.0 across the board (per user
request); mercure component to ^0.7. PHPUnit 11 suite covers Publisher
publish + private flag and SessionAuthenticator support/auth/failure
paths — 8 tests, 22 assertions, all green.

PLAN.md §13 updated to record the Symfony 8 minimum.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

framework/php/src/BridgeBundle.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpQml\Bridge;
+
+use Symfony\Component\Config\Definition\Configurator\DefinitionConfigurator;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
+use Symfony\Component\HttpKernel\Bundle\AbstractBundle;
+
+final class BridgeBundle extends AbstractBundle
+{
+    public function loadExtension(array $config, ContainerConfigurator $container, ContainerBuilder $builder): void
+    {
+        $container->import(__DIR__ . '/../config/services.yaml');
+    }
+
+    public function configure(DefinitionConfigurator $definition): void
+    {
+        // Bundle config tree gains nodes when bridge:doctor and the
+        // skeleton's wiring need settable knobs (Phase 1 sub-commits 3 & 6).
+    }
+}

framework/php/src/Controller/HealthController.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpQml\Bridge\Controller;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+
+/**
+ * Readiness probe used by the Qt host to detect when the backend is up.
+ * See PLAN.md §3 (*Startup*, step 4).
+ */
+final class HealthController
+{
+    #[Route('/healthz', name: 'php_qml_bridge_healthz', methods: ['GET'])]
+    public function __invoke(): JsonResponse
+    {
+        return new JsonResponse(['status' => 'ok']);
+    }
+}

framework/php/src/Publisher.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpQml\Bridge;
+
+use Symfony\Component\Mercure\HubInterface;
+use Symfony\Component\Mercure\Update;
+
+/**
+ * Publishes envelopes onto the bridge's Mercure hub.
+ *
+ * Topic conventions and envelope shape are defined in PLAN.md §4.
+ * Reactive-model-aware helpers (publishModelUpdate, etc.) arrive with
+ * the model layer in Phase 2.
+ */
+final readonly class Publisher
+{
+    public function __construct(
+        private HubInterface $hub,
+    ) {
+    }
+
+    /**
+     * @param array<string, mixed> $envelope
+     */
+    public function publish(string $topic, array $envelope, bool $private = false): string
+    {
+        return $this->hub->publish(new Update(
+            $topic,
+            json_encode($envelope, JSON_THROW_ON_ERROR),
+            $private,
+        ));
+    }
+}

framework/php/src/SessionAuthenticator.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpQml\Bridge;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+/**
+ * Validates the per-session bearer token shared between the Qt host
+ * and the Symfony backend.
+ *
+ * In dev mode the token is read from `.env.local`; in bundled mode the
+ * Qt host generates it per session and passes it to FrankenPHP via env.
+ * See PLAN.md §3 (*Run modes*, *Edge cases — Per-session secret rotation*).
+ */
+final class SessionAuthenticator extends AbstractAuthenticator
+{
+    public function __construct(
+        #[\SensitiveParameter]
+        private readonly string $expectedToken,
+    ) {
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return $request->headers->has('Authorization');
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        $header = (string) $request->headers->get('Authorization', '');
+        if (!str_starts_with($header, 'Bearer ')) {
+            throw new AuthenticationException('Bearer token missing.');
+        }
+
+        $token = substr($header, 7);
+        if ($this->expectedToken === '' || !hash_equals($this->expectedToken, $token)) {
+            throw new AuthenticationException('Bearer token invalid.');
+        }
+
+        // Single-session model — there is one bridge "user", not per-end-user auth.
+        return new SelfValidatingPassport(new UserBadge('bridge'));
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return new JsonResponse(
+            [
+                'type'   => 'about:blank',
+                'title'  => 'Unauthorized',
+                'status' => Response::HTTP_UNAUTHORIZED,
+                'detail' => $exception->getMessage(),
+            ],
+            Response::HTTP_UNAUTHORIZED,
+            ['Content-Type' => 'application/problem+json'],
+        );
+    }
+}