Zailaja

Current Build Version...

v0.57 LIVE

Changelog

v0.041 - v0.049

    Architecture: Hub & Spoke (Cowboy Protocol)
  1. Multi-Target Deployment Topology — Replacing local folder isolation with a dedicated Mirror Server strategy via sftp.json:
    • ROOT_CHANNEL (Primary): Direct pipeline to Production Live Server. Maps local public_html → remote public_html.
    • MIRROR_ROOT_CHANNEL (Replica): Direct pipeline to Secondary Mirror Server. Acts as the "Crash Test Dummy" for destructive testing.
    • Key Management: Unified identity strategy using Ed25519 SSH keys authorized across both Master and Mirror environments.
  2. Version Control (The Vault) — Formalized GitHub integration:
    • Initialized private repository with .gitignore hardening to prevent credential leakage (sftp.json, .vscode/, .DS_Store).
    • Established "Main" branch strategy for configuration state and protocol documentation.
  3. Kernel SimplificationREMOVED runBios.php.
    • Logic folded into index.php (Phase 4: The Fork) and diagonally.php.
    • Boot chain flattened: Prepend (Instrumentation) → Index (Routing/Portal) → App/Diagnostics.
    • Added Portal Logic: index.php now handles /dimensions/* routes to serve internal protocols and tools.
    The "Ghost" System (server_fallback.php)

    A PHP-driven emulation layer that simulates Web Server (Apache/Nginx) behavior when the primary config fails or is bypassed.

  1. Runtime Hardening & INI Enforcement — Forcing safe execution limits regardless of php.ini state:
    • Security: display_errors=0, log_errors=1.
    • Resources: memory_limit=512M, max_execution_time=300 (Tooling Profile).
    • Output: zlib.output_compression=0 (Prevents double-compression issues).
  2. Security Headers Injection — Applied at the PHP level for defense-in-depth:
    • HSTS: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.
    • Clickjacking: X-Frame-Options: DENY.
    • MIME Sniffing: X-Content-Type-Options: nosniff.
    • CSP Baseline: Content-Security-Policy (default-src 'self' data: 'unsafe-inline').
  3. Routing Emulation — Pure PHP implementation of .htaccess rewrite rules:
    • Canonical Redirects: Enforces HTTPS and strips www. subdomain.
    • Legacy Redirects: Maps ?page=x query strings to pretty URLs /x.
    • Traffic Blockers: Denies access to Dotfiles (except .well-known) and internal system folders.
  4. Asset Guards & Recovery — Granular control over static files served via PHP:
    • Hotlink Protection: Validates HTTP_REFERER against allowed domains. Blocks cross-origin image requests.
    • Static Recovery Engine: If the webserver fails to serve an asset, PHP takes over:
      • Validates path containment (prevents directory traversal).
      • Detects MIME type via finfo_file (with extensive extension fallback map).
      • Generates ETag (SHA1 of path+mtime+size) and Last-Modified.
      • Supports 304 Not Modified and HEAD requests.
      • Applies aggressive caching headers (immutable, max-age=31536000) for whitelisted assets.
    Diagnostics (Muladhara / diagonally.php)
  1. Deep Inspection Tools — Added new handlers to the z_diag_registry:
    • /__scry: Full environment scan (Loaded Extensions, Critical INI values, Opcache Hit Rate, SAPI details).
    • /__net: Network topology analysis (Trusted Proxy detection, Cloudflare headers CF-RAY/CF-VISITOR, Forwarded-For chain analysis).
    • /__storagecheck: Automated I/O test (Write/Read/Unlink) to verify filesystem permissions in STORAGE_PATH.
    • /__opcache: Detailed memory usage and hit/miss statistics.
  2. Apache Mirror Directives — Ported .htaccess logic into reusable PHP functions:
    • block_dotfiles_except_well_known()
    • block_direct_php_requests() (Only allows index.php).
    • redirect_trailing_slash_if_not_dir() (Normalizes URLs).
    Debug Overlay (BugChoppa)
  1. Class Architecture — Refactored into final class Bugchoppa:
    • Static Singleton pattern initialized via ::boot().
    • Error/Exception handlers registered automatically (onError, onException, onShutdown).
    • OOM Protection: Pre-allocated memory reserve ($memReserve) to ensure fatal errors can still render.
  2. Stateless Control (No Cookies) — Toggles via Query String:
    • ?__dbg=on/off: Master switch.
    • ?__dbg_ex=on/off: Converts Warnings to Exceptions (Strict Mode).
    • ?__dbg_tr=on/off: Enables backtraces for non-fatal warnings.
  3. Visual Interface — High-fidelity HTML injection:
    • Redaction Engine: Automatically masks sensitive keys (password, token, auth, key) in GET/POST dumps.
    • Upload Summary: Inspects $_FILES array and decodes error codes (e.g., UPLOAD_ERR_INI_SIZE) into human-readable messages.
    • Theming: Custom color palette (Header #9F2B68, Body #50C878) defined in z_debug_overlay_opts().

v0.031 - v0.04

    Server / Entry Rules
  1. .htaccess — locked the public surface area down to a single PHP entrypoint:
    • Disabled content negotiation + directory listing: Options -MultiViews -Indexes
    • ACME challenge is always allowed first (never boots app): RewriteRule ^\.well-known/acme-challenge/ - [L]
    • Static assets bypass PHP entirely when they exist:
      • RewriteCond %{REQUEST_FILENAME} -f [OR]
      • RewriteCond %{REQUEST_FILENAME} -d
      • RewriteRule ^ - [L]
    • Prevents index rewrite loops and allows direct access to index.php: RewriteRule ^index\.php$ - [L]
    • Hard-blocks any other direct PHP execution attempt: RewriteRule \.php$ - [R=404,L]
    • Everything else routes to index.php and stamps an env marker for rewrite detection: RewriteRule ^ index.php [QSA,L,E=SERVER_BOOT_FILE:ACTIVE]
    • Retained cPanel/LiteSpeed handler configuration (ea-php83 lsphp)
    Prepend Boot Chain (true “first touch”)
  1. user.ini — enabled prepend execution at the server level:
    • Configured: auto_prepend_file=.../activatePrepend.php
    • Forced production-safe output behavior while still logging everything internally:
      • display_errors=0
      • error_reporting=E_ALL
    • Expanded upload + runtime ceilings for heavier ops / tooling:
      • upload_max_filesize=512M, post_max_size=516M, max_file_uploads=50
      • max_execution_time=300, max_input_time=300, memory_limit=512M
  2. activatePrepend.php — earliest-possible instrumentation + overlay enablement:
    • Defines the global timing origin as early as possible: Z_EDGE_T0 = hrtime(true)
    • Tags where timing began: Z_EDGE_T0_SRC = 'prepend'
    • Declares prepend state for downstream verification:
      • Z_PREPEND_LOADED = 1
      • Z_PREPEND_FILE = __FILE__
    • Emits prepend verification headers when safe:
      • X-Prepend-Loaded: 1
      • X-Prepend-File: activatePrepend.php (basename)
    • Loads bugChoppa.php and boots overlay if available:
      • require __DIR__ . '/Bugchoppa.php';
      • z_overlay_mark('prepend'); (provenance stamp)
      • Bugchoppa::boot(z_debug_overlay_opts());
    Edge Controller + Timing Visibility
  1. runBios.php — standardized timing origin handling across all entry paths:
    • If prepend already set the timing origin, BIOS respects it (no redefinition)
    • If timing exists but no source label exists, BIOS backfills: Z_EDGE_T0_SRC = 'unknown'
    • Emits a visibility header to confirm timing origin per request: X-Edge-T0-Src: prepend|runBios|unknown
  2. runBios.php — confirmed rewrite marker integration continues working with the new env marker:
    • SERVER_BOOT_FILE / REDIRECT_SERVER_BOOT_FILE detection remains authoritative
    • Root / DirectoryIndex fallback detection remains supported (ACTIVE(DIRINDEX))
  3. Observed timing sample (/__timing):
    • Total edge time: 0.531 ms
    • Parse stage: 0.473 ms
    • Marker stage: 0.003 ms
    • Marker state: ACTIVE
    • SAPI: litespeed, server reports Apache, PHP 8.3.28
    • Note: static_gate_ms is null on diag requests because /__* dispatch exits before the static-gate timestamp is recorded.
    Index Fallback Safety Net
  1. index.php — added a safe fallback overlay boot path if prepend fails:
    • Only triggers when Z_PREPEND_LOADED is missing
    • Defines fallback identity:
      • Z_PREPEND_LOADED = 0
      • Z_PREPEND_FILE = __FILE__
    • Emits fallback verification headers:
      • X-Prepend-Loaded: 0
      • X-Prepend-File: index-fallback
    • Loads overlay implementation and marks provenance:
      • require __DIR__ . '/Bugchoppa.php';
      • z_overlay_mark('index-fallback');
      • Bugchoppa::boot(z_debug_overlay_opts());
  2. index.php — version bumped on landing page: v0.041
    Overlay Implementation + Provenance
  1. bugChoppa.php — refactored into a reusable overlay “module” used by BOTH prepend and index fallback:
    • Central options source: z_debug_overlay_opts() defines overlay toggles + theme
    • New provenance + header stamper: z_overlay_mark($src)
      • Defines constants: Z_OVERLAY_BOOT_SRC, Z_OVERLAY_BOOT_FILE, Z_OVERLAY_BOOT_TS
      • Emits: X-Overlay-Boot-Src, X-Overlay-Booted
    • Direct-access protection: blocks requests where bugChoppa.php is executed directly (returns 404)
    • Overlay supports single-request toggles (no cookies) via query params: __dbg, __dbg_ex, __dbg_tr
    • Overlay keeps output safe:
      • Forces display_errors=0 while still capturing errors
      • Captures warnings/notices, uncaught exceptions, and fatal shutdown errors
      • Optional warning traces when exception-conversion is off
      • Redacts sensitive keys in GET/POST dump

v0.021 - v0.03

    Index / Edge
  1. Kept the edge controller minimal: paths → request parse → rewrite marker → static fallback → special endpoints → HTML
  2. Moved all /__* diagnostics out of index.php into /muladhara/diagonally.php (registry + auth + handlers)
  3. Only loads diagnostics code when needed:
    • if (str_starts_with($pathDecoded, '/__')) require_once ...
    • Otherwise skips the whole diag module (faster + cleaner)
  4. Preserved portable request normalization + safety checks:
    • Trailing-slash normalization (except /)
    • rawurldecode() + null-byte rejection
    • Cheap header capture (getallheaders() fallback)
  5. Preserved “portable mode” static serving (only when rewrite is INACTIVE):
    • realpath prefix guard inside PUBLIC_REAL
    • 403 on directory listing unless index.html/index.htm
    • Blocked serving PHP as static (404)
    • MIME via finfo, ETag/Last-Modified, 304, HEAD support
  6. Kept “cheap endpoints” as no-boot fast-paths:
    • /.well-known/acme-challenge/*
    • /robots.txt and /sitemap.xml placeholders
  7. Kept timing stamps (Z_EDGE_T0 + stage stamps) for edge profiling
    Server (Apache / .htaccess)
  1. Maintained no negotiation / no listing: Options -MultiViews -Indexes
  2. ACME bypass stays first: /.well-known/acme-challenge/ never boots PHP
  3. Server serves real files/dirs directly (assets skip PHP):
    • RewriteCond %{REQUEST_FILENAME} -f [OR]
    • RewriteCond %{REQUEST_FILENAME} -d
    • RewriteRule ^ - [L]
  4. Prevented index loop: RewriteRule ^index\.php$ - [L]
  5. All other routes → index.php with env marker:
    • RewriteRule ^ index.php [QSA,L,E=SERVER_BOOT_FILE:ACTIVE]
  6. cPanel/LiteSpeed PHP handler retained (ea-php83 lsphp)
    muladhara/diagonally.php
  1. Introduced a dedicated diagnostics module (single include) with:
    • z_diag_registry() mapping /__* → handler + auth + methods
    • z_diag_dispatch() as the only entrypoint from index.php
  2. Auth system formalized:
    • public (no auth)
    • basic (browser popup) with CGI/LiteSpeed header fallback
    • token (env-driven) returning 404 on failure (future-ready)
  3. Credentials moved to env-first strategy:
    • ZAILAJA_DIAG_USER, ZAILAJA_DIAG_PASS, ZAILAJA_DIAG_TOKEN
    • Hardcoded placeholders remain as dev fallback only
  4. Handlers kept modular and cheap:
    • Public: /__ping, /__health, /__version
    • Protected: /__env, /__paths, /__headers, /__staticcheck, /__list, /__timing

v0.0 - v0.02

    Index / Edge
  1. Kept the front controller edge-first: cheap requests before any app boot
  2. Added dev HTML no-cache headers (noCacheHtml()) for instant refresh
  3. Added portable boot utilities: boot_fail(), norm_dir(), define_once(), plus JSON/text response helpers
  4. Built portable path discovery from __DIR__: PUBLIC_PATH, PUBLIC_REAL, APP_PATH, STORAGE_PATH, DIAG_PATH, ASSET_PATH (with optional constant binding)
  5. Added request parsing + normalization pipeline: REQUEST_URIPHP_URL_PATH → trim trailing slash (except /) → rawurldecode()
  6. Added null-byte rejection on decoded paths
  7. Added lightweight header capture (uses getallheaders() when available; falls back to HTTP_*)
  8. Added rewrite marker detection: SERVER_BOOT_FILE / REDIRECT_SERVER_BOOT_FILE, plus ACTIVE(DIRINDEX) detection for root /
  9. Added portable static fallback server (runs only when rewrite marker is inactive):
    • Safe realpath prefix guard (prevents traversal outside PUBLIC_REAL)
    • Directory listing blocked (403) unless index.html/index.htm exists (mirrors -Indexes)
    • Blocked serving PHP files as static (404)
    • MIME detection via finfo (falls back to application/octet-stream)
    • Static caching validators: ETag + Last-Modified with 304 support
    • HEAD request support for static responses
  10. Added ACME passthrough support (/.well-known/acme-challenge/*) as guaranteed no-boot fast-path
  11. Added edge endpoints (/robots.txt, /sitemap.xml) as minimal placeholders (no boot)
  12. Added diagnostics system (/__*) with registry + dispatcher (easy to move to tools later):
    • Public: /__ping, /__health, /__version
    • Protected (Basic Auth for now): /__env, /__paths, /__headers, /__staticcheck, /__list, /__timing
  13. Added micro-timing instrumentation using hrtime(true): Z_EDGE_T0, plus stage stamps for parse/marker/static-gate
Server (Apache / .htaccess)
  1. Disabled content negotiation and directory listing (-MultiViews -Indexes)
  2. Enabled rewrite engine and added ACME bypass rule
  3. Skipped rewrite for existing files/dirs (lets Apache/LiteSpeed serve assets directly; avoids booting PHP)
  4. Prevented rewrite loop on index.php
  5. Added rewrite-to-index rule that sets env marker (E=SERVER_BOOT_FILE:ACTIVE)
  6. Noted behavior: root / may execute index.php via DirectoryIndex without triggering rewrite marker
That is the perfect mindset. Building a simple, focused tool for each category is arguably the fastest way to master a language without getting bogged down in framework "magic." Here are the 10 Native PHP Categories, expanded to include the "Advanced 5" and showing the progression from Procedural (old school, simple) to Object-Oriented (OOP) (modern, robust). Since you prefer "fully native," I will introduce you to the SPL (Standard PHP Library), which is PHP's built-in collection of OOP classes that people often forget exists. The Foundation (Recap & OOP Upgrade) 1. String Manipulation Procedural: str_replace(), substr(), explode() Native OOP: PHP strings are primitive types, so they don't have built-in object methods like string->length(). However, standard practice in OOP is to wrap these in Value Objects if you need strictly typed behavior. Tool Idea: A "Slug Generator" (converts "Hello World!" to "hello-world"). 2. Array Handling Procedural: array_merge(), count(), sort() Native OOP: ArrayObject and SplFixedArray. The Upgrade: Standard arrays in PHP are actually hash maps (slow for massive lists). SplFixedArray is a true, memory-efficient array. PHP // Procedural $array = [1, 2, 3]; // Native OOP $array = new SplFixedArray(3); $array[0] = 1; // Faster, strictly indexed Tool Idea: A "CSV Parser" that reads rows into arrays. 3. File System Procedural: fopen(), fwrite(), file_get_contents() Native OOP: SplFileObject. This acts as an iterator, letting you loop over a huge file line-by-line without crashing your memory. PHP // Native OOP $file = new SplFileObject('large-log.txt'); foreach ($file as $line) { echo $line; } Tool Idea: A "Log Reader" that highlights errors in text files. 4. Date and Time Procedural: date(), time(), strtotime() Native OOP: DateTime and DateInterval. This is infinitely better than procedural because it handles time zones correctly. PHP // Native OOP $date = new DateTime('now', new DateTimeZone('America/New_York')); $date->add(new DateInterval('P10D')); // Adds 10 days echo $date->format('Y-m-d'); Tool Idea: A "Time Zone Converter" for scheduling international meetings. 5. Variable Handling & Filters Procedural: isset(), is_numeric(), filter_var() Native OOP: FilterIterator (part of SPL). The Upgrade: Instead of writing if statements to check data, you create a class that automatically filters bad data out of a list. Tool Idea: An "Input Sanitizer" that strips tags from user comments. The Advanced 5 (New Categories) 6. Database Interaction (PDO) This is where PHP shines. PDO (PHP Data Objects) is the native, fully OOP way to talk to databases (MySQL, PostgreSQL, SQLite) securely. Key Functions/Classes: PDO, PDO::prepare, PDO::execute. Why OOP? It allows you to switch databases without changing your code (Polymorphism). Tool Idea: A "Mini SQLite Manager" that creates a database file and allows basic CRUD (Create, Read, Update, Delete) operations. 7. JSON & Data Serialization Modern web apps speak JSON. PHP handles this natively with extreme speed. Key Functions: json_encode() (Array to JSON), json_decode() (JSON to Array/Object). Serialization: serialize() and unserialize() turn complex PHP objects into storable strings. Tool Idea: A "JSON Prettifier/Validator" that takes messy JSON and formats it. 8. Cryptography & Security Never write your own encryption. PHP has "Sodium" (modern crypto) built-in. Key Functions: password_hash() & password_verify(): The only safe way to handle passwords. random_bytes(): Generates cryptographically secure random data (better than rand()). openssl_encrypt(): For two-way encryption. Tool Idea: A "Secure Password Generator" or a "Secret Message Encrypter." 9. URL & HTTP Handling You can parse URLs and even make HTTP requests without libraries like Guzzle, using "Stream Contexts." Key Functions: parse_url(): Breaks a URL into host, path, query, etc. http_build_query(): Turns an array ['color'=>'red'] into color=red. stream_context_create(): The native way to send POST requests or add headers to file_get_contents. Tool Idea: A "Link Previewer" that fetches a URL and scrapes the title tag. 10. Math & Number Formatting PHP isn't just for text; it has robust math tools. Key Functions: round(), ceil(), floor(): rounding. number_format(): Turns 10000 into 10,000.00. max(), min(): Finds extremes in a list. random_int(): Secure random integers. Tool Idea: A "Mortgage Calculator" or "Currency Formatter." Summary of the "Native PHP" Toolset Category The "Old School" Way The "Modern Native" Way (OOP) Recommended Tool to Build 1. Strings str_replace (Value Objects) Slug Generator 2. Arrays array_merge SplFixedArray CSV to HTML Table 3. Files fopen SplFileObject Log File Analyzer 4. Date/Time date DateTime Time Zone Converter 5. Variables isset FilterIterator Form Input Validator 6. Database mysql_query (Dead) PDO To-Do List (SQLite) 7. JSON json_encode JsonSerializable Interface JSON Formatter 8. Security md5 (Unsafe) password_hash Password Generator 9. HTTP curl_init stream_context_create Website Status Checker 10. Math rand random_int Loan Calculator Where should we start? Since you want to build a tool for each, I recommend starting with Category 1 (Strings) or Category 4 (Date/Time). They give you the quickest visual results. Do you want to write the code for the "Slug Generator" (String tool) or the "Time Zone Converter" (Date tool) first?
Here is an itemized recap of our masterclass on PHP CMS architecture, security, and the 3D "Monster Factory" pipeline. 1. The 10 Learning Components & Their Shadows We began by identifying the 10 critical parts of PHP and the vulnerabilities (Shadows) they hide: Strings → XSS: Prevented by htmlspecialchars(). Arrays → Type Juggling: Fixed with strict typing (===). Files → Path Traversal: Secured with basename() and realpath(). Databases → SQL Injection: Defeated by PDO Prepared Statements. Security → Brute Force: Managed with password_hash() and argon2id. 2. Ethical Hacking & Defensive Mindset Mindset: Thinking like an attacker to build "Defense in Depth." Cross-Site Contamination: Understanding how subapps on shared hosting (like HostGator) can potentially access each other if permissions aren't tight. DDoS Defense: Using Cloudflare as a network shield and Static Caching in PHP to serve pages without waking up the heavy Database or CPU. 3. "Bare Metal" Request Handling Request Flow: How Apache/Nginx hands a request to index.php. Server Keys: Utilizing $_SERVER variables like REQUEST_URI for routing and REMOTE_ADDR for security. The "Spoof" Warning: Realizing that anything starting with HTTP_ (like User-Agents or custom keys) is user-controlled and can be faked. Handshake Security: Moving from simple hardcoded keys to HMAC/Nonces that expire to prevent "Replay Attacks." 4. The 3D "Monster Factory" Pipeline Phone-to-Blender: Using a mobile PHP form as a remote control for a server-side 3D engine. Python for Blender: Utilizing the bpy library to "drive" Blender programmatically. The Shortcut (Shape Keys): Instead of building models vertex-by-vertex, using Python to pull "sliders" on a base mesh (the "BodySlide" method). Procedural Content: Creating unique "Pokémon Cards" by rendering 3D monsters and using PHP (GD library) to overlay text and frames. 5. Emerging Tech (Web 3 & Metaverse) Web 3: The "Read-Write-Own" era powered by Blockchains (Solidity/Rust). Metaverse: 3D social spaces built in Unity (C#) or Unreal (C++), where Blender provides the "physical" assets. The Connection: Using PHP/Python to bridge the gap between web data and 3D immersive reality. Understanding the "Bare Metal" Request This diagram shows how your request is dissected before it ever touches your code, allowing you to intercept and validate every part of it at the "Entry Point." Your Next Step You now have the high-level roadmap. The most critical "next piece" for your CMS is the Secure Router. This is the logic that looks at the "Bare Metal" REQUEST_URI and decides which file to load without letting an attacker "escape" into your system folders. Would you like me to show you the code for a "Secure Router" class that uses the $_SERVER keys we discussed? Mastering Blender Python Scripting This video is relevant because it demonstrates exactly how to bridge the gap between your web code and automated 3D modeling, which is the heart of your "Monster Factory" vision.
Phase 1: The Secure PHP "Entry Point" This is the bouncer at the door of your web app. The Guard Class: Wrap $_SERVER to handle "Bare Metal" requests. Handshake (HMAC): Don't just use a static key; use a time-sensitive hash to prevent "Replay Attacks." The Router: Utilize REQUEST_URI to map requests to "Presenters" without touching the file system directly (prevents Path Traversal). Rate Limiting: Use the REMOTE_ADDR to track and block IPs that spam your 3D generation scripts. Phase 2: The "Monster Factory" Pipeline This is how your phone "talks" to the 3D world. Data Hand-off: PHP uses shell_exec() to trigger a "Headless" (no UI) Blender process. The Bridge: A Python script receives "Slider Values" (fatness, height, muscle) from PHP via command-line arguments. The Result: The server outputs a PNG (for the card) and an STL (for the 3D print). Phase 3: The Blender "Puppet Master" Setup The smart way to build characters programmatically. Shape Keys (The Sliders): Build your "extremes" (Fat/Thin, Tall/Short) once in Blender. Python just changes the value from 0.0 to 1.0. The Master Rig: Use one high-quality skeleton (Armature) for all humanoid characters. The Pose Library: Save your "Action," "Hero," and "Card-Spin" poses as assets. Python applies them with a single command. Modular "Frankenstein" Parts: Keep hair, masks, and accessories as separate objects. Use Python to toggle hide_render based on user selection. Phase 4: The 3D Portal NFT Card Based on the Holdout Material technique. Holdout Material: Creates the "invisible hole" in the card so the character looks like they are inside a deep portal. Camera Automation: Python sets up the "3-Point Lighting" and a 360-degree camera spin. FFmpeg: Stitches the rendered frames into a seamless .mp4 video for the user's phone. Image Overlay (PHP GD): Takes the 3D render and sandwiches it into a "Pokémon Card" frame with dynamic stats (Attack/Defense) drawn on top. Your Programming "To-Do" Order PHP: Finish the Guard Class and Router to protect your server. Blender: Open a base mesh and create your first Shape Key (e.g., a "Width" slider). Python: Write a 5-line script to open that file and change that Shape Key value. Connect: Try to trigger that Python script from your PHP index.php.