Public presentation
PHP templates render titles, descriptions, canonical URLs, navigation, structured data, curated persona pages, and accessible fallbacks.
Architecture & quality
Server-rendered discovery. Browser-side creation. Explicit movement of data.
Spiralist AI uses a lightweight PHP presentation layer, versioned JSON catalogs, custom CSS, and vanilla JavaScript modules. The architecture keeps public content crawlable while persona creation, sharing preparation, and export remain inspectable in the browser.
System boundaries
Each layer has a narrow responsibility and a reviewable contract.
Catalog repository
Same-origin JSON files provide 1,000 starting types, curated Persona Passports, configuration axes, recipes, and the local search index.
Creation state
The active form lives in browser memory. One share-safe summary is written to local storage only after the user selects Save.
Private sharing
A limited Persona Passport object is encoded in the URL fragment. Memory, notes, prompts, and export files are excluded.
Export service
Copy, text, ZIP, and .uaix outputs are generated from current browser state with review guidance and package metadata.
Consent-gated measurement
Google Analytics loads only after opt-in and accepts only allowlisted events and non-content properties.
Design patterns
Composition root
includes/header.php centralizes configuration, helpers, security headers, metadata, navigation, and route-specific script flags.
Shared routing helpers
includes/functions.php normalizes clean and legacy routes, escapes output, builds canonical URLs, loads JSON once per request, and creates structured data.
Progressive disclosure
The default creator exposes goal, working style, candidate reveal, and Passport. The legacy builder, wizard, axis matrix, and package controls remain inside Expert mode.
Share-safe data transfer object
The viral module explicitly selects fields for serialization and constrains lengths, arrays, numeric ranges, lineage depth, and identifiers during decoding.
Allowlisted analytics
Only named funnel events and named parameters can reach the analytics API. Free text is never copied into event payloads.
Defense in depth
The PHP shell accepts only GET and HEAD, adds CSP and security headers, and the Apache configuration blocks hidden project metadata and canonicalizes legacy routes.
Release quality gates
A package is not complete until its public routes, interactions, exports, and privacy claims agree.
Static checks
PHP lint, JavaScript syntax, JSON parsing, XML parsing, asset references, and forbidden-route checks.
HTTP checks
Clean routes, curated persona routes, canonical tags, redirects, noindex private share page, and security headers.
Browser checks
Navigation, search, creator progression, Passport reveal, private link opening, remix, local save, quiz, comparison, and consent controls.
Export checks
Text content, ZIP integrity, .uaix compatibility, filenames, manifest entries, and exclusion of private share-only assumptions.
Architecture supports review; it does not replace it.
Destination runtimes can still change behavior. Inspect the persona, the share boundary, and the exported files before external use.