Prepare 3.1.1 release polish

Author: jturbide

CHANGELOG.md

@@ -15,6 +15,22 @@ history, the old changelog, and committed file changes. Older Zemit-era entries
 are summarized where the commit history is too granular to be useful as
 release notes.
 
+## 3.1.1 - 2026-06-11
+
+### Added
+
+- Added dispatcher security regression coverage confirming that
+  `acl.attributes=false` disables controller attribute scanning and leaves
+  config-only ACL applications on the legacy permission path.
+
+### Changed
+
+- Raised Composer suggested and development dependency floors for
+  `aws/aws-sdk-php`, `guzzlehttp/guzzle`, and `phalcon/ide-stubs` to the latest
+  compatible patch/minor releases validated against the `3.1.x` line.
+- Refocused the active roadmap on the next REST controller scaffold-readiness
+  block after the `3.1.0` REST ergonomics and policy-attribute work shipped.
+
 ## 3.1.0 - 2026-06-11
 
 ### Added

ROADMAP.md

@@ -32,24 +32,21 @@ guidance in the relevant guide or shipped skill reference.
 
 ## Current Focus
 
-Target: `3.1.0` REST API ergonomics, controller policy attributes, and scaffold
-readiness
+Target: `3.2.0` REST controller scaffold readiness
 
-Theme: keep REST controller declarations concise and predictable, then continue
-the scaffold work with a clear generated-file ownership contract.
+Theme: turn the now-stable REST controller policy surface into a cautious,
+tested scaffold contract without overwriting app-owned decisions.
 
 Decision:
 
 - Completed `3.0.4` coverage and maintenance work belongs in the changelog, not
   active roadmap blocks.
-- REST policy declaration ergonomics start the `3.1.0` development line:
-  collection-backed setters should accept arrays while storing normalized
-  collections internally.
-- Controller/action policy declarations can live beside controller code through
-  optional attributes, while the runtime still compiles them into the existing
-  permission config and ACL enforcement path.
+- The `3.1.x` REST policy ergonomics and controller-attribute work is shipped;
+  durable usage guidance belongs in the REST and identity guides.
 - The next schedulable block is REST controller scaffold readiness. Start with
   generated-file ownership before adding public scaffolding behavior.
+- Attribute and array-policy regressions should still be covered when scaffolded
+  controllers begin emitting those declarations.
 
 Release principles:
 
@@ -66,7 +63,7 @@ Release principles:
 
 Status: Next
 
-Target: `3.1.0`
+Target: `3.2.0`
 
 Why:
 

tests/Unit/Dispatcher/DispatcherTest.php

@@ -274,6 +274,18 @@ public function testMvcSecurityAllowsControllerAttributeRolePolicy(): void
 
         $this->assertTrue($security->checkAcl($event, $dispatcher));
     }
+
+    public function testMvcSecuritySkipsControllerAttributesWhenDisabled(): void
+    {
+        [$security, $event, $dispatcher] = $this->createAttributeMvcSecurityFixture(['admin'], false);
+
+        $dispatcher->setActionName('findWith');
+
+        $this->withoutPhpWarnings(function () use ($security, $event, $dispatcher): void {
+            $this->assertFalse($security->checkAcl($event, $dispatcher));
+        });
+        $this->assertSame('not-found', $dispatcher->getActionName());
+    }
 
     public function testToArray(): void
     {
@@ -412,7 +424,7 @@ public function getAclRoles(): array
      *     2: \PhalconKit\Mvc\Dispatcher
      * }
      */
-    private function createAttributeMvcSecurityFixture(array $roles): array
+    private function createAttributeMvcSecurityFixture(array $roles, bool $attributes = true): array
     {
         $dispatcher = new \PhalconKit\Mvc\Dispatcher();
         $dispatcher->setNamespaceName('PhalconKit\\Tests\\Unit\\Mvc\\Controller\\Traits\\Fixtures');
@@ -421,6 +433,9 @@ private function createAttributeMvcSecurityFixture(array $roles): array
 
         $di = new \Phalcon\Di\Di();
         $di->set('config', new Config([
+            'acl' => [
+                'attributes' => $attributes,
+            ],
             'permissions' => [],
             'router' => [
                 'notFound' => [