Every application we build comes with access to enterprise-grade capabilities. Everything is built from scratch with zero external dependencies - integrated into the Shinobi framework that powers your custom software.
WAF, threats, honeypots, GeoIP
Audit log, DSAR, ROPA, anonymization
NIS2 incident response, CERT.hr
AI system registry, Annex III
11 AI agents, human-in-the-loop
BYOK chat, SSE streaming
APM, N+1, memory leak detection
Benchmarking 10 components
Push notifications, badge polling
Telegram bot, webhook, AI chat
Smart tables, Excel export
Gmail, Calendar, reminders
AI-Powered Web Application Firewall
Production-grade WAF with threat scoring, behavioral bot detection, honeypot traps, and AI-powered threat analysis. Protects your application from OWASP Top 10 and sophisticated attacks.
244 security rules score each request 0-100. Configurable thresholds: 75 for anonymous, 95 for authenticated users. No false positives on legitimate traffic.
15+ indicators: mouse movements, scroll patterns, timing analysis, JavaScript fingerprinting. Catches sophisticated bots that pass pattern matching.
163 fake endpoints: /wp-admin, /phpmyadmin, /.env, /config.json, etc. Instant permanent ban for anyone accessing these. Early warning system.
First offense: 1 hour block. Second: 24 hours. Third: permanent ban. Configurable escalation. IP and fingerprint tracking.
Country-based scoring. Block or allow specific regions. Detect VPN/proxy usage. Coordinated attack detection across IPs.
Webhook integration with Slack, Discord, Teams. Immediate notification on high-severity threats. Daily summary reports.
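How the score thresholds, honeypot rule and ban escalation listed above can fit together, as an added PHP example (not Shinobi's own code). The class and function names, the in-memory store, the shortened honeypot list and the `>=` comparison are assumptions.

```php
<?php declare(strict_types=1);
// Added example: names are hypothetical; the numbers come from the feature list above.
const THRESHOLDS = ['anonymous' => 75, 'authenticated' => 95];
const HONEYPOTS  = ['/wp-admin', '/phpmyadmin', '/.env', '/config.json']; // 4 of the 163
const LADDER     = [3600, 86400, null]; // 1 hour, 24 hours, null = permanent

final class BanStore
{
    // key => ['offenses' => int, 'until' => ?int]; keys are the IP and the fingerprint,
    // tracked separately so rotating one of them does not lift a ban.
    private array $rows = [];
    public function isBanned(array $keys, int $now): bool
    {
        foreach ($keys as $k) {
            $r = $this->rows[$k] ?? null;
            if ($r !== null && ($r['until'] === null || $r['until'] > $now)) { return true; }
        }
        return false;
    }
    public function punish(array $keys, int $now, bool $permanent = false): void
    {
        foreach ($keys as $k) {
            $n = ($this->rows[$k]['offenses'] ?? 0) + 1;
            $duration = $permanent ? null : LADDER[min($n, count(LADDER)) - 1];
            $this->rows[$k] = ['offenses' => $n, 'until' => $duration === null ? null : $now + $duration];
        }
    }
}

function decide(BanStore $bans, array $keys, string $uri, int $score, bool $authed, int $now): string
{
    if ($bans->isBanned($keys, $now)) { return 'blocked: active ban'; }
    $path = parse_url($uri, PHP_URL_PATH);
    // Normalise case, percent-encoding and slashes before matching trap paths.
    $path = '/' . trim(strtolower(is_string($path) ? rawurldecode($path) : ''), '/');
    foreach (HONEYPOTS as $trap) {
        if ($path === $trap || str_starts_with($path, $trap . '/')) {
            $bans->punish($keys, $now, true);
            return 'blocked: honeypot, permanent ban';
        }
    }
    if ($score >= THRESHOLDS[$authed ? 'authenticated' : 'anonymous']) { // ">=" is an assumption
        $bans->punish($keys, $now);
        return 'blocked: score over threshold';
    }
    return 'allowed';
}

// Constructed traffic: [time in seconds, URI, score, authenticated] from one client.
$bans = new BanStore();
$who  = ['ip:203.0.113.7', 'fp:constructed'];
$hits = [[0, '/search?q=1', 80, true], [5, '/search?q=1', 80, false], [60, '/', 0, false],
         [4000, '/login', 90, false], [95000, '/login', 99, true], [999999, '/', 0, true]];
foreach ($hits as [$t, $uri, $score, $authed]) {
    echo "t=$t $uri: ", decide($bans, $who, $uri, $score, $authed, $t), PHP_EOL;
}
echo decide($bans, ['ip:198.51.100.9', 'fp:other'], '/WP-Admin/setup.php', 0, false, 0), PHP_EOL;
```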
GDPR Admin Panel
Admin UI for GDPR compliance, auto-generated from GdprRegistry manifests. Each module registers its own PII declarations - the panel adapts dynamically without any hardcoding.
GdprRegistry collects manifests from all modules. The personal data inventory is generated automatically - no manual entry, no stale data.
Printable Register of Processing Activities - all tables with personal data, legal basis, retention period. Print and submit to your DPA.
Search all tables by name/email/ID. JSON export of all personal data (Art. 15) or anonymization (Art. 17). Erasure requires master role.
AuditLogger records every CREATE, UPDATE, DELETE, VIEW on personal data. Browser with filters by user, table, action, and date.
DataAnonymizer applies manifest rules: scramble (vowel replacement), fake_email, fake_oib, fake_date, static value, NULL.
Printable Data Protection Impact Assessment - auto-generated from manifests flagged as high-risk processing activities.
Each module registers its own manifest with: tables, personal and sensitive fields, anonymization rules, legal basis, and retention period.
Mandatory cyber incident reporting for NIS2 entities
The EU NIS2 Directive requires entities to report significant cybersecurity incidents to CERT within 24h, 72h, and 1 month. Shinobi IR manages the full reporting pipeline - from detection to CERT.hr JSON export.
First report to CERT.hr within 24h of incident detection. Dashboard countdown shows time remaining. One-click status transition with auto-timestamp and audit entry.
72h detailed notification with incident classification (unauthorized access, malware, DoS, data breach, ransomware, insider threat, supply chain). JSON per CERT.hr/ENISA format.
Complete post-incident analysis with attack vector, estimated impact, and mitigation measures. Every stage downloadable as NIS2-compliant JSON (Art. 23(4)).
Machine-readable JSON reports per NIS2 Art. 23(4) - one per stage. Deadline tracking built in: overdue incidents highlighted automatically.
BORNAsecurity detects critical/high threats → NIS2 incident draft created automatically. Operator reviews and sends early warning - no manual incident creation needed.
Every status change, edit, and action logged with user and timestamp. Incidents cannot be deleted - only closed. Regulatory evidence preserved permanently.
Compliance registry for AI systems per EU AI Act (2024/1689)
The EU AI Act (full application from Aug 2, 2026) requires organizations using high-risk AI systems to maintain documentation, register in the EU database, and prove human oversight. Shinobi AI Act is the compliance registry - built and production-ready today.
Classify each AI system: Prohibited, High-risk (Annex III), Limited, or Minimal. Applicable legal obligations shown automatically per category.
All 8 Annex III high-risk categories: biometric ID, critical infrastructure, education, employment, essential services, law enforcement, migration, justice.
One-click Art. 11/13 compliant transparency report per AI system - applicable obligations, data types, use cases, human oversight description. Machine-readable JSON.
ApprovalGateway ensures no AI agent applies changes without human approval. Every run logged with input/output/iterations/tokens - Art. 12/14 compliance by design.
Register, edit, and decommission AI systems. Track deployment dates, scheduled review dates, and compliance status across all AI in your organisation.
High-risk AI (Annex III) must comply from Aug 2, 2026. Fine up to €35M or 7% of revenue - highest in EU law. Registry built and production-ready now.
Multi-Agent AI Platform
11 specialized AI agents with human-in-the-loop approvals. Agents analyze code, generate patches, create invoices, orchestrate projects, manage legal cases and documentation. Every patch goes to a separate git branch - never directly to main.
KIK (orchestrator), LUK (performance), BORN (security), VajbCoder (code generation), Reviewer (code review), TestAgent (tests), DocAgent (documentation), FiskAgent (invoicing), MojOdvjetnik (legal), PMAgent (project management), BlogWriterAgent (blog writing).
Every patch goes to Telegram with inline Approve / Reject / View Diff buttons. No agent can apply changes without explicit approval - an AI Act requirement.
PatchApplier creates an autofix/ git branch for every patch. Merge only after approval. One-click rollback. No direct commits to main.
Agents can delegate: BORN→LUK (find vulnerability → generate fix), LUK→Reviewer (patch → review), VajbCoder→TestAgent. DelegationChain prevents loops.
Per-execution, daily, and monthly token limits with MySQL advisory locking. Path restrictions block Shinobi/, config/, vendor/.
AgentScheduleManager - cron-like schedules for automated agent runs: hourly, daily, weekly, monthly. Run Now button for immediate execution.
KIKAgent: Central orchestrator - routes all requests
LUKAgent: Performance - analyzes and fixes issues
BORNAgent: Security - scans code for vulnerabilities
VajbCoderAgent: Code generation - module scaffolding from chat
ReviewAgent: Code review - analysis without modification
TestAgent: Writing and fixing PHPUnit tests
DocAgent: Documentation generation for code
FiskAgent: Invoicing - create invoices from chat
MojOdvjetnik: Legal cases - case management
PMAgent: Projects - creation, tracking and orchestration
BlogWriterAgent: Blog post and content writing
BYOK AI Chat & Analysis
AI chat interface with BYOK (Bring Your Own Key) support - Claude, DeepSeek, OpenAI, Groq. Deterministic hints for LUKA/BORNA events with zero AI tokens. SSE streaming with real-time tool-call progress.
Supports Claude (Anthropic), DeepSeek, OpenAI, and Groq. Use your own API key β pay the provider directly. No intermediary needed.
Chat automatically detects intent: @lukagent, @vajbcoder, @bornagent, @reviewer, @testagent, @docagent. Agent routing works even WITHOUT an active AI provider.
Server-Sent Events streaming shows responses in real time. Displays agent loop tool progress: tool name, iteration, elapsed time.
LUKA and BORNA events are handled by BornaHintGenerator and LukaHintGenerator - deterministic, zero AI tokens, instant. AI chat is optional; hints are always free.
WebhookDispatcher sends notifications to Slack, Discord, Microsoft Teams. Webhook management from the admin interface.
Deterministic hints are completely free. AI chat uses your own API key. No hidden fees, no vendor lock-in.
LUKA/BORNA detects anomaly
Deterministic hint β instant, zero AI tokens
AI chat on demand with code context
Agent routing to specialist agent
Application Performance Monitoring
Production-safe APM that tracks every query, detects N+1 problems, identifies memory leaks, and provides actionable insights. Sampling-based for minimal overhead.
Pattern-based detection, not threshold-based. Catches N+1 problems even when individual queries are fast. Source code context included.
Tracks all queries (not just slow ones). Identifies patterns, missing indexes, unoptimized joins. AI suggests specific optimizations.
Instant alerts when requests exceed 128MB. Trend analysis detects memory leaks over time. Identifies problematic endpoints before crashes.
Response times, throughput, error rates per endpoint. Error spike detection alerts when endpoints start failing (>10% error rate).
100% sampling in development, 10% in production. Configurable per environment. Minimal performance impact.
Every issue includes file:line from debug_backtrace(). Jump directly to problematic code. No guessing where problems originate.
Queries
Endpoints
Memory
Logs
Performance Testing Suite
Sub-microsecond precision benchmarking for individual components. Compare your performance against industry standards. Track improvements over time.
Uses PHP's hrtime() for nanosecond accuracy. Multiple iterations with statistical analysis. Eliminates noise and outliers.
P50, P95, P99 percentiles. Standard deviation. Confidence intervals. Professional-grade statistical accuracy.
Compare against mainstream framework benchmarks from 2024. Know where you stand vs. industry standards.
Track performance over time. Detect regressions before they hit production. Visual charts and trend analysis.
A+ to F grades for each component. Weighted scoring based on importance. Overall platform health score.
Autoloader, Router, Container, Database, ORM, Template engine, Validation, Sessions, and more.
Push Notification System
Telegram-first notification system with real-time push delivery to all devices. Lightweight polling for badge updates and event-driven architecture.
Real-time delivery via Telegram Bot API. Works on desktop and mobile Telegram apps. Markdown formatting for readable messages.
Badge count updates every 60 seconds. Pauses when tab is hidden. Telegram handles real-time delivery, polling just keeps counts in sync.
Users link their Telegram accounts via verification code. Notifications delivered to all Telegram devices simultaneously.
Pin important notifications that won't disappear. Require explicit acknowledgment. Perfect for critical alerts.
Notifications tagged by source module. Filter by type (tasks, projects, system). User-configurable preferences.
Triggered by application events (task.created, comment.added, etc.). Easy integration with any module via event system.
Database (persistence)
Telegram (real-time push)
Polling (badge sync)
Telegram Bot Integration
Push notifications via Telegram Bot API. Users link their Telegram accounts via a secure verification code and receive all notifications directly in the Telegram app.
Notifications delivered in real-time to all Telegram devices - mobile, desktop, and web. No delays, no missed messages.
Users generate a verification code in the app (e.g., SH-A7X9K2) and send it to the bot. Code expires in 10 minutes. Secure and simple process.
/start to begin linking, /status to check status, /unlink to disconnect, /help for assistance. Intuitive user experience.
Full integration with the notification system. All notifications automatically go to Telegram with emoji formatting by type.
Telegram sends updates to your server in real-time. No polling, minimal overhead. Fast response to user actions.
Uses only PHP cURL for Telegram API communication. No external libraries.
User clicks "Generate Code" in settings
Receives code like SH-A7X9K2
Sends code to the bot on Telegram
Bot confirms and accounts are linked
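The linking flow above depends on the code being unpredictable, single-use and short-lived. An added PHP example of those checks (not Shinobi's own code): the `LinkCodes` class, its alphabet, the per-chat failure limit and the in-memory storage are assumptions, while the `SH-` format and the 10-minute expiry come from the description.

```php
<?php declare(strict_types=1);
// Added example; class and method names are hypothetical, not Shinobi's API.
final class LinkCodes
{
    private const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // assumption: no 0/O/1/I look-alikes
    private const TTL = 600;        // 10 minutes, as stated above
    private const MAX_FAILS = 5;    // assumption: failed guesses allowed per Telegram chat
    private array $pending = [];    // sha256(code) => ['user' => int, 'expires' => int]
    private array $fails = [];      // chat id => failed guesses

    public function issue(int $userId, int $now): string
    {
        $code = 'SH-';
        for ($i = 0; $i < 6; $i++) {
            $code .= self::ALPHABET[random_int(0, strlen(self::ALPHABET) - 1)]; // CSPRNG, not rand()
        }
        // A new code replaces any code this user still has outstanding.
        $this->pending = array_filter($this->pending, fn (array $p): bool => $p['user'] !== $userId);
        $this->pending[hash('sha256', $code)] = ['user' => $userId, 'expires' => $now + self::TTL];
        return $code;
    }

    /** Returns the user id to link with $chatId, or null when the message is rejected. */
    public function redeem(string $message, int $chatId, int $now): ?int
    {
        if (($this->fails[$chatId] ?? 0) >= self::MAX_FAILS) {
            return null; // throttled: one chat cannot keep guessing codes
        }
        $code = strtoupper(trim($message));
        $key = hash('sha256', $code);
        $entry = preg_match('/^SH-[A-Z0-9]{6}$/', $code) === 1 ? ($this->pending[$key] ?? null) : null;
        unset($this->pending[$key]); // single use; also discards an expired code
        if ($entry === null || $entry['expires'] < $now) {
            $this->fails[$chatId] = ($this->fails[$chatId] ?? 0) + 1;
            return null;
        }
        return $entry['user'];
    }
}

// Constructed walk-through for user 42; times are seconds since an arbitrary start.
$codes = new LinkCodes();
$code = $codes->issue(42, 0);
var_dump($codes->redeem('SH-000000', 1001, 30));        // case: wrong code
var_dump($codes->redeem(strtolower($code), 1001, 60));  // case: valid code, typed in lower case
var_dump($codes->redeem($code, 1001, 90));              // case: replay of a used code
$late = $codes->issue(42, 100);
var_dump($codes->redeem($late, 2002, 701));             // case: sent after the 10 minutes
```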
Advanced Data Tables
Smart data tables built on Tabulator.js with automatic client/server mode switching, cascading filters, inline editing, and native Excel export. Included FREE with Tasks or PM modules.
<1000 rows: client-side processing. >1000 rows: automatic switch to server-side with AJAX pagination. Zero configuration needed.
Dropdown filters that depend on each other. Select "Category" → "Subcategory" options update automatically. Multi-level filtering.
Edit cells directly in the table. Automatic validation. CSRF-protected AJAX saves. Configurable per column.
Native .xlsx export via SheetJS. Formatted headers, proper column widths. One-click download of current view or full dataset.
Request queuing prevents concurrent requests with stale tokens. Auto-retry on 403. Fresh token per request.
Remember column widths, sort order, filter selections. Stored in localStorage. Restored on page reload.
Personal AI Assistant
AI assistant for personal life management - encrypted memory system, reminders, HTTP client, Gmail and Google Calendar integration. AES-256-GCM encryption for all sensitive data.
AES-256-GCM encrypted personal memory. Plaintext searchable keys, encrypted values. Agent retains context between conversations.
One-time and recurring reminders with Telegram notifications. Daily morning brief at 07:00 with schedule overview.
Read, send, search emails, spam detection and auto-unsubscribe. OAuth2 authentication with encrypted tokens.
View and manage calendar events. Meeting preparation with automated dossiers and follow-up tracking.
Integrated HTTP client for accessing external APIs and web services. Agent can fetch data from the internet on demand.
ReminderNotify, MorningBrief, TokenRefresh, MeetingPrep, PostMeeting, FollowUpTracker, InboxMonitor β fully automated personal assistant.
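With plaintext searchable keys and AES-256-GCM encrypted values, each ciphertext should be bound to its key name and owner so a blob copied into another row fails authentication. An added PHP example of that binding (not Shinobi's own code): the function names, the nonce|tag|ciphertext layout and the use of the key name as associated data are assumptions.

```php
<?php declare(strict_types=1);
// Added example; function names and the stored layout are assumptions.
function aadFor(int $userId, string $memoryKey): string
{
    return $userId . "\0" . $memoryKey; // owner + plaintext key name: authenticated, not encrypted
}

function sealValue(string $key, int $userId, string $memoryKey, string $plaintext): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $nonce = random_bytes(12); // fresh 96-bit nonce for every encryption under the same key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag,
                          aadFor($userId, $memoryKey), 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

/** Returns null when the blob was altered, truncated, or moved to another row. */
function openValue(string $key, int $userId, string $memoryKey, string $stored): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) { // 12-byte nonce + 16-byte tag
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16), aadFor($userId, $memoryKey));
    return $pt === false ? null : $pt;
}

// Constructed data: two memory rows for user 7, then reads that mix up rows and owners.
$key = random_bytes(32); // stands in for a key loaded from a secret store
$rows = [
    'doctor_phone' => sealValue($key, 7, 'doctor_phone', '+385 1 555 0100'),
    'door_code'    => sealValue($key, 7, 'door_code', '4821'),
];
var_dump(openValue($key, 7, 'door_code', $rows['door_code']));    // case: matching row and owner
var_dump(openValue($key, 7, 'door_code', $rows['doctor_phone'])); // case: blob swapped between rows
var_dump(openValue($key, 8, 'door_code', $rows['door_code']));    // case: blob read as another user
```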
Every application we build includes access to these capabilities. Book a consultation and let's define what your project needs.