Shinobi: custom PHP 8.3 framework built from scratch. Every line of code under full control. This page explains what's under the hood.
The philosophy behind our architecture decisions
No npm left-pad incidents. No malicious package injections. Your application's security doesn't depend on thousands of unknown maintainers.
No surprise breaking changes from package updates. We control when and how things change. Updates are deliberate, tested, and backwards-compatible.
No hidden costs from abstraction layers. A+ grade (9.9/10) on component benchmark: DI container 0.1μs, config 0.15μs, autoload 0.19μs. Measured with KIKAbenchmarking addon against SitePoint/Kinsta 2024 industry thresholds.
No black boxes. When something goes wrong, you can trace it to the exact line. No hunting through node_modules or vendor folders.
No composer install, no npm build step. Upload files and configure. Runs on any PHP 8.3+ server with Apache/Nginx.
Every component exists because we need it. No bloat from generic solutions. Lean, focused, no compromises.
Built into the core framework, not as an external integration
AgentManager as central registry. AgentExecutor runs the tool-calling loop to completion. Each addon registers its own agents.
Each agent has an approval mode: auto, chat, Telegram, web, or any. Critical actions wait for human approval.
Unified interface for Claude, OpenAI, DeepSeek, Groq, or custom providers. Swap models without changing code. Strategy pattern.
read_file, grep_codebase, database_schema, generate_patch, write_file, delegate_agent, shared_context, run_tests and more. All path-restricted.
Agent delegates subtasks to another agent (max depth 3). SharedContextStore shares knowledge between agents through DB.
Per-execution, daily, and monthly limits with MySQL advisory locking to prevent overruns in concurrent requests.
Everything needed for enterprise applications with built-in EU compliance and AI infrastructure
BYOK AI provider (Claude, OpenAI, DeepSeek, Groq, custom). Strategy pattern, unified interface, token tracking.
Multi-agent runtime: AgentManager, AgentExecutor, ToolRegistry, ApprovalGateway, TokenBudget, DelegationChain.
GdprRegistry, GdprManifest, AuditLogger: GDPR infrastructure built into the framework.
PDO wrapper, fluent QueryBuilder, Active Record ORM with relationships. LRU prepared statement cache.
CSRF (grace period + request queuing), RBAC, rate limiting, CSP nonce, ApiAuth, InputSanitizer.
Request, Response, HttpKernel with pre-resolution of routes before middleware pipeline.
Router with cached routes, named params, RESTful resource routes, URL generator.
DI container, singleton/request scope, autowiring via reflection, circular dependency detection.
EventDispatcher with pub/sub pattern for decoupling modules and addons.
Job queue, Scheduler with cron expressions, background processing. Emails and webhooks async.
Multi-platform webhook dispatcher (Slack, Discord, Teams, Generic). Add a new platform in one class.
File/DB drivers, IP + User-Agent fingerprinting, auto-regeneration every 30 min, max 5 sessions.
Custom directives, production caching (OPcache compatible), auto XSS escaping.
Validator with 15+ rules: required, email, regex, min/max, unique, array, confirmed.
PSR-3 logger (8 levels), sensitive data masking, X-Request-ID tracing, daily log rotation.
File-based CacheManager + FileCache for routes, autoload maps, and app data. No Redis required.
PSR-4 style with cached class map. No filesystem scanning on every request.
5-stage initialization with timing tracking and lazy loading at every stage.
DotenvLoader + dot notation access. env_config.php as central config with $_ENV overrides.
EmailService (SMTP), PdfService, ExportService (CSV/Excel), DateFormatter.
AssetManager, StaticAssetHandler, ResourceManager with production sync and CDN detection.
5-step web wizard for first installation. Configures DB, migrates tables, creates admin.
Optimized initialization with timing tracking and lazy loading at every stage
Load env_config.php, parse .env file, create Config singleton with dot notation access.
Logger, Database, Cache, Session, Template, Router, HttpKernel, Security, AI, AgentManager: all 22 subsystems.
Load MiddlewareRegistry with priority ordering and lazy instantiation of each middleware.
Load base_dependencies.php + dependencies of all 12 addons and 8 modules into the DI container.
Compile and cache all routes from base, addons, and modules. Next request loads them in microseconds.
Security built into every layer, not bolted on afterwards
CSP with per-request nonce support, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. All configurable.
Role-based access control with DB roles. Middleware-based route protection. Bearer token API auth.
Token rotation every 30 min with 10-minute grace period. Request queuing prevents race conditions with stale tokens.
Regeneration every 30 min. IP + User-Agent fingerprinting. Max 5 sessions per user. HttpOnly, Secure, SameSite.
Per-IP sliding window per endpoint. Different limits for authenticated vs anonymous users. Automatic blocking.
InputSanitizer + Validator on every input. Prepared statements for all DB queries. Auto XSS escaping in templates.
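The CSRF item above (rotation every 30 minutes, 10-minute grace period) can be sketched as follows. This is an added example, not Shinobi's code: the class name, session keys and injected clock are assumptions, and the request-queuing part is not covered.

```php
<?php
declare(strict_types=1);

// Added illustration, not Shinobi's code; class and array key names are hypothetical.
final class RotatingCsrfGuard
{
    private const ROTATE_AFTER = 1800; // rotate every 30 min (interval stated on the page)
    private const GRACE_PERIOD = 600;  // outgoing token stays valid 10 min (stated on the page)

    /** Return the token to embed in forms, rotating it once it is 30 minutes old. */
    public static function token(array &$session, int $now): string
    {
        $state = $session['csrf'] ?? null;
        if ($state === null || $now - $state['issued'] >= self::ROTATE_AFTER) {
            $session['csrf'] = [
                'current'     => bin2hex(random_bytes(32)),
                'issued'      => $now,
                // Keep the outgoing token so forms rendered before rotation still submit.
                'previous'    => $state['current'] ?? null,
                'grace_until' => $now + self::GRACE_PERIOD,
            ];
        }
        return $session['csrf']['current'];
    }

    /** Accept the current token, or the previous one while its grace period lasts. */
    public static function validate(array $session, string $submitted, int $now): bool
    {
        $state = $session['csrf'] ?? null;
        if ($state === null || $submitted === '') {
            return false;
        }
        if (hash_equals($state['current'], $submitted)) { // constant-time comparison
            return true;
        }
        return $state['previous'] !== null
            && $now <= $state['grace_until']
            && hash_equals($state['previous'], $submitted);
    }
}

// Constructed timeline: $session stands in for $_SESSION, times are in seconds.
$session = [];
$old = RotatingCsrfGuard::token($session, 0);    // form rendered at t=0
$new = RotatingCsrfGuard::token($session, 1800); // next page load triggers rotation
foreach ([[$old, 2000], [$old, 2401], [$new, 2401], ['forged', 2000]] as [$tok, $t]) {
    printf("t=%d %s: %s\n", $t, $tok === $old ? 'old' : ($tok === $new ? 'new' : 'other'),
        RotatingCsrfGuard::validate($session, $tok, $t) ? 'accepted' : 'rejected');
}
```

Only one previous token is retained, so a token that is two rotations old is rejected even if it is submitted quickly.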
Every commit runs PHPStan + Psalm + PHPUnit checks locally
43,000+ lines of tests. Pre-commit hook and scripts/run-checks.sh run PHPStan + Psalm + PHPUnit locally: no cloud CI costs, no waiting.
Real numbers from production environment
Why It's Fast
Schedule a technical demo. We'll walk you through the codebase, answer architecture questions, and discuss how Shinobi fits your requirements.