PHP Reddit
Channel to sync with /r/PHP /r/Laravel /r/Symfony. Powered by awesome @r_channels and @reddit2telegram
Laravel Shield

Just released a new project: Laravel Shield

While working with Laravel, I noticed that many developers only think about security after something goes wrong. I wanted to change that by building a tool that encourages a more proactive approach.

Laravel Shield is a package that scans Laravel applications to help identify potential security issues early in development.

What it offers:

- Scans your codebase for common security risks
- Highlights insecure patterns and bad practices
- Provides output in both console and JSON formats
- Helps developers understand and improve application security

The goal is simple: make security awareness part of the development process, not an afterthought.

This project is especially useful for developers who are learning Laravel security or building production-ready applications.

Repository:
https://github.com/Mana007777/Laravel-Shield

Feedback, suggestions, and contributions are welcome.

https://redd.it/1sy0923
@r_php
AI rewards strict APIs

I wrote a blog post about why AI agents struggle with loose APIs (magic strings, untyped hooks, unvalidated configuration) more than humans do.

The post uses Drupal and WordPress as examples, but the argument applies to any framework on the strict-to-loose spectrum.


https://dri.es/ai-rewards-strict-apis

https://redd.it/1sy1vke
@r_php
I spent 30 days building a high-load task orchestrator on PHP 8.4 + Swoole + NATS to kill the "PHP is slow" myth. Live demo included.

Hey Reddit,

I've been writing PHP for 25 years, and I'm tired of the "PHP is slow / only for CRUD" myth. So I built [Fast Atomic Flow](https://fast.af.l3373.xyz) — an atomic task orchestrator that combines PHP 8.4 (Swoole), NATS JetStream, and a Go WebSocket proxy.

**The Tech Stack:**

* Backend: PHP 8.4 + Swoole (coroutines, shared memory, atomics for global semaphores)
* Static Analysis: PHPStan Level 10 — maximum strictness
* Broker: NATS JetStream (guaranteed delivery, zero message loss)
* Proxy: Go WebSocket proxy (handling thousands of connections)
* Protocol: Custom 13-byte binary protocol
* UI: Real-time Canvas-based "Worker Heatmap" with LOD (Level of Detail) rendering

**Why?**

I wanted to prove that PHP can be predictable, memory-leak-free, and blazing fast — if you know how to handle the engine. No race conditions. No overhead. Just pure flow.

**The story:**

Built solo, 30 days of actual commit time contributed. After a brutal divorce and job loss, I moved to the countryside and rebuilt my life — and my code — from scratch.

**Secret Ingredient:** Two-Hooved Programming

Was it really solo? Technically yes. But I had a digital sidekick — an AI (DeepSeek). We worked side-by-side. I architected the system, it wrote the boilerplate. We argued, we joked, we fixed deadlocks at 4 AM together. This is the result.

**Live Demo:** [https://fast.af.l3373.xyz](https://fast.af.l3373.xyz)

(Note: Server is in Europe; US users may experience network latency. You can switch between different UI themes in the footer).

🎮 **The Demo Game:**

Spammers: Can fire a payload of up to 1,500 tasks, 20 times per minute.

Concurrency: Adjustable from 1 to 255.

Cleaners: Can purge the queue up to 5 times per 5 minutes.

The Rules: Max queue capacity is 32,768 tasks. New tasks are simply discarded if the queue is full.

Semaphore & Retry Tuning:

* Lock timeout: 5 seconds;
* Retry delay: 1 second;
* Max retries: 3.

If a task can't acquire a semaphore slot, it retries up to 3 times, then gets discarded. No deadlocks, no infinite loops.

Let's see if the semaphore holds the line!

>⚠️ Note: The UI works on mobile (tested on iPhone 13), but it's not responsive. For the best "horse-power" experience, please use a desktop browser.

**GitHub:** [https://github.com/shmandalf/fast-atomic-flow](https://github.com/shmandalf/fast-atomic-flow)

License: KBL v3.0 (Horses don't abandon horses.)

Would love your feedback on the semaphore implementation and the binary protocol!

https://redd.it/1sy50xl
@r_php
statgrab 2.2: cross-platform system stats for PHP, picking up the 2005 PECL extension

A while back I pushed a small PECL extension that wrapped libstatgrab and exposed CPU, memory, disk I/O, network, and process statistics to PHP. It sat untouched for most of the PHP 5/7 era and stopped building cleanly on PHP 8 a few years back. I shipped 2.2 today, a full modernization of the binding for PHP 8.0 through 8.5 against libstatgrab 0.92+.

The reason to revive it: nothing on the PHP side has replaced it. If you need system stats from PHP, you are typically choosing between three options.

- Shell out to w, vmstat, df, ps. The output format drifts between OS releases, and you end up writing a per-tool parser.
- Parse /proc by hand. Linux-only, every file (meminfo, loadavg, diskstats, net/dev) has its own format and edge cases.
- Run a separate stats daemon and hit it over a socket. Adds a daemon to deploy and keep running.

libstatgrab itself is the right primitive: a cross-platform C library that handles /proc on Linux, kvm on FreeBSD, and the Mach host_* APIs on macOS, and exposes one typed surface. It just needed a PHP binding that worked on a current interpreter.

The 2005 procedural API is preserved (sg_cpu_percent_usage, sg_memory_stats, etc.) for drop-in compatibility, with a new OO surface (Statgrab::cpu(), ::memory(), ::processes()) on top.

While running ASan on the new test suite I caught a memory leak in libstatgrab's shutdown path. Patch submitted upstream; pending review. The repo carries a vendored libstatgrab 0.92.1 with the local fix in the meantime. Build with --with-statgrab=bundled to get a single .so with no runtime dependency on libstatgrab.so. Useful in any deployment where you don't want to require libstatgrab as a system package.

Install:

`pie install iliaal/statgrab`

Or pecl install statgrab if you are still on the legacy installer. Source build and the bundled-libstatgrab path are in the README.

Repo: https://github.com/iliaal/statgrab
Full write-up: https://ilia.ws/blog/its-alive-statgrab-returns-after-20-years

https://redd.it/1sycnhm
@r_php
I just released my first open source project - Spectacular - a functional specification tool built in Laravel

Like most side projects, this was born out of frustration. As a developer, I hated getting vague requirements scattered over Basecamp, Jira, Slack and emails. Oftentimes, it was lazy project managers using agile as an excuse for not planning. So I made a tool for building detailed yet readable functional specifications (not just UML weirdos!).

I've noticed recently that specifications are cool again but for the wrong reasons. People write specs primarily for LLMs rather than for other people. Spectacular is aimed at making specifications accessible to everyone: project managers, developers, stakeholders as well as AI coding agents. It has worked great for my clients over the years and I'm pleased to have had time in the last few months to prepare it for public release.

So here it is: **Spectacular - an open source specification tool built in Laravel and Vue**. You can install it locally or just use the hosted version: [https://spec.tacul.ar](https://spec.tacul.ar)

I hope many of you find it a worthy addition to your workflows.

\---

Sales pitch over, let's talk code.

It's pretty standard Laravel and Vue (with a few exceptions). The API uses [Laravel Actions](https://www.laravelactions.com/) instead of controllers so any future extensions like MCP services don't need to duplicate code.

The [SharesRelation](https://github.com/syntheticminds/spectacular/blob/main/app/Rules/SharesRelation.php) rule is a nifty way to check two models are related via a common ancestor (a User and a Feature belong to the same Project via User->Project->Feature).

`'user_id' => [new SharesRelation(User::class, 'feature_id', 'project.features')],`

Some might be interested in how a "solo" mode disengages authorisation; [Sanctum config](https://github.com/syntheticminds/spectacular/blob/main/config/sanctum.php) takes an array of guards so it will fall back to [a custom guard](https://github.com/syntheticminds/spectacular/blob/main/app/Providers/AppServiceProvider.php) that returns an ephemeral default user and opens the Gate for them.

Sqids (the new version of Hashids) are encoded using an attribute on the trait and [a castable](https://github.com/syntheticminds/spectacular/blob/main/app/Casts/AsSqid.php) is used for foreign keys. The decoding is done in route binding and at the [middleware](https://github.com/syntheticminds/spectacular/blob/main/app/Http/Middleware/DecodeSqids.php) level for input. I found this to be tidier than prepareForValidation().

`$router->post('requirements/add', static::class)->middleware('sqids:feature_id,actor_ids.*');`

On the Vue side: when I migrated this project from Vue 2 to Vue 3 years ago, Pinia ORM was a bit buggy so I implemented my own lightweight ORM that uses [Collect.js](https://collect.js.org/usage.html). I actually really like it because it works like [a very basic Eloquent](https://github.com/syntheticminds/spectacular/tree/main/resources/js/stores).

This is my first time releasing a project like this so I'm looking forward to hearing your thoughts. It's getting pretty late so I'll check back in the morning.

https://redd.it/1syed4f
@r_php
Aimeos e-commerce framework 2026.04 – PHP 9 ready, Laravel 13, Symfony 8, security hardening and more

We just released Aimeos 2026.04, the PHP e-commerce framework for custom online shops, marketplaces, complex B2B apps and #gigacommerce:

- Ready for PHP 9: Minimum raised to PHP 8.1, all deprecations removed across core and 30+ extensions, fully tested on PHP 8.5. PHPStan static analysis added at level 4 with zero errors.
- Laravel 13 & Symfony 8: Day-one support for the latest framework versions. The stand-alone shop and headless distributions ship on Laravel 13 out of the box.
- Customer CSV import: Full import pipeline with address/property support, regex validation, group filtering and admin UI upload — rounding out CSV import for products, catalogs, suppliers and now customers.
- Product feed extension: New extension for generating Google Merchant and Idealo product feeds. Includes several configuration options to customize the exported products and details.
- Security hardening: XSS prevention via HTML sanitization in the CMS, GraphQL query depth/complexity limits, and tighter permission checks in the admin API.
- PHPUnit 12: Stricter test isolation and deprecation handling across the entire test suite.

For those who haven't come across Aimeos before — it's an open-source e-commerce framework (LGPLv3) built for PHP developers who want full control over their shop without being locked into a monolithic platform. A few things that set it apart:

- Framework-native: Integrates directly into Laravel, Symfony or TYPO3 as a composer package. You use your framework's routing, auth, middleware and tooling — Aimeos plugs into it rather than replacing it.
- Headless-first: Full JSON:API and GraphQL APIs out of the box. Use any frontend you want — Vue, React, mobile apps, or the included server-side rendered HTML client.
- Multi-tenant / multi-site: Built-in support for running multiple shops from a single installation with separate catalogs, pricing, languages and currencies per site.
- Scales from small to large: The same architecture powers single-product shops and marketplaces with millions of products. ElasticSearch and Solr integrations are available for high-volume search.
- Extensible, w/o forking: 30+ extensions for payments, shipping, CMS, feeds, caching (Redis), search engines and more. Custom extensions follow the same pattern without touching core code.
- No SaaS lock-in: You host it yourself, own your data, and can switch or extend anything.

GitHub: https://github.com/aimeos/aimeos
Docs: [https://aimeos.org/docs](https://aimeos.org/docs)
Demo: https://demo.aimeos.org

If you like Aimeos, give it a star :-)

https://redd.it/1szxlit
@r_php
Aimeos: Laravel e-commerce 2026.04 released – now on Laravel 13 with PHP 9 readiness, security hardening and more
https://redd.it/1szxtvp
@r_php
Microsoft Drivers 5.13.1 for PHP for SQL Server released - security fix for connection pooling

5.13.1 is out with several fixes for the sqlsrv and pdo\_sqlsrv extensions:

* **Access token leak in pooled connections** \- Connections with different access tokens could share the same pool entry, causing identity cross-contamination and use-after-free. Fixed by incorporating the token into the pool key.
* **Silent INSERT failure** \- Prepared INSERTs could silently fail when triggers or `SET NOCOUNT OFF` produce extra result sets, causing implicit rollback with MARS enabled.
* **Fatal error re-executing prepared statements** \- Re-executing a prepared statement returning multiple result sets with different column layouts could crash. Metadata is now properly freed between executions.
* **sqlsrv\_errors() returning null** \- After a failed connection with no ODBC diagnostic records, `sqlsrv_errors()` returned null instead of the actual error.
* **Stream invalidation** \- Binary streams became invalid when the originating statement went out of scope.

Drop-in upgrade from 5.13.0, no API changes. Supports PHP 8.3/8.4/8.5.

Install: `pecl install sqlsrv` / `pecl install pdo_sqlsrv`

Full blog post: [https://techcommunity.microsoft.com/blog/sqlserver/announcing-microsoft-drivers-5-13-1-for-php-for-sql-server/4516258](https://techcommunity.microsoft.com/blog/sqlserver/announcing-microsoft-drivers-5-13-1-for-php-for-sql-server/4516258)

GitHub: [https://github.com/microsoft/msphpsql](https://github.com/microsoft/msphpsql)

Docs: [https://learn.microsoft.com/sql/connect/php/microsoft-php-driver-for-sql-server](https://learn.microsoft.com/sql/connect/php/microsoft-php-driver-for-sql-server)

https://redd.it/1t03vwb
@r_php
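
The pool-key flaw from the first bullet of the driver release notes above, as an added example that is not part of the original post and not the driver's code: a simplified PHP model (class names, server name and tokens are hypothetical) in which leaving the access token out of the pool key hands the second caller the first caller's connection, while keying on a digest of the token keeps them apart. It models only the identity mix-up, not the use-after-free.

```php
<?php
declare(strict_types=1);

// Simplified model of a connection pool (hypothetical classes, not msphpsql code).
final class PooledConnection
{
    public function __construct(public readonly string $identity) {}
}

final class ConnectionPool
{
    /** @var array<string, PooledConnection> */
    private array $entries = [];

    public function __construct(private readonly bool $tokenInKey) {}

    // Build the lookup key for a pool entry.
    private function key(string $server, string $database, string $accessToken): string
    {
        $parts = [$server, $database];
        if ($this->tokenInKey) {
            // Use a digest rather than the raw token so the secret is not
            // copied into the pool's bookkeeping.
            $parts[] = hash('sha256', $accessToken);
        }
        return implode('|', $parts);
    }

    public function acquire(string $server, string $database, string $accessToken, string $identity): PooledConnection
    {
        $key = $this->key($server, $database, $accessToken);
        // Reuse the entry when the key matches; otherwise "authenticate" a new one.
        return $this->entries[$key] ??= new PooledConnection($identity);
    }
}

// Constructed sample values; the tokens are placeholders, not real credentials.
foreach ([false, true] as $tokenInKey) {
    $pool = new ConnectionPool($tokenInKey);
    $pool->acquire('db.example.test', 'shop', 'token-for-alice', 'alice');
    $b = $pool->acquire('db.example.test', 'shop', 'token-for-bob', 'bob');
    printf(
        "token in key: %-3s | bob's connection runs as: %s\n",
        $tokenInKey ? 'yes' : 'no',
        $b->identity
    );
}
```
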
Terminal is Super Slow

For some reason my terminal is super slow. e.g. something as simple as composer require laravel/reverb in a new Laravel project can take up to 10 minutes to complete. It seems like it hangs/freezes midway, and sometimes it finishes the job and other times it crashes.

I tried disabling all extensions, clearing cache, and setting "disable-hardware-acceleration": true, but nothing helps.

I'm on a Dell Precision 7670, 64gb ram, i9, Win 11.

Any ideas?

https://redd.it/1t05sng
@r_php
Google Gen AI SDK has no official PHP SDK — Google asked for stars and use cases

Google Gen AI SDK currently supports Python, Node.js, Go, Java, and .NET/C#, but there is no official PHP SDK.

I opened a public Google Issue Tracker request for official PHP support:

https://issuetracker.google.com/issues/507647520

Google Cloud replied that, according to their Public Issue Tracker process, feature requests usually need a handful of stars and comments from several users before the engineering team works on them.

So if official PHP support for Gemini / Vertex AI GenAI SDK matters to you, please consider starring the issue or commenting there with your real use case.

Existing PHP options such as `google/apiclient`, `google-cloud-php`, and GAPIC-generated clients do not provide the same unified GenAI SDK developer experience as the official SDKs for other languages.

Useful comments would probably include things like:

- whether you need Gemini Developer API,
- whether you need Gemini API on Vertex AI,
- whether you need both through one unified SDK,
- whether you use Symfony, Laravel, or another PHP stack,
- whether streaming, tool calling, multimodal input, structured output, or file upload support matters to you.

This is not about asking for a framework wrapper. The missing piece is an official PHP SDK equivalent to `python-genai`, `js-genai`, `go-genai`, `java-genai`, and `dotnet-genai`.

https://redd.it/1t05rx8
@r_php