PHP 8.4+ native property hooksPSR-7 / 11 / 14 / 15 / 16 / 17182 tests / 440 assertionsMIT licensed26 packages🤖 AI Orchestration Engine

The attribute-first PHP framework built for PHP 8.4.

MonkeysLegion is a modular, PSR-compliant framework that leverages PHP 8.4 property hooks, a compiled DI container, and 26 focused packages to deliver the speed of a micro-framework with the batteries of a full-stack one — without runtime magic.

Get started →View on GitHub

Terminal

$▊

Everything changed. Nothing feels heavy.

v2.0 is a full architectural pass across the entire ecosystem. Every package is pinned to v2.0+ for API consistency, the DI container compiles to zero-overhead resolution, and PHP 8.4 property hooks replace magic across the board.

⚡

PHP 8.4 Property Hooks

Native getters/setters as engine hooks — not reflection, not magic methods. Validation and formatting run at C speed.

🎯

Attribute-First Architecture

Routes, validation rules, service providers, and CLI commands are discovered via PHP 8 attributes. No giant route files, no YAML config graveyards.

📦

Compiled DI Container

Production builds compile definitions to a PHP array written atomically to disk. Zero runtime reflection on the hot path.

⚙️

MLC Configuration

A clean, typed config format with environment interpolation, cascading (.env → .env.local → .env.{APP_ENV}), and compiled production caching.

🛡️

PSR-15 Security Pipeline

OWASP security headers, CORS, rate limiting, CSRF, trusted proxies, and request IDs — all as standard middleware, on by default.

🤖

Apex — Built-in AI Orchestration

Not a wrapper. A complete AI infrastructure layer with multi-provider routing, declarative pipelines, guardrails, agent crews, and cost management.

Three promises. Kept by design.

⚡

Fast

Measured in millions of ops per second.

Zero-magic architecture means entities, DTOs, and enums are plain PHP objects. No Doctrine proxies, no Eloquent __get() chains, no framework metaclass layer.

🔐

Secure

Defaults that would take weeks to bolt on elsewhere.

Argon2id password hashing, built-in TOTP 2FA, JWT with rotation and blacklisting, rate limiting per route, OWASP headers middleware, CSRF, trusted-proxy awareness, and maintenance mode with IP/secret bypass.

🧩

Modular

26 packages. Use all of them, or use two.

Every capability lives in its own Composer package with its own semver. The meta-package wires them together, but you can swap any of them for your own implementation via the PSR contract.

Benchmarked, not marketed.

All numbers produced on Apple Silicon with PHP 8.5.3, no opcache preloading, warm JIT, identical test harnesses.

Operation	MonkeysLegion Ops/sec	vs Laravel	vs Symfony
Entity creation	0.0M	~140× faster	~114× faster
DTO construction	0.0M	~60× faster	~54× faster
Resource serialization	0.0K	~5.5× faster	~3.6× faster
Enum operations	0.0M	~25× faster	~22× faster
Property hooks (email)	0.0M	N/A	N/A
Computed properties	0M	N/A	N/A
Peak memory (cold boot)	0MB	≈ 22 MB	≈ 14 MB

Why we win

01Zero-magic architecture — Entities, DTOs, and enums are plain PHP objects.
02PHP 8.4 property hooks — Validation and formatting run as native engine hooks.
03No ORM hydration overhead — Entities are POPOs. No Doctrine or Eloquent proxies.
04Attribute routing — Compiled once at cache time. No regex matching at runtime.
05Lean PSR-15 pipeline — ~12.5K req/s HTTP throughput vs Laravel's ~2.1K req/s.

Great frameworks, different trade-offs

Laravel built an incredible ecosystem — Forge, Vapor, Nova, Cashier — and the largest PHP community. If you need a batteries-included SaaS starter, it's hard to beat.

Symfony powers some of the most mission-critical enterprise systems on earth. Its profiler, debug toolbar, and rigorous release cycle are best-in-class.

MonkeysLegion is built for a different moment: when you need raw throughput, zero-magic PHP 8.4+ code, and a framework that gets out of your way. No 22 MB boot. No runtime proxies. Just your code.

Secure by default — not “secure once you install five packages.”

A direct, feature-by-feature comparison of what ships in the box versus what requires additional packages, configuration, or third-party bundles.

Security Feature	MonkeysLegion v2.0	Laravel 11	Symfony 7
Password hashing: Argon2id default	✅	⚠️bcrypt default	⚠️Configurable
JWT authentication	✅	❌Requires Sanctum/Passport	❌Requires LexikJWT
OAuth2 (Google, GitHub)	✅	❌Requires Socialite	❌Requires KnpUOAuth2
TOTP 2FA with QR generation	✅	❌Requires Fortify + pkg	❌Requires scheb/2fa
API keys + rotation	✅	⚠️Partial via Sanctum	❌Not core
RBAC + Policy system	✅	✅Policies	✅Voters
Token blacklisting	✅	❌3rd party	❌3rd party
Rate limiting (per route)	✅	⚠️throttle (opt-in)	⚠️throttle (opt-in)
OWASP security headers	✅	❌Requires package	⚠️NelmioSecurityBundle
CORS	✅	⚠️Fruitcake/CORS pkg	⚠️NelmioCorsBundle
CSRF	✅	✅	✅
Trusted proxy handling	✅	✅	✅
Request ID correlation	✅	❌	❌
Maintenance mode w/ bypass	✅	✅	✅
Compiled container (no reflection)	✅	⚠️Partial cache	✅
Remember-me with rotation	✅	⚠️Basic	⚠️Basic

Every ⚠️ or ❌ in Laravel or Symfony is a decision your team has to make: which package, which version, who maintains it, does it still work after the next major release, who reviewed its CVE history. MonkeysLegion removes those decisions from your backlog.

First in PHP · monkeyslegion-apex@1.0.1

The first PHP framework with an AI orchestration engine built in.

Not a wrapper. A complete AI infrastructure layer with multi-model routing, declarative pipelines, guardrails, and cost optimization.

🔀

Multi-provider routing

Anthropic · OpenAI · Google (AI Studio + Vertex) · Ollama — same API, zero code change.

🧩

Declarative pipelines

pipe() · when() · loop() · parallel() · transform() — composable workflows with trace and timing.

👥

Multi-agent crews

Sequential, Parallel, Hierarchical, Conversational — with lifecycle hooks and handoff tracking.

🛡️

Guardrails engine

PII detection, prompt-injection defense, toxicity, regex, word count — with Block / Redact / Warn actions.

📐

Structured output

Schema-based extraction to type-safe PHP classes with retries and JSON Schema generation.

🎯

Smart model router

CostOptimized · QualityFirst · LatencyFirst · RoundRobin strategies for tiered routing.

💰

Cost management

Per-request tracking, pricing registry for 20+ models, budget enforcement, scoped reports.

🔌

MCP server + client

First-class Model Context Protocol support — serve tools and resources, or consume them.

🔁

Fallback chains

Ordered provider failover for high availability.

🌊

Streaming (SSE)

Token streaming, pipe-to-stream, SSE endpoints.

🧠

Six memory strategies

Conversation · Sliding · Summary · Vector · Persistent · Per-agent.

🔧

Tool calling

#[Tool] + #[ToolParam] attributes, multi-step autonomous loops.

Apex ships with 363 tests across 705 assertions.

What used to take 5 packages

Capability	Apex	Python	Node.js	Laravel
Multi-provider LLM routing	✅ Core	litellm	Manual wrapper	Manual / OpenAI SDK
Declarative pipelines	✅ Core	langchain	langchain-js	❌ Custom code
Structured output	✅ Core	instructor / pydantic-ai	zod + custom	❌ Custom code
Guardrails (PII, injection)	✅ Core (6 validators)	guardrails-ai	Manual	Manual
Multi-agent orchestration	✅ Core (4 modes)	crewai / autogen	Manual	❌ Custom code
Cost tracking + budgets	✅ Core	helicone / custom	helicone / custom	Custom
MCP server + client	✅ Core	mcp-python-sdk	@modelcontextprotocol/sdk	❌ Not available
Packages required	1	5–7	4–6	3–5 + custom

Read the Apex docs →View on GitHub →

Nineteen capabilities. One composer install.

🎯

PSR Compliant

PSR-7, 11, 14, 15, 16, 17

🔐

Auth Suite

JWT, OAuth2, 2FA, RBAC, API keys, remember-me

🗄️

Database Layer

QueryBuilder, migrations, entity scanner

🎨

Template Engine

Custom engine with caching and layouts

🌐

Attribute Routing

Auto-discovered, grouped, middleware-aware

⚡

Compiled DI

PSR-11 container with zero-overhead builds

📝

Validation

Attribute-based with automatic DTO binding

🌍

I18n

File + database loaders, pluralization

📧

Mail

SMTP and API delivery with DKIM

📊

Telemetry

OpenTelemetry metrics, tracing, structured logs

🎪

Events

PSR-14 dispatcher with auto-discovery

💾

Cache

Redis, file, in-memory (PSR-16)

📨

Queue System

Background workers with retry and timeout

📁

File Management

Unified storage, image processing, GC

📚

OpenAPI v3

Auto-generated from route attributes

🤖

Apex AI

4 providers, pipelines, guardrails, crews

🔄

CLI Kernel

17+ make:* scaffolders

🛡️

Security Middleware

OWASP, CORS, rate limit, CSRF, maintenance

Show, don't tell.

Four representative patterns that define the v2.0 developer experience.

<?php
declare(strict_types=1);

namespace App\\Controller;

use MonkeysLegion\\Router\\Attribute\\{Route, Get, Post, Delete};
use Psr\\Http\\Message\\ResponseInterface;

#[Route('/api/users', name: 'users')]
final class UserController
{
    #[Get('/', name: 'index', tags: ['Users'])]
    public function index(): ResponseInterface
    {
        return json_response(['users' => []]);
    }
}

No route file. No registration step. Controllers under app/Controller are discovered automatically.

Seventeen scaffolders. One CLI.

Every major framework object has a make:* command.

Scaffolding

php ml make:controller Userphp ml make:entity Userphp ml make:middleware Authphp ml make:dto CreateUserRequestphp ml make:event UserRegisteredphp ml make:listener SendWelcomeEmailphp ml make:policy UserPolicyphp ml make:job SendEmailJobphp ml make:service PaymentServicephp ml make:command SyncDataphp ml make:test UserServiceTestphp ml make:factory UserFactoryphp ml make:seeder UserSeederphp ml make:enum UserRolephp ml make:observer UserObserverphp ml make:resource UserResourcephp ml make:mail WelcomeMail

Database

php ml make:migrationphp ml migratephp ml rollbackphp ml db:createphp ml db:seed

Operations

php ml config:cachephp ml config:clearphp ml cache:clearphp ml route:listphp ml queue:workphp ml schedule:runphp ml openapi:exportphp ml tinkerphp ml down / php ml upphp ml aboutphp ml ai:chatphp ml ai:costs

How a request flows.

Request Pipeline

ServerRequest::fromGlobals()

CoreRequestHandler (PSR-15)

├── SecurityHeadersMiddleware

├── TrustedProxyMiddleware

├── RequestIdMiddleware

├── CorsMiddleware

├── RateLimitMiddleware

├── MaintenanceModeMiddleware

├── SessionMiddleware

├── VerifyCsrfToken

├── AuthenticationMiddleware

└── Router → Controller → Response

SapiEmitter → Client

Boot Sequence

public/index.php

└── bootstrap/app.php

└── Application::create(basePath)

├── ENV cascade: .env → .env.local → .env.{APP_ENV}

├── MLC config: config/*.mlc → compiled in production

├── Service Providers: 19 auto-discovered

├── SAPI detection: HTTP → Kernel | CLI → CliKernel

└── run()

From zero to serving traffic in 90 seconds.

Install

composer create-project monkeyscloud/monkeyslegion-skeleton my-appcd my-app

Configure

cp .env.example .envphp ml key:generate

Serve

composer serve# → http://127.0.0.1:8000

Requirement	Version
PHP	8.4+ (property hooks required)
Composer	2.x
Database	MySQL / MariaDB / PostgreSQL / SQLite
Redis (optional)	6.x+ for caching, queues, rate limiting

Tested. Compiled. Ready.

Test Suite

Every package ships with its own PHPUnit 11 suite. The framework meta-test suite covers 182 tests across 440 assertions:

✓Compiled container cache (14 tests)
✓Attribute discovery and provider scanning (11 tests)
✓Maintenance mode middleware (7 tests)
✓MLC config loading and provider definitions (94+ tests)
✓Application boot lifecycle (13 tests)
✓Exception handling (10 tests)
✓Database user provider (15 tests)
✓PHPStan Level 9 static analysis across all source files

Production Checklist

php.ini + deploy
# Compile DI container
php ml config:cache

# Recommended php.ini
opcache.enable=1
opcache.validate_timestamps=0
opcache.jit=1255
opcache.jit_buffer_size=128M

Built for five kinds of teams.

🤖

AI-native products

Apex gives you multi-provider routing, pipelines, guardrails, agent crews, and cost management as one Composer package.

🚀

API-first startups

Attribute routing + DTO validation + OpenAPI auto-gen + JWT = full REST API in a day.

⚡

High-throughput services

6× the HTTP req/s of Laravel at 18% the boot memory — measurable infrastructure savings at scale.

🔒

Enterprise / compliance

Argon2id, OWASP headers, token blacklisting, PII redaction guardrails, trusted-proxy middleware — all first-party.

💎

Modern PHP shops

PHP 8.4 property hooks, strict types across all 26 packages, attribute-first everything — no more legacy __get() magic.

Where we're going.

✅

Shipped in v2.0

PHP 8.4 property hooks & attribute-first architecture

26-package ecosystem pinned to v2.0+

MLC configuration with env cascading and production compilation

Compiled DI container with atomic cache writes

PSR-15 middleware pipeline with OWASP security headers

Auth suite: JWT, OAuth2, 2FA, RBAC, remember-me, blacklisting

WebSocket server with real-time broadcasting

Apex AI orchestration: multi-provider, pipelines, guardrails, crews, MCP

OpenAPI v3 auto-generation

17 make:* scaffolders

182 tests / 440 assertions

🔜

Coming in v2.1

Notifications package (email, SMS, Slack, push)

Per-route rate limiting via attributes

API resource transformers and pagination helpers

Model factories for testing

🔮

v3.0 vision

GraphQL support with attribute-based schema

Admin panel generator (CRUD scaffolding)

Fibers-based async HTTP client

Native Swoole / FrankenPHP runtime support

Plugin marketplace

Join the build.

MonkeysLegion is MIT-licensed and actively developed in the open.

🧱Skeleton 📦Framework GitHub 🤖Apex (AI Orchestration)📚Documentation 💬Slack

Ready to ship?

$composer create-project monkeyscloud/monkeyslegion-skeleton my-app

Star on GitHub ⭐Read the docs →Open an issue Discussions