AUDIT.md

Core Agentic Framework Audit

Date: 2026-02-18

Scope: Core vs Laravel, Symfony, Slim, and Mezzio

Goal: Make Core the best PHP framework for agentic coding workflows

---

1) Executive Summary

Core is currently the strongest option in this set for an agentic coding centered workflow when weighted for:

The previous audit baseline was stale in important areas. This run confirms Core now includes built-in i18n, Schedule, Crypt, WebSocket, and a Redis cache adapter. Those categories are no longer "missing".

Core still lags in human-centric ecosystem parity (full PSR package compliance breadth, richer form-builder ergonomics, and broader generator bundles), and these now represent the main blockers to widening adoption without compromising its zero-dependency identity.

---

2) Methodology

Rating Scale

Agentic Weighted Score Model (100 total)

Evidence Rules

---

3) Corrections vs Previous Audit

CategoryPrevious StatusCurrent Source-Backed StatusCore Evidence
i18n / LocalizationMissingAdequateclasses/i18n.php, docs/classes/i18n.md
SchedulingMissingAdequateclasses/Schedule.php, docs/classes/Schedule.md
EncryptionMissingAdequateclasses/Crypt.php, docs/classes/Crypt.md
WebSocket / Real-timeMissingAdequateclasses/WebSocket.php, classes/WebSocket/Pusher.php, docs/classes/WebSocket.md
Redis cache supportMissingAdequateclasses/Cache/Redis.php, docs/classes/Cache.md
Query BuilderMissingBasicclasses/SQL.php, tests/SQLBuilderTest.php
MigrationsMissingAdequateclasses/Migration.php, tools/migrate.php, tests/MigrationTest.php
Testing UtilitiesMissingBasictests/support/AgentHttpHarness.php, tests/AgentHttpHarnessTest.php
PSR ComplianceMissingBasicclasses/Interop/*, tests/InteropTest.php, docs/guides/Interop.md
Form HandlingMissingAdequateclasses/Form.php, docs/classes/Form.md, tests/FormTest.php
Code GenerationMissingAdequatetools/codegen.php, tests/CodegenToolTest.php, docs/guides/Code-Generation.md

---

4) Capability Matrix (Framework Breadth)

CategoryCoreLaravelSymfonySlimMezzio
RoutingStrongStrongStrongStrongStrong
HTTP Request/ResponseStrongStrongStrongAdequateAdequate
AuthenticationAdequateStrongAdequateMissingMissing
AuthorizationAdequateStrongStrongMissingMissing
CSRFStrongStrongStrongAdequateAdequate
Rate LimitingStrongStrongAdequateMissingMissing
Security HeadersStrongBasicBasicMissingMissing
ORM / DatabaseBasicStrongStrongMissingMissing
Query BuilderBasicStrongStrongMissingMissing
MigrationsAdequateStrongStrongMissingMissing
CachingAdequateStrongStrongMissingMissing
EmailAdequateStrongAdequateMissingMissing
Template EngineBasicStrongStrongMissingMissing
ValidationAdequateStrongStrongMissingMissing
File StorageAdequateStrongAdequateMissingMissing
CLI / ConsoleAdequateStrongStrongMissingMissing
Queue / JobsAdequateStrongStrongMissingMissing
EventsStrongStrongStrongBasicAdequate
i18n / LocalizationAdequateStrongStrongMissingMissing
SchedulingAdequateStrongAdequateMissingMissing
Testing UtilitiesBasicStrongStrongBasicBasic
DI ContainerBasicStrongStrongAdequateStrong
Code GenerationAdequateStrongStrongMissingMissing
WebSocket / Real-timeAdequateAdequateAdequateMissingMissing
PSR ComplianceBasicAdequateStrongStrongStrong
Middleware PipelineBasicStrongStrongStrongStrong
Form HandlingAdequateAdequateStrongMissingMissing
EncryptionAdequateStrongStrongMissingMissing
API ResourcesAdequateStrongAdequateMissingMissing
Content NegotiationStrongBasicAdequateBasicAdequate
Performance / FootprintStrongAdequateAdequateStrongAdequate
Zero External Runtime DependenciesStrongMissingMissingMissingMissing

Notes:

---

5) Agentic Scorecard (Weighted)

Criterion (Weight)CoreLaravelSymfonySlimMezzio
Introspection and self-discovery (20)42311
Explicitness and deterministic behavior (15)42333
Runtime footprint and startup profile (15)41133
Automation ergonomics (15)34322
Security defaults for unattended execution (10)34422
Zero dependency portability (10)40011
Extensibility without hidden coupling (10)33333
Ecosystem interoperability for agents (5)13444

Weighted Totals (max = 100)

Result: Core is currently rank #1 for this agentic-first model, but with clear parity risks in interop and developer automation.

---

6) Core Strengths for Agentic Coding

1. Small, explicit API surface with predictable static classes.

2. Zero external runtime dependency baseline (composer.json requires only PHP).

3. Introspection primitives already present (Introspect::classes/methods/extensions/routes/capabilities, Schema::tables/describe, Model::schema/fields).

4. Built-in machine-readable error modes (Errors::JSON_VERBOSE) support unattended execution diagnostics.

5. Single-file distributable (dist/core.php) and preload story favor deterministic environments.

---

7) Core Gaps Blocking Clear Dominance

1. Form workflow gap:

2. Agent automation gap:

3. Interop gap:

4. Code generation depth gap:

---

7.1) Proof Table (Reproducible Claims)

ClaimCommandExpected ArtifactLast Verified
SQL query helper is availablevendor/bin/phpunit --filter SQLBuilderTestGreen test validating SQL::selectFrom()->whereEq()->orderBy()->limit()->toSQL()2026-02-18
Migration workflow is availablevendor/bin/phpunit --filter MigrationTestGreen test for apply/status/rollback and core_migrations tracking2026-02-18
Interop adapters are availablevendor/bin/phpunit --filter InteropTestGreen test for request/response/container/middleware adapters2026-02-18
HTTP harness utilities are availablevendor/bin/phpunit --filter AgentHttpHarnessTestGreen test validating deterministic dispatch envelope2026-02-18
Form handling is availablevendor/bin/phpunit --filter FormTestGreen tests for source binding, normalization, validation, CSRF, old-input flash2026-02-18
Code generation is availablevendor/bin/phpunit --filter CodegenToolTestGreen tests for scaffold create/skip/force + deterministic output envelope2026-02-18
Audit contract is machine-readablephp tools/agent-audit.php --format=json --prettyJSON payload with schema_version/framework/capabilities/counts2026-02-16
Contract snapshot is deterministicphp tools/agent-snapshot.php --type=contracts --fail-on-diff=tests/fixtures/snapshots/contracts.jsonExit code 0 if unchanged2026-02-16
Case-study output is machine-readablephp tools/agent-case-study.php --preset=baseline --out=docs/guides/agent-case-study.baseline.jsondocs/guides/agent-case-study.baseline.json2026-02-16
Proof freshness is enforceablecomposer proof-freshness-checkJSON report with artifact age in days2026-02-16

---

8) 6-Month Roadmap (3 Phases, Zero Runtime Deps Hard Rule)

Phase A (Weeks 1-8): Agent Observability and Determinism

A1. Expand Introspection Coverage

A2. Deterministic Machine-Readable Audit Export

A3. Error Envelope Stability Contract

Phase B (Weeks 9-16): Agent Productivity Primitives

B1. SQL Composition Helpers (Zero-Dep)

B2. Route and Schema Snapshot Utilities

B3. Agent Test Harness Basics

Phase C (Weeks 17-24): Interop and Competitive Proof

C1. PSR Bridge Layer (Optional, Internal)

C2. Agentic Benchmark Suite

C3. Publish Comparative Agentic TCO Section

---

9) Prioritized Backlog (Impact x Confidence / Cost)

ItemPriorityWhy
Expand Introspect::capabilities()P0Highest leverage for autonomous decision-making.
Add tools/agent-audit.php JSON exportP0Enables machine-driven audits and CI checks.
Add SQL composition helpersP1Reduces major friction without violating zero-dep rule.
Add route/schema/model snapshotsP1Makes regressions detectable by agents quickly.
Add minimal HTTP test harnessP1Improves agent reliability and shorter feedback loops.
Define PSR bridge docs/adaptersP2Improves ecosystem reach while preserving Core identity.

---

10) Sources

Core (repository evidence)

Laravel (official docs)

Symfony (official docs)

Slim (official docs)

Mezzio (official docs)

---

11) Re-Audit Trigger Conditions

Run this audit again when one of these changes:

1. Core adds/removes capability classes or major runtime contracts.

2. Core adds compatibility bridges (for example PSR adapters).

3. Major competitor versions change architecture defaults.

4. Agent benchmark methodology changes.