Develop and deploy secure PHP, fast.
An open toolkit for UserSpice developers who use AI coding assistants. Write framework-idiomatic code at AI speed, audit before merge, and scan before deploy — ship features faster, pass an audit, and keep the result maintainable for years.
# In a UserSpice project with ai_prompts installed:
> /userspice-audit
Auditing custom code against the 12 security rules…
  app: 42 PHP files
  plugins: 3 plugins
  ajax: 1 parsers/ folder
Findings: 2 HIGH · 5 MEDIUM · 1 LOW
Report written to _noupload/audit-reports/…
What AI codegen on UserSpice should be.
Speed without safety isn't a win — you're trading "ship today" for "rewrite next quarter." These tools are built so you don't have to choose.
Efficient
A one-paragraph idea turns into a working page. The prompts teach your assistant the framework's idioms; the page-scaffold skill stamps out boilerplate that's already wired correctly. You spend time on what you're building, not on undoing "almost right" code.
Secure
Direct $_POST access, missing CSRF, md5(uniqid()) tokens — the failure modes AI codegen ships are the same ones developers ship under deadline pressure. The prompts route around them; the audit skill catches what slips through; the scanner verifies before you ship.
Built to last
UserSpice has an active maintenance lifecycle — security patches when CVEs land, helper updates as attack patterns evolve. Code that follows the framework's conventions keeps benefiting from that, instead of being a one-shot prototype frozen at the day it was written.
Open tools that work together.
Each piece works on its own — and they compound when used together. Pick what you need today; add more as the project grows.
AI Prompts plugin
A UserSpice plugin that ships agent-readable prompts for the framework's security model, override system, secure-page recipe, and common pitfalls. Drop it into usersc/plugins/ and your AI assistant reads from the same source of truth.
Three Claude Code skills
Slash commands that pair with the prompts plugin: /userspice-audit for security review, /userspice-helper-lookup for live helper signatures, and /userspice-page-scaffold for new pages that pass the audit on day one.
Security Scanner
Local Docker stack that runs Semgrep, Psalm, Trivy, Gitleaks, ZAP, and PHPStan against your project with UserSpice-aware rules and stubs. CLI or web UI; SARIF and CI gates included.
UserSpice Ansible
A web UI on UserSpice for running Ansible playbooks against your fleet — auth, audit logging, dry-run buttons, and parameter validation. Installs as a single LXC on Proxmox and onboards remote hosts with a CLI wizard.
One source of truth across the lifecycle.
Prompts feed the assistants.
The AI Prompts plugin sits in usersc/plugins/ai_prompts/ on your install. Its 00_start_here.md.php is the index your assistant reads first — it points at deeper prompts for security, page patterns, debugging, and permissions.
Skills act on the live install.
The three Claude Code skills grep the live users/ framework for canonical helper signatures, audit custom code against the same 12-rule checklist, and scaffold new pages that match the patterns the prompts describe.
Scanner verifies before you ship.
The security scanner runs the same rules at a tool level — Semgrep, Psalm, ZAP, and friends — with framework-aware rule packs so it doesn't flag legitimate UserSpice patterns.
Ansible deploys the result.
UserSpice Ansible is the web UI for pushing playbooks at the servers behind your fleet — same UserSpice auth model, plus audit logging, dry-run, and SSH-key wizards for onboarding hosts.
Have us set it up or build alongside you.
These tools are open. If you'd rather not roll up your sleeves — or you want a security audit, custom prompts for your team's conventions, or an Ansible playbook tailored to your fleet — get in touch.