How is this different from Google Analytics?

Google Analytics shows you traffic. Shadow shows you traffic, AI bot activity, what AI platforms say about your brand, AND tells you what to do about all of it. It's analytics + AI intelligence + action steps in one tool.

Do I need to install anything?

For basic monitoring (bot detection, AI perception, readiness score) — nope, just enter your URL. For full visitor analytics (clicks, behavior, sessions), add one script tag. One-click integrations for Vercel, Shopify, WordPress, and more.

Will it slow down my site?

No. The script is under 5KB and loads async. Zero impact on page speed or Core Web Vitals. External monitoring has literally no impact — it watches from the outside.

What AI bots does Shadow detect?

All of them. GPTBot, ClaudeBot, PerplexityBot, Google-Extended, Bytespider, Amazonbot, and dozens more. The Shadow Network means new bots get identified across all users instantly.

What do you mean by "actionable steps"?

Shadow doesn't just show you graphs. It says things like: "ChatGPT has your pricing wrong — add structured data to /pricing to fix it" or "Your bounce rate on /features is 68% — here's why and what to change." Specific, do-it-today recommendations.

Can Shadow block bots?

Shadow is a telescope, not a shield. It shows you who's visiting and what AI says about you. It generates block rules and robots.txt configs you can apply — but it doesn't intercept traffic.

Yes. Shadow never collects PII. IP addresses are hashed after classification. No cookies on your visitors. All Shadow Network data is anonymized. GDPR compliant by design.

How do I access the User-Agent header in Hyperf?

Use $request->getHeaderLine('User-Agent') — this is the PSR-7 method that returns a single header value as a string, or an empty string when the header is absent. Do not use $request->getHeader() which returns an array. The header name lookup is case-insensitive per PSR-7 (HTTP/1.1 spec), so 'User-Agent', 'user-agent', and 'USER-AGENT' all work.

Why must Hyperf middleware be stateless?

Hyperf runs on Swoole in persistent long-lived processes. Unlike traditional PHP where each request boots a fresh process, a Hyperf process serves thousands of requests. Middleware objects are instantiated once by the DI container and reused across concurrent coroutines. If you store request-specific data in class properties (e.g., $this->currentUser), it will leak between concurrent requests. Keep all state in local variables within the process() method.

How do I register global middleware in Hyperf?

Add the middleware class to config/autoload/middlewares.php under the 'http' key: return ['http' => [AiBotMiddleware::class]]. Middleware runs in array order — first entry runs first. For per-controller or per-route scoping, use the #[Middleware(AiBotMiddleware::class)] annotation on a controller class or method.

What is SwooleStream and why is it needed in Hyperf?

SwooleStream (Hyperf\HttpMessage\Stream\SwooleStream) is Hyperf's PSR-7 stream implementation optimised for the Swoole HTTP server. The response body in PSR-7 must be a StreamInterface. Standard PHP stream wrappers (like php://temp) work differently under Swoole's coroutine context. Use SwooleStream('body string') when constructing Response objects in Hyperf middleware.

How to Block AI Bots in PHP Hyperf

Hyperf is a high-performance PHP microservices framework built on Swoole (or Swow) — it runs as a persistent long-lived process rather than restarting on every request like traditional PHP-FPM. Middleware follows the PSR-15 standard: MiddlewareInterface::process() returns a ResponseInterface directly to block, or calls $handler->handle($request) to pass through. getHeaderLine() returns an empty string when the header is absent — no null check needed. The critical Hyperf-specific gotcha: middleware classes are instantiated once and reused across concurrent coroutines — never store request state in class properties.

1. Bot detection

Pure PHP 8.0+, no dependencies. str_contains() for literal substring matching — no regex. strtolower() normalises before comparison.

<?php
// BotUtils.php — AI bot detection, no external dependencies
declare(strict_types=1);

namespace App\Middleware;

class BotUtils
{
    private const AI_BOT_PATTERNS = [
        'gptbot',
        'chatgpt-user',
        'claudebot',
        'anthropic-ai',
        'ccbot',
        'google-extended',
        'cohere-ai',
        'meta-externalagent',
        'bytespider',
        'omgili',
        'diffbot',
        'imagesiftbot',
        'magpie-crawler',
        'amazonbot',
        'dataprovider',
        'netcraft',
    ];

    /**
     * Returns true if $ua matches a known AI crawler pattern.
     * str_contains() — literal substring match, no regex (PHP 8.0+).
     * strtolower() normalises before comparison.
     */
    public static function isAiBot(string $ua): bool
    {
        if ($ua === '') {
            return false;
        }
        $lower = strtolower($ua);
        foreach (self::AI_BOT_PATTERNS as $pattern) {
            if (str_contains($lower, $pattern)) {
                return true;
            }
        }
        return false;
    }
}

2. PSR-15 middleware — `MiddlewareInterface`

process() either returns a ResponseInterface (block) or calls $handler->handle($request) (pass). Use SwooleStream for response bodies — required under Swoole's coroutine context. The class must be stateless — it lives for the lifetime of the process, not the request.

<?php
// AiBotMiddleware.php — PSR-15 middleware for Hyperf
declare(strict_types=1);

namespace App\Middleware;

use Hyperf\HttpMessage\Stream\SwooleStream;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class AiBotMiddleware implements MiddlewareInterface
{
    /**
     * CRITICAL — this class is instantiated ONCE by Hyperf's DI container
     * and reused across many concurrent coroutines.
     * Never store request-scoped data in class properties ($this->...).
     * All state must live in local variables inside process().
     */

    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        // Path guard: robots.txt must be reachable — bots read it for Disallow rules.
        $path = $request->getUri()->getPath();
        if ($path === '/robots.txt') {
            return $handler->handle($request);  // pass through
        }

        // PSR-7 getHeaderLine() returns '' when the header is absent — no null check needed.
        // Header name lookup is case-insensitive per PSR-7 / HTTP spec.
        // getHeaderLine() returns a single string; getHeader() returns an array.
        $ua = $request->getHeaderLine('User-Agent');

        if (BotUtils::isAiBot($ua)) {
            // Block: return a Response directly — do NOT call $handler->handle().
            // Calling handle() after returning a response would run the route handler
            // and cause a double-response error.
            // SwooleStream is required for Hyperf response bodies under Swoole.
            return (new \Hyperf\HttpMessage\Server\Response())
                ->withStatus(403)
                ->withHeader('X-Robots-Tag', 'noai, noimageai')
                ->withHeader('Content-Type', 'text/plain')
                ->withBody(new SwooleStream('Forbidden'));
        }

        // Pass: delegate to the next middleware or route handler.
        // Inject X-Robots-Tag on the outgoing response.
        $response = $handler->handle($request);
        return $response->withHeader('X-Robots-Tag', 'noai, noimageai');
    }
}

3. Global registration — `config/autoload/middlewares.php`

Add the middleware class to the 'http' array. Middleware runs in declaration order — first entry is outermost (runs first on request, last on response). Register the bot blocker first to short-circuit before auth or business logic.

<?php
// config/autoload/middlewares.php — global middleware registration
// Middleware runs in array order: first entry runs outermost (first in, last out).

declare(strict_types=1);

use App\Middleware\AiBotMiddleware;

return [
    'http' => [
        // AiBotMiddleware runs for every HTTP request.
        // Add before any auth, rate-limit, or route middleware.
        AiBotMiddleware::class,
    ],
];

4. Per-controller scoping — `#[Middleware]` annotation

Apply #[Middleware(AiBotMiddleware::class)] on a controller class (all routes) or a single method (one route). Annotation middleware stacks with global middleware — both run.

<?php
// Per-controller annotation — scopes middleware to a specific controller.
// Requires: use Hyperf\HttpServer\Annotation\Middleware;
//           use Hyperf\HttpServer\Annotation\Controller;

declare(strict_types=1);

namespace App\Controller;

use App\Middleware\AiBotMiddleware;
use Hyperf\HttpServer\Annotation\Controller;
use Hyperf\HttpServer\Annotation\GetMapping;
use Hyperf\HttpServer\Annotation\Middleware;

// Apply to all routes in this controller
#[Controller(prefix: '/api')]
#[Middleware(AiBotMiddleware::class)]
class ApiController extends AbstractController
{
    #[GetMapping(path: '/data')]
    public function data(): array
    {
        return ['data' => 'value'];
    }
}

// Or per-method — scopes to a single route only:
#[Controller(prefix: '/')]
class IndexController extends AbstractController
{
    #[GetMapping(path: '/')]
    #[Middleware(AiBotMiddleware::class)]  // only this route is protected
    public function index(): array
    {
        return ['message' => 'Hello'];
    }
}

5. robots.txt route

<?php
// app/Controller/RobotsController.php
// robots.txt handler — always accessible (guard in middleware passes it through)

declare(strict_types=1);

namespace App\Controller;

use Hyperf\HttpServer\Annotation\Controller;
use Hyperf\HttpServer\Annotation\GetMapping;
use Psr\Http\Message\ResponseInterface;

#[Controller(prefix: '/')]
class RobotsController extends AbstractController
{
    #[GetMapping(path: '/robots.txt')]
    public function robots(): ResponseInterface
    {
        $body = <<<TXT
User-agent: *
Allow: /

User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: Google-Extended
Disallow: /
TXT;
        return $this->response
            ->withHeader('Content-Type', 'text/plain')
            ->withBody(new \Hyperf\HttpMessage\Stream\SwooleStream($body));
    }
}

6. Install and run

# Install Hyperf (requires PHP 8.1+ and Swoole extension)
composer create-project hyperf/hyperf-skeleton my-app
cd my-app

# Install Swoole extension (if not already installed)
pecl install swoole

# Start the server (persistent process — no PHP-FPM or Apache needed)
php bin/hyperf.php start

# Server starts on http://0.0.0.0:9501 by default
# Configure port in config/autoload/server.php

Key points

Middleware classes are singletons — keep them stateless: Hyperf's DI container instantiates each middleware once and reuses the same object across thousands of concurrent coroutines. Storing anything in $this properties will leak between requests. All data must be in local variables inside process().
getHeaderLine() returns '', not null: PSR-7 getHeaderLine() returns an empty string when the header is absent — safe to pass directly to BotUtils::isAiBot(). The lookup is case-insensitive per PSR-7 — 'User-Agent', 'user-agent', and 'USER-AGENT' all return the same value.
Do not call $handler->handle() after returning a response: In PSR-15, the middleware either returns a response or delegates to the handler — not both. Calling $handler->handle() after constructing a blocking response would execute the route handler and attempt to send two responses.
Use SwooleStream for response bodies: PSR-7 requires a StreamInterface for response bodies. Standard PHP stream wrappers behave differently under Swoole's coroutine scheduler. Hyperf\HttpMessage\Stream\SwooleStream is the correct implementation — wrap any string body with new SwooleStream('body').
Persistent process — no per-request bootstrap: Traditional PHP-FPM restarts the PHP runtime on every request, clearing all state. Hyperf + Swoole boots once. This means faster requests (no framework init overhead) but requires coroutine-safe code — avoid global variables, static mutable properties, and non-coroutine-safe extensions.
Global + annotation middleware both run: If AiBotMiddleware is in middlewares.php and also applied via #[Middleware], it will run twice. Use one approach for a given scope — global config for blanket protection, annotations for selective scoping.

Framework comparison — PHP middleware patterns

Framework	Middleware standard	Block	Process model
Hyperf	PSR-15 `MiddlewareInterface`	`return new Response()->withStatus(403)`	Swoole persistent (singleton middleware)
Slim 4	PSR-15 `MiddlewareInterface`	`return $response->withStatus(403)`	PHP-FPM (new instance per request)
Laravel	Laravel middleware (`handle()`)	`return response('Forbidden', 403)`	PHP-FPM or Octane (persistent)
Laminas	PSR-15 `MiddlewareInterface`	`return new HtmlResponse('Forbidden', 403)`	PHP-FPM (new instance per request)

Hyperf, Slim, and Laminas all implement PSR-15 — the process() signature is identical. The key difference is the process model: Hyperf runs in a Swoole persistent process (singleton middleware, coroutine context), while Slim and Laminas run under PHP-FPM where each request gets a fresh instance. Laravel with Octane is the closest PHP-FPM alternative to Hyperf's persistent model — the same stateless middleware rules apply.