The declarative backend. Define what's allowed — the rest is a brick wall.
Zero-dependency. Deploy and Forget. $1/month costs.
const data = await fetch("/myapp/query", { method: "POST", headers: { "Authorization": "<token>" }, body: JSON.stringify({ queries: [ { ref: "order", sql: "SELECT * FROM orders WHERE id = :id", params: { id: 42 } }, { ref: "items", sql: "SELECT * FROM items WHERE order_id = :oid", params: { oid: { ref: "order", value: "id" } } } ] }) }).then(r => r.json());
{
"results": [
{ "ref": "order", "meta": {...},
"rows": [[42, "2026-03-15", 1388.99]],
"count": 1 },
{ "ref": "items", "meta": {...},
"rows": [[1, "Fender Jazzmaster", 1299.99],
[2, "Tube Screamer", 89.00]],
"count": 2 }
]
}
Vibe Ruined
Cursor was spitting components like a beast. The UI was slick.
Then you needed data. Now you're staring at Docker containers, reading RLS documentation at 2 AM, and paying a $25/month invoice for a project with zero users. The vibe? Absolutely ruined.
Monthly Suffering Receipt
================================
CLOUD BACKEND CO.
"Enterprise-Grade Sadness"
================================
Cloud Database $25.00
Vercel Pro $20.00
Docker Desktop $9.00
Domain + SSL $4.00
--------------------------------
SUBTOTAL: $58.00
USERS: 0
VIBE: DESTROYED
================================
THANK YOU FOR YOUR SUFFERING
================================
The Cheat Code
GET /users/42/orders?status=completed&sort=-date GET /orders/101/items GET /orders/102/items GET /orders/103/items ← N+1 round trips Want SUM(price)? ← build a new endpoint Want GROUP BY category? ← build a new endpoint Want a cross-table JOIN? ← mass grave of controllers
SELECT o.id, o.date, SUM(i.price) AS total, COUNT(*) AS items FROM orders o JOIN items i ON i.order_id = o.id WHERE o.user_id = :uid AND o.status = 'completed' GROUP BY o.id ORDER BY o.date DESC LIMIT 10
Every REST API ends up reinventing a worse query language —
?filter[status]=active&sort=-date&include=items is just shittier SQL.
We skipped the middleman. SQL is the most expressive data language ever made,
and LLMs write it better than you do.
Bulletproof Security
Your backend is a config file, not a codebase. Query Mask DSL — a strict whitelist of what’s allowed. What you don’t explicitly allow doesn’t exist. SQL injection is physically impossible. No RLS gambles. No leaked tables.
One Request = Entire Screen
User profile, orders, and product details — one HTTP call. Batch queries with inter-query references. No waterfall. Just instant, streamed JSON.
AI-Native Backend
AI agents (Cursor, Claude) read your DB schema and configure masks themselves. You describe the app. The agent writes the backend config. You never touch PHP.
One File. Deploy Anywhere.
Zero dependencies on production. One punkbase.phar —
fire and forget onto any PHP 8.4+ hosting.
FTP, SFTP, file manager — whatever you’ve got.
No CI/CD. No Kubernetes. $1/month shared hosting will do.
Battle-Tested Since 2000
The great Y2K legacy. Built on PHP and MySQL — technology forged by the boomers who founded the internet, now battle-tested for the age of AI. This stack still runs most of the web. It powers the best things ever built on it while everything “modern” is busy rewriting itself every 18 months.
If Garbage Can Win…
The internet has a proven track record of mass-adopting things that are light years from the best available — yeah, JavaScript, we’re looking at you. If garbage can win, so can Punkbase.
Feature Freeze by Design
Most code rots, because ecosystem keeps changing. We build on a stack with 30 years of evolution. Punkbase is in closed beta now — once stable, it ships as v1.0 LTS. The last version you’ll ever need. No 2.0. No breaking changes. Only security fixes and compatibility with the ecosystem: PHP, JWT. If it works on release day, it will work in ten years.
How It Works
Upload the Phar
One file. Any PHP 8.4+ hosting. FTP, SFTP, file manager — whatever you've got.
Define Your Masks
Declare which queries are allowed. That's your entire backend — a declaration, not a program. Your AI agent can write it for you.
Call From Your Frontend
A single fetch() with a batch of named queries. That's your entire backend.
Full Batch Example
// Three related datasets. One HTTP call. Done. const screen = await fetch("https://your-hosting.com/myapp/query", { method: "POST", headers: { "Authorization": "<token>", "Content-Type": "application/json" }, body: JSON.stringify({ queries: [ { ref: "order", sql: "SELECT * FROM orders WHERE id = :id", params: { id: 42 } }, { ref: "items", sql: "SELECT * FROM items WHERE order_id = :oid", params: { oid: { ref: "order", value: "id" } } // ^ references order query result }, { ref: "stock", sql: "SELECT * FROM stock WHERE product_id IN :pids", params: { pids: { ref: "items", list: "product_id" } } // ^ list reference across results } ] }) }).then(r => r.json());
Response
{
"results": [
{ "ref": "order", "meta": {...},
"rows": [[42, "2026-03-15", 1388.99]],
"count": 1 },
{ "ref": "items", "meta": {...},
"rows": [[1, 42, 101, "Fender Jazzmaster", 1299.99],
[2, 42, 102, "Tube Screamer", 89.00]],
"count": 2 },
{ "ref": "stock", "meta": {...},
"rows": [[101, "Fender Jazzmaster", 3],
[102, "Ibanez Tube Screamer TS9", 12]],
"count": 2 }
]
}
The Vibecoding Manifesto
THE PUNKBASE WAY
Software isn't an animal. It doesn't grow.
Most code rots, because ecosystem keeps changing. We believe in Feature Freeze by Design. Punkbase ships as v1.0 LTS — and that's the last version you'll ever need. No 2.0. No breaking changes. Only security fixes and compatibility with the ecosystem around it: PHP, JWT, JavaScript. If it works on release day, it will work in ten years.
Backend is a declaration, not a program.
You don't write backend code. You declare what queries are allowed and the rest is a brick wall. Like CSS for styling, Query Masks are declarative for data access. Your backend is a config file — not a codebase.
Infrastructure at lunch money prices.
We refuse to pay cloud ransom for "serverless" magic that locks us into one platform. Freedom means your app runs on any PHP hosting from Austin to Tokyo. If you have FTP and MySQL, you're a king.
AI is your Senior Architect.
We don't code in PHP. We use PHP as an indestructible shell into which our AI agents pour our vision. We hold the wheel. AI shovels the coal.
No dependencies. No drama.
is-even depends on is-odd as a dependency. WTF? Punkbase has zero external dependencies.
One .phar file. No Composer in production.
No house of cards collapsing when someone unpublishes a package.
The Hosting Guardians
They don't sleep so your .phar can run.
While the world crumbles under the weight of unstable clouds and endless updates, these guardians quietly keep the old iron humming. Wrench in one hand, coffee in the other, making sure your SQL runs no matter what happens in Silicon Valley.
The Power of Sharing
Shared hosting isn't "cheap infrastructure for WordPress sites." It's a community garden. Rows of servers tended by people who chose stability over hype. Punkbase gives them a modern API engine. They give your app immortality.
Punk Hosting
Hosting provider? Let's talk. We bring you the next generation of developers.
partners@punkbase.dev
The Garage
We're underground (for now).
================================
BACKSTAGE PASS
================================
STATUS: Closed Beta
ROAD: Beta → RC → v1.0 LTS
ACCESS: Source code
CHANNEL: Discord (invite-only)
"Once it ships, it ships.
Security fixes only."
================================
ADMIT ONE VIBECODER
================================
Tell us what you're building and why your current backend makes you cry.