laravel-iam-contracts

Latest Version on Packagist
Tests
Total Downloads
PHP Version
License MIT

The shared contract layer of the Laravel IAM ecosystem.
Interfaces and immutable value objects that every padosoft/laravel-iam-* package implements or consumes — and nothing else. No implementations, no Laravel dependency, no runtime dependencies at all (just PHP 8.3+).

Depend on abstractions, not implementations

This package contains zero behaviour — only the seams the rest of the ecosystem agrees on. Swap the
PDP engine, the key custodian or the passkey verifier without touching a line of consuming code. That is
the whole point of shipping the contracts as a separate package.


What it is — in one minute

Laravel IAM is an Identity & Authorization Control Plane split across many packages: a server, a
client, governance/AI modules, a directory connector, migration bridges, and SDKs in three languages. They
all need to speak the same language:

laravel-iam-contracts is that language. It is the dependency root of the ecosystem: everything
depends on it, it depends on nothing.

In one line: one tiny, dependency-free package of interfaces and DTOs that makes the entire
platform pluggable — because consumers type against abstractions, never implementations.


Why a separate package of only contracts

Pluggability

Implement AuthorizationEngine against OpenFGA/SpiceDB, KeyProvider against AWS KMS or an HSM, or
FactorVerifier against an external SCA provider — and no consuming code changes.

Independent releases

Server, client and SDKs version on their own cadence; they only have to agree on the contract
version. The dependency graph is a DAG with this package at the root.

ABI stability

A method signature here is a promise to every implementor across the ecosystem. Changing one is a
breaking change — so the package is deliberately small, reviewed, and semver-disciplined.

Zero dependencies

require is php: ^8.3 only. It installs anywhere and drags nothing in — no illuminate/*, no
transitive surprises for the apps that consume it.

Read the full rationale →


The ecosystem at a glance

This package sits at the bottom of the dependency graph. The server implements the contracts; clients
and SDKs consume them.

flowchart TB C["laravel-iam-contracts<br/>interfaces + DTOs"] SRV["laravel-iam-server<br/>implements the contracts"] CLI["laravel-iam-client<br/>consumes the contracts"] AI["laravel-iam-ai"] DIR["laravel-iam-directory"] BR["laravel-iam-bridge-spatie-permission"] NODE["laravel-iam-node (SDK)"] RN["laravel-iam-react-native (SDK)"] RUST["laravel-iam-rust (SDK)"] SRV -->|depends on / implements| C CLI -->|depends on / consumes| C AI --> C DIR --> C BR --> C NODE -.->|mirrors the wire contract| C RN -.->|mirrors the wire contract| C RUST -.->|mirrors the wire contract| C
Package Role
laravel-iam-contracts (this repo) Shared interfaces & DTOs — the dependency root
laravel-iam-server The IAM server: identity, org, Application Registry, PDP (RBAC+ABAC+ReBAC), OAuth/OIDC, audit, governance, Admin API & panel
laravel-iam-client Client for apps consuming Laravel IAM: OIDC login, JWT/JWKS, introspection, iam.auth/iam.can middleware, Gate adapter
laravel-iam-ai Optional AI module: advisory-only governance (redaction + hallucination guard + audit)
laravel-iam-directory Optional directory module: LDAP / Active Directory (LdapRecord)
laravel-iam-bridge-spatie-permission Migration bridge from spatie/laravel-permission: scan, shadow mode, cutover, rollback
laravel-iam-node SDK client Node/TS (@padosoft/laravel-iam-node), thin + fail-closed
laravel-iam-react-native SDK client React Native (@padosoft/laravel-iam-react-native), thin + hooks
laravel-iam-rust SDK client Rust (crate laravel-iam), async + blocking, fail-closed

Install

composer require padosoft/laravel-iam-contracts

Requirements: PHP 8.3+. No Laravel required — this package is framework-agnostic and
dependency-free. Autoloading is PSR-4 under Padosoft\Iam\Contracts\.


Start here

Quickstart

Implement your first contract — a fail-closed authorization engine — in five minutes. Open →

Why contracts?

Decoupling, independent releases, ABI stability — the design argument for a contracts-only package. Read →

Contract reference

Every interface and DTO, grouped by namespace, with exact signatures and who implements / consumes each. Browse →

Package facts

Composer padosoft/laravel-iam-contracts · PHP ^8.3 · zero runtime dependencies · MIT ·
GitHub ·
Packagist