
Active · Library · Category: [Security](/categories/security)

chuxolab/laravel-fortress
=========================

1,755 engineering checks for secure, correct, auditable Laravel applications — with git hooks and merge protection

v1.2.0(2mo ago)02MITPHPPHP ^8.1

Since Mar 3 · Pushed 2mo ago

[Source](https://github.com/oilmonegov/laravel-fortress) · [Packagist](https://packagist.org/packages/chuxolab/laravel-fortress) · [Docs](https://github.com/oilmonegov/laravel-fortress) · [RSS](/packages/chuxolab-laravel-fortress/feed) · Wiki · Discussions · main · Synced 1mo ago

The Laravel Fortress
====================

**1,755 engineering checks for building Laravel applications that are secure, correct, auditable, and maintainable.**

Born from repeated production audits of a financial platform. Expanded into a universal standard for any Laravel project.

 [![Laravel Fortress Architecture — Defense in depth across Write, Commit, Push, and Merge stages](docs/fortress-architecture.svg)](docs/fortress-architecture.svg)

Installation
------------

```
composer require --dev chuxolab/laravel-fortress
```

Then run the interactive installer:

```
php artisan fortress:install
```

This walks you through setting up:

- **AI rules** for your editor (Claude Code, Cursor, Windsurf, Copilot — auto-detected)
- **Git hooks** — 10 safety hooks for catching debug statements, formatting issues, secret leaks, and AI auto-merge
- **CI workflow** — GitHub Actions PR protection template
- **Config** — `.fortress.yml` for per-project rule tuning

You can also install components individually:

```
php artisan fortress:install --hooks      # Git hooks only
php artisan fortress:install --rules      # AI rules only
php artisan fortress:install --ci         # CI workflow only
php artisan fortress:install --all        # Everything, no prompts
```

### Non-Laravel PHP projects

```
curl -sL https://raw.githubusercontent.com/oilmonegov/laravel-fortress/main/install.sh | bash
```

---

What You Get
------------

### 1. The Checklist — 1,755 checks across 14 parts

A comprehensive engineering reference. Every check is a `- [ ]` item you can tick off during code review, sprint planning, onboarding, or audit prep.

| Part | Focus | Checks | File |
|------|-------|-------:|------|
| I | Application Security | 179 | [`01-application-security.md`](parts/01-application-security.md) |
| II | Cryptography & Data Protection | 109 | [`02-cryptography-data-protection.md`](parts/02-cryptography-data-protection.md) |
| III | Authentication & Authorization | 110 | [`03-authentication-authorization.md`](parts/03-authentication-authorization.md) |
| IV | Data Integrity & Concurrency | 84 | [`04-data-integrity-concurrency.md`](parts/04-data-integrity-concurrency.md) |
| V | Financial & Monetary Correctness | 62 | [`05-financial-monetary-correctness.md`](parts/05-financial-monetary-correctness.md) |
| VI | PHP Language & Type Safety | 126 | [`06-php-language-type-safety.md`](parts/06-php-language-type-safety.md) |
| VII | Clean Code & Software Design | 128 | [`07-clean-code-software-design.md`](parts/07-clean-code-software-design.md) |
| VIII | Laravel Framework Mastery | 196 | [`08-laravel-framework-mastery.md`](parts/08-laravel-framework-mastery.md) |
| IX | Database Engineering | 158 | [`09-database-engineering.md`](parts/09-database-engineering.md) |
| X | Frontend Engineering | 153 | [`10-frontend-engineering.md`](parts/10-frontend-engineering.md) |
| XI | Testing & Quality Assurance | 76 | [`11-testing-quality-assurance.md`](parts/11-testing-quality-assurance.md) |
| XII | APIs, Queues & Integration | 136 | [`12-apis-queues-integration.md`](parts/12-apis-queues-integration.md) |
| XIII | Logging, Monitoring & Audit | 30 | [`13-logging-monitoring-audit.md`](parts/13-logging-monitoring-audit.md) |
| XIV | Infrastructure & Operations | 208 | [`14-infrastructure-operations.md`](parts/14-infrastructure-operations.md) |

Read the full list in one file: [`checklist.md`](checklist.md)

### 2. AI Rules — Your editor enforces the checks automatically

The AI skill system teaches your coding assistant all 1,755 checks. It adapts to your project's PHP version, Laravel version, database, and installed packages at runtime.

| Editor | What Gets Installed | How It Works |
|--------|---------------------|--------------|
| **Claude Code** | 14 modular skills + `CLAUDE.md` | Deepest integration — skills activate per domain, works with `feature-dev` and Laravel Boost |
| **Cursor** | `.cursorrules` | Inline review, Composer mode, MCP support |
| **Windsurf** | `.windsurfrules` | Cascade flows, multi-step generation |
| **GitHub Copilot** | `.github/copilot-instructions.md` | Chat, PR review, inline suggestions |

### 3. Git Hooks — Safety rails for AI-assisted development

AI agents write code fast. These hooks catch mistakes at the git level before they reach your repository.

| Hook | What It Does |
|------|--------------|
| **pre-commit** | Blocks debug statements (`dd`, `dump`, `ray`), `.env` files, hardcoded secrets, Pint violations |
| **commit-msg** | Enforces conventional commits, length limits, blocks WIP on protected branches |
| **pre-push** | Runs tests, PHPStan, `composer audit` — blocks direct push to `main`/`master`/`production` |
| **pre-merge-commit** | Detects AI agents and blocks auto-merge to protected branches |
| **prepare-commit-msg** | Auto-adds `Co-Authored-By` tag when AI context detected |
| **post-checkout** | Warns when `composer.lock` or JS lock files changed between branches |
| **post-merge** | Same as post-checkout, plus detects migration changes |
| **pre-rebase** | Blocks rebase of protected branches |
| **post-commit** | Advisory: warns about missing `strict_types`, counts TODOs |
| **applypatch-msg** | Validates commit messages from `git am` patches |

Plus **5 stub hooks** (server-side templates) installable with `--with-stubs`. See [`hooks/README.md`](hooks/README.md).

### 4. Compliance Scanner

```
php artisan fortress:check
```

Scans your codebase for common violations:

| Check | Rule ID | What It Finds |
|-------|---------|---------------|
| `strict_types` | F-P06-001 | PHP files missing `declare(strict_types=1)` |
| Debug statements | F-P07-012 | `dd()`, `dump()`, `ray()`, `var_dump()` |
| `.env` in git | F-P01-015 | Environment files tracked in version control |
| Missing `$fillable` | F-P08-003 | Models without mass assignment protection |
| Raw `env()` calls | F-P08-041 | `env()` used outside `config/` files |
| Unguarded models | F-P01-010 | `Model::unguard()` calls |

Auto-fix what's fixable:

```
php artisan fortress:check --fix
```
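The pre-commit hook in section 3 and the `fortress:check` rules above rest on the same idea: a grep-level scan of the PHP files about to be committed. As an added illustration that is not the package's own code, the POSIX shell function below applies three rule IDs from the table (F-P06-001, F-P07-012, F-P08-041) to the files it is given, so it can be wired into a pre-commit hook; the output format and the five-line header window for the `declare` check are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added illustration, not the package's own hook: a minimal pre-commit scan that applies
# three rule IDs from the fortress:check table to the PHP files it is given.
#   F-P06-001  file missing declare(strict_types=1)
#   F-P07-012  debug statements dd(), dump(), ray(), var_dump()
#   F-P08-041  env() called outside config/
# As a hook:  fortress_scan $(git diff --cached --name-only --diff-filter=ACM -- '*.php') || exit 1

# Print "RULE<TAB>file:line<TAB>message" for every line of FILE matching PATTERN.
# Returns 0 when at least one line matched, 1 otherwise.
report_matches() {
  rule=$1; msg=$2; pattern=$3; file=$4
  lines=$(grep -nE "$pattern" "$file" | cut -d: -f1)
  [ -n "$lines" ] || return 1
  for n in $lines; do printf '%s\t%s:%s\t%s\n' "$rule" "$file" "$n" "$msg"; done
}

# Scan each PHP path given; return 1 if any finding was printed, 0 if all files are clean.
fortress_scan() {
  status=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    case "$f" in *.php) ;; *) continue ;; esac

    # F-P06-001: the declare must sit in the file header (checked within the first 5 lines).
    if ! head -n 5 "$f" | grep -Eq '^[[:space:]]*declare[[:space:]]*\([[:space:]]*strict_types[[:space:]]*=[[:space:]]*1[[:space:]]*\)[[:space:]]*;'; then
      printf 'F-P06-001\t%s:1\tmissing declare(strict_types=1)\n' "$f"; status=1
    fi

    # F-P07-012: the leading character class keeps add( or padd( from matching dd(.
    report_matches F-P07-012 'debug statement left in code' \
      '(^|[^A-Za-z0-9_])(dd|dump|ray|var_dump)[[:space:]]*\(' "$f" && status=1

    # F-P08-041: env() is only allowed under config/, where config:cache captures it;
    # the class also excludes ->env( so unrelated methods named env() are not flagged.
    case "$f" in config/*) ;; *)
      report_matches F-P08-041 'env() outside config/; read the value via config()' \
        '(^|[^A-Za-z0-9_>])env[[:space:]]*\(' "$f" && status=1 ;;
    esac
  done
  return $status
}
```

Each finding is one tab-separated line carrying the rule ID and `file:line`, the same shape the README uses for `[F-P01-003]`-style PR comments, and a non-zero exit aborts the commit when the function runs as a hook.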

### 5. Deep Code Review

```
php artisan fortress:review
```

Runs **52 automated checks** across all 14 parts — far deeper than `fortress:check`. Every finding documents both the **problem** and the **recommended solution**, with code snippets.

```
php artisan fortress:review my-sprint        # Named review
php artisan fortress:review --part=P01       # Specific parts only
php artisan fortress:review --part=P01 --part=P05
php artisan fortress:review --severity=critical  # Only critical findings
php artisan fortress:review --select         # Interactive part selection
php artisan fortress:review --format=console # Print findings to terminal
```

Reports are saved to `docs/fortress-reviews/review-{name}-{date}-{time}-{id}.md` with:

- Summary table (findings by severity)
- Findings grouped by part, then severity (critical first)
- Each finding shows: rule ID, file:line, problem description, solution, code snippet

| Part | Focus | Checks |
|------|-------|-------:|
| P01 | Application Security | 8 |
| P02 | Cryptography | 3 |
| P03 | Auth & Authorization | 4 |
| P04 | Data Integrity | 3 |
| P05 | Financial Accuracy | 4 |
| P06 | PHP Language | 5 |
| P07 | Clean Code | 4 |
| P08 | Laravel Framework | 6 |
| P09 | Database | 4 |
| P10 | Frontend | 3 |
| P11 | Testing | 3 |
| P12 | APIs & Queues | 2 |
| P13 | Logging | 1 |
| P14 | Infrastructure | 2 |

### 6. PR Merge Protection

A GitHub Actions workflow template that:

- Runs Pint, PHPStan, tests, and `composer audit` on every PR
- Requires human approval before merge (blocks bot/AI auto-merge)
- Verifies review count meets minimum threshold

Installed to `.github/workflows/fortress-pr-protection.yml` — configure branch protection rules on GitHub to require these checks.

---

Configuration
-------------

After installation, edit `.fortress.yml` in your project root:

```
fortress:
  version: "1.1.0"

  # Enable/disable parts and set enforcement levels
  parts:
    P01_application_security:
      enabled: true
      enforcement: strict        # strict | standard | relaxed

    P05_financial_monetary:
      enabled: true
      enforcement: strict        # Critical for fintech apps

    P10_frontend:
      enabled: false             # Disable for API-only projects

  # Override specific rules
  # rules:
  #   F-P08-042:
  #     enabled: false
  #     reason: "We use a custom ORM"

  minimum_severity: warning      # critical | warning | info

  # Git hooks — all enabled by default, opt-out per hook
  git_hooks:
    enabled: true
    pre_commit:
      run_pint: true
      check_debug: true
      check_secrets: true
      max_file_size_kb: 500
    pre_push:
      run_tests: true
      run_phpstan: true
      block_direct_push: true

  # AI merge protection — strongly recommended
  merge_protection:
    block_ai_auto_merge: true
    protected_branches: [main, master, production]
```

Full template: [`rules/.fortress.example.yml`](rules/.fortress.example.yml)

---

Artisan Commands
----------------

| Command | Purpose |
|---------|---------|
| `fortress:install` | Interactive installer — select components to install |
| `fortress:install --all` | Install everything without prompts |
| `fortress:hooks install` | Install git hooks |
| `fortress:hooks install --select` | Choose which hooks to install interactively |
| `fortress:hooks install --with-stubs` | Include server-side stub hooks |
| `fortress:hooks list` | Show installed fortress hooks |
| `fortress:hooks uninstall` | Remove fortress hooks, restore backups |
| `fortress:hooks update` | Re-copy hooks after `composer update` |
| `fortress:check` | Run compliance scan |
| `fortress:check --fix` | Auto-fix issues where possible |
| `fortress:check --select` | Choose which check to run |
| `fortress:check --part=P01` | Scan a specific part |
| `fortress:review` | Run deep code review (52 checks, markdown report) |
| `fortress:review my-sprint` | Named review for organized reports |
| `fortress:review --part=P01` | Review specific parts |
| `fortress:review --severity=critical` | Filter by minimum severity |
| `fortress:review --select` | Interactive part selection |
| `fortress:review --format=console` | Print findings to terminal |

---

Using the Fortress
------------------

### During Code Review

1. Map the PR's changed files to fortress Parts (controllers → P01/P03/P08, models → P09, money logic → P05)
2. Ask your AI assistant: *"Review this PR against fortress Parts P01 and P08. Flag violations with rule IDs."*
3. Reference findings as `[F-P01-003]` in PR comments — traceable and searchable

### During Sprint Planning

Scan the relevant Parts before scoping a feature. Identify security, correctness, and testing requirements upfront — not as afterthoughts.

### For Onboarding

Give new team members Parts VI–VIII (PHP, Clean Code, Laravel Mastery) as required reading. Faster than explaining conventions one PR at a time.

### As an Audit Checklist

Walk through the full checklist systematically when preparing for a security audit, compliance review, or SOC 2 / ISO 27001 assessment.

### With Laravel Boost (recommended)

[Laravel Boost](https://github.com/laravel/boost) gives your AI agent direct access to your running app — database schema, routes, config, logs, Artisan commands, and Tinker. This transforms fortress enforcement from static code reading to **live application verification**.

```
composer require laravel/boost --dev
```

With Boost installed, your AI agent can verify fortress rules against your actual database schema, route list, config values, and application state. See [`rules/README.md`](rules/README.md) for the full tool-to-fortress mapping.

---

Scope
-----

Laravel 9–12 · PHP 8.1–8.4 · MySQL / PostgreSQL · Vue / React / Blade · Tailwind CSS · Redis · Pest / PHPUnit

The AI skill system is **version-agnostic** — it detects your project's actual versions and applies only the relevant rules. A PHP 8.1 project won't be told to use PHP 8.4 features.

Not a Style Guide
-----------------

This does not prescribe tabs vs spaces or where to put braces. It prescribes **engineering discipline**: how to handle money without rounding errors, how to prevent race conditions on financial records, how to structure authentication so privilege escalation is impossible, how to design migrations that don't cause downtime.

Style is preference. Discipline is survival.

Contributing
------------

Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md).

The bar: **"Would this have prevented a real bug, security vulnerability, or production incident?"** If yes, it belongs. If it's preference, it doesn't.

License
-------

[MIT](LICENSE)

---

Built with hard-won lessons from production. Maintained by the community.

### Health Score

36 — Low. Better than 82% of packages.

- Maintenance: 86 (actively maintained with recent releases)
- Popularity: 2 (limited adoption so far)
- Community: 6 (small or concentrated contributor base)
- Maturity: 43 (maturing project, gaining track record)
- Bus Factor: 1 (top contributor holds 100% of commits — single point of failure)

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~0 days
- Total releases: 2
- Last release: 70d ago

### Community

Maintainers: [oilmonegov](/maintainers/oilmonegov)

Top Contributors: [oilmonegov](https://github.com/oilmonegov) (8 commits)

---

Tags: laravel, security, code quality, Audit, git-hooks, checklist, merge-protection

### Code Quality

- Tests: Pest
- Code Style: Laravel Pint

PHPackages © 2026

