PHPackages                             codenzia/browser-console - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [CLI &amp; Console](/categories/cli)
4. /
5. codenzia/browser-console

ActiveLibrary[CLI &amp; Console](/categories/cli)

codenzia/browser-console
========================

A web-based Artisan console, shell terminal, log viewer, and debug tool for Laravel — accessible from your browser, no database required.

v0.3.0(1w ago)0157MITPHPPHP ^8.3CI failing

Since Feb 26Pushed 1w agoCompare

[ Source](https://github.com/Codenzia/browser-console)[ Packagist](https://packagist.org/packages/codenzia/browser-console)[ Docs](https://github.com/codenzia/browser-console)[ GitHub Sponsors](https://github.com/codenzia)[ RSS](/packages/codenzia-browser-console/feed)WikiDiscussions main Synced today

READMEChangelogDependencies (17)Versions (12)Used By (0)

Browser Console — Web-based Artisan, shell, logs &amp; debug for Laravel
========================================================================

[](#browser-console--web-based-artisan-shell-logs--debug-for-laravel)

[![Latest Version](https://camo.githubusercontent.com/dfe9438212c728a2c2ca8a79438733b0b090f6f47ee3fa30ff6528bf1dcbc2db/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f636f64656e7a69612f62726f777365722d636f6e736f6c652e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/codenzia/browser-console)[![PHP Version](https://camo.githubusercontent.com/2fe410a3d882ecea2d86241f72ce86928806f5be798bddf3cfb067225b856b93/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f636f64656e7a69612f62726f777365722d636f6e736f6c652e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/codenzia/browser-console)[![Laravel](https://camo.githubusercontent.com/06b8e69143bdc79b83cc6856eace3dd368452c5bee12a333cced8d63705ef714/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c61726176656c2d3131253230253743253230313225323025374325323031332d6566343434343f7374796c653d666c61742d737175617265)](https://laravel.com)[![Tests](https://camo.githubusercontent.com/6c642fd9f53ed0bb1f6640cf8e2c39326f4113af6954f8def767f2701edf08af/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f74657374732d5065737425323076332d3862356366363f7374796c653d666c61742d737175617265)](https://pestphp.com)[![License](https://camo.githubusercontent.com/4ccfc5fe71fb31fcb9052fdca81bc90ad33455b53bfb151aec66c812f818437f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f636f64656e7a69612f62726f777365722d636f6e736f6c652e7376673f7374796c653d666c61742d737175617265)](LICENSE.md)[![Sponsor](https://camo.githubusercontent.com/31e457eac7658fab189435f2ad270e605b43115ca7100a9fb69646dfa2319b7d/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f53706f6e736f722d2545322539442541342d70696e6b3f7374796c653d666c61742d737175617265)](https://github.com/sponsors/codenzia)

A **web-based Artisan console, shell terminal, log viewer, and debug tool for Laravel** — accessible from your browser, no database required. Run artisan commands, tail logs, execute whitelisted shell commands (`git pull`, `composer install`, ...), and dump variables Ray-style via a `console()` helper — all from a single URL behind a password.

> **Why this exists.** Shared hosting and locked-down VPS deployments often have no SSH, broken Telescope, no Ray license, and no way to clear a stuck cache without a deploy. Browser Console gives you that escape hatch with secure cookie-based auth, no DB dependency (works in maintenance mode), and a standalone diagnostics page (`bcd.php`) that runs even when Laravel itself fails to boot.

> **Try it live:** A working integration is included in the [Codenzia plugins demo](https://github.com/Codenzia/plugins-demo) at `/admin/demo/browser-console`.

> **❤️ Sponsor this project** — If Browser Console saves you time, consider [sponsoring on GitHub](https://github.com/sponsors/codenzia) to support ongoing development.

Features
--------

[](#features)

- **Artisan Commands** — Run any artisan command with auto-complete reference panel
- **Shell Terminal** — Execute shell commands (git, composer, php, system tools) with real-time streaming output
- **Log Viewer** — Browse, filter, and download Laravel logs by level
- **Debug Tool** — Ray-like `console()` helper for inspecting variables with color coding, labels, and table views
- **Deployment Guide** — Step-by-step deployment reference panel with one-click command execution
- **No Database Required** — Cookie-based auth, works in maintenance mode
- **Secure** — Bcrypt password hashing, session timeout, rate limiting, IP whitelisting, custom auth gate
- **Runtime Kill Switch** — `/console` can be locked/unlocked via `php artisan browser-console:{enable,disable,status}`; strict mode returns an opaque 404 and auto-relocks after a configurable TTL (1–60 min)
- **Structured Audit Log** — Login attempts, command runs, and switch ops emit `ConsoleAudit` events to a configurable channel; password attempts and command output bodies are never logged
- **Zero Build Step** — Tailwind CSS via CDN, no npm/vite required

Requirements
------------

[](#requirements)

DependencyVersionPHP`^8.3`Laravel`^11.0 || ^12.0 || ^13.0`Livewire`^3.0 || ^4.0`Installation
------------

[](#installation)

```
composer require codenzia/browser-console
```

Publish the config file:

```
php artisan vendor:publish --tag=browser-console-config
```

Create your console credentials:

```
php artisan browser-console:create
```

Visit `/console` in your browser.

Configuration
-------------

[](#configuration)

After publishing, the config file is at `config/browser-console.php`:

```
return [
    // Credentials (set via browser-console:create command)
    'user' => env('BROWSER_CONSOLE_USER'),
    'password' => env('BROWSER_CONSOLE_PASSWORD'),

    // URL path (default: /console)
    'path' => env('BROWSER_CONSOLE_PATH', 'console'),

    // Rate limiting (requests per minute, 0 to disable)
    'throttle' => (int) env('BROWSER_CONSOLE_THROTTLE', 60),

    // IP whitelisting (comma-separated, empty = allow all)
    'allowed_ips' => env('BROWSER_CONSOLE_ALLOWED_IPS'),

    // Custom auth gate (bypasses password auth when set)
    'gate' => null,

    // Session inactivity timeout in seconds
    'session_timeout' => 1800,

    // Middleware to exclude from console routes
    'exclude_middleware' => [],

    // Kill switch — runtime on/off control for the /console route
    'killswitch' => [
        'default_state' => env('BROWSER_CONSOLE_DEFAULT_STATE', 'on'), // 'on' | 'off' | 'local'
        'default_ttl' => (int) env('BROWSER_CONSOLE_DEFAULT_TTL', 10), // minutes used when --ttl is omitted
        'max_ttl' => (int) env('BROWSER_CONSOLE_MAX_TTL', 60),         // hard cap on --ttl in off/local mode
        'cache_key' => 'browser-console:state',
    ],

    // Structured audit log for login attempts, command runs, and switch ops
    'audit' => [
        'enabled' => (bool) env('BROWSER_CONSOLE_AUDIT', true),
        'channel' => env('BROWSER_CONSOLE_AUDIT_CHANNEL', 'stack'),
    ],
];
```

### Environment Variables

[](#environment-variables)

Add these to your `.env` file (or use `browser-console:create`):

```
BROWSER_CONSOLE_USER=admin
BROWSER_CONSOLE_PASSWORD='$2y$12$...'

# Optional
BROWSER_CONSOLE_PATH=console
BROWSER_CONSOLE_THROTTLE=60
BROWSER_CONSOLE_ALLOWED_IPS=127.0.0.1,10.0.0.5

# Kill switch — defaults preserve existing behavior; flip to 'off' to harden.
BROWSER_CONSOLE_DEFAULT_STATE=on    # on | off | local
BROWSER_CONSOLE_DEFAULT_TTL=10
BROWSER_CONSOLE_MAX_TTL=60

# Audit log
BROWSER_CONSOLE_AUDIT=true
BROWSER_CONSOLE_AUDIT_CHANNEL=stack
```

Usage
-----

[](#usage)

### Artisan Tab

[](#artisan-tab)

Type any artisan command or click one from the reference panel:

```
migrate:status
route:list
optimize:clear
cache:clear

```

Commands run as isolated subprocesses — no risk of corrupting the web response.

`tinker` is disabled in Artisan mode (it would allow arbitrary PHP/OS execution, bypassing the shell allowlist), and shell operators and quotes are rejected.

### Shell Tab

[](#shell-tab)

Execute whitelisted shell commands:

```
git status
git pull
composer install --no-dev
php -v
ls -la

```

**Allowed commands:** composer, git, php, ls, pwd, whoami, readlink, cat, mkdir, chmod, ln, df, du, head, tail, wc, find, which

Shell operators (`;`, `&&`, `|`, `>`, etc.) are blocked for security.

> **Note:** Long-running shell commands (e.g. `composer install`, `git pull`) hold a PHP-FPM worker for the duration of the command — up to 5 minutes for composer. Running several long commands concurrently can exhaust the worker pool on shared hosting. Each command is hard-capped by a per-process timeout, but operators should avoid issuing many simultaneous long-running commands.

### Logs Tab

[](#logs-tab)

- Browse Laravel log entries with level filtering (debug, info, warning, error, critical)
- Configurable line count (50, 100, 200, 500)
- Download or clear log files

### Debug Tab

[](#debug-tab)

Add `console()` calls anywhere in your Laravel code:

```
// Simple dump
console('Hello World');

// With label and color
console($user)->label('Current User')->green();

// Table view for arrays/objects
console($settings)->table();

// Multiple values
console($request->all(), $response)->label('API Call')->blue();
```

**Available colors:** `->green()`, `->blue()`, `->orange()`, `->red()`, `->purple()`

**Available methods:** `->label(string)`, `->table()`, `->color(string)`

Debug entries are written to `storage/logs/console-debug.log` as NDJSON and auto-pruned at 500KB.

Security
--------

[](#security)

### Authentication

[](#authentication)

- **Bcrypt hashing** — Passwords are stored as bcrypt hashes (never plaintext)
- **Constant-time credential check** — Username and password are compared in constant time to avoid user-enumeration timing leaks
- **Login brute-force limiter** — A dedicated per-IP limiter caps login attempts at 5 per minute, independent of the route throttle
- **Session timeout** — Auto-logout after 30 minutes of inactivity (configurable)
- **Rate limiting** — 60 requests/minute by default (configurable)
- **CSRF protection** — Standard Laravel web middleware

### Production hardening (strongly recommended)

[](#production-hardening-strongly-recommended)

The console ships with `BROWSER_CONSOLE_DEFAULT_STATE=on`, which makes the `/console` route reachable as soon as a password is configured — including in production. For production deployments you should:

- Set `BROWSER_CONSOLE_DEFAULT_STATE=local` (or `off`) so the route is sealed by default and only unlocked on demand via `php artisan browser-console:enable --ttl=N`.
- Populate `BROWSER_CONSOLE_ALLOWED_IPS` with your operator IP(s).
- Remove `public/bcd.php` before going live — it is a standalone privileged diagnostics page that is **NOT** governed by the kill switch and survives `browser-console:disable`. Remove it with `php artisan browser-console:diagnose --remove`.

### IP Whitelisting

[](#ip-whitelisting)

Restrict console access to specific IPs:

```
BROWSER_CONSOLE_ALLOWED_IPS=127.0.0.1,10.0.0.5,192.168.1.100
```

Leave empty to allow all IPs.

### Custom Auth Gate

[](#custom-auth-gate)

Bypass the built-in password auth with your own logic:

```
// In AppServiceProvider::boot()
config(['browser-console.gate' => function ($request) {
    return $request->user()?->hasRole('super_admin');
}]);
```

When the gate returns `true`, the login form is skipped entirely.

### Middleware Exclusion

[](#middleware-exclusion)

Exclude app-specific middleware from console routes:

```
// config/browser-console.php
'exclude_middleware' => [
    \App\Http\Middleware\SetLocale::class,
    \App\Http\Middleware\TrackVisitors::class,
],
```

### Kill Switch

[](#kill-switch)

A cache-backed runtime switch controls whether `/console` is reachable. When the switch is off the route returns an opaque **404** (not 403 — scanners cannot infer the route exists) before any auth code or `web` middleware runs.

Three modes via `BROWSER_CONSOLE_DEFAULT_STATE`:

ModeRoute behavior`on` *(shipped default — backwards-compatible)*Reachable as long as the password is configured. `:disable` writes a sticky lockout that persists until `:enable`.`off` *(strict / recommended for hardened deployments)*404 by default. Operator runs `php artisan browser-console:enable --ttl=10` to unlock for N minutes. **Auto-locks** when the timer elapses.`local`Behaves like `on` when `app()->environment('local')`, else `off`.Inspect and control the switch:

```
# Show the current state, expiry, and config health
php artisan browser-console:status

# Unlock for 10 minutes (TTL required in off/local mode; range 1..max_ttl)
php artisan browser-console:enable --ttl=10 --actor=ops@example.com

# Lock immediately (in on mode this is a sticky lockout)
php artisan browser-console:disable --actor=ops@example.com
```

Defense in depth: even when the switch resolves to "enabled", `/console` still returns 404 if the password is unset or empty. A misconfigured deployment never accidentally opens an unauthenticated shell.

Programmatic access is available via the `Console` facade:

```
use Codenzia\BrowserConsole\Facades\Console;

Console::isEnabled();        // bool
Console::expiresAt();        // ?CarbonImmutable
Console::state();            // ['default_state' => ..., 'effective_state' => ..., ...]
Console::enable(10, 'ops@example.com');
Console::disable('ops@example.com');
```

### Audit Log

[](#audit-log)

When `audit.enabled=true` (default), structured records are emitted to the configured log channel **and** dispatched as `Codenzia\BrowserConsole\Events\ConsoleAudit` events so hosts can forward them to SIEM / Slack / Sentry / etc.

EventFired whenKey context`console.login.success`Password check passes`ip`, `user_agent`, `route``console.login.failed`Wrong password OR credentials not configured`reason` (`bad_password` / `not_configured`), `ip`, `user_agent`, `route``console.command.executed`After any artisan or shell command runs`mode`, `command`, `exit_code`, `duration_ms`, `ip``console.switch.enabled``:enable` (CLI or facade)`mode`, `ttl_minutes`, `expires_at`, `actor``console.switch.disabled``:disable` (CLI or facade)`mode`, `actor``console.switch.expired`A TTL elapses while reading state`expired_at`Subscribe in an `EventServiceProvider`:

```
use Codenzia\BrowserConsole\Events\ConsoleAudit;

protected $listen = [
    ConsoleAudit::class => [
        \App\Listeners\ForwardConsoleAuditsToSlack::class,
    ],
];
```

**Sensitive bits are never logged.** Password attempts, command output bodies, and any keys named `password`, `password_confirmation`, `output`, `output_body`, or `secret` are stripped before dispatch.

### Command Security

[](#command-security)

- **Input sanitization** — Both artisan and shell modes block shell operators (`;`, `&&`, `|`, `>`, backticks, `$()`, `${}`), control characters, and variable expansion (`$VAR`, `~`)
- **Allowlist-only (shell mode)** — Only whitelisted base commands can run
- **Dangerous pattern blocking** — `rm`, `git push`, `git reset --hard`, directory traversal, `/etc/`, etc.
- **Subprocess isolation** — Commands run as isolated subprocesses via `Symfony\Process`

Artisan Commands
----------------

[](#artisan-commands)

```
# Create or update console credentials
php artisan browser-console:create

# Show current username and verify password
php artisan browser-console:show
php artisan browser-console:show --verify

# Run deployment diagnostics from CLI
php artisan browser-console:diagnose

# Auto-fix detected issues (permissions, caches, missing files)
php artisan browser-console:diagnose --fix

# Force-refresh the web diagnostics page (public/bcd.php)
php artisan browser-console:diagnose --refresh

# Remove the diagnostics page from public/
php artisan browser-console:diagnose --remove

# Kill switch
php artisan browser-console:status                                 # show current state + config health
php artisan browser-console:enable --ttl=10 --actor=ops@example.com  # unlock for 10 minutes
php artisan browser-console:disable --actor=ops@example.com          # lock immediately
```

Upgrade Notes
-------------

[](#upgrade-notes)

This release adds a runtime kill switch and a structured audit log. **No existing behavior changes by default:** `BROWSER_CONSOLE_DEFAULT_STATE` ships as `on`, identical to prior versions where the route was reachable whenever a password was configured.

To harden a deployment:

1. Set `BROWSER_CONSOLE_DEFAULT_STATE=off` in `.env`.
2. Re-publish the config or add the `killswitch` / `audit` blocks manually (`php artisan vendor:publish --tag=browser-console-config --force`).
3. Run `php artisan browser-console:enable --ttl=10` whenever you need access; the route auto-locks back to 404 after the TTL elapses.

No DB migrations are required. All state is cache-backed and self-expiring.

Troubleshooting
---------------

[](#troubleshooting)

If `/console` returns a **500 error** or doesn't load after deploying, use the built-in diagnostics page (`bcd.php`) to find the exact cause.

### Diagnostics Page (bcd.php)

[](#diagnostics-page-bcdphp)

During installation (`php artisan browser-console:install`), you'll be asked whether to publish the diagnostics page to `public/bcd.php`. It works without Laravel — even when the framework itself fails to start.

Visit `https://your-domain.com/bcd.php` and authenticate with your console password.

The page checks:

- **PHP Environment** — Version, required extensions, `proc_open()` availability
- **Laravel Structure** — `.env`, `APP_KEY`, vendor directory, config/route caches
- **File Permissions** — `storage/`, `bootstrap/cache/`, `public/`, and all subdirectories
- **Browser Console Package** — Installation, config, credentials, Livewire, `.htaccess`
- **Laravel Boot Test** — Attempts to bootstrap Laravel and shows the exact exception

> **Authentication:** The diagnostics page requires the `BROWSER_CONSOLE_PASSWORD` from your `.env` file. If no password is set, the page is locked entirely.

### CLI Diagnostics

[](#cli-diagnostics)

If you have SSH access, run comprehensive diagnostics from the terminal:

```
php artisan browser-console:diagnose
```

This checks PHP environment, Laravel structure, file permissions, session &amp; CSRF configuration, middleware stack (global + web group), session file read/write, CSRF token roundtrip, PHP settings (post\_max\_size, gc\_maxlifetime, etc.), HTTPS &amp; reverse proxy detection, cookie encryption order, and OPcache settings.

Use `--fix` to auto-repair common issues (directory permissions, cache clearing, missing files):

```
php artisan browser-console:diagnose --fix
```

### Managing bcd.php

[](#managing-bcdphp)

```
# Force-refresh with the latest version from the package
php artisan browser-console:diagnose --refresh

# Remove from public/ when no longer needed
php artisan browser-console:diagnose --remove
```

To publish it later (or re-publish after removal):

```
php artisan browser-console:diagnose --refresh
```

Uninstalling
------------

[](#uninstalling)

Before removing the package, clean up published files:

```
php artisan browser-console:diagnose --remove
rm config/browser-console.php
composer remove codenzia/browser-console
```

You may also want to remove the `.env` variables (`BROWSER_CONSOLE_USER`, `BROWSER_CONSOLE_PASSWORD`, etc.).

How It Works
------------

[](#how-it-works)

The console uses **encrypted cookie-based auth** (`browser-console-auth`) instead of Laravel sessions. This means:

- Works without a database connection
- Works in maintenance mode
- Does not interfere with your main app's sessions, cookies, or cache
- Artisan commands run as isolated subprocesses via `Symfony\Process`
- The standalone diagnostics page (`bcd.php`) works even when Laravel fails to boot

Testing
-------

[](#testing)

```
composer test
```

License
-------

[](#license)

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

###  Health Score

39

—

LowBetter than 84% of packages

Maintenance89

Actively maintained with recent releases

Popularity11

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity43

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~13 days

Recently: every ~28 days

Total

10

Last Release

12d ago

PHP version history (2 changes)v0.1.0PHP ^8.2

v0.3.0PHP ^8.3

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/10361843?v=4)[Mohammad El-Haj](/maintainers/mh2x)[@mh2x](https://github.com/mh2x)

---

Top Contributors

[![mh2x](https://avatars.githubusercontent.com/u/10361843?v=4)](https://github.com/mh2x "mh2x (19 commits)")

---

Tags

consoleterminallaraveldebugshellartisanlogscodenziabrowser-console

###  Code Quality

TestsPest

Code StyleLaravel Pint

### Embed Badge

![Health badge](/badges/codenzia-browser-console/health.svg)

```
[![Health](https://phpackages.com/badges/codenzia-browser-console/health.svg)](https://phpackages.com/packages/codenzia-browser-console)
```

###  Alternatives

[nasirkhan/laravel-starter

A CMS like modular Laravel starter project.

1.4k2.7k](/packages/nasirkhan-laravel-starter)[mwguerra/web-terminal

A web-based terminal component for Filament/Laravel with command whitelisting and multiple connection types

296.1k](/packages/mwguerra-web-terminal)[team-nifty-gmbh/tall-datatables

Server-side rendered datatables for Laravel and Livewire

1320.9k4](/packages/team-nifty-gmbh-tall-datatables)[tomshaw/electricgrid

A feature-rich Livewire package designed for projects that require dynamic, interactive data tables.

119.4k](/packages/tomshaw-electricgrid)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
