
ejosterberg/opensalestax-bagisto
================================

Bagisto package — destination-based US sales tax via the self-hosted OpenSalesTax engine

v0.3.0 (3w ago) | [4 PRs](https://github.com/ejosterberg/opensalestax-bagisto/pulls) | Apache-2.0 | PHP ^8.2 | CI failing


OpenSalesTax for Bagisto
========================

> **v0.1.0-alpha.1.** Installable; passes its unit-test suite; not yet validated against a live Bagisto storefront. The live cart integration test happens in the orchestrator project's VM 916 once this repo lands.

A free, self-hostable [Bagisto](https://bagisto.com/) package that swaps Bagisto's flat tax-rate tables for the [OpenSalesTax engine](https://github.com/ejosterberg/opensalestax) on US-destination, USD checkouts. No per-transaction fees, no SaaS lock-in — merchants run both Bagisto and OpenSalesTax on their own infrastructure.

> **Tax calculations are provided as-is for convenience. The merchant is solely responsible for tax-collection accuracy and remittance to the appropriate jurisdictions. Verify against your state Department of Revenue before remitting.**

What this package does
----------------------

- Registers a Laravel listener on Bagisto's `checkout.cart.collect.totals.after` event so the OpenSalesTax engine computes destination-based tax for the cart at every totals recalculation.
- Falls back silently to Bagisto's built-in tax-rate tables when the destination is non-US, the currency is non-USD, the destination ZIP can't be resolved, or the engine is unreachable (default fail-soft behavior — configurable to fail-hard).
- Caches engine responses keyed by ZIP-5 for the configured TTL (default 24 hours) via Laravel's cache layer, so a busy storefront makes one engine call per ZIP per day rather than one per cart recompute.
- Exposes Composer / Laravel-native configuration via `config/opensalestax.php` (publishable) and standard env vars, with **SSRF defense** built into the URL validator (rejects private / loopback / link-local / CGNAT hosts unless the merchant explicitly opts in).
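
A sketch of the kind of SSRF check the last bullet describes, added here as an example and not taken from the package: it resolves the `base_url` host and rejects any address in the private, loopback, link-local or CGNAT ranges unless the opt-in flag is set. The names `BLOCKED_RANGES`, `ipInCidr` and `validateBaseUrl`, the injectable resolver, and the blanket block on IPv4-mapped IPv6 are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: names are hypothetical, not the package's own validator.
const BLOCKED_RANGES = [ // private, loopback, link-local, CGNAT, as the README lists
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7', '127.0.0.0/8', '::1/128',
    '169.254.0.0/16', 'fe80::/10', '100.64.0.0/10', '::ffff:0:0/96', // last: IPv4-mapped (assumption)
];

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    [$a, $b, $bits] = [inet_pton($ip), inet_pton($net), (int) $bits];
    if ($a === false || strlen($a) !== strlen($b)) return false; // unparsable or family mismatch
    $full = intdiv($bits, 8);                 // whole bytes covered by the prefix
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // trailing partial byte; 0 when none
    return substr($a, 0, $full) === substr($b, 0, $full)
        && ($mask === 0 || (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask));
}

function validateBaseUrl(string $url, bool $allowPrivateNets = false, ?callable $resolver = null): array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['host']) || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new InvalidArgumentException('base_url must be an absolute http(s) URL');
    }
    $host = trim($p['host'], '[]'); // parse_url keeps the brackets on IPv6 literals
    $resolver ??= static fn (string $h): array => array_map(
        static fn (array $r): string => $r['ip'] ?? $r['ipv6'],
        dns_get_record($h, DNS_A | DNS_AAAA) ?: []
    );
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    foreach ($ips as $ip) { // every resolved address must pass, not only the first
        foreach (BLOCKED_RANGES as $cidr) {
            if (!$allowPrivateNets && ipInCidr($ip, $cidr)) {
                throw new InvalidArgumentException("$ip is inside blocked range $cidr");
            }
        }
    }
    return $ips ?: throw new InvalidArgumentException("$host does not resolve");
}

// Constructed inputs; the stub resolver replaces DNS so the demo runs offline.
$dns = fn (string $h): array => ['ost.lan.example' => ['203.0.113.10', '192.168.1.20']][$h] ?? [];
foreach (['https://203.0.113.10', 'http://100.64.0.5:8000', 'https://ost.lan.example'] as $u) {
    try {
        echo "$u ok: ", implode(',', validateBaseUrl($u, false, $dns)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$u rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

A check made once at configuration time does not cover later DNS changes; repeating it per request and pinning the connection to a vetted address (for example with cURL's `CURLOPT_RESOLVE`) closes that gap.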

What this package does NOT do
-----------------------------

- File or remit tax (calculation only — the merchant remits)
- Validate addresses
- Handle non-USD currencies or non-US destinations (passes those through to Bagisto's built-in tax)
- Validate tax-exempt customer certificates against state DORs
- Ship with the engine bundled — point it at your own [OpenSalesTax engine](https://github.com/ejosterberg/opensalestax)
- Multi-vendor (Bagisto Marketplace) per-vendor tax allocation (v0.2 candidate)

Requirements
------------

| Component | Minimum | Tested with |
| --- | --- | --- |
| PHP | 8.2 | 8.2, 8.3 |
| Bagisto | 2.0 | 2.3 |
| Laravel | 11.x | 11.x, 12.x |
| OpenSalesTax engine | 0.55.0 | 0.55.4 |

Install
-------

```
composer require ejosterberg/opensalestax-bagisto
php artisan vendor:publish --provider="OpenSalesTax\\Bagisto\\Providers\\OpenSalesTaxServiceProvider" --tag=config
```

The package's `OpenSalesTaxServiceProvider` is auto-discovered by Laravel — no manual registration needed.

Configure
---------

Edit `config/opensalestax.php` or set the env vars below:

| Setting | Env var | Default | Purpose |
| --- | --- | --- | --- |
| `base_url` | `OPENSALESTAX_BASE_URL` | (none) | Base URL of your OST engine, e.g. `https://ost.example.com` |
| `api_key` | `OPENSALESTAX_API_KEY` | (none) | Bearer token if your engine requires authentication. Use env-var storage; never commit. |
| `timeout` | `OPENSALESTAX_TIMEOUT` | `10` | HTTP timeout in seconds for engine requests. |
| `cache_ttl` | `OPENSALESTAX_CACHE_TTL` | `86400` | Cache TTL in seconds for engine responses, keyed by ZIP-5. |
| `fail_hard` | `OPENSALESTAX_FAIL_HARD` | `false` | When `true`, engine errors throw and surface to checkout. When `false` (default), engine errors fall back to Bagisto's built-in tax + log. |
| `allow_private_nets` | `OPENSALESTAX_ALLOW_PRIVATE_NETS` | `false` | When `true`, allows `base_url` to resolve to private / loopback / CGNAT hosts. Required when self-hosting OST on the same LAN as Bagisto. |
| `tls_verify` | `OPENSALESTAX_TLS_VERIFY` | `true` | Verify the engine's TLS certificate. Leave at `true` in production. |
| `nexus_states` | `OPENSALESTAX_NEXUS_STATES` | (empty) | Per-state nexus filter (CP-3, v0.2.0). Comma-separated list of US 2-letter state codes (e.g. `MN,WI,IA`). When set, the listener short-circuits the engine call for carts shipping to states not in the list. Empty / unset = engine called for every US/USD cart (pre-v0.2 behavior). See below. |

Until `base_url` is set the package is inert — Bagisto's built-in tax calc handles every cart.

### Per-state nexus filter (CP-3, v0.2.0)

Most US merchants only collect sales tax in a small set of states. Without a filter, every cart goes to the engine even when the merchant has no collection obligation for the destination.

Set `nexus_states` (or `OPENSALESTAX_NEXUS_STATES`) to a comma-separated list of US 2-letter codes to restrict engine round-trips:

```
OPENSALESTAX_NEXUS_STATES=MN,WI,IA
```

Behavior with the filter enabled:

- Cart shipping to MN, WI, or IA → engine called as usual.
- Cart shipping to any other state → short-circuit. Bagisto's built-in tax tables (typically: no tax) take over.
- Cart with missing / unresolvable destination state → fail-closed (also short-circuit). Safer default for a merchant who explicitly opted in.

Empty / unset = filter disabled (engine called for every cart). Brings this connector in line with WooCommerce v0.5, Vendure v1.2, and Odoo v0.3, which already shipped this filter.

How it works
------------

1. Bagisto's checkout pipeline fires `checkout.cart.collect.totals.after` after totals collection.
2. Our `CartTotalsListener` checks the gate (engine configured? cart currency is USD? shipping country is US? destination has a 5-digit ZIP?). If any check fails, control returns silently to Bagisto's tax tables.
3. With gates green, the listener builds an OST engine payload from the cart's line items, calls `POST /v1/calculate` via the [PHP SDK](https://github.com/ejosterberg/opensalestax-php), and writes the resulting tax onto the cart's `tax_total` / `base_tax_total` columns.
4. The response (per ZIP-5) is cached for the configured TTL via Laravel's cache abstraction. Cache key: `ost:rate:{zip5}`.
5. On engine error (timeout, 5xx, malformed body), behavior depends on `fail_hard`: `false` (default) — log a warning, leave Bagisto's tax intact; `true` — throw, surface to checkout.
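
The gate in step 2, the per-state nexus filter described earlier and the cache key from step 4 can be modelled as one decision function. This is an added example, not the package's `CartTotalsListener`: `parseNexusStates`, `gate`, the cart array keys and the order of the checks are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: function names and array keys are hypothetical, not the package's API.

/** "MN, wi,IA" -> ['MN', 'WI', 'IA']; entries that are not two letters are dropped. */
function parseNexusStates(?string $raw): array
{
    $codes = array_map(static fn (string $s): string => strtoupper(trim($s)), explode(',', $raw ?? ''));
    return array_values(array_filter($codes, static fn (string $c): bool => preg_match('/^[A-Z]{2}$/', $c) === 1));
}

/** Decide whether the engine is called; the order of the checks is an assumption. */
function gate(array $cart, array $cfg): array
{
    $skip = static fn (string $why): array => ['engine' => false, 'reason' => $why, 'cache_key' => null];
    if (empty($cfg['base_url'])) {
        return $skip('engine not configured');
    }
    if (strtoupper($cart['currency'] ?? '') !== 'USD' || strtoupper($cart['country'] ?? '') !== 'US') {
        return $skip('non-USD currency or non-US destination');
    }
    // Accept ZIP-5 or ZIP+4; only the five-digit prefix reaches the cache key.
    if (preg_match('/^(\d{5})(?:-\d{4})?$/D', trim($cart['postcode'] ?? ''), $m) !== 1) {
        return $skip('no 5-digit ZIP');
    }
    $nexus = parseNexusStates($cfg['nexus_states'] ?? null);
    $state = strtoupper(trim($cart['state'] ?? ''));
    if ($nexus !== [] && !in_array($state, $nexus, true)) {
        return $skip('state missing or outside nexus list'); // fail-closed
    }
    return ['engine' => true, 'reason' => 'all gates passed', 'cache_key' => 'ost:rate:' . $m[1]];
}

$cfg = ['base_url' => 'https://ost.example.com', 'nexus_states' => 'MN, wi,IA'];
$carts = [ // constructed sample carts
    ['currency' => 'USD', 'country' => 'US', 'postcode' => '55401-1234', 'state' => 'MN'],
    ['currency' => 'USD', 'country' => 'US', 'postcode' => '94105', 'state' => 'CA'],
    ['currency' => 'USD', 'country' => 'US', 'postcode' => '53703'], // state missing
    ['currency' => 'EUR', 'country' => 'DE', 'postcode' => '10115', 'state' => 'BE'],
];
foreach ($carts as $c) {
    $d = gate($c, $cfg);
    echo $c['postcode'], ': ', $d['engine'] ? "engine, {$d['cache_key']}" : 'Bagisto tax', " ({$d['reason']})", PHP_EOL;
}
```

Anchoring the ZIP pattern and keeping only the captured digits means no customer-supplied characters other than five digits ever reach the cache key.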

Logging
-------

Every engine interaction logs structured metadata (cart id, line count, HTTP status, RTT in milliseconds) via Laravel's default `Log` facade. **Customer addresses and full payloads are never logged.** The API key, when configured via env var, is held in process memory only — never written to logs.

Security
--------

See [`docs/SECURITY-REVIEW.md`](docs/SECURITY-REVIEW.md) for the v0.1 threat model and mitigation status.

To report a vulnerability privately, email **** — see [`SECURITY.md`](SECURITY.md). Don't open a public GitHub issue for security reports.

Development
-----------

```
composer install
composer check     # phpunit + phpstan max + php-cs-fixer + composer audit
```

See [`CONTRIBUTING.md`](CONTRIBUTING.md) for branch model, DCO sign-off, and the quality gate.

Related projects
----------------

| Repo | What it is |
| --- | --- |
| [`ejosterberg/opensalestax`](https://github.com/ejosterberg/opensalestax) | The engine (Python + FastAPI) — the merchant runs an instance |
| [`ejosterberg/opensalestax-php`](https://github.com/ejosterberg/opensalestax-php) | The PHP SDK this package depends on |
| [`ejosterberg/opensalestax-magento`](https://github.com/ejosterberg/opensalestax-magento) | Magento 2 module — same engine, Magento storefront |
| [`ejosterberg/opensalestax-woocommerce`](https://github.com/ejosterberg/opensalestax-woocommerce) | WooCom (WooCommerce) plugin — same engine, WordPress storefront |

License
-------

Dual-licensed under your choice of [Apache-2.0](LICENSE-APACHE.txt) OR [GPL-2.0-or-later](LICENSE-GPL.txt). See [`LICENSE`](LICENSE).

### Health Score

40 (Fair). Better than 86% of packages.

- Maintenance: 97. Actively maintained with recent releases
- Popularity: 7. Limited adoption so far
- Community: 6. Small or concentrated contributor base
- Maturity: 42. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 100% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~1 days
- Total: 7
- Last release: 21d ago

### Community

- Maintainers: [ejosterberg](/maintainers/ejosterberg)
- Top contributors: [ejosterberg](https://github.com/ejosterberg) (7 commits)
- Tags: bagisto, laravel, opensalestax, php, sales-tax, tax-calculation, us-tax, laravel, tax, tax calculation, sales tax, bagisto, opensalestax, us-tax

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: PHP CS Fixer
- Type coverage: Yes
