PHPackages laravel-chronicle/anchor-s3 - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [File & Storage](/categories/file-storage) 4. / 5. laravel-chronicle/anchor-s3 ActiveLibrary[File & Storage](/categories/file-storage) laravel-chronicle/anchor-s3 =========================== S3 Object Lock (WORM) anchoring adapter for the Chronicle audit ledger. 1.0.0(today)10MITPHPPHP ^8.2 Since Jun 9Pushed today1 watchersCompare [ Source](https://github.com/laravel-chronicle/anchor-s3)[ Packagist](https://packagist.org/packages/laravel-chronicle/anchor-s3)[ GitHub Sponsors](https://github.com/ntoufoudis)[ RSS](/packages/laravel-chronicle-anchor-s3/feed)WikiDiscussions main Synced today READMEChangelog (1)Dependencies (7)Versions (3)Used By (0) Chronicle S3 Object Lock Anchor =============================== [](#chronicle-s3-object-lock-anchor) An [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html)(WORM) anchoring adapter for [`laravel-chronicle/core`](https://github.com/laravel-chronicle/core). It writes each checkpoint's digest — `sha256(id . chain_hash . created_at)` — to a **locked, versioned** S3 object in an independent trust domain. Even an attacker who rewrites the ledger and re-signs every checkpoint with a valid key cannot alter the locked object, so `chronicle:verify --anchors` fails on the tampered checkpoint. Installation ------------ [](#installation) ``` composer require laravel-chronicle/anchor-s3 ``` The package auto-registers `AnchorS3ServiceProvider`, which binds a default `Aws\S3\S3Client` from `AWS_DEFAULT_REGION` / standard AWS credentials. Bucket setup (one-time) ----------------------- [](#bucket-setup-one-time) Object Lock requires a **versioned** bucket created with Object Lock enabled: ``` aws s3api create-bucket \ --bucket my-chronicle-anchors \ --object-lock-enabled-for-bucket \ --region eu-west-1 \ --create-bucket-configuration LocationConstraint=eu-west-1 # (Optional) a default retention rule; per-object retain-until still applies. aws s3api put-object-lock-configuration \ --bucket my-chronicle-anchors \ --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":3650}}}' ``` - **COMPLIANCE** (default): no one — not even the root account — can delete or shorten retention until it expires. Use for regulated/SOC 2 profiles. - **GOVERNANCE**: principals with `s3:BypassGovernanceRetention` can override. Registration ------------ [](#registration) Enable anchoring and register the provider in your published `config/chronicle.php`: ``` 'anchoring' => [ 'enabled' => true, 'providers' => [ 's3-object-lock' => [ 'provider' => \Chronicle\AnchorS3\S3ObjectLockAnchor::class, 'bucket' => env('CHRONICLE_S3_ANCHOR_BUCKET'), 'prefix' => 'chronicle/anchors', // optional (default 'chronicle/anchors') 'mode' => 'COMPLIANCE', // or 'GOVERNANCE' 'retain_days' => 3650, // optional ], ], ], ``` New checkpoints are then anchored automatically (queued); or anchor on demand with `php artisan chronicle:checkpoint --anchor`, retry with `chronicle:anchor:retry`, and attest stored anchors with `chronicle:anchor:verify` / `chronicle:verify --anchors`. Required IAM actions -------------------- [](#required-iam-actions) On the anchor bucket (`arn:aws:s3:::my-chronicle-anchors/*` and the bucket ARN): ActionUsed byWhy`s3:PutObject``anchor()`Write the digest object`s3:PutObjectRetention``anchor()`Apply per-object Object Lock retention`s3:GetObject``verify()`Re-read the exact object version`s3:GetObjectVersion``verify()`Read by `VersionId``s3:GetObjectRetention``verify()`Confirm lock metadataGrant **no** `s3:DeleteObject*` — anchors are write-once by design. How it works ------------ [](#how-it-works) - `anchor()` → `PutObject` of the digest with `ObjectLockMode` + `ObjectLockRetainUntilDate`. Receipt: `reference = "bucket/key@versionId"`, `proof = ETag`. - `verify()` → `GetObject` of that exact version; passes only if the stored bytes equal the recomputed digest **and** lock metadata is present **and** the ETag matches. `verify()` makes one S3 read; it is **not** offline (unlike the core RFC 3161 anchor), which is the deliberate trade for an independent, account-isolated trust domain. Testing ------- [](#testing) ``` composer test # Pest (mocked S3 — never touches a real bucket) composer analyse # PHPStan level 10 ``` ### Health Score 41 — FairBetter than 87% of packages Maintenance100 Actively maintained with recent releases Popularity2 Limited adoption so far Community7 Small or concentrated contributor base Maturity47 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 0d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/9a0e4562d814e61aaa5dc698cc667c6d6c90c98516142b60c0924b337c418355?d=identicon)[ntoufoudis](/maintainers/ntoufoudis) --- Top Contributors [![ntoufoudis](https://avatars.githubusercontent.com/u/93659348?v=4)](https://github.com/ntoufoudis "ntoufoudis (9 commits)") --- Tags laravels3awsAuditchronicleWormanchoringobject-lock ### Code Quality TestsPest Static AnalysisPHPStan Code StyleLaravel Pint ### Embed Badge ![Health badge](/badges/laravel-chronicle-anchor-s3/health.svg) ``` [![Health](https://phpackages.com/badges/laravel-chronicle-anchor-s3/health.svg)](https://phpackages.com/packages/laravel-chronicle-anchor-s3) ``` ### Alternatives [aws/aws-sdk-php-laravel A simple Laravel 9/10/11/12/13 service provider for including the AWS SDK for PHP. 1.7k37.3M83](/packages/aws-aws-sdk-php-laravel)[league/flysystem-aws-s3-v3 AWS S3 filesystem adapter for Flysystem. 1.7k277.8M952](/packages/league-flysystem-aws-s3-v3)[vinelab/cdn Content Delivery Network (CDN) Package for Laravel 217242.9k1](/packages/vinelab-cdn)[kolay/xlsx-stream Streaming XLSX reader and writer for PHP and Laravel. Constant memory regardless of file size, direct S3 multipart streaming, optional born-indexed random access. 436.0k](/packages/kolay-xlsx-stream)[unisharp/s3-presigned An AWS S3 package for pre-signed upload purpose in Laravel and PHP. 141.8k](/packages/unisharp-s3-presigned) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)