limenet/laravel-baseline
========================

A highly opinionated Laravel baseline.

2.3.0 (4d ago) | 21.1k | ↓53.9% | [2 PRs](https://github.com/limenet/laravel-baseline/pulls) | MIT | PHP | PHP ^8.3 | CI passing

Since Aug 22 | Pushed 5d ago


Laravel Baseline
================


Checks your Laravel installation against a highly opinionated baseline.

Installation
------------


You can install the package via composer:

```
composer require limenet/laravel-baseline
```

You can publish the config file with:

```
php artisan vendor:publish --tag="laravel-baseline-config"
```

Usage
-----

Add to the `scripts` section of your `composer.json` to run checks (and auto-fix) after every `composer update`:

```
"scripts": {
    "post-update-cmd": [
        "@php artisan limenet:laravel-baseline:check --fix"
    ]
}
```

### Running checks


```
# Check only — report issues without making changes
php artisan limenet:laravel-baseline:check

# Auto-fix — apply all safe automatic fixes, then report remaining issues
php artisan limenet:laravel-baseline:check --fix
```

**Checks marked 🔧** below support `--fix`. When `--fix` is used:

- Fully fixable checks: all conditions are applied automatically.
- Partially fixable checks *(requires package installed first)*: configuration/script entries are fixed once the package is installed via `composer require`.
- Non-fixable checks: report the issue with an actionable message.

### AI guidelines & skills

The package also ships [Laravel Boost](https://laravel.com/docs/boost) resources under `resources/boost/`: an always-on guideline (the dev loop — `ci-lint`, tests, DDEV-first conventions) and on-demand skills (e.g. `creating-a-release`). When a project that has `laravel/boost` installed runs `php artisan boost:install` or `php artisan boost:update --discover`, Boost discovers and publishes these to the consuming project's coding agents automatically.

Checks
------


This package validates your Laravel installation against the following checks:

### Testing & Quality Tools

- **`usesPest()`** - Validates Pest testing framework is configured (not PHPUnit directly)
- 🔧 **`usesRector()`** - Validates Rector automated code modernization is installed *(partial: fixes ci-lint script if packages installed)*
- **`usesLarastan()`** - Validates Larastan static analysis tool is configured
- **`usesPhpstanExtensions()`** - Validates PHPStan extensions are installed
- **`phpstanLevelAtLeastEight()`** - Validates PHPStan is configured to at least level 8
- 🔧 **`usesPhpInsights()`** - Validates PHP Insights is configured: ci-lint scripts and `disable-security-check => true` in `config/insights.php` *(partial: fixes ci-lint scripts if package installed)*
- 🔧 **`checkPhpunit()`** - Validates PHPUnit configuration with coverage reports *(adds missing XML nodes and APP\_KEY)*
- 🔧 **`hasRectorConfigWithComposerBased()`** - Validates Rector `withComposerBased(phpunit, symfony, laravel)` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithConfiguredRules()`** - Validates Rector `withConfiguredRule()` calls are present for `RouteActionCallableRector` and `WhereToWhereLikeRector` *(appends calls to rector.php)*
- 🔧 **`hasRectorConfigWithPreparedSets()`** - Validates Rector `withPreparedSets(deadCode, codeQuality, codingStyle, typeDeclarations, privatization, instanceOf, earlyReturn)` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithImportNames()`** - Validates Rector `withImportNames(importShortClasses: false)` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithPhpSets()`** - Validates Rector `withPhpSets()` is called *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithAttributesSets()`** - Validates Rector `withAttributesSets()` is called *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithSetProviders()`** - Validates Rector `withSetProviders(LaravelSetProvider)` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithRules()`** - Validates Rector `withRules([AddGenericReturnTypeToRelationsRector, MinutesToSecondsInCacheRector, UseForwardsCallsTraitRector])` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithSets()`** - Validates Rector `withSets([LaravelBaselineSetList::REMOVE_DEFAULT_DOCBLOCKS, LaravelSetList::LARAVEL_*])` is configured with all required sets *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithPaths()`** - Validates Rector `withPaths([app, database, routes, tests])` is configured *(appends call to rector.php)*
- 🔧 **`hasRectorConfigWithSkip()`** - Validates Rector `withSkip()` contains required skipped rules (always: 6 Laravel rules; Laravel 13+: TablePropertyToTableAttributeRector; when server.php exists: ServerVariableToRequestFacadeRector) *(appends call to rector.php)*

### IDE & Developer Tools

- 🔧 **`hasEditorconfig()`** - Validates `.editorconfig` exists with required settings (`root = true`, `charset`, `end_of_line`, `indent_style`, `insert_final_newline`, `trim_trailing_whitespace`) *(creates `.editorconfig` with canonical content if missing or incomplete)*
- 🔧 **`hasClaudeSettingsWithLaravelSkills()`** - Validates Claude Code settings include the Laravel agent skills plugin and marketplace *(creates/merges `.claude/settings.json`)*
- 🔧 **`doesNotHaveLaravelSimplifierInClaudeSettings()`** - Fails if the deprecated `laravel-simplifier@laravel` plugin is still enabled in `.claude/settings.json` *(removes the entry)*
- 🔧 **`deniesEnvReadsInClaudeSettings()`** - Validates `.claude/settings.json` `permissions.deny` blocks reading `.env` plus every environment that ships an encrypted file (each `.env.{env}.encrypted` in the project root requires denying `.env.{env}`); `.env.example` stays readable *(merges the deny entries)*
- 🔧 **`allowsToolingInClaudeSettings()`** - Validates `.claude/settings.json` `permissions.allow` includes the DDEV dev-loop commands (`ddev composer run ci-lint`, `ddev composer test`, and safe artisan commands: `test`, `make:*`, `route:list`, `about`, `config:show`, `ide-helper`, `optimize:clear`, `cache:clear`, `config:clear`, `route:clear`, `view:clear`) so the dev loop runs without prompts *(merges the allow entries)*
- 🔧 **`runsCiLintHookInClaudeSettings()`** - Validates `.claude/settings.json` has a `Stop` hook running `ddev composer run ci-lint` *(appends the hook)*
- 🔧 **`usesIdeHelpers()`** - Validates Laravel IDE Helper is configured *(partial: adds post-update scripts if package installed)*
- **`usesLaravelAdminer()`** - Warns if Laravel Adminer database UI is missing (optional), validates TFA confirmation and configuration when installed
- 🔧 **`usesLaravelBoost()`** - Validates Laravel Boost AI development tool *(partial: fixes boost.json and post-update script if package installed)*
- 🔧 **`laravelBoostMcpUsesDdev()`** - Validates `.mcp.json` configures the `laravel-boost` MCP server to use `ddev artisan boost:mcp` *(creates/fixes `.mcp.json`; warns if `laravel/boost` not installed)*
- **`runsBoostUpdate()`** *(periodic, every 30 days)* - Warns if Laravel Boost is not installed; when installed, fails until a developer confirms running `php artisan boost:update --discover` via `limenet:laravel-baseline:periodic`
- **`followsModernLaravelIdioms()`** *(periodic, every 30 days)* - On Laravel ≥12.45, fails until a developer confirms (via `limenet:laravel-baseline:periodic`) that cache/session calls use typed getters (`Cache::string()` etc.) and pass BackedEnum cases directly as keys, by running the `auditing-laravel-idioms` skill
- 🔧 **`usesLimenetPintConfig()`** - Validates custom Laravel Pint formatting standards *(partial: adds post-update script if package installed)*
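
The rule described for `deniesEnvReadsInClaudeSettings()` can be reproduced as a stand-alone audit. The following is an added example, not code from this package; it assumes the deny entries use Claude Code's `Read(./path)` rule syntax, and the function names and demo files are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from limenet/laravel-baseline.
// Assumption: deny entries use Claude Code's "Read(./path)" rule syntax.

/** Deny rules implied by the files present in the project root. */
function requiredEnvDenyRules(string $projectRoot): array
{
    $rules = ['Read(./.env)']; // .env is always denied
    foreach (scandir($projectRoot) ?: [] as $file) {
        // ".env.production.encrypted" means ".env.production" must be denied;
        // ".env.example" is never added, so it stays readable.
        if (preg_match('/^(\.env\.[A-Za-z0-9_-]+)\.encrypted$/', $file, $m) === 1
            && $m[1] !== '.env.example') {
            $rules[] = "Read(./{$m[1]})";
        }
    }
    $rules = array_values(array_unique($rules));
    sort($rules);
    return $rules;
}

/** Required rules that permissions.deny in the settings JSON lacks. */
function missingEnvDenyRules(string $settingsJson, array $required): array
{
    $settings = json_decode($settingsJson, true);
    // Unparseable or malformed settings count as "nothing denied".
    $deny = is_array($settings) ? ($settings['permissions']['deny'] ?? []) : [];
    $deny = is_array($deny) ? array_filter($deny, 'is_string') : [];
    return array_values(array_diff($required, $deny));
}

// Constructed demo project: two environments ship an encrypted file.
$root = sys_get_temp_dir() . '/baseline-demo-' . bin2hex(random_bytes(4));
mkdir($root);
foreach (['.env', '.env.example', '.env.production.encrypted', '.env.staging.encrypted'] as $f) {
    touch("$root/$f");
}
// Constructed settings: the staging environment was forgotten.
$settings = '{"permissions":{"deny":["Read(./.env)","Read(./.env.production)"]}}';

$required = requiredEnvDenyRules($root);
$missing = missingEnvDenyRules($settings, $required);
echo 'required: ', implode(', ', $required), PHP_EOL;
echo 'missing:  ', implode(', ', $missing), PHP_EOL;

// Remove the demo files, then signal the result to a CI job.
foreach (array_diff(scandir($root), ['.', '..']) as $f) {
    unlink("$root/$f");
}
rmdir($root);
exit($missing === [] ? 0 : 1);
```

The non-zero exit code when a rule is missing lets the script gate a pipeline step; settings that fail to parse are treated as denying nothing, so the audit fails closed.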

### Laravel Features & Monitoring

- 🔧 **`usesLaravelHorizon()`** - Validates Laravel Horizon Redis queue manager *(partial: adds ci-deploy-post script if package installed)*
- **`usesLaravelPennant()`** - Warns if Laravel Pennant feature flags are missing (optional)
- 🔧 **`usesLaravelPulse()`** - Validates Laravel Pulse application monitoring *(partial: adds PULSE\_ENABLED=false to phpunit.xml if package installed)*
- 🔧 **`usesLaravelTelescope()`** - Validates Laravel Telescope request debugging *(partial: adds post-update script and TELESCOPE\_ENABLED=false to phpunit.xml if package installed)*
- **`usesSpatieHealthSetup()`** - Validates Spatie Health packages, schedules, s3\_health disk, and result store configuration
- 🔧 **`usesSpatieHealthHasCoreChecks()`** - Validates core health checks (CacheCheck, CpuLoadCheck, DatabaseCheck, DatabaseConnectionCountCheck, DebugModeCheck, EnvironmentCheck, HorizonCheck, QueueCheck, RedisCheck, ScheduleCheck, UsedDiskSpaceCheck) are registered *(adds missing checks to Health::checks() in AppServiceProvider)*
- 🔧 **`usesSpatieHealthHasLaravelVersionCheck()`** - Validates LaravelVersionCheck is registered in Health::checks() *(adds to AppServiceProvider)*
- 🔧 **`usesSpatieHealthHasPhpVersionCheck()`** - Validates PhpVersionCheck is registered in Health::checks() *(adds to AppServiceProvider)*
- 🔧 **`usesSpatieHealthHasReleaseAgeCheck()`** - Validates ReleaseAgeCheck is registered in Health::checks() *(adds to AppServiceProvider)*
- **`usesSpatieHealthCacheCheckCacheStore()`** - Validates CacheCheck uses the dedicated 'health-checks' cache store via `->driver('health-checks')` in AppServiceProvider and config/cache.php
- **`usesSpatieHealthQueueCheckCacheStore()`** - Validates QueueCheck: DispatchQueueCheckJobsCommand is scheduled everyMinute(), uses the dedicated 'health-checks' file cache store in AppServiceProvider and config/cache.php
- **`usesSpatieHealthQueueCheckHorizonQueues()`** - Validates QueueCheck registers all queues from config/horizon.php via onQueue() (requires laravel/horizon)
- **`usesSpatieHealthScheduleCheckCacheStore()`** - Validates ScheduleCheck uses the dedicated 'health-checks' cache store in both AppServiceProvider and config/cache.php
- 🔧 **`usesSpatieHealthScheduleCheckHeartbeat()`** - Validates ScheduleCheck is configured with `heartbeatMaxAgeInMinutes(2)` to prevent false positives *(appends the call to ScheduleCheck in AppServiceProvider)*
- **`usesSpatieBackup()`** - Validates Spatie Backup database backups with comprehensive config validation

### Infrastructure & Dependencies

- **`usesPredis()`** - Validates Predis Redis client is installed
- **`isLaravelVersionMaintained()`** - Validates Laravel 11+ is used
- 🔧 **`doesNotUseSail()`** - Validates Sail is NOT used *(partial: deletes docker-compose.yml; run `composer remove laravel/sail` manually)*
- **`doesNotUseSpatiePasskeysWithFortify()`** - Fails if both `spatie/laravel-passkeys` and `laravel/fortify` are installed, as they overlap in authentication responsibility
- **`doesNotUseHorizonWatcher()`** - Validates Spatie Horizon Watcher is NOT installed
- 🔧 **`doesNotUseGreaterThanOrEqualConstraints()`** - Validates no `>=` version constraints in composer.json (use `^` or `~` instead) *(replaces `>=X.Y` with `^X.Y` in composer.json)*

### CI/CD & Deployment

- **`hasCiJobs()`** - Validates GitLab CI pipeline jobs are properly configured
- 🔧 **`hasTrivyConfig()`** - Validates Trivy security scanning CI job, `trivy.yaml` (scanners, skip-files, skip-dirs, ignorefile, cache.dir, telemetry/VEX/dependency-tree flags), presence of `.trivyignore.yaml`, and `.trivycache/` in `.gitignore` *(creates/merges trivy.yaml, creates an empty .trivyignore.yaml, appends to .gitignore, and adds CI job)*
- **`callsSentryHook()`** - Warns if Sentry error tracking is missing (optional)
- **`phpVersionMatchesCi()`** - Validates PHP version consistency with CI configuration
- **`isCiLintComplete()`** - Validates complete linting pipeline
- **`doesNotUseIgnition()`** - Validates Ignition debugger is NOT installed

### Local Development


- **`phpVersionMatchesDdev()`** - Validates PHP version consistency with DDEV
- 🔧 **`ddevHasPcovPackage()`** - Validates DDEV coverage configuration *(adds pcov to webimage\_extra\_packages and creates .ddev/php/90-custom.ini)*
- **`ddevHasRedisAddon()`** - Validates DDEV Redis addon is installed and at minimum version 2.2.0
- 🔧 **`ddevMutagenIgnoresNodeModules()`** - Validates DDEV Mutagen sync configuration *(creates mutagen.yml and fixes .gitignore)*
- **`updatesDdevAddons()`** - Fails if any installed DDEV add-on (`.ddev/addon-metadata/*/manifest.yaml`) has an `install_date` older than 3 months; comment shows the `ddev add-on get ` command to refresh each stale add-on

### Build & Release

- 🔧 **`bumpsComposer()`** - Validates automatic composer dependency bumping *(adds `composer bump` to post-update-cmd)*
- 🔧 **`usesReleaseIt()`** - Validates automated release management *(partial: creates/fixes .release-it.json and adds release npm script if packages installed)*
- **`hasNpmScripts()`** - Validates required npm build scripts

### Security & Configuration

- 🔧 **`modelShouldBeStrict()`** - Validates `Model::shouldBeStrict()` is called in AppServiceProvider with `true`, no argument, or a dynamic expression (not `false`) *(adds `Model::shouldBeStrict(! app()->isProduction())` to boot())*
- 🔧 **`formRequestFailOnUnknownFields()`** - Validates `FormRequest::failOnUnknownFields()` is called in AppServiceProvider (Laravel ≥13.6 only; warns on older versions) *(adds `FormRequest::failOnUnknownFields(! app()->isProduction())` to boot())*
- **`hasDailyLogging()`** - Validates logging uses `daily` channel (directly or via `stack`)
- **`hasEncryptedEnvFile()`** - Validates encrypted environment file exists
- **`usesReadableEncryptedEnvFile()`** - Validates the encrypted env file uses the readable line-per-variable format produced by `ddev artisan env:encrypt --readable` (variable names stay visible in diffs), not the opaque blob format. Passes when no encrypted file exists (existence is `hasEncryptedEnvFile`'s concern).
- **`doesNotPinOldMailTemplate()`** - Fails if a published mail view that pins the old template (`resources/views/vendor/mail/html/themes/default.css` or `html/header.blade.php`) exists, preventing adoption of Laravel's modernized mail template.
- 🔧 **`callsBaseline()`** - Validates self-validation runs after updates *(adds/upgrades post-update-cmd entry to include `--fix`)*
- **`doesNotCallPeriodicBaselineOnUpdate()`** - Fails if `php artisan limenet:laravel-baseline:periodic` is in the `post-update-cmd` scripts (it shouldn't be — periodic checks fail CI automatically when expired)
- 🔧 **`doesNotHaveGuidelinesScript()`** - Fails if the removed `php artisan limenet:laravel-baseline:guidelines` command is still in `post-update-cmd` (removed in v2.1.0) *(removes the entry from composer.json)*
- 🔧 **`isInstalledAsRegularDependency()`** - Validates `limenet/laravel-baseline` is in `require` (not `require-dev`) *(moves from require-dev to require in composer.json)*
- 🔧 **`usesLaravelLang()`** - Validates `laravel-lang/lang` dev dependency is installed with `lang:update` and pint in post-update scripts *(partial: adds post-update scripts if package in require-dev)*

Testing
-------


```
composer test
```

Changelog
---------


Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------


Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

Security Vulnerabilities
------------------------


Please review [our security policy](../../security/policy) on how to report security vulnerabilities.

Credits
-------


- [Linus Metzler](https://github.com/limenet)
- [All Contributors](../../contributors)

License
-------


The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

### Health Score

53 (Fair). Better than 96% of packages.

- Maintenance: 99. Actively maintained with recent releases.
- Popularity: 21. Limited adoption so far.
- Community: 9. Small or concentrated contributor base.
- Maturity: 68. Established project with proven stability.
- Bus Factor: 1. Top contributor holds 96.7% of commits — single point of failure.

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~3 days
- Total: 102
- Last release: 4d ago
- Major versions: v0.2.12 → v1.0.0 (2025-11-07); 1.3.6 → v2.0.0 (2026-05-10)
- PHP version history (2 changes): v0.1.0 PHP ^8.3; v0.1.6 PHP ^8.2

### Community

- Maintainers: [limenet](/maintainers/limenet)
- Top contributors: [limenet](https://github.com/limenet) (266 commits), dependabot[bot] (7 commits), github-actions[bot] (2 commits)
- Tags: laravel, Linus Metzler, laravel-baseline

### Code Quality

- Tests: Pest
- Static Analysis: PHPStan
- Code Style: Laravel Pint

