Passkeys, Moats, and Scheduling Models
Hey everybody welcome to Laravel
news podcast episode 259 today is
Wednesday the 27th of May
2026 glad to have you with us. Mr.
Dyrynda. How's it going my friend?
Going well, I had a bit more sleep last
night than the night. Nice. Just okay
You know, we've got we've got the full
schedule published for Laracon AU
happening next week?
So next week and so as
these things always go it's a
Mad to the finish line to make sure
everything is in place. So
Yeah, we are
Did the we said we had all the all the
speaker acceptances came
through we sent out nice
nations to the people that we didn't
place on the schedule this year and had
some a few people reach out for
For for feedback which we were well
positioned to give meaningful face here
because I feel like that's always a gap,
you know, some people and
some events will not send you
a notice at all like you either
get the
Invitational you get crickets and some
events. Yeah, we'll send like a very you
know blunt kind of one line
Sorry, you didn't make it. And
We we try to do things a little bit
differently this year in terms of like
sending the blanket email
but then also we emailed the whole list
just kind of talking about how we built
the whole program this year and
I'm excited to share this year's lineup
with everyone next week
How cool. Yeah, that's awesome
I know you guys have put a ton of work
into the process and we actually talked
about that over on our other podcast
I think a couple weeks ago
And so definitely check that one out
If you're interested if you've ever had
to run a conference yourself and are
curious about the best way to accept
Submissions and then review those
submissions. You might
want to give that one a listen
I know that the speakers and the
attendees this year will very much
appreciate all the work that went into
creating the lineup and
the scheduling of it
and the cadence of it and
Just all the attention to detail that was
given to the lineup this year. So
congratulations. I'm finishing that up.
That is very exciting
We've also actually I don't know if we're
talking about it later on but like layer
valve Japan was kind of going all over
Yeah
Pretty cool. So that was a that was an
event that was going
on the last couple days
So excited to see if some of the blog
posts come out about that one here from
all the folks who were
there in the meantime
However, we have got some releases some
news and some packages for you. We're
gonna kick it off with Laravel 13 dot
9 so what is new in
Laravel 13.9? We've got password
Rules, you can now auto
generate valid passwords in
In
There is this thing in 1Password, what
is this thing? Hold
on. I gotta look at this
so this is like a string
that goes into an attribute on
Your your password input fields and it
serves as a hint to
1Password that these
Parameters that you need to follow
So if you're just like an alphanumeric
thing then 1Password knows it won't
put symbols in there if it needs to
constrain to a length
very cool
It basically hooks into your
Password rules in your application and
then generates a string that 1Password
can then understand when it comes to
generating a password
So that you know, we've been we've been
to those websites
usually financial institutions
We generate a random 32
character password. Yeah
Yeah, no, we need a
Eight characters letters and
numbers are only kind of thing
So this this allows you to generate the
string that is compatible with 1Password
and it's not really actually
even something that's generally
It's 1Password specific. This is
actually a specification that was
introduced by Apple. It looks like so
this password rules validation tool
That is allowed in there
But this was something that was
introduced by them that lets browsers and
password managers
including not only 1Password
But also Safari and Bitwarden
Read an app's password constraints and
then generate a valid password
Automatically rather than the user having
to trial and error a suggested password
against validation errors. So
Really nice that's very very cool. There
also is this uncompromised
Which, uh, has no password rules equivalent
and is not included in the output
So this is sort of this
Have I Been Pwned sort of thing
I believe which checks for commonly used
passwords and makes sure
that those are not in the list
The password that you're
putting in is not in that list
So they have in the documentation here
the outputs for common combinations
verified against the merge tests
Most practical use is
pairing it with password
defaults so that the same policy that
you're defining in your app service
provider drives both the
server side validation and the
Browser's password suggestions so you can
set this up in your app service provider
You simply say password do dot defaults
and then you pass in there a closure
With the requirements for your password
and then you are able to use that both in
the front end as well as in your
Validation so when the user focuses into
a field that has that
password manager support
It'll be offered a generated password
that already satisfies the rules no back
and forth with the
validation errors very very cool
I have never heard of
this before actually
Um, Liam is the contributor of that one
Liam Hammett longtime community member
Contributed that one. So good job on
that. Okay. We've
also got cloud queue metrics
So these are three PRs
all by TMac, Tim MacDonald
This adds metrics tracking for
Laravel cloud queue connections
This is the new illuminate
foundation cloud queue decorator
what this does is it
wraps any queue driver and
emits events through a socket when jobs
are queued when processing starts and
Finishes and what this does is it gives
Laravel cloud
visibility into your throughput
Processing duration and worker activity
and so you can get reporting on that now
Config caching is also
now supported for cloud queues
Prefix and suffix values are read from
the config file rather than from the
environment variables directly
So that PHP artisan config cache will
work correctly in your cloud deployments,
which is something I would highly suggest
Doing in your cloud deployments similar
to how you would do it in a regular
VPS situation helps
on those lookups. Okay
optional disk storage for large
SQS payloads so SQS which is like simple
queuing service. This is AWS's offering
For queues. Let's think of it as some
simple email service ses. This is SQS
There is a maximum
message size of one megabyte
So when you have a job that's the
serialized payload is ending up being
more than a megabyte
AWS is just going to reject it with an
invalid parameter value,
which isn't super helpful
But this release adds a built-in solution
Which is an extended store options block
in the SQS queue connection config that
will take those large
payloads and will offload them
To a file system disk such as s3 and then
it will send it a
small pointer through SQS
Instead then workers will fetch that full
payload from disk when processing the
job. This reminds me of
Serializes models where what it will do
is instead of serializing the entire
model into the job payload
It will instead only grab the id the
pointer and then it will refetch that
from the database at
the time that it goes to
Run the job very similar here. It says
here's a little pointer
You can go fetch the entire payload off
of a disk and then it will
hydrate that object when the uh
When the job actually is
getting executed in your
in your application
So that is in the
queue.php config under the SQS
There's an existing config there and then
you have this extended store options
I would take a look at this in the
documentation as well
as in the show notes here
It has a couple different flags you're
going to need to be aware of it is
opt-in. It's backwards compatible. You
don't have to do this
Existing SQS users will be unaffected
unless they set the enabled value to true
under this extended store options
So very cool there orison is the one who
contributed that uh, Kevin
We ran into this
in the past when we were when when thing
then ping we still existed where
You know, we were passing payloads across
and the only way really around it
Is to take that payload throw it
As as this does to throw that payload
into s3 or whatever and then fetch it
again when the when the job is processed
And I mean you've got to balance the the
trade-off there is obviously okay
Now we've got the the http
latency to go and fetch that from
Um, you know to make
that extra request to s3
But in most practical cases if you're
deferring something to the queue, it's
not a huge issue unless you know
Unless you need to process that stuff
very quickly. So yeah, very cool. Very
cool to see that as
part of the framework now
Very very good. Yeah, absolutely. I
agree. Nice nice. Um, nice option there
Okay, concurrency, which is something
that was introduced. I
think maybe last year
Concurrency run will use
the process driver by default
So this will run each task through
Laravel's process layer
And then the problem is that that layer
has a default 60 second timeout and there
was no way to customize
that from the concurrency
Run option so a new timeout parameter has
been made available for that process
driver. You can add
this as a new parameter
Using named parameters timeout and just
set it to 300
whatever you might have there
um
And that will make sure that the long
running task that you might have there
won't time out with
that 60 second default
pending dispatch
Conditional so pending dispatch now
implements the conditionable trait which
is something that has existed before
Uh, but this is what adds
the when and the unless methods
To a particular class. So now you can
configure dispatch jobs in line without
wrapping those
dispatch calls and conditional
Send personal details to
fraud detection tool dispatch
arrow when or arrow unless
so that you can do basically
When i'm passing this to you go ahead and
inspect this object and see if it matches
the requirements that I need
In order to be able to do the dispatch so
you can just do the when or the unless
Directly on that dispatch
rather than having to wrap it
Nice little addition there prepares for
dispatch interface has been added
This adds a prepare for dispatch method
that will run before a
job is pushed to the queue
This method can return false to cancel
the dispatch entirely
And this will be useful for jobs that are
dispatched from multiple call sites that
all need the same pre-dispatch logic
For example, if you wanted to deduplicate
ids or check whether a job is still
needed before you start
consuming queue capacity
Maybe you're checking to see does this
does this thing even
exist anymore before I need to
Go do this. So at the time that this is
getting pushed to the queue
It's going to run this prepare for
dispatch method for it turns false. It
just eliminates it doesn't even bother
Uh going through that portion there
Okay schema helper.
There is a new foreign UUID for
Method on the schema blueprints. This is
inside of a migration so you
can say table foreign UUID for
You pass in a class and
then you say constraint
So while the existing foreign ID for already
handles uuid backed models
by detecting the key type
This new one foreign UUID for makes the
intent clear and then mirrors the same
model aware behavior
You could have just used id before but
uuid is more clear here. And so you're
going to use that one instead. Okay
Two more throttles
exceptions the back off method
On throttles exceptions middleware now
accepts a closure that will receive the
value or sorry the
throwable or the exception
So this is useful when
the exception carries
retry timing information such as a retry
after header from an external api you can
imagine that i'm making a
Job call out to this api endpoint. It
says nope, you're getting throttled now
We're going to send back
this retry after header
And so what you can do is you can delay
an additional amount of seconds rather
than a fixed back off value. So
Really handy there and
then lastly enum support
for contextual
attribute binding so the auth
authenticated and cache attributes now
accept both the unit enum
And backed enum values in addition to
strings. So let's this lets
you use enum cases to reference
Different guards and cache stores inside
of dependency injection again, just
following this through the framework now
We've got lots of places that accept
these different enums
um, the interesting thing about this one
is the unit enum is sort of a
a
Included enum value, uh, but it now
includes that as well as any other backed
enum value that you
might want to pass into there
Okay, that's all of it. That's a lot.
Check out the show notes for any other
additional details on Laravel 13.9
Laravel 13.10 little known Laravel
community member and sometimes
contributor Taylor Otwell
Added a new storage cache driver that
uses Laravel's file system and or storage
service to store cached values
This is primarily useful for using an
existing s3 disk as a key value cache.
There is no redis or memcached required
This default config cache, uh, that's
part of the Laravel framework now includes
a storage store entry and you can point
cache storage disk at any
configured disk including s3
And the cache driver will read and write
values through the file system layer
Each cached value is stored as a file
containing a serialized payload with an
expiration timestamp
Uh good nice, especially if you're you
know on Laravel cloud or on some other
Environment where you don't have
persistent local disk again the minor
overhead there is the HTTP stuff
So just something to be mindful of if you
are going down that route
The other option the other change here
from taylor is a new
Flag that you can pass to the queue work
command called stop when empty for
That will stop the worker after it has
gone a configured number of seconds
without processing any jobs
This stops the worker if no jobs have
been processed for that number of seconds
and it is useful for short-lived workers
In scaled down environments or any
situation where you want workers to exit
automatically when queues go quiet rather
than running indefinitely
Which is kind of handy and then you can
use your supervisor tasks
to spin them back up again
So they don't just go
away and never come back
Jack Bailis added a new worker idle event
that is dispatched when a queue worker
checks for a job and
finds the queue empty
This is distinct from job popping which
fires on every pop attempt regardless of
whether a job was found
Listening to the worker idle event lets
you detect workers that are genuinely
unused and is useful for rebalancing
worker capacity or logging idle time
Also from Jack Bailis
there is a worker options
Class I guess
Which includes the name flag and worker
configuration that is now passed to
pausing resuming
interrupted and looping worker events
Previously these events did not include
the workers configuration making it
harder to know which
working instance was resolved
That was involved in a listener
At Cosmos tech
introduced a
Lifecycle callbacks on the schedule group
Method which allows you to output
callback methods. Sorry on the lifecycle
This now supports the same lifecycle and
output callback methods available on
individual events and allows you to
attach callbacks once for an entire group
instead of repeating them
on each task inside of your
Schedule file you can have schedule group
and have some number of commands in there
And then you can have a on failure and
pass it a closure for any failing task in
the group and likewise for on success
Also from Cosmos tech
The scheduled event callbacks such as on
success on failure and then can now
optionally receive the
event instance as a parameter
And this gives call back direct access to
the events configuration its command its
output path and other properties
shout out there as well
We're grouping these
we've grouped these by
contributors this week
Oh, I just saw that it was another one
here this one. So at Tressor
Tressor Cassinda
Has added a new schema has foreign key
method that checks whether a specific
foreign key constraint exists on a table
Complimenting the existing get foreign
keys and has index helpers and which is
useful in migrations in package install
scripts and schema assertions
where you want to avoid adding or
removing I suppose a foreign key
That exists or doesn't exist depending on
which direction you're going
Also Tressor added a
queue failed artisan command
Support for the JSON flag which outputs
failed jobs as JSON and each entry includes
details about the job itself
An empty result returns an empty array
which matches the JSON support already in
route list db show
queue monitor and other
Commands useful. I suppose if you've got
machines reading the
output of these commands
The SQS extended store which was added in
Laravel 13.9 now it
supports a flush on clear option
When enabled running queue clear will also
call flush on the configured overflow
cache store after purging SQS
reclaiming storage immediately
Rather than waiting for TTL expiration
this matters for s3 backed stores
Where leftover objects incur an ongoing
cost the option defaults
preserve existing behavior,
but note that most cache stores
Um that for most cache stores
flush wipes the entire store
Uh queue assert pushed once is a more
readable alternative
to queue assert pushed times
Job clustering and then the number so you
can use this in your tests. Thanks to
whez hooper for that one
Queue fake now normalizes enum queue names the
same way the real queue
driver does so passing a unit
Enum case and a queue name to push size or
pending jobs will now work correctly and
assertions against enum queue
names behave consistently with
Their string equivalents and lastly Jared
tillbrook for
applications running on Laravel cloud
The request id is now output in logger
entries using a custom JSON
Formatter and will appear as a standalone
field rather than being nested inside the
Monolog context or
extra blocks another big chain
set of changes
Thanks to all the contributors
What is this unit enum thing?
The unit enum is a enum that doesn't have
a backed value. It's just a list of cases
Gotcha
Gotcha. Gotcha. Okay, you might not need
to you just want like here
is a typed set of options
But you don't necessarily need to store
it anywhere or whatever. It's just this
is how we're going to
refer to things inside of
Inside of code
That makes sense makes sense
Well, hey folks, we're going to switch
gears a little bit here
If you happen to be a fan of
tailwind css you are in luck
We are talking about
tailwind css version 4.3.0,
there's a couple new things that
you're going to want to be aware of
How many of you guys
remember dynamic drive?
Dhtml think back way back and just try
and remember what that was
Um, yeah, it was a long time ago
Well, it used to be a thing that you know
You'd sort of customize
mouse cursors around the screen
You have like a trailing mouse cursor and
stuff things something like that, but you
would also at that time
Customize scroll bars. So a lot of times
you just like hide the scroll bar
altogether because it was like
Yeah, it's sort of let's hide the scroll
bar and that sort of stuff
And then it kind of fell out of style
Well tailwind css version 4.3.0 is not
satisfied to stop with the defaults
They're saying we want to provide
first-party utilities for styling
Scroll bars and i've got to say if you
look at some of the examples they have
it's actually pretty cool
So now you can control the width and the
color of scroll bars directly
You can also reserve gutter space to
prevent layout shift when those scroll
bars appear, which is
actually pretty cool
So you can say I want to reserve this
much width on the side of
my page because I do not want
The value I don't want all my layout to
shift when that value gets when that size
gets taken up by the scroll bar
Which I think is probably the original
problem. They set out to solve and
they're like, you know what?
Let's also do the styling stuff too. Why
not right? So you've got scroll bar thin
Scroll bar thumb slate 500 so like this
is going to control the tracks the track
color as well as the little icon there
That's going to be on there. So you can
customize the color the the size of
course and then the scroll bar gutter
Stable will reserve that space for you so
the layout doesn't jump
when the scroll bar appears
Pretty cool stuff there
Okay, a couple other items. There is now
this container size utility.
So this is something that's
very cool
we've
For a long time been constrained to only
being able to inspect
the size of the viewport
So if i'm saying I want to look at what
size is the viewport
currently at am I at you know
This pixel size or my
this pixel size or whatever
Well container queries shipped earlier in
v4 and this release adds a container size
utility what this does is
it exposes the containers?
size
For use inside the container. So if you
have something that
says I am going to you know
I'm currently at size
medium or size small then you can
Sort of pair your css
your utilities inside of that
Along with that container
size rather than having to
You know keep looking
back to the viewport
So this pairs naturally with the
existing container utilities for layouts
that need to respond to their parent
Rather than the viewport very cool. I
love this. So container
size utility check that one out
Zoom and tab are two css properties that
are now getting coverage in this release
Zoom is a property think like transform
scale if you think about
that transform scale is cool
It allows you to scale
things up and down, but it also
That transform scale will affect layout
flow zoom does that without affecting the
layout flow so you can use zoom dash
Star right that's in the utility so you
can use that zoom css
property in addition
There's one called tab dash star. This
controls tab size and this is important
for elements where
your preserved white space
Matters think like code pre blocks things
like that that tab dash size
element or that tab dash size
Css property is now able to be controlled
with this tab dash star utility very cool
Uh, there is now a
flexible variant directive
What this does is this allows you to?
stack
compound variants
Used in class names, okay,
so let me give you an example
If you wanted to target both hover and
focus states on an
element at the same time
You can do this without writing multiple
rules. You can do it in a single rule
So you write at variant hover colon focus
so you're targeting both of those then
you just write your css
Similarly, you could do hover comma focus
But in either case you can do this
without splitting those into two
different rules that have the same
properties essentially
You just use that variant
syntax. So pretty cool there
Um, there's a couple that are a little
bit more advanced here if you
I'll go through these sort of quickly,
but I will recommend that you read the
documentation on
these if you're interested
There's functional utilities that you can
define inside of tailwind with a utility
directive, but there's these default
There's dash dash default dash
dash value dash dash modifier
And now the default is uh allowing you to
provide a fallback when
there is no value that's supplied
So this makes custom utilities behave
more like the built-in
utilities inside of tailwind
And those will already gracefully handle
the no argument case if there's nothing
passed in you can provide a default value
That was not previously available in the
functional utilities now it is
lastly
canonicalization
You know how long it took me to figure
how I was going to say that one
canonicalization and upgrade fixes
So the canonicalizer which is used by the
upgrade tool got a round of fixes
That matter if you run tailwind css
upgrade on your projects
I'm going to let you look
at that one if you do that
Take a look at this one a couple things
you might want to know about but it's not
It's a little bit too technical to try
and describe on the air
And so i'm going to point you
to the show notes on that one
But lots of cool stuff on there tailwind
4.3.0
Moving in to the news first up Laravel
has introduced native passkey
authentication support
through new first party packages
both on the server and client side
If you install with composer the Laravel
passkey server package from packages
It will bring migrations routes for login
confirmation and credential management
plus web authentication
actions events and escape
hatches when you need customize
Your authorization responses or your own
route files and for you the listener the
consumer of the the
package all you need to do
is implement passkey user on your
Authenticatable
Entity and then use the passkey
authenticatable trait on it
And then client side you import passkeys
from the at laravel slash passkeys library
and you can await passkeys.register
And await passkeys.verify this includes
The browser ceremonies for registration
and verification with a small core api
and first class helpers for React, Vue
and Svelte including
Server-side rendering safe hooks. So
client only api's do
not fight your framework
Laravel Fortify integrates
the stack behind a features
dot op passkeys
Method and a passkey
section in your fortify config
So fortify apps get the same endpoints
and contracts for the passkey
user and the authenticatable
Without re-implementing any of the glue
and together the server package npm
client and fortify
lineup on routes and contracts
passwordless auth stays boring to wire up
portable across frontend stacks check it
out we have links to that
for you in the show notes
All right, Laravel AI's SDK, which is
something we've been talking a little bit
about recently now has sub
Agents. So what are we talking about
here? This sdk will now let
you hand off agents as tools
To other agents we're gonna we're gonna
explain what this means
But this allows the sdk to basically be a
proper orchestration layer now rather
than just calling a single
um
A single thing at a time, right?
Real apps are rarely going to live in one
prompt a general support agent might need
different instructions or tools
Maybe even a different model when
answering something like a refund
question versus like a billing question.
Maybe so these sub agents
make that delegation
a first class
Concept if you will instead of a router
that you have to build yourself
so the way that it
works is in the tools method
of a
Prompt you can return an agent from
another agent's tools
method. So inside of tools
Typically you're going to have an array
Of different things that you can call
from within that particular
Agent and so now what you can do is you
can have like maybe
something called a refunds agent
And so this parent agent can delegate a
specific task to use that tool and that
tool is just a sub agent's
Response while answering the original
prompt each one of these sub agents then
carries its own
instructions and system prompt
Its own tools, right? So again, you just
basically define this as
its own agent over there
It can have its own provider and model
and I don't mean
eloquent model. I mean like
llm model you can pin a
sub agent to anthropic or to
Openai or to
Gemini, right you can specify on that sub
agent what you want it to be and then you
can have its own configuration like
Temperature or max steps or timeout so
you can see how if you have like a
general purpose agent
That's sort of running a chatbot and it
needs to talk to something that says hey
I don't want your temperature to be do
not give me anything
that you're going to make up
I'm not looking for your creativity here.
I have a billing question, right?
That might need to be something that's
going to have a little
bit different configuration
Now you can do that really easily by
defining this sub agent as a tool inside
of your general agent really nice
You get finer control implement can act
as tool on the sub agent to be able to
define the name and the
description that the parent
Will see you also
There is one catch each sub agent
Invokes itself in isolation. It doesn't
receive the parent's conversation
History the parent has to pass a clear
self-contained task
description to that tool
But there is a entire write-up
on the sub agent documentation
inside of the Laravel
ai-sdk documentation under sub agents
So we've linked that up in the blog post
to check that out in the show notes
So
DHH will be joining
Laravel Live Denmark in
2026 for a fireside
chat with Taylor Otwell
Why is this notable? Well rails and
Laravel for those of you who aren't
aware are often compared and the two
frameworks have influenced each other
Over the years so bringing the creators
together on a Laravel
conference stage in dHH's hometown
Is an unusual pairing for a community
event and should make for an interesting
conversation about framework design
developer experience and the craft of
building web applications
For those of you not aware Laravel Live
Denmark takes place in Copenhagen, Denmark
on the 20th and 21st of august
This year you can grab your tickets at
laravellive.dk. We'll have links to all
of that for you in the show notes
very cool
PHP storm a jet brains ide we've been
talking about PHP storm quite a bit. I
feel like they're on a hot streak here
They've just been implementing a bunch of
new cool features last time
we were talking about them
We talked about first
party work tree support
Well, they've now shipped a new Laravel
tool window for PHP storm that lets you
manage and troubleshoot your Laravel
cloud deployments without even leaving
Your editor. So this is part of the
Laravel Idea
plugin, which has been free
We announced that actually last year. I
think it used to be a
paid product that is now free
So this includes an ai assisted
troubleshooting flow
for these failed deploys
A lot of times this is what ends up
happening. I had this
happen recently on forge
Something failed I copied the output
pasted into Claude and said what happened
here what went wrong?
What might be the problem?
Well now you don't
have to do that, right?
You can just hop into your editor your
PHP storm and it has the
ability to grab all those errors
Off of your failed deployment in
Laravel cloud and then use ai to
troubleshoot them for you
So you can pull this up from the sidebar
in uh in PHP storm if
you don't know shift shift
We'll do like a search everywhere. So you
press shift shift search for Laravel
Or from the view menu and it will split
your view into three
panels. You have dashboard
Errors and Laravel cloud and so
dashboard is like you're going to run
local commands like refresh your data
start the server run migrations
things like that
Errors which is for local application
errors and then Laravel cloud for
everything tied to
your hosted environments
Um, so eric barnes are free to say to
recorded a
walkthrough that tests this out
He intentionally broke a deploy and then
used the ai assistant to fix it so you
can check that one out
It's really really
pretty quick. Very cool
We talk about how you
connect to Laravel cloud
It's just really using an
api key behind the scenes
You can generate one from your Laravel
cloud account paste it into PHP storm and
then the panels will
pull down your environments
Automatically from there you get the
running status of each environment the
deployment log signed url, etc, etc
And then you also can
watch a deploy in real time
So as the state changes those panels
reflect the
deployment status push a commit
You can watch the build move from queued
to running to deployed without having to
flip over to the cloud dashboard
Which is really cool
And then, as we said, AI-assisted
troubleshooting: when it fails, the
deployment log is right
there inside the panel.
This is the new piece, that you can then
hand the failure to JetBrains AI.
Open in the AI chat, ask why it failed, it
reads the logs, etc. So a couple things
you have to have here.
Uh, for that, the AI feature requires a JetBrains
AI subscription. If you don't want
that, you don't have
to. The rest of the tool
workflow, uh, window works. It doesn't, it
works without it. So if you don't want
the AI-assisted troubleshooting,
no worries. You can still get that. You
have to also have PhpStorm
2026.1.1
or later, and that's it. Pretty cool in
there. Thanks, PhpStorm.
Nice. Laravel Moat. Well, actually, I
don't think we're
calling it Laravel Moat,
but the Laravel team has released Moat,
which is a new command line tool that
reviews the security
posture of a GitHub user,
organization, or repository.
With a single command it inspects
GitHub's built-in security protocols and
returns a report showing what is enabled,
what is missing, and which
settings may deserve attention.
Moat verifies settings across the user,
org, repo, branch, release, and workflow
scopes, and checks include
two-factor authentication,
signed commits, secret scanning
and secret push protection,
Dependabot alerts and security updates,
immutable releases,
fork pull request approval,
workflow permissions and pinned actions,
pull_request_target misuse, repository
webhooks, direct collaborators,
private vulnerability reporting, and the
presence of a SECURITY.md
file. Each finding comes with a short
explanation of the risk, and the report
includes a hardening
score alongside pass and fail
totals.
Moat is available through Homebrew or as
pre-built binaries, and once installed,
point it at any account, organization, or
repository using the moat command line.
And for authentication, Moat will resolve
a GitHub token from the
GITHUB_TOKEN or GH_TOKEN
environment variable, or your
authenticated command line
session using GitHub auth token.
What Moat is not: the
project is clear about its scope.
It is read only and does not modify any
settings or harden
repositories on your behalf.
It does not prevent intrusions or
remediate compromise, and it surfaces
suggestions based on GitHub settings that
remain yours to evaluate.
A clean report does not certify that an
account is secure, and a failing report
does not mean it has been compromised.
It is simply a checklist for GitHub's own
security controls, not a supply chain
security product. I saw in there
Nuno posted a video on
Twitter the other day
Talking about you know, it goes through
all of these settings which you would
think would be default
enabled in an account
And they just they're just not so this
goes through and you know
figures out all of the things that you
should be going to change and providing
recommendations to do so
To check that one out. It'll be good for
those in uh, you know
ISO and SOC certified organizations to
make sure that the controls and and
settings are in place to to
give them the best level of
security incident mitigation possible
Absolutely, even for those of you who are
not in situations like that definitely
still check this out. Uh, very nice
This is pretty cool. We've been actually
doing quite a bit of
hardening on our side
And so I'm interesting to, I'm
interested to run this and see
how, um, how we're doing on that. It is, it
is a nice sort of just brew install.
That's all you have to do, brew install
Laravel moat slash moat.
There's a, if you go to the GitHub repo,
it's really easy to to add that and then
just run moat account.
That's it. Run your account and it will
go through it, check it out. So how to
suggest that one other thing here that
you might want to do
if you've not done this
Like if you are the one who manages your
particular
organization inside of GitHub, um,
You might want to add this is one thing
that you can do that even if you've not
Like got everything all set up across the
across your organization
You can add a branch rule
Uh a rule set that applies across all of
your different repositories that says
Nothing can force push to master
Everything requires a pull request and
every pull request requires the approval
of another member of the
team before it can be merged
The reason why this is really important
is because a lot of these things that has
been, that have been
compromising GitHub tokens
are secretly pushing, force pushing to
like master, or they're finding some
orphaned commit, pushing something, and
then creating a new release, and
that's, that's how it
gets messy real quick.
But if you have these settings turned on
it is impossible. I won't say impossible
It is very difficult
for those things to change
Without having some advanced notice to
your team that those things are changing
And so definitely a good and it used to
be that those would have to be turned on
on a per repository basis
You can say across the entire org apply
this rule set and it'll apply
across the board to everything
Used to be much more difficult to do that
now. It is much easier
There's really no excuse not to turn that
on so definitely check that out as well
if that's the only
thing you do well worth it
Okay
We're going to move on to packages,
friends. Model-based scheduling for
Laravel with a new package called Cadence.
So Cadence is by our
good friend Steve Balman.
And this takes a
different approach to scheduling
in Laravel. Rather than centralizing all
of your timed tasks inside of a single
scheduler file like console.php,
this will let you attach one or more
schedules directly to an individual
Eloquent model instance.
Each of those Eloquent model instances
would have their own expression and time
zone and then fires
events when they're due.
So how does this work?
After installing your package and
publishing migration you get a schedules
table and this is going to hold
A polymorphic reference, which is just a
fancy way to say it
applies across any model for you
It will have a reference to the model
then the schedule expression
An optional optional time zone and then a
pre-computed next run at
last run at time stamps
So what you're going to do is you're
going to take your model, you're going to
add this schedulable
interface and has schedules trait to any
model that you want to be able to
schedule. Then what you're going to do
is you're going to attach a schedule to a
model instance, and when I say instance, I
think of like a single record, right?
I have a single
record of an Eloquent model.
I'm going to attach a schedule to that
model instance, and then Cadence will ship
with drivers for cron expressions,
for RRULE patterns, and then you can
pick which libraries you need to install
in order to enable that particular driver.
So the cron-based schedule is very
straightforward. You just say, I'm going
to pull up one of my, um,
so let's say, let's, I have a model called
a subscription, and on that subscription
I'm going to go pull
it out of my database.
Subscription find one, and I'm going to
store that in the dollar sign
subscription, and I'm
going to say add schedule.
And then I'm just going to pass in a new
cron schedule in there.
And now that's going to enable a
particular thing to run every month on
the first at midnight.
And so, uh, for more expressive recurrence,
RRULE gives you a lot more control
over things that are awkward to express
in cron, like
frequency weekly, interval two,
by day Tuesday, Thursday, right? So this
is just a little bit, uh, different.
It's a lot more readable to people who
are unfamiliar with cron scheduling.
And then again, as we stated before, these
schedules are time zone aware,
which is really helpful because users in
different regions get the right local
time. So if you're used to
saying, I'm going to charge your account
every Friday at noon,
you can do that, right? If I'm doing it
for Michael, I can say Australia Sydney
time or Adelaide time, right?
Versus Jake's America Chicago time. So
then how do you dispatch and
react to these things? You have the
schedule run command
that will actually take
care of this. Each time it runs,
it will find all the records where the
next run at is past due and then fire a
schedule triggered event.
A lot of stuff that you know, I just
threw at you here.
It's very interesting. Um,
typically the way that i've handled this
before is in each of my
particular
models themselves, they'll have like a
next, like send at, it's typical what I've
had, right, send at, and then
I'll have a scheduled job.
Or not a scheduled job. I will have a
scheduled command that will
go check, and in that thing
it says find any where the send at is
previous to now and then queue that up to
go run, and then it updates its own,
you know, send at timestamp.
But if you're doing this across multiple
models and you're having to do this
On a regular basis it makes sense that
you would abstract this to something that
can kind of happen at a top level
Rather than having to create a new
scheduled job and invent your own
convention for how you do
this for every single model
Right. So this is a pretty cool idea.
I've never heard of this before, but
looks interesting. So
cadence check that one out
so
Here's the next one. What does this look like?
LaraPanda is a type-safe Lightpanda
browser SDK for Laravel.
It is a headless browser
built, well, written in Zig, if you don't
know what Lightpanda is.
The package itself handles runtime
resolution between the command line
binary and Docker profile
based instance management type
and each profile can
override the global defaults
for runtime mode, binary
path and Docker settings,
making it straightforward
to maintain separate profiles
for general fetching,
crawling, and AI tool sessions.
The auto runtime prefers CLI execution
whenever a binary path is configured
and the binary is
executable and falls back to Docker.
Otherwise, you can
also pin profiles to CLI
or Docker explicitly.
The fetch request method
will return a fetch result,
which is a strict typed object
tied to the selected dump format
and calling a mismatch
accessor throws an exception
rather than silently
returning garbage data.
Our event, LaraPanda
exposes Lightpanda as tools
for the Laravel AI SDK and
the adapter is session aware,
passing the same
session ID across tool calls
keeps the browser
session open between steps,
which matters for
multi-step browsing tasks
and potentially across
multi-agent workflows
as we spoke about earlier as well.
And for applications
using the Laravel MCP server,
LaraPanda provides an adapter
that registers Lightpanda tools with
Laravel's container,
applies profile based runtime resolution
and shares the session
pool and proxy policy
with the AI SDK adapter.
If you need to do
some AI driven, awesome,
tool driven browsing, then perhaps
LaraPanda is for you.
Check it out links in the show notes.
Awesome.
If you have ever used Google Sheets
as a tool with your team
and they manage a bunch of
information through that,
and you've said it would be really nice
if I could just pull all
that stuff out of Google Sheets
and utilize that
inside of my application,
boy are you in luck.
This is called Laravel
Google Sheets Database Driver.
It's by Amazing BV.
And what this does is it registers
a custom Google Sheets connection,
which lets Eloquent, the query builder
and all your migrations,
read and write directly
to a Google Sheet.
This is pretty cool because
the mental model is so simple.
A spreadsheet is the database.
If you think about it like that.
Each tab in that spreadsheet is a table
and then the header
row defines the columns.
The rest is just plumbing.
It's just the data, right?
And that's it.
So it does not make
sense for everything, right?
This is not a MySQL replacement.
The package author is
quite upfront about that.
The intended audience is really people
who have a small team
with modest data needs.
You've got people on your team
who are already using Google Sheets.
Maybe it's a part of
your workflow already.
Non-developers want to look
at or edit the data directly.
Those are all instances in
which this might make sense.
If you need transactions or foreign keys
or database level constraints,
this is not the right pick for you.
So keep that in mind.
By getting set up really simple,
you install the package with Composer.
You're gonna need a service account,
JSON key from the Google Cloud.
Little bit of walkthrough
for how you need to do that.
But with the key in hand,
you set it up in your ENV.
PHP artisan sheets install.
One time install command
prepares the internal tabs
and that the driver uses, and then you
are off to the races.
So there's a couple examples
inside of the write up here.
A tiny app for tracking
RSVPs to a community meetup.
They talk through how you
write a schema, migration,
how you run that migration,
and then how you make your usual calls,
just like you
normally would, RSVP create.
So it's not just to read from.
You can also write to
the Google Sheet as well,
which is really handy.
There are a couple of limitations
for what you can and can't query.
I'm not gonna go through all of it,
but the main limitations are
you don't get group by having
unions or real transactions.
Not something you can do.
You also don't get like unique or index
or foreign ID constraints,
but they don't fail.
It's just that Google
Sheets not gonna enforce them.
It doesn't have, it's
not a database engine,
so it's not gonna do that.
The last thing is that Google Sheets
has per minute API quotas.
The driver does put a
few guardrails in place
to sort of prevent you
from having these throttlings,
but be aware of that.
I think that's it.
It's a pretty cool package,
and I think it seems like a decent idea
for people who are
already using Google Sheets
or the example that they gave
of like a small community meetup thing.
You just wanna throw it in Sheets
and let somebody on your team manage it.
I love it.
I think it's a great idea,
so definitely check this one out.
Yeah, when I saw this,
I sent it straight to my boss,
and I said, "We can fix our quote tool
by just hooking straight
into the giant spreadsheet."
Oh yeah, absolutely.
It's great, I love it.
Laravel Reorderable by Richie McMullen
adds a drag and drop
sorting functionality
to any Eloquent model.
It ships with the ready-made Blade and
Livewire components,
persists new positions
automatically via a package route,
and supports scoping sort
order within a parent group.
The package works by
applying the has sort order trait
and reorderable contract to a model,
and the trait will
automatically assign a sort position
on creation and adds
an ordered query scope
so you fetch records
in the right sequence.
The package covers
both rendering approaches,
being Blade and Livewire.
You can drop an at include
directive into a Blade view
or use the Livewire component,
both accept the same set of options.
The package restricts sort
operations to a parent group,
so dragging tasks in one project
doesn't affect tasks in another.
If you're using the whole
project scoping example.
There is a generator command,
there is authorization and
events that are used as well.
You can check all this out.
By the way, we haven't mentioned this,
but Eric Barnes, our fearless leader,
has been putting together
these little rapid-fire,
two, three, four-minute long videos
for each of these articles as well.
So if you want more
in-depth, check them out.
Links to all of it
will be in the show notes.
Awesome.
If you happen to be
one of the brave souls
who's already on PHP 8.5,
we're on our way over there,
PHP 8.5 introduced this
idea of the pipe operator.
So this is like pipe arrow,
and what this does is it
passes the values on its left
as the arguments to the
callable on its right.
So it just pipes these things through.
It works with any
single argument callable,
but PHP's built-in functions,
as well as Laravel's chainable classes,
were not designed
around this PHP 8.5 ability,
the pipe operator, right?
So Spatie, shocker, has introduced this
library called Piper,
and what this does is it
ports Laravel's collection
and string methods into a
standalone, curried function,
which will sit on the
right side of these pipes.
So previously, you wouldn't
have had things like filter
and map and values and join,
all these things that we
use as collection methods,
whereas even string methods, right?
We have the Str, right,
where you get these
fluent chains that you can use.
Those things aren't
available by default yet.
They're not available.
Laravel has not
tagged 8.5 as a requirement
for any of its versions of Laravel yet.
Maybe they will in the future,
and maybe they'll
change it at that point,
but not currently.
So this Piper will
sort of fill in that gap.
So Laravel's collection and stringables
are method chainable
because you're working
with a wrapper object.
So you're going to,
let's see here, let
me see how this works.
You, hmm, hmm, hmm, hmm.
There's no wrapper
instance, it doesn't look like.
Each function takes an
array and returns an array,
and then the pipe
operator threads the values
through the different methods
that you would send it through.
So it fits this new
syntax, this pipe arrow syntax,
and it's a natural
companion to the collection
when you're already
working with native values.
So pretty cool.
Again, if it's something
that you are already using
with PHP 8.5, this is a great way to get
all the functionality
that you're used to
inside of Laravel collections
over to PHP 8.5 without
having to rewrite all that stuff
yourself or wait for the
Laravel team to port it over,
to pipe it over.
So there you go, Piper.
Laravel Toggle is a
lightweight feature flag package
focused on global on-off switches.
So where Laravel's
first party Pennant package
is built for user
segmented rollouts and A/B testing,
Laravel Toggle is intentionally simpler
and skips user resolution entirely,
leaving you with flags controlled by
environment variables,
the database, or a mix of the two.
The package works in PHP 8.2 and above,
and Laravel 11 and above,
and is installed via Composer.
If you wanna use the database driver,
you can publish and run migrations
that are included by the package.
You can define and check toggles.
So first off, you will place your toggle,
you will define your
features inside the config toggle
configuration file and check
them through the toggle facade.
Toggle inactive is a handy
way for guarding behavior
that should only run
while a feature is off,
like falling back to a plain email digest
when the richer
newsletter pipeline is disabled,
for example.
Blade templates get dedicated directives
so you don't have to
wrap conditionals manually.
And if you prefer type-safe identifiers,
you can use a backed enum anywhere
a flag name is accepted.
Centralizing flag names
in a feature enum keeps
the autocompleteability
and ease of greppability
when it is time to retire a feature.
Laravel Toggle ships
with two storage drivers,
which you can select
through the toggle driver
environment variable,
either config or database.
The config driver is
read only at runtime
because its values are sourced from
environment variables,
whilst the database
driver checks database first
and falls back to the
config value if no record exists.
So config defaults still
apply until you override them.
So you've got this nice cascading thing
that you could build a UI
to do all this kind of stuff as well.
When the database driver is active,
you can enable or
disable flags at runtime
and an editor publishing breaking news,
for example, might flip a
banner on from an admin screen
without touching .env or having to deploy
a new version of the code.
If your front end uses Inertia,
the included share
toggles with Inertia middleware
exposes every toggle as a flags prop
and allows you in your Vue, React,
or Svelte components to
conditionally render features
without requiring additional API calls.
There's also a
handful of artisan commands
for day-to-day work,
including a toggle list
to inspect every defined flag,
a toggle create to scaffold a new flag
in your toggle
configuration and environment files,
and a toggle cache clear to flush either
all the toggle caches or a single entry.
See all of the
information in the show notes.
Very cool.
Speaking of feature flags,
I just saw this yesterday, I think.
Cloudflare has introduced
this idea of feature flags
that you can use
without having to like reship
your code with them if
you're using Cloudflare workers.
And it's using
something called OpenFeature.
So OpenFeature is these standard,
it's the standardized
feature flag sort of standard,
standardizing feature
flagging for everyone
is what it is.
And so OpenFeature is
an open specification
that provides a vendor
agnostic community driven API
for feature flagging that
works with your favorite
feature flag management
tool or in-house solution.
So openfeature.dev is where this is at.
It looks very interesting.
Feature flagging has been
something that I feel like is,
it's not like it's new, certainly,
but it's had a lot of activity around it
and a lot of different companies
trying to solve this problem.
And so OpenFeature seems
like a very interesting topic
for someone to dig
into and tell us all about
at a future Laracon, I think.
You should talk about it.
Somebody should talk about it.
So openfeature.dev, check that out.
Okay, wasn't in the show notes.
Laravel Paper.
So this is a flat file Eloquent driver.
I was gonna say that
like the Google Sheets thing
almost reminded me of Caleb Porzio's
Laravel Sushi from back in
the day, if you remember,
but they're actually, they're different.
But if you don't know
about Laravel Sushi,
you should check that one out as well.
But this one is Laravel
Paper by Jacob Jorgensen.
And what this does is it
brings Eloquent's feature set
to flat file data sources.
I've read this through a couple of times.
Let me give you what I
think is the easiest way
for me to explain it.
Let's say that you have a directory
full of Markdown or JSON files.
And you want to be able
to easily access these
using familiar syntax to
you, which is Eloquent.
So how do you do this?
Well, you can say I have a
new model called Document.
And this is going to
use a trait called Paper.
What this is going to do is
it's going to map that model
to a specific directory on your disk.
You don't need to configure a
separate database connection
to run migrations to get started.
It's just going to say,
point me at a particular path.
So you have an
attribute called ContentPath
and you say that is going to
live, this driver, this model,
sorry, is going to live at slash content
slash docs on my local disk.
Great.
So once you've got that set up,
you can then use your
document model to query
across those different flat files.
So you can use
standard query builder methods
to filter and sort those things.
The slug of each one of these documents
will be automatically
generated from the file name.
So if you have
something called initial setup
or you have something
called installation instructions,
that's the name of it,
installation dash instructions,
you can just say
document colon colon find
installation dash instructions.
And that will retrieve that
specific page by its file name.
You can also search for
items by their front matter.
So if you have a YAML front matter
on the front of this markdown document,
you can say document
where contains labels
and then pass an
array of different labels
that you want to look for.
It will look through all
of those different files
inside of that flat file system,
grabbing all of them
where the YAML front matter
contains a label,
matching one of the
things that you've asked,
and it will go retrieve
all of those documents.
Pretty dang cool.
And it also has methods for linking
different flat file models.
So you can define associations between
those things, right?
Like categories or sub
pages or things like that.
Not only can you query for these values,
you can also manage
these files through Eloquent.
So it supports full write capabilities.
So you can call save or
delete on the Eloquent model
and the package will perform
the corresponding file system operations.
So if you say I want
to look up a document
and then I want to change the slug
or I want to change the title,
I want to change the
content and then call save,
it will actually do the file system
operation to save that.
Or you can say I want
to find this document
and then delete it.
It will remove that file from the disk.
Really simple to install,
requires PHP 8.4 and Laravel 12 or higher,
but pretty interesting.
And I think that could be a useful one
if you're trying to
roll your own sort of blog
or something like that.
This is gonna be
something that you could use.
Or I suppose there's a lot of things
that these AI agents
are using Markdown for
or generating Markdown for.
I suppose you could
use something like that
for those as well.
Pretty neat.
All right, that is called Laravel Paper.
Tutorials this week,
we'll go through both of
them one after the other,
continuing the MongoDB
series that we've had over,
I feel like a long
like months at this point,
we've seen new articles about this.
Laravel MongoDB full text search,
the art of the relevancy.
There are very compelling reasons
to use a full text search
based on an inverted index
and a relevancy scoring model in Hubert
Nguyen's experience.
The author of this article,
the best reason is when
you are actually trying
to perform a search function
and expect the first
result to be the most relevant.
That is exactly why
search engines were built.
And he will assume that
that is your main use case.
So check out that if
you are using MongoDB
and following along with this series.
And lastly, Harris Raftopoulos,
Ship AI with Laravel,
his video series is up to episode seven.
This one talks about
real time streaming chat UI
with Livewire.
So far we've been testing the agent
that we've been
building through JSON routes.
It returns the full
reply once the AI is done
and works for development,
but it's terrible for customers.
Nobody wants to stare at
a spinner for five seconds
wondering if anything is happening.
So in this episode,
he's built a real time chat widget
with responses that stream in word by word,
like ChatGPT and any of the other agents
that you are used to using.
User types a question hits send
and the agents reply
starts appearing immediately
as it generates.
I have links to both of those tutorials
for you in the show notes.
Very nice.
Well folks, that is the
entire show for today.
Episode 259 is in the books.
Find the show notes for this one at
podcast.laravel-news.com
slash 259.
If you have any questions,
we'd love to hear from
you on X at Michael Dyrynda,
at Jacob Bennett, or at Laravel News.
And of course, if you liked the show,
please rate it up five stars in your
podcatcher of choice
would be incredible.
So next time my
friends, we'll see you later.
See you out.
