Passkeys, Moats, and Scheduling Models

Hey everybody, welcome to Laravel News podcast episode 259. Today is Wednesday the 27th of May 2026. Glad to have you with us. Mr. Dinda, how's it going my friend? Going well. I uh I had a bit more sleep last night than the night before. Just uh you know, we we've got we've got the full schedule published for Laron AU happening next week. We've got tickets going on sale next week. And so, as these things always go, it's a mad dash to the finish line to make sure everything is in place. So, yeah, we uh did the the we had all the all the speaker acceptances came through. We sent out all the notifications to the people that we didn't place on the schedule this year and had some uh a few people reach out for for feedback, which we were well positioned to give meaningful feedback this year because I feel like that's always a gap. You know, some people um some events will not send you a notice at all. Like you either get the the invitation or you get crickets. Um some events will send like a very, you know, blunt kind of onelined, sorry, you didn't make it. Um we we tried to do things a little bit differently this year in terms of like sending the blanket email, but then also we emailed the whole list just kind of talking about how we built the whole program this year. and I'm excited to share this year's lineup with everyone next week. How cool. Yeah, that's awesome. I know you guys have put a ton of work into the process and uh we actually talked about that over on our other podcast, I think a couple weeks ago and so definitely check that one out if you're interested. If you've ever had to run a conference yourself and are curious about the best way to accept submissions and then review those submissions, you might want to give that one a listen. Um, I know that the speakers and the attendees this year will very much appreciate all the work that went into creating the lineup and uh the scheduling of it and the cadence of it and um just all the attention to detail that was given to the lineup this year. So, congratulations on finishing that up. That is very exciting. Um, we've also actually I don't know if we're talking about it later on, but uh like Laravel Japan was kind of going on Lar. Yeah, pretty cool. So that was uh that was an event that was been going on the last couple days. So excited to see some of the blog posts come out about that one here from all the folks who were there. In the meantime, however, we have got some releases, some news, and some packages for you. We're going to kick it off with Laravel 13.9. So what is new in Laravel 13.9? We've got password rules. You can now autogenerate valid passwords in um Is this saying in one password? What is this saying? Hold on. I got to look at this. So, this is like a a string that goes into an attribute on uh your your password input fields and it's it serves as a hint to one password that these are the parameters that you need to follow. So, if you're just like an alpha numeric thing, then one password knows it won't put symbols in there if it needs to constrain to a length. One password will know how to do that. So, it's it's it basically hooks into your password rules in your application and then generates a string that one password can then understand when it comes to generating a password. So that you know we've been to we've been to those websites usually financial institutions where you generate a random 32 character password with letters numbers and special characters and it goes no we need a eight characters letters and numbers only kind of thing. So this this allows you to generate the string that is compatible with one password and it's not really actually even something that's generally um one password specific. This is actually a specification that was introduced by Apple it looks like. So we have this password rules validation tool uh that is allowed in there but um this was something that was introduced by them that lets browsers and password managers including not only one password but also Safari and Bit Warden read an app's password constraints and then generate a valid password automatically rather than the user having to trial and error a suggested password against validation errors. So um really nice. That's very very cool. There also is this uncompromised uh which a uh has no password rules equivalent and is not included in the output. So this is sort of this uh have I been poned sort of thing I believe which checks for commonly used passwords and makes sure that those are not in the list u the password that you're putting in is not in that list. So they have in the documentation here the outputs for common combinations verified against the merge tests. The most practical use is pairing it with password defaults so that the same policy that you're defining in your app service provider drives both the server side validation and the browser's password suggestion. So you can set this up in your app service provider. You simply say password do defaults and then you pass in there a closure with the requirements for your password and then you are able to use that both in the front end as well as in your validation. So when a user focuses into a field that has that password manager support, it'll be offered a generated password that already satisfies the rules. No back and forth with the validation errors. Very very cool. I have never heard of this before actually. Um, I'm Liam uh is the contributor of that one. Liam Hammet, longtime community member uh contributed that one. So, good job on that. Okay, we've also got Cloud Q metrics. So, these are three PRs all uh by T-Mac, Tim McDonald. This adds metrics tracking for Laravel cloud Q connections. This is the new Illuminate Foundation cloud Q decorator. What this does is it wraps any Q driver and emits events through a socket when jobs are ceued, when processing starts and finishes. And what this does is it gives Laravel cloud visibility into your throughput, processing duration and worker activity. And so you can get reporting on that. Now config caching is also now supported for cloud cues. Prefix and suffix values are read from the config file rather than from the environment variables directly. so that PHP artisan config cache will work correctly in your cloud deployments which is something I would highly suggest um doing in your cloud deployments similar to how you would do it in a regular uh VPS situation uh helps on those lookups. Okay, optional disk storage for large SQS payloads. So SQS which is like simple queuing service this is AWS's offering um for cues think of it you know simple email service this is SQS there is a maximum message size of 1 megabyte so when you have a job that's the serialized payload is ending up being more than a megabyte AWS is just going to reject it with an invalid parameter value which isn't super helpful but this release adds a built-in solution which is an extended store options block in the SQSQ connection config that will take those large payloads and will offload them to a file system disk such as S3 and then it will send a small pointer through SQS instead. Then workers will fetch that full payload from disk when processing the job. This reminds me of um serializes models where what it will do is instead of serializing the entire model into the job payload, it will instead only grab the ID, the pointer, and then it will refetch that from the database at the time that it goes to run the job. Very similar here. It says here's a little pointer. You can go fetch the entire payload off of disk and then it will hydrate that object when the uh when the job actually is getting executed in your u in your application. So that is in the Q.PHP config under the SQS. There's an existing config there. And then you have this extended store options. I would take a look at this in the documentation as well as in the show notes here. It has a couple different flags you're going to need to be aware of. Uh it is optin. It's backwards compatible. You don't have to do this. Existing SQS users will be unaffected unless they set the enabled value to true under this extended store options. So very cool there. Orrison is the one who contributed that Kevin. We ran into this in the past when we were when when thing then ping me still existed where you know we were passing payloads across and the the only way really around it is to take that payload throw it as as this does to throw that payload into S3 or whatever and then fetch it again when the when the job is processed. And I mean you've got to balance the the trade-off there is obviously okay now we've got the the HTTP latency to go and fetch that from um you know to make that X request to S3 but in most practical cases if you're deferring something to the queue it's not a huge issue unless you know unless you need to process that stuff very quickly. So yeah very cool very cool to see that as part of the framework now. Very very good. Yeah absolutely I agree nice nice um nice option there. Okay, concurrency, which is something that was introduced, I think maybe last year. Um, concurrency run will use the process driver by default. So, this will run each task through Laravel's process layer. The only problem is that that layer has a default 60-second timeout. And there was no way to customize that from the concurrency run option. So, a new timeout parameter has been uh made available for that process driver. You can add this as a new parameter uh using name parameters timeout and just set it to 300 whatever you might have there. Um and that will uh make sure that the longunning task that you might have there won't time out with that 60-second default. Pending dispatch conditional. So pending dispatch now implements the conditionable trait which is something that has existed before. uh but this is what adds the when and the unless methods to a particular class. So now you can configure dispatch jobs in line without wrapping those dispatch calls in conditional send personal details to fraud detection tool dispatch arrow when or arrow unless so that you can do basically when I'm passing this to you go ahead and inspect this object and see if it matches the requirements that I need in order to be able to do the dispatch. So you can just do the when or the unless directly on that dispatch rather than having to wrap it. Nice little addition there. Prepares for dispatch interface has been added. Uh this adds a prepare for dispatch method that will run before a job is pushed to the queue. This method can return false to cancel the dispatch entirely. And this will be useful for jobs that are dispatched from multiple call sites that all need the same pre-dispatch logic. For example, if you wanted to dduplicate ids or check whether a job is still needed before you start consuming Q capacity, maybe you're checking to see does this does this thing even exist anymore before I need to uh go do this. So at the time that this is getting pushed to the queue, it's going to run this prepare for dispatch method. If it returns false, it just eliminates it. Doesn't even bother uh going through that portion there. Okay. Schema helper. There is a new foreign UUID4 method on the schema blueprints. This is inside of a migration. So you can say table foreign UU ID4. You pass in a class and then you say constraint. So while the existing foreign ID 4 already handles UUID backed models by detecting the key type. This new one foreign UU ID4 makes the intent clearer and then mirrors the same modelware behavior. You could have just used ID before, but UU ID is more clear here and so you're going to use that one instead. Okay, two more throttles exceptions. The back off method on throttles exceptions middleware now accepts a closure that will receive the value or sorry the throwable or the exception. So this is useful when the exception carries retry timing information such as a retry after header from an external API. You can imagine that I'm making a job call out to this API endpoint. It says, "Nope, you're getting throttled now. We're going to send back this retry after header." And so what you can do is you can delay an additional amount of seconds rather than a fixed backoff value. So uh really handy there. And then lastly, enum support for contextual attribute binding. So the off authenticated and cache attributes now accept both the unit enum and backed enum values in addition to strings. So let's this lets you use enum cases to reference uh different guards and cache stores inside of dependency injection. Again just following this through the framework. Now we've got lots of places that accept these different enums. Um the interesting thing about this one is the unit enum is sort of a a um included enum value. Uh but it now includes that as well as any other backed enum value that you might want to pass into there. Okay, that's all of it. That's a lot. Check out the show notes for any other additional details on Laravel 13.9. Laravel 13.10. Little known Laravel community member and sometimes contributor Taylor Otwell added a new storage C driver that uses Laravel's file system and or storage service to store cached values. This is primarily useful for using an existing S3 disc as a key value cache. There is no reddus or mem cached required. This default config uh that's part of the Laravel framework now includes a storage store entry and you can point C storage disk at any configured disk including S3 and the C case driver will read and write values through the file system layer. Each ced value is stored as a file containing a serialized payload with an expiration timestamp. Uh good nice especially if you're you know on Laravel cloud or on some other Absolutely. Y um environment where you don't have persistent local disk. Again, the minor overhead there is the HTTP stuff. So, just something to be mindful of if you are going down that route. The other option uh the other change here from Taylor is a new uh flag that you can pass to the Q work command called stop when empty that will stop the worker after it has gone a configured number of seconds without processing any jobs. This stops the worker if no jobs have been processed for that number of seconds. And it is useful for short-lived workers in scaled downer environments or any situation where you want workers to exit automatically when cues go quiet rather than running indefinitely which is kind of handy. And that and then you can use your supervisor task to spin them back up again so they don't just go away and never come back. Jack Bis added a new worker idle event that is dispatched when a Q worker checks for a job and finds the queue empty. This is distinct from job popping, which fires on every pop attempt, regardless of whether a job was found. Listening to the worker idle event lets you detect workers that are genuinely unused and is useful for rebalancing worker capacity or logging idle time. Also from Jack Balis, there is a worker options uh class I guess uh which includes the name flag and worker configuration that is now passed to pausing, resuming, interrupted and looping worker events. Previously, these events did not include the workers configuration, making it harder to know which worker instance was resolved that was involved in a listener. Uh, at Cosmos Tech introduced a uh life cycle call backs on the schedule group method uh which allows you to output callback methods sorry on the life cycle. This now supports the same life cycle and output callback methods available on individual events and allows you to attach callbacks once for an entire group instead of repeating them on each task. So inside of your uh schedule file you can have schedule group and have some number of commands in there and then you can have a on failure and password closure for any failing task in the group and likewise for on success. Uh also from cosmotech the scheduled event call back such as on success on failure and then can now optionally receive the event instance as a parameter. And this gives callback direct access to the events configuration its command its output path and other properties. Shout out there as well. We're grouping these. We've grouped these by uh contributors this week. Oh almost I lied. I just saw that there was another one here. This one. So uh Tresor Tresor Cassender has added a new schema has foreign key method that checks whether a specific foreign key constraint exists on a table complementing the existing get foreign keys and has index helpers which is useful in migrations and package install scripts and schema assertions where you want to avoid adding or uh removing I suppose a foreign key that exists or doesn't exist depending on which direction you're Uh, also Tresor added a Q failed artisan command support for the JSON flag which outputs fail jobs as JSON and each entry includes details about the job itself. An empty result returns an empty array which matches the JSON support already in route list DB show Q monitor and other commands. Useful I suppose if you've got machines reading the output of these commands. The SQS extended store which was added in Oraville 13.9 now supports a flush on clear option when enabled. Running Qclear will also call flush on the configured overflow cage store after purging SQS reclaiming storage immediately while rather than waiting for TTO expiration. This matters for S3 back stores where leftover objects incur an ongoing cost. The option defaults to false preserve existing behavior. But note that most C stores um that for most C stores flush wipes the entire store. Uh Q assert pushed once is a more readable alternative to Q assert push times job clustering and then the number. So you can use this in your tests. Thanks to Wes Hooper for that one. Q fake now normalizes enum Q names the same way the real Q driver does. So passing a unit enum case on a Q name to push size or pending jobs will now work correctly and assertions against enum Q names behave consistently with their string equivalents. And lastly, Jared Tilbrook uh for applications running on Laravel Cloud, the request ID is now output in log entries using a custom JSON formatter and will appear as a standalone field rather than being nested inside the monologue context or extra blocks. Another big chain uh set of changes thanks to all the contributors. What is this unit enum thing? So unit enum is a enum that doesn't have a back value. It's just a list of cases. Gotcha. Gotcha. So you might like you might not need to you just want like here is a type set of options but you don't necessarily need to store it anywhere or whatever. It's just this is how we're going to refer to things inside of um inside of code. That makes sense. Makes sense. Well, hey folks, we're going to switch gears a little bit here. If you happen to be a fan of Tailwind CSS, you are in luck. We are talking about Tailwind CSS version 4.3.0. So, there's a couple new things that you're going to want to be aware of. How many of you guys remember dynamic drive DHTML? think back way back and try and remember what that was. It was like high school stuff. Yeah, it was a long time ago. Well, it used to be a thing that, you know, you'd sort of customize mouse cursors around the screen. You have like a trailing mouse cursor and stuff some things like that. But you would also at that time customize scroll bars. So a lot of times you just like hide the scroll bar altogether because it was like eh it's sort of ugly. Let's hide the scroll bar and that sort of stuff. And then it kind of fell out of style. Well, Tailwind CSS version 4.3.0 O is not satisfied to stop with the defaults. They are saying we want to provide first-party utilities for styling scroll bars. And I've got to say, if you look at some of the examples they have, it's actually pretty cool. So now you can control the width and the color of scroll bars directly. You can also reserve gutter space to prevent layout shift when those scroll bars appear, which is actually pretty cool. So you can say I want to reserve this much width on the side of my page because I do not want the value I don't want all my layout to shift when that value get when that size gets taken up by the scroll bar which I think is probably the original problem they set out to solve and they're like you know what let's also do the styling stuff too why not right so you've got scroll bar thin scroll bar thumb slate 500 so like this is going to control the tracks the track color as well as the little uh icon there uh that's going to be on there so you You can customize the color, the the size of course. And then that scroll bar gutter stable will reserve that space for you so the layout doesn't jump when the scroll bar appears. Pretty cool stuff there. Okay, a couple other items. There is now this container size utility. So this is something that's very cool. Um, we've for a long time been constrained to only being able to inspect the size of the viewport. So if I'm saying I want to look at what size is the viewport currently at. Am I at you know this pixel size or am I at this pixel size or whatever. Well container queries shipped earlier in V4 and this release adds a container size utility. What this does is this exposes the containers size for use inside the container. So if you have something that says I am going to you know I'm currently at size medium or size small then you can uh sort of pair your CSS your utilities inside of that along with that container size rather than having to uh you know keep looking back to the viewport. So this pairs naturally with the existing container utilities for layouts that need to respond to their parent rather than the viewport. Very cool. I love this. So, container size utility, check that one out. Uh, zoom and tab are two CSS properties that are now getting coverage in this release. Zoom is a property. Think like uh transform scale if you think about that. Transform scale is cool. It allows you to scale things up and down, but it also that transform scale will affect layout flow. Zoom does that without affecting the layout flow. So, you can use zoom dash star, right? That's a new utility. So you can use that zoom CSS property. In addition, there's one called tab-st star. This controls tab size. And this is important for elements where your preserved white space matters. Think like code preblocks, things like that. That tab- size element or that tab- size CSS property is now able to be controlled with this tab-st star utility. Very cool. Uh there is now a flexible variant directive. What this does is this allows you to stack um compound variants used in class names. Okay, so let me give you an example. If you wanted to target both hover and focus states on an element at the same time, you can do this without writing multiple rules. You can do it in a single rule. So you'd write at variant hover colon focus. So you're targeting both of those. Then you just write your CSS. Uh similarly, you could do hover comma focus. But in either case, you can do this without splitting those into two different rules that have the same properties. Essentially, you just use that variant syntax. So, pretty cool there. Um, there's a couple that are a little bit more advanced here. If you I'll go through these sort of quickly, but I will recommend that you read the documentation on these if you're interested. There's functional utilities that you can define inside of Tailwind with a utility directive, but there's these default uh there's d-default d-value d-modifier. And now the default is uh allowing you to provide a fallback when there is no value that's applied. So this makes custom utilities behave more like the built-in utilities inside of Tailwind. And those will already gracefully handle the no argument case. If there's nothing passed in, you can provide a default value that was not previously available in the functional utilities. Now it is. Lastly, canonicalization. You know how long it took me to figure out how I was going to say that one? Canonicalization and upgrade fixes. So the canonicalizer, which is used by the upgrade tool, got a round of fixes that matter if you run Tailwind CSS upgrade on your projects. I'm going to let you look at that one. If you do that, take a look at this one. couple things you might want to know about, but it's not it's a little bit too technical to try and describe on the air. Uh, and so I'm gonna point you to the show notes on that one. Uh, but lots of cool stuff on there. Tailwind 4.3.0. Moving into the news. First up, Laravel has introduced native PKI authentication support through new firstparty packages both on the server and client side. If you install with composer the Laravel pass key server package from packages, it will bring migrations, routes for login confirmation and credential management plug plus web authentication actions, events and escape hatches when you need customize your authorization responses or your own route files. for you dear listener the consumer of the the package. All you need to do is implement pass key user on your authenticatable entity and then use the pass key authenticatable trait on it. And then client side you import pass keys from the at laravel/pass keys library and you can await pass keys.register and await pass keys.verify. includes the browser ceremonies for registration and verification with a small core API and first class helpers for react view and spelt including serverside rendering safe hooks so client only APIs do not fight your framework. Laravel fortify integrates the stack behind a features do pass keys method and a pass key section in your Fortify config. So Fortify apps get the same endpoints and contracts for the pass user and the authenticatable without reimplementing any of the glow and together the server package npm client and fortify lineup on routes and contacts so passwordless orth stays boring to wire up and portable across front-end stacks. Check it out. We have links to that for you in the show notes. All right, Laravel AI's SDK, which is something we've been talking a little bit about recently, now has sub agents. So what are we talking about here? This SDK will now let you hand off agents as tools to other agents. We're g we're going to explain what this means, but this allows the SDK to basically be a proper orchestration layer now rather than just calling a single um a single thing at a time, right? Real apps are rarely going to live in a in one prompt. a general support agent might need different instructions or tools, maybe even a different model when answering something like a refund question versus like a billing question maybe. So these sub agents make that delegation a first class concept if you will instead of a router uh that you have to build yourself. So, the way that it works is in the tools method of a uh prompt, you can return an agent from another agent's tools method. So, inside of tools, typically you're going to have an array of different things that you can call from within that particular uh agent. And so, now what you can do is you can have like maybe something called a refunds agent. And so this parent agent can delegate a specific task to use that tool and that tool is just a sub agents response while answering the original prompt. Each one of these sub agents then carries its own instructions and system prompt its own tools. Right? So again you just basically define this as its own agent over there. It can have its own provider and model and not I don't mean eloquent model I mean like LLM model. You can pin a sub agent to Anthropic or to uh OpenAI or to Gemini, right? You can spec specify on that sub agent what you want it to be and then you can have its own configuration like temperature or max steps or timeout. So you can see how if you have like a general purpose agent that's sort of running a chatbot and it needs to talk to something that says, "Hey, I want your temperature to be do not give me anything that you're going to make up. I'm not looking for your creativity here. I have a billing question, right? That might need to be something that's going to uh have a little bit different configuration. Now you can do that really easily by defining this sub agent as a tool inside of your general agent. Really nice. You get finer control implement can act as tool on the sub aent to be able to define the name and the description that the parent will see. Uh you also uh there is one catch. Each sub aent uh invokes itself in isolation. It doesn't receive the parents conversation history. the parent has to pass a clear self-contained task description to that tool. Uh, but there is a entire write up on the sub agent documentation uh inside of the Laravel AI SDK documentation under sub aents. So, we've linked that up in the blog post. Check that out in the show notes. DHH will be joining Laravel Live Denmark in 2026 for a fireside chat with Taylor Otwell. Why is this notable? Well, Rails and Laravel, for those of you who aren't aware, are often compared, and the two frameworks have influenced each other over the years. So bringing the creators together on a Laravel conference stage in DHH's hometown is an unusual pairing for a community event and should make for an interesting conversation about framework design, developer experience, and the craft of building web applications. Uh for those of you not aware, Laravel Live Denmark takes place in Copenhagen, Denmark on the 20th and 21st of August this year. You can grab your tickets at laravelive.dk. We'll have links to all of that for you in the Very cool. PHP Storm, a Jet Brains IDE. We've been talking about PHP Storm quite a bit. I feel like they're on a hot streak here. They've just been implementing a bunch of new cool features. Last time we were talking about them, we talked about firstparty workree support. Well, they've now shipped a new Laravel tool window for PHP Storm that lets you manage and troubleshoot your Laravel cloud deployments without even leaving your editor. So, this is part of the Laravel idea plugin, which has been free. We announced that actually last year. I think is used to be a paid product that is now free. So this includes an AI assisted troubleshooting flow for these failed deploys. A lot of times this is what ends up happening. I had this happen recently on Forge. I something failed. I copied the output, pasted into Claude and said, "What happened here? What went wrong? What might be the problem?" Well, now you don't have to do that, right? you can just hop into your editor, your PHP Storm, and it has the ability to grab all those errors off of your failed deployment in Laravel Cloud and then use AI to troubleshoot them for you. So, you can pull this up from the sidebar in uh in PHPtorm if you didn't know. Shift shift will do like a search everywhere. So, you press shift shift, search for Laravel uh or from the view menu, and it will split your view into three panels. You have dashboard, errors, and Laravel cloud. And so dashboard is like you're going to run local commands like refresh your data, start the server, run migrations, things like that. Um errors, which is for local application errors, and then Laravel cloud for everything tied to your hosted environments. Um so Eric Barnes, our fearless leader, recorded a walkthrough that tests this out. He intentionally broke a deploy and then used the AI assistant to fix it. So you can check that one out. Uh it's really, really pretty quick, very cool. Uh we talk about how you connect to Laravel Cloud. This is just really using an API key behind the scenes. You can generate one from your Laravel cloud account, paste it into PHPtorm and then the panels will pull down your environments automatically. From there, you get the running status of each environment, the deployment log, signed URL, etc., etc. And then you also can watch a deploy in real time. So as the state changes, those panels reflect the deployment status. Push a commit, you can watch the build move from cued to running to deployed without having to flip over to the cloud dashboard, which is really cool. And then as we said AI assisted troubleshooting when it fails the deployment log is right there inside the panel. This is the new piece that you can then hand the failure to jet brains AI open AI chat ask why it failed it reads the logs etc. So couple things you have to have here uh for that the AI feature requires a Jetrains AI subscription. If you don't want that you don't have to. The rest of the tool workflow uh window works it doesn't it works without it. If you don't want the AI assistant troubleshooting no worries you can still get that. You have to also have PHPtorm 2026.1.1 or later. And that's it. Pretty cool one there. Thanks, PHP Storm. Laravel Mo. Well, actually, I don't think we're calling it Laravel mode, but the Laravel team has released moat, which is a new command line tool that reviews the security posture of a GitHub user, organization, or repository. With a single command, it inspects GitHub's built-in security protocols and returns a report showing what is enabled, what is missing, and which settings may deserve attention. Mote verifies settings across the user or repo branch release and workflow scopes and checks include two-factor authentication, branch protection, sign commits, secret scanning and secret push protection, dependabot alerts and security updates, immutable releases, fork pull request approval, workflow permissions and pinned actions, pull request target misuse repository web hooks, direct collaborators, private vulnerability reporting, and the presence of a security.md file. Each finding comes with a short explanation of the risk and the report includes a hardening score alongside pass and fail totals. Mo is available through homebrew or as pre-built binaries and once installed pointed at any account, organization or repository using the moat command line. And for authentication, moat will resolve a GitHub token from the GitHub token or GH token environment variable or your authenticated command line session using GitHub or token. What moat is not. The project is clear about its scope. It is read only and does not modify any settings or harden repositories on your behalf. It does not prevent intrusions or remediate a compromise and it surfaces suggestions based on GitHub settings that remain yours to evaluate. A clean report does not certify that an account is secure and a failing report does not mean it has been compromised. It is simply a checklist for GitHub's own security controls, not a supply chain security product. I saw in there um Nuno posted a video on Twitter the other day talking about you know it goes through all of these settings which you would think would be default enabled in a new account and they're just they're just not. So this goes through and you know figures out all of the things that you should be going to change and providing recommendations to do so. Check that one out. It'll be good for those in, you know, ISO and sock certified organizations to make sure that the controls and and settings are in place to to give them the best level of um security incident mitigation possible. Absolutely. Even for those of you who are not in situations like that, definitely still check this out. Uh very nice. This is pretty cool. We've been actually doing quite a bit of hardening on our side. And so I'm interesting to I'm interested to run this and see how um how we're doing on that. It is it is a nice sort of just brew install. That's all you have to do. Brew install Laraveville moat/mote. There's a if you go to the GitHub repo, it's really easy to to add that and then just run moat account. That's it. Run run run run your account and it will go through it. Check it out. So highly suggest that. One other thing here that you might want to do if you've not done this, like if you are the one who manages your particular organization inside of GitHub, um you might want to add this is one thing that you can do that even if you've not like got everything all set up across the across your organization, you can add a branch rule uh a rule set that applies across all of your different repositories that says nothing can force push to master. Everything requires a pull request and every pull request requires the approval of another member of the team before it can be merged. The reason why this is really important is because a lot of these things that has been that have been compromising GitHub tokens are secretly pushing force pushing to lick master or they're finding some orphan commit pushing something and then creating a new release and it that's that's how it gets messy real quick. But if you have these settings turned on, it is impossible. I won't say impossible, it is very difficult for those things to change without having some advanced notice to your team that those things are changing. And so definitely a good and and it used to be that those would have to be turned on on a per per repository basis. You can say across the entire org apply this rule set and it'll apply across the board to everything. Used to be much more difficult to do that. Now it is much easier. There's really no excuse not to turn that on. So definitely check that out as well if that's the only thing you do. Well worth it. Okay, we're going to move on to packages, friends. Modelbased scheduling for Laravel with a new package called Cadence. So Cadence is by our good friend Steve Balman. And this takes a different approach to scheduling in Laravel. Rather than centralizing all of your timed tasks inside of a singleuler file like console.php, PHP. This will let you attach one or more schedules directly to an individual eloquent model instance. Each of those Eloquent model instances would have their own expression and time zone and then fires events when they're due. So, how does this work? After installing your package and publishing migration, you get a schedules table and this is going to hold a polymorphic reference, which is just a fancy way to say it applies across any model for you. Uh, it will have a reference to the model. the schedule expression, an optional optional time zone, and then a premputed next run at last run at time stamps. So what you're going to do is you're going to take your model, you're going to add this schedulable interface and has schedules trait to any model that you want to be able to schedule. Then what you're going to do is you're going to attach a schedule to a model instance. And when I say instance, I think of like a single record, right? I have a single record of an Eloquent model. I'm going to attach a schedule to that model instance and then cadence will ship with drivers for chron expressions for our rule patterns and then you can pick which libraries you need to install in order to enable that particular driver. So the crownbased schedule is very straightforward. you just say, I'm going to pull up one of my um let's say let's I have a model called subscription and on that subscription I'm going to go pull it out of my database subscription find one and I'm going to store that in the dollar sign subscription and I'm going to say add schedule and then I'm just going to pass in a new cron schedule in there and now that's going to enable a particular thing to run every month on the first at midnight and so uh for more expressive recurrence Our rule gives you a lot more control over things that are awkward to express in cron like frequency weekly interval 2 by day Tuesday Thursday right so this is just a little bit uh different it's a lot more readable to people who are unfamiliar with cron scheduling uh and then again as we stated before these schedules are time zone aware which is really helpful because user in different regions get the right local time so if you're used to uh saying I'm going to charge your account every Friday at noon you can do that right If I'm doing it for Michael, I can say Australia Sydney time or Adelaide time, right? Versus Jake's America Chicago time. So then how do you dispatch and uh react to these things? You have the schedule run command uh that will actually take care of this each times it runs. It will find all the records where the next run at is passed due and then fire a schedule triggered event. A lot of stuff that you know I just threw at you here. It's very interesting. Um, typically the way that I've handled this before is in each of my particular models themselves, they'll have like a next like send at is typically what I've had, right? Send at and then I'll have a scheduled job or not a scheduled job, I will have a scheduled command that will go check and in that thing it says find any where the send at is previous to now and then cue that up to go run and then it updates its own u, you know, send at time stamp. But if you're doing this across multiple models and you're having to do this on a regular basis, it makes sense that you would abstract this to something that can kind of happen at a top level rather than having to create a new schedule job and invent your own convention for how you do this for every single model. Right? So this is a pretty cool idea. I've never heard of this before. Um but looks interesting. So Cadence, check that one out. Laranda is a type light panda browser SDK for Laravel. It is a headless browser built or written in Zigg if you don't know what light pander is. The package itself handles runtime resolution between the command line binary and docker profile-based instance management type typed fetch results and optional adapters for the Laravel AI SDK. So configuration is organized into named instance profiles and each profile can override the global defaults for runtime mode, binary path and docker settings making it straightforward to maintain separate profiles for general fetching, crawling and AI tool sessions. The auto runtime prefers CLI execution when a valid binary path is configured and the binary is executable and falls back to docker. Otherwise, you can also pin profiles to CLI or docker explicitly. The fetch request method will return a fetch result which is a strict uh typed object tied to the selected dump format and calling a mismatch accessor throws an exception rather than silently returning garbage data. Larapanda exposes light panda as tools for the Laravel AI SDK and the adapter is session aware. Passing the same session ID across tool calls keeps the browser session open between steps which matters for multi-step browsing tasks and potentially across multi- aent workflows as we spoke about earlier as well. And for applications using the Laravel MCP server, Larapanda provides an adapter that registers Light Panda tools with Laravel's container, applies profile-based runtime resolution, and shares the session pool and proxy policy with the AI SDK adapter. If you need to do some AIdriven um awesome tool driven browsing, then perhaps Laranda is for you. Check it out. Links in the show notes. Awesome. Hey, if you have ever used Google Sheets as a tool with your team and they manage a bunch of information through that and you've said it would be really nice if I could just pull all that stuff out of Google Sheets and utilize that inside of my application. Boy, are you in luck. This is called Laravel Google Sheets database driver. It's by Amazing BV. And what this does is it registers a custom Google Sheets connection which lets Eloquent the query builder and all your migrations read and write directly to a Google sheet. This is pretty cool because um the mental model is so simple, right? A spreadsheet is the database if you think about it like that. Each tab in that spreadsheet is a table and then the header row defines the columns. The rest is just plumbing. It's just the data, right? And that's it. So it's it does not make sense for everything, right? This is not a MySQL replacement. The package author is quite upfront about that. The intended audience is really people who have a small team with modest data needs. You've got team people on your team who are already using Google Sheets. Uh maybe it's a part of your workflow already. Non-developers want to look at or edit the data directly. Those are all instances in which this might make sense. If you need transactions or foreign keys or database level constraints, this is not the right pick for you. So keep that in mind. But getting set up is really simple. You install the package with composer. You're going to need a service account JSON key from the Google cloud. Little bit of uh walk through for how you need to do that. But with the key in hand, you set it up in your env PHP artisan sheets install one-time install command. It prepare prepares the internal tabs and that the driver uses and then you are off to the races. So, there's a couple examples inside of the writeup here. Uh, a tiny app for tracking RSVPs to a community meetup. They c they talk through how you write a schema migration, how you run that migration, and then how you make your usual calls just like you normally would RSVP create. So, it's it's not just um to read from. You can also write to the Google sheet as well, uh, which is is really handy. There are a couple limitations for what you can and can't query. Not going to go through all of it, but the main limitations are you don't get group by having unions or real transactions. Um, not something you can do. Um, you also don't get like unique or index or foreign ID constraints, but they don't fail. It's just that Google Sheets not going to enforce them. It's it doesn't have it's not a database engine, so it's not going to do that. Uh the last thing is that Google Sheets has permitt API quotas. The driver does put a few guard rails in place to sort of prevent you from having these throttlings, but be aware of that. I think that's it. It's a pretty cool package and I think it seems like a decent idea for people who are already using Google Sheets or the example that they gave of like a small community meetup thing. you just want to throw it in sheets and let somebody on your team manage it. I love it. I think it's a great idea. So, definitely check this one out. Yeah. When I saw this, I sent it straight to my boss and I said, "We can we can fix our quote tool by just hooking straight into the giant spreadsheet." Oh, yeah. Already exists. Absolutely. Mhm. It's it's great. I love it. Uh, Laravel reorderable by Richie McMullen adds a drag and drop sorting functionality to any eloquent model. It ships with a ready-made blade and livewire components, persists new positions automatically via a package route and supports scoping sort order within a parent group. The package works by applying the has sword order trait and reorderable contract to your model and the trait will automatically assign a sort position on creation and adds an ordered query scope so you fetch records in the right sequence. The package covers both rendering approaches uh being blade and livewire. You can drop an at@ include directive into blade into a blade view or use the livewire component. Both accept the same set of options. The package restricts sort operations to a parent group. So dragging tasks in one project doesn't affect tasks in another. Uh if you're using the the whole project scoping example, there is a generator command. There is authorization and events that are used as well. Um you can check all this out. By the way, we haven't mentioned this, but Eric Barnes, our fearless leader, has been putting together um these little rapidfired, you know, two two three four minute long videos for each of these articles as well. So, if you want more in depth, check them out. Links to all of it will be in the show notes. Awesome. If you happen to be one of the brave souls who is already on PHP85, we're on our way over there. Um PHP85 introduced this idea of the pipe operator. So, this is like pipe arrow. And what this does is it passes the values on its left as the arguments to the callable on its right. So it just pipes these things through. It works with any single argument callable. But PHP's built-in functions as well as Laravel's chainable classes were not designed around this PHP 85 um ability, the pipe operator. Right? So, Spasi shocker has introduced this library called Piper. And what this does is it ports Laravel's collection and string methods into a standalone curried function which will sit on the right side of these pipes. So, previously you wouldn't have had things like filter and map and values and join all these things that we use as collection methods or as even string methods, right? We have the uh str right where you get these fluent chains that you can use. Those things aren't available by default yet. They're not available. Laravel has not tagged 8.5 as a requirement for any of its versions of Laravel yet. Maybe they will in the future and maybe they'll change it at that point, but not currently. So, this piper will sort of fill in that gap. So, Laravel's collection and stringables are method chainable because you're working with a wrapper object. There's no wrapper instance. it doesn't look like each function takes an array and returns an array and then the pipe operator threads the values through the different methods that you would uh send it through. So it's a it's fits this new syntax this pipe arrow syntax and um it's a natural companion to the collection when you're already working with native values. So pretty cool. Again, if it's something that you are already using with PHP8.5, this is a great way to get all the functionality that you're used to inside of Laravel collections over to PHP85 without having to rewrite all that stuff yourself or wait for the uh Laravel team to to port it over to pipe it over. So there you go. Piper Laravel toggle is a lightweight feature flag package focused on global onoff switches. So where Laravel's first party penant package is built for user segmented rollouts and AB testing, Laravel toggle is intentionally simpler and you and skips user resolution entirely, leaving you with flags controlled by environment variables, the database or a mix of the two. The package works in PHP 8.2 and above and Laravel 11 and above and is installed via composer. If you want to use the database driver, you can publish and run migrations that are included by the package. You can define and check toggles. So first off, you will place your toggle uh your you will define your features inside the config toggle configuration file and check them through the toggle facade. Toggle inactive is a handy way for guarding behavior that should only run while a feature is off, like falling back to a plain email digest when the richer newsletter pipeline is disabled, for example. Blade templates get dedicated directives, so you don't have to wrap conditionals manually. And if you prefer type- safe identifiers, you can use a backed enum anywhere a flag name is accepted. Centralizing flag names in a feature enum keeps the autocomplete and ease of greability when it is time to retire a feature. Laravel toggle ships with two storage drivers which you can select through the toggle driver environment variable either config or database. The config driver is a read only at runtime because it values are sourced from environment variables. Whilst the database driver checks database first and falls back to the config value if no record exists. So config defaults still apply until you override them. So you've got this nice cascading thing that you could build a UI to do all this kind of stuff as well. Uh, when the database driver is active, you can enable or disable flags at runtime and an editor publishing breaking news, for example, might flip a banner on from an admin screen without touching envy or having to deploy a new version of the code. If your front end uses inertia, the included share toggles with inertia middleware exposes every toggle as a flags prop and allows you in your view, react, or spelt components to conditionally render features without requiring additional API calls. There's also a handful of artisan commands for day-to-day work, including a toggle list to inspect every defined flag, a toggle create to scaffold a new flag in your uh toggle configuration and a environment files, and a toggle cache clear to flash either all the toggle caches or a single entry. See all of the information uh in the show notes. Very cool. Uh speaking of feature flags, I just saw this yesterday. I think Cloudflare has introduced this idea of feature flags that you can use without having to like reship um your code with them if you're using Cloudflare workers. And it's using something called open feature. So open feature is these standard it's the standardized feature flag sort of I don't know standard standardizing feature flagging for everyone is what it is. And so open feature is an open specification that provides a vendor agnostic communitydriven API for feature flagging that works with your favorite feature flag management tool or in-house solution. So um openfeature.dev is where this is at. It looks very interesting. Feature flagging has been something that I feel like is it's not like it's new certainly um but it's had a lot of activity around it and a lot of different companies trying to solve this problem. And so open feature seems like a very interesting topic for someone to dig into and tell us all about at a future Laracon. I think you should talk about it. Somebody should talk about it. So open feature.dev. Check that out. Okay. Wasn't in the show notes. Laravel paper. So this is a flat file eloquent driver. Um, I was going to say that like the Google Sheets thing and this thing almost remind me of Caleb Porzio's Laravel Sushi from back in the day if you remember, but they're actually they're they're different. Uh, but if you don't know about Laravel Sushi, you should check that one out as well. But this one is Laravel paper by Jacob Jorgensson. And what this does is it brings Eloquence feature set to flat file data sources. I've read this through a couple times. Let me give you what I think is the easiest way for me to explain it. Let's say that you have a directory full of markdown or JSON files and you want to be able to easily access these using familiar syntax to you which is eloquent. Um, so how do you do this? Well, you can say I have a new model called document and this is going to use a trait called paper. And what this is going to do is it's going to map that model to a specific directory on your disk. You don't need to configure a separate database connection or run migrations to get started. It's just going to say point me at a particular path. So you have an attribute called content path and you say that is going to live this this driver this model sorry is going to live at slashcontentdocs on my local disk. Great. So once you've got that set up, you can then use your document model to query across those different flat files. So you can use standard query builder methods to filter and sort those things. Um the slug of each one of these documents will be automatically generated from the file name. So if you have something called uh initial setup or you have something called installation instructions that's the name of it you know installation- instructions you can just say document colon find installation-instructions and that will retrieve that specific page by its file name. You can also search for items by their front matter. So if you have a YAML front matter on the front of this markdown document, you can say document where contains labels and then pass an array of different labels that you want to look for. It will look through all of those different files inside of that flat file system grabbing all of them where the YAML front matter contains a label matching one of the things that you've asked and it will go retrieve all of those documents. Pretty dang cool. It also has methods for linking different flat file models. So you can define associations between those things, right? Like categories or subpages or things like that. Not only can you query for these values, you can also manage these files through Eloquent. So it supports full write capabilities. So you can call save or delete on the Eloquent model and the package will perform the corresponding file system operations. So if you say I want to look up a document and then I want to change the slug or I want to change the title or I want to change the content then call save it will actually do the file system operation to save that or you can say I want to find this document and then delete it. It will remove that file from the disk. Uh really simple to install requires PHP 8.4 and Laravel 12 or higher but pretty interesting and um I think that could be a useful one if you're trying to roll your own sort of blog or something like that. This is be something that you could use. Um, or I suppose there's a lot of things that these AI agents are using markdown for or generating markdown for. I suppose you could use something like that for those as well. Pretty neat. All right, that is called Laravel paper tutorials this week. We'll go through both of them one after the other. Continuing the MongoDB uh series that we've had over I feel like a long like months at this point. We've seen new articles about this. Laravel MongoDB full text search the art of the relevancy. There are very compelling reasons to use a full text search base uh full text search based on an inverted index and a relevancy scoring model. In Hubert Nuin's uh experience, the author of this article, the best reason is when you are actually trying to perform a search function and expect the first result to be the most relevant. That is exactly why search engines were built and he will assume that that is your main use case. So check out that if you are using MongoDB and following along with this series. And lastly, Harris Rafopoulos ship AI with Laravel. His video series is up to episode 7. This one talks about real time streaming chat UI with LiveWire. So far we've been testing the agent that we've been building through JSON routes. It returns the full reply once the AI is done and works for development, but is terrible for customers. cuz nobody wants to stare at a spinner for 5 seconds wondering if anything is happening. So in this episode, he's built a real-time chat widget where the responses stream in word by word like chat GBT and any of the other agents that you are used to using. User types a question, hit send, and the agents reply starts appearing immediately as it generates. I have links to both of those tutorials for you in the show notes. Very nice. Well folks, that is the entire show for today. Episode 259 is in the books. Find the show notes for this one at podcast.larvel-news.com/259. If you have any questions, we'd love to hear from you on xichel derinda jacob bennett or at Laravel News. And of course, if you liked the show, please rate it up. Five stars in your podcaster of choice would be incredible. Till next time, my friends, we'll see you later. See you out.