project://ordain-delegation

[04/08]

open-source

LIVE

Ordain Delegation

Permission Delegation Package

PHP 8.2+Laravel 11/12Spatie PermissionBlade DirectivesArtisan Commands

// Overview

A Laravel package that extends Spatie Permission to answer "What can this user GRANT?" rather than just "What can they DO?". Adds hierarchical delegation with escalation prevention, user creation quotas, and comprehensive audit logging. While Spatie Permission handles role/permission assignment, Ordain adds a delegation layer that validates authority BEFORE allowing assignments. Features Blade directives (@canDelegate, @canAssignRole), route macros, and 5 Artisan commands. Built with DelegationScope value objects for immutable authorization boundaries.

// Metrics

PHPStan: Level 9

// On this page

→ Features
→ Architecture

✦✦✦✦✦✦✦✦Features✦✦✦✦✦✦✦✦

Key Features

Major features and technical achievements.

[01]

Escalation Prevention

Automatic boundary enforcement on delegation

Validates delegator possesses permissions
Blocks privilege escalation attempts
Automatic permission boundary checking

[02]

Domain Events

Comprehensive audit trail support

Role and permission delegation events
Unauthorized attempt logging
Easy integration with audit systems

[03]

Octane Compatible

Stateless design for high-performance environments

No request state pollution
Scoped service bindings
Cache-optimized lookups

[04]

Developer Experience

Blade directives and route macros for seamless integration

@canDelegate / @canAssignRole Blade directives
->canDelegate() and ->canAssignRole() route macros
Delegation facade with fluent API
IDE-friendly type hints throughout

[05]

CLI Administration

Artisan commands for delegation management

delegation:install - Interactive setup wizard
delegation:show {user} - Display delegation scope
delegation:assign - Role assignment via CLI
delegation:health - System validation check

[06]

Granular Quotas

User creation limits and boundary controls

maxManageableUsers per manager
Configurable root admin bypass
Hierarchical oversight enforcement
Automatic quota validation

════════Architecture════════

System Design

Architectural patterns and design decisions.

HTTP

→ Middleware
→ Route Protection

Services

→ DelegationService
→ Authorizer

Domain

→ DelegationScope
→ Events
→ Exceptions

Infrastructure

→ Repositories
→ Spatie Adapter
→ Cache

System Architecture

Design Patterns

Contract-First Design

Interface Segregation

All services depend on contracts (DelegationServiceInterface, AuthorizerInterface). Enables easy testing with mocks and swapping implementations without changing consumers.

Authorization Guard

Decorator Pattern

Authorizer wraps delegation operations, validating every action before execution. Separation of authorization logic from business logic.

Domain Events

Event Sourcing Lite

Six distinct events capture delegation lifecycle. Enables audit trails, notifications, and external system integration without coupling.

Repository Pattern

Data Access Abstraction

RoleRepository and PermissionRepository abstract Spatie Permission internals. Isolates domain from ORM specifics.

Value Objects

DelegationScope Container

DelegationScope encapsulates delegation boundaries (canManageUsers, maxManageableUsers, assignableRoleIds, assignablePermissionIds) as an immutable value object. Ensures consistent authorization state across the application.

← Back to all projects

project://ordain-delegation

[04/08]

open-source

LIVE

Ordain Delegation

Permission Delegation Package

PHP 8.2+Laravel 11/12Spatie PermissionBlade DirectivesArtisan Commands

View Source

// Overview

// Metrics

PHPStan: Level 9

// On this page

→ Features
→ Architecture

✦✦✦✦✦✦✦✦Features✦✦✦✦✦✦✦✦

Key Features

Major features and technical achievements.

[01]

Escalation Prevention

Automatic boundary enforcement on delegation

Validates delegator possesses permissions
Blocks privilege escalation attempts
Automatic permission boundary checking

[02]

Domain Events

Comprehensive audit trail support

Role and permission delegation events
Unauthorized attempt logging
Easy integration with audit systems

[03]

Octane Compatible

Stateless design for high-performance environments

No request state pollution
Scoped service bindings
Cache-optimized lookups

[04]

Developer Experience

Blade directives and route macros for seamless integration

@canDelegate / @canAssignRole Blade directives
->canDelegate() and ->canAssignRole() route macros
Delegation facade with fluent API
IDE-friendly type hints throughout

[05]

CLI Administration

Artisan commands for delegation management

delegation:install - Interactive setup wizard
delegation:show {user} - Display delegation scope
delegation:assign - Role assignment via CLI
delegation:health - System validation check

[06]

Granular Quotas

User creation limits and boundary controls

maxManageableUsers per manager
Configurable root admin bypass
Hierarchical oversight enforcement
Automatic quota validation

════════Architecture════════

System Design

Architectural patterns and design decisions.

HTTP

→ Middleware
→ Route Protection

Services

→ DelegationService
→ Authorizer

Domain

→ DelegationScope
→ Events
→ Exceptions

Infrastructure

→ Repositories
→ Spatie Adapter
→ Cache

System Architecture

Design Patterns

Contract-First Design

Interface Segregation

All services depend on contracts (DelegationServiceInterface, AuthorizerInterface). Enables easy testing with mocks and swapping implementations without changing consumers.

Authorization Guard

Decorator Pattern

Authorizer wraps delegation operations, validating every action before execution. Separation of authorization logic from business logic.

Domain Events

Event Sourcing Lite

Six distinct events capture delegation lifecycle. Enables audit trails, notifications, and external system integration without coupling.

Repository Pattern

Data Access Abstraction

RoleRepository and PermissionRepository abstract Spatie Permission internals. Isolates domain from ORM specifics.

Value Objects

DelegationScope Container

← Back to all projects