laravel-iam-bridge-spatie-permission
padosoft/laravel-iam-bridge-spatie-permission is the migration path off
spatie/laravel-permission onto
Laravel IAM — an Identity & Authorization control plane.
It treats migration as an observation problem before it is a switch: you scan your existing roles and
permissions (read-only), turn them into an IAM manifest, run both authorities side by side, record only
the decisions where they disagree, and cut over only once that diff is clean — with a rollback that is a
single environment variable away.
You never flip authorization blindly. During the shadow phase Spatie keeps deciding for real and IAM
decides in parallel; the bridge logs only the mismatches. Nobody is ever blocked or let in by IAM until you
explicitly switch to enforce.
The three phases
- Inventory —
iam:spatie:scanreads your Spatie roles/permissions (touches nothing) and
iam:spatie:manifestturns them into alaravel-iam.manifest.v2. - Shadow — Spatie keeps deciding;
ShadowGateevaluates IAM in parallel on everyGatecheck and logs
the divergences asiam.shadow.mismatch. - Enforce — once the mismatch log is clean (or every entry is explained), flip
IAM_SPATIE_MODE=enforce. IAM becomes the authority; Spatie stays a read-only cache. Rollback = flip it
back.
Why this exists
spatie/laravel-permission is an excellent in-app RBAC library — until you outgrow it. Multiple apps, a real
audit trail, ABAC/ReBAC conditions, governance and access reviews, an OAuth/OIDC provider: that is a
control plane, and that is Laravel IAM. But you cannot just flip authorization for a live application and
hope. One wrong mapping locks people out of production — or, worse, lets them in. This bridge makes the move
boring and reversible.
Ecosystem
This package is one piece of Laravel IAM. The other consumable packages:
| Package | Role |
|---|---|
| laravel-iam-contracts | Shared contracts/interfaces + DTOs (PDP, KeyProvider, Assurance, FeatureScope) — the dependency root |
| laravel-iam-server | The IAM server: identity, org, Application Registry + manifest, PDP (RBAC+ABAC+ReBAC), OAuth/OIDC, tamper-evident audit, IGA, Admin API + panel |
| laravel-iam-client | Laravel client for consumer apps: OIDC login, JWT/JWKS verification, introspection, iam.auth/iam.can middleware, Gate adapter, policy cache, webhook receiver |
| laravel-iam-bridge-spatie-permission (this repo) | Migration bridge off spatie/laravel-permission (scan, manifest, shadow mode, cutover, rollback) |
| laravel-iam-ai | Optional AI module, advisory-only (redaction + hallucination-guard + audit) on a sovereign transport |
| laravel-iam-directory | Optional Directory module: LDAP / Active Directory (LdapRecord) |
| laravel-iam-node | Node/TS client SDK — thin + fail-closed |
| laravel-iam-react-native | React Native client SDK — thin + hooks |
| laravel-iam-rust | Rust client SDK — async + blocking, fail-closed |
Where to next
- Quickstart — install and run your first scan.
- Core concepts — the mental model.
- Migration runbook → Cutover & rollback — the full reversible flow.
- Reference → CLI — every command and option.