feat!: use assignments to seed roles and permissions without code-fir… (#29)

Refactored the role/permission assignments configuration to make it work independently of code-first mode. The assignments configuration is moved from mandate.code_first.assignments to mandate.assignments at the top level, and the --seed flag now works even when code-first is disabled.

Changes:
- Moved assignments configuration from mandate.code_first.assignments to top-level mandate.assignments
- Enabled --seed flag to work without code-first mode enabled (seed-only mode)
- Updated command logic to skip code-first syncing when running in seed-only mode

Author: shavonn

README.md

@@ -1076,30 +1076,33 @@ The sync is **additive only** — it never deletes database records to prevent d
 
 ### Seeding Role Assignments
 
-Configure role-permission assignments in the config file:
+Configure role-permission assignments in the config file. This works with **both code-first and database-only workflows**:
 
 ```php
 // config/mandate.php
-'code_first' => [
-    'enabled' => true,
-    'assignments' => [
-        'admin' => [
-            'permissions' => ['article:*', 'user:*'],
-            'capabilities' => ['content-management'],
-        ],
-        'editor' => [
-            'permissions' => ['article:view', 'article:edit'],
-        ],
+'assignments' => [
+    'admin' => [
+        'permissions' => ['article:*', 'user:*'],
+        'capabilities' => ['content-management'],
+    ],
+    'editor' => [
+        'permissions' => ['article:view', 'article:edit'],
     ],
 ],
 ```
 
-Then sync with the `--seed` flag:
+Then seed with the `--seed` flag:
 
 ```bash
 php artisan mandate:sync --seed
 ```
 
+The `--seed` flag will **automatically create** any roles, permissions, or capabilities that don't exist in the database, then assign permissions to roles as configured. This makes it easy to define your entire RBAC structure in config.
+
+**Behavior based on code-first setting:**
+- **Code-first enabled**: Syncs PHP class definitions to database first, then seeds assignments
+- **Code-first disabled**: Only seeds assignments (useful for database-only workflows)
+
 ### Label and Description Columns
 
 To store labels and descriptions in the database, publish and run the metadata migration:
@@ -1247,6 +1250,12 @@ Event::listen(MandateSynced::class, function ($event) {
 });
 ```
 
+### Assignments Configuration
+
+| Option        | Default | Description                                                                |
+|---------------|---------|----------------------------------------------------------------------------|
+| `assignments` | `[]`    | Role-permission/capability assignments (works with or without code-first)  |
+
 ### Code-First Configuration Options
 
 | Option                          | Default                                | Description                              |
@@ -1255,7 +1264,6 @@ Event::listen(MandateSynced::class, function ($event) {
 | `code_first.paths.permissions`  | `app_path('Permissions')`              | Directory to scan for permission classes |
 | `code_first.paths.roles`        | `app_path('Roles')`                    | Directory to scan for role classes       |
 | `code_first.paths.capabilities` | `app_path('Capabilities')`             | Directory to scan for capability classes |
-| `code_first.assignments`        | `[]`                                   | Role-permission/capability assignments   |
 | `code_first.typescript_path`    | `resource_path('js/types/mandate.ts')` | Default output path for TypeScript types |
 | `feature_generator`             | `null`                                 | Custom feature generator class           |
 

UPGRADE.md

@@ -185,6 +185,14 @@ return [
 ```php
 // config/mandate.php
 return [
+    // Role-permission assignments (works with or without code-first)
+    'assignments' => [
+        'admin' => [
+            'permissions' => ['user:*', 'article:*'],
+            'capabilities' => ['user-management'],
+        ],
+    ],
+
     // Code-first is now optional (disabled by default)
     'code_first' => [
         'enabled' => false,
@@ -193,12 +201,6 @@ return [
             'roles' => app_path('Roles'),
             'capabilities' => app_path('Capabilities'),
         ],
-        'assignments' => [
-            'admin' => [
-                'permissions' => ['user:*', 'article:*'],
-                'capabilities' => ['user-management'],
-            ],
-        ],
         'typescript_path' => resource_path('js/types/mandate.ts'),
     ],
 

config/mandate.php

@@ -78,6 +78,27 @@
         'on_missing_handler' => 'deny',
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Role Assignments
+    |--------------------------------------------------------------------------
+    |
+    | Define role-permission and role-capability assignments for seeding.
+    | Use `php artisan mandate:sync --seed` to apply these assignments.
+    | This works with both code-first and database-only workflows.
+    |
+    */
+
+    'assignments' => [
+        // 'admin' => [
+        //     'permissions' => ['user:*', 'article:*'],
+        //     'capabilities' => ['user-management'],
+        // ],
+        // 'editor' => [
+        //     'permissions' => ['article:view', 'article:edit'],
+        // ],
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Code-First Definitions
@@ -89,7 +110,6 @@
     |
     | enabled: Whether code-first mode is active
     | paths: Directories to scan for definition classes
-    | assignments: Role-permission and role-capability assignments for seeding
     |
     */
 
@@ -102,16 +122,6 @@
             'capabilities' => app_path('Capabilities'),
         ],
 
-        'assignments' => [
-            // 'admin' => [
-            //     'permissions' => ['user:*', 'article:*'],
-            //     'capabilities' => ['user-management'],
-            // ],
-            // 'editor' => [
-            //     'permissions' => ['article:view', 'article:edit'],
-            // ],
-        ],
-
         'typescript_path' => resource_path('js/types/mandate.ts'),
     ],
 

src/Commands/SyncCommand.php

@@ -54,7 +54,14 @@ public function handle(
         DefinitionCache $cache,
         MandateRegistrar $registrar
     ): int {
-        if (! config('mandate.code_first.enabled', false)) {
+        $codeFirstEnabled = config('mandate.code_first.enabled', false);
+        $seedOnly = $this->option('seed')
+            && ! $this->option('permissions')
+            && ! $this->option('roles')
+            && ! $this->option('capabilities');
+
+        // Allow --seed to work without code-first enabled
+        if (! $codeFirstEnabled && ! $seedOnly) {
             $this->components->error('Code-first mode is not enabled. Set mandate.code_first.enabled to true.');
 
             return self::FAILURE;
@@ -71,16 +78,16 @@ public function handle(
         $isDryRun = (bool) $this->option('dry-run');
         /** @var string|null $guard */
         $guard = $this->option('guard') ?: null;
-        $syncAll = ! $this->option('permissions') && ! $this->option('roles') && ! $this->option('capabilities');
+        $syncAll = ! $this->option('permissions') && ! $this->option('roles') && ! $this->option('capabilities') && ! $seedOnly;
 
         if ($isDryRun) {
             $this->components->info('Dry run mode - no changes will be made.');
         }
 
-        // Determine what to sync
-        $syncPermissions = $syncAll || $this->option('permissions');
-        $syncRoles = $syncAll || $this->option('roles');
-        $syncCapabilities = ($syncAll || $this->option('capabilities')) && config('mandate.capabilities.enabled', false);
+        // Determine what to sync (skip if seed-only mode)
+        $syncPermissions = $codeFirstEnabled && ($syncAll || $this->option('permissions'));
+        $syncRoles = $codeFirstEnabled && ($syncAll || $this->option('roles'));
+        $syncCapabilities = $codeFirstEnabled && ($syncAll || $this->option('capabilities')) && config('mandate.capabilities.enabled', false);
 
         // Discover and sync
         if ($syncPermissions) {
@@ -414,7 +421,7 @@ private function syncCapability(
      */
     private function seedAssignments(?string $guard): void
     {
-        $assignments = config('mandate.code_first.assignments', []);
+        $assignments = config('mandate.assignments', []);
 
         if (empty($assignments)) {
             return;
@@ -438,28 +445,43 @@ private function seedAssignments(?string $guard): void
                 ->where('guard', $roleGuard)
                 ->first();
 
-            if (! $role) {
-                $this->components->warn("Role '{$roleName}' not found, skipping assignments.");
-
-                continue;
+            if ($role === null) {
+                $role = $roleClass::create([
+                    'name' => $roleName,
+                    'guard' => $roleGuard,
+                ]);
+                $this->components->twoColumnDetail(
+                    '  <fg=green>Created role</>',
+                    $roleName
+                );
             }
 
             // Sync permissions
             if (! empty($assignment['permissions'])) {
                 /** @var array<string> $permissionNames */
                 $permissionNames = $assignment['permissions'];
-                $permissionIds = collect($permissionNames)
-                    ->map(function (string $name) use ($permissionClass, $roleGuard) {
-                        /** @var Permission|null $permission */
-                        $permission = $permissionClass::query()
-                            ->where('name', $name)
-                            ->where('guard', $roleGuard)
-                            ->first();
-
-                        return $permission?->getKey();
-                    })
-                    ->filter()
-                    ->all();
+                $permissionIds = [];
+
+                foreach ($permissionNames as $permissionName) {
+                    /** @var Permission|null $permission */
+                    $permission = $permissionClass::query()
+                        ->where('name', $permissionName)
+                        ->where('guard', $roleGuard)
+                        ->first();
+
+                    if ($permission === null) {
+                        $permission = $permissionClass::create([
+                            'name' => $permissionName,
+                            'guard' => $roleGuard,
+                        ]);
+                        $this->components->twoColumnDetail(
+                            '  <fg=green>Created permission</>',
+                            $permissionName
+                        );
+                    }
+
+                    $permissionIds[] = $permission->getKey();
+                }
 
                 if (! empty($permissionIds)) {
                     $role->permissions()->syncWithoutDetaching($permissionIds);
@@ -474,18 +496,28 @@ private function seedAssignments(?string $guard): void
             if (config('mandate.capabilities.enabled', false) && ! empty($assignment['capabilities'])) {
                 /** @var array<string> $capabilityNames */
                 $capabilityNames = $assignment['capabilities'];
-                $capabilityIds = collect($capabilityNames)
-                    ->map(function (string $name) use ($capabilityClass, $roleGuard) {
-                        /** @var Capability|null $capability */
-                        $capability = $capabilityClass::query()
-                            ->where('name', $name)
-                            ->where('guard', $roleGuard)
-                            ->first();
-
-                        return $capability?->getKey();
-                    })
-                    ->filter()
-                    ->all();
+                $capabilityIds = [];
+
+                foreach ($capabilityNames as $capabilityName) {
+                    /** @var Capability|null $capability */
+                    $capability = $capabilityClass::query()
+                        ->where('name', $capabilityName)
+                        ->where('guard', $roleGuard)
+                        ->first();
+
+                    if ($capability === null) {
+                        $capability = $capabilityClass::create([
+                            'name' => $capabilityName,
+                            'guard' => $roleGuard,
+                        ]);
+                        $this->components->twoColumnDetail(
+                            '  <fg=green>Created capability</>',
+                            $capabilityName
+                        );
+                    }
+
+                    $capabilityIds[] = $capability->getKey();
+                }
 
                 if (! empty($capabilityIds)) {
                     $role->capabilities()->syncWithoutDetaching($capabilityIds);