offload-project
diff --git a/‎src/Facades/Mandate.php‎
Lines changed: 4 additions & 0 deletions b/‎src/Facades/Mandate.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Mandate.php‎
Lines changed: 343 additions & 0 deletions b/‎src/Mandate.php‎
Lines changed: 343 additions & 0 deletions
@@ -14,6 +14,7 @@
 use OffloadProject\Mandate\Contracts\Role as RoleContract;
 use OffloadProject\Mandate\Mandate as MandateService;
 use OffloadProject\Mandate\MandateRegistrar;
+use OffloadProject\Mandate\SyncResult;
 
 /**
  * Facade for the Mandate service.
@@ -70,6 +71,9 @@
  * @method static CapabilityContract findOrCreateCapability(string $name, ?string $guard = null)
  * @method static Collection<int, CapabilityContract> getAllCapabilities(?string $guard = null)
  *
+ * Sync (programmatic equivalent of mandate:sync command):
+ * @method static SyncResult sync(bool $permissions = false, bool $roles = false, bool $capabilities = false, bool $seed = false, ?string $guard = null)
+ *
  * Utility:
  * @method static bool clearCache()
  * @method static MandateRegistrar getRegistrar()
 
@@ -7,11 +7,17 @@
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Collection;
+use OffloadProject\Mandate\CodeFirst\DefinitionCache;
+use OffloadProject\Mandate\CodeFirst\DefinitionDiscoverer;
 use OffloadProject\Mandate\Concerns\HasRoles;
 use OffloadProject\Mandate\Contracts\Capability as CapabilityContract;
 use OffloadProject\Mandate\Contracts\FeatureAccessHandler;
 use OffloadProject\Mandate\Contracts\Permission as PermissionContract;
 use OffloadProject\Mandate\Contracts\Role as RoleContract;
+use OffloadProject\Mandate\Events\CapabilitiesSynced;
+use OffloadProject\Mandate\Events\MandateSynced;
+use OffloadProject\Mandate\Events\PermissionsSynced;
+use OffloadProject\Mandate\Events\RolesSynced;
 use OffloadProject\Mandate\Models\Capability;
 use OffloadProject\Mandate\Models\Permission;
 use OffloadProject\Mandate\Models\Role;
@@ -649,6 +655,343 @@ public function getAuthorizationData(?Authenticatable $subject = null, ?Model $c
         return $data;
     }
 
+    /**
+     * Sync code-first definitions to the database and optionally seed assignments.
+     *
+     * This method programmatically performs the same operations as the `mandate:sync` command.
+     *
+     * @param  bool  $permissions  Sync only permissions (if true without roles/capabilities, only permissions are synced)
+     * @param  bool  $roles  Sync only roles (if true without permissions/capabilities, only roles are synced)
+     * @param  bool  $capabilities  Sync only capabilities (if true without permissions/roles, only capabilities are synced)
+     * @param  bool  $seed  Seed role-permission and role-capability assignments from config
+     * @param  string|null  $guard  Sync for a specific guard only
+     *
+     * @throws RuntimeException If code-first mode is not enabled (unless using seed-only mode)
+     */
+    public function sync(
+        bool $permissions = false,
+        bool $roles = false,
+        bool $capabilities = false,
+        bool $seed = false,
+        ?string $guard = null,
+    ): SyncResult {
+        $codeFirstEnabled = (bool) config('mandate.code_first.enabled', false);
+        $seedOnly = $seed && ! $permissions && ! $roles && ! $capabilities;
+
+        // Allow seed to work without code-first enabled
+        if (! $codeFirstEnabled && ! $seedOnly) {
+            throw new RuntimeException('Code-first mode is not enabled. Set mandate.code_first.enabled to true.');
+        }
+
+        $permissionsCreated = 0;
+        $permissionsUpdated = 0;
+        $rolesCreated = 0;
+        $rolesUpdated = 0;
+        $capabilitiesCreated = 0;
+        $capabilitiesUpdated = 0;
+
+        $syncAll = ! $permissions && ! $roles && ! $capabilities && ! $seedOnly;
+
+        // Determine what to sync (skip if seed-only mode)
+        $syncPermissions = $codeFirstEnabled && ($syncAll || $permissions);
+        $syncRoles = $codeFirstEnabled && ($syncAll || $roles);
+        $syncCapabilities = $codeFirstEnabled && ($syncAll || $capabilities) && $this->capabilitiesEnabled();
+
+        // Only instantiate code-first dependencies when actually needed
+        if ($syncPermissions || $syncRoles || $syncCapabilities) {
+            $discoverer = app(DefinitionDiscoverer::class);
+            $cache = app(DefinitionCache::class);
+
+            // Sync permissions
+            if ($syncPermissions) {
+                $result = $this->syncDefinitionsToDatabase($discoverer, 'permissions', $guard);
+                $permissionsCreated = $result['created'];
+                $permissionsUpdated = $result['updated'];
+            }
+
+            // Sync roles
+            if ($syncRoles) {
+                $result = $this->syncDefinitionsToDatabase($discoverer, 'roles', $guard);
+                $rolesCreated = $result['created'];
+                $rolesUpdated = $result['updated'];
+            }
+
+            // Sync capabilities
+            if ($syncCapabilities) {
+                $result = $this->syncDefinitionsToDatabase($discoverer, 'capabilities', $guard);
+                $capabilitiesCreated = $result['created'];
+                $capabilitiesUpdated = $result['updated'];
+            }
+
+            // Clear definition cache
+            $cache->forget();
+        }
+
+        // Seed assignments if requested
+        $assignmentsSeeded = false;
+        if ($seed) {
+            $this->seedAssignmentsFromConfig($guard);
+            $assignmentsSeeded = true;
+        }
+
+        // Clear permission cache (always needed after any sync/seed operation)
+        $this->registrar->forgetCachedPermissions();
+
+        // Dispatch events only when actual sync operations were performed
+        $anySyncPerformed = $syncPermissions || $syncRoles || $syncCapabilities;
+
+        if ($anySyncPerformed) {
+            // Create event objects
+            $permissionsEvent = new PermissionsSynced($permissionsCreated, $permissionsUpdated, collect());
+            $rolesEvent = new RolesSynced($rolesCreated, $rolesUpdated, collect());
+            $capabilitiesEvent = $syncCapabilities
+                ? new CapabilitiesSynced($capabilitiesCreated, $capabilitiesUpdated, collect())
+                : null;
+
+            // Dispatch individual events only for types that were actually synced
+            if ($syncPermissions) {
+                event($permissionsEvent);
+            }
+            if ($syncRoles) {
+                event($rolesEvent);
+            }
+            if ($capabilitiesEvent) {
+                event($capabilitiesEvent);
+            }
+
+            // Dispatch combined event
+            event(new MandateSynced($permissionsEvent, $rolesEvent, $capabilitiesEvent));
+        }
+
+        return new SyncResult(
+            permissionsCreated: $permissionsCreated,
+            permissionsUpdated: $permissionsUpdated,
+            rolesCreated: $rolesCreated,
+            rolesUpdated: $rolesUpdated,
+            capabilitiesCreated: $capabilitiesCreated,
+            capabilitiesUpdated: $capabilitiesUpdated,
+            assignmentsSeeded: $assignmentsSeeded,
+        );
+    }
+
+    /**
+     * Sync definitions to the database for a given entity type.
+     *
+     * @param  'permissions'|'roles'|'capabilities'  $entityType
+     * @return array{created: int, updated: int}
+     */
+    private function syncDefinitionsToDatabase(
+        DefinitionDiscoverer $discoverer,
+        string $entityType,
+        ?string $guard
+    ): array {
+        $paths = config("mandate.code_first.paths.{$entityType}", []);
+        $paths = is_array($paths) ? $paths : [$paths];
+
+        // Discover definitions based on entity type
+        $definitions = match ($entityType) {
+            'permissions' => $discoverer->discoverPermissions($paths),
+            'roles' => $discoverer->discoverRoles($paths),
+            'capabilities' => $discoverer->discoverCapabilities($paths),
+        };
+
+        // Filter by guard if specified
+        if ($guard !== null) {
+            $definitions = $definitions->filter(fn ($d) => $d->guard === $guard);
+        }
+
+        // Get the model class and check for label column
+        $modelConfigKey = match ($entityType) {
+            'permissions' => 'permission',
+            'roles' => 'role',
+            'capabilities' => 'capability',
+        };
+        $defaultClass = match ($entityType) {
+            'permissions' => Permission::class,
+            'roles' => Role::class,
+            'capabilities' => Capability::class,
+        };
+
+        /** @var class-string<Permission|Role|Capability> $modelClass */
+        $modelClass = config("mandate.models.{$modelConfigKey}", $defaultClass);
+        $hasLabelColumn = $modelClass::hasLabelColumn();
+
+        $created = 0;
+        $updated = 0;
+
+        foreach ($definitions as $definition) {
+            $existing = $modelClass::query()
+                ->where('name', $definition->name)
+                ->where('guard', $definition->guard)
+                ->first();
+
+            if ($existing) {
+                $needsUpdate = false;
+                $updates = [];
+
+                if ($hasLabelColumn) {
+                    if ($definition->label !== null && $existing->label !== $definition->label) {
+                        $updates['label'] = $definition->label;
+                        $needsUpdate = true;
+                    }
+                    if ($definition->description !== null && $existing->description !== $definition->description) {
+                        $updates['description'] = $definition->description;
+                        $needsUpdate = true;
+                    }
+                }
+
+                if ($needsUpdate) {
+                    $existing->update($updates);
+                    $updated++;
+                }
+            } else {
+                $attributes = [
+                    'name' => $definition->name,
+                    'guard' => $definition->guard,
+                ];
+
+                if ($hasLabelColumn) {
+                    $attributes['label'] = $definition->label;
+                    $attributes['description'] = $definition->description;
+                }
+
+                $modelClass::query()->create($attributes);
+                $created++;
+            }
+        }
+
+        return ['created' => $created, 'updated' => $updated];
+    }
+
+    /**
+     * Seed role-permission and role-capability assignments from config.
+     */
+    private function seedAssignmentsFromConfig(?string $guard): void
+    {
+        /** @var array<string, array{permissions?: array<string>, capabilities?: array<string>}> $assignments */
+        $assignments = config('mandate.assignments', []);
+
+        if (empty($assignments)) {
+            return;
+        }
+
+        $roleGuard = $guard ?? config('auth.defaults.guard', 'web');
+
+        /** @var class-string<Role> $roleClass */
+        $roleClass = config('mandate.models.role', Role::class);
+        /** @var class-string<Permission> $permissionClass */
+        $permissionClass = config('mandate.models.permission', Permission::class);
+        /** @var class-string<Capability> $capabilityClass */
+        $capabilityClass = config('mandate.models.capability', Capability::class);
+
+        // Collect all unique names needed
+        $roleNames = array_keys($assignments);
+        $allPermissionNames = [];
+        $allCapabilityNames = [];
+
+        foreach ($assignments as $assignment) {
+            if (! empty($assignment['permissions'])) {
+                $allPermissionNames = array_merge($allPermissionNames, $assignment['permissions']);
+            }
+            if (! empty($assignment['capabilities'])) {
+                $allCapabilityNames = array_merge($allCapabilityNames, $assignment['capabilities']);
+            }
+        }
+
+        $allPermissionNames = array_unique($allPermissionNames);
+        $allCapabilityNames = array_unique($allCapabilityNames);
+
+        // Batch fetch existing roles
+        /** @var Collection<int, Role> $existingRoles */
+        $existingRoles = $roleClass::query()
+            ->whereIn('name', $roleNames)
+            ->where('guard', $roleGuard)
+            ->get()
+            ->keyBy('name');
+
+        // Create missing roles
+        $rolesMap = [];
+        foreach ($roleNames as $roleName) {
+            if ($existingRoles->has($roleName)) {
+                $rolesMap[$roleName] = $existingRoles->get($roleName);
+            } else {
+                $rolesMap[$roleName] = $roleClass::create([
+                    'name' => $roleName,
+                    'guard' => $roleGuard,
+                ]);
+            }
+        }
+
+        // Batch fetch existing permissions (skip if none needed)
+        $permissionsMap = [];
+        if (! empty($allPermissionNames)) {
+            /** @var Collection<int, Permission> $existingPermissions */
+            $existingPermissions = $permissionClass::query()
+                ->whereIn('name', $allPermissionNames)
+                ->where('guard', $roleGuard)
+                ->get()
+                ->keyBy('name');
+
+            // Create missing permissions
+            foreach ($allPermissionNames as $permissionName) {
+                if ($existingPermissions->has($permissionName)) {
+                    $permissionsMap[$permissionName] = $existingPermissions->get($permissionName);
+                } else {
+                    $permissionsMap[$permissionName] = $permissionClass::create([
+                        'name' => $permissionName,
+                        'guard' => $roleGuard,
+                    ]);
+                }
+            }
+        }
+
+        // Batch fetch existing capabilities (if enabled)
+        $capabilitiesMap = [];
+        if ($this->capabilitiesEnabled() && ! empty($allCapabilityNames)) {
+            /** @var Collection<int, Capability> $existingCapabilities */
+            $existingCapabilities = $capabilityClass::query()
+                ->whereIn('name', $allCapabilityNames)
+                ->where('guard', $roleGuard)
+                ->get()
+                ->keyBy('name');
+
+            foreach ($allCapabilityNames as $capabilityName) {
+                if ($existingCapabilities->has($capabilityName)) {
+                    $capabilitiesMap[$capabilityName] = $existingCapabilities->get($capabilityName);
+                } else {
+                    $capabilitiesMap[$capabilityName] = $capabilityClass::create([
+                        'name' => $capabilityName,
+                        'guard' => $roleGuard,
+                    ]);
+                }
+            }
+        }
+
+        // Assign permissions and capabilities to roles
+        foreach ($assignments as $roleName => $assignment) {
+            /** @var Role $role */
+            $role = $rolesMap[$roleName];
+
+            // Sync permissions
+            if (! empty($assignment['permissions'])) {
+                $permissionIds = array_map(
+                    fn (string $name) => $permissionsMap[$name]->getKey(),
+                    $assignment['permissions']
+                );
+                $role->permissions()->syncWithoutDetaching($permissionIds);
+            }
+
+            // Sync capabilities
+            if ($this->capabilitiesEnabled() && ! empty($assignment['capabilities'])) {
+                $capabilityIds = array_map(
+                    fn (string $name) => $capabilitiesMap[$name]->getKey(),
+                    $assignment['capabilities']
+                );
+                $role->capabilities()->syncWithoutDetaching($capabilityIds);
+            }
+        }
+    }
+
     /**
      * Handle the case when feature handler is not available.
      */