Tier: Preview. Laravel is a preview stack — Archiet generates real, idiomatic Laravel 11 code, boot-tested in CI, with cross-stack parity work ongoing relative to the four stable stacks. The output is production-shaped; review before shipping rather than treating it as runtime-certified.
What generating a Laravel app from requirements produces
app/
    Models/          User.php, Workspace.php, {Entity}.php (Eloquent + global scope)
    Http/
        Controllers/ Auth/*, {Entity}Controller.php (resource controllers)
        Requests/    Store{Entity}Request.php, Update{Entity}Request.php
        Resources/   {Entity}Resource.php (API resource, no model leaks)
        Middleware/  ResolveWorkspace.php
    Policies/        {Entity}Policy.php (authorize per action)
database/
    migrations/      one migration per entity, FK + indexes
    factories/, seeders/
routes/
    api.php          # Sanctum-protected resource routes
tests/
    Feature/         {Entity}Test.php (PHPUnit feature tests)
docker-compose.yml   # php-fpm + nginx + postgres + redis
Dockerfile
openapi.yaml
Laravel-specific patterns Archiet gets right
Tenant isolation via an Eloquent global scope — every query on a tenant-owned model is filtered automatically, so a forgotten where() can't leak another workspace's data:
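use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class Order extends Model
{
    protected static function booted(): void
    {
        // Filter every Order query by the authenticated user's workspace.
        // With no authenticated user the condition is skipped and the query runs unscoped.
        static::addGlobalScope('workspace', function (Builder $q) {
            if ($id = auth()->user()?->workspace_id) {
                $q->where('workspace_id', $id);
            }
        });
    }
}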
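The closure above adds no filter when no user is authenticated (queue jobs, artisan commands, guest requests), so those queries run across all workspaces. A fail-closed variant as a reusable scope follows; it is an added example, not Archiet's generated code, and the `App\Models\Concerns` namespace and the `WorkspaceScope` and `BelongsToWorkspace` names are assumptions.

```php
<?php

namespace App\Models\Concerns; // hypothetical namespace, not from the page

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

/**
 * Fail-closed workspace scope: with no authenticated user the query
 * matches nothing instead of running unfiltered.
 * (Shown in one file for brevity; PSR-4 autoloading wants one type per file.)
 */
class WorkspaceScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $workspaceId = auth()->user()?->workspace_id;

        if ($workspaceId === null) {
            // No tenant context: return zero rows rather than every workspace's rows.
            $builder->whereRaw('1 = 0');
            return;
        }

        // Qualify the column so joins against other tenant tables stay unambiguous.
        $builder->where($model->qualifyColumn('workspace_id'), $workspaceId);
    }
}

trait BelongsToWorkspace
{
    // Eloquent calls boot<TraitName>() once for each model class using the trait.
    public static function bootBelongsToWorkspace(): void
    {
        static::addGlobalScope(new WorkspaceScope());

        // Stamp new rows with the caller's workspace so a client-supplied
        // workspace_id cannot place a record in another tenant.
        static::creating(function (Model $model) {
            if ($id = auth()->user()?->workspace_id) {
                $model->workspace_id = $id;
            }
        });
    }
}
```

A model opts in with `use BelongsToWorkspace;`, and trusted console code that must read across tenants does so explicitly with `Order::withoutGlobalScope(WorkspaceScope::class)`, which keeps every cross-tenant query easy to find in review.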
Policy-based authorization, registered per resource:
// Allow the update only inside the user's own workspace and only for admins or managers.
public function update(User $user, Order $order): bool
{
    return $user->workspace_id === $order->workspace_id
        && $user->hasAnyRole(['admin', 'manager']);
}
Sanctum auth in httpOnly cookies. The SPA flow issues an HttpOnly; Secure; SameSite=Lax session cookie — no tokens in localStorage. CSRF is handled by Sanctum's stateful guard.
API Resources on every response. Controllers return {Entity}Resource instead of raw models, so internal columns and hidden attributes never leak. Form Requests validate input and return 422 with a consistent error shape.
PostgreSQL + real migrations. The generated config targets PostgreSQL; schema changes are versioned migrations, run with php artisan migrate. No SQLite in production config.
What is included beyond the Laravel backend
- Next.js frontend — every screen from your manifest, wired to the Sanctum SPA flow
- Docker — php-fpm + nginx + PostgreSQL + Redis via docker-compose.yml
- GitHub Actions — Pint (lint) → php artisan test → build → deploy
- Architecture docs — ADRs under docs/decisions/
- OpenAPI 3.1 spec — for client SDKs and gateways
Related
- Step-by-step walkthrough: Generate a production Laravel app from your PRD
- Template-oriented page: Laravel boilerplate generator
- All use cases: archiet.com/use-cases
FAQ
Which Laravel version does it generate?
Laravel 11 with Eloquent ORM, Sanctum authentication, and PHPUnit feature tests, targeting PHP 8.2+.
How is multi-tenancy enforced?
Through an Eloquent global scope on every tenant-owned model, so all reads are filtered by the authenticated user's workspace_id automatically — plus policy checks on writes.
Does it use API tokens or cookies?
Sanctum's SPA cookie flow: an httpOnly, Secure, SameSite cookie. No bearer tokens stored in the browser, with CSRF protection on stateful requests.
Is the Laravel stack production-ready?
It is a preview stack: real, idiomatic Laravel 11, boot-tested in CI with parity work ongoing. Use it as a strong starting point and review before production.
CTA
Generate a complete Laravel + Next.js application from your requirements — free plan, no credit card.
Describe your product, pick Laravel, and download a production-shaped codebase in about 90 seconds.
Start free at archiet.com.