Add PHP SDK (Laravel, Symfony, plain PHP)#131
Merged
Merged
Conversation
A thin PHP client (`cachix/secretspec`) that mirrors the other language SDKs' builder API and resolves secrets through the one Rust core, so it inherits every provider with no PHP-side logic. It reaches the resolver over the shared JSON envelope through two native backends, preferring whichever is available: - the `secretspec-php-native` extension (ext-php-rs), which embeds the resolver and works under PHP-FPM with no `ffi.enable`, like `ext-redis`; and - a runtime `ext-ffi` fallback that dlopens the `secretspec-ffi` library. The Composer manifest is the repo-root `composer.json` (so Packagist can read it straight from the monorepo) with `vendor-dir` pointing into `secretspec-php/` so the tooling stays there. `vendor/bin/secretspec-install-lib` fetches the ext-ffi library on demand. Covered by phpunit (both backends) plus the shared cross-language conformance fixtures. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Wire PHP into conformance/run.sh and scripts/ci-sdks.sh so every push exercises it against a freshly built resolver: the cross-language conformance fixtures via the ext-ffi backend, and the full phpunit suite under both the ext-ffi fallback and the native extension. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Publish the client straight from the monorepo — Packagist reads the repo-root composer.json, so there is no split/mirror repo, workflow, or token. php-ext.yml builds prebuilt extension binaries per PHP minor x platform and attaches them to the release; ffi-build.yml also attaches the per-target secretspec-ffi library (with a sha256) that the SDK's install-lib command downloads. RELEASE.md documents the one-time Packagist registration and the known gaps. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the PHP SDK doc page (quick start plus Laravel, Symfony, and plain-PHP integration, typed access, and the two native backends), and list PHP in the SDK overview, the docs sidebar, the landing page, and the README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
secretspec | 3e3cc6f | Commit Preview URL Branch Preview URL |
Jul 14 2026, 02:43 PM |
The `cargo test --all` Windows job tried to build secretspec-php-native, which ext-php-rs cannot build on the bare runner (no PHP dev toolchain, and it rejects the runner's PHP version); exclude that crate there — the PHP SDK is covered by sdks.yml. Fix php-ext.yml's matrix so php x target actually cross-products (the old form only produced Windows jobs), and scope it to Linux + macOS; a Windows extension build is deferred to a follow-up (Windows users have the ext-ffi backend), noted in RELEASE.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The macOS linker errors on the undefined Zend symbols a PHP extension leaves for dlopen time, failing the extension build (ld: symbol(s) not found for arm64). Add a build.rs that passes `-undefined dynamic_lookup` on macOS only (the flag pyo3 and ext-php-rs need); Linux/ELF is unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Capture the ordering the live Packagist + release-asset paths need (merge, register, dev-main smoke, tag, then verify both backends against the real release) — the steps CI cannot exercise until a tag exists. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Give Native one authority for the platform cdylib file name and have the ext-ffi installer reuse it, so the downloaded copy and the loader can no longer drift. Collapse the list-of-one library-name lookup, borrow the request JSON as &str across the native boundary, and factor the repeated builder wiring and request-field setters into shared helpers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #129.
Adds a PHP SDK for SecretSpec, covering plain PHP, Laravel, and Symfony.
Design
A thin PHP client (
cachix/secretspec) mirroring the other SDKs' builder API. Itresolves through the one Rust core over the shared JSON envelope, so it inherits
every provider with no PHP-side logic. It has two native backends and prefers
whichever is available:
secretspec-php-native— an ext-php-rsextension that embeds the resolver. No
ffi.enable, works under PHP-FPM likeext-redis— the recommended path for Laravel/Symfony.ext-ffi— dlopens thesecretspec-ffilibrary at runtime. Nothing tocompile; ideal for CLI and local dev.
Application code is identical either way.
Tests
as_path,setAsEnv,invalid manifest) — passes under both backends.
canonical result as every other SDK.
sdks.yml(both backends) andconformance/run.sh.Publishing (no new infrastructure)
manifest is the repo-root
composer.json(withvendor-dirpointing intosecretspec-php/), which Packagist reads directly — no split/mirror repo, notoken, no workflow. One-time setup is documented in
RELEASE.md.php-ext.ymlbuilds prebuilt binaries per PHPminor × platform.
ffi-build.ymlattaches the per-target cdylib; the SDK'svendor/bin/secretspec-install-libfetches it on demand (fail-soft, opt-in).Notes / known gaps
portability caveat the Ruby/Python jobs carry.
source, which does not fit a Cargo extension); documented in
RELEASE.md.docs/src/content/docs/sdk/php.mdcovers Laravel, Symfony, and plain PHP.🤖 Generated with Claude Code