bherila · bherila · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,116 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions:
+  contents: read
+
+jobs:
+  changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      php: ${{ steps.filter.outputs.php }}
+      js: ${{ steps.filter.outputs.js }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: dorny/paths-filter@v4
+        id: filter
+        with:
+          filters: |
+            php:
+              - 'php/**'
+              - 'composer.json'
+              - 'composer.lock'
+              - 'phpunit.xml'
+              - '.github/workflows/**'
+            js:
+              - 'ui/**'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - '.github/workflows/**'
+
+  php:
+    name: PHP package (bherila/auth-laravel)
+    needs: changes
+    if: needs.changes.outputs.php == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.5'
+          extensions: mbstring, xml, ctype, iconv, sqlite3, bcmath, intl
+          coverage: none
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v5
+        with:
+          path: vendor
+          key: composer-${{ hashFiles('composer.json') }}
+          restore-keys: composer-
+
+      - name: Install Composer dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run PHPUnit
+        run: composer test
+
+  js:
+    name: JS package (bwh-auth)
+    needs: changes
+    if: needs.changes.outputs.js == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 8
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v6
+        with:
+          version: 11
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Type-check
+        run: pnpm --filter bwh-auth run typecheck
+
+      - name: Build
+        run: pnpm --filter bwh-auth run build
+
+  result:
+    name: CI result
+    needs: [changes, php, js]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check result
+        run: |
+          for r in "${{ needs.changes.result }}" "${{ needs.php.result }}" "${{ needs.js.result }}"; do
+            if [[ "$r" == "failure" || "$r" == "cancelled" ]]; then
+              echo "A required job failed: $r"
+              exit 1
+            fi
+          done
+          echo "Required checks passed or no matching paths changed."
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,6 @@
 node_modules/
 ui/node_modules/
-laravel/vendor/
+php/vendor/
 /vendor/
 /composer.lock
 .phpunit.result.cache

diff --git a/README.md b/README.md
@@ -4,12 +4,12 @@ Shared authentication packages for BWH Laravel/Vite applications.
 
 This repository contains:
 
-- `ui`: npm package `bwh-auth` for React auth UI and browser WebAuthn helpers.
-- `laravel`: Composer package `bherila/auth-laravel` for Laravel auth services, passkeys, migrations, routes, and extension contracts.
+- `ui`: pnpm package `bwh-auth` for React auth UI and browser WebAuthn helpers.
+- `php`: Composer package `bherila/auth-laravel` for Laravel auth services, passkeys, migrations, routes, and extension contracts. Its manifest is the repository-root `composer.json` (required for Composer VCS resolution); the source lives under `php/`.
 
 The packages intentionally keep app-specific policy outside the shared core. Apps decide whether a user can log in, where they go after login, and how audit events are recorded.
 
-Laravel apps that own their primary `/login` route must wire package opt-in features into that controller. For example, enabling the audit-log-backed throttle config does not by itself enforce lockout on a custom login controller; the app must call the Laravel package's throttle trait or contract before attempting credentials. See `laravel/README.md`.
+Laravel apps that own their primary `/login` route must wire package opt-in features into that controller. For example, enabling the audit-log-backed throttle config does not by itself enforce lockout on a custom login controller; the app must call the Laravel package's throttle trait or contract before attempting credentials. See `php/README.md`.
 
 ## UI Installation
 

diff --git a/composer.json b/composer.json
@@ -23,12 +23,12 @@
   },
   "autoload": {
     "psr-4": {
-      "BWH\\Auth\\": "laravel/src/"
+      "BWH\\Auth\\": "php/src/"
     }
   },
   "autoload-dev": {
     "psr-4": {
-      "BWH\\Auth\\Tests\\": "laravel/tests/"
+      "BWH\\Auth\\Tests\\": "php/tests/"
     }
   },
   "scripts": {

diff --git a/laravel/composer.json b/laravel/composer.json