fix(auth): Set sanctum as default guard in config/auth.php

[kevalyq]

Summary

Updates config/auth.php to set sanctum as the default guard instead of web, aligning configuration with SecPal's API-only, token-based architecture.

Changes

• ✅ Changed default guard: 'web' → 'sanctum'
• ✅ Added explicit sanctum guard configuration to guards array
• ✅ Updated documentation comments explaining API-only architecture
• ✅ Self-documenting: Config now clearly shows React PWA + Bearer token architecture

Why This Matters

Before: Config defaulted to web guard (semantically incorrect for API-only app)
After: Config defaults to sanctum guard (matches actual authentication mechanism)

Benefits:

• Self-documenting configuration (future developers immediately see "API-only, token-based")
• Consistent with User model $guard_name = 'sanctum' (Add $guard_name property to User model #129)
• Aligns config with actual authentication mechanism (all routes use auth:sanctum)
• Prevents confusion about authentication mechanism

Review Notes: Guard Usage in Routes

Question: Are explicit auth:sanctum guard specifications in routes still necessary after this change?

Answer: ✅ YES - They should REMAIN.

Reasoning:

1. Best Practice: Explicit guard specification is recommended in Laravel
2. Self-Documenting: Makes the intent clear (API token-based authentication)
3. No Ambiguity: Prevents accidental fallback to wrong guard
4. Future-Proof: If we add other guards, explicit specification prevents confusion

Current Routes (CORRECT):

Route::middleware('auth:sanctum')->group(function () {
    // Protected API endpoints
});

Don't Change To:

Route::middleware('auth')->group(function () {  // ❌ Implicit - less clear
    // Protected API endpoints
});

Conclusion: Keep explicit auth:sanctum in routes. This PR only aligns the config with reality - it doesn't change the explicit route specifications (which are best practice).

Testing

• ✅ All 207 tests passing (no behavior change)
• ✅ PHPStan Level Max: 0 errors
• ✅ Laravel Pint: Clean
• ✅ REUSE 3.3: Compliant
• ✅ Preflight script: Passed

Specific Tests Verified

# Full test suite
ddev exec php artisan test
# Result: 207 passed (623 assertions)

# RoleApiTest (uses permissions with sanctum guard)
ddev exec php artisan test --filter=RoleApiTest
# Result: 24 passed

# AuthTest (token generation)
ddev exec php artisan test --filter=AuthTest
# Result: 18 passed

Related Issues

• Fixes Set sanctum as default guard in config/auth.php #134
• Part of: [EPIC] Migrate Permission System from 'web' to 'sanctum' Guard #125 (EPIC: Migrate Permission System to sanctum guard)
• Depends on: Add $guard_name property to User model #129 (User model already declares sanctum guard) ✅
• Follows: fix(tests): Migrate permission system from web to sanctum guard #133 (Tests and User model already use sanctum) ✅

Implementation Notes

Why keep web guard?

• Laravel requires it for default password reset flow
• We only use it for password reset email verification (stateless token-based)
• NOT used for actual authentication sessions

No Breaking Changes:

• Config change only - no code behavior change
• All authentication already uses auth:sanctum middleware
• User model already has $guard_name = 'sanctum'
• Tests already create permissions with guard_name='sanctum'

Checklist

• TDD: Tests written first (no new tests needed - config aligns with existing tests)
• All tests pass (207 tests, 623 assertions)
• PHPStan Level Max: 0 errors
• Laravel Pint: Clean
• REUSE 3.3: Compliant
• CHANGELOG.md updated (in same commit)
• Documentation comments updated
• No --no-verify bypass used
• One topic only (configuration change)
• Self-reviewed using 4-pass review strategy

PR Size

• Lines Changed: 39 lines (config + CHANGELOG)
• Complexity: Low (configuration alignment)
• Risk: Very low (aligns config with existing code)

---

Category: Configuration / Architecture
Effort: 15 minutes
Impact: Self-documenting configuration, architectural clarity

[github-actions]

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

• 💰 Saves CI runtime and Copilot review credits
• 🎯 Automatically sets linked issues to "🚧 In Progress" status
• 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

1. Click "Still in progress? Convert to draft" in the sidebar, OR
2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊

[Copilot]

Pull Request Overview

This PR updates the default authentication guard configuration to match the actual authentication mechanism used throughout the application. SecPal uses Laravel Sanctum for stateless API token authentication, and this change makes the configuration explicitly reflect that architecture.

Key changes:

• Changed default guard from 'web' to 'sanctum' in config/auth.php
• Added explicit sanctum guard configuration to the guards array
• Updated documentation comments to clearly explain the API-only, token-based architecture

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
config/auth.php	Changed default guard to 'sanctum', added sanctum guard configuration, and updated documentation comments to explain API-only architecture
CHANGELOG.md	Documented the configuration change with comprehensive details about the alignment with existing authentication patterns

[github-actions]

💡 Tip: Consider Using Draft PRs

Benefits of opening PRs as drafts initially:

• 💰 Saves CI runtime and Copilot review credits
• 🎯 Automatically sets linked issues to "🚧 In Progress" status
• 🚀 Mark "Ready for review" when done to trigger full CI pipeline

How to convert:

1. Click "Still in progress? Convert to draft" in the sidebar, OR
2. Use gh pr ready when ready for review

This is just a friendly reminder - feel free to continue as is! 😊