- Bump laravel/framework ^12.56.0 → ^13.0 (installed v13.4.0)
- Bump laravel/tinker ^2.11.1 → ^3.0 (L13 compat)
- Bump spatie/laravel-backup ^9.4.1 → ^10.0 (L13 compat)
- Rename VerifyCsrfToken → PreventRequestForgery in all 5 Filament Panel Providers
- Add serializable_classes config to cache.php for ExternalIdentity model
- Temporarily remove laracord/framework + he4rt/bot-discord (pins illuminate ^12.0, fork update pending)
📝 Walkthrough
This pull request updates multiple components of the application. The Filament admin, event, guest, partner, and user panel providers all replace the CSRF token verification middleware with the request forgery prevention middleware. The composer.json file receives multiple dependency updates including a major version bump for Laravel framework (to ^13.4), Laravel tinker (to ^3.0), and spatie laravel-backup (to ^10.2.1), along with several minor and patch updates. Two packages—he4rt/bot-discord and laracord/framework—are removed from the dependencies. Additionally, a new serializable classes configuration entry is added to the cache configuration to whitelist the ExternalIdentity class for unserialization.
Actionable comments posted: 1
🧹 Nitpick comments (1)
config/cache.php (1)
131-133: Consider migrating this cache payload away from full Eloquent objects.
This whitelist is fine for the upgrade, but `app/Http/Middleware/VerifyIfHasTenantProviderMiddleware.php:28-35` is still caching `ExternalIdentity` models directly. A follow-up to cache the id or a small array would reduce config coupling and lines up with Laravel's recommendation to prefer non-object cache payloads when possible. (laravel.com)
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@composer.json`:
- Around line 32-44: Remove the orphaned Composer script named "bot" that runs
"@php artisan bot:boot" from composer.json's "scripts" section; locate the "bot"
entry in the scripts object and delete that key (or replace it with a valid
command if intended), ensuring no references remain to the non-existent artisan
command "bot:boot" so composer scripts no longer fail.
---
Nitpick comments:
In `@config/cache.php`:
- Around line 131-133: The cache currently stores full Eloquent ExternalIdentity
models (see VerifyIfHasTenantProviderMiddleware::handle in
app/Http/Middleware/VerifyIfHasTenantProviderMiddleware where ExternalIdentity
is cached), which couples configuration to model internals; change the
middleware to cache a scalar or small array instead (e.g., ExternalIdentity->id
or ['id'=>..., 'provider'=>...] ), update any consumers to hydrate the model
only when needed, and keep ExternalIdentity::class in
config/cache.php::'serializable_classes' only for transitional cases or remove
it once all cached payloads are converted to non-object scalars/arrays.
⛔ Files ignored due to path filters (1)
- composer.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
- app/Providers/Filament/AdminPanelProvider.php
- app/Providers/Filament/EventPanelProvider.php
- app/Providers/Filament/GuestPanelProvider.php
- app/Providers/Filament/PartnerPanelProvider.php
- app/Providers/Filament/UserPanelProvider.php
- composer.json
- config/cache.php
| "laravel/framework": "^13.4", | ||
| "laravel/nightwatch": "^1.26.1", | ||
| "laravel/sanctum": "^4.3.1", | ||
| "laravel/telescope": "^5.20.0", | ||
| "laravel/tinker": "^2.11.1", | ||
| "laravel/tinker": "^3.0", | ||
| "league/flysystem-sftp-v3": "^3.33.0", | ||
| "livewire/flux": "^2.13.2", | ||
| "marvinlabs/laravel-discord-logger": "^1.4.4", | ||
| "monicahq/laravel-cloudflare": "^4.1", | ||
| "owenvoke/blade-fontawesome": "^3.2.2", | ||
| "predis/predis": "^3.4.2", | ||
| "ryangjchandler/commonmark-blade-block": "^1.1.1", | ||
| "spatie/laravel-backup": "^9.4.1", | ||
| "spatie/laravel-backup": "^10.2.1", |
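Review bot: the constraints on the laravel/framework and spatie/laravel-backup lines do not match the PR description, which states ^13.0 and ^10.0 while these lines carry "^13.4" and "^10.2.1"; update the description or relax the constraints so the recorded minimum is the intended one. composer.lock is excluded from this review by the path filter, so the versions actually resolved behind the framework, tinker and laravel-backup major bumps are not visible here. Attaching the output of composer audit, or a summary of the lock changes, to the PR would close that gap.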
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Expectation:
# - At least one local Artisan command still defines `bot:boot`, OR
# - the Composer script should be removed/updated.
echo "Searching for a local definition of the bot:boot command..."
rg -nP -C2 "(AsCommand\\s*\\(.*bot:boot|protected\\s+\\$signature\\s*=\\s*['\"]bot:boot['\"]|public\\s+\\$signature\\s*=\\s*['\"]bot:boot['\"])" --glob '!vendor/**'
echo
echo "Showing the Composer script entry that still points at bot:boot..."
rg -nP -C1 '"bot"\s*:\s*"@php artisan bot:boot"' composer.json
Repository: he4rt/heartdevs.com
Length of output: 186
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Checking composer.json line 117 area ==="
sed -n '110,125p' composer.json
echo
echo "=== Searching for bot:boot command definitions ==="
# Search for any Artisan command with bot:boot signature
rg "bot:boot" --glob '!vendor/**' -n
echo
echo "=== Checking app/Console/Commands directory ==="
if [ -d "app/Console/Commands" ]; then
  ls -la app/Console/Commands/ | head -20
else
  echo "Directory app/Console/Commands does not exist"
fi
Repository: he4rt/heartdevs.com
Length of output: 1318
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching for files with 'bot' in name ==="
find . -type f -name "*bot*" -o -name "*Bot*" 2>/dev/null | grep -v vendor | grep -v node_modules || echo "No files found"
echo
echo "=== Searching for class definitions with 'bot' keyword ==="
rg "class.*[Bb]ot|namespace.*[Bb]ot" --glob '!vendor/**' -i -n || echo "No matches found"
echo
echo "=== Checking if bot commands exist elsewhere (e.g., in packages) ==="
rg "bot:boot" --glob 'vendor/**' -l | head -5 || echo "No matches in vendor"
echo
echo "=== Looking at git log to see what was removed ==="
git log --oneline -1 2>/dev/null || echo "Git not available"
echo
echo "=== Checking what bot-related packages exist in composer.json (removed or present) ==="
rg '"(.*bot.*|.*Bot.*)"' composer.json -i -A0 || echo "No bot packages found"
Repository: he4rt/heartdevs.com
Length of output: 4947
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Checking BotDiscordServiceProvider for command registration ==="
cat -n app-modules/bot-discord/src/Providers/BotDiscordServiceProvider.php
echo
echo "=== Searching for bot:boot command definition in entire codebase ==="
rg "bot:boot|'bot'" app-modules/bot-discord/ -n -C3
echo
echo "=== Checking if Artisan command with signature bot:boot exists ==="
rg "protected.*\\\$signature|public.*\\\$signature" app-modules/bot-discord/ -A1 -n
echo
echo "=== Listing all PHP files in bot-discord Commands directory ==="
find app-modules/bot-discord/src/Commands -name "*.php" -type f 2>/dev/null | xargs -I {} bash -c "echo '=== {} ===' && head -20 {}"
Repository: he4rt/heartdevs.com
Length of output: 1581
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Checking for Laracord package in composer.json ==="
rg "laracord" composer.json -i -n
echo
echo "=== Looking at git diff for changes to composer.json ==="
git diff HEAD~1 composer.json 2>/dev/null | head -100 || echo "Git diff not available"
echo
echo "=== Checking all require-dev packages ==="
rg '"[^"]+":' composer.json | grep -A 50 '"require-dev"' | head -60
Repository: he4rt/heartdevs.com
Length of output: 117
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Checking entire require-dev section in current composer.json ==="
sed -n '/^[[:space:]]*"require-dev"/,/^[[:space:]]*}/p' composer.json | head -80
echo
echo "=== Attempting to get the previous version of composer.json ==="
git show HEAD~1:composer.json 2>/dev/null | sed -n '/^[[:space:]]*"require-dev"/,/^[[:space:]]*}/p' | head -80 || echo "Cannot get previous version"
echo
echo "=== Searching for what package provides bot:boot command ==="
rg "bot:boot" app-modules/ -B5 -A5 || echo "Not found in app-modules"
Repository: he4rt/heartdevs.com
Length of output: 1124
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching for artisan:command or Command class that defines bot:boot ==="
rg "class.*Command|protected.*signature.*=.*['\"]bot" app-modules/bot-discord/ -n -C2
echo
echo "=== Checking if there's a base Command class or boot command anywhere ==="
find . -type f -name "*.php" -path "*/Commands/*" ! -path "*/vendor/*" ! -path "*/node_modules/*" -exec grep -l "bot:boot\|signature.*bot" {} \;
echo
echo "=== Checking Makefile for context ==="
sed -n '95,110p' Makefile
echo
echo "=== Searching for 'laracord' in the entire codebase ==="
rg "laracord|Laracord" --glob '!vendor/**' -i -n | head -20
Repository: he4rt/heartdevs.com
Length of output: 6791
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching entire composer.json for any 'laracord' reference ==="
cat composer.json | grep -i laracord || echo "No laracord found in current composer.json"
echo
echo "=== Confirming: is Laracord a package that provides Artisan commands? ==="
web_search "Laracord Laravel Discord package bot:boot command"
Repository: he4rt/heartdevs.com
Length of output: 316
🌐 Web query:
Laracord Laravel package bot:boot Artisan command
💡 Result:
No bot:boot Artisan command exists in Laracord. The primary command to boot/start the Discord bot is php laracord (no arguments). Laracord uses a custom binary laracord (built on Laravel Zero) rather than standard php artisan. Known console commands from official docs:
- php laracord - Boots the bot
- php laracord bot:admin - Adds a Discord user as bot admin
- php laracord tinker - Opens Tinker REPL
- php laracord list - Lists all available commands
- php laracord make:command - Generates a bot command
- php laracord make:slash-command - Generates a slash command
- php laracord app:build - Builds production PHAR
To see the full list in a Laracord project: php laracord list. Sources confirm no bot:boot; it may be confused with php laracord or bot:admin.
Citations:
- 1: https://github.com/laracord/laracord
- 2: https://laracord.com/docs/installation
- 3: https://laracord.com/
- 4: https://laracord.com/docs/2.x/installation
- 5: https://laracord.com/docs/commands
- 6: https://github.com/laracord/laracord.com/blob/main/content/docs/2.x/slash-commands.md
- 7: https://github.com/laracord/framework
- 8: https://laracord.com/docs/slash-commands
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Final verification: searching for ANY definition of bot:boot command ==="
rg "bot.boot|bot:boot|'bot'|\"bot\"" . --glob '!vendor/**' -n | grep -v "composer.json\|Makefile\|^Binary"
echo
echo "=== Checking if there's a BootBot or similar command class ==="
find . -type f -name "*Bot*.php" ! -path "*/vendor/*" ! -path "*/node_modules/*" -exec grep -l "protected.*\$signature\|public.*\$signature" {} \;
echo
echo "=== Listing all files in app/Console/Commands ==="
ls -la app/Console/Commands/
Repository: he4rt/heartdevs.com
Length of output: 565
Remove the orphaned bot Composer script.
The script at line 117 references @php artisan bot:boot, but this command does not exist in the codebase. No local Artisan command defines bot:boot, and the Laracord package (which the bot-discord module depends on) is not in composer.json and does not provide this command anyway. The script will fail when executed.
Convert $table and $fillable properties to PHP 8 attributes (#[Table], #[Fillable]) across all Eloquent models.
Fork updated to support Laravel 13 illuminate constraints. Added danielhe4rt/tinker-zero fork as VCS repository.
Summary
- `laravel/framework` from `^12.56.0` to `^13.0` (installed v13.4.0)
- `laravel/tinker` from `^2.11.1` to `^3.0` and `spatie/laravel-backup` from `^9.4.1` to `^10.0` (L13 compatibility)
- `VerifyCsrfToken` → `PreventRequestForgery` middleware in all 5 Filament Panel Providers (L13 canonical name)
- `serializable_classes` to `config/cache.php` with `ExternalIdentity::class` (L13 cache security hardening)
- `laracord/framework` + `he4rt/bot-discord` (fork pins `illuminate/* ^12.0`, needs separate update)
Breaking Change Analysis
All L13 breaking changes were analyzed against the codebase. Only two required code changes:
- `VerifyCsrfToken` deprecated in favor of `PreventRequestForgery`
- `ExternalIdentity` Eloquent objects; L13 blocks arbitrary unserialization by default
No impact from: queue events, pagination views, Container::call, upsert validation, model boot, domain routing, Js::from unicode, Str factories, Manager extend binding, HTTP client signatures.
Follow-up
- `danielhe4rt/laracord-framework` fork to support `illuminate/* ^12.0|^13.0`
- `laracord/framework` + `he4rt/bot-discord` to `composer.json`
- `/admin`, `/app`, `/partner`, `/event`, `/`)
Test plan
- `vendor/bin/pint --dirty` — pass
- `vendor/bin/phpstan analyse` — 0 errors (excluding bot-discord module, expected)
- `vendor/bin/rector --dry-run` — pass
- `vendor/bin/pest --compact` — 128/128 non-bot tests pass, 600 assertions
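An added example, not code from this PR or from Laravel: PHP's own `unserialize()` `allowed_classes` option shows the allow-list behaviour that the `serializable_classes` entry is described as providing, and why the reviewer's suggestion to cache an id or small array needs no entry at all. The `ExternalIdentity` stand-in, `UnlistedPayload` and `decodeCached()` are hypothetical names, and that Laravel applies its list in this way is an assumption.

```php
<?php
// Added illustration. ExternalIdentity is a stand-in for the project's model,
// UnlistedPayload and decodeCached() are hypothetical names.
declare(strict_types=1);

final class ExternalIdentity
{
    public function __construct(public int $id, public string $provider) {}
}

final class UnlistedPayload
{
    public string $note = 'constructed sample';
}

/** Decode a cache payload, instantiating only classes on the allow-list. */
function decodeCached(string $payload, array $allowed): mixed
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);
    // A class off the list comes back as an inert __PHP_Incomplete_Class.
    // This checks the top-level value only, not objects nested in arrays.
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('cache payload holds a class that is not allow-listed');
    }
    return $value;
}

$allowed = [ExternalIdentity::class];

// 1. Allow-listed object: restored as a real instance.
$identity = decodeCached(serialize(new ExternalIdentity(42, 'discord')), $allowed);
var_dump($identity instanceof ExternalIdentity);

// 2. Any other class: rejected instead of being instantiated.
try {
    decodeCached(serialize(new UnlistedPayload()), $allowed);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. Scalar/array payload: decodes with an empty allow-list.
$compact = serialize(['id' => $identity->id, 'provider' => $identity->provider]);
$row = decodeCached($compact, []);
var_dump($row === ['id' => 42, 'provider' => 'discord']);
```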