Architecture overview

Everything lives under the Padosoft\Iam\ namespace in src/, organized by domain. This page is the map;
each subsystem has its own deep page.

The domains

```mermaid
flowchart TB
  subgraph Identity
    ID["Identity/<br/>users · Session · Assurance · Federation"]
    ORG["Organizations/<br/>tenants"]
  end
  subgraph Policy
    APP["Applications/<br/>Registry + Manifest"]
    PDP["Authorization/Pdp/<br/>NativeSqlEngine"]
  end
  subgraph Trust
    OAUTH["OAuth/<br/>league + OIDC"]
    CRYPTO["Crypto/<br/>keys · cipher"]
    AUDIT["Audit/<br/>hash-chain · outbox · PII"]
  end
  GOV["Governance/<br/>Reviews · Requests · Recommendations"]
  HTTP["Http/Admin/<br/>controllers · middleware"]
  OBS["Observability/<br/>health · tracer"]
  HTTP --> PDP
  HTTP --> APP
  HTTP --> GOV
  HTTP --> AUDIT
  APP --> PDP
  ID --> PDP
  ORG --> PDP
  OAUTH --> ID
  CRYPTO --> OAUTH
  CRYPTO --> AUDIT
  PDP --> AUDIT
  GOV --> AUDIT
```

Subsystem map

| Namespace | Responsibility | Deep page |
|---|---|---|
| Domain/Identity/ | Users, server-side Session/, Assurance/ (AAL), Federation/, Models/ | Sessions & step-up |
| Domain/Organizations/ | Tenant/org isolation | Multi-tenancy |
| Domain/Applications/ | Application Registry + Manifest/ (validate, diff, apply, registry) | Manifests |
| Domain/Authorization/Pdp/ | The PDP — NativeSqlEngine, ConditionEvaluator, DecisionQuery, Decision | PDP pipeline |
| Domain/Crypto/ | LocalKeyProvider (envelope encryption), LocalSecretCipher (encrypt/decrypt/shred) | Configuration |
| Domain/OAuth/ | IdP on league/oauth2-server + Oidc/ (MIT) | OAuth & OIDC |
| Domain/Audit/ | Hash-chain, Export/, Webhooks/, Outbox/, Pii/, Events/ | Tamper-evident audit |
| Domain/Governance/ | Reviews/, Requests/, Recommendations/, NativeFeatureScope | Access reviews |
| Http/Admin/ | Controllers + Middleware/ (iam.admin_auth/iam.can/iam.idempotency) | Admin API |
| Observability/ | HealthCheck, Tracer/NullTracer/LogTracer | Observability |

Implementing the contracts

The server is the reference implementation of laravel-iam-contracts:

| Contract | Server implementation |
|---|---|
| AuthorizationEngine | NativeSqlEngine |
| KeyProvider | LocalKeyProvider |
| SecretCipher | LocalSecretCipher |
| FeatureScope | NativeFeatureScope |

Consumers depend on the contracts, not on the server internals — which is what lets the
clients and SDKs talk to it over a stable interface.

A request, end to end

```mermaid
sequenceDiagram
  participant App
  participant Mw as iam.can middleware
  participant Ctl as Admin controller
  participant PDP as NativeSqlEngine
  participant Aud as Audit chain
  App->>Mw: request (Bearer token)
  Mw->>PDP: authorize caller (iam:permission)
  PDP-->>Mw: allow / deny
  Mw->>Ctl: (if allowed)
  Ctl->>PDP: domain decision / mutation
  Ctl->>Aud: append audit event (same tx)
  Ctl-->>App: { data: ... }
```

Note the PDP appears twice: once to authorize the admin caller (via iam.can), and once for the domain
operation. The Admin API authorizes itself with the same engine it exposes.
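The controller half of that sequence, as an added illustration that is not code from laravel-iam or laravel-iam-contracts: the interface shapes, the permission string and the table name are assumptions, while DB::transaction and abort() are Laravel's own. The point it shows is the "same tx" step: the mutation and the audit append either both commit or both roll back.

```php
<?php
// Added example, not the project's code. The two interfaces below are
// ASSUMED stand-ins for the real contracts; their method names may differ.

use Illuminate\Support\Facades\DB;

// Hypothetical shape of the AuthorizationEngine contract (assumed).
interface AuthorizationEngine
{
    public function decide(string $subject, string $permission, ?string $resource = null): bool;
}

// Hypothetical shape of the audit chain writer (assumed).
interface AuditChain
{
    public function append(string $event, array $payload): void;
}

final class RevokeRoleAction
{
    public function __construct(
        private AuthorizationEngine $pdp,   // same engine iam.can already consulted for the caller
        private AuditChain $audit,
    ) {}

    public function __invoke(string $actor, string $userId, string $role): array
    {
        // Second PDP call: the domain decision, separate from the caller check in iam.can.
        // 'iam:users.roles.revoke' is a hypothetical permission name.
        if (!$this->pdp->decide($actor, 'iam:users.roles.revoke', $userId)) {
            abort(403);
        }

        // Mutation and audit append share one transaction: if the audit write fails
        // (for example a hash-chain constraint), the revocation rolls back as well,
        // so no state change can exist without its audit event.
        return DB::transaction(function () use ($actor, $userId, $role): array {
            DB::table('iam_user_roles')            // hypothetical table name
                ->where('user_id', $userId)
                ->where('role', $role)
                ->delete();

            $this->audit->append('user.role.revoked', [
                'actor' => $actor, 'user' => $userId, 'role' => $role,
            ]);

            return ['data' => ['user' => $userId, 'role' => $role, 'revoked' => true]];
        });
    }
}
```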
