What this prompt does
This prompt makes the model a senior Laravel engineer and asks for complete, PSR-12-compliant code with file paths rather than fragments. It defines six deliverables: a migration and Eloquent model with correct column types, casts, and a deliberately set fillable/guarded, FormRequest classes for store and update with real validation rules and authorize() logic, an API Resource and collection shaping responses to your chosen format, a resourceful controller with pagination and consistent JSON errors, a Policy enforcing per-record authorization wired to the auth model, and PHPUnit feature tests covering the happy path, validation failure, and an unauthorized-access case. The structure works because it puts Form Requests, Resources, and a Policy in from the start rather than bolting them on later.
Four variables drive it. [resource] names the API resource and its fields, like articles with title, body, author, and published_at. [laravel_version] sets the framework target, such as Laravel 12. [auth] chooses the authentication mechanism, like Sanctum token auth, which the Policy wires to. [response_shape] defines the envelope, such as data-wrapped JSON with meta pagination. The unauthorized-access test in deliverable six is the load-bearing part: a missing policy check is the leak that hurts, so generating that test guards against it. Setting fillable/guarded deliberately on the model matters too, since mass-assignment slips are easy and quiet.
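As an added illustration (not output from the prompt and not code from the page), this is the kind of Policy and unauthorized-access feature test the paragraph above treats as load-bearing, extended with a check that a mass-assigned owner field is ignored. It assumes an `articles` resource owned through a `user_id` column, Sanctum auth, an `/api/articles/{id}` route, update rules that accept `title` and `body`, and the file paths and class names shown.

```php
<?php
// Two files shown together (assumed paths): app/Policies/ArticlePolicy.php
// and tests/Feature/ArticleAuthorizationTest.php.
namespace App\Policies;

use App\Models\Article;
use App\Models\User;

class ArticlePolicy
{
    // Per-record rule: only the owning user may update the article.
    public function update(User $user, Article $article): bool
    {
        return $user->id === $article->user_id;
    }
}

namespace Tests\Feature;

use App\Models\Article;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class ArticleAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_non_owner_cannot_update_article(): void
    {
        $article = Article::factory()->create(['user_id' => User::factory(), 'title' => 'Original']);
        Sanctum::actingAs(User::factory()->create()); // authenticated, but not the owner
        $this->putJson("/api/articles/{$article->id}", ['title' => 'Changed', 'body' => 'x'])
            ->assertForbidden();
        // A 403 must also mean that no write happened.
        $this->assertDatabaseHas('articles', ['id' => $article->id, 'title' => 'Original']);
    }

    public function test_owner_cannot_reassign_ownership_through_request_body(): void
    {
        $owner = User::factory()->create();
        $article = Article::factory()->create(['user_id' => $owner->id]);
        Sanctum::actingAs($owner);
        // user_id is not in the validated, fillable set, so it must be dropped.
        $payload = ['title' => 'Edited', 'body' => 'x', 'user_id' => User::factory()->create()->id];
        $this->putJson("/api/articles/{$article->id}", $payload)->assertOk();
        $this->assertDatabaseHas('articles', ['id' => $article->id, 'user_id' => $owner->id]);
    }
}
```

The first test fails if the controller or FormRequest never invokes the policy; the second fails if `user_id` reaches the model through `$fillable` or an unguarded update.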
When to use it
- You are building a production Laravel REST API and want it structured correctly from the start.
- You want Form Requests, API Resources, and a Policy generated together, not bolted on later.
- Per-record authorization matters and you want a test that proves it.
- A consistent response envelope with pagination meta is part of the contract.
- You need PHPUnit feature tests covering happy path, validation failure, and unauthorized access.
- You want PSR-12-compliant code delivered with explicit file paths.
Example output
Expect each file in its own fenced block headed by its path, targeting [laravel_version]. A migration and Eloquent model for [resource] set column types, casts, and fillable/guarded deliberately; store and update FormRequests carry real rules and authorize() logic; an API Resource and collection shape responses to [response_shape]; a resourceful controller adds pagination and consistent JSON errors; a Policy enforces per-record authorization wired to [auth]; and PHPUnit feature tests cover the happy path, a validation failure, and an unauthorized-access case. It is PSR-12-compliant, buildable code you drop into a Laravel project.
Pro tips
- Spell out [resource] fields precisely, since they drive the migration columns, casts, and validation rules.
- Match [laravel_version] to your project so generated syntax and conventions line up with your installed framework.
- Set [auth] to your real mechanism so the Policy wires to the correct auth model.
- Always keep the unauthorized-access test; a missing policy check is the leak that hurts most.
- Set fillable/guarded intentionally on the model, because mass-assignment slips are easy and quiet.
- If the [response_shape] envelope drifts, re-run specifying the exact data and meta structure you require.