Skip to content

Tighten README installation and access-control guidance for non-local environments #16

Description

@morcen

Summary

Tighten the README's installation and access-control guidance for non-local environments so users understand how to expose Omni safely outside local development.

Why

The current README explains the default viewOmni gate and shows a basic override example, but it still leaves a few important questions open for real deployments:

  • how to use Omni behind authentication middleware
  • how to think about non-local or staging environments
  • how to disable Omni entirely
  • how to change the path from /omni
  • how to balance convenience with safety when enabling command-backed actions

Since access control is the most sensitive part of this package, the docs should be extra explicit here.

Current Implementation Notes

Relevant docs/config:

  • README.md
  • config/omni.php
  • src/OmniServiceProvider.php
  • src/Http/Middleware/AuthorizeOmni.php

The README already covers:

  • package installation
  • config publishing
  • the default viewOmni gate
  • a sample gate override
  • middleware configuration at a high level

The missing piece is practical guidance for using Omni anywhere other than a purely local setup.

Proposed Scope

Improve the README with clearer guidance for:

Safe installation and exposure

  • local-only usage versus staging/production usage
  • requiring authentication middleware in non-local environments
  • using a restrictive viewOmni gate with real application auth logic
  • disabling Omni completely with OMNI_ENABLED=false

Common configuration paths

  • changing the URI path with OMNI_PATH
  • layering middleware such as web and auth
  • turning off unfinished modules with feature flags where appropriate

Expectations and guardrails

  • explain that Omni includes read-only diagnostics plus a small number of command-backed workflow helpers
  • call out that access control should be reviewed before enabling the package outside local development
  • add a short example configuration for a safer non-local setup

Acceptance Criteria

  • the README includes a practical non-local setup section
  • docs clearly explain viewOmni, middleware, path, and enabled
  • docs include at least one safer example for authenticated/admin-only access
  • the guidance is clear enough for first-time package users evaluating whether Omni is safe for their environment

Nice To Have

  • add a short troubleshooting note for common "why am I getting 403/404?" questions
  • include a small "recommended defaults" snippet for staging or internal admin use

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions