fix: correct 3 documentation inaccuracies against source code

Emre Akay · claude · Emre Akay · commit 3a0cfc732dd3 · 2026-02-05T14:39:13.000+03:00
- Remove fictitious Policies section (src/Policies/ doesn't exist, Gate::policy() removed)
- Replace with Gate::before integration docs reflecting actual service provider code
- Add missing ?OrganizationNode $organizationNode property to RoleSwitchedEvent docs
- Fix allWithoutAAuthOrganizationNodeScope() to show as instance method, not static

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.ai/guidelines/core.blade.php b/.ai/guidelines/core.blade.php
@@ -9,7 +9,7 @@
 - **ABAC**: Model-level attribute filtering with JSON rules applied via global scopes
 - **Automatic Data Filtering**: Global scopes filter data based on user's authorized organization nodes
 - **Middleware**: Route-level permission, role, and organization scope protection
-- **Policies**: Laravel Gate integration with OrganizationNode and Role policies
+- **Gate Integration**: `Gate::before` callback for Laravel authorization integration
 - **Cache**: Configurable caching with automatic invalidation via observers
 - **Super Admin**: Bypass all permission checks with configurable column
 - **Events**: Lifecycle events for roles and permissions
@@ -512,8 +512,8 @@ public static function getABACRules(): array
 // Access the related organization node
 $orgNode = $school->relatedAAuthOrganizationNode();
 
-// Get all records without organization scope filtering
-$all = School::allWithoutAAuthOrganizationNodeScope();
+// Get all records without organization scope filtering (instance method)
+$all = (new School)->allWithoutAAuthOrganizationNodeScope();
 </code-snippet>
 @endverbatim
 
@@ -567,64 +567,47 @@ public static function getABACRules(): array
 </code-snippet>
 @endverbatim
 
-### Policies
+### Laravel Gate Integration
 
-AAuth registers Laravel Gate policies for `OrganizationNode` and `Role` models via `Gate::policy()` in the service provider. A `Gate::before` callback also integrates AAuth with Laravel's built-in authorization and checks super admin status.
-
-**OrganizationNodePolicy** (`src/Policies/OrganizationNodePolicy.php`):
+AAuth integrates with Laravel's built-in authorization via a `Gate::before` callback registered in the service provider:
 
 @verbatim
-<code-snippet name="OrganizationNodePolicy" lang="php">
-// viewAny: requires 'view_organization_nodes' permission
-// view:    requires 'view_organization_nodes' + verifies node is accessible via AAuth::organizationNode($id)
-// create:  requires 'create_organization_nodes' permission
-// update:  requires 'update_organization_nodes' + verifies node accessibility
-// delete:  requires 'delete_organization_nodes' + verifies node accessibility
-
-// Usage with Laravel Gate:
-Gate::allows('viewAny', OrganizationNode::class);
-Gate::allows('view', $organizationNode);
-Gate::allows('update', $organizationNode);
-</code-snippet>
-@endverbatim
+<code-snippet name="Gate::before Integration" lang="php">
+// Registered in AAuthServiceProvider::boot()
+Gate::before(function ($user, $ability, $arguments = []) {
+    $aauth = app('aauth');
+
+    // Super admin bypasses all permission checks
+    if ($aauth->isSuperAdmin()) {
+        return true;
+    }
 
-**RolePolicy** (`src/Policies/RolePolicy.php`):
+    // Delegate to AAuth::can() for all Gate checks
+    return $aauth->can($ability, ...$arguments) ?: null;
+});
 
-@verbatim
-<code-snippet name="RolePolicy" lang="php">
-// viewAny: requires 'view_roles' permission
-// view:    requires 'view_roles' + for organization roles, checks scope access
-// create:  requires 'create_roles' permission
-// update:  requires 'update_roles' + for organization roles, checks scope access
-// delete:  requires 'delete_roles' + checks $role->deletable + for org roles, checks scope access
-
-// Organization role scope check: iterates user's organization nodes
-// and verifies at least one node matches the role's organization_scope_id.
-// System roles always pass the scope check.
-
-// Usage with Laravel Gate:
-Gate::allows('update', $role);
-Gate::allows('delete', $role); // also checks deletable attribute
+// This means standard Laravel Gate/Policy checks work with AAuth:
+Gate::allows('edit_something');
+$user->can('edit_something');
+@can('edit_something') ... @endcan
 </code-snippet>
 @endverbatim
 
-**Gate::before callback**: The service provider registers a `Gate::before` that checks `isSuperAdmin()` (bypasses all checks if true) and then delegates to `AAuth::can()` for all Gate checks.
-
 ### Events
 
 AAuth dispatches events for role and permission lifecycle:
 
 @verbatim
 <code-snippet name="Available Events" lang="php">
-use AuroraWebSoftware\AAuth\Events\RoleCreatedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleUpdatedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleDeletedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleAssignedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleRemovedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionAddedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionUpdatedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionRemovedEvent;
+use AuroraWebSoftware\AAuth\Events\RoleCreatedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleUpdatedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleDeletedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleAssignedEvent;      // int $userId, Role $role, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\RoleRemovedEvent;       // int $userId, Role $role, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;      // int $userId, Role $newRole, ?Role $oldRole, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\PermissionAddedEvent;   // Role $role, string $permission, ?array $parameters
+use AuroraWebSoftware\AAuth\Events\PermissionUpdatedEvent; // Role $role, string $permission, ?array $parameters, ?array $oldParameters
+use AuroraWebSoftware\AAuth\Events\PermissionRemovedEvent; // Role $role, string $permission
 
 // Listen to events in your EventServiceProvider or listener classes
 </code-snippet>
diff --git a/README.md b/README.md
@@ -1138,35 +1138,30 @@ aauth_is_super_admin(); // bool
 
 ---
 
-## Policies
+## Laravel Gate Integration
 
-AAuth registers Laravel Gate policies for `OrganizationNode` and `Role` models.
+AAuth integrates with Laravel's built-in authorization via a `Gate::before` callback registered in `AAuthServiceProvider`:
 
-### OrganizationNodePolicy
-
-| Method | Permission | Additional Check |
-|--------|-----------|-----------------|
-| viewAny | `view_organization_nodes` | - |
-| view | `view_organization_nodes` | Node accessibility check |
-| create | `create_organization_nodes` | - |
-| update | `update_organization_nodes` | Node accessibility check |
-| delete | `delete_organization_nodes` | Node accessibility check |
-
-### RolePolicy
+```php
+// Super admin bypasses all permission checks
+// All other Gate checks are delegated to AAuth::can()
+Gate::before(function ($user, $ability, $arguments = []) {
+    $aauth = app('aauth');
 
-| Method | Permission | Additional Check |
-|--------|-----------|-----------------|
-| viewAny | `view_roles` | - |
-| view | `view_roles` | Scope access check for org roles |
-| create | `create_roles` | - |
-| update | `update_roles` | Scope access check for org roles |
-| delete | `delete_roles` | Deletable + scope access check |
+    if ($aauth->isSuperAdmin()) {
+        return true;
+    }
 
-### Gate::before Integration
+    return $aauth->can($ability, ...$arguments) ?: null;
+});
+```
 
-AAuth registers a `Gate::before` callback that:
-1. Checks if user is super admin (bypasses all checks)
-2. Delegates to `AAuth::can()` for all Gate checks
+This means standard Laravel authorization works with AAuth:
+```php
+Gate::allows('edit_something');
+$user->can('edit_something');
+@can('edit_something') ... @endcan
+```
 
 ---
 
@@ -1223,7 +1218,7 @@ use AuroraWebSoftware\AAuth\Events\RoleUpdatedEvent;    // Properties: Role $rol
 use AuroraWebSoftware\AAuth\Events\RoleDeletedEvent;    // Properties: Role $role
 use AuroraWebSoftware\AAuth\Events\RoleAssignedEvent;   // Properties: int $userId, Role $role, ?OrganizationNode
 use AuroraWebSoftware\AAuth\Events\RoleRemovedEvent;    // Properties: int $userId, Role $role, ?OrganizationNode
-use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;   // Properties: int $userId, Role $newRole, ?Role $oldRole
+use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;   // Properties: int $userId, Role $newRole, ?Role $oldRole, ?OrganizationNode $organizationNode
 use AuroraWebSoftware\AAuth\Events\PermissionAddedEvent;   // Properties: Role $role, string $permission, ?array $parameters
 use AuroraWebSoftware\AAuth\Events\PermissionUpdatedEvent; // Properties: Role $role, string $permission, ?array $parameters, ?array $oldParameters
 use AuroraWebSoftware\AAuth\Events\PermissionRemovedEvent; // Properties: Role $role, string $permission
diff --git a/resources/boost/guidelines/core.blade.php b/resources/boost/guidelines/core.blade.php
@@ -9,7 +9,7 @@
 - **ABAC**: Model-level attribute filtering with JSON rules applied via global scopes
 - **Automatic Data Filtering**: Global scopes filter data based on user's authorized organization nodes
 - **Middleware**: Route-level permission, role, and organization scope protection
-- **Policies**: Laravel Gate integration with OrganizationNode and Role policies
+- **Gate Integration**: `Gate::before` callback for Laravel authorization integration
 - **Cache**: Configurable caching with automatic invalidation via observers
 - **Super Admin**: Bypass all permission checks with configurable column
 - **Events**: Lifecycle events for roles and permissions
@@ -512,8 +512,8 @@ public static function getABACRules(): array
 // Access the related organization node
 $orgNode = $school->relatedAAuthOrganizationNode();
 
-// Get all records without organization scope filtering
-$all = School::allWithoutAAuthOrganizationNodeScope();
+// Get all records without organization scope filtering (instance method)
+$all = (new School)->allWithoutAAuthOrganizationNodeScope();
 </code-snippet>
 @endverbatim
 
@@ -567,64 +567,47 @@ public static function getABACRules(): array
 </code-snippet>
 @endverbatim
 
-### Policies
+### Laravel Gate Integration
 
-AAuth registers Laravel Gate policies for `OrganizationNode` and `Role` models via `Gate::policy()` in the service provider. A `Gate::before` callback also integrates AAuth with Laravel's built-in authorization and checks super admin status.
-
-**OrganizationNodePolicy** (`src/Policies/OrganizationNodePolicy.php`):
+AAuth integrates with Laravel's built-in authorization via a `Gate::before` callback registered in the service provider:
 
 @verbatim
-<code-snippet name="OrganizationNodePolicy" lang="php">
-// viewAny: requires 'view_organization_nodes' permission
-// view:    requires 'view_organization_nodes' + verifies node is accessible via AAuth::organizationNode($id)
-// create:  requires 'create_organization_nodes' permission
-// update:  requires 'update_organization_nodes' + verifies node accessibility
-// delete:  requires 'delete_organization_nodes' + verifies node accessibility
-
-// Usage with Laravel Gate:
-Gate::allows('viewAny', OrganizationNode::class);
-Gate::allows('view', $organizationNode);
-Gate::allows('update', $organizationNode);
-</code-snippet>
-@endverbatim
+<code-snippet name="Gate::before Integration" lang="php">
+// Registered in AAuthServiceProvider::boot()
+Gate::before(function ($user, $ability, $arguments = []) {
+    $aauth = app('aauth');
+
+    // Super admin bypasses all permission checks
+    if ($aauth->isSuperAdmin()) {
+        return true;
+    }
 
-**RolePolicy** (`src/Policies/RolePolicy.php`):
+    // Delegate to AAuth::can() for all Gate checks
+    return $aauth->can($ability, ...$arguments) ?: null;
+});
 
-@verbatim
-<code-snippet name="RolePolicy" lang="php">
-// viewAny: requires 'view_roles' permission
-// view:    requires 'view_roles' + for organization roles, checks scope access
-// create:  requires 'create_roles' permission
-// update:  requires 'update_roles' + for organization roles, checks scope access
-// delete:  requires 'delete_roles' + checks $role->deletable + for org roles, checks scope access
-
-// Organization role scope check: iterates user's organization nodes
-// and verifies at least one node matches the role's organization_scope_id.
-// System roles always pass the scope check.
-
-// Usage with Laravel Gate:
-Gate::allows('update', $role);
-Gate::allows('delete', $role); // also checks deletable attribute
+// This means standard Laravel Gate/Policy checks work with AAuth:
+Gate::allows('edit_something');
+$user->can('edit_something');
+@can('edit_something') ... @endcan
 </code-snippet>
 @endverbatim
 
-**Gate::before callback**: The service provider registers a `Gate::before` that checks `isSuperAdmin()` (bypasses all checks if true) and then delegates to `AAuth::can()` for all Gate checks.
-
 ### Events
 
 AAuth dispatches events for role and permission lifecycle:
 
 @verbatim
 <code-snippet name="Available Events" lang="php">
-use AuroraWebSoftware\AAuth\Events\RoleCreatedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleUpdatedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleDeletedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleAssignedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleRemovedEvent;
-use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionAddedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionUpdatedEvent;
-use AuroraWebSoftware\AAuth\Events\PermissionRemovedEvent;
+use AuroraWebSoftware\AAuth\Events\RoleCreatedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleUpdatedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleDeletedEvent;       // Role $role
+use AuroraWebSoftware\AAuth\Events\RoleAssignedEvent;      // int $userId, Role $role, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\RoleRemovedEvent;       // int $userId, Role $role, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\RoleSwitchedEvent;      // int $userId, Role $newRole, ?Role $oldRole, ?OrganizationNode $organizationNode
+use AuroraWebSoftware\AAuth\Events\PermissionAddedEvent;   // Role $role, string $permission, ?array $parameters
+use AuroraWebSoftware\AAuth\Events\PermissionUpdatedEvent; // Role $role, string $permission, ?array $parameters, ?array $oldParameters
+use AuroraWebSoftware\AAuth\Events\PermissionRemovedEvent; // Role $role, string $permission
 
 // Listen to events in your EventServiceProvider or listener classes
 </code-snippet>
