.cursor/skills/laravel-best-practices/rules/config.md
env() Only in Config FilesDirect env() calls may return null when config is cached.
Incorrect:
$key = env('API_KEY');
Correct:
// config/services.php
'key' => env('API_KEY'),
// Application code
$key = config('services.key');
Never store production secrets in plain .env files in version control.
Incorrect:
# .env committed to repo or shared in Slack
STRIPE_SECRET=sk_live_abc123
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI
Correct:
php artisan env:encrypt --env=production --readable
php artisan env:decrypt --env=production
For cloud deployments, prefer the platform's native secret store (AWS Secrets Manager, Vault, etc.) and inject at runtime.
App::environment() for Environment ChecksIncorrect:
if (env('APP_ENV') === 'production') {
Correct:
if (app()->isProduction()) {
// or
if (App::environment('production')) {
Use class constants instead of hardcoded magic strings for model states, types, and statuses.
// Incorrect
return $this->type === 'normal';
// Correct
return $this->type === self::TYPE_NORMAL;
If the application already uses language files for localization, use __() for user-facing strings too. Do not introduce language files purely for English-only apps — simple string literals are fine there.
// Only when lang files already exist in the project
return back()->with('message', __('app.article_added'));