<laravel-boost-guidelines>
=== .ai/architecture rules ===

# MediLink Architecture (project-specific)

> Stack reality: **Inertia + Vue 3** (NOT React). The architecture guideline this is based on
> mentioned React/`.jsx`; in this project always use `.vue` and Vue idioms.

## Core flow

```
Route → Form Request → Controller → Service → Inertia Page
```

- **Business logic lives in Services.** Controllers stay thin.
- Controllers are responsible ONLY for: validation (via Form Requests), transactions, calling
  services, returning Inertia responses, and error handling.
- Controllers must NEVER contain queries, aggregations, calculations, or reporting/domain logic.

## Naming — per MODEL (project preference)

Name the service, controller, model, and route file after the **model** (not per-metric/card),
unless the unit is a non-model package/integration.

Example — the `Appointment` model:
- Model: `app/Models/Appointment.php`
- Service: `app/Services/AppointmentService.php`
- Controller: `app/Http/Controllers/AppointmentController.php`
- Routes: `routes/appointment.php`
- Pages: `resources/js/Pages/Appointment/Index.vue`

Service methods are domain verbs: `patientAppointments()`, `providerAppointments()`,
`create()`, `reschedule()`, `cancel()`.

## Auth lives in one place

Everything auth-related goes in **`AuthService`**, **`AuthController`**, and **`routes/auth.php`** —
do not split into per-action controllers/services (no `RegisterController`, `LoginService`, etc.).
Form Requests (`Auth/RegisterRequest`, `Auth/LoginRequest`) stay as the validation layer.

## Database transactions — controller only

The DB transaction envelope belongs in the **controller**, never in services. Open the
transaction as the **first line inside the `try`** — `DB::beginTransaction()` after `try {`,
then `commit()`; `rollBack()` + `Log::error` in `catch`. Services contain business logic
only — they must not open transactions.

```php
public function register(RegisterRequest $request): RedirectResponse
{
    try {
        DB::beginTransaction();

        $user = $this->auth->register($request->validated());
        Auth::login($user);
        $request->session()->regenerate();

        DB::commit();
    } catch (Throwable $e) {
        DB::rollBack();
        Log::error('Registration failed', ['exception' => $e]);
        return back()->with('error', $e->getMessage()); // surface the real cause
    }

    return redirect()->intended(route('dashboard'))   // outside the try, after commit
        ->with('success', ResponseMessageEnum::RegistrationSuccessful->message());
}
```

Write this envelope inline in each write action (no shared transaction helper).

## Responses & messages (backend-owned)

- **Every** user-facing message comes from the backend via flash data — the frontend never
  hardcodes copy. Success/error are flashed as `->with('success'|'error', ...)`.
- **Success** messages come from `ResponseMessageEnum` (`->message()`). Add new copy there.
- **Error** messages are dynamic: in the `catch`, flash the thrown exception's `getMessage()`
  (`back()->with('error', $e->getMessage())`) so the real cause reaches the UI.
- The frontend surfaces flashes as SweetAlert **toasts** automatically (see below) — controllers
  just flash; pages don't render flash banners.

## Don't repeat — extract a helper

Anything used more than once becomes a reusable unit, not copy-paste — a class under
`app/Helpers`, a util in `resources/js/Utils`, or a composable in `resources/js/Composables`
(e.g. the SweetAlert helpers below). Exception: the DB transaction envelope is written
**inline** in each write action (explicit preference) — do not extract it into a helper.

## Alerts — SweetAlert2 (toasts + confirmation)

Use the shared helpers in `resources/js/Utils/alert.js` — never call `Swal` directly in pages:
- `toast(icon, message)` — fired automatically from backend flash by the `useFlashToasts`
  composable (mounted via the renderless `FlashMessages` component in both layouts).
- `confirmAction({...})` → `Promise<boolean>` — **every mutating action must confirm first**
  (admin actions, profile saves, logout, etc.).
- `promptReason({...})` → `Promise<string|null>` — confirm + collect a required reason.

```js
const remove = async (id) => {
    if (await confirmAction({ title: 'Delete this?', confirmButtonText: 'Yes, delete' })) {
        router.post(`/things/${id}/delete`, {}, { preserveScroll: true });
    }
};
```

## Enums

- Every enum class name ends with `Enum` (`RoleEnum`, `StatusEnum`), file `App\Enums\<Name>Enum.php`.
- Use a **single shared `StatusEnum`** for ALL status concerns (accounts, appointments,
  consultations…). Add new cases to `StatusEnum` rather than creating per-domain status enums.
- TitleCase case keys.

## Service contract

Every service exposes a consistent primary entry point, plus domain methods:

```php
class AppointmentService
{
    /** @param array<string, mixed> $filters @return array<string, mixed> */
    public function execute(array $filters = []): array
    {
        //
    }
}
```

Keep one service per model/domain. Avoid large services bundling unrelated concerns.

## Controller pattern

```php
class AppointmentController extends Controller
{
    public function __construct(
        private readonly AppointmentService $appointments,
    ) {}

    public function index(): Response
    {
        return Inertia::render('Appointment/Index', [
            'appointments' => $this->appointments->execute(),
        ]);
    }
}
```

## Folder structure

```
app/
├── Http/{Controllers,Requests,Middleware}/
├── Services/            # one <Model>Service.php per domain

├── Models/  Enums/  Jobs/  Events/  Listeners/  Helpers/  Exceptions/

resources/js/
├── Pages/<Model>/Index.vue
├── Components/{Cards,Charts,Tables,Filters}/   # independently reusable

├── Layouts/  Composables/  (Vue equiv. of Hooks)  Utils/  Types/

routes/
├── web.php              # requires per-module route files (behind auth)

├── <model>.php          # one route file per module

```

## Adding a new feature/metric

1. Create the Service. 2. Create the Component(s). 3. Inject the service into the Controller.
4. Pass data to the Inertia page. 5. Render the component.
Existing metric/feature implementations must not require modification.

## Audit logging — trait + facade (not manual service calls)

Route audit logging through these, never `app(AuditLogService::class)` inline:

- **Model CRUD** → add `use App\Concerns\Auditable;` to the model. It auto-logs
  `created` / `updated` / `deleted` as `<model>.<event>`. Override `auditedEvents()`,
  `auditAction()`, or `auditMetadata()` to customise. Default update metadata stores only
  changed attribute *names*, never values (no PII).
- **Non-CRUD events** (login, failed login, logout, room entry, record *access*) → call the
  `App\Facades\Audit` facade: `Audit::log('user.login', auditable: $user, metadata: [...])`.

Both funnel through the single `AuditLogService` writer. Keep metadata PII-free.

## Frontend rules

- Vue components have a single root element.
- One Page per domain (`Pages/<Model>/Index.vue`); compose it from reusable `Components/*`.
- Use `Composables/` for shared reactive logic (the Vue equivalent of React hooks).
- Keep business logic in Services (backend) and presentation logic in Vue; controllers thin.

=== .ai/module-workflow rules ===

# MediLink Module Workflow & Definition of Done

> We build **one module at a time, build → test → done**, tracked in `docs/BUILD_CHECKLIST.md`.
> When the user says "let's work on module/phase X", open that checklist section first and walk
> the Definition of Done below so nothing is missed.

## Before starting a module

- Read the module's section in `docs/BUILD_CHECKLIST.md` (scope, FR refs, exit criteria).
- Check the **Data-model ownership** table — this module brings its own migrations/models/factories.
- Resolve any **Open decisions** tied to this module (e.g. Pusher vs Ably, email provider, PDF) before coding; if undecided, ask the user.
- Don't start a new module until the current one's exit criteria pass.

## Per-module Definition of Done

Every module is only "done" when ALL of these exist and pass — tick the matching boxes in `docs/BUILD_CHECKLIST.md`:

- [ ] **Schema** — migration(s) + model(s) + factory(ies) for the tables this module owns (FKs + indexes on dates/statuses/FKs)
- [ ] **Enums** — `<Name>Enum`-suffixed classes; reuse the single shared `StatusEnum` for status (don't create per-domain status enums)
- [ ] **Transactions** — each write action writes the `try { DB::beginTransaction()… } catch` envelope inline (controller-owned; `back()->with('error', $e->getMessage())` on failure); never open transactions in services
- [ ] **Messages** — success copy from `ResponseMessageEnum`; errors flash the exception `getMessage()`; all messages backend-owned (frontend never hardcodes copy)
- [ ] **Alerts** — mutating UI actions confirm via `confirmAction`/`promptReason`; flashes shown as toasts; reuse `resources/js/Utils/alert.js` (never call `Swal` directly)
- [ ] **DRY** — anything used more than once becomes a helper (`app/Helpers`) / util / composable, not copy-paste (the transaction envelope is the deliberate exception — kept inline)
- [ ] **Service** — `<Model>Service` holding all business logic (the only place queries/aggregations live)
- [ ] **Validation** — Form Request(s) for every write action
- [ ] **Controller** — thin `<Model>Controller`, constructor-injects the service, returns `Inertia::render`
- [ ] **Authorization** — Policy + route middleware; verified-provider / role / ownership gating enforced
- [ ] **Routes** — uncomment `routes/<model>.php`, require it from `web.php` behind `auth`, use named routes
- [ ] **Frontend** — `Pages/<Model>/Index.vue` + reusable `Components/*` (Cards/Charts/Tables/Filters)
- [ ] **Audit logging** — add `use Auditable;` to the module's models for CRUD; use the `Audit` facade for non-CRUD events (login, access, room entry). Attributable + timestamped, no PII
- [ ] **Notifications** — events + queued jobs (database queue via cron) where the module triggers them
- [ ] **Consent** — capture/enforce where the module requires it (formalized in the Consent module)
- [ ] **Tests** — unit (service) + feature (happy/failure/edge) + **authorization** tests, all green
- [ ] **Low-bandwidth** — pagination, indexes, lazy-loading, queued email applied as built
- [ ] **Quality gate** — `vendor/bin/pint`, `php artisan test`, and `npm run build` all pass

## Cross-cutting reminders (apply within every module)

- Audit logging, RBAC policies, notifications via queued jobs, consent, and tests ship WITH the module — not later.
- No hard deletes of clinical records; corrections preserve an audit trail.
- Emergency cases must surface guidance to emergency services, never rely on teleconsultation.
- Only verified providers may run consultations or create clinical records.

## Finishing a module

- Run the quality gate (pint + tests + build).
- Update the module's checkboxes and any resolved Open decisions in `docs/BUILD_CHECKLIST.md`.
- Confirm the module's **Exit** line in the checklist is satisfied before moving on.

=== foundation rules ===

# Laravel Boost Guidelines

The Laravel Boost guidelines are specifically curated by Laravel maintainers for this application. These guidelines should be followed closely to ensure the best experience when building Laravel applications.

## Foundational Context

This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.

- php - 8.4
- inertiajs/inertia-laravel (INERTIA_LARAVEL) - v2
- laravel/framework (LARAVEL) - v13
- laravel/prompts (PROMPTS) - v0
- laravel/boost (BOOST) - v2
- laravel/mcp (MCP) - v0
- laravel/pail (PAIL) - v1
- laravel/pint (PINT) - v1
- phpunit/phpunit (PHPUNIT) - v12
- @inertiajs/vue3 (INERTIA_VUE) - v3
- vue (VUE) - v3
- tailwindcss (TAILWINDCSS) - v4

## Conventions

- You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, and naming.
- Use descriptive names for variables and methods. For example, `isRegisteredForDiscounts`, not `discount()`.
- Check for existing components to reuse before writing a new one.

## Verification Scripts

- Do not create verification scripts or tinker when tests cover that functionality and prove they work. Unit and feature tests are more important.

## Application Structure & Architecture

- Stick to existing directory structure; don't create new base folders without approval.
- Do not change the application's dependencies without approval.

## Frontend Bundling

- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `npm run build`, `npm run dev`, or `composer run dev`. Ask them.

## Documentation Files

- You must only create documentation files if explicitly requested by the user.

## Replies

- Be concise in your explanations - focus on what's important rather than explaining obvious details.

=== boost rules ===

# Laravel Boost

## Tools

- Laravel Boost is an MCP server with tools designed specifically for this application. Prefer Boost tools over manual alternatives like shell commands or file reads.
- Use `database-query` to run read-only queries against the database instead of writing raw SQL in tinker.
- Use `database-schema` to inspect table structure before writing migrations or models.
- Use `get-absolute-url` to resolve the correct scheme, domain, and port for project URLs. Always use this before sharing a URL with the user.

## Searching Documentation (IMPORTANT)

- Always use `search-docs` before making code changes. Do not skip this step. It returns version-specific docs based on installed packages automatically.
- Pass a `packages` array to scope results when you know which packages are relevant.
- Use multiple broad, topic-based queries: `['rate limiting', 'routing rate limiting', 'routing']`. Expect the most relevant results first.
- Do not add package names to queries because package info is already shared. Use `test resource table`, not `filament 4 test resource table`.

### Search Syntax

1. Use words for auto-stemmed AND logic: `rate limit` matches both "rate" AND "limit".
2. Use `"quoted phrases"` for exact position matching: `"infinite scroll"` requires adjacent words in order.
3. Combine words and phrases for mixed queries: `middleware "rate limit"`.
4. Use multiple queries for OR logic: `queries=["authentication", "middleware"]`.

## Artisan

- Run Artisan commands directly via the command line (e.g., `php artisan route:list`). Use `php artisan list` to discover available commands and `php artisan [command] --help` to check parameters.
- Inspect routes with `php artisan route:list`. Filter with: `--method=GET`, `--name=users`, `--path=api`, `--except-vendor`, `--only-vendor`.
- Read configuration values using dot notation: `php artisan config:show app.name`, `php artisan config:show database.default`. Or read config files directly from the `config/` directory.

## Tinker

- Execute PHP in app context for debugging and testing code. Do not create models without user approval, prefer tests with factories instead. Prefer existing Artisan commands over custom tinker code.
- Always use single quotes to prevent shell expansion: `php artisan tinker --execute 'Your::code();'`
  - Double quotes for PHP strings inside: `php artisan tinker --execute 'User::where("active", true)->count();'`

=== php rules ===

# PHP

- Always use curly braces for control structures, even for single-line bodies.
- Use PHP 8 constructor property promotion: `public function __construct(public GitHub $github) { }`. Do not leave empty zero-parameter `__construct()` methods unless the constructor is private.
- Use explicit return type declarations and type hints for all method parameters: `function isAccessible(User $user, ?string $path = null): bool`
- Use TitleCase for Enum keys: `FavoritePerson`, `BestLake`, `Monthly`.
- Prefer PHPDoc blocks over inline comments. Only add inline comments for exceptionally complex logic.
- Use array shape type definitions in PHPDoc blocks.

=== deployments rules ===

# Deployment

- Laravel can be deployed using [Laravel Cloud](https://cloud.laravel.com/), which is the fastest way to deploy and scale production Laravel applications.

=== tests rules ===

# Test Enforcement

- Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
- Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test --compact` with a specific filename or filter.

=== inertia-laravel/core rules ===

# Inertia

- Inertia creates fully client-side rendered SPAs without modern SPA complexity, leveraging existing server-side patterns.
- Components live in `resources/js/Pages` (unless specified in `vite.config.js`). Use `Inertia::render()` for server-side routing instead of Blade views.
- ALWAYS use `search-docs` tool for version-specific Inertia documentation and updated code examples.
- IMPORTANT: Activate `inertia-vue-development` when working with Inertia Vue client-side patterns.

# Inertia v2

- Use all Inertia features from v1 and v2. Check the documentation before making changes to ensure the correct approach.
- New features: deferred props, infinite scroll, merging props, polling, prefetching, once props, flash data.
- When using deferred props, add an empty state with a pulsing or animated skeleton.

=== laravel/core rules ===

# Do Things the Laravel Way

- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using `php artisan list` and check their parameters with `php artisan [command] --help`.
- If you're creating a generic PHP class, use `php artisan make:class`.
- Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.

### Model Creation

- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `php artisan make:model --help` to check the available options.

## APIs & Eloquent Resources

- For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.

## URL Generation

- When generating links to other pages, prefer named routes and the `route()` function.

## Testing

- When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
- Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
- When creating tests, make use of `php artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.

## Vite Error

- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `npm run build` or ask the user to run `npm run dev` or `composer run dev`.

=== pint/core rules ===

# Laravel Pint Code Formatter

- If you have modified any PHP files, you must run `vendor/bin/pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
- Do not run `vendor/bin/pint --test --format agent`, simply run `vendor/bin/pint --format agent` to fix any formatting issues.

=== phpunit/core rules ===

# PHPUnit

- This application uses PHPUnit for testing. All tests must be written as PHPUnit classes. Use `php artisan make:test --phpunit {name}` to create a new test.
- If you see a test using "Pest", convert it to PHPUnit.
- Every time a test has been updated, run that singular test.
- When the tests relating to your feature are passing, ask the user if they would like to also run the entire test suite to make sure everything is still passing.
- Tests should cover all happy paths, failure paths, and edge cases.
- You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files; these are core to the application.

## Running Tests

- Run the minimal number of tests, using an appropriate filter, before finalizing.
- To run all tests: `php artisan test --compact`.
- To run all tests in a file: `php artisan test --compact tests/Feature/ExampleTest.php`.
- To filter on a particular test name: `php artisan test --compact --filter=testName` (recommended after making a change to a related file).

=== inertia-vue/core rules ===

# Inertia + Vue

Vue components must have a single root element.
- IMPORTANT: Activate `inertia-vue-development` when working with Inertia Vue client-side patterns.

</laravel-boost-guidelines>