Authorization

Design authorization around permissions, not roles. Roles only group permissions.

• Permissions defined as enums in App\Enums\Permission — single source of truth
• Permission naming: [action]:[resource] (e.g. create:users, view:users)
• Always check permissions, never roles (except for grouping large route sections)
• Frontend only reflects backend authorization — backend is source of truth

Activate authorization-guidelines skill for full patterns, examples, and frontend integration.

=== .ai/controller-architecture rules ===

Controller Architecture

Single-action controller + action pattern: Request → FormRequest → Controller → Action → Response

• All controllers are invokable (__invoke()), named Show|Store|Update|Delete{Resource}Controller
• Show controllers: accept Request, no action class, return Response | RedirectResponse
• Mutation controllers: accept FormRequest + Action via DI, delegate logic to action
• Scaffold with php artisan make:feature Users/StoreUserController

Activate controller-architecture skill for full directory structure, examples, and rules.

=== .ai/frontend-structure rules ===

Frontend Structure

Frontend lives in resources/js/. Always use path aliases (@, @components, @lib, @hooks, @utils, @types, @assets, @styles, @lang) over relative imports.

• @components/ui/ = Shadcn/UI primitives, @components/ = app-level composed components
• Pages in @/pages map to Inertia::render() calls
• @/actions and @/routes are auto-generated Wayfinder bindings — never edit manually

Activate frontend-structure skill for full directory overview, aliases table, and conventions.

=== .ai/generics rules ===

Project Skills Activation

Activate the relevant skill whenever you work in that domain:

• controller-architecture — When creating controllers, actions, form requests, or using make:feature
• authorization-guidelines — When working with roles, permissions, authorization checks, or policies
• tenancy-development — When working with workspaces, tenant routing, domains, or tenant databases
• frontend-structure — When working on React/frontend files, creating pages/components, or using path aliases
• translations-guidelines — When adding/editing translations or working with i18n keys

General code instructions

• Don't generate code comments above the methods or code blocks if they are obvious. Don't add docblock comments when defining variables, unless instructed to, like /** @var \App\Models\User $currentUser */. Generate comments only for something that needs extra explanation for the reasons why that code was written.
• For new features, you MUST generate Pest automated tests.
• For library documentation, if some library is not available in Laravel Boost 'search-docs', always use context7. Automatically use the Context7 MCP tools to resolve library id and the get library docs without me having to explicitly ask.

PHP instructions

• In PHP, use match operator over switch whenever possible
• Generate Enums always in the folder app/Enums, not in the main app/ folder, unless instructed differently.
• Always use Enum value as the default in the migration if column values are from the enum. Always casts this column to the enum type in the Model.
• Don't create temporary variables like $currentUser = auth()->user() if that variable is used only one time.
• Always use Enum where possible instead of hardcoded string values, if Enum class exists. For example, in Blade files, and in the tests when creating data if field is casted to Enum then use that Enum instead of hardcoding the value.

Laravel instructions

• Eloquent Observers should be registered in Eloquent Models with PHP Attributes, and not in AppServiceProvider. Example: #[ObservedBy([UserObserver::class])] with use Illuminate\Database\Eloquent\Attributes\ObservedBy; on top
• Use Laravel helpers instead of use section classes. Examples: use auth()->id() instead of Auth::id() and adding Auth in the use section. Other examples: use redirect()->route() instead of Redirect::route(), or str()->slug() instead of Str::slug().
• Don't use whereKey() or whereKeyNot(), use specific fields like id. Example: instead of ->whereKeyNot($currentUser->getKey()), use ->where('id', '!=', $currentUser->id).
• Don't add ::query() when running Eloquent create() statements. Example: instead of User::query()->create(), use User::create().
• When adding columns in a migration, update the model's $fillable array to include those new attributes.
• Never chain multiple migration-creating commands (e.g., make:model -m, make:migration) with && or ; — they may get identical timestamps. Run each command separately and wait for completion before running the next.
• Enums: If a PHP Enum exists for a domain concept, always use its cases (or their ->value) instead of raw strings everywhere — routes, middleware, migrations, seeds, configs, and UI defaults.
• Don't create Controllers with just one method which just returns view(). Instead, use Route::view() with Blade file directly.
• Always use Laravel's @session() directive instead of @if(session()) for displaying flash messages in Blade templates.
• In Blade files always use @selected() and @checked() directives instead of selected and checked HTML attributes. Good example: @selected(old('status') === App\Enums\ProjectStatus::Pending->value). Bad example: {{ old('status') === App\Enums\ProjectStatus::Pending->value ? 'selected' : '' }}.

Testing instructions

Before Writing Tests

1. Check database schema - Use database-schema tool to understand:

   • Which columns have defaults
   • Which columns are nullable
   • Foreign key relationship names

2. Verify relationship names - Read the model file to confirm:

   • Exact relationship method names (not assumed from column names)
   • Return types and related models

3. Test realistic states - Don't assume:

   • Empty model = all nulls (check for defaults)
   • user_id foreign key = user() relationship (could be author(), employer(), etc.)
   • When testing form submissions that redirect back with errors, assert that old input is preserved using assertSessionHasOldInput().

=== .ai/tenancy rules ===

Tenancy

Stancl/Tenancy with domain identification. Each Workspace gets its own database, cache, filesystem, and queue scope.

• Central routes in routes/web.php, tenant routes in routes/tenant.php
• Central DB holds workspaces + domains tables; all other tables in tenant DB
• Tenant migrations in database/migrations/tenant/, run with php artisan tenants:migrate
• Do not use DB:: for tenant data — always use Model::query()

Activate tenancy-development skill for full architecture, Workspace model, bootstrappers, and domain resolution.

=== .ai/translations rules ===

Translations

Per-domain JSON files in lang/{locale}/**/*.json. File path = key prefix.

• React: import @lib/i18n before useTranslation(), interpolation uses :placeholder (not {{}})
• PHP: __('domain.key') with ['placeholder' => $value]
• Key format: <domain>.<entity>.<action|property> — lowercase, dot-separated
• Never hardcode visible text — always use the translation system

Activate translations-guidelines skill for full file structure, naming rules, and examples.

=== foundation rules ===

Laravel Boost Guidelines

The Laravel Boost guidelines are specifically curated by Laravel maintainers for this application. These guidelines should be followed closely to ensure the best experience when building Laravel applications.

Foundational Context

This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.

• php - 8.4.18
• inertiajs/inertia-laravel (INERTIA_LARAVEL) - v2
• laravel/cashier (CASHIER) - v16
• laravel/fortify (FORTIFY) - v1
• laravel/framework (LARAVEL) - v12
• laravel/prompts (PROMPTS) - v0
• laravel/wayfinder (WAYFINDER) - v0
• laravel/boost (BOOST) - v2
• laravel/mcp (MCP) - v0
• laravel/pail (PAIL) - v1
• laravel/pint (PINT) - v1
• laravel/sail (SAIL) - v1
• pestphp/pest (PEST) - v4
• phpunit/phpunit (PHPUNIT) - v12
• rector/rector (RECTOR) - v2
• @inertiajs/react (INERTIA_REACT) - v2
• react (REACT) - v19
• tailwindcss (TAILWINDCSS) - v4
• @laravel/vite-plugin-wayfinder (WAYFINDER_VITE) - v0
• eslint (ESLINT) - v9
• prettier (PRETTIER) - v3

Skills Activation

This project has domain-specific skills available. You MUST activate the relevant skill whenever you work in that domain—don't wait until you're stuck.

• wayfinder-development — Activates whenever referencing backend routes in frontend components. Use when importing from @/actions or @/routes, calling Laravel routes from TypeScript, or working with Wayfinder route functions.
• pest-testing — Tests applications using the Pest 4 PHP framework. Activates when writing tests, creating unit or feature tests, adding assertions, testing Livewire components, browser testing, debugging test failures, working with datasets or mocking; or when the user mentions test, spec, TDD, expects, assertion, coverage, or needs to verify functionality works.
• inertia-react-development — Develops Inertia.js v2 React client-side applications. Activates when creating React pages, forms, or navigation; using <Link>, <Form>, useForm, or router; working with deferred props, prefetching, or polling; or when user mentions React with Inertia, React pages, React forms, or React navigation.
• tailwindcss-development — Styles applications using Tailwind CSS v4 utilities. Activates when adding styles, restyling components, working with gradients, spacing, layout, flex, grid, responsive design, dark mode, colors, typography, or borders; or when the user mentions CSS, styling, classes, Tailwind, restyle, hero section, cards, buttons, or any visual/UI changes.
• developing-with-fortify — Laravel Fortify headless authentication backend development. Activate when implementing authentication features including login, registration, password reset, email verification, two-factor authentication (2FA/TOTP), profile updates, headless auth, authentication scaffolding, or auth guards in Laravel applications.
• laravel-permission-development — Build and work with Spatie Laravel Permission features, including roles, permissions, middleware, policies, teams, and Blade directives.
• authorization-guidelines — Use when working with roles, permissions, authorization checks, middleware guards, policies, or Spatie Laravel Permission. Activates when adding permission checks to controllers, routes, or frontend components.
• controller-architecture — Use when creating controllers, actions, form requests, or scaffolding new features. Activates when working with make:feature, invokable controllers, FormRequest classes, or Action classes.
• frontend-structure — Use when working on React/frontend files, creating new pages or components, importing with path aliases, or needing to understand the frontend directory layout. Activates when touching resources/js/ files.
• tenancy-development — Use when working with workspaces, tenant routing, domains, tenant databases, central vs tenant migrations, or the Stancl/Tenancy package. Activates when touching routes/tenant.php, the Workspace model, or multi-database concerns.
• translations-guidelines — Use when adding or editing translations, working with i18n keys, creating new language files, or using useTranslation/t() in React or __() in PHP. Activates when touching lang/ files or adding visible text.

Conventions

• You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, and naming.
• Use descriptive names for variables and methods. For example, isRegisteredForDiscounts, not discount().
• Check for existing components to reuse before writing a new one.

Verification Scripts

• Do not create verification scripts or tinker when tests cover that functionality and prove they work. Unit and feature tests are more important.

Application Structure & Architecture

• Stick to existing directory structure; don't create new base folders without approval.
• Do not change the application's dependencies without approval.

Frontend Bundling

• If the user doesn't see a frontend change reflected in the UI, it could mean they need to run pnpm run build, pnpm run dev, or composer run dev. Ask them.

Documentation Files

• You must only create documentation files if explicitly requested by the user.

Replies

• Be concise in your explanations - focus on what's important rather than explaining obvious details.

=== boost rules ===

Laravel Boost

• Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.

Artisan

• Use the list-artisan-commands tool when you need to call an Artisan command to double-check the available parameters.

URLs

• Whenever you share a project URL with the user, you should use the get-absolute-url tool to ensure you're using the correct scheme, domain/IP, and port.

Tinker / Debugging

• You should use the tinker tool when you need to execute PHP to debug code or query Eloquent models directly.
• Use the database-query tool when you only need to read from the database.
• Use the database-schema tool to inspect table structure before writing migrations or models.

Reading Browser Logs With the browser-logs Tool

• You can read browser logs, errors, and exceptions using the browser-logs tool from Boost.
• Only recent browser logs will be useful - ignore old logs.

Searching Documentation (Critically Important)

• Boost comes with a powerful search-docs tool you should use before trying other approaches when working with Laravel or Laravel ecosystem packages. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
• Search the documentation before making code changes to ensure we are taking the correct approach.
• Use multiple, broad, simple, topic-based queries at once. For example: ['rate limiting', 'routing rate limiting', 'routing']. The most relevant results will be returned first.
• Do not add package names to queries; package information is already shared. For example, use test resource table, not filament 4 test resource table.

Available Search Syntax

1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'.
2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit".
3. Quoted Phrases (Exact Position) - query="infinite scroll" - words must be adjacent and in that order.
4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit".
5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms.

=== php rules ===

PHP

• Always use curly braces for control structures, even for single-line bodies.

Constructors

• Use PHP 8 constructor property promotion in __construct().
  • public function __construct(public GitHub $github) { }
• Do not allow empty __construct() methods with zero parameters unless the constructor is private.

Type Declarations

• Always use explicit return type declarations for methods and functions.
• Use appropriate PHP type hints for method parameters.

protected function isAccessible(User $user, ?string $path = null): bool
{
    ...
}

Enums

• That being said, keys in an Enum should follow existing application Enum conventions.

Comments

• Prefer PHPDoc blocks over inline comments. Never use comments within the code itself unless the logic is exceptionally complex.

PHPDoc Blocks

• Add useful array shape type definitions when appropriate.

=== herd rules ===

Laravel Herd

• The application is served by Laravel Herd and will be available at: https?://[kebab-case-project-dir].test. Use the get-absolute-url tool to generate valid URLs for the user.
• You must not run any commands to make the site available via HTTP(S). It is always available through Laravel Herd.

=== tests rules ===

Test Enforcement

• Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
• Run the minimum number of tests needed to ensure code quality and speed. Use php artisan test --compact with a specific filename or filter.

=== inertia-laravel/core rules ===

Inertia

• Inertia creates fully client-side rendered SPAs without modern SPA complexity, leveraging existing server-side patterns.
• Components live in resources/js/pages (unless specified in vite.config.js). Use Inertia::render() for server-side routing instead of Blade views.
• ALWAYS use search-docs tool for version-specific Inertia documentation and updated code examples.
• IMPORTANT: Activate inertia-react-development when working with Inertia client-side patterns.

Inertia v2

• Use all Inertia features from v1 and v2. Check the documentation before making changes to ensure the correct approach.
• New features: deferred props, infinite scroll, merging props, polling, prefetching, once props, flash data.
• When using deferred props, add an empty state with a pulsing or animated skeleton.

=== laravel/core rules ===

Do Things the Laravel Way

• Use php artisan make: commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the list-artisan-commands tool.
• If you're creating a generic PHP class, use php artisan make:class.
• Pass --no-interaction to all Artisan commands to ensure they work without user input. You should also pass the correct --options to ensure correct behavior.

Database

• Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
• Use Eloquent models and relationships before suggesting raw database queries.
• Avoid DB::; prefer Model::query(). Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
• Generate code that prevents N+1 query problems by using eager loading.
• Use Laravel's query builder for very complex database operations.

Model Creation

• When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using list-artisan-commands to check the available options to php artisan make:model.

APIs & Eloquent Resources

• For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.

Controllers & Validation

• Always create Form Request classes for validation rather than inline validation in controllers. Include both validation rules and custom error messages.
• Check sibling Form Requests to see if the application uses array or string based validation rules.

Authentication & Authorization

• Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).

URL Generation

• When generating links to other pages, prefer named routes and the route() function.

Queues

• Use queued jobs for time-consuming operations with the ShouldQueue interface.

Configuration

• Use environment variables only in configuration files - never use the env() function directly outside of config files. Always use config('app.name'), not env('APP_NAME').

Testing

• When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
• Faker: Use methods such as $this->faker->word() or fake()->randomDigit(). Follow existing conventions whether to use $this->faker or fake().
• When creating tests, make use of php artisan make:test [options] {name} to create a feature test, and pass --unit to create a unit test. Most tests should be feature tests.

Vite Error

• If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run pnpm run build or ask the user to run pnpm run dev or composer run dev.

=== laravel/v12 rules ===

Laravel 12

• CRITICAL: ALWAYS use search-docs tool for version-specific Laravel documentation and updated code examples.
• Since Laravel 11, Laravel has a new streamlined file structure which this project uses.

Laravel 12 Structure

• In Laravel 12, middleware are no longer registered in app/Http/Kernel.php.
• Middleware are configured declaratively in bootstrap/app.php using Application::configure()->withMiddleware().
• bootstrap/app.php is the file to register middleware, exceptions, and routing files.
• bootstrap/providers.php contains application specific service providers.
• The app\Console\Kernel.php file no longer exists; use bootstrap/app.php or routes/console.php for console configuration.
• Console commands in app/Console/Commands/ are automatically available and do not require manual registration.

Database

• When modifying a column, the migration must include all of the attributes that were previously defined on the column. Otherwise, they will be dropped and lost.
• Laravel 12 allows limiting eagerly loaded records natively, without external packages: $query->latest()->limit(10);.

Models

• Casts can and likely should be set in a casts() method on a model rather than the $casts property. Follow existing conventions from other models.

=== wayfinder/core rules ===

Laravel Wayfinder

Wayfinder generates TypeScript functions for Laravel routes. Import from @/actions/ (controllers) or @/routes/ (named routes).

• IMPORTANT: Activate wayfinder-development skill whenever referencing backend routes in frontend components.
• Invokable Controllers: import StorePost from '@/actions/.../StorePostController'; StorePost().
• Parameter Binding: Detects route keys ({post:slug}) — show({ slug: "my-post" }).
• Query Merging: show(1, { mergeQuery: { page: 2, sort: null } }) merges with current URL, null removes params.
• Inertia: Use .form() with <Form> component or form.submit(store()) with useForm.

=== pint/core rules ===

Laravel Pint Code Formatter

• If you have modified any PHP files, you must run vendor/bin/pint --dirty --format agent before finalizing changes to ensure your code matches the project's expected style.
• Do not run vendor/bin/pint --test --format agent, simply run vendor/bin/pint --format agent to fix any formatting issues.

=== pest/core rules ===

Pest

• This project uses Pest for testing. Create tests: php artisan make:test --pest {name}.
• Run tests: php artisan test --compact or filter: php artisan test --compact --filter=testName.
• Do NOT delete tests without approval.
• CRITICAL: ALWAYS use search-docs tool for version-specific Pest documentation and updated code examples.
• IMPORTANT: Activate pest-testing every time you're working with a Pest or testing-related task.

=== inertia-react/core rules ===

Inertia + React

• IMPORTANT: Activate inertia-react-development when working with Inertia React client-side patterns.

=== tailwindcss/core rules ===

Tailwind CSS

• Always use existing Tailwind conventions; check project patterns before adding new ones.
• IMPORTANT: Always use search-docs tool for version-specific Tailwind CSS documentation and updated code examples. Never rely on training data.
• IMPORTANT: Activate tailwindcss-development every time you're working with a Tailwind CSS or styling-related task.

=== laravel/fortify rules ===

Laravel Fortify

• Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
• IMPORTANT: Always use the search-docs tool for detailed Laravel Fortify patterns and documentation.
• IMPORTANT: Activate developing-with-fortify skill when working with Fortify authentication features.