107 KiB
App Project Implementation Plan
Generated: 2026-05-29
1. Scope and Readout
This plan is based on the uploaded app/ project slice. The zip contains the Laravel-style application layer, not the full repository. That means routes, migrations, config outside app/, composer metadata, tests, CI, frontend assets, and deployment files were not available unless embedded in this directory. So the plan avoids pretending the missing pieces magically exist, a level of honesty software planning could use more often.
Inventory
- Real project files inspected: 1184
- PHP files inspected: 1183
- Approximate PHP LOC: 103,161
- Controllers: 129
- Models: 133
- Services: 386
- Form requests: 298
- API resources: 167
- Middleware: 12
- Console commands: 14
- Policies: 10
2. Project Thesis
The app is already organized around a service-heavy backend: controllers orchestrate, request classes validate, resources shape responses, and services carry domain logic. That is the right direction. The weak point is not that the code lacks structure. The weak point is that the project is broad enough for rules to drift across domains unless the boundaries are enforced deliberately.
The plan should therefore optimize for correctness and regression safety, not cosmetic refactors. Refactoring without tests here would be performance art with a stack trace.
3. Main Architecture Plan
Target shape
- Controllers stay thin: authorize, validate, call one service action, return one resource/response.
- Services own business rules and transactions.
- Form requests own validation and request normalization.
- Resources own response shape and avoid leaking internal model structure.
- Policies/Gates own permission checks.
- Events/listeners own async or side-effect workflows, especially communications.
- Console commands remain operational entry points only, not hidden domain logic.
Non-negotiable rules
- No money-changing action without an explicit transaction, audit trail, idempotency check, and test.
- No attendance, score, promotion, or enrollment mutation without actor tracking and date boundary tests.
- No file endpoint without MIME, size, storage path, authorization, and download-name tests.
- No communication endpoint without recipient preview, opt-out logic, deduplication, and send-log tests.
- No direct request parsing in controllers where a FormRequest already exists or should exist.
- No raw SQL without parameter binding review and a test proving the query behavior.
4. Evidence-Based Risk Notes
These are not accusations; they are where bugs usually crawl out wearing a tiny hat.
- Raw SQL / raw query usage: 59 files, 166 matches.
- Direct request input access: 50 files, 194 matches.
- File operation endpoints: 18 files, 34 matches.
- Email or messaging behavior: 62 files, 192 matches.
- Auth/Gate/authorization usage: 325 files, 482 matches.
- Explicit DB transactions: 48 files, 72 matches.
- CodeIgniter compatibility surface: 41 files, 62 matches.
- Queued or dispatched work: 7 files, 8 matches.
- Cache-dependent behavior: 5 files, 12 matches.
Review priority should follow blast radius: auth, finance, payments, attendance, grading, promotions, messaging, files, then lower-risk CRUD.
5. Delivery Phases
Phase 0: Baseline and Guardrails
- Add a project map document describing module ownership, service boundaries, and route ownership.
- Add static analysis to CI: PHPStan or Larastan, Pint/PHP-CS-Fixer, and a dead-code detector if practical.
- Add a minimal smoke test suite covering auth, health checks, and one representative CRUD module.
- Create fixtures/factories for User, Student, Family, Enrollment, Invoice, Payment, AttendanceRecord, Score, and Staff.
- Freeze API response contracts for critical endpoints with JSON snapshot tests.
Phase 1: Security and Access Control
- Inventory every controller method and map required role/permission/policy.
- Confirm every mutation endpoint uses authorization before business logic.
- Normalize role switching/session timeout behavior and log security-relevant events.
- Review IP ban, login attempts, password reset cleanup, registration captcha, and auth session flows.
- Add negative tests proving unauthorized roles cannot read or mutate cross-family, cross-student, or cross-staff data.
Phase 2: Financial Correctness
- Define canonical money rules: rounding, currency precision, refund state machine, invoice adjustment rules, and payment reconciliation.
- Wrap invoice/payment/refund/discount mutations in transactions and audit logs.
- Add idempotency rules to PayPal sync, payment notifications, manual payments, refunds, and invoice generation.
- Build reconciliation tests: invoice total = tuition + fees + event charges + extras - discounts - refunds - payments.
- Add report consistency tests so PDFs, dashboard totals, and API totals cannot disagree like three humans in a meeting.
Phase 3: Student Lifecycle Correctness
- Model the lifecycle from registration/enrollment through attendance, grading, report cards, and promotion.
- Add date boundary tests for semesters, attendance windows, class assignment windows, grading locks, and promotion deadlines.
- Centralize student/family visibility checks.
- Make promotion eligibility deterministic and explainable through audit logs.
- Add regression tests for edge cases: missing scores, below-60 notifications, class transfers, inactive students, deleted/unverified users.
Phase 4: Communications Reliability
- Standardize recipient resolution for Email, Messaging, Notifications, WhatsApp, and BroadcastEmail.
- Require preview/dry-run paths for bulk sends.
- Add send logs, dedupe keys, failure states, and retry strategy.
- Separate composition from delivery.
- Test opt-outs, guardian/family recipient selection, teacher/staff targeting, and notification cleanup.
Phase 5: Operations and Reporting
- Review PDF generation paths for badges, certificates, finance reports, report cards, slips, stickers, and print requests.
- Validate all file downloads and upload paths.
- Add operational health endpoints for database, config, cleanup scheduler, and time-sensitive jobs.
- Add runbooks for cleanup commands, payment sync, attendance publishing, and notification dispatch.
Phase 6: Documentation and API Contracts
- Generate OpenAPI output from route definitions, once routes are included.
- Document each module: owner, purpose, inputs, outputs, permissions, side effects, and failure modes.
- Document legacy compatibility areas explicitly, especially CodeIgniter adapters and helper shims.
- Add API examples for primary user flows: login, role switch, parent dashboard, attendance submission, invoice payment, grading submission.
6. Module-by-Module Plan
Each module gets the same discipline: define ownership, confirm validation, confirm authorization, isolate service logic, test happy paths and failures, document side effects.
Admin
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 2 services, 3 requests, 5 resources.
Services: CompetitionWinnersDomain, CompetitionWinnersAdminService Requests: StoreCompetitionWinnerRequest, UpdateCompetitionWinnerRequest, SaveCompetitionScoresRequest Resources: PrintRecipientsResource, TeacherSubmissionReportResource, AdminNotificationAlertsResource, ProgressGroupResource, ProgressReportDetailResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Administrator
Priority: P2/P3 Feature hardening Detected surface: 8 controllers, 18 services, 5 requests, 0 resources.
Controllers: AdministratorAbsenceController, AdministratorDashboardController, AdministratorEnrollmentController, AdministratorNotificationController, AdministratorPromotionController, AdministratorTeacherSubmissionController, EmergencyContactController, TeacherClassAssignmentController Services: AdministratorUserSearchService, AdministratorAbsenceService, AdministratorDashboardService, AdministratorMetricsService, AdministratorEnrollmentStatusService, AdministratorEnrollmentEventService, AdministratorNotificationService, AdminNotificationSubjectService, TeacherSubmissionSupportService, AdministratorSharedService, TeacherSubmissionNotificationService, TeacherSubmissionReportService ... Requests: SavePrintRecipientsRequest, SaveAdminNotificationSubjectsRequest, SubmitAdministratorAbsenceRequest, UpdateEnrollmentStatusesRequest, SendTeacherSubmissionNotificationsRequest Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Api
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 0 services, 4 requests, 0 resources.
Requests: SaveAdminNotificationSubjectsRequest, IndexAdminProgressRequest, SendTeacherSubmissionNotificationsRequest, SavePrintNotificationRecipientsRequest Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
ApiRoot
Priority: P2/P3 Feature hardening Detected surface: 7 controllers, 0 services, 0 requests, 0 resources.
Controllers: BaseApiController, CiRequestAdapter, RolePermissionController, RoleSwitcherController, ScannerController, StatsController, UserController Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Assignment
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 5 services, 2 requests, 2 resources.
Controllers: AssignmentApiController Services: AssignmentSectionService, AssignmentMetaService, AssignmentService, AssignmentContextService, AssignmentDataLoaderService Requests: StoreAssignmentRequest, StoreStudentAssignmentRequest Resources: AssignmentOverviewResource, AssignmentSectionResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Attendance
Priority: P1 Student lifecycle Detected surface: 6 controllers, 16 services, 7 requests, 7 resources.
Controllers: AdminAttendanceApiController, AttendanceCommentTemplateController, EarlyDismissalsController, LateSlipLogsController, StaffAttendanceApiController, TeacherAttendanceApiController Services: SemesterRangeService, TeacherAttendanceSubmissionService, AttendanceAutoPublishJobService, AttendanceAutoPublishService, LateSlipLogQueryService, AttendanceConsequenceService, AttendanceRecordSyncService, AttendanceDailySummaryService, AttendanceService, StudentAttendanceWriterService, LateSlipLogCommandService, AttendanceSummaryRebuildService ... Requests: SaveStaffAttendanceCellRequest, UpdateAttendanceManagementRequest, LateSlipLogIndexRequest, TeacherSubmitAttendanceRequest, SaveAdminAttendanceRequest, TeacherUpdateGridRequest, AdminAddAttendanceEntryRequest Resources: DailyAttendanceResource, AdminAttendanceResource, LateSlipLogCollection, LateSlipLogResource, TeacherGridResource, StaffMonthResource, TeacherAttendanceFormResource Plan:
- Lock down date and semester boundary behavior before changing implementation.
- Test teacher/admin/parent visibility separately.
- Ensure auto-publish, notification, late slip, early dismissal, and violation rules are deterministic.
- Record who changed attendance, when, and why.
AttendanceCommentTemplate
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 0 services, 2 requests, 0 resources.
Requests: StoreAttendanceCommentTemplateRequest, UpdateAttendanceCommentTemplateRequest Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
AttendanceTracking
Priority: P1 Student lifecycle Detected surface: 1 controllers, 12 services, 5 requests, 0 resources.
Controllers: AttendanceTrackingController Services: AttendanceNotificationLogService, AttendanceViolationStudentResolverService, AttendanceNotificationWorkflowService, AttendanceTrackingService, ViolationRuleEngineService, AttendanceMailerService, AttendanceParentLookupService, AttendanceCommunicationSupportService, AttendanceEmailComposerService, AttendancePendingViolationService, AttendanceCaseQueryService, DefaultAttendanceMailerService Requests: RecordAttendanceTrackingRequest, ComposeAttendanceEmailRequest, SendAttendanceManualEmailRequest, ParentsInfoRequest, SaveAttendanceNotificationNoteRequest Plan:
- Lock down date and semester boundary behavior before changing implementation.
- Test teacher/admin/parent visibility separately.
- Ensure auto-publish, notification, late slip, early dismissal, and violation rules are deterministic.
- Record who changed attendance, when, and why.
Auth
Priority: P0 Security/Foundation Detected surface: 7 controllers, 9 services, 3 requests, 1 resources.
Controllers: AuthController, AuthSessionController, IpBanController, RegisterController, RolePermissionController, RoleSwitcherController, SessionTimeoutController Services: RegistrationCaptchaService, PermissionCheckService, CodeIgniterApiRegistrationService, RegistrationService, ApiLoginSecurityService, AuthSessionService, UserRoleService, PasswordResetCleanupService, RegistrationFormatterService Requests: RegisterRequest, SetRoleSessionRequest, LoginSessionRequest Resources: RegisterResource Plan:
- Map every endpoint to required auth state, role, and permission.
- Test login throttling, IP bans, password reset cleanup, session timeout, role switching, and registration captcha.
- Confirm security logs include actor, IP, user agent, outcome, and reason.
- Reject role changes that create privilege escalation or stale-session leaks.
BadgeScan
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 1 services, 0 requests, 0 resources.
Controllers: BadgeScanController Services: BadgeScanService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Badges
Priority: P2 Operations Detected surface: 1 controllers, 7 services, 3 requests, 0 resources.
Controllers: BadgeController Services: BadgeTextFormatter, BadgeStudentLookupService, BadgeFormDataService, BadgePdfService, BadgeUserLookupService, BadgeService, BadgePrintLogService Requests: BadgePrintStatusRequest, GenerateBadgePdfRequest, LogBadgePrintRequest Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Billing
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 3 services, 0 requests, 0 resources.
Services: BalanceCalculationService, BillingTotalsService, ChargeService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
BroadcastEmail
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 5 services, 0 requests, 0 resources.
Services: BroadcastEmailComposerService, BroadcastEmailRecipientService, BroadcastEmailDispatchService, BroadcastEmailImageService, BroadcastEmailSenderOptionsService Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
Certificates
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 1 services, 0 requests, 0 resources.
Controllers: CertificateController Services: CertificatePdfService Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
ClassPrep
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 2 services, 0 requests, 0 resources.
Services: ClassRosterService, StickerCountService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
ClassPreparation
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 9 services, 4 requests, 2 resources.
Controllers: ClassPreparationController Services: ClassPreparationAdjustmentWriterService, ClassPreparationCalculatorService, ClassPreparationLogService, ClassPreparationAdjustmentService, ClassPreparationContextService, ClassPreparationService, ClassPreparationPrintService, ClassPreparationRosterService, ClassPreparationInventoryService Requests: ClassPreparationMarkPrintedRequest, ClassPreparationPrintRequest, ClassPreparationIndexRequest, ClassPreparationAdjustmentRequest Resources: ClassPreparationPrintResource, ClassPreparationResultResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
ClassProgress
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 5 services, 5 requests, 4 resources.
Controllers: ClassProgressController Services: ClassProgressRuleService, ClassProgressAttachmentService, ClassProgressQueryService, ClassProgressMetaService, ClassProgressMutationService Requests: ClassProgressStoreRequest, ClassProgressMetaRequest, ClassProgressIndexRequest, ClassProgressFormRequest, ClassProgressUpdateRequest Resources: ClassProgressGroupCollection, ClassProgressAttachmentResource, ClassProgressShowResource, ClassProgressReportResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
ClassSections
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 4 services, 0 requests, 0 resources.
Services: ClassSectionCommandService, ClassAttendanceService, ClassSectionSeedService, ClassSectionQueryService Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Classes
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 0 services, 3 requests, 4 resources.
Controllers: ClassController Requests: ClassSectionUpdateRequest, ClassSectionStoreRequest, ClassSectionIndexRequest Resources: ClassSectionCollection, ClassSectionResource, ClassAttendanceResource, ClassAttendanceStudentResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Communication
Priority: P1 Communications Detected surface: 1 controllers, 6 services, 0 requests, 0 resources.
Controllers: CommunicationController Services: CommunicationFamilyService, CommunicationSendService, CommunicationTemplateService, CommunicationPreviewService, CommunicationStudentService, CommunicationLogService Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
CompetitionScores
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 4 services, 0 requests, 0 resources.
Controllers: CompetitionScoresController Services: CompetitionScoresRosterService, CompetitionScoresSaveService, CompetitionScoresContextService, CompetitionScoresQueryService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Core
Priority: P2/P3 Feature hardening Detected surface: 2 controllers, 0 services, 0 requests, 0 resources.
Controllers: BaseApiController, CiRequestAdapter Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Dashboard
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 1 services, 0 requests, 0 resources.
Services: DashboardRouteService Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Discounts
Priority: P0 Financial correctness Detected surface: 1 controllers, 5 services, 3 requests, 2 resources.
Controllers: DiscountController Services: DiscountParentService, DiscountApplyService, DiscountInvoiceService, DiscountVoucherService, DiscountContextService Requests: UpdateDiscountVoucherRequest, ApplyDiscountVoucherRequest, StoreDiscountVoucherRequest Resources: DiscountVoucherResource, DiscountParentResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Docs
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 3 services, 0 requests, 0 resources.
Services: DocsCatalogService, ApiDocsService, OpenApiRouteExporter Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Documentation
Priority: P2/P3 Feature hardening Detected surface: 2 controllers, 0 services, 0 requests, 0 resources.
Controllers: ApiDocsAdminController, DocsCatalogController Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Priority: P1 Communications Detected surface: 3 controllers, 5 services, 2 requests, 3 resources.
Controllers: BroadcastEmailController, EmailController, EmailExtractorController Services: EmailAttachmentService, EmailExtractorService, EmailProfileService, EmailDispatchService, EmailSenderOptionsService Requests: EmailExtractorCompareRequest, EmailSendRequest Resources: EmailSenderResource, EmailExtractorEmailsResource, EmailExtractorCompareResource Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
EmergencyContacts
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 2 services, 2 requests, 3 resources.
Services: EmergencyContactDirectoryService, EmergencyContactCrudService Requests: EmergencyContactParentRequest, EmergencyContactUpdateRequest Resources: EmergencyContactGroupResource, EmergencyContactStudentResource, EmergencyContactResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Events
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 6 services, 6 requests, 3 resources.
Services: EventChargeService, EventStudentChargeService, EventCategoryService, EventListService, EventChargeQueryService, EventManagementService Requests: EventIndexRequest, EventUpdateRequest, EventStoreRequest, EventStudentsWithChargesRequest, EventChargeUpdateRequest, EventChargeIndexRequest Resources: EventChargeResource, EventResource, EventStudentChargeResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Exams
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 4 services, 3 requests, 1 resources.
Controllers: ExamDraftController Services: ExamDraftTeacherService, ExamDraftAdminService, ExamDraftConfigService, ExamDraftFileService Requests: ExamDraftTeacherStoreRequest, ExamDraftAdminLegacyRequest, ExamDraftAdminReviewRequest Resources: ExamDraftResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Expenses
Priority: P0 Financial correctness Detected surface: 1 controllers, 7 services, 3 requests, 2 resources.
Controllers: ExpenseController Services: ExpenseQueryService, ExpenseStaffService, ExpenseRetailorService, ExpenseReceiptService, ExpenseWriteService, ExpenseContextService, ExpenseStatusService Requests: UpdateExpenseRequest, StoreExpenseRequest, UpdateExpenseStatusRequest Resources: ExpenseResource, ExpenseStaffResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
ExtraCharges
Priority: P0 Financial correctness Detected surface: 1 controllers, 6 services, 2 requests, 3 resources.
Controllers: ExtraChargesController Services: ExtraChargesMetaService, ExtraChargesInvoiceService, ExtraChargesParentService, ExtraChargesChargeService, ExtraChargesContextService, ExtraChargesListService Requests: UpdateExtraChargeRequest, StoreExtraChargeRequest Resources: ExtraChargeInvoiceOptionResource, ExtraChargeResource, ExtraChargeParentOptionResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Families
Priority: P1 Student lifecycle Detected surface: 0 controllers, 4 services, 14 requests, 7 resources.
Services: FamilyNotificationService, FamilyFinanceService, FamilyMutationService, FamilyQueryService Requests: FamilyImportLegacyRequest, FamilyUnlinkStudentRequest, FamilySetPrimaryHomeRequest, FamilyAdminCardRequest, FamiliesByStudentRequest, FamilyBootstrapRequest, FamilyAttachSecondByEmailRequest, FamilyAdminSearchRequest ... Resources: FamilyPaymentResource, FamilyInvoiceResource, FamilySearchItemResource, FamilyResource, FamilyGuardianResource, FamilyStudentResource, FamilyEmergencyContactResource Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Family
Priority: P2/P3 Feature hardening Detected surface: 2 controllers, 0 services, 0 requests, 0 resources.
Controllers: FamilyAdminController, FamilyController Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Fees
Priority: P0 Financial correctness Detected surface: 0 controllers, 6 services, 2 requests, 6 resources.
Services: FeeConfigService, TuitionCalculationService, FeeRefundCalculatorService, FeeGradeService, FeeRefundDetailService, FeeStudentFeeService Requests: FeeTuitionTotalRequest, FeeRefundRequest Resources: FeeRefundResource, FeeFamilyBalanceResource, ChargeActionResource, ChargeListResource, FeeTuitionBreakdownResource, FeeTuitionTotalResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Files
Priority: P2 Operations Detected surface: 0 controllers, 2 services, 1 requests, 1 resources.
Services: FileServeService, ExamDraftDownloadNameService Requests: FileNameRequest Resources: FileMetaResource Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Finance
Priority: P0 Financial correctness Detected surface: 14 controllers, 8 services, 12 requests, 9 resources.
Controllers: ChargeController, FeeCalculationController, FinancialController, InvoiceController, PaymentController, PaymentEventChargesController, PaymentManualController, PaymentNotificationController, PaymentTransactionController, PaypalPaymentController ... Services: FinancialPdfReportService, FinancialSchoolYearService, FinancialPaymentService, FinancialReportService, FinancialSummaryService, FinancialChartService, FinancialDonationRecipientService, FinancialUnpaidParentsService Requests: FinancialUnpaidParentsRequest, FeeTuitionTotalRequest, ChargeListRequest, FinancialReportRequest, FinancialSummaryRequest, MarkEventChargePaidRequest, FeeTuitionBreakdownRequest, StoreExtraChargeRequest ... Resources: FinancialReportResource, FinancialSummaryResource, FinancialExpenseSummaryResource, FinancialInvoiceResource, FinancialPaymentResource, FinancialRefundResource, FinancialUnpaidParentResource, FinancialDiscountResource ... Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Frontend
Priority: P2/P3 Feature hardening Detected surface: 4 controllers, 9 services, 2 requests, 6 resources.
Controllers: FrontendController, InfoIconController, LandingPageController, PageController Services: LandingPageTeacherSummaryService, LandingPageRoleService, LandingPageParentDashboardService, LandingPageService, StaticPageService, FrontendPageService, ContactSubmissionService, LandingPageContextService, ProfileIconService Requests: LandingTeacherRequest, ContactSubmitRequest Resources: LandingPageResource, ContactSubmissionResource, FrontendPageResource, FrontendUserResource, ProfileIconResource, PageContentResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Grading
Priority: P1 Student lifecycle Detected surface: 2 controllers, 9 services, 18 requests, 3 resources.
Controllers: GradingController, HomeworkTrackingController Services: BelowSixtyEmailService, GradingLockService, GradingOverviewService, GradingPlacementService, HomeworkTrackingService, GradingScoreService, GradingBelowSixtyService, HomeworkTrackingCalendarService, GradingRefreshService Requests: BelowSixtyListRequest, BelowSixtySendRequest, GradingLockAllRequest, BelowSixtyMeetingRequest, PlacementLevelsRequest, GradingRefreshRequest, GradingScoreShowRequest, HomeworkTrackingRequest ... Resources: BelowSixtyStudentResource, GradingScoreResource, HomeworkTrackingTeacherResource Plan:
- Centralize score formulas and missing-score behavior.
- Add golden test cases for semester score, quiz, homework, project, participation, final/midterm, and prediction risk calculations.
- Prove grading locks block writes but not allowed reads.
- Verify below-60 communication and parent visibility rules.
Incidents
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 4 services, 5 requests, 4 resources.
Controllers: IncidentController Services: CurrentIncidentService, IncidentHistoryService, IncidentLookupService, IncidentAnalysisService Requests: IncidentCancelRequest, IncidentCloseRequest, IncidentStoreRequest, IncidentListRequest, IncidentStateRequest Resources: IncidentStudentOptionResource, IncidentAnalysisStudentResource, IncidentResource, IncidentGradeResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Inventory
Priority: P2 Operations Detected surface: 5 controllers, 8 services, 19 requests, 5 resources.
Controllers: InventoryCategoryController, InventoryController, InventoryMovementController, SupplierController, SupplyCategoryController Services: InventorySummaryService, InventoryCategoryService, InventoryItemService, InventoryContextService, SupplierService, InventoryMovementService, SupplyCategoryService, InventoryTeacherDistributionService Requests: InventoryItemIndexRequest, SupplierUpdateRequest, InventoryCategoryStoreRequest, InventoryTeacherDistributionRequest, InventoryItemUpdateRequest, InventoryItemStoreRequest, InventoryTeacherDistributionStoreRequest, InventoryCategoryUpdateRequest ... Resources: InventoryItemResource, InventoryCategoryResource, InventoryMovementResource, SupplierResource, SupplyCategoryResource Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Invoices
Priority: P0 Financial correctness Detected surface: 0 controllers, 8 services, 4 requests, 2 resources.
Services: InvoiceGradeService, InvoiceConfigService, InvoicePaymentService, InvoiceTuitionService, InvoiceManagementService, InvoicePdfService, InvoiceService, InvoiceGenerationService Requests: InvoiceStatusRequest, InvoiceManagementRequest, InvoiceParentRequest, InvoiceGenerateRequest Resources: InvoiceManagementParentResource, InvoiceResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Messaging
Priority: P1 Communications Detected surface: 2 controllers, 3 services, 3 requests, 3 resources.
Controllers: MessagesController, WhatsappController Services: MessageRecipientService, MessageCommandService, MessageQueryService Requests: MessageSendRequest, MessageIndexRequest, MessageUpdateRequest Resources: MessageResource, MessageCollection, RecipientResource Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
Navigation
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 2 services, 0 requests, 0 resources.
Services: NavBuilderService, NavbarService Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
NonApi
Priority: P2/P3 Feature hardening Detected surface: 3 controllers, 0 services, 0 requests, 0 resources.
Controllers: Controller, DocsController, TeacherCalendarPageController Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Notifications
Priority: P1 Communications Detected surface: 1 controllers, 12 services, 5 requests, 2 resources.
Controllers: NotificationController Services: NotificationDispatchService, NotificationRecipientService, NotificationShowService, NotificationManagementService, NotificationReadService, NotificationUserListService, NotificationCleanupService, UserNotificationDispatchService, NotificationTriggerService, NotificationSendService, NotificationActiveService, NotificationDeletedService Requests: NotificationSendRequest, NotificationActiveRequest, NotificationDeletedRequest, NotificationUpdateRequest, NotificationIndexRequest Resources: UserNotificationResource, NotificationResource Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
Parents
Priority: P1 Student lifecycle Detected surface: 5 controllers, 14 services, 16 requests, 4 resources.
Controllers: AuthorizedUserInviteController, AuthorizedUsersController, ParentAttendanceReportController, ParentController, ParentPromotionController Services: ParentEventParticipationService, ParentRegistrationService, PrimaryParentUserResolver, ParentAttendanceReportCalendarService, ParentAttendanceService, AuthorizedUsersManagementService, ParentEnrollmentService, ParentInvoiceService, ParentProgressQueryService, ParentAttendanceReportService, ParentReportCardService, ParentConfigService ... Requests: ParentAttendanceReportUpdateRequest, ParentAttendanceReportListRequest, ParentAttendanceReportSubmitRequest, ParentEmergencyContactRequest, UpdateAuthorizedUserRequest, ParentAttendanceReportCheckRequest, ParentProfileUpdateRequest, ParentInvoiceRequest ... Resources: ParentEmergencyContactResource, ParentAttendanceReportResource, ParentStudentResource, ParentAttendanceResource Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Payments
Priority: P0 Financial correctness Detected surface: 0 controllers, 14 services, 15 requests, 4 resources.
Services: PaymentNotificationDispatchService, PaymentMissedCheckService, PaymentManualService, PaymentLookupService, PaymentTestNotificationService, PaypalPaymentSyncService, PaymentBalanceService, PaypalPaymentService, PaymentTransactionService, PaymentEnrollmentEventService, PaymentNotificationService, PaymentPlanService ... Requests: PaymentManualSearchRequest, PaymentEventChargesListRequest, PaymentNotificationSendRequest, PaymentNotificationListRequest, PaymentCreateRequest, PaypalTransactionsListRequest, PaymentManualEditRequest, PaymentEventChargesStoreRequest ... Resources: PaymentNotificationLogResource, PaymentTransactionResource, PaypalTransactionResource, PaymentResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Phone
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 1 services, 0 requests, 0 resources.
Services: PhoneFormatterService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Policy
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 1 services, 0 requests, 0 resources.
Services: PolicyContentService Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Preferences
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 3 services, 2 requests, 3 resources.
Services: PreferencesCommandService, PreferencesQueryService, PreferencesOptionsService Requests: PreferencesIndexRequest, PreferencesUpsertRequest Resources: PreferencesListResource, PreferencesCollection, PreferencesResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
PrintRequests
Priority: P2 Operations Detected surface: 1 controllers, 1 services, 0 requests, 0 resources.
Controllers: PrintRequestsController Services: PrintRequestsPortalService Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Promotions
Priority: P1 Student lifecycle Detected surface: 0 controllers, 7 services, 8 requests, 4 resources.
Services: PromotionStatusService, PromotionEnrollmentService, PromotionReminderService, LevelProgressionService, PromotionAuditService, PromotionQueryService, PromotionEligibilityService Requests: SendReminderRequest, ParentPromotionOverviewRequest, AdminListPromotionsRequest, EvaluateEligibilityRequest, UpdatePromotionStatusRequest, ParentEnrollmentStepRequest, SetEnrollmentDeadlineRequest, UpsertLevelProgressionRequest Resources: LevelProgressionResource, PromotionAuditLogResource, PromotionReminderResource, StudentPromotionResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Public
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 0 services, 0 requests, 0 resources.
Controllers: PublicWinnersController Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
PublicWinners
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 1 services, 0 requests, 0 resources.
Services: PublicWinnersPortalService Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
PurchaseOrders
Priority: P2 Operations Detected surface: 0 controllers, 4 services, 3 requests, 2 resources.
Services: PurchaseOrderStatusService, PurchaseOrderReceiveService, PurchaseOrderCreateService, PurchaseOrderQueryService Requests: PurchaseOrderIndexRequest, PurchaseOrderStoreRequest, PurchaseOrderReceiveRequest Resources: PurchaseOrderResource, PurchaseOrderItemResource Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Refunds
Priority: P0 Financial correctness Detected surface: 0 controllers, 9 services, 6 requests, 1 resources.
Services: RefundSummaryService, RefundInvoiceAdjustmentService, RefundPolicyService, RefundPayoutService, RefundRequestService, RefundQueryService, RefundOverpaymentService, RefundDecisionService, RefundNotificationService Requests: RefundStoreRequest, RefundPaymentRequest, RefundDecisionRequest, RefundRecalculateRequest, RefundIndexRequest, RefundRejectRequest Resources: RefundResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Reimbursements
Priority: P0 Financial correctness Detected surface: 0 controllers, 11 services, 13 requests, 5 resources.
Services: ReimbursementFileService, ReimbursementBatchAssignmentService, ReimbursementContextService, ReimbursementExportService, ReimbursementLookupService, ReimbursementEmailService, ReimbursementRecipientService, ReimbursementBatchService, ReimbursementQueryService, ReimbursementDonationService, ReimbursementCrudService Requests: ReimbursementBatchAdminFileRequest, ReimbursementUpdateRequest, ReimbursementBatchCreateRequest, ReimbursementBatchEmailRequest, ReimbursementProcessRequest, ReimbursementExportBatchRequest, ReimbursementIndexRequest, ReimbursementExportRequest ... Resources: ReimbursementRecipientResource, ReimbursementExpenseResource, ReimbursementBatchResource, ReimbursementResource, ReimbursementUnderProcessingItemResource Plan:
- Define one source of truth for monetary calculations and rounding.
- Require transactions around every mutation that changes balance, invoice state, refund state, payment state, or reimbursement status.
- Add audit logs and idempotency keys for external payment/payment-notification flows.
- Build reconciliation tests across API, reports, dashboards, and PDFs.
Reports
Priority: P2 Operations Detected surface: 4 controllers, 9 services, 11 requests, 8 resources.
Controllers: FilesController, ReportCardsController, SlipPrinterController, StickersController Services: SlipPrinterFormatterService, SlipPrinterPdfService, SlipPrinterService, SlipPrinterConfigService, StickerPrintService, StickerPresetService, StickerQueryService, StickerContextService, ReportCardService Requests: SlipPreviewRequest, SlipLogListRequest, SlipPrintRequest, SlipReprintRequest, StickerStudentsByClassRequest, StickerPrintRequest, StickerFormDataRequest, ReportCardCompletenessRequest ... Resources: LateSlipLogResource, StickerStudentResource, StickerPresetResource, StickerClassSectionResource, ReportCardStudentMetaResource, ReportCardAcknowledgementResource, ReportCardClassSectionResource, ReportCardCompletenessStudentResource Plan:
- Review upload/download/PDF generation permissions.
- Validate file type, file size, generated names, and storage paths.
- Add tests for inventory movement consistency and purchase-order state transitions where applicable.
- Make printable outputs reproducible from stable data snapshots.
Roles
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 8 services, 9 requests, 4 resources.
Services: RolePermissionService, RoleDashboardService, RoleCrudService, RoleAssignmentService, RoleSwitchService, RoleStaffService, PermissionCrudService, RoleQueryService Requests: AssignUserRolesRequest, RolePermissionUpdateRequest, UserRoleListRequest, PermissionUpdateRequest, PermissionStoreRequest, RoleSwitchRequest, RoleStoreRequest, RoleUpdateRequest ... Resources: RolePermissionResource, RoleResource, UserWithRolesResource, PermissionResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Root
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 8 services, 1 requests, 1 resources.
Services: FeeCalculationService, SemesterRangeService, ApplicationUrlService, SchoolIdService, AssignmentService, AttendanceCommentTemplateService, PhoneFormatterService, EmailService Requests: ApiFormRequest Resources: TeacherSubmissionRowResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
School
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 4 services, 0 requests, 0 resources.
Services: AccountEventService, SemesterSelectionService, EnrollmentEventService, PaymentEventService Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
SchoolIds
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 2 services, 1 requests, 1 resources.
Services: SchoolIdAssignmentService, SchoolIdGenerationService Requests: SchoolIdAssignRequest Resources: SchoolIdResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Scores
Priority: P1 Student lifecycle Detected surface: 9 controllers, 16 services, 10 requests, 3 resources.
Controllers: FinalController, HomeworkController, MidtermController, ParticipationController, ProjectController, QuizController, ScoreCommentController, ScoreController, ScorePredictorController Services: ParticipationScoreService, QuizCalculator, QuizScoreService, ScoreCommentService, ScoreDashboardService, HomeworkCalculator, SemesterScoreService, ScorePredictorRiskService, ProjectScoreService, HomeworkScoreService, ScoreTermService, ProjectCalculator ... Requests: ScoreCommentSaveRequest, ScorePredictorRequest, ScoreLockRequest, ScoreUpdateRequest, ScoreOverviewRequest, ScoreStudentRequest, ScoreCommentListRequest, ScoreClassRequest ... Resources: ScorePredictorStudentResource, ScoreCommentResource, ScoreStudentResource Plan:
- Centralize score formulas and missing-score behavior.
- Add golden test cases for semester score, quiz, homework, project, participation, final/midterm, and prediction risk calculations.
- Prove grading locks block writes but not allowed reads.
- Verify below-60 communication and parent visibility rules.
Security
Priority: P0 Security/Foundation Detected surface: 0 controllers, 3 services, 3 requests, 2 resources.
Services: IpBanCommandService, IpBanQueryService, Pbkdf2Hasher Requests: IpBanIndexRequest, IpUnbanRequest, IpBanRequest Resources: IpBanCollection, IpBanResource Plan:
- Map every endpoint to required auth state, role, and permission.
- Test login throttling, IP bans, password reset cleanup, session timeout, role switching, and registration captcha.
- Confirm security logs include actor, IP, user agent, outcome, and reason.
- Reject role changes that create privilege escalation or stale-session leaks.
Semesters
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 1 services, 4 requests, 2 resources.
Services: SemesterConfigService Requests: SchoolYearRangeRequest, SemesterResolveRequest, SemesterNormalizeRequest, SemesterRangeRequest Resources: SemesterResolveResource, SemesterRangeResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Settings
Priority: P2/P3 Feature hardening Detected surface: 6 controllers, 8 services, 8 requests, 5 resources.
Controllers: ConfigurationAdminController, EventController, PolicyController, PreferencesController, SchoolCalendarController, SettingsController Services: SettingsService, ConfigurationService, SchoolCalendarMutationService, SchoolCalendarNotificationService, SchoolCalendarContextService, SchoolCalendarQueryService, SchoolCalendarFormatterService, SchoolCalendarMeetingService Requests: SchoolCalendarStoreRequest, ConfigurationStoreRequest, SettingsUpdateRequest, SchoolCalendarIndexRequest, ConfigurationUpdateRequest, SchoolCalendarUpdateRequest, PolicyShowRequest, SchoolCalendarOptionsRequest Resources: PolicyResource, SchoolCalendarEventResource, SettingsResource, ConfigurationResource, SchoolCalendarEventDetailResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Staff
Priority: P2/P3 Feature hardening Detected surface: 3 controllers, 3 services, 3 requests, 2 resources.
Controllers: StaffController, TeacherController, TimeOffNotificationController Services: StaffQueryService, StaffTimeOffLinkService, StaffCommandService Requests: StaffIndexRequest, StaffUpdateRequest, StaffStoreRequest Resources: StaffCollection, StaffResource Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Students
Priority: P1 Student lifecycle Detected surface: 1 controllers, 7 services, 7 requests, 4 resources.
Controllers: StudentController Services: StudentScoreCardService, StudentStatusService, StudentDirectoryService, StudentAutoDistributionService, StudentConfigService, StudentProfileService, StudentAssignmentService Requests: StudentRemoveClassRequest, StudentUpdateRequest, StudentAssignClassRequest, StudentSetActiveRequest, StudentPromotionTotalsRequest, StudentAssignmentListRequest, StudentAutoDistributeRequest Resources: StudentAssignmentResource, StudentRemovedResource, StudentClassSectionResource, StudentScoreCardRowResource Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Subjects
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 1 services, 2 requests, 2 resources.
Controllers: SubjectCurriculumController Services: SubjectCurriculumService Requests: SubjectCurriculumUpdateRequest, SubjectCurriculumStoreRequest Resources: SubjectCurriculumResource, SubjectClassResource Plan:
- Define the academic workflow state machine and valid transitions.
- Test teacher/admin/parent role boundaries.
- Protect uploads and generated academic files.
- Add audit logs for status changes, submissions, and deadline changes.
Support
Priority: P2/P3 Feature hardening Detected surface: 2 controllers, 2 services, 3 requests, 3 resources.
Controllers: ContactController, SupportController Services: SupportRequestService, ContactMessageService Requests: SupportRequestStoreRequest, SupportRequestIndexRequest, ContactSendRequest Resources: ContactMessageResource, SupportRequestResource, SupportRequestCollection Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
System
Priority: P0 Security/Foundation Detected surface: 9 controllers, 6 services, 2 requests, 4 resources.
Controllers: AccessDeniedController, DashboardController, DashboardRedirectController, DatabaseHealthController, HealthController, NavBuilderController, SchoolIdController, SemesterRangeController, StatsController Services: HealthCheckService, CleanupSchedulerService, GlobalConfigService, DatabaseHealthService, ConfigUpdateService, TimeService Requests: NavItemStoreRequest, NavItemReorderRequest Resources: DashboardRouteResource, NavItemResource, HealthStatusResource, NavBuilderDataResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Teachers
Priority: P2/P3 Feature hardening Detected surface: 0 controllers, 4 services, 6 requests, 4 resources.
Services: TeacherAbsenceService, TeacherDashboardService, TeacherConfigService, TeacherAssignmentService Requests: TeacherClassViewRequest, TeacherAbsenceSubmitRequest, TeacherAssignmentDeleteRequest, TeacherAssignmentStoreRequest, TeacherAssignmentListRequest, TeacherSwitchClassRequest Resources: TeacherAbsenceResource, TeacherStudentResource, TeacherClassResource, TeacherAssignmentResource Plan:
- Centralize identity lookup and cross-entity authorization.
- Test directory/search pagination and visibility filtering.
- Ensure updates cannot orphan related records or break family/student/staff links.
- Add lifecycle tests for active, inactive, newly enrolled, transferred, and deleted/unverified users.
Ui
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 1 services, 1 requests, 1 resources.
Controllers: UiController Services: UiStyleService Requests: UiStyleRequest Resources: UiStyleResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Users
Priority: P2/P3 Feature hardening Detected surface: 1 controllers, 6 services, 4 requests, 2 resources.
Controllers: UserController Services: UserListService, LoginActivityService, InactiveUserCleanupService, UserManagementService, UserEventService, DeleteUnverifiedUserService Requests: UserStoreRequest, UserListRequest, UserUpdateRequest, LoginActivityRequest Resources: LoginActivityResource, UserWithRolesResource Plan:
- Confirm all inputs are validated through FormRequest classes.
- Confirm all reads and writes are authorized.
- Move business rules out of controllers if any remain.
- Add feature tests for list/show/create/update/delete and key failure paths.
Utilities
Priority: P2/P3 Feature hardening Detected surface: 2 controllers, 0 services, 1 requests, 1 resources.
Controllers: PhoneFormatterController, ProofreadController Requests: PhoneFormatRequest Resources: PhoneFormatResource Plan:
- Confirm config reads/writes are permissioned and validated.
- Add health/config smoke tests.
- Document public versus authenticated surfaces.
- Keep UI/style/static-page services separated from domain mutations.
Priority: P1 Communications Detected surface: 0 controllers, 8 services, 7 requests, 5 resources.
Services: WhatsappContactService, WhatsappInviteService, WhatsappLinkService, WhatsappContextService, WhatsappInviteNotificationService, WhatsappMembershipService, WhatsappInviteBundleService, WhatsappInviteEmailService Requests: WhatsappLinkIndexRequest, WhatsappMembershipUpdateRequest, WhatsappLinkStoreRequest, WhatsappLinkUpdateRequest, WhatsappParentContactsRequest, WhatsappParentContactsByClassRequest, WhatsappInviteSendRequest Resources: WhatsappParentContactResource, WhatsappGroupLinkResource, WhatsappClassSectionParentResource, WhatsappGroupLinkCollection, WhatsappClassSectionContactResource Plan:
- Separate recipient selection, message composition, dispatch, and logging.
- Add preview/dry-run tests before bulk sending.
- Deduplicate sends and persist failure states.
- Verify opt-outs, guardian selection, role targeting, and retry behavior.
7. Cross-Cutting Test Matrix
| Area | Minimum tests | Failure tests | Regression traps |
|---|---|---|---|
| Auth / Security | Login, refresh, logout, role switch, timeout | Invalid creds, banned IP, stale role, unauthorized role | Privilege escalation, session confusion |
| Finance / Payments | Invoice generation, manual payment, PayPal sync, refunds | Duplicate webhook, failed payment, partial refund | Balance mismatch, rounding drift |
| Attendance | Teacher submit, admin edit, parent report | Out-of-window edit, unauthorized class, duplicate submit | Semester boundary, timezone/date errors |
| Grading / Scores | Score calculations, locks, below-60 notification | Missing score, locked write, invalid class | Formula drift, notification spam |
| Students / Families | Profile, guardians, enrollments, authorized users | Cross-family read/write, inactive student | Orphan relationships |
| Communications | Preview, send, log, retry | Invalid recipient, opt-out, duplicate send | Bulk-send mistakes |
| Files / Reports | Upload, download, PDF generation | Bad MIME, oversize file, unauthorized file | Path traversal, stale report data |
| Inventory / Ops | Item movement, PO receive, print requests | Negative stock, duplicate receive | Count mismatch |
8. Refactor Rules
- Do not start by renaming everything. That is not architecture; that is sweeping broken glass into a different corner.
- Start with tests around the highest-risk behavior, then refactor behind those tests.
- One module per pull request unless a shared contract demands otherwise.
- For each PR, include: risk summary, affected endpoints, permission impact, migration impact, rollback path, and test evidence.
- Any service over roughly 300 lines should be reviewed for split points, but line count alone is not a crime. Unclear responsibility is the crime.
- Any controller doing calculations, direct DB orchestration, or multi-step workflow should delegate to a service.
- Any duplicated request validation should be consolidated into shared rules or dedicated FormRequests.
9. Immediate Next Work Queue
- Add route inventory from
routes/api.phpandroutes/web.phponce the full repo is available. - Produce an endpoint-permission matrix from routes + controllers + policies.
- Add baseline feature tests for Auth, Finance/Payments, Attendance, Grading/Scores, Students/Families, and Communications.
- Create factories and seed data for the core school domain.
- Add OpenAPI generation to CI using the existing Docs/OpenAPI service surface.
- Review raw SQL and direct request access matches before any large refactor.
- Add idempotency and audit requirements to payment, invoice, refund, promotion, and messaging mutations.
- Write runbooks for console commands and operational cleanup jobs.
10. Definition of Done
A module is not considered done until all of this is true:
- All public endpoints have route docs and permission mapping.
- All inputs use FormRequests or clearly justified validation.
- All responses use Resources or documented response builders.
- All mutations are transactional where consistency matters.
- All side effects are logged and testable.
- All critical behavior has feature tests and at least one negative authorization test.
- All money/date/file/message behavior has edge-case tests.
- No endpoint relies on undocumented legacy behavior unless that behavior is explicitly preserved and tested.
Appendix A: Controller Groups
- Administrator: 8 controllers. AdministratorAbsenceController, AdministratorDashboardController, AdministratorEnrollmentController, AdministratorNotificationController, AdministratorPromotionController, AdministratorTeacherSubmissionController, EmergencyContactController, TeacherClassAssignmentController
- ApiRoot: 7 controllers. BaseApiController, CiRequestAdapter, RolePermissionController, RoleSwitcherController, ScannerController, StatsController, UserController
- Assignment: 1 controllers. AssignmentApiController
- Attendance: 6 controllers. AdminAttendanceApiController, AttendanceCommentTemplateController, EarlyDismissalsController, LateSlipLogsController, StaffAttendanceApiController, TeacherAttendanceApiController
- AttendanceTracking: 1 controllers. AttendanceTrackingController
- Auth: 7 controllers. AuthController, AuthSessionController, IpBanController, RegisterController, RolePermissionController, RoleSwitcherController, SessionTimeoutController
- BadgeScan: 1 controllers. BadgeScanController
- Badges: 1 controllers. BadgeController
- Certificates: 1 controllers. CertificateController
- ClassPreparation: 1 controllers. ClassPreparationController
- ClassProgress: 1 controllers. ClassProgressController
- Classes: 1 controllers. ClassController
- Communication: 1 controllers. CommunicationController
- CompetitionScores: 1 controllers. CompetitionScoresController
- Core: 2 controllers. BaseApiController, CiRequestAdapter
- Discounts: 1 controllers. DiscountController
- Documentation: 2 controllers. ApiDocsAdminController, DocsCatalogController
- Email: 3 controllers. BroadcastEmailController, EmailController, EmailExtractorController
- Exams: 1 controllers. ExamDraftController
- Expenses: 1 controllers. ExpenseController
- ExtraCharges: 1 controllers. ExtraChargesController
- Family: 2 controllers. FamilyAdminController, FamilyController
- Finance: 14 controllers. ChargeController, FeeCalculationController, FinancialController, InvoiceController, PaymentController, PaymentEventChargesController, PaymentManualController, PaymentNotificationController, PaymentTransactionController, PaypalPaymentController, PaypalTransactionsController, PurchaseOrderController, RefundController, ReimbursementController
- Frontend: 4 controllers. FrontendController, InfoIconController, LandingPageController, PageController
- Grading: 2 controllers. GradingController, HomeworkTrackingController
- Incidents: 1 controllers. IncidentController
- Inventory: 5 controllers. InventoryCategoryController, InventoryController, InventoryMovementController, SupplierController, SupplyCategoryController
- Messaging: 2 controllers. MessagesController, WhatsappController
- NonApi: 3 controllers. Controller, DocsController, TeacherCalendarPageController
- Notifications: 1 controllers. NotificationController
- Parents: 5 controllers. AuthorizedUserInviteController, AuthorizedUsersController, ParentAttendanceReportController, ParentController, ParentPromotionController
- PrintRequests: 1 controllers. PrintRequestsController
- Public: 1 controllers. PublicWinnersController
- Reports: 4 controllers. FilesController, ReportCardsController, SlipPrinterController, StickersController
- Scores: 9 controllers. FinalController, HomeworkController, MidtermController, ParticipationController, ProjectController, QuizController, ScoreCommentController, ScoreController, ScorePredictorController
- Settings: 6 controllers. ConfigurationAdminController, EventController, PolicyController, PreferencesController, SchoolCalendarController, SettingsController
- Staff: 3 controllers. StaffController, TeacherController, TimeOffNotificationController
- Students: 1 controllers. StudentController
- Subjects: 1 controllers. SubjectCurriculumController
- Support: 2 controllers. ContactController, SupportController
- System: 9 controllers. AccessDeniedController, DashboardController, DashboardRedirectController, DatabaseHealthController, HealthController, NavBuilderController, SchoolIdController, SemesterRangeController, StatsController
- Ui: 1 controllers. UiController
- Users: 1 controllers. UserController
- Utilities: 2 controllers. PhoneFormatterController, ProofreadController
Appendix B: Service Groups
- Admin: 2 services, 1,089 LOC. CompetitionWinnersDomain, CompetitionWinnersAdminService
- Administrator: 18 services, 2,196 LOC. AdministratorUserSearchService, AdministratorAbsenceService, AdministratorDashboardService, AdministratorMetricsService, AdministratorEnrollmentStatusService, AdministratorEnrollmentEventService, AdministratorNotificationService, AdminNotificationSubjectService, TeacherSubmissionSupportService, AdministratorSharedService, TeacherSubmissionNotificationService, TeacherSubmissionReportService, AdminNotificationUserService, AdministratorEnrollmentRefundService, AdminPrintRecipientService, AdministratorTeacherSubmissionService, AdministratorEnrollmentService, AdministratorEnrollmentQueryService
- Assignment: 5 services, 421 LOC. AssignmentSectionService, AssignmentMetaService, AssignmentService, AssignmentContextService, AssignmentDataLoaderService
- Attendance: 16 services, 3,241 LOC. SemesterRangeService, TeacherAttendanceSubmissionService, AttendanceAutoPublishJobService, AttendanceAutoPublishService, LateSlipLogQueryService, AttendanceConsequenceService, AttendanceRecordSyncService, AttendanceDailySummaryService, AttendanceService, StudentAttendanceWriterService, LateSlipLogCommandService, AttendanceSummaryRebuildService, StaffAttendanceService, AttendanceQueryService, AttendancePolicyService, AttendanceCommentService
- AttendanceTracking: 12 services, 2,979 LOC. AttendanceNotificationLogService, AttendanceViolationStudentResolverService, AttendanceNotificationWorkflowService, AttendanceTrackingService, ViolationRuleEngineService, AttendanceMailerService, AttendanceParentLookupService, AttendanceCommunicationSupportService, AttendanceEmailComposerService, AttendancePendingViolationService, AttendanceCaseQueryService, DefaultAttendanceMailerService
- Auth: 9 services, 870 LOC. RegistrationCaptchaService, PermissionCheckService, CodeIgniterApiRegistrationService, RegistrationService, ApiLoginSecurityService, AuthSessionService, UserRoleService, PasswordResetCleanupService, RegistrationFormatterService
- BadgeScan: 1 services, 108 LOC. BadgeScanService
- Badges: 7 services, 2,815 LOC. BadgeTextFormatter, BadgeStudentLookupService, BadgeFormDataService, BadgePdfService, BadgeUserLookupService, BadgeService, BadgePrintLogService
- Billing: 3 services, 751 LOC. BalanceCalculationService, BillingTotalsService, ChargeService
- BroadcastEmail: 5 services, 241 LOC. BroadcastEmailComposerService, BroadcastEmailRecipientService, BroadcastEmailDispatchService, BroadcastEmailImageService, BroadcastEmailSenderOptionsService
- Certificates: 1 services, 144 LOC. CertificatePdfService
- ClassPrep: 2 services, 205 LOC. ClassRosterService, StickerCountService
- ClassPreparation: 9 services, 653 LOC. ClassPreparationAdjustmentWriterService, ClassPreparationCalculatorService, ClassPreparationLogService, ClassPreparationAdjustmentService, ClassPreparationContextService, ClassPreparationService, ClassPreparationPrintService, ClassPreparationRosterService, ClassPreparationInventoryService
- ClassProgress: 5 services, 941 LOC. ClassProgressRuleService, ClassProgressAttachmentService, ClassProgressQueryService, ClassProgressMetaService, ClassProgressMutationService
- ClassSections: 4 services, 190 LOC. ClassSectionCommandService, ClassAttendanceService, ClassSectionSeedService, ClassSectionQueryService
- Communication: 6 services, 374 LOC. CommunicationFamilyService, CommunicationSendService, CommunicationTemplateService, CommunicationPreviewService, CommunicationStudentService, CommunicationLogService
- CompetitionScores: 4 services, 325 LOC. CompetitionScoresRosterService, CompetitionScoresSaveService, CompetitionScoresContextService, CompetitionScoresQueryService
- Dashboard: 1 services, 70 LOC. DashboardRouteService
- Discounts: 5 services, 792 LOC. DiscountParentService, DiscountApplyService, DiscountInvoiceService, DiscountVoucherService, DiscountContextService
- Docs: 3 services, 244 LOC. DocsCatalogService, ApiDocsService, OpenApiRouteExporter
- Email: 5 services, 395 LOC. EmailAttachmentService, EmailExtractorService, EmailProfileService, EmailDispatchService, EmailSenderOptionsService
- EmergencyContacts: 2 services, 142 LOC. EmergencyContactDirectoryService, EmergencyContactCrudService
- Events: 6 services, 496 LOC. EventChargeService, EventStudentChargeService, EventCategoryService, EventListService, EventChargeQueryService, EventManagementService
- Exams: 4 services, 532 LOC. ExamDraftTeacherService, ExamDraftAdminService, ExamDraftConfigService, ExamDraftFileService
- Expenses: 7 services, 231 LOC. ExpenseQueryService, ExpenseStaffService, ExpenseRetailorService, ExpenseReceiptService, ExpenseWriteService, ExpenseContextService, ExpenseStatusService
- ExtraCharges: 6 services, 475 LOC. ExtraChargesMetaService, ExtraChargesInvoiceService, ExtraChargesParentService, ExtraChargesChargeService, ExtraChargesContextService, ExtraChargesListService
- Families: 4 services, 827 LOC. FamilyNotificationService, FamilyFinanceService, FamilyMutationService, FamilyQueryService
- Fees: 6 services, 952 LOC. FeeConfigService, TuitionCalculationService, FeeRefundCalculatorService, FeeGradeService, FeeRefundDetailService, FeeStudentFeeService
- Files: 2 services, 159 LOC. FileServeService, ExamDraftDownloadNameService
- Finance: 8 services, 1,150 LOC. FinancialPdfReportService, FinancialSchoolYearService, FinancialPaymentService, FinancialReportService, FinancialSummaryService, FinancialChartService, FinancialDonationRecipientService, FinancialUnpaidParentsService
- Frontend: 9 services, 1,011 LOC. LandingPageTeacherSummaryService, LandingPageRoleService, LandingPageParentDashboardService, LandingPageService, StaticPageService, FrontendPageService, ContactSubmissionService, LandingPageContextService, ProfileIconService
- Grading: 9 services, 1,969 LOC. BelowSixtyEmailService, GradingLockService, GradingOverviewService, GradingPlacementService, HomeworkTrackingService, GradingScoreService, GradingBelowSixtyService, HomeworkTrackingCalendarService, GradingRefreshService
- Incidents: 4 services, 499 LOC. CurrentIncidentService, IncidentHistoryService, IncidentLookupService, IncidentAnalysisService
- Inventory: 8 services, 1,449 LOC. InventorySummaryService, InventoryCategoryService, InventoryItemService, InventoryContextService, SupplierService, InventoryMovementService, SupplyCategoryService, InventoryTeacherDistributionService
- Invoices: 8 services, 1,248 LOC. InvoiceGradeService, InvoiceConfigService, InvoicePaymentService, InvoiceTuitionService, InvoiceManagementService, InvoicePdfService, InvoiceService, InvoiceGenerationService
- Messaging: 3 services, 334 LOC. MessageRecipientService, MessageCommandService, MessageQueryService
- Navigation: 2 services, 273 LOC. NavBuilderService, NavbarService
- Notifications: 12 services, 451 LOC. NotificationDispatchService, NotificationRecipientService, NotificationShowService, NotificationManagementService, NotificationReadService, NotificationUserListService, NotificationCleanupService, UserNotificationDispatchService, NotificationTriggerService, NotificationSendService, NotificationActiveService, NotificationDeletedService
- Parents: 14 services, 2,306 LOC. ParentEventParticipationService, ParentRegistrationService, PrimaryParentUserResolver, ParentAttendanceReportCalendarService, ParentAttendanceService, AuthorizedUsersManagementService, ParentEnrollmentService, ParentInvoiceService, ParentProgressQueryService, ParentAttendanceReportService, ParentReportCardService, ParentConfigService, ParentProfileService, ParentEmergencyContactService
- Payments: 14 services, 2,096 LOC. PaymentNotificationDispatchService, PaymentMissedCheckService, PaymentManualService, PaymentLookupService, PaymentTestNotificationService, PaypalPaymentSyncService, PaymentBalanceService, PaypalPaymentService, PaymentTransactionService, PaymentEnrollmentEventService, PaymentNotificationService, PaymentPlanService, PaymentEventChargesService, PaypalTransactionsService
- Phone: 1 services, 23 LOC. PhoneFormatterService
- Policy: 1 services, 51 LOC. PolicyContentService
- Preferences: 3 services, 190 LOC. PreferencesCommandService, PreferencesQueryService, PreferencesOptionsService
- PrintRequests: 1 services, 558 LOC. PrintRequestsPortalService
- Promotions: 7 services, 1,740 LOC. PromotionStatusService, PromotionEnrollmentService, PromotionReminderService, LevelProgressionService, PromotionAuditService, PromotionQueryService, PromotionEligibilityService
- PublicWinners: 1 services, 115 LOC. PublicWinnersPortalService
- PurchaseOrders: 4 services, 252 LOC. PurchaseOrderStatusService, PurchaseOrderReceiveService, PurchaseOrderCreateService, PurchaseOrderQueryService
- Refunds: 9 services, 1,210 LOC. RefundSummaryService, RefundInvoiceAdjustmentService, RefundPolicyService, RefundPayoutService, RefundRequestService, RefundQueryService, RefundOverpaymentService, RefundDecisionService, RefundNotificationService
- Reimbursements: 11 services, 1,776 LOC. ReimbursementFileService, ReimbursementBatchAssignmentService, ReimbursementContextService, ReimbursementExportService, ReimbursementLookupService, ReimbursementEmailService, ReimbursementRecipientService, ReimbursementBatchService, ReimbursementQueryService, ReimbursementDonationService, ReimbursementCrudService
- Reports: 9 services, 2,445 LOC. SlipPrinterFormatterService, SlipPrinterPdfService, SlipPrinterService, SlipPrinterConfigService, StickerPrintService, StickerPresetService, StickerQueryService, StickerContextService, ReportCardService
- Roles: 8 services, 545 LOC. RolePermissionService, RoleDashboardService, RoleCrudService, RoleAssignmentService, RoleSwitchService, RoleStaffService, PermissionCrudService, RoleQueryService
- Root: 8 services, 550 LOC. FeeCalculationService, SemesterRangeService, ApplicationUrlService, SchoolIdService, AssignmentService, AttendanceCommentTemplateService, PhoneFormatterService, EmailService
- School: 4 services, 990 LOC. AccountEventService, SemesterSelectionService, EnrollmentEventService, PaymentEventService
- SchoolIds: 2 services, 41 LOC. SchoolIdAssignmentService, SchoolIdGenerationService
- Scores: 16 services, 2,846 LOC. ParticipationScoreService, QuizCalculator, QuizScoreService, ScoreCommentService, ScoreDashboardService, HomeworkCalculator, SemesterScoreService, ScorePredictorRiskService, ProjectScoreService, HomeworkScoreService, ScoreTermService, ProjectCalculator, ScorePredictorDataService, ScorePredictorService, ExamScoreService, AttendanceCalculator
- Security: 3 services, 171 LOC. IpBanCommandService, IpBanQueryService, Pbkdf2Hasher
- Semesters: 1 services, 42 LOC. SemesterConfigService
- Settings: 8 services, 656 LOC. SettingsService, ConfigurationService, SchoolCalendarMutationService, SchoolCalendarNotificationService, SchoolCalendarContextService, SchoolCalendarQueryService, SchoolCalendarFormatterService, SchoolCalendarMeetingService
- Staff: 3 services, 325 LOC. StaffQueryService, StaffTimeOffLinkService, StaffCommandService
- Students: 7 services, 1,254 LOC. StudentScoreCardService, StudentStatusService, StudentDirectoryService, StudentAutoDistributionService, StudentConfigService, StudentProfileService, StudentAssignmentService
- Subjects: 1 services, 80 LOC. SubjectCurriculumService
- Support: 2 services, 123 LOC. SupportRequestService, ContactMessageService
- System: 6 services, 353 LOC. HealthCheckService, CleanupSchedulerService, GlobalConfigService, DatabaseHealthService, ConfigUpdateService, TimeService
- Teachers: 4 services, 641 LOC. TeacherAbsenceService, TeacherDashboardService, TeacherConfigService, TeacherAssignmentService
- Ui: 1 services, 95 LOC. UiStyleService
- Users: 6 services, 647 LOC. UserListService, LoginActivityService, InactiveUserCleanupService, UserManagementService, UserEventService, DeleteUnverifiedUserService
- Whatsapp: 8 services, 1,407 LOC. WhatsappContactService, WhatsappInviteService, WhatsappLinkService, WhatsappContextService, WhatsappInviteNotificationService, WhatsappMembershipService, WhatsappInviteBundleService, WhatsappInviteEmailService
Appendix C: Request Groups
- Admin: 3 requests. StoreCompetitionWinnerRequest, UpdateCompetitionWinnerRequest, SaveCompetitionScoresRequest
- Administrator: 5 requests. SavePrintRecipientsRequest, SaveAdminNotificationSubjectsRequest, SubmitAdministratorAbsenceRequest, UpdateEnrollmentStatusesRequest, SendTeacherSubmissionNotificationsRequest
- Api: 4 requests. SaveAdminNotificationSubjectsRequest, IndexAdminProgressRequest, SendTeacherSubmissionNotificationsRequest, SavePrintNotificationRecipientsRequest
- Assignment: 2 requests. StoreAssignmentRequest, StoreStudentAssignmentRequest
- Attendance: 7 requests. SaveStaffAttendanceCellRequest, UpdateAttendanceManagementRequest, LateSlipLogIndexRequest, TeacherSubmitAttendanceRequest, SaveAdminAttendanceRequest, TeacherUpdateGridRequest, AdminAddAttendanceEntryRequest
- AttendanceCommentTemplate: 2 requests. StoreAttendanceCommentTemplateRequest, UpdateAttendanceCommentTemplateRequest
- AttendanceTracking: 5 requests. RecordAttendanceTrackingRequest, ComposeAttendanceEmailRequest, SendAttendanceManualEmailRequest, ParentsInfoRequest, SaveAttendanceNotificationNoteRequest
- Auth: 3 requests. RegisterRequest, SetRoleSessionRequest, LoginSessionRequest
- Badges: 3 requests. BadgePrintStatusRequest, GenerateBadgePdfRequest, LogBadgePrintRequest
- ClassPreparation: 4 requests. ClassPreparationMarkPrintedRequest, ClassPreparationPrintRequest, ClassPreparationIndexRequest, ClassPreparationAdjustmentRequest
- ClassProgress: 5 requests. ClassProgressStoreRequest, ClassProgressMetaRequest, ClassProgressIndexRequest, ClassProgressFormRequest, ClassProgressUpdateRequest
- Classes: 3 requests. ClassSectionUpdateRequest, ClassSectionStoreRequest, ClassSectionIndexRequest
- Discounts: 3 requests. UpdateDiscountVoucherRequest, ApplyDiscountVoucherRequest, StoreDiscountVoucherRequest
- Email: 2 requests. EmailExtractorCompareRequest, EmailSendRequest
- EmergencyContacts: 2 requests. EmergencyContactParentRequest, EmergencyContactUpdateRequest
- Events: 6 requests. EventIndexRequest, EventUpdateRequest, EventStoreRequest, EventStudentsWithChargesRequest, EventChargeUpdateRequest, EventChargeIndexRequest
- Exams: 3 requests. ExamDraftTeacherStoreRequest, ExamDraftAdminLegacyRequest, ExamDraftAdminReviewRequest
- Expenses: 3 requests. UpdateExpenseRequest, StoreExpenseRequest, UpdateExpenseStatusRequest
- ExtraCharges: 2 requests. UpdateExtraChargeRequest, StoreExtraChargeRequest
- Families: 14 requests. FamilyImportLegacyRequest, FamilyUnlinkStudentRequest, FamilySetPrimaryHomeRequest, FamilyAdminCardRequest, FamiliesByStudentRequest, FamilyBootstrapRequest, FamilyAttachSecondByEmailRequest, FamilyAdminSearchRequest, FamilySetGuardianFlagsRequest, FamilyAdminIndexRequest, FamilyComposeEmailRequest, FamilyUnlinkGuardianRequest, GuardiansByFamilyRequest, FamilyAttachSecondByUserRequest
- Fees: 2 requests. FeeTuitionTotalRequest, FeeRefundRequest
- Files: 1 requests. FileNameRequest
- Finance: 12 requests. FinancialUnpaidParentsRequest, FeeTuitionTotalRequest, ChargeListRequest, FinancialReportRequest, FinancialSummaryRequest, MarkEventChargePaidRequest, FeeTuitionBreakdownRequest, StoreExtraChargeRequest, StoreEventChargeRequest, FeeFamilyBalanceRequest, ApplyExtraChargeRequest, FeeRefundRequest
- Frontend: 2 requests. LandingTeacherRequest, ContactSubmitRequest
- Grading: 18 requests. BelowSixtyListRequest, BelowSixtySendRequest, GradingLockAllRequest, BelowSixtyMeetingRequest, PlacementLevelsRequest, GradingRefreshRequest, GradingScoreShowRequest, HomeworkTrackingRequest, GradingScoreUpdateRequest, PlacementRequest, PlacementBatchUpdateRequest, BelowSixtyEmailRequest, BelowSixtyStatusRequest, PlacementBatchRequest, GradingLockRequest, PlacementLevelRequest, BelowSixtyMeetingSaveRequest, GradingOverviewRequest
- Incidents: 5 requests. IncidentCancelRequest, IncidentCloseRequest, IncidentStoreRequest, IncidentListRequest, IncidentStateRequest
- Inventory: 19 requests. InventoryItemIndexRequest, SupplierUpdateRequest, InventoryCategoryStoreRequest, InventoryTeacherDistributionRequest, InventoryItemUpdateRequest, InventoryItemStoreRequest, InventoryTeacherDistributionStoreRequest, InventoryCategoryUpdateRequest, SupplyCategoryStoreRequest, InventoryCategoryIndexRequest, InventoryAdjustRequest, InventoryAuditRequest, SupplierIndexRequest, InventoryMovementIndexRequest, InventoryMovementBulkDeleteRequest, SupplierStoreRequest, InventoryMovementUpdateRequest, InventoryMovementStoreRequest ...
- Invoices: 4 requests. InvoiceStatusRequest, InvoiceManagementRequest, InvoiceParentRequest, InvoiceGenerateRequest
- Messaging: 3 requests. MessageSendRequest, MessageIndexRequest, MessageUpdateRequest
- Notifications: 5 requests. NotificationSendRequest, NotificationActiveRequest, NotificationDeletedRequest, NotificationUpdateRequest, NotificationIndexRequest
- Parents: 16 requests. ParentAttendanceReportUpdateRequest, ParentAttendanceReportListRequest, ParentAttendanceReportSubmitRequest, ParentEmergencyContactRequest, UpdateAuthorizedUserRequest, ParentAttendanceReportCheckRequest, ParentProfileUpdateRequest, ParentInvoiceRequest, ParentEnrollmentRequest, SignParentReportCardRequest, ParentAttendanceRequest, StoreAuthorizedUserRequest, ParentStudentUpdateRequest, ParentEventParticipationRequest, ParentEnrollmentActionRequest, ParentRegistrationRequest
- Payments: 15 requests. PaymentManualSearchRequest, PaymentEventChargesListRequest, PaymentNotificationSendRequest, PaymentNotificationListRequest, PaymentCreateRequest, PaypalTransactionsListRequest, PaymentManualEditRequest, PaymentEventChargesStoreRequest, PaymentUpdateBalanceRequest, PaymentManualUpdateRequest, PaymentManualSuggestRequest, PaypalExecuteRequest, PaymentByParentRequest, PaymentTransactionStatusRequest, PaymentTransactionCreateRequest
- Preferences: 2 requests. PreferencesIndexRequest, PreferencesUpsertRequest
- Promotions: 8 requests. SendReminderRequest, ParentPromotionOverviewRequest, AdminListPromotionsRequest, EvaluateEligibilityRequest, UpdatePromotionStatusRequest, ParentEnrollmentStepRequest, SetEnrollmentDeadlineRequest, UpsertLevelProgressionRequest
- PurchaseOrders: 3 requests. PurchaseOrderIndexRequest, PurchaseOrderStoreRequest, PurchaseOrderReceiveRequest
- Refunds: 6 requests. RefundStoreRequest, RefundPaymentRequest, RefundDecisionRequest, RefundRecalculateRequest, RefundIndexRequest, RefundRejectRequest
- Reimbursements: 13 requests. ReimbursementBatchAdminFileRequest, ReimbursementUpdateRequest, ReimbursementBatchCreateRequest, ReimbursementBatchEmailRequest, ReimbursementProcessRequest, ReimbursementExportBatchRequest, ReimbursementIndexRequest, ReimbursementExportRequest, ReimbursementMarkDonationRequest, ReimbursementBatchAssignmentRequest, ReimbursementStoreRequest, ReimbursementBatchLockRequest, ReimbursementUnderProcessingRequest
- Reports: 11 requests. SlipPreviewRequest, SlipLogListRequest, SlipPrintRequest, SlipReprintRequest, StickerStudentsByClassRequest, StickerPrintRequest, StickerFormDataRequest, ReportCardCompletenessRequest, ReportCardPdfRequest, ReportCardAcknowledgementRequest, ReportCardMetaRequest
- Roles: 9 requests. AssignUserRolesRequest, RolePermissionUpdateRequest, UserRoleListRequest, PermissionUpdateRequest, PermissionStoreRequest, RoleSwitchRequest, RoleStoreRequest, RoleUpdateRequest, RoleListRequest
- Root: 1 requests. ApiFormRequest
- SchoolIds: 1 requests. SchoolIdAssignRequest
- Scores: 10 requests. ScoreCommentSaveRequest, ScorePredictorRequest, ScoreLockRequest, ScoreUpdateRequest, ScoreOverviewRequest, ScoreStudentRequest, ScoreCommentListRequest, ScoreClassRequest, ScoreCommentUpdateRequest, ScoreAddColumnRequest
- Security: 3 requests. IpBanIndexRequest, IpUnbanRequest, IpBanRequest
- Semesters: 4 requests. SchoolYearRangeRequest, SemesterResolveRequest, SemesterNormalizeRequest, SemesterRangeRequest
- Settings: 8 requests. SchoolCalendarStoreRequest, ConfigurationStoreRequest, SettingsUpdateRequest, SchoolCalendarIndexRequest, ConfigurationUpdateRequest, SchoolCalendarUpdateRequest, PolicyShowRequest, SchoolCalendarOptionsRequest
- Staff: 3 requests. StaffIndexRequest, StaffUpdateRequest, StaffStoreRequest
- Students: 7 requests. StudentRemoveClassRequest, StudentUpdateRequest, StudentAssignClassRequest, StudentSetActiveRequest, StudentPromotionTotalsRequest, StudentAssignmentListRequest, StudentAutoDistributeRequest
- Subjects: 2 requests. SubjectCurriculumUpdateRequest, SubjectCurriculumStoreRequest
- Support: 3 requests. SupportRequestStoreRequest, SupportRequestIndexRequest, ContactSendRequest
- System: 2 requests. NavItemStoreRequest, NavItemReorderRequest
- Teachers: 6 requests. TeacherClassViewRequest, TeacherAbsenceSubmitRequest, TeacherAssignmentDeleteRequest, TeacherAssignmentStoreRequest, TeacherAssignmentListRequest, TeacherSwitchClassRequest
- Ui: 1 requests. UiStyleRequest
- Users: 4 requests. UserStoreRequest, UserListRequest, UserUpdateRequest, LoginActivityRequest
- Utilities: 1 requests. PhoneFormatRequest
- Whatsapp: 7 requests. WhatsappLinkIndexRequest, WhatsappMembershipUpdateRequest, WhatsappLinkStoreRequest, WhatsappLinkUpdateRequest, WhatsappParentContactsRequest, WhatsappParentContactsByClassRequest, WhatsappInviteSendRequest
Appendix D: Resource Groups
- Admin: 5 resources. PrintRecipientsResource, TeacherSubmissionReportResource, AdminNotificationAlertsResource, ProgressGroupResource, ProgressReportDetailResource
- Assignment: 2 resources. AssignmentOverviewResource, AssignmentSectionResource
- Attendance: 7 resources. DailyAttendanceResource, AdminAttendanceResource, LateSlipLogCollection, LateSlipLogResource, TeacherGridResource, StaffMonthResource, TeacherAttendanceFormResource
- Auth: 1 resources. RegisterResource
- ClassPreparation: 2 resources. ClassPreparationPrintResource, ClassPreparationResultResource
- ClassProgress: 4 resources. ClassProgressGroupCollection, ClassProgressAttachmentResource, ClassProgressShowResource, ClassProgressReportResource
- Classes: 4 resources. ClassSectionCollection, ClassSectionResource, ClassAttendanceResource, ClassAttendanceStudentResource
- Discounts: 2 resources. DiscountVoucherResource, DiscountParentResource
- Email: 3 resources. EmailSenderResource, EmailExtractorEmailsResource, EmailExtractorCompareResource
- EmergencyContacts: 3 resources. EmergencyContactGroupResource, EmergencyContactStudentResource, EmergencyContactResource
- Events: 3 resources. EventChargeResource, EventResource, EventStudentChargeResource
- Exams: 1 resources. ExamDraftResource
- Expenses: 2 resources. ExpenseResource, ExpenseStaffResource
- ExtraCharges: 3 resources. ExtraChargeInvoiceOptionResource, ExtraChargeResource, ExtraChargeParentOptionResource
- Families: 7 resources. FamilyPaymentResource, FamilyInvoiceResource, FamilySearchItemResource, FamilyResource, FamilyGuardianResource, FamilyStudentResource, FamilyEmergencyContactResource
- Fees: 6 resources. FeeRefundResource, FeeFamilyBalanceResource, ChargeActionResource, ChargeListResource, FeeTuitionBreakdownResource, FeeTuitionTotalResource
- Files: 1 resources. FileMetaResource
- Finance: 9 resources. FinancialReportResource, FinancialSummaryResource, FinancialExpenseSummaryResource, FinancialInvoiceResource, FinancialPaymentResource, FinancialRefundResource, FinancialUnpaidParentResource, FinancialDiscountResource, FinancialReimbursementSummaryResource
- Frontend: 6 resources. LandingPageResource, ContactSubmissionResource, FrontendPageResource, FrontendUserResource, ProfileIconResource, PageContentResource
- Grading: 3 resources. BelowSixtyStudentResource, GradingScoreResource, HomeworkTrackingTeacherResource
- Incidents: 4 resources. IncidentStudentOptionResource, IncidentAnalysisStudentResource, IncidentResource, IncidentGradeResource
- Inventory: 5 resources. InventoryItemResource, InventoryCategoryResource, InventoryMovementResource, SupplierResource, SupplyCategoryResource
- Invoices: 2 resources. InvoiceManagementParentResource, InvoiceResource
- Messaging: 3 resources. MessageResource, MessageCollection, RecipientResource
- Notifications: 2 resources. UserNotificationResource, NotificationResource
- Parents: 4 resources. ParentEmergencyContactResource, ParentAttendanceReportResource, ParentStudentResource, ParentAttendanceResource
- Payments: 4 resources. PaymentNotificationLogResource, PaymentTransactionResource, PaypalTransactionResource, PaymentResource
- Preferences: 3 resources. PreferencesListResource, PreferencesCollection, PreferencesResource
- Promotions: 4 resources. LevelProgressionResource, PromotionAuditLogResource, PromotionReminderResource, StudentPromotionResource
- PurchaseOrders: 2 resources. PurchaseOrderResource, PurchaseOrderItemResource
- Refunds: 1 resources. RefundResource
- Reimbursements: 5 resources. ReimbursementRecipientResource, ReimbursementExpenseResource, ReimbursementBatchResource, ReimbursementResource, ReimbursementUnderProcessingItemResource
- Reports: 8 resources. LateSlipLogResource, StickerStudentResource, StickerPresetResource, StickerClassSectionResource, ReportCardStudentMetaResource, ReportCardAcknowledgementResource, ReportCardClassSectionResource, ReportCardCompletenessStudentResource
- Roles: 4 resources. RolePermissionResource, RoleResource, UserWithRolesResource, PermissionResource
- Root: 1 resources. TeacherSubmissionRowResource
- SchoolIds: 1 resources. SchoolIdResource
- Scores: 3 resources. ScorePredictorStudentResource, ScoreCommentResource, ScoreStudentResource
- Security: 2 resources. IpBanCollection, IpBanResource
- Semesters: 2 resources. SemesterResolveResource, SemesterRangeResource
- Settings: 5 resources. PolicyResource, SchoolCalendarEventResource, SettingsResource, ConfigurationResource, SchoolCalendarEventDetailResource
- Staff: 2 resources. StaffCollection, StaffResource
- Students: 4 resources. StudentAssignmentResource, StudentRemovedResource, StudentClassSectionResource, StudentScoreCardRowResource
- Subjects: 2 resources. SubjectCurriculumResource, SubjectClassResource
- Support: 3 resources. ContactMessageResource, SupportRequestResource, SupportRequestCollection
- System: 4 resources. DashboardRouteResource, NavItemResource, HealthStatusResource, NavBuilderDataResource
- Teachers: 4 resources. TeacherAbsenceResource, TeacherStudentResource, TeacherClassResource, TeacherAssignmentResource
- Ui: 1 resources. UiStyleResource
- Users: 2 resources. LoginActivityResource, UserWithRolesResource
- Utilities: 1 resources. PhoneFormatResource
- Whatsapp: 5 resources. WhatsappParentContactResource, WhatsappGroupLinkResource, WhatsappClassSectionParentResource, WhatsappGroupLinkCollection, WhatsappClassSectionContactResource
Appendix E: Notable Review Queues
Raw SQL review queue
app/Services/Finance/FinancialSummaryService.php: 28 matchesapp/Services/Grading/GradingOverviewService.php: 11 matchesapp/Services/Finance/FinancialReportService.php: 10 matchesapp/Models/User.php: 7 matchesapp/Models/AttendanceData.php: 6 matchesapp/Services/Refunds/RefundOverpaymentService.php: 6 matchesapp/Services/Reports/ReportCards/ReportCardService.php: 6 matchesapp/Services/AttendanceTracking/ViolationRuleEngineService.php: 5 matchesapp/Services/AttendanceTracking/AttendanceCaseQueryService.php: 4 matchesapp/Services/Grading/GradingBelowSixtyService.php: 4 matchesapp/Services/Grading/HomeworkTrackingService.php: 4 matchesapp/Models/Payment.php: 3 matchesapp/Services/Attendance/AttendanceQueryService.php: 3 matchesapp/Services/Inventory/InventoryItemService.php: 3 matchesapp/Services/Inventory/InventoryMovementService.php: 3 matchesapp/Services/Payments/PaymentMissedCheckService.php: 3 matchesapp/Services/Scores/ScoreDashboardService.php: 3 matchesapp/Services/Scores/ScorePredictorDataService.php: 3 matchesapp/Models/Invoice.php: 2 matchesapp/Models/Role.php: 2 matchesapp/Models/TeacherClass.php: 2 matchesapp/Services/Admin/CompetitionWinners/CompetitionWinnersAdminService.php: 2 matchesapp/Services/Attendance/AttendanceDailySummaryService.php: 2 matchesapp/Services/AttendanceTracking/AttendancePendingViolationService.php: 2 matchesapp/Services/Families/FamilyQueryService.php: 2 matchesapp/Services/Finance/FinancialPaymentService.php: 2 matchesapp/Services/Promotions/PromotionQueryService.php: 2 matchesapp/Services/Refunds/RefundPayoutService.php: 2 matchesapp/Services/Refunds/RefundQueryService.php: 2 matchesapp/Services/Staff/StaffQueryService.php: 2 matchesapp/Services/Whatsapp/WhatsappInviteBundleService.php: 2 matchesapp/Models/AdditionalCharge.php: 1 matchesapp/Models/AttendanceRecord.php: 1 matchesapp/Models/AttendanceTracking.php: 1 matchesapp/Models/Project.php: 1 matchesapp/Models/RoleNavItem.php: 1 matchesapp/Models/StaffAttendance.php: 1 matchesapp/Models/StudentAllergy.php: 1 matchesapp/Models/StudentMedicalCondition.php: 1 matchesapp/Models/WhatsappGroupMembership.php: 1 matches- ... 19 more files
Direct request access review queue
app/Http/Controllers/Api/AttendanceTracking/AttendanceTrackingController.php: 16 matchesapp/Http/Controllers/Api/Attendance/AttendanceCommentTemplateController.php: 15 matchesapp/Http/Controllers/Api/Communication/CommunicationController.php: 12 matchesapp/Http/Controllers/Api/Badges/BadgeController.php: 9 matchesapp/Http/Controllers/Api/Email/BroadcastEmailController.php: 9 matchesapp/Http/Controllers/Api/ExtraCharges/ExtraChargesController.php: 9 matchesapp/Http/Controllers/Api/Students/StudentController.php: 9 matchesapp/Http/Controllers/Api/Attendance/StaffAttendanceApiController.php: 8 matchesapp/Http/Controllers/Api/Attendance/EarlyDismissalsController.php: 7 matchesapp/Http/Controllers/Api/ClassPreparation/ClassPreparationController.php: 7 matchesapp/Http/Controllers/Api/Attendance/TeacherAttendanceApiController.php: 5 matchesapp/Http/Controllers/Api/Certificates/CertificateController.php: 5 matchesapp/Http/Controllers/Api/Reports/ReportCardsController.php: 5 matchesapp/Http/Controllers/Api/CompetitionScores/CompetitionScoresController.php: 4 matchesapp/Http/Controllers/Api/Finance/ReimbursementController.php: 4 matchesapp/Http/Controllers/Api/PrintRequests/PrintRequestsController.php: 4 matchesapp/Http/Controllers/Api/Administrator/AdministratorEnrollmentController.php: 3 matchesapp/Http/Controllers/Api/Assignment/AssignmentApiController.php: 3 matchesapp/Http/Controllers/Api/Finance/InvoiceController.php: 3 matchesapp/Http/Controllers/Api/Finance/PaymentManualController.php: 3 matchesapp/Http/Controllers/Api/Parents/AuthorizedUserInviteController.php: 3 matchesapp/Http/Controllers/Api/Scores/ScoreCommentController.php: 3 matchesapp/Http/Controllers/Api/Scores/ScoreController.php: 3 matchesapp/Services/Administrator/AdministratorAbsenceService.php: 3 matchesapp/Http/Controllers/Api/Administrator/AdministratorNotificationController.php: 2 matchesapp/Http/Controllers/Api/Attendance/AdminAttendanceApiController.php: 2 matchesapp/Http/Controllers/Api/Auth/AuthSessionController.php: 2 matchesapp/Http/Controllers/Api/Auth/RegisterController.php: 2 matchesapp/Http/Controllers/Api/Classes/ClassController.php: 2 matchesapp/Http/Controllers/Api/Finance/PaymentController.php: 2 matchesapp/Http/Controllers/Api/Finance/PaymentTransactionController.php: 2 matchesapp/Http/Controllers/Api/Finance/PurchaseOrderController.php: 2 matchesapp/Http/Controllers/Api/Incidents/IncidentController.php: 2 matchesapp/Http/Controllers/Api/Scores/FinalController.php: 2 matchesapp/Http/Controllers/Api/Scores/HomeworkController.php: 2 matchesapp/Http/Controllers/Api/Scores/MidtermController.php: 2 matchesapp/Http/Controllers/Api/Scores/ParticipationController.php: 2 matchesapp/Http/Controllers/Api/Scores/ProjectController.php: 2 matchesapp/Http/Controllers/Api/Scores/QuizController.php: 2 matchesapp/Services/Administrator/TeacherSubmissionNotificationService.php: 2 matches- ... 10 more files
File operation review queue
app/Services/Reimbursements/ReimbursementEmailService.php: 5 matchesapp/Http/Controllers/Api/Students/StudentController.php: 3 matchesapp/Services/Badges/BadgePdfService.php: 3 matchesapp/ThirdParty/fpdf/fpdf.php: 3 matchesapp/Http/Controllers/Api/ClassProgress/ClassProgressController.php: 2 matchesapp/Http/Controllers/Api/Finance/ReimbursementController.php: 2 matchesapp/Services/Payments/PaymentManualService.php: 2 matchesapp/Services/PrintRequests/PrintRequestsPortalService.php: 2 matchesapp/Services/System/ConfigUpdateService.php: 2 matchesapp/Services/Whatsapp/WhatsappInviteEmailService.php: 2 matchesapp/Http/Controllers/Api/Attendance/EarlyDismissalsController.php: 1 matchesapp/Http/Controllers/Api/Finance/FinancialController.php: 1 matchesapp/Http/Controllers/Api/Finance/PaypalTransactionsController.php: 1 matchesapp/Http/Controllers/Api/PrintRequests/PrintRequestsController.php: 1 matchesapp/Services/Attendance/StaffAttendanceService.php: 1 matchesapp/Services/Finance/FinancialChartService.php: 1 matchesapp/Services/Parents/ParentAttendanceReportService.php: 1 matchesapp/Services/Reimbursements/ReimbursementFileService.php: 1 matches
Queue/dispatch review queue
app/Services/Promotions/PromotionReminderService.php: 2 matchesapp/Console/Commands/DeleteUnverifiedUsersCommand.php: 1 matchesapp/Services/Administrator/AdministratorEnrollmentEventService.php: 1 matchesapp/Services/Grading/GradingBelowSixtyService.php: 1 matchesapp/Services/Notifications/NotificationTriggerService.php: 1 matchesapp/Services/Whatsapp/WhatsappInviteNotificationService.php: 1 matchesapp/Services/Whatsapp/WhatsappInviteService.php: 1 matches
Legacy compatibility review queue
app/Services/Parents/ParentAttendanceReportService.php: 4 matchesapp/Config/Database.php: 3 matchesapp/Helpers/ci_helpers.php: 3 matchesapp/Http/Controllers/Api/Attendance/AttendanceCommentTemplateController.php: 3 matchesapp/Http/Controllers/Api/Auth/RegisterController.php: 3 matchesapp/Http/Controllers/Api/BaseApiController.php: 3 matchesapp/Http/Controllers/Api/Core/BaseApiController.php: 2 matchesapp/Services/Admin/CompetitionWinners/CompetitionWinnersAdminService.php: 2 matchesapp/Services/AttendanceTracking/AttendanceTrackingService.php: 2 matchesapp/Services/Auth/ApiLoginSecurityService.php: 2 matchesapp/Services/Auth/CodeIgniterApiRegistrationService.php: 2 matchesapp/Services/Discounts/DiscountApplyService.php: 2 matchesapp/Services/ExtraCharges/ExtraChargesChargeService.php: 2 matchesapp/Services/Payments/PaymentManualService.php: 2 matchesapp/Http/Controllers/Api/Auth/AuthController.php: 1 matchesapp/Http/Controllers/Api/Auth/AuthSessionController.php: 1 matchesapp/Http/Controllers/Api/CiRequestAdapter.php: 1 matchesapp/Http/Controllers/Api/Core/CiRequestAdapter.php: 1 matchesapp/Http/Controllers/Api/System/HealthController.php: 1 matchesapp/Http/Controllers/Api/Utilities/ProofreadController.php: 1 matchesapp/Http/Middleware/EnsureClassProgressTeacherPortalAccess.php: 1 matchesapp/Http/Middleware/EnsureParentProgressAccess.php: 1 matchesapp/Http/Middleware/EnsurePrintRequestsAdminAccess.php: 1 matchesapp/Http/Middleware/EnsurePrintRequestsTeacherAccess.php: 1 matchesapp/Http/Middleware/TeacherPortalAuthenticate.php: 1 matchesapp/Http/Requests/Admin/SaveCompetitionScoresRequest.php: 1 matchesapp/Http/Requests/Admin/StoreCompetitionWinnerRequest.php: 1 matchesapp/Http/Requests/Admin/UpdateCompetitionWinnerRequest.php: 1 matchesapp/Models/CiDatabase.php: 1 matchesapp/Models/User.php: 1 matchesapp/Services/Admin/CompetitionWinners/CompetitionWinnersDomain.php: 1 matchesapp/Services/Attendance/StaffAttendanceService.php: 1 matchesapp/Services/Auth/AuthSessionService.php: 1 matchesapp/Services/BadgeScan/BadgeScanService.php: 1 matchesapp/Services/Docs/DocsCatalogService.php: 1 matchesapp/Services/Parents/AuthorizedUsersManagementService.php: 1 matchesapp/Services/Parents/ParentProgressQueryService.php: 1 matchesapp/Services/Parents/ParentReportCardService.php: 1 matchesapp/Services/Parents/PrimaryParentUserResolver.php: 1 matchesapp/Services/PrintRequests/PrintRequestsPortalService.php: 1 matches- ... 1 more files