# NGBVD Developer Modification Notes

## Phase 1 - Project-wide defensive write guards

This package applies the first controlled modernization phase across the existing Laravel project.

### What changed

1. Added reusable transaction helpers in `app/Http/Controllers/Controller.php`:
   - `guardedWebTransaction()`
   - `guardedApiTransaction()`

2. Wrapped write-heavy CRUD methods in guarded transactions across:
   - `DataEntryController`
   - `ApiController`
   - `IndicatorController`
   - `LocationController`
   - `PartnerController`
   - `UserMgtController`
   - `SettingsController`
   - `ConfigurationController`

3. Replaced controller/model `save()` calls with `saveOrFail()` so failed database writes throw exceptions and trigger rollback.

4. Moved public API v1 routes from `routes/web.php` to `routes/api.php`.

5. Removed sensitive runtime files from the deliverable:
   - `.env`
   - `id_rsa`
   - `id_rsa.pub`
   - `known_hosts.ssh`
   - `known_hosts.ssh.pub`

6. Updated `.gitignore` to prevent committing environment and SSH key material.

### Important implementation rule

Any method that writes to multiple tables should remain inside `guardedWebTransaction()` or `guardedApiTransaction()`. Use `saveOrFail()` instead of `save()` inside guarded operations.

### Recommended testing after applying

- Create survivor profile
- Add multiple incidents to one survivor
- Add multiple perpetrators
- Add witness
- Add services/action taken
- Add case status
- Update existing case tabs
- Create/update indicators
- Create/update/delete locations
- Create/update partners
- Create users and change passwords
- Call `/api/v1/token`
- Call `/api/v1/processdata` with valid and invalid token
- Call `/api/v1/incidentstats` with valid and invalid token

### Next recommended phase

Add Form Request validation for case entry and API endpoints, then begin extracting case registration logic into services.