# Items Requiring Attention

## 1. Allergies Module - Missing Foreign Key References

### Migration: `Modules/Allergies/Database/migrations/*_create_allergens_table.php`
- `student_id` column has no foreign key constraint to `students.id`
- `created_by` column has no foreign key constraint to `users.id`

### Form Request: `Modules/Allergies/Http/Requests/StoreAllergenRequest.php`
- `student_id` rule should be: `['required', 'integer', 'exists:students,id']` instead of `['required', 'integer']`
- `created_by` should be set from `auth()->id()` and NOT accepted from request

## 2. Permissions Seeding

After modifications, run:
```bash
php artisan db:seed --class=PermissionSeeder
php artisan db:seed --class=RoleSeeder
```

## 3. Key Conventions Enforced

| Rule | Explanation |
|------|-------------|
| `applyPermissions` | DO NOT pass the 3rd `$merge` parameter for default CRUD mappings (`list`, `show`, `create`, `edit`, `delete`) as they're already defined in `AddPermissions` trait defaults |
| Foreign keys | Always use `exists:table,column` validation rule on all foreign keys |
| DTO | Every resource that has create/update operations MUST have a `final readonly class` DTO implementing `DTOInterface` |
| Service | Create/update/delete logic goes through a Service class, never directly in controller |
| Translations | All `__()` message keys must exist in `lang/en/auth.php` and `lang/ar/auth.php` |
| Permissions | Every new controller endpoint must be registered in `config/permissions.php` `resources` array |