Project: Rent-a-Car Manager by Dar Techx

Goal: Ship a mobile-first PWA with an ultra-light PHP backend (one or two files), start onboarding immediately (v0.5), then iterate by versions.

Non-negotiables
- Backend: PHP 8.1+, PDO (MySQL), NO frameworks. Backend is 1 or 2 files max: app.php (+ optional config.php).
- PWA: manifest.json, service-worker.js, offline.html, icons 192/512. Must be installable and provide an offline shell.
- Mobile & performance: one-column ≤768px, system fonts, dark mode; first-load ≤120KB gz; tiny JS; inline critical CSS; lazy tables.
- Security: sessions + JWT (HS256); bcrypt cost ≥12; CSRF on POST/PATCH/DELETE; secure cookies (HttpOnly, SameSite=Lax, Secure on HTTPS); login rate-limit; safe errors; add an X-Request-Id header.
- Multi-tenancy: vendor_id on all core tables; role/vendor scoping on every query (super_admin can see all).

Product rules
- Codes per role: VEN / OWN / DRV / CUS. Suggested code = last_code_number + random(5..10), transactional & monotonic (SELECT … FOR UPDATE). Admin can edit before save.
- Do NOT store usage/destination on the customer profile. Capture it at RENT-OUT and store it in the booking history SNAPSHOT (with car/driver snapshot and odometer + photo).
- Unified API response: { success, data, error }.

Default scope to assume (v0.5)
- Admin Lite: /admin (counters), /admin/users (search/filter by role + status), /admin/users/new (role dropdown, editable code suggestion +5..10, auto password, credential card with Copy + WhatsApp link).
- Public signup: /signup (all roles, minimal fields) → creates user with status=pending; show generated code + optional WhatsApp self-share; add an admin_notifications entry.
- Endpoints: GET /health; POST /login, /logout; GET /me; GET/POST/PATCH /admin/users; POST /public/signup.
- PWA caching: static Stale-While-Revalidate; API Network-First; never cache auth or mutations; offline.html fallback; SW update prompts refresh.

Delivery format (strict)
- Only send files that are new or updated.
- Provide FULL content for each file (no partial snippets), copy-paste ready.
- Start each file with a comment containing its path/name, e.g. `// /app.php`, ``.
- Keep code dependency-free and production-safe (CSRF, rate-limit, secure cookies).

Version roadmap to assume
- 0.5 Basic startup (PWA + Admin Lite + Signup + tenancy + security)
- 1.0 Vendor core: cars, profiles, bookings; rent-out snapshot (usage/destination + odometer photo)
- 2.0 Digital paperwork & portals: docs, guided inspections (mandatory AC check), fuel level (Full/¾/½/¼/%), bilingual PDFs, owner/customer/driver portals
- 3.0 Finance, maintenance & trust: ledger, oil logs with proof, car P&L, defaulters, ratings
- 4.0 Automation & reporting: alerts/reminders, advanced P&L filters + PDF/CSV, fuel reconciliation, staff & staff-expenses
- 5.0 AI & payments: AI damage diff; JazzCash/Easypaisa; platform commission; super admin analytics; dispute pack
- Future: Native apps (React Native/Flutter) + 3D scans (ARKit/ARCore)

Acceptance for v0.5
- PWA installable; offline shell for / and /signup.
- Admin creates user → editable code (+5..+10) → credential card with Copy + WhatsApp works.
- CSRF + login rate-limit enforced; responses include X-Request-Id.

If ambiguous
- Don’t stall. Make safe assumptions aligned with v0.5 and deliver a working first cut. Note assumptions at the top.

Additional rules
- I am not comfortable with JSON—never ask me to write or edit it. Always show PHP arrays only; you (the assistant) must handle JSON serialization with json_encode() and return the unified {success,data,error} shape.
- Use vanilla JS only (no frameworks); per-page JS ≤ 8 KB gz.
- System fonts only; no external fonts/CDNs.
- Timezone: Europe/London; store timestamps in UTC, display local time in the UI.
- Always include an X-Request-Id header and also return it in data.request_id.
- CSRF: token via cookie + "X-CSRF" header; rotate on login/logout.
- Login rate-limit: 5 attempts per 15 minutes per IP (count by REMOTE_ADDR; trust a proxy-supplied client IP header only when the app sits behind a proxy you control, otherwise the limit is trivially bypassed).
- Reserve/edit user code transactionally (SELECT … FOR UPDATE); commit on save.
- WhatsApp credential deeplink: use wa.me with URL-encoded text; include a Copy button.
- Service Worker: don’t cache auth/mutations; purge caches on logout; prompt refresh on update.
- Bilingual copy (English + Urdu) on public pages and the credential card.
- Paginate lists (default 20); lazy-load tables.
- Never expose stack traces; return safe errors; log details server-side.
- Set CSP: default-src 'self'; frame-ancestors 'none'; img-src 'self' data:; connect-src 'self'; upgrade-insecure-requests. (Check: with no style-src or script-src directive both fall back to default-src 'self', which blocks the inline critical CSS and any inline script. Add a per-response nonce or a hash to style-src rather than 'unsafe-inline'.)

Version gate
- This chat is strictly scoped to VERSION X.Y only; anything beyond this version is out-of-scope. Move future ideas to a “Backlog → Next Version” list at the end.
- At the top of every code delivery, include a short “Assumptions & Version Gate” block: what’s in-scope for X.Y, what’s explicitly deferred.
- Maintain a “CHANGELOG (X.Y)” section in each delivery turn listing added/changed/removed files with 1-line reasons.
- When something is out-of-scope for X.Y, do NOT code it—add a single bullet under “Backlog → Next Version” with a 1-line note.
- Always include a minimal smoke test checklist for the delivered files (how I confirm endpoints/pages work).
- Return a brief DB migration note with each schema change (UP and DOWN SQL).
- Health endpoint must include: app_version (X.Y), db_ok (bool), time_utc (ISO 8601), request_id.

Security headers in every PHP response
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- Referrer-Policy: no-referrer
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Permissions-Policy: geolocation=(), camera=()

NAV & THEME POLICY
- Use the shared top nav + mobile drawer pattern (see /admin/index.html) and the “Pro” KPI card styles.
- To switch palette per page, add .
- Bump /service-worker.js VERSION on any UI change; pre-cache admin pages.
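Worked example for the response plumbing the brief asks for (unified envelope, X-Request-Id in the header and in data.request_id, the security-header set, safe errors logged server-side, and the /health payload). This is an added illustration, not code from the brief or from the Dar Techx project. Assumptions: APP_VERSION would normally come from config.php and is defined here only so the file stands alone; `$pdo` is a PDO MySQL handle created by the caller; the route check at the bottom is a placeholder for whatever router app.php ends up with. The CSP adds a style-src nonce so the inline critical CSS survives default-src 'self'; HTML pages must print that nonce on their `<style>` tag.

```php
<?php
// Added example (not the project's app.php): unified { success, data, error }
// responses, X-Request-Id, security headers, safe error output and /health.
declare(strict_types=1);

const APP_VERSION = '0.5';   // assumption: normally defined in config.php

// One id per request; generated on first use and shared by headers, logs and JSON.
function request_id(): string
{
    static $id = null;
    return $id ??= bin2hex(random_bytes(16));
}

// Sends every header from the brief and returns the CSP nonce for inline <style>.
function send_security_headers(): string
{
    $nonce = base64_encode(random_bytes(16));
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; "
        . "img-src 'self' data:; connect-src 'self'; style-src 'self' 'nonce-$nonce'; "
        . 'upgrade-insecure-requests');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    header('Referrer-Policy: no-referrer');
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('Permissions-Policy: geolocation=(), camera=()');
    header('X-Request-Id: ' . request_id());
    return $nonce;
}

// Unified envelope. Callers hand over PHP arrays; JSON is produced only here.
function json_out(bool $success, array $data = [], ?string $error = null, int $status = 200): never
{
    $data['request_id'] = request_id();
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');            // API output is never cached by the SW or browser
    echo json_encode(
        ['success' => $success, 'data' => $data, 'error' => $error],
        JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
    );
    exit;
}

// Safe errors: full detail plus the request id goes to the server log; the
// client only gets a generic message and the id it can quote to support.
function install_error_handlers(): void
{
    ini_set('display_errors', '0');
    set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
        throw new ErrorException($msg, 0, $no, $file, $line);
    });
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf('[%s] %s: %s in %s:%d',
            request_id(), $e::class, $e->getMessage(), $e->getFile(), $e->getLine()));
        json_out(false, [], 'Internal error', 500);
    });
}

// GET /health: app_version, db_ok, time_utc (ISO 8601, UTC); json_out adds request_id.
function health_payload(PDO $pdo): array
{
    try {
        $dbOk = (int) $pdo->query('SELECT 1')->fetchColumn() === 1;
    } catch (PDOException $e) {
        error_log('[' . request_id() . '] health db check failed: ' . $e->getMessage());
        $dbOk = false;
    }
    return [
        'app_version' => APP_VERSION,
        'db_ok'       => $dbOk,
        'time_utc'    => gmdate('Y-m-d\TH:i:s\Z'),
    ];
}

// Wiring in app.php (assumed router; $pdo built from config.php):
// install_error_handlers();
// $nonce = send_security_headers();
// if (($_SERVER['REQUEST_URI'] ?? '') === '/health') {
//     json_out(true, health_payload($pdo));
// }
```

The `never` return type and `$e::class` need PHP 8.1, which matches the brief's minimum. Because the exception handler itself calls `json_out`, a failure inside the DB check or any route still produces the unified shape with a 500 and a request id instead of a bare PHP fatal.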
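Worked example for the role-code rules (VEN/OWN/DRV/CUS, suggestion = last + random(5..10), admin may edit before save, reservation under SELECT … FOR UPDATE, monotonic, commit on save). This is an added illustration, not code from the brief or the project. Assumed schema, since the brief does not give one: `code_counters(vendor_id, prefix, last_number)` with UNIQUE(vendor_id, prefix), and `users(id, vendor_id, role, code, name, password_hash, status)` with UNIQUE(vendor_id, code). Counters are scoped per vendor to honour the vendor_id-on-every-table rule; the role names in ROLE_PREFIX are placeholders.

```php
<?php
// Added example (not the project's code): code suggestion and transactional
// reservation for the per-role user codes.
declare(strict_types=1);

// Assumed role names; only the prefixes come from the brief.
const ROLE_PREFIX = ['vendor' => 'VEN', 'owner' => 'OWN', 'driver' => 'DRV', 'customer' => 'CUS'];

function role_prefix(string $role): string
{
    return ROLE_PREFIX[$role] ?? throw new InvalidArgumentException('unknown role');
}

function format_code(string $prefix, int $number): string
{
    return sprintf('%s-%d', $prefix, $number);
}

// Splits "DRV-42" into ['DRV', 42]; anything else is rejected before it reaches SQL.
function parse_code(string $code): array
{
    if (!preg_match('/^(VEN|OWN|DRV|CUS)-(\d{1,9})$/', $code, $m)) {
        throw new InvalidArgumentException('bad code format');
    }
    return [$m[1], (int) $m[2]];
}

// Read-only suggestion for /admin/users/new. Nothing is reserved here: the
// admin may edit the number in the form, and the reservation happens on save.
function suggest_code(PDO $pdo, int $vendorId, string $role): string
{
    $prefix = role_prefix($role);
    $st = $pdo->prepare('SELECT last_number FROM code_counters WHERE vendor_id = ? AND prefix = ?');
    $st->execute([$vendorId, $prefix]);
    $last = (int) $st->fetchColumn();     // false (no row yet) casts to 0
    return format_code($prefix, $last + random_int(5, 10));
}

// Save path: lock the counter row, enforce monotonicity against the (possibly
// edited) number, bump the counter and insert the user in one transaction.
function create_user_with_code(PDO $pdo, int $vendorId, string $role, string $code,
                               string $name, string $passwordHash): int
{
    [$prefix, $number] = parse_code($code);
    if ($prefix !== role_prefix($role)) {
        throw new InvalidArgumentException('code prefix does not match role');
    }
    $pdo->beginTransaction();
    try {
        $st = $pdo->prepare('SELECT last_number FROM code_counters WHERE vendor_id = ? AND prefix = ? FOR UPDATE');
        $st->execute([$vendorId, $prefix]);
        $last = $st->fetchColumn();
        if ($last === false) {
            // First code for this vendor/role. If two admins race here, the UNIQUE
            // key makes one INSERT fail; the catch below rolls back and that admin retries.
            $pdo->prepare('INSERT INTO code_counters (vendor_id, prefix, last_number) VALUES (?, ?, 0)')
                ->execute([$vendorId, $prefix]);
            $last = 0;
        }
        if ($number <= (int) $last) {
            throw new RuntimeException('code must be higher than ' . format_code($prefix, (int) $last));
        }
        $pdo->prepare('UPDATE code_counters SET last_number = ? WHERE vendor_id = ? AND prefix = ?')
            ->execute([$number, $vendorId, $prefix]);
        $pdo->prepare('INSERT INTO users (vendor_id, role, code, name, password_hash, status) VALUES (?, ?, ?, ?, ?, ?)')
            ->execute([$vendorId, $role, format_code($prefix, $number), $name, $passwordHash, 'active']);
        $id = (int) $pdo->lastInsertId();
        $pdo->commit();
        return $id;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
```

The suggestion deliberately does not lock or write: two admins can both be shown DRV-47, but only the first save wins the row lock and moves the counter, and the second save is rejected with the new floor so the admin can accept a fresh suggestion. Keeping the `> last_number` check inside the locked transaction is what makes the sequence monotonic even when the admin has edited the number.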
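Worked example for the session and login rules (HttpOnly/SameSite=Lax/Secure cookies, CSRF token via cookie + X-CSRF header with rotation on login and logout, 5 attempts per 15 minutes per IP, bcrypt cost 12). This is an added illustration, not code from the brief or the project. Assumptions: `login_attempts(ip VARCHAR(45), attempted_at DATETIME)` stored in UTC; `users(id, vendor_id, role, code, password_hash, status)`; users log in with their role code, which the brief does not state; the session name `rcm_sid` is arbitrary. The CSRF check compares the header against the session copy as well as the cookie, which is stricter than a plain double-submit cookie and is why both are kept.

```php
<?php
// Added example (not the project's app.php): secure session cookie, CSRF
// cookie + X-CSRF header, per-IP login rate-limit, bcrypt login, token rotation.
declare(strict_types=1);

const LOGIN_MAX_ATTEMPTS = 5;
const LOGIN_WINDOW_SEC   = 15 * 60;
const BCRYPT_COST        = 12;

function is_https(): bool
{
    // Behind a TLS-terminating proxy use its forwarded-proto header instead,
    // but only if that proxy is the sole path into the app.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function cookie_opts(bool $httpOnly): array
{
    return ['path' => '/', 'httponly' => $httpOnly, 'secure' => is_https(), 'samesite' => 'Lax'];
}

function start_secure_session(): void
{
    session_set_cookie_params(cookie_opts(true));
    session_name('rcm_sid');
    session_start();
    if (empty($_SESSION['csrf'])) {
        issue_csrf_token();
    }
}

// Token lives in the session and in a JS-readable cookie; the page echoes it
// back as the X-CSRF header. Checking against the session copy (not only the
// cookie) defeats a csrf cookie planted from a sibling subdomain.
function issue_csrf_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'] = $token;
    setcookie('csrf', $token, cookie_opts(false));
    return $token;
}

// $header comes from $_SERVER['HTTP_X_CSRF'], $cookie from $_COOKIE['csrf'].
function csrf_ok(string $method, string $header, string $cookie): bool
{
    if (!in_array($method, ['POST', 'PATCH', 'DELETE'], true)) {
        return true;                                    // only state-changing methods are checked
    }
    $sess = $_SESSION['csrf'] ?? '';
    return $sess !== '' && hash_equals($sess, $header) && hash_equals($sess, $cookie);
}

function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Sliding 15-minute window per IP; all attempts count, not only failures.
function login_attempts_in_window(PDO $pdo, string $ip): int
{
    $cutoff = gmdate('Y-m-d H:i:s', time() - LOGIN_WINDOW_SEC);
    $pdo->prepare('DELETE FROM login_attempts WHERE attempted_at < ?')->execute([$cutoff]);
    $st = $pdo->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND attempted_at >= ?');
    $st->execute([$ip, $cutoff]);
    return (int) $st->fetchColumn();
}

// Returns [http_status, error|null]; the caller wraps it in the unified envelope.
function handle_login(PDO $pdo, string $ip, string $code, string $password): array
{
    if (login_attempts_in_window($pdo, $ip) >= LOGIN_MAX_ATTEMPTS) {
        return [429, 'Too many attempts, try again in 15 minutes'];
    }
    $pdo->prepare('INSERT INTO login_attempts (ip, attempted_at) VALUES (?, ?)')
        ->execute([$ip, gmdate('Y-m-d H:i:s')]);

    $st = $pdo->prepare('SELECT id, vendor_id, role, password_hash, status FROM users WHERE code = ?');
    $st->execute([$code]);
    $u = $st->fetch(PDO::FETCH_ASSOC);
    // Run bcrypt even for unknown codes so response time does not reveal which codes exist.
    $verified = password_verify($password, $u['password_hash'] ?? hash_password('no-such-user'));
    if (!$u || !$verified) {
        return [401, 'Invalid credentials'];            // same message for unknown code and wrong password
    }
    if ($u['status'] !== 'active') {
        return [403, 'Account is not active yet'];      // e.g. status=pending from /signup
    }
    session_regenerate_id(true);                        // fresh session id on privilege change
    $_SESSION['uid']       = (int) $u['id'];
    $_SESSION['vendor_id'] = (int) $u['vendor_id'];
    $_SESSION['role']      = $u['role'];
    issue_csrf_token();                                 // rotate on login
    return [200, null];
}

function handle_logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', cookie_opts(true) + ['expires' => 1]);
    setcookie('csrf', '', cookie_opts(false) + ['expires' => 1]);   // rotate on logout
    session_destroy();
}
```

`$u['password_hash'] ?? …` is safe when `$u` is `false` because the null-coalescing operator uses isset semantics and emits no warning. The dummy `hash_password()` call on an unknown code costs one bcrypt round, which is exactly the point: the timing of a bad code and of a bad password are indistinguishable.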
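Worked example for the "sessions + JWT (HS256)" requirement, written without a library as the brief demands. This is an added illustration, not code from the brief or the project. Assumptions: the secret is a random string of at least 32 bytes loaded from config.php; the default lifetime of one hour and the `jti` claim are choices made here, not stated in the brief. The verifier pins `alg` to HS256 before touching the signature, so a token with `"alg":"none"` or one signed with a different algorithm is rejected outright.

```php
<?php
// Added example (not the project's code): HS256 JWT mint and verify.
declare(strict_types=1);

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): string
{
    $pad = strlen($s) % 4;
    $decoded = base64_decode(strtr($s, '-_', '+/') . ($pad ? str_repeat('=', 4 - $pad) : ''), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('bad base64url');
    }
    return $decoded;
}

function jwt_sign(array $claims, string $secret, int $ttlSeconds = 3600): string
{
    if (strlen($secret) < 32) {
        throw new InvalidArgumentException('HS256 secret must be at least 32 bytes');
    }
    $now = time();
    // Caller-supplied claims win; these are only defaults.
    $claims += ['iat' => $now, 'nbf' => $now, 'exp' => $now + $ttlSeconds, 'jti' => bin2hex(random_bytes(8))];
    $h   = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'], JSON_THROW_ON_ERROR));
    $p   = b64url_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    $sig = b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
    return "$h.$p.$sig";
}

// Returns the claims, or null for anything that does not verify. $now is
// injectable so expiry handling can be exercised deterministically.
function jwt_verify(string $jwt, string $secret, ?int $now = null): ?array
{
    $now ??= time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $sig] = $parts;
    try {
        $header = json_decode(b64url_decode($h), true, 8, JSON_THROW_ON_ERROR);
        $claims = json_decode(b64url_decode($p), true, 8, JSON_THROW_ON_ERROR);
        $given  = b64url_decode($sig);
    } catch (Throwable) {
        return null;
    }
    // Pin the algorithm before any signature work; never trust the token's choice.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256' || !is_array($claims)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, $given)) {
        return null;
    }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now
        || ($claims['nbf'] ?? 0) > $now) {
        return null;
    }
    return $claims;
}

// Usage (assumed secret and claims):
// $token  = jwt_sign(['sub' => 42, 'vendor_id' => 7, 'role' => 'vendor'], $secret);
// $claims = jwt_verify($token, $secret);          // array, or null if tampered/expired
```

Tokens minted this way carry `vendor_id` and `role`, so every API handler can apply the tenant scoping rule from the claims without a second lookup; `hash_equals` keeps the signature comparison constant-time, and `exp` is required rather than optional so a token can never be made permanent by omitting it.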