#!/usr/bin/env bash # ───────────────────────────────────────────────────────────── # Parsec Sdn. Bhd. · AMIR # Generated by the Parsec Sdn. Bhd. AI Development Framework v2 # © 2026 Parsec Sdn. Bhd. All rights reserved. # Internal use only. Unauthorised use outside Parsec Sdn. Bhd.-authorised # projects is prohibited. # ───────────────────────────────────────────────────────────── # bootstrap.sh — AMIR project bootstrap # # Run this once on Day 1. It: # 1. Asks where to install (existing cloned repo OR new folder) # 2. Confirms with you (you must type 'bootstrap' to proceed) # 3. Verifies prerequisites (PHP 8.3+, Composer, Node 22+, npm, git, claude) # 4. Scaffolds Laravel 12 # 5. Creates the AMIR domain folder structure # 6. Writes every framework file (CLAUDE.md, slash commands, hooks, skills, # rules, agents, settings.json, .ai/guidelines/, dispatch.sh, review.sh, # tmux-work, .cursorrules, docs/living/ stubs, GitHub Actions CI) # 7. Copies .sprint-backlog.json (sibling file — must be present alongside this script) # 8. Installs composer + npm dependencies # 9. Sets up .env from template + generates APP_KEY # 10. Makes initial commit on main, creates dev/staging/prod branches # 11. Pushes (Path A) or prints push instructions (Path B) # 12. Creates 4 agent worktrees (b/c/d/q) # 13. Adds shell aliases (za/zb/zc/zd/zq) to ~/.zshrc # # Hybrid distribution model: this script + .sprint-backlog.json (2.7 MB) # must be in the SAME directory when you run bootstrap.sh. # # After completion: open a new terminal, type 'za', then '/sprint-status'. set -euo pipefail # Colours for terminal output GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' BLUE='\033[0;34m' BOLD='\033[1m' NC='\033[0m' # No Color # ── Helpers ───────────────────────────────────────────────── say() { echo -e "${BLUE}→${NC} $*"; } ok() { echo -e "${GREEN}✓${NC} $*"; } warn() { echo -e "${YELLOW}⚠${NC} $*"; } fail() { echo -e "${RED}✗${NC} $*" >&2; exit 1; } check_command() { command -v "$1" &> /dev/null || fail "Missing required tool: $1. $2" } # ── Variables ──────────────────────────────────────────────── PROJECT_NAME="amir" PROJECT_DISPLAY="AMIR" PROJECT_SNAKE="amir" STACK="laravel" GITHUB_ORG="parsec-my" DEVELOPMENT_LEVEL=3 YEAR="$(date +%Y)" # Path to this script (so we can find sibling .sprint-backlog.json) SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SPRINT_BACKLOG_SOURCE="$SCRIPT_DIR/.sprint-backlog.json" # ── Step 1: Repo path question ─────────────────────────────── echo "" echo -e "${BOLD}Have you already created a GitHub repo and cloned it locally?${NC}" echo "" echo " [y] Yes — I am inside the cloned (empty) repo directory right now" echo " [n] No — I will create the local project folder and push to GitHub later" echo "" read -rp "Enter y or n: " REPO_ANSWER case "$REPO_ANSWER" in y|Y) git rev-parse --git-dir > /dev/null 2>&1 || fail "Not inside a git repository. Clone your empty GitHub repo first, then re-run." TARGET_DIR="$(pwd)" PUSH_REMOTE=true PATH_MODE="A" ok "Path A: existing cloned repo at $TARGET_DIR" ;; n|N) read -rp "Enter your project folder name (e.g. amir): " FOLDER_NAME [[ -n "$FOLDER_NAME" ]] || fail "Folder name cannot be empty." TARGET_DIR="$(pwd)/$FOLDER_NAME" [[ -e "$TARGET_DIR" ]] && fail "Folder $TARGET_DIR already exists. Choose a different name or use Path A." PUSH_REMOTE=false PATH_MODE="B" ok "Path B: new folder will be created at $TARGET_DIR" ;; *) fail "Invalid answer. Type y or n." ;; esac # ── Step 2: Confirmation gate ──────────────────────────────── cat <= 8.3 PHP_VERSION_FULL="$(php -r 'echo PHP_VERSION;')" PHP_MAJOR_MINOR="$(echo "$PHP_VERSION_FULL" | awk -F. '{print $1"."$2}')" if [[ "$(printf '%s\n' "8.3" "$PHP_MAJOR_MINOR" | sort -V | head -n1)" != "8.3" ]]; then fail "PHP $PHP_VERSION_FULL is too old. AMIR requires PHP 8.3+." fi ok "PHP $PHP_VERSION_FULL detected" # Verify Node version >= 22 NODE_VERSION_FULL="$(node --version | sed 's/v//')" NODE_MAJOR="$(echo "$NODE_VERSION_FULL" | awk -F. '{print $1}')" if [[ "$NODE_MAJOR" -lt 22 ]]; then fail "Node $NODE_VERSION_FULL is too old. AMIR requires Node 22+." fi ok "Node $NODE_VERSION_FULL detected" # Verify required PHP extensions — uses PHP's authoritative extension_loaded() # instead of grep'ing `php -m` (which can false-positive on whitespace/CR endings) say "Checking PHP extensions..." REQUIRED_EXT="pdo_pgsql redis mbstring intl bcmath gd sodium openssl" MISSING_EXT="" for ext in $REQUIRED_EXT; do if ! php -r "exit(extension_loaded('$ext') ? 0 : 1);" 2>/dev/null; then MISSING_EXT="$MISSING_EXT $ext" fi done if [[ -n "$MISSING_EXT" ]]; then warn "PHP extensions missing:$MISSING_EXT (install via Herd UI or pecl before running tests)" else ok "PHP extensions: all required loaded" fi # Claude Code — install if missing (do not abort) if ! command -v claude &> /dev/null; then warn "Claude Code not found. Installing..." npm install -g @anthropic-ai/claude-code ok "Claude Code installed" else ok "Claude Code: $(claude --version 2>/dev/null || echo 'installed')" fi # Verify .sprint-backlog.json exists alongside this script [[ -f "$SPRINT_BACKLOG_SOURCE" ]] || fail "Missing sibling file: .sprint-backlog.json must be in the same directory as bootstrap.sh. Re-extract the bootstrap package." SPRINT_BACKLOG_SIZE="$(wc -c < "$SPRINT_BACKLOG_SOURCE" | tr -d ' ')" ok ".sprint-backlog.json found (${SPRINT_BACKLOG_SIZE} bytes)" ok "All prerequisites OK" # ── Step 4: Repo setup (Path A only — Path B handled in Step 5) ─────── if [[ "$PATH_MODE" == "A" ]]; then cd "$TARGET_DIR" ok "Working in existing repo at $TARGET_DIR" fi # ── Step 5: Framework scaffold (Laravel 12) ────────────────── # Critical ordering: composer create-project refuses non-empty directories # (a .git folder counts as non-empty). For Path B: scaffold first, then git init. if [[ "$PATH_MODE" == "B" ]]; then say "Creating project folder $TARGET_DIR..." mkdir -p "$TARGET_DIR" cd "$TARGET_DIR" ok "Folder created" say "Scaffolding Laravel 12 (this takes 1-2 minutes)..." composer create-project laravel/laravel . --prefer-dist ok "Laravel scaffolded" say "Initialising git repository..." git init git checkout -b main ok "Git initialised on main" else # Path A — check if already scaffolded if [[ -f "artisan" && -f "composer.json" ]]; then ok "Laravel already scaffolded — skipping create-project" else say "Scaffolding Laravel 12 into existing repo..." # Composer create-project refuses non-empty directories. Park bootstrap files # (and .git, .nvmrc, anything else hanging around) so the dir looks empty, # then move them all back after scaffolding completes. PARK_DIR="$(mktemp -d -t amir-bootstrap-park.XXXXXX)" say "Parking bootstrap files in $PARK_DIR..." # Move every dotfile and bootstrap artifact out — leave only `.` and `..` for f in bootstrap.sh .sprint-backlog.json .nvmrc .git .DS_Store .editorconfig; do [[ -e "$f" ]] && mv "$f" "$PARK_DIR/" || true done # Run composer create-project into the now-empty directory composer create-project laravel/laravel . --prefer-dist say "Restoring bootstrap files from $PARK_DIR..." # Move everything back. Laravel's scaffold may have created its own .gitignore # and .editorconfig — for those, we keep Laravel's version (don't overwrite). # For everything else, we restore. for f in bootstrap.sh .sprint-backlog.json .nvmrc .git .DS_Store; do if [[ -e "$PARK_DIR/$f" ]]; then mv "$PARK_DIR/$f" "./$f" fi done # Special case: if Laravel scaffolded a .editorconfig but we had one parked, # keep Laravel's. Discard ours silently. [[ -e "$PARK_DIR/.editorconfig" ]] && rm "$PARK_DIR/.editorconfig" || true rmdir "$PARK_DIR" 2>/dev/null || true # SPRINT_BACKLOG_SOURCE points at a path that just got moved — recompute it # to the post-restore location (which is the same physical path since we # moved it back to where it started). SPRINT_BACKLOG_SOURCE="$SCRIPT_DIR/.sprint-backlog.json" ok "Laravel scaffolded" fi fi # ── Step 6: Domain folder structure ────────────────────────── say "Creating AMIR domain folder structure..." # 15 domains from ARCHITECTURE.md Phase 6 DOMAINS=(Tenant Auth COA Journal Invoice Bill Payment Bank Tax Reporting Member Loan ArRahnu Notification PDPA) for d in "${DOMAINS[@]}"; do mkdir -p "app/Domain/$d"/{Actions,Events,Models,Enums,Resources,Requests,Listeners} done mkdir -p app/Http/Controllers/Api/V1 mkdir -p app/Http/Controllers/Web mkdir -p app/Http/Middleware mkdir -p app/Http/Resources mkdir -p app/Casts mkdir -p app/Models/Concerns mkdir -p app/Scopes mkdir -p tests/Unit/Domain mkdir -p tests/Feature/Api/V1 mkdir -p tests/Feature/Invariants mkdir -p tests/Browser mkdir -p resources/js/Pages mkdir -p resources/js/Components mkdir -p resources/js/Layouts mkdir -p resources/js/lib mkdir -p logs ok "Domain folders created (${#DOMAINS[@]} domains)" # Write .nvmrc — pins Node 22 for this folder and all worktrees (per-folder via nvm) # Idempotent: only writes if not already present (preserves any nvm version override) if [[ ! -f .nvmrc ]]; then echo "22" > .nvmrc ok ".nvmrc written (Node 22 pinned)" else ok ".nvmrc already exists ($(cat .nvmrc | tr -d '\n'))" fi # ── Step 7+8: Write all framework files ────────────────────── say "Writing framework files..." mkdir -p .claude/{commands,hooks,rules,skills,agents} mkdir -p .team-plans # Level 5+ — team lead plan persistence mkdir -p docs/living mkdir -p docs/runbooks mkdir -p .ai/guidelines mkdir -p .github/workflows # ─── Step 7+8 — Write framework files ───────────────────────────── echo "→ Writing framework files (this may take a moment)..." echo " → writing CLAUDE.md (22,899 bytes)" cat > 'CLAUDE.md' << '__AMIR_BOOTSTRAP_EOF_SENTINEL__' # CLAUDE.md — AMIR Project Memory ## Behavioral Guidelines **Tradeoff:** These guidelines bias toward caution over speed. For trivial tasks, use judgment. ### Think Before Coding **Don't assume. Don't hide confusion. Surface tradeoffs.** Before implementing: - State your assumptions explicitly. If uncertain, ask. - If multiple interpretations exist, present them — don't pick silently. - If a simpler approach exists, say so. Push back when warranted. - If something is unclear, stop. Name what's confusing. Ask. ### Simplicity First **Minimum code that solves the problem. Nothing speculative.** - No features beyond what was asked. - No abstractions for single-use code. - No "flexibility" or "configurability" that wasn't requested. - No error handling for impossible scenarios. - If you write 200 lines and it could be 50, rewrite it. Ask yourself: "Would a senior engineer say this is overcomplicated?" If yes, simplify. ### Surgical Changes **Touch only what you must. Clean up only your own mess.** When editing existing code: - Don't "improve" adjacent code, comments, or formatting. - Don't refactor things that aren't broken. - Match existing style, even if you'd do it differently. - If you notice unrelated dead code, mention it — don't delete it. When your changes create orphans: - Remove imports/variables/functions that YOUR changes made unused. - Don't remove pre-existing dead code unless asked. The test: Every changed line should trace directly to the user's request. ### Goal-Driven Execution **Define success criteria. Loop until verified.** Transform tasks into verifiable goals: - "Add validation" → "Write tests for invalid inputs, then make them pass" - "Fix the bug" → "Write a test that reproduces it, then make it pass" - "Refactor X" → "Ensure tests pass before and after" For multi-step tasks, state a brief plan: 1. [Step] → verify: [check] 2. [Step] → verify: [check] 3. [Step] → verify: [check] Strong success criteria let you loop independently. Weak criteria ("make it work") require constant clarification. --- ## Before Writing Any Code **Read these files first** — they are auto-loaded by Laravel Boost on every session start, and they encode every architectural rule that applies to AMIR: 1. `.ai/guidelines/project-architecture.md` — Action class pattern, controller rules, domain events, model rules, API resources, Spatie policies, queue/Horizon structure for AMIR specifically. 2. `.ai/guidelines/data-conventions.md` — money (cents), IDs (UUID v7), phones (E.164), timestamps (timestampsTz), enums, encrypted fields, migrations. 3. `.ai/guidelines/testing-standards.md` — `AssertsQueryPerformance` trait, Pest patterns, factory conventions, test folder structure, query-count assertions. Then run **Boost's live introspection tools** before planning: - `database_schema` — read the actual current schema; don't assume. - `application_info` — installed packages and versions. - `tinker` — verify model relationships and queries before writing code. Read **`docs/living/`** (all seven files) before planning or troubleshooting. They reflect the actual current state of the codebase, updated every sprint-close. --- ## 1. Project Overview **AMIR** is an AI-native, Malaysia-first SME accounting SaaS — built first for koperasi (cooperative societies) under SKM regulation. The product is multi-tenant, packs-based (Core + Koperasi Pack #1, with Sukmk and Sukkk packs to follow), and delivered as a single Laravel + Inertia + React app with three role contexts (Tenant Admin, Tenant User, Platform Operator). The koperasi pack is the v1 commercial entry point and the SKM tender (S005/2026) deliverable. Solo founder + AI-assisted development. Pre-tender demo deadline: 21 May 2026. Full v1 (production koperasi pilot) target: ~25 August 2026. --- ## 2. Tech Stack (versions are read live by Boost — recorded here for reference) | Layer | Choice | Notes | |---|---|---| | Language | PHP 8.3 | Strict types enabled in every domain file | | Framework | Laravel 12 | Composer `"laravel/framework": "^12.0"` | | Database | PostgreSQL 16 | Malaysia residency (AWS ap-southeast-3) | | Cache + Queue | Redis 7 | Sessions, cache, Horizon queue | | Frontend | Inertia + React 18 + Tailwind 3 | Single-page app, server-rendered routes | | Auth | Sanctum (stateful sessions) + Spatie Permission v6 + Fortify | Cookie-based, CSRF-protected | | Queue | Laravel Horizon | Single Redis-backed queue, multiple supervisors | | Storage | S3-compatible | Malaysia region preferred | | Audit log | spatie/laravel-activitylog v4 | Auto-logging on configured models | | Testing | Pest | Browser tests via Playwright | | Error tracking | Sentry (managed) | PII-scrubbed via beforeSend; replays disabled | --- ## 3. Domain Folder Structure Every business domain owns a folder under `app/Domain/[Name]/`. The 20 modules from ARCHITECTURE.md map to these domains: ``` app/Domain/ Auth/ (Module A — auth, sessions, MFA, login audit) Onboarding/ (Module B — tenant setup wizard) Parties/ (Module C — debtors, creditors, banks, auditors) Accounting/ (Module D — CoA, periods, journal entries, trial balance) Transactions/ (Module E — receipt, payment, journal, contra) Banking/ (Module F — bank reconciliation) FixedAssets/ (Module G — assets + depreciation) Inventory/ (Module H) Members/ (Module I — Koperasi pack: members, shares, subscriptions) ArRahnu/ (Module J — Islamic pawn, gold valuation, auctions) EInvoice/ (Module K — MyInvois, LHDN integration) Reporting/ (Module L — Penyata Kewangan, Trial Balance, P&L, etc.) Surplus/ (Module M — Koperasi pack: surplus distribution, AGM) Signals/ (Module N — anomaly + health-score + LLM explanations) Oversight/ (Module O — PO cross-tenant view, SKM-facing) Operations/ (Module P — PO ops: tenants, packs, billing, alerts) Integrations/ (Module Q — generic integration framework) DataMigration/ (Module R — import/export, opening balances) Pdpa/ (Module S — DSAR, breach, retention, portability) Tax/ (Module T — Cukai Pendapatan + Zakat draft computation) ``` Inside each domain folder: ``` app/Domain/[Name]/ Actions/ — single-purpose action classes (one per business operation) Events/ — domain events emitted by actions Models/ — Eloquent models for this domain only Enums/ — backed enums for status/type values Resources/ — API/Inertia resources Requests/ — FormRequest classes for input validation Policies/ — Spatie-aware authorisation policies Jobs/ — queued jobs (one per async operation) Listeners/ — domain event listeners Services/ — only for genuinely shared logic (avoid; prefer actions) ``` **Cross-domain calls are explicit via Actions, never via direct model coupling.** `Members\Actions\CreateMember` may dispatch a `MemberRegistered` event that `Accounting\Listeners\AllocateMemberAccount` listens to — but `Members\Models\Member` does not import `Accounting\Models\Account`. --- ## 4. Code Pattern Examples ### Controller (thin — delegates to Action) ```php execute( tenantId: $request->user()->currentTenantId(), data: $request->validated(), ); return MemberResource::make($member)->response()->setStatusCode(201); } } ``` ### Action class (single public `execute` method, transactional) ```php $tenantId, 'ic_no_encrypted' => $data['ic_number'], // input field 'ic_number' → storage column 'ic_no_encrypted' (per E3) 'full_name' => $data['full_name'], 'phone_e164' => $data['phone_e164'], 'shares_held' => 0, 'subscription_balance_cents' => 0, 'status' => MemberStatus::Active, ]); event(new MemberRegistered($member->id, $tenantId)); return $member->fresh(); }); } } ``` ### FormRequest (validation only — no business logic) ```php user()->can('create', \App\Domain\Members\Models\Member::class); } public function rules(): array { return [ 'ic_number' => ['required', 'string', 'regex:/^\d{6}-\d{2}-\d{4}$/'], 'full_name' => ['required', 'string', 'max:255'], 'phone_e164' => ['required', 'string', 'regex:/^\+60\d{9,10}$/'], ]; } } ``` --- ## 5. Data Conventions Summary | Convention | Rule | Example | |---|---|---| | Money | Always integer **cents** in `BIGINT` columns named `*_cents`. Never `decimal(N,2)`. | `total_amount_cents BIGINT NOT NULL` | | IDs | **UUID v7** primary keys, generated application-side via `HasUuids` trait override. Never auto-increment. | `id UUID PRIMARY KEY` | | Foreign keys | UUID FKs with explicit `ON DELETE` strategy (RESTRICT default, CASCADE only when child cannot exist independently). | `tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE RESTRICT` | | Status | Backed PHP enum + `string` column; never raw strings in code. | `MemberStatus::Active`, column `status VARCHAR(32)` | | Phones | E.164 format in `phone_e164` columns, `+60123456789` style. | Validated by regex `/^\+60\d{9,10}$/` | | Timestamps | `timestampsTz()` on every table — always timezone-aware. UTC in DB, MYT for display. | `created_at TIMESTAMPTZ NOT NULL` | | Soft deletes | `softDeletes()` on entities with audit-trail lifecycle. | `deleted_at TIMESTAMPTZ NULL` | | Tenant scope | Every tenant-scoped table has `tenant_id UUID NOT NULL`. Use `BelongsToTenant` trait — never manual `where('tenant_id', ...)`. | See `app/Concerns/BelongsToTenant.php` | | Encrypted fields | Sensitive identifiers (NRIC, bank account numbers, TINs) use the **two-column pattern from E3**: `*_encrypted` for ciphertext + `*_hash` for SHA-256 lookup with per-tenant salt. MFA secrets and integration credentials use the single-column `'encrypted'` cast. | `protected $casts = ['ic_no_encrypted' => 'encrypted']` | | Audit | spatie/laravel-activitylog v4 on every model that needs an audit trail. Configured via `LogsActivity` trait. | `use LogsActivity;` | Full rules in `.ai/guidelines/data-conventions.md`. --- ## 6. Git Rules ### Branch naming `feature/s{N}-{NN}-{slug}` — example: `feature/s06-01-member-master-crud` `fix/{slug}` for bug-fix branches off `dev` `hotfix/{slug}` for emergency patches off `main` ### Commit message format ``` [type]([scope]): [description] .--. .- .-. ... . -.-. [body — optional, only if context > 1 line] ``` The `.--. .- .-. ... . -.-.` Morse separator is **mandatory** on every commit. The pre-commit guard hook hard-blocks commits without it. `[type]` ∈ `feat`, `fix`, `chore`, `refactor`, `docs`, `test`, `style`, `build`, `ci`. `[scope]` is the domain folder (e.g. `members`, `accounting`) or `core` for cross-cutting. **Forbidden:** - `Co-Authored-By:` lines (hard-blocked by pre-commit guard) - Commits referencing the agent in the message body - Commits with debug artifacts (`dd()`, `dump()`, `console.log`, `var_dump()`) — hard-blocked ### PR rules - Every PR closes one task in `.sprint-backlog.json` - PR description follows the template in `.claude/skills/writing-pr-descriptions.md` - Run `/verify` before opening the PR — 13 steps, mandatory - Every PR must have an associated test (no test = no merge) --- ## 7. DO NOT List (architecture violations specific to AMIR) - ❌ Never query a tenant-scoped model without `BelongsToTenant` trait (silent data leak across tenants) - ❌ Never use `decimal` for money — only integer cents in `BIGINT` - ❌ Never store NRIC in plaintext — use `encrypted` cast - ❌ Never skip `tenant_id` on a new tenant-scoped table (caught by `post-edit-tenant-scope-check.sh` hook) - ❌ Never mutate financial data (transactions, journal entries, posted amounts) directly — always via the appropriate Action class so audit log fires - ❌ Never use raw `where('status', 'XYZ')` — use the backed enum: `where('status', MemberStatus::Active)` - ❌ Never reproduce song lyrics, copyrighted material, real public-figure quotes anywhere in the codebase including comments and seed data - ❌ Never let frontend ALL-CAPS strings drift from PHP enums (caught by `post-edit-enum-sync-check.sh` hook) - ❌ Never write a migration that drops a column without a deprecation sprint first (see `.claude/skills/writing-migrations.md`) - ❌ Never use `console.log` / `dd()` / `dump()` in code that goes to PR — hard-blocked at commit - ❌ Never include PII in analytics events or Sentry breadcrumbs (caught by `PIIGuard` service + `beforeSend` scrubber) - ❌ Never bypass `TenantScope` without the explicit `withoutGlobalScope(TenantScope::class)` call AND a justification comment --- ## 8. Design System Compliance **Before building any page or UI component, read `UI_UX_SPEC.md` Section 7.4 (Component Inventory).** ### Component Usage (mandatory) - Use design system components for ALL UI. Never build raw HTML when a component exists. Use `