# Zavvion Events Codex Project Instructions

These rules apply inside the `zavvion-events` application.

- Build with PHP 8.2+, Yii 3 packages, MySQL/XAMPP, Apache, MVC boundaries, Bootstrap 5, Composer, and clear dependency injection.
- Keep controllers thin. Put event, ticketing, payment, seat-hold, tax, fee, scanner, privacy, and permission rules in focused services and domain objects.
- Never commit secrets. Use `.env.example` only and keep real credentials out of Git.
- Do not store card data. Stripe integration must use Checkout Sessions or PaymentIntents with Connect application fees and signed webhooks.
- Treat checkout, seat holds, payment webhooks, QR validation, RBAC, uploads, and privacy flows as high-risk areas requiring tests or explicit validation notes.
- Preserve a mobile-first, accessible Bootstrap 5 UI.
- Use migrations for schema changes and seed safe local development data.
- Before destructive actions or production dependency changes, ask for approval.

## Multi-Agent Delivery Setup

Use specialist Codex agents where they reduce delivery time without reducing quality. The lead Codex session remains the architect and final integrator.

- Start with a short dependency map before spawning agents: which work can run in parallel, which files each agent owns, and which checks prove the change.
- Prefer read-only `codebase_explorer` agents for mapping unfamiliar areas, then bounded implementation agents with non-overlapping write scopes.
- Use `frontend_engineer` for isolated UI/page work, `backend_engineer` for services/API/schema work, `integration_engineer` for frontend/backend wiring, `qa_test_engineer` for regression coverage, `security_reviewer` for auth/payments/uploads/privacy/finance paths, and `final_reviewer` before handoff.
- Do not let multiple agents edit the same file area unless the lead has explicitly sequenced the changes.
- Do not install production dependencies, change payment credentials, alter secrets, or change deployment settings from an agent without explicit approval.
- Every agent handoff must list files read, files changed, checks run, risks, and remaining dependencies.
- The lead must integrate, run the relevant XAMPP/PHP/JS checks, and update handoff documentation before claiming completion.