v1.0.0

Create full backend PHP files
Clean modular backend
Secure login system
Android-ready JSON responses
Role-based access control
Audit ready architecture
Reserved DB expansion fields
Offline-friendly auth design
CSRF Tokens
    Protect web forms
    Skip CSRF checks for Android API calls
    Token rotation
    Zero framework dependency
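As an added example (not the project's own code) of the CSRF design above: a session-bound token that rotates after each check and is skipped only when the request authenticates with a Bearer header and no session cookie, which is how the Android calls are assumed to authenticate.

```php
<?php
// Added example (not the project's code): session-bound CSRF token with
// rotation. Assumes web users authenticate with a PHP session cookie and
// Android calls authenticate with an Authorization: Bearer header instead.

function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Token to embed in every web form (256 bits, generated once per session).
function csrf_token(): string {
    ensure_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// An Android API call carries a Bearer token and no session cookie, so a
// browser cannot forge it with an ambient credential: CSRF does not apply.
function is_bearer_api_call(array $server, array $cookies): bool {
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    return stripos($auth, 'Bearer ') === 0 && !isset($cookies[session_name()]);
}

// Validate a state-changing request. Web form posts must carry the session
// token; the token is rotated after each check so it is effectively one-use.
function csrf_validate(array $post, array $server, array $cookies): bool {
    if (is_bearer_api_call($server, $cookies)) {
        return true;
    }
    ensure_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    $ok = $expected !== '' && is_string($given) && hash_equals($expected, $given);
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // rotate after every check
    return $ok;
}

// Form:    echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrf_token()) . '">';
// Handler: if (!csrf_validate($_POST, $_SERVER, $_COOKIE)) { http_response_code(403); exit; }
```

Rotating on every check means a form left open in a second tab fails after the first submit; rotate only on success if that matters for the web UI.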
Password Reset (email + token)
    Secure reset tokens
    Expiring links
    One-time use
    Email-ready (SMTP or cPanel mail)
    Android + web compatible
    No framework dependency
Token entropy 256-bit
token expiry = 1 hour
Module Permissions Matrix (Role + Module Access)
    Role-based access
    Per-module enable/disable
    Subscription ready
    Android + Web compatible
    Server-authoritative (no trust in client)
Subscription & Billing Layer
    Company → Subscription Plan → Enabled Modules → Permissions
    Load billing status
    load system modules
    hide locked modules visually
    still rely on server enforcement
API Rate Limiting & Abuse Protection
    IP-based + User-based throttling
    Different limits per endpoint type
    Login brute-force protection
    Lightweight (MySQL-backed)
    Framework-free
    Android + web safe
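An added example (not the project's code) of the MySQL-backed throttle described above: fixed-window counters keyed by IP and by user, with separate limits per endpoint type, and a login helper that trips on either dimension. The rate_limits table and the limit values are assumptions.

```php
<?php
// Added example (not the project's code): MySQL-backed fixed-window throttle
// keyed by IP and by user, with per-endpoint-type limits. Assumes a table
// rate_limits(bucket VARCHAR(160) PRIMARY KEY, hits INT, window_start INT).

const RATE_LIMITS = [           // [max requests, window seconds] (assumed values)
    'login' => [5,   300],      // brute-force protection: 5 attempts per 5 minutes
    'api'   => [120, 60],       // general Android/web API calls
    'mail'  => [3,   900],      // reset / verification mail sends
];

// Records one hit for $key in the $type bucket; returns true while under the limit.
function rate_limit_hit(PDO $db, string $type, string $key): bool {
    [$max, $window] = RATE_LIMITS[$type];
    $bucket = $type . ':' . $key;
    $now = time();
    // Single atomic upsert: start a new window if the old one expired, else count the hit.
    // Assignments are evaluated left to right, so hits sees the old window_start.
    $stmt = $db->prepare(
        'INSERT INTO rate_limits (bucket, hits, window_start) VALUES (?, 1, ?)
         ON DUPLICATE KEY UPDATE
           hits = IF(window_start + ? <= VALUES(window_start), 1, hits + 1),
           window_start = IF(window_start + ? <= VALUES(window_start), VALUES(window_start), window_start)'
    );
    $stmt->execute([$bucket, $now, $window, $window]);
    $q = $db->prepare('SELECT hits FROM rate_limits WHERE bucket = ?');
    $q->execute([$bucket]);
    return (int)$q->fetchColumn() <= $max;
}

// Login brute-force protection on both dimensions; either one tripping blocks the attempt.
function allow_login_attempt(PDO $db, string $ip, string $username): bool {
    $byIp   = rate_limit_hit($db, 'login', 'ip:' . $ip);
    $byUser = rate_limit_hit($db, 'login', 'user:' . strtolower($username));
    return $byIp && $byUser;
}

// Endpoint usage:
// if (!allow_login_attempt($db, $_SERVER['REMOTE_ADDR'], $_POST['username'] ?? '')) {
//     http_response_code(429); echo json_encode(['ok' => false, 'error' => 'rate_limited']); exit;
// }
```

Behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy; take the client IP from the proxy's forwarded header only when the proxy is trusted, otherwise the IP dimension can be spoofed away.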
Email Verification System
    Prevents fake accounts
    Ensures valid email ownership
    One-time expiring verification tokens
    Android + Web compatible
    Works with your existing auth + rate limiting
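One token helper, added here as an example (not the project's code), serving both the Password Reset list above (256-bit entropy, 1 hour expiry, one-time use) and the Email Verification list: only the SHA-256 hash of the token is stored, and consumption is done under a row lock so a token can be used exactly once. The auth_tokens table layout is an assumption.

```php
<?php
// Added example (not the project's code) serving both the password-reset and
// email-verification flows. Assumes a MySQL table
// auth_tokens(id INT AUTO_INCREMENT PRIMARY KEY, user_id INT, purpose VARCHAR(32),
//             token_hash CHAR(64), expires_at DATETIME, used_at DATETIME NULL).

const TOKEN_TTL_SECONDS = 3600; // 1 hour, as specified for reset links

// Issue a 256-bit token; only its SHA-256 hash is stored, so a leaked DB row
// cannot be replayed as a working link. Earlier unused tokens of the same
// purpose are retired so exactly one is valid at a time.
function issue_token(PDO $db, int $userId, string $purpose, int $ttl = TOKEN_TTL_SECONDS): string {
    $token = bin2hex(random_bytes(32)); // 64 hex chars = 256 bits of entropy
    $db->prepare('UPDATE auth_tokens SET used_at = NOW()
                  WHERE user_id = ? AND purpose = ? AND used_at IS NULL')
       ->execute([$userId, $purpose]);
    $stmt = $db->prepare('INSERT INTO auth_tokens (user_id, purpose, token_hash, expires_at)
                          VALUES (?, ?, ?, DATE_ADD(NOW(), INTERVAL ? SECOND))');
    $stmt->bindValue(1, $userId, PDO::PARAM_INT);
    $stmt->bindValue(2, $purpose);
    $stmt->bindValue(3, hash('sha256', $token));
    $stmt->bindValue(4, $ttl, PDO::PARAM_INT);
    $stmt->execute();
    return $token; // goes only into the emailed link, never into logs
}

// Consume a token exactly once (row lock + used_at stamp); returns the user id or null.
function consume_token(PDO $db, string $token, string $purpose): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed input: reject before touching the database
    }
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT id, user_id FROM auth_tokens
                          WHERE token_hash = ? AND purpose = ? AND used_at IS NULL
                            AND expires_at > NOW() FOR UPDATE');
    $stmt->execute([hash('sha256', $token), $purpose]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { $db->rollBack(); return null; }
    $db->prepare('UPDATE auth_tokens SET used_at = NOW() WHERE id = ?')->execute([$row['id']]);
    $db->commit();
    return (int)$row['user_id'];
}

// Usage: $t   = issue_token($db, $userId, 'reset');            // email a link carrying $t
//        $uid = consume_token($db, $_GET['token'] ?? '', 'reset'); // null = invalid/expired/used
```

Respond identically to an unknown email and a known one when issuing a token, so the endpoint does not confirm which addresses have accounts.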
Full Audit Trail Expansion (Immutable + Signed Logs)
    Immutable audit records
    Cryptographic chaining (tamper detection)
    Actor + IP + device context
    Covers API + admin actions
    Android + Web compatible
    Zero framework dependency
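An added example (not the project's code) of the chained, signed audit records listed above: each entry hashes its own content plus the previous entry's hash, is signed with a server-held HMAC key, and a verification walk recomputes every link. The field names and the in-memory chain are assumptions for illustration.

```php
<?php
// Added example (not the project's code): hash-chained, HMAC-signed audit
// records plus the verification walk that exposes edited, deleted or reordered
// rows. $signingKey is assumed to be held outside the database (config file).

function canonical(array $record): string {
    ksort($record); // fixed field order so identical content always hashes identically
    return json_encode($record, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

// Append one entry: actor, IP and device context are part of the hashed body,
// and prev_hash links it to the entry before it (64 zeros for the first one).
function audit_append(array $chain, string $signingKey, string $action,
                      int $actorId, string $ip, string $device, array $payload): array {
    $body = [
        'seq'       => count($chain) + 1,
        'ts'        => gmdate('c'),
        'action'    => $action,
        'actor_id'  => $actorId,
        'ip'        => $ip,
        'device'    => $device,
        'payload'   => $payload,
        'prev_hash' => $chain ? end($chain)['hash'] : str_repeat('0', 64),
    ];
    $body['hash'] = hash('sha256', canonical($body));
    $body['sig']  = hash_hmac('sha256', $body['hash'], $signingKey); // server-only key
    $chain[] = $body;
    return $chain;
}

// Recompute every link; returns the first bad sequence number, or 0 when intact.
function audit_verify(array $chain, string $signingKey): int {
    $prevHash = str_repeat('0', 64);
    foreach (array_values($chain) as $i => $rec) {
        $core = $rec;
        unset($core['hash'], $core['sig']);
        $okHash = hash_equals(hash('sha256', canonical($core)), $rec['hash'] ?? '');
        $okSig  = hash_equals(hash_hmac('sha256', $rec['hash'] ?? '', $signingKey), $rec['sig'] ?? '');
        if ((int)($rec['seq'] ?? 0) !== $i + 1 || ($rec['prev_hash'] ?? '') !== $prevHash || !$okHash || !$okSig) {
            return $i + 1;
        }
        $prevHash = $rec['hash'];
    }
    return 0;
}

// Usage: $chain = audit_append([], $key, 'user.login', 42, '10.0.0.5', 'android/1.0', []);
//        audit_verify($chain, $key) === 0; editing any row or removing a middle row makes it non-zero.
```

Grant the application's DB user INSERT and SELECT only on the audit table so the chain can be extended but not rewritten, and record the latest hash somewhere outside the database periodically, since truncating the tail is the one change a chain alone cannot detect.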
PayFast Payment Gateway
    Loaded JB26 PayFast LIVE & Sandbox (to be redone!!!) - review all PayFast files for detail
Admin Billing Dashboard (Web UI)
    Full backend SaaS billing
    Secure fast payments
    Subscription enforcement
    Audit-grade history
    Admin billing control panel
Final v1 Security Hardening & Deployment checklist

***Companies - no delete-data action/page is implemented - deleting companies is disallowed to preserve audit history


SQL SEEDS:
EXECUTION ORDER (IMPORTANT)
Step	File	Environment
1	schema.sql	ALL
2	01_modules.sql	ALL
3	02_permissions.sql	ALL
4	03_subscription_plans.sql	ALL
5	04_plan_modules.sql	ALL
6	05_system_company.sql	ALL
7	06_admin_user.sql	ALL
8	07_demo_data.sql	DEV ONLY


Create user roles before creating modules (RBAC: a user's access determines which modules are viewable)
    User role table in APK Version legend
    SQL TABLES Created
        Roles
        Permissions
        role_permissions
        user_roles
        Insert Roles
Create requirePermission() Middleware
Load permissions at login
    Android:
        Store locally
        Render dashboard dynamically
        Works offline
        Server still enforces
        Scales to 100k+ users
Add default role on user creation
    Safeguards:
        Prevent login without role
        Prevent role-less users
        Graceful permission failure handling
    Company isolation enforced
    Clear error signalling
    Safe dashboard rendering
    Strong RBAC guarantees
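An added example (not the project's code) of the requirePermission() middleware and the safeguards listed above, also covering the per-company module gating of the Module Permissions Matrix: the server checks role presence, company module enablement and the permission itself, and fails with a clear JSON error the Android client can render. The permission key convention, the context array and the company_modules table are assumptions.

```php
<?php
// Added example (not the project's code): server-side permission gate for
// both web and Android. Assumes $ctx holds the authenticated user's company_id,
// role_id and the permission keys loaded at login, and a table
// company_modules(company_id, module_key, enabled) for per-company gating.

function json_fail(int $status, string $code, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $code, 'message' => $msg]);
    exit;
}

// Permission key convention assumed here: "<module_key>.<action>", e.g. "tyres.view".
function module_enabled(PDO $db, int $companyId, string $moduleKey): bool {
    $stmt = $db->prepare('SELECT enabled FROM company_modules WHERE company_id = ? AND module_key = ?');
    $stmt->execute([$companyId, $moduleKey]);
    return (bool)$stmt->fetchColumn(); // missing row = not enabled
}

// Call at the top of every protected endpoint; never returns on failure.
function requirePermission(PDO $db, ?array $ctx, string $permission): void {
    if ($ctx === null) {
        json_fail(401, 'auth_required', 'Login required');
    }
    if (empty($ctx['role_id'])) {
        json_fail(403, 'no_role', 'Account has no role assigned'); // role-less users cannot proceed
    }
    $moduleKey = explode('.', $permission, 2)[0];
    if (!module_enabled($db, (int)$ctx['company_id'], $moduleKey)) {
        json_fail(403, 'module_disabled', "Module '$moduleKey' is not enabled for this company");
    }
    if (!in_array($permission, $ctx['permissions'] ?? [], true)) {
        json_fail(403, 'permission_denied', "Missing permission '$permission'");
    }
    // Fall through: the caller may proceed.
}

// Endpoint usage (company isolation: every query in the handler must also filter by $ctx['company_id']):
// requirePermission($db, $ctx, 'tyres.view');
```

The client may hide locked modules for a better UI, but only this server check decides; permissions cached on the device are a rendering hint, not an authority.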
Module system
    A logical feature group (e.g. Users, Billing, Audit, Tyre Inspection)
    Backed by permissions
    Enabled per company
    Optionally tied to subscription plans
    Used by frontend to render dashboard widgets
    List Modules (* = Light; ** = Basic; *** = Pro; **** = Enterprise) - pricing per year? - see subscription by module plan!
        1. dashboard (*)
        2. users (*)
        3. billing (*)
        4. audit (*)
        5. tyres (**)
        6. Miner Declarations (***)
        7. VFL (****)
        8. Mini Risk Assessments (***)
        9. Mine Rescue Service (****)
        10. PTO (***)
        11. SWP (***)
        12. IsoMetrix (****)
        13. Safety Inspections (***)
        14. Message Inbox (*)
        with 10 slots reserved for future use
        
        SQL Query:
            
Company Modules
    Enable Modules by Company
    Per company module enablement
    Login-time module loading
    Runtime API enforcement
    dashboard feature gating
    Subscription-ready hook
    Subscription with per-module add-ons (authoritative design)

Admin UI Pricing + trials (authoritative)
    Module pricing (monthly/annual)
    Trial configuration (6 months)??
    Admin pricing UI APIs
    UI behavioural rules
    Safe enforcement (no billing bypass or loopholes)
    Trial enforcement - Trial period set on 61 days
    Android & web compatible
    
    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 199.00, 2299.00, 61 FROM modules WHERE module_key = 'tyres';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1299.00, 12999.00, 61 FROM modules WHERE module_key = 'miner_declarations';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1399.00, 13999.00, 61 FROM modules WHERE module_key = 'vfl';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1699.00, 16999.00, 61 FROM modules WHERE module_key = 'mini_risk_assessments';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1499.00, 14999.00, 61 FROM modules WHERE module_key = 'mine_rescue_service';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1699.00, 16999.00, 61 FROM modules WHERE module_key = 'pto';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1799.00, 17999.00, 61 FROM modules WHERE module_key = 'swp';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1499.00, 14999.00, 61 FROM modules WHERE module_key = 'isometrix';

    INSERT INTO module_pricing (module_id, monthly_price, annual_price, trial_days)
    SELECT id, 1499.00, 14999.00, 61 FROM modules WHERE module_key = 'safety_inspections';
