# Kevron Suites and Apartments — Guest Account Dashboard Implementation Notes

## Architecture Overview
The Guest Account Dashboard for **Kevron Suites and Apartments** is a secure, authenticated, mobile-first, and highly optimized guest portal. It bridges the gap between verified booking transactions, customer support, and tailored concierge requests (airport transfers, car rentals, en-suite requests, smart door lock PIN codes, and digital emergency manuals).

---

## 1. Database Schema & Models
The guest dashboard is backed by relational migrations that run in dependency order:

*   **`guest_profiles`**
    *   Linked to `users` via `user_id`.
    *   Fields: `phone`, `whatsapp`, `preferred_contact_method` (email, phone, whatsapp), `notification_preferences` (JSON).
*   **`guest_booking_links`**
    *   Links transactions to authenticated guest users.
    *   Fields: `booking_id`, `booking_reference`, `verification_method`, `verified_at`.
*   **`support_tickets`**
    *   Concierge support threads.
    *   Fields: `ticket_number`, `category` (booking, payment, transport, general, complaints, maintenance), `subject`, `status` (new, received, assigned, in_progress, waiting_for_guest, resolved, closed).
*   **`support_ticket_messages`**
    *   Message log with support ticket attachments.
    *   Fields: `sender_type` (guest, admin), `message`, `attachment_path`.
*   **`guest_notifications`**
    *   Dashboard alerts.
    *   Fields: `title`, `message`, `type`, `read_at`.
*   **`guest_activity_logs`**
    *   Audit trail of guest actions.
    *   Fields: `activity_type`, `description`, `ip_address`, `user_agent`.
*   **`guest_manual_access_logs`**
    *   Logs sensitive data access (e.g. Wi-Fi credentials).
    *   Fields: `section_title`, `ip_address`.

---

## 2. Security & Access-Control Pipeline
The guest portal enforces the following controls:

*   **Route Guards**:
    *   All `/guest/*` sub-routes are guarded by the `auth` session middleware.
*   **Preventing Session Fixation**:
    *   `GuestAuthController::login()` performs `$request->session()->regenerate()` upon successful authentication.
*   **Brute-Force Rate Limiting**:
    *   Guest login is rate-limited.
    *   Booking reference linking (`GuestDashboardController::linkBooking()`) is rate-limited to 3 attempts every 5 minutes per IP/User to prevent reference enumeration.
*   **Strict IDOR Protection**:
    *   All queries (e.g., booking details, support threads, billing list) filter by `GuestBookingLink::where('user_id', Auth::id())` or policies.
    *   Intruders attempting to view other guests' bookings or download invoices receive a `403 Forbidden` response.
*   **Gated Sensitive Manuals**:
    *   Emergency contacts, smart door PINs, and Wi-Fi passcodes are strictly gated. They are only rendered if the guest has an active stay with a status of `checked_in`.
*   **Noindex robots directives**:
    *   All dashboard views contain `<meta name="robots" content="noindex, nofollow">` to prevent indexing by crawlers.
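As an added example (not the project's own code), a controller sketch showing how the rate-limited linking, the per-user scoping and the `checked_in` gate above fit together in Laravel. Model names follow the schema in section 1; the route name, the view name and the `booking_reference` column on `Booking` are assumptions.

```php
<?php
// Added example, not the project's own controller. Model names follow the schema above;
// the route name, view name and the Booking column `booking_reference` are assumptions.

namespace App\Http\Controllers\Guest;

use App\Http\Controllers\Controller;
use App\Models\Booking;
use App\Models\GuestBookingLink;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class GuestDashboardController extends Controller
{
    // 3 attempts per 300 s, keyed on user id AND client IP: neither one account from
    // many addresses nor one address across many accounts can walk the reference
    // space. The key is hit before the lookup so wrong and right guesses both count.
    public function linkBooking(Request $request)
    {
        $data = $request->validate(['booking_reference' => ['required', 'string', 'max:32']]);
        $key  = 'link-booking:'.$request->user()->id.'|'.$request->ip();
        if (RateLimiter::tooManyAttempts($key, 3)) {
            return back()->withErrors(['booking_reference' => 'Too many attempts. Retry in '.RateLimiter::availableIn($key).' s.']);
        }
        RateLimiter::hit($key, 300);
        // One generic message for any failure, so the response does not reveal which references exist.
        $booking = Booking::where('booking_reference', $data['booking_reference'])->first();
        if (! $booking) {
            return back()->withErrors(['booking_reference' => 'We could not link that reference.']);
        }
        GuestBookingLink::create(['user_id' => $request->user()->id, 'booking_id' => $booking->id,
            'booking_reference' => $booking->booking_reference,
            'verification_method' => 'booking_reference', 'verified_at' => now()]);
        RateLimiter::clear($key);
        return redirect()->route('guest.bookings.show', $booking);
    }

    // IDOR check: scoped to the caller's own verified links, so a foreign booking id
    // yields no row and a 403. Wi-Fi and door PIN sections render only when checked_in.
    public function show(Request $request, Booking $booking)
    {
        $owned = GuestBookingLink::where('user_id', $request->user()->id)
            ->where('booking_id', $booking->id)->whereNotNull('verified_at')->exists();
        abort_unless($owned, 403);
        return view('guest.bookings.show', [
            'booking' => $booking, 'showSensitiveManual' => $booking->status === 'checked_in',
        ]);
    }
}
```

The same ownership query belongs in front of the invoice and receipt streaming in section 5, since a file served by a controller is only as private as the check that precedes the stream.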

---

## 3. Brand & Visual System Conformity
The guest dashboard UI is built mobile-first with a premium visual appeal:

*   **Branding Palette**:
    *   Kevron Royal Blue (`#2B3192`), Kevron Sky Cyan (`#1FADEA`), Champagne Gold (`#D6A84F`), Midnight Navy (`#080D2B`), Soft Ice Blue (`#F4F8FF`).
*   **Typography**:
    *   Marcellus (Headings), Inter (UI & Body Copy). Font sizes strictly capped at `1.8rem` for H1 and under `0.875rem` for body copy.
*   **Button Pill Borders**:
    *   All call-to-action buttons use `border-radius: 50px`.
*   **Components & Cards**:
    *   Cards feature a `border-radius: 0.1rem` with `box-shadow: rgba(0, 0, 0, 0.05) 0px 0px 0px 1px`.
*   **Ambient Depth**:
    *   Section backgrounds are styled with Soft Ice Blue/slate gradients to set them apart from the page body background.

---

## 4. Filament Admin CRUD Management
Nine distinct Filament resources are registered to manage the guest dashboard operations inside the admin area:
1.  **`GuestResource`**: Manage guest accounts.
2.  **`GuestProfileResource`**: Manage preferred contact and communications options.
3.  **`GuestBookingLinkResource`**: Manage linked booking reference records.
4.  **`InvoiceResource`**: Handle room invoices, taxes, and pricing adjustments.
5.  **`ReceiptResource`**: Manage receipts linked to paid invoices.
6.  **`SupportTicketResource`**: Handle concierge chat responses and status changes.
7.  **`GuestNotificationResource`**: Dispatch in-app notifications.
8.  **`GuestActivityLogResource`**: Read-only telemetry audit viewer.
9.  **`GuestDocumentResource`**: Manage uploaded private guest files.

---

## 5. Private PDF Invoices & Receipts
*   **Storage Isolation**:
    *   Invoices and receipts are served dynamically through authorized controller streaming rather than public directory mapping.
*   **Printable Stylesheets**:
    *   High-fidelity, print-ready, modern templates mapped in `guest.pdf.invoice` and `guest.pdf.receipt`.

---

## 6. Verification & Automated Test Suites
A complete test suite is available under `tests/Feature/GuestDashboardTest.php` and passes in full:
*   `test_auth_pages_load_successfully`: Asserts login/register load with 200 OK.
*   `test_dashboard_requires_authentication`: Asserts dashboard routes require an authenticated session.
*   `test_dashboard_loads_for_authenticated_guest`: Verifies the overview metrics render and the robots directive is present.
*   `test_bookings_list_renders_correctly`: Checks stays listings.
*   `test_booking_details_and_idor_protection`: Verifies that unauthorized reference attempts return `403 Forbidden`.
*   `test_invoice_download_and_idor_protection`: Asserts private invoice IDOR protection blocks intruders with `403`.
*   `test_sensitive_manual_credentials_gating`: Asserts Wi-Fi and smart lock codes are hidden unless booking status is `checked_in`.
*   `test_stay_extension_submits_successfully`: Asserts modification requests store properly.
*   `test_airport_pickup_submits_successfully`: Verifies transport concierge scheduler.
*   `test_special_request_submits_successfully`: Checks en-suite requests flow.
*   `test_stays_review_submits_successfully_and_blocks_duplicates`: Checks star ratings and blocks duplicate reviews.
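As an added example (not the project's own test file), one way the IDOR test listed above can be written as a Laravel feature test, covering the unauthenticated, owner and intruder cases. Model factories for `User`, `Booking` and `GuestBookingLink` and the route name are assumptions.

```php
<?php
// Added example, not the project's tests/Feature/GuestDashboardTest.php. Assumes
// factories for User, Booking and GuestBookingLink; the route name is an assumption.

namespace Tests\Feature;

use App\Models\Booking;
use App\Models\GuestBookingLink;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class GuestBookingIdorTest extends TestCase
{
    use RefreshDatabase;

    public function test_booking_details_and_idor_protection(): void
    {
        $owner    = User::factory()->create();
        $intruder = User::factory()->create();
        $booking  = Booking::factory()->create();
        GuestBookingLink::factory()->create([
            'user_id' => $owner->id, 'booking_id' => $booking->id, 'verified_at' => now(),
        ]);
        $url = route('guest.bookings.show', $booking);

        // Unauthenticated: the auth middleware redirects away from the dashboard.
        $this->get($url)->assertRedirect();
        // Linked owner: the page renders.
        $this->actingAs($owner)->get($url)->assertOk();
        // Another authenticated guest supplying the same id: 403, no booking data.
        $this->actingAs($intruder)->get($url)->assertForbidden();
    }
}
```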
