create-sales 1.0.0

package/.gitignore

@@ -0,0 +1,19 @@
+node_modules/
+dist/
+build/
+.env
+.env.local
+.env.*.local
+coverage/
+.DS_Store
+Thumbs.db
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+frontend-project/node_modules/
+frontend-project/dist/
+frontend-project/.env
+backend-project/node_modules/
+backend-project/.env

package/README.md

@@ -0,0 +1,40 @@
+# create-sales
+
+This repository is prepared as an npm create initializer for a full-stack bus reservation system.
+
+Use it with:
+
+```bash
+npm create sales my-app
+```
+
+## What is included
+
+- `frontend-project/` - React + Vite + TypeScript + Tailwind CSS client
+- `backend-project/` - Express + MySQL + session-auth API
+- Shared template documentation and workspace scripts at the repository root
+
+## Publishing notes
+
+The repository root is the npm package entry point. It is configured with workspaces so the frontend and backend can be installed and run from one place.
+
+The published package name must be `create-sales` so npm can resolve `npm create sales` correctly.
+
+## Getting started after unpacking the template
+
+```bash
+npm install
+npm run dev:backend
+npm run dev:frontend
+```
+
+## Backend environment
+
+Copy `backend-project/.env.example` to `backend-project/.env` and adjust the values for your local MySQL server.
+
+## Available root scripts
+
+- `npm run dev:frontend`
+- `npm run build:frontend`
+- `npm run dev:backend`
+- `npm run start:backend`

package/backend-project/.env.example

@@ -0,0 +1,11 @@
+DB_HOST=localhost
+DB_USER=root
+DB_PASS=
+DB_NAME=y_bus_booking
+SESSION_SECRET=ybus_secret_key_2026
+PORT=5000DB_HOST=localhost
+DB_USER=root
+DB_PASS=your_mysql_password
+DB_NAME=y_bus_booking
+SESSION_SECRET=ybus_super_secret_key_2026
+PORT=5000

package/backend-project/database/schema.sql

@@ -0,0 +1,101 @@
+-- ============================================================
+-- Y Bus Reservation System - Database Schema
+-- Database: y_bus_booking
+-- ============================================================
+
+CREATE DATABASE IF NOT EXISTS y_bus_booking
+  CHARACTER SET utf8mb4
+  COLLATE utf8mb4_unicode_ci;
+
+USE y_bus_booking;
+
+-- ─── Table: yk_buses ────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS yk_buses (
+  BusID       INT AUTO_INCREMENT PRIMARY KEY,
+  PlateNumber VARCHAR(20) NOT NULL UNIQUE,
+  TotalSeats  INT NOT NULL DEFAULT 30,
+  BusType     ENUM('Standard', 'Express', 'Luxury', 'Mini') NOT NULL DEFAULT 'Standard',
+  CreatedAt   TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- ─── Table: yk_users ────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS yk_users (
+  UserID    INT AUTO_INCREMENT PRIMARY KEY,
+  UserName  VARCHAR(100) NOT NULL UNIQUE,
+  Password  VARCHAR(255) NOT NULL,
+  UserRole  ENUM('admin', 'agent') NOT NULL DEFAULT 'agent',
+  CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- ─── Table: yk_schedules ─────────────────────────────────────
+CREATE TABLE IF NOT EXISTS yk_schedules (
+  ScheduleID            INT AUTO_INCREMENT PRIMARY KEY,
+  BusID                 INT NOT NULL,
+  RouteName             VARCHAR(150) NOT NULL,
+  DeparturePoint        VARCHAR(150) NOT NULL,
+  Destination           VARCHAR(150) NOT NULL,
+  DepartureTime         DATETIME NOT NULL,
+  EstimatedArrivalTime  DATETIME NOT NULL,
+  TicketPrice           DECIMAL(10,2) NOT NULL DEFAULT 0.00,
+  ScheduleStatus        ENUM('Active', 'Inactive', 'Cancelled') NOT NULL DEFAULT 'Active',
+  CreatedAt             TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT fk_schedule_bus FOREIGN KEY (BusID) REFERENCES yk_buses(BusID)
+    ON UPDATE CASCADE ON DELETE RESTRICT
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- ─── Table: yk_bookings ──────────────────────────────────────
+CREATE TABLE IF NOT EXISTS yk_bookings (
+  BookingID       INT AUTO_INCREMENT PRIMARY KEY,
+  ScheduleID      INT NOT NULL,
+  UserID          INT NOT NULL,
+  PassengerName   VARCHAR(150) NOT NULL,
+  PassengerGender ENUM('Male', 'Female', 'Other') NOT NULL,
+  PassengerPhone  VARCHAR(20) NOT NULL,
+  SeatNumber      VARCHAR(10) NOT NULL,
+  PaymentStatus   ENUM('Pending', 'Paid', 'Cancelled') NOT NULL DEFAULT 'Pending',
+  BookingDate     DATE NOT NULL,
+  CreatedAt       TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT fk_booking_schedule FOREIGN KEY (ScheduleID) REFERENCES yk_schedules(ScheduleID)
+    ON UPDATE CASCADE ON DELETE RESTRICT,
+  CONSTRAINT fk_booking_user FOREIGN KEY (UserID) REFERENCES yk_users(UserID)
+    ON UPDATE CASCADE ON DELETE RESTRICT
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- ─── Indexes for performance ─────────────────────────────────
+CREATE INDEX idx_bookings_schedule ON yk_bookings(ScheduleID);
+CREATE INDEX idx_bookings_user ON yk_bookings(UserID);
+CREATE INDEX idx_schedules_bus ON yk_schedules(BusID);
+CREATE INDEX idx_schedules_status ON yk_schedules(ScheduleStatus);
+
+-- ─── Seed Data ───────────────────────────────────────────────
+
+-- Default admin user (password: admin123)
+INSERT INTO yk_users (UserName, Password, UserRole) VALUES
+  ('admin', '$2a$10$rBnT2rqbZTMcFKRnVpeTG.qvdV.LKQEm/5DYuCNiUEFbCGVgD/Yme', 'admin'),
+  ('agent1', '$2a$10$rBnT2rqbZTMcFKRnVpeTG.qvdV.LKQEm/5DYuCNiUEFbCGVgD/Yme', 'agent');
+-- Both passwords above are hashed 'admin123'
+
+-- Sample Buses
+INSERT INTO yk_buses (PlateNumber, TotalSeats, BusType) VALUES
+  ('RAD 123 A', 45, 'Standard'),
+  ('RAB 456 B', 30, 'Express'),
+  ('RAC 789 C', 55, 'Luxury'),
+  ('RAE 012 D', 20, 'Mini');
+
+-- Sample Schedules
+INSERT INTO yk_schedules (BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus) VALUES
+  (1, 'KGL-BTR Route 1', 'Nyabugogo', 'Butare', '2026-02-01 06:00:00', '2026-02-01 09:00:00', 5000.00, 'Active'),
+  (2, 'KGL-MUS Route 1', 'Nyabugogo', 'Musanze', '2026-02-01 07:30:00', '2026-02-01 10:30:00', 4500.00, 'Active'),
+  (3, 'KGL-GHY Route 1', 'Downtown Kigali', 'Gisenyi', '2026-02-01 08:00:00', '2026-02-01 12:00:00', 7000.00, 'Active'),
+  (4, 'KGL-RWM Route 1', 'Nyabugogo', 'Rwamagana', '2026-02-01 09:00:00', '2026-02-01 10:30:00', 2500.00, 'Active');
+
+-- Sample Bookings
+INSERT INTO yk_bookings (ScheduleID, UserID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus, BookingDate) VALUES
+  (1, 1, 'Jean Pierre Habimana', 'Male', '+250788123456', 'A1', 'Paid', '2026-01-28'),
+  (1, 1, 'Marie Claire Uwimana', 'Female', '+250788654321', 'A2', 'Paid', '2026-01-28'),
+  (1, 2, 'Alexis Nkurunziza', 'Male', '+250789123456', 'B1', 'Pending', '2026-01-29'),
+  (2, 1, 'Diane Mukamana', 'Female', '+250788999111', 'A1', 'Paid', '2026-01-29'),
+  (2, 2, 'Patrick Mugisha', 'Male', '+250788444555', 'A2', 'Cancelled', '2026-01-30'),
+  (3, 1, 'Sandrine Uwase', 'Female', '+250789777888', 'C1', 'Paid', '2026-01-30'),
+  (3, 2, 'Eric Nshimiyimana', 'Male', '+250788333222', 'C2', 'Pending', '2026-01-31'),
+  (4, 1, 'Claudine Ingabire', 'Female', '+250789555666', 'A1', 'Paid', '2026-01-31');

package/backend-project/db.js

@@ -0,0 +1,13 @@
+const mysql = require('mysql2/promise');
+
+const pool = mysql.createPool({
+  host: process.env.DB_HOST || 'localhost',
+  user: process.env.DB_USER || 'root',
+  password: process.env.DB_PASS || '',
+  database: process.env.DB_NAME || 'y_bus_booking',
+  waitForConnections: true,
+  connectionLimit: 10,
+  queueLimit: 0,
+});
+
+module.exports = pool;

package/backend-project/middleware/auth.js

@@ -0,0 +1,24 @@
+/**
+ * Middleware: Require authenticated session
+ */
+const requireAuth = (req, res, next) => {
+  if (!req.session || !req.session.user) {
+    return res.status(401).json({ message: 'Unauthorized. Please log in.' });
+  }
+  next();
+};
+
+/**
+ * Middleware: Require admin role
+ */
+const requireAdmin = (req, res, next) => {
+  if (!req.session || !req.session.user) {
+    return res.status(401).json({ message: 'Unauthorized. Please log in.' });
+  }
+  if (req.session.user.UserRole !== 'admin') {
+    return res.status(403).json({ message: 'Forbidden. Admin access required.' });
+  }
+  next();
+};
+
+module.exports = { requireAuth, requireAdmin };

package/backend-project/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "backend-project",
+  "version": "1.0.0",
+  "description": "Y Bus Reservation System - Backend API",
+  "main": "server.js",
+  "type": "commonjs",
+  "scripts": {
+    "start": "node server.js",
+    "dev": "nodemon server.js"
+  },
+  "dependencies": {
+    "bcryptjs": "^2.4.3",
+    "cors": "^2.8.5",
+    "express": "^4.18.2",
+    "express-session": "^1.17.3",
+    "mysql2": "^3.6.5"
+  },
+  "devDependencies": {
+    "nodemon": "^3.0.2"
+  }
+}

package/backend-project/routes/auth.js

@@ -0,0 +1,55 @@
+const express = require('express');
+const router = express.Router();
+const bcrypt = require('bcryptjs');
+const pool = require('../db');
+
+// POST /api/auth/login
+router.post('/login', async (req, res) => {
+  const { UserName, Password } = req.body;
+  if (!UserName || !Password) {
+    return res.status(400).json({ message: 'Username and password are required.' });
+  }
+  try {
+    const [rows] = await pool.execute(
+      'SELECT * FROM yk_users WHERE UserName = ?',
+      [UserName]
+    );
+    if (rows.length === 0) {
+      return res.status(401).json({ message: 'Invalid username or password.' });
+    }
+    const user = rows[0];
+    const isMatch = await bcrypt.compare(Password, user.Password);
+    if (!isMatch) {
+      return res.status(401).json({ message: 'Invalid username or password.' });
+    }
+    // Create session
+    req.session.user = {
+      UserID: user.UserID,
+      UserName: user.UserName,
+      UserRole: user.UserRole,
+    };
+    res.json({ message: 'Login successful', user: req.session.user });
+  } catch (err) {
+    console.error(err);
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// POST /api/auth/logout
+router.post('/logout', (req, res) => {
+  req.session.destroy((err) => {
+    if (err) return res.status(500).json({ message: 'Logout failed' });
+    res.clearCookie('connect.sid');
+    res.json({ message: 'Logged out successfully' });
+  });
+});
+
+// GET /api/auth/session
+router.get('/session', (req, res) => {
+  if (req.session && req.session.user) {
+    return res.json({ user: req.session.user });
+  }
+  res.status(401).json({ message: 'No active session' });
+});
+
+module.exports = router;

package/backend-project/routes/bookings.js

@@ -0,0 +1,151 @@
+const express = require('express');
+const router = express.Router();
+const pool = require('../db');
+const { requireAuth } = require('../middleware/auth');
+
+// GET /api/bookings/report/passengers — Report grouped by schedule
+router.get('/report/passengers', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute(`
+      SELECT 
+        b.*,
+        s.RouteName, s.DeparturePoint, s.Destination, s.DepartureTime,
+        s.TicketPrice, s.ScheduleStatus,
+        bs.PlateNumber, bs.BusType,
+        u.UserName
+      FROM yk_bookings b
+      LEFT JOIN yk_schedules s ON b.ScheduleID = s.ScheduleID
+      LEFT JOIN yk_buses bs ON s.BusID = bs.BusID
+      LEFT JOIN yk_users u ON b.UserID = u.UserID
+      ORDER BY s.ScheduleID, b.BookingDate
+    `);
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// GET /api/bookings — Get all bookings
+router.get('/', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute(`
+      SELECT 
+        b.*,
+        s.RouteName, s.DeparturePoint, s.Destination, s.DepartureTime,
+        s.TicketPrice,
+        bs.PlateNumber,
+        u.UserName
+      FROM yk_bookings b
+      LEFT JOIN yk_schedules s ON b.ScheduleID = s.ScheduleID
+      LEFT JOIN yk_buses bs ON s.BusID = bs.BusID
+      LEFT JOIN yk_users u ON b.UserID = u.UserID
+      ORDER BY b.BookingID DESC
+    `);
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// GET /api/bookings/:id — Get single booking
+router.get('/:id', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute(`
+      SELECT 
+        b.*,
+        s.RouteName, s.DeparturePoint, s.Destination, s.DepartureTime,
+        s.TicketPrice,
+        bs.PlateNumber,
+        u.UserName
+      FROM yk_bookings b
+      LEFT JOIN yk_schedules s ON b.ScheduleID = s.ScheduleID
+      LEFT JOIN yk_buses bs ON s.BusID = bs.BusID
+      LEFT JOIN yk_users u ON b.UserID = u.UserID
+      WHERE b.BookingID = ?
+    `, [req.params.id]);
+    if (rows.length === 0) return res.status(404).json({ message: 'Booking not found' });
+    res.json(rows[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// POST /api/bookings — Create booking
+router.post('/', requireAuth, async (req, res) => {
+  const { ScheduleID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus, BookingDate } = req.body;
+  const UserID = req.session.user.UserID;
+
+  if (!ScheduleID || !PassengerName || !PassengerGender || !PassengerPhone || !SeatNumber) {
+    return res.status(400).json({ message: 'All required fields must be provided.' });
+  }
+
+  try {
+    // Check if seat is already taken for this schedule
+    const [existing] = await pool.execute(
+      'SELECT BookingID FROM yk_bookings WHERE ScheduleID = ? AND SeatNumber = ? AND PaymentStatus != ?',
+      [ScheduleID, SeatNumber, 'Cancelled']
+    );
+    if (existing.length > 0) {
+      return res.status(409).json({ message: `Seat ${SeatNumber} is already booked for this schedule.` });
+    }
+
+    const [result] = await pool.execute(
+      `INSERT INTO yk_bookings (ScheduleID, UserID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus, BookingDate)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      [ScheduleID, UserID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus || 'Pending', BookingDate || new Date()]
+    );
+
+    const [newBooking] = await pool.execute(`
+      SELECT b.*, s.RouteName, s.DeparturePoint, s.Destination, s.DepartureTime, s.TicketPrice,
+             bs.PlateNumber, u.UserName
+      FROM yk_bookings b
+      LEFT JOIN yk_schedules s ON b.ScheduleID = s.ScheduleID
+      LEFT JOIN yk_buses bs ON s.BusID = bs.BusID
+      LEFT JOIN yk_users u ON b.UserID = u.UserID
+      WHERE b.BookingID = ?
+    `, [result.insertId]);
+
+    res.status(201).json(newBooking[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// PUT /api/bookings/:id — Update booking
+router.put('/:id', requireAuth, async (req, res) => {
+  const { ScheduleID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus, BookingDate } = req.body;
+  try {
+    const [result] = await pool.execute(
+      `UPDATE yk_bookings SET ScheduleID=?, PassengerName=?, PassengerGender=?, PassengerPhone=?,
+       SeatNumber=?, PaymentStatus=?, BookingDate=? WHERE BookingID=?`,
+      [ScheduleID, PassengerName, PassengerGender, PassengerPhone, SeatNumber, PaymentStatus, BookingDate, req.params.id]
+    );
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Booking not found' });
+
+    const [updated] = await pool.execute(`
+      SELECT b.*, s.RouteName, s.DeparturePoint, s.Destination, s.DepartureTime, s.TicketPrice,
+             bs.PlateNumber, u.UserName
+      FROM yk_bookings b
+      LEFT JOIN yk_schedules s ON b.ScheduleID = s.ScheduleID
+      LEFT JOIN yk_buses bs ON s.BusID = bs.BusID
+      LEFT JOIN yk_users u ON b.UserID = u.UserID
+      WHERE b.BookingID = ?
+    `, [req.params.id]);
+    res.json(updated[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// DELETE /api/bookings/:id — Delete booking
+router.delete('/:id', requireAuth, async (req, res) => {
+  try {
+    const [result] = await pool.execute('DELETE FROM yk_bookings WHERE BookingID = ?', [req.params.id]);
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Booking not found' });
+    res.json({ message: 'Booking deleted successfully' });
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+module.exports = router;

package/backend-project/routes/buses.js

@@ -0,0 +1,81 @@
+const express = require('express');
+const router = express.Router();
+const pool = require('../db');
+const { requireAuth } = require('../middleware/auth');
+
+// GET /api/buses — Get all buses
+router.get('/', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute('SELECT * FROM yk_buses ORDER BY BusID DESC');
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// GET /api/buses/:id — Get single bus
+router.get('/:id', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute('SELECT * FROM yk_buses WHERE BusID = ?', [req.params.id]);
+    if (rows.length === 0) return res.status(404).json({ message: 'Bus not found' });
+    res.json(rows[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// POST /api/buses — Create bus
+router.post('/', requireAuth, async (req, res) => {
+  const { PlateNumber, TotalSeats, BusType } = req.body;
+  if (!PlateNumber || !TotalSeats || !BusType) {
+    return res.status(400).json({ message: 'PlateNumber, TotalSeats, and BusType are required.' });
+  }
+  try {
+    const [result] = await pool.execute(
+      'INSERT INTO yk_buses (PlateNumber, TotalSeats, BusType) VALUES (?, ?, ?)',
+      [PlateNumber, TotalSeats, BusType]
+    );
+    const [newBus] = await pool.execute('SELECT * FROM yk_buses WHERE BusID = ?', [result.insertId]);
+    res.status(201).json(newBus[0]);
+  } catch (err) {
+    if (err.code === 'ER_DUP_ENTRY') {
+      return res.status(409).json({ message: 'A bus with this plate number already exists.' });
+    }
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// PUT /api/buses/:id — Update bus
+router.put('/:id', requireAuth, async (req, res) => {
+  const { PlateNumber, TotalSeats, BusType } = req.body;
+  try {
+    const [result] = await pool.execute(
+      'UPDATE yk_buses SET PlateNumber = ?, TotalSeats = ?, BusType = ? WHERE BusID = ?',
+      [PlateNumber, TotalSeats, BusType, req.params.id]
+    );
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Bus not found' });
+    const [updated] = await pool.execute('SELECT * FROM yk_buses WHERE BusID = ?', [req.params.id]);
+    res.json(updated[0]);
+  } catch (err) {
+    if (err.code === 'ER_DUP_ENTRY') {
+      return res.status(409).json({ message: 'A bus with this plate number already exists.' });
+    }
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// DELETE /api/buses/:id — Delete bus
+router.delete('/:id', requireAuth, async (req, res) => {
+  try {
+    const [result] = await pool.execute('DELETE FROM yk_buses WHERE BusID = ?', [req.params.id]);
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Bus not found' });
+    res.json({ message: 'Bus deleted successfully' });
+  } catch (err) {
+    if (err.code === 'ER_ROW_IS_REFERENCED_2') {
+      return res.status(409).json({ message: 'Cannot delete bus. It is used in one or more schedules.' });
+    }
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+module.exports = router;

package/backend-project/routes/schedules.js

@@ -0,0 +1,95 @@
+const express = require('express');
+const router = express.Router();
+const pool = require('../db');
+const { requireAuth } = require('../middleware/auth');
+
+// GET /api/schedules — Get all schedules with bus info
+router.get('/', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute(`
+      SELECT s.*, b.PlateNumber, b.BusType, b.TotalSeats
+      FROM yk_schedules s
+      LEFT JOIN yk_buses b ON s.BusID = b.BusID
+      ORDER BY s.ScheduleID DESC
+    `);
+    res.json(rows);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// GET /api/schedules/:id — Get single schedule
+router.get('/:id', requireAuth, async (req, res) => {
+  try {
+    const [rows] = await pool.execute(`
+      SELECT s.*, b.PlateNumber, b.BusType, b.TotalSeats
+      FROM yk_schedules s
+      LEFT JOIN yk_buses b ON s.BusID = b.BusID
+      WHERE s.ScheduleID = ?
+    `, [req.params.id]);
+    if (rows.length === 0) return res.status(404).json({ message: 'Schedule not found' });
+    res.json(rows[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// POST /api/schedules — Create schedule
+router.post('/', requireAuth, async (req, res) => {
+  const { BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus } = req.body;
+  if (!BusID || !RouteName || !DeparturePoint || !Destination || !DepartureTime || !EstimatedArrivalTime || TicketPrice == null) {
+    return res.status(400).json({ message: 'All fields are required.' });
+  }
+  try {
+    const [result] = await pool.execute(
+      `INSERT INTO yk_schedules (BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+      [BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus || 'Active']
+    );
+    const [newRow] = await pool.execute(`
+      SELECT s.*, b.PlateNumber, b.BusType, b.TotalSeats
+      FROM yk_schedules s LEFT JOIN yk_buses b ON s.BusID = b.BusID
+      WHERE s.ScheduleID = ?
+    `, [result.insertId]);
+    res.status(201).json(newRow[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// PUT /api/schedules/:id — Update schedule
+router.put('/:id', requireAuth, async (req, res) => {
+  const { BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus } = req.body;
+  try {
+    const [result] = await pool.execute(
+      `UPDATE yk_schedules SET BusID=?, RouteName=?, DeparturePoint=?, Destination=?,
+       DepartureTime=?, EstimatedArrivalTime=?, TicketPrice=?, ScheduleStatus=? WHERE ScheduleID=?`,
+      [BusID, RouteName, DeparturePoint, Destination, DepartureTime, EstimatedArrivalTime, TicketPrice, ScheduleStatus, req.params.id]
+    );
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Schedule not found' });
+    const [updated] = await pool.execute(`
+      SELECT s.*, b.PlateNumber, b.BusType, b.TotalSeats
+      FROM yk_schedules s LEFT JOIN yk_buses b ON s.BusID = b.BusID
+      WHERE s.ScheduleID = ?
+    `, [req.params.id]);
+    res.json(updated[0]);
+  } catch (err) {
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+// DELETE /api/schedules/:id — Delete schedule
+router.delete('/:id', requireAuth, async (req, res) => {
+  try {
+    const [result] = await pool.execute('DELETE FROM yk_schedules WHERE ScheduleID = ?', [req.params.id]);
+    if (result.affectedRows === 0) return res.status(404).json({ message: 'Schedule not found' });
+    res.json({ message: 'Schedule deleted successfully' });
+  } catch (err) {
+    if (err.code === 'ER_ROW_IS_REFERENCED_2') {
+      return res.status(409).json({ message: 'Cannot delete schedule. It has existing bookings.' });
+    }
+    res.status(500).json({ message: 'Server error', error: err.message });
+  }
+});
+
+module.exports = router;