start-vibing-stacks 2.8.0 → 2.9.0

package/stacks/php/skills/api-design/SKILL.md

@@ -1,70 +1,279 @@
 ---
 name: api-design
-version: 1.0.0
+version: 2.0.0
+description: PHP/Laravel REST API design contract — endpoint shape, pagination,
+  filtering, sorting, dates, idempotency, error response envelope. The contract
+  the React+Axios SPA expects on the wire. Use when designing any new API
+  surface. Pairs with `laravel-api-architecture` (the implementation pipeline)
+  and `axios-laravel-api` (the consumer).
 ---
 
-# PHP API Design Standards
+# Laravel REST API Design Contract
+
+**ALWAYS invoke when designing or naming endpoints, response shapes, pagination,
+or filters. This is the contract — the implementation pipeline is in
+`laravel-api-architecture`.**
 
 ## RESTful Principles
 
-### Endpoint Design
+### Endpoint Naming
 
 ```
-GET    /api/users              # List (paginated)
-GET    /api/users/{id}         # Show
-POST   /api/users              # Create
-PUT    /api/users/{id}         # Full update
-PATCH  /api/users/{id}         # Partial update
-DELETE /api/users/{id}         # Delete
+GET    /api/users                # List (paginated)
+GET    /api/users/{id}           # Show
+POST   /api/users                # Create
+PUT    /api/users/{id}           # Replace (full update)
+PATCH  /api/users/{id}           # Partial update
+DELETE /api/users/{id}           # Delete
+```
+
+### Action Endpoints (NOT generic PATCH)
 
-# Business action endpoints (NOT generic PATCH)
+```
 POST   /api/leads/{id}/reset-attempts
 POST   /api/domains/{id}/refresh-list
+POST   /api/orders/{id}/cancel
 POST   /api/reports/{id}/regenerate
 ```
 
-**Rule:** Specific business actions get dedicated `POST` endpoints, not generic `PUT/PATCH`.
+**Rule:** Specific business actions get dedicated `POST` endpoints. Don't
+overload `PATCH` with side-effects.
+
+## Response Envelope
+
+### Success (single resource)
+
+Use Laravel's `JsonResource` directly — Laravel wraps it automatically:
+
+```json
+{
+    "data": {
+        "id": "9b8c...",
+        "name": "Order #1234",
+        "status": "paid",
+        "created_at": "2026-05-13T12:34:56-03:00"
+    }
+}
+```
+
+### Success (collection / paginated)
+
+```json
+{
+    "data": [ { "id": "..." }, { "id": "..." } ],
+    "links": {
+        "first": "https://api.example.com/api/orders?page=1",
+        "last":  "https://api.example.com/api/orders?page=4",
+        "prev":  null,
+        "next":  "https://api.example.com/api/orders?page=2"
+    },
+    "meta": {
+        "current_page": 1,
+        "from": 1,
+        "to": 25,
+        "last_page": 4,
+        "per_page": 25,
+        "total": 92,
+        "path": "https://api.example.com/api/orders"
+    }
+}
+```
+
+**Rule:** Get this for free with Laravel's `->paginate($perPage)`. Don't
+hand-roll pagination.
+
+### Error envelope
+
+Laravel returns these natively — match them:
+
+```json
+// 401 Unauthenticated
+{ "message": "Unauthenticated." }
+
+// 403 Forbidden (Policy denied)
+{ "message": "This action is unauthorized." }
+
+// 404 Not Found
+{ "message": "No query results for model [App\\Models\\Order] 123." }
+
+// 419 CSRF Token Mismatch
+{ "message": "CSRF token mismatch." }
+
+// 422 Validation
+{
+    "message": "The given data was invalid.",
+    "errors": {
+        "email":   ["The email field is required."],
+        "password":["The password must be at least 8 characters."]
+    }
+}
+
+// 429 Too Many Requests (also returns header Retry-After)
+{ "message": "Too Many Requests" }
+
+// 500
+{ "message": "Server Error" }
+```
+
+**Rule:** Don't reinvent. The frontend's Axios interceptor (see
+`axios-laravel-api`) is built around exactly these shapes. Adding a custom
+envelope (`{success, data, errors}`) requires updating BOTH layers — keep
+Laravel defaults unless you have a hard reason not to.
+
+## Pagination Contract
+
+```php
+// Controller
+public function index(IndexOrderRequest $request): AnonymousResourceCollection
+{
+    $perPage = (int) ($request->validated('per_page') ?? 25);
+    $perPage = min($perPage, 100);              // hard cap
+    return OrderResource::collection(
+        $this->orders->listFor($request->user(), $request->validated())->paginate($perPage)
+    );
+}
+```
+
+```php
+// FormRequest
+'page'     => ['nullable', 'integer', 'min:1'],
+'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
+```
+
+**Rules:**
+- Default `per_page = 25`. Hard cap = 100.
+- Always validate `page` and `per_page` to prevent abuse.
+- Use `->paginate()` for offset pagination (default), `->cursorPaginate()`
+  for high-volume cursors (>100k rows, infinite scroll).
+
+## Filter & Sort Contract
+
+```
+GET /api/orders?status=paid&q=acme&sort=-created_at&page=2&per_page=25
+```
+
+```php
+// FormRequest
+'status'   => ['nullable', 'string', 'in:pending,paid,shipped,cancelled'],
+'q'        => ['nullable', 'string', 'max:255'],
+'sort'     => ['nullable', 'string', 'in:created_at,-created_at,total,-total'],
+'page'     => ['nullable', 'integer', 'min:1'],
+'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
+```
+
+```php
+// Service
+if ($status = $filters['status'] ?? null) $query->where('status', $status);
+if ($q      = $filters['q']      ?? null) $query->where('reference', 'like', "%{$q}%");
+
+if ($sort = $filters['sort'] ?? null) {
+    $direction = str_starts_with($sort, '-') ? 'desc' : 'asc';
+    $column    = ltrim($sort, '-');
+    $query->orderBy($column, $direction);
+}
+```
+
+**Rules:**
+- Sort syntax: `sort=field` (asc), `sort=-field` (desc). Allowed columns
+  whitelisted in FormRequest.
+- Filter values whitelisted via `in:...` in FormRequest — never trust
+  enum-like params.
+- `q` (free-text search) is `LIKE`/`ILIKE`. For real search, use scout +
+  Meilisearch / Typesense.
 
 ## Date Handling
 
 ```
-Client → API: ISO 8601 (UTC or with timezone offset)
-Database: UTC always
-API → Client: UTC, converted to user timezone in Resource/Response only
+Client → API:   ISO 8601 (UTC or with timezone offset)
+Database:        UTC always
+API → Client:    ISO 8601, converted to caller's timezone in Resource only
+```
+
+```php
+// app/Traits/FormatsDatesForApi.php
+trait FormatsDatesForApi
+{
+    protected function formatDateTime(?Carbon $date, Request $request): ?string
+    {
+        if (! $date) return null;
+        $tz = $request->header('X-Timezone', $request->user()?->timezone ?? 'UTC');
+        return $date->copy()->setTimezone($tz)->toISOString();
+    }
+}
 ```
 
 **Rules:**
-- Backend/DB stores **UTC always**
-- Timezone conversion **only** in API response layer
-- Use trait/helper for consistent formatting
-- Accept timezone via header (`X-Timezone`) or user profile
+- Backend / DB stores **UTC always**.
+- Timezone conversion **only** in API Resource layer.
+- Accept timezone via `X-Timezone` header or fall back to user profile.
+
+## Idempotency for Unsafe Methods
+
+For external integrations (webhooks, payment endpoints), accept an
+`Idempotency-Key` header and de-dupe:
+
+```php
+public function store(StoreLeadRequest $request): JsonResource
+{
+    $key = $request->header('Idempotency-Key');
+    if ($key && $existing = Lead::where('idempotency_key', $key)->first()) {
+        return LeadResource::make($existing);
+    }
+    $lead = $this->leads->create([...$request->validated(), 'idempotency_key' => $key]);
+    return LeadResource::make($lead);
+}
+```
+
+**Rule:** All public webhook receivers MUST be idempotent (assume retries).
+
+## Authentication Contract (Sanctum SPA + Optional Token)
+
+| Caller | Auth | Header / Cookie |
+|--------|------|------------------|
+| Same-origin React SPA | Session cookie + CSRF | `XSRF-TOKEN` cookie → `X-XSRF-TOKEN` header |
+| Cross-origin React SPA | Session cookie + CSRF (CORS w/ credentials) | Same |
+| Mobile / 3rd-party | Personal access token | `Authorization: Bearer <token>` |
+
+`auth:sanctum` accepts BOTH transparently. See `axios-laravel-api` for the
+Axios setup and `api-security` for token issuing/scopes.
 
-## Authorization Patterns
+## Authorization Pattern
 
-### User-Scoped Resources
+### User-Scoped Resources (default)
+
+Every collection endpoint MUST scope by user (admins may see everything):
 
 ```php
-// Every list endpoint must scope by user (unless admin)
-public function index(): JsonResponse
+// In the Service (NOT controller, NOT resource)
+public function listFor(User $user, array $filters): Builder
 {
-    $query = Resource::query();
-    
-    if (!auth()->user()->isAdmin()) {
-        $query->where('user_id', auth()->id());
+    $query = Order::query();
+    if (! $user->isAdmin()) {
+        $query->where('user_id', $user->id);
     }
-    
-    return ResourceCollection::make($query->paginate());
+    // ...
+    return $query;
 }
 ```
 
-**Rule:** Never return unscoped queries. Always filter by authenticated user.
+### Per-Resource via Policy
+
+```php
+public function show(Order $order): OrderResource
+{
+    $this->authorize('view', $order);
+    return OrderResource::make($order);
+}
+```
+
+**Rule:** Never return unscoped queries from a Service. Scoping = security.
 
 ## Caching Strategy
 
 ```php
 // User-specific cache keys
 $key = "domains:user:{$userId}";
-$ttl = 900; // 15 minutes default
+$ttl = now()->addMinutes(15);
 
 $data = Cache::remember($key, $ttl, fn () => $query->get());
 
@@ -73,25 +282,21 @@ Cache::forget("domains:user:{$userId}");
 ```
 
 **Rules:**
-- Cache keys MUST include user ID for isolation
-- Default TTL: 15 minutes
-- Invalidate cache on any write operation
-- Use Redis for user-specific, frequently accessed data
+- Cache keys MUST include user ID for isolation (avoid one user seeing another's data).
+- Default TTL: 15 minutes.
+- Invalidate on any write operation (in the Service that performed the write).
+- Use Redis for user-specific, frequently accessed data.
+- For collections that mutate constantly, prefer ETag/conditional GET over cache.
 
 ## Job & Queue Patterns
 
 ### Idempotency
 
 ```php
-// Check state BEFORE processing
 public function handle(): void
 {
-    if ($this->record->already_processed) {
-        return; // Skip — idempotent
-    }
-    
-    // Process...
-    
+    if ($this->record->already_processed) return;        // skip — idempotent
+    $this->process();
     $this->record->update(['already_processed' => true]);
 }
 ```
@@ -99,7 +304,6 @@ public function handle(): void
 ### Batch Processing
 
 ```php
-// Process in chunks for memory control
 Lead::query()
     ->where('status', 'pending')
     ->chunkById(100, function ($leads) {
@@ -110,10 +314,9 @@ Lead::query()
 ```
 
 **Rules:**
-- Jobs MUST be idempotent (safe to retry)
-- Use unique keys for external API calls
-- Reset jobs: set status to `pending` + reset counters
-- Batch/chunk for high-volume data
+- Jobs MUST be idempotent (safe to retry).
+- Use unique keys for external API calls.
+- Batch / chunk for high-volume data.
 
 ## Data Integrity
 
@@ -136,6 +339,37 @@ protected $casts = [
 
 Before sending data to external partners (Google, Meta, etc.):
 1. Validate data status
-2. Filter bots/invalid entries
+2. Filter bots / invalid entries
 3. Apply quality thresholds
 4. Use unique keys to prevent duplicates
+
+## Versioning (when you outgrow `/api`)
+
+```
+/api/v1/orders     # current
+/api/v2/orders     # breaking changes
+```
+
+**Rule:** Add a version prefix only when breaking changes are imminent. Don't
+preemptively version every endpoint.
+
+## Checklist — Designing Any New Endpoint
+
+- [ ] Verb + URL match REST conventions (or it's an explicit action endpoint)
+- [ ] Behind `auth:sanctum` (and `throttle:api`) by default
+- [ ] FormRequest with `rules()` + `authorize()` (Policy)
+- [ ] Service does the work; Controller just orchestrates
+- [ ] Returns `JsonResource` / `JsonResource::collection`
+- [ ] Pagination uses `->paginate()` returning `data + meta + links`
+- [ ] Dates formatted via `FormatsDatesForApi`
+- [ ] Sensitive fields hidden (`$hidden` on model + whitelist in Resource)
+- [ ] PHPUnit feature test for happy + 422 + 403 + 401 cases
+
+## See Also
+
+- `laravel-api-architecture` — the full Controller→Service→Resource pipeline
+- `axios-laravel-api` — frontend client + CSRF/cookie + interceptors
+- `react-api-standards` — page contract that consumes these endpoints
+- `api-security` — Sanctum config, CORS, rate limiting, token abilities
+- `external-api-patterns` — consuming OTHER APIs from your Laravel app
+- `openapi-design` — describing the contract in OpenAPI 3.1

package/stacks/php/skills/api-security/SKILL.md

@@ -1,58 +1,124 @@
 ---
 name: api-security
-version: 1.0.0
+version: 2.0.0
+description: Laravel 12 + Sanctum + Octane API hardening — cookie-based SPA auth
+  by default, token auth for mobile/3rd-party, CORS/CSRF/HSTS/CSP, rate limiting,
+  brute-force protection, audit logging, encryption at rest. Use when building
+  any auth endpoint, public API, or handling user input. Pairs with
+  `laravel-api-architecture` and `axios-laravel-api`.
 ---
 
-# API Security — NSA-Level Hardening for Laravel + Octane
+# API Security — NSA-Level Hardening for Laravel 12 + Octane
 
 **ALWAYS invoke when building APIs, auth endpoints, or handling user input.**
 
 ## Security Layers
 
 ```
-Internet → Cloudflare WAF → Rate Limiting → CORS → Auth Middleware
-  → Input Validation → Business Logic → Output Sanitization → Response
+Internet → CDN/WAF → Rate Limiter → CORS → Auth Middleware
+  → CSRF (cookie clients) → FormRequest validation → Policy
+  → Service business logic → Resource output sanitization → JSON
 
 Every layer is a wall. Assume the previous one failed.
 ```
 
-## 1. Authentication (Sanctum + Octane)
+## 1. Authentication
 
-### Token-Based (API)
+### Choose ONE per client type
+
+| Client | Mode | Why |
+|--------|------|-----|
+| **Same / cross-origin React SPA** | **Sanctum SPA (cookie)** | XSS-safe HttpOnly cookie; no token storage in JS |
+| Mobile app | Sanctum personal access token | No browser cookie context |
+| 3rd-party server-to-server | Sanctum token (scoped abilities) | Long-lived; per-key access |
+
+### A. Sanctum SPA (Cookie) — DEFAULT for React
 
 ```php
+// bootstrap/app.php
+->withMiddleware(function (Middleware $middleware) {
+    $middleware->statefulApi();      // accepts session cookie on /api/*
+})
+
 // config/sanctum.php
-'expiration' => 60 * 24,     // 24h token expiry (MANDATORY)
-'token_prefix' => 'flk_',    // Prefix for easy log scanning
+'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS',
+    'localhost,localhost:5173,127.0.0.1,127.0.0.1:8000'
+)),
+'guard' => ['web'],
+
+// config/session.php — production
+'driver'    => 'cookie',
+'http_only' => true,                  // MANDATORY: blocks JS access
+'secure'    => true,                  // MANDATORY in HTTPS prod
+'same_site' => 'lax',                 // 'none' only if cross-origin AND HTTPS
+'domain'    => '.example.com',        // shared across subdomains
+
+// config/cors.php
+'paths' => ['api/*', 'sanctum/csrf-cookie', 'login', 'logout'],
+'allowed_origins' => [env('FRONTEND_URL')],
+'supports_credentials' => true,       // MANDATORY for cookie auth
+```
+
+```php
+// routes/web.php — login on web so session middleware runs
+Route::post('/login',  [AuthController::class, 'login'])->middleware('throttle:auth');
+Route::post('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');
+
+// routes/api.php — protected JSON endpoints
+Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
+    Route::apiResource('orders', OrderController::class);
+});
+```
+
+```php
+// AuthController::login (regenerate session = anti-fixation)
+if (! Auth::attempt($request->validated(), remember: true)) {
+    return response()->json(['message' => 'Invalid credentials'], 422);
+}
+$request->session()->regenerate();
+return response()->json(['data' => UserResource::make($request->user())]);
+```
+
+**Rules:**
+- `http_only: true` is non-negotiable — XSS cannot read the session cookie.
+- `secure: true` in any HTTPS environment (so dev = false, prod = true).
+- `SameSite=Lax` for same-origin SPAs. `SameSite=None; Secure` for cross-origin.
+- Always `regenerate()` after login.
+- Frontend must set `withCredentials: true` and `withXSRFToken: true` (Axios).
+  See `axios-laravel-api`.
+
+### B. Sanctum Token (Mobile / 3rd-Party)
+
+```php
+// config/sanctum.php
+'expiration'   => 60 * 24,    // 24h token expiry (MANDATORY for tokens)
+'token_prefix' => 'app_',     // prefix for log scanning + secret-scanner tools
 
 // Issue token with abilities (least privilege)
 $token = $user->createToken('api-client', [
     'read:leads',
     'write:leads',
-    // NOT '*' — never wildcard abilities
+    // NEVER '*' — no wildcard abilities
 ])->plainTextToken;
 
-// Middleware: check specific ability
+// Per-route ability check
 Route::middleware(['auth:sanctum', 'ability:read:leads'])->group(function () {
     Route::get('/api/v1/leads', [LeadController::class, 'index']);
 });
 ```
 
-### Token Rotation
+### Token Rotation (sensitive actions)
 
 ```php
-// Rotate on every sensitive action
-public function changePassword(Request $request): JsonResponse
+public function changePassword(ChangePasswordRequest $request): JsonResponse
 {
     // ... change password logic
 
-    // Revoke ALL tokens (force re-login everywhere)
-    $request->user()->tokens()->delete();
-
-    // Issue fresh token
+    $request->user()->tokens()->delete();                            // revoke all
     $newToken = $request->user()->createToken('session', ['*'])->plainTextToken;
 
-    return $this->success(['token' => $newToken]);
+    return response()->json(['token' => $newToken]);                 // token clients
+    // Cookie clients: also call $request->session()->regenerate()
 }
 ```
 
@@ -64,7 +130,6 @@ use Laravel\Octane\Facades\Octane;
 
 public function boot(): void
 {
-    // MANDATORY: flush auth state between requests
     Octane::prepare(function ($sandbox) {
         $sandbox->forgetScopedInstances();
         $sandbox->flushDatabaseConnections();
@@ -184,27 +249,33 @@ Route::middleware('throttle:sensitive')->group(function () {
 });
 ```
 
-## 4. CORS (Restrictive)
+## 4. CORS (Restrictive — credentials-aware)
 
 ```php
 // config/cors.php
 return [
-    'paths' => ['api/*'],
-    'allowed_methods' => ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
+    'paths' => ['api/*', 'sanctum/csrf-cookie', 'login', 'logout'],
+    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
     'allowed_origins' => [
-        env('APP_URL'),                           // Only your domain
-        // NOT '*' — NEVER wildcard in production
+        env('FRONTEND_URL', env('APP_URL')),    // SPECIFIC origin, never '*'
+    ],
+    'allowed_origins_patterns' => [
+        // optional: '#^https://([a-z0-9-]+\.)?example\.com$#'
     ],
     'allowed_headers' => [
         'Content-Type', 'Authorization', 'X-Requested-With',
-        'X-Timezone', 'Accept', 'X-CSRF-TOKEN',
+        'X-Timezone', 'Accept', 'X-XSRF-TOKEN', 'X-CSRF-TOKEN',
     ],
     'exposed_headers' => ['X-Request-ID', 'Retry-After'],
-    'max_age' => 86400,                           // 24h preflight cache
-    'supports_credentials' => true,
+    'max_age' => 86400,                          // 24h preflight cache
+    'supports_credentials' => true,              // MANDATORY for cookie auth
 ];
 ```
 
+**Critical:** `supports_credentials: true` is INCOMPATIBLE with
+`allowed_origins: ['*']`. Browsers will reject the response. Always list
+specific origins. For multiple subdomains, use `allowed_origins_patterns`.
+
 ## 5. Security Headers Middleware
 
 ```php
@@ -402,35 +473,43 @@ class RequestId
 
 ## Security Checklist — Before Deploy
 
-- [ ] All endpoints have auth middleware
-- [ ] All input validated via FormRequest
-- [ ] Rate limiting on auth + sensitive endpoints
-- [ ] CORS restricted to your domain only
-- [ ] Security headers middleware active
+- [ ] `statefulApi()` middleware enabled in `bootstrap/app.php`
+- [ ] `SANCTUM_STATEFUL_DOMAINS` lists exact frontend hostnames
+- [ ] `config/session.php`: `http_only=true`, `secure=true` (prod), `same_site=lax`
+- [ ] `config/cors.php`: `supports_credentials=true`, specific `allowed_origins`
+- [ ] All endpoints have `auth:sanctum` middleware (or explicit public reasoning)
+- [ ] All input validated via FormRequest with Policy in `authorize()`
+- [ ] Rate limiting: `throttle:auth` on `/login`, `throttle:api` on protected
+- [ ] Brute force protection on login (progressive lockout)
 - [ ] Sensitive fields `$hidden` on models
-- [ ] API keys encrypted at rest
-- [ ] Audit logging on sensitive models
-- [ ] Brute force protection on login
-- [ ] Request ID tracking in all logs
-- [ ] No `env()` in code (only `config()`)
+- [ ] API tokens encrypted at rest (`'encrypted'` cast on `ApiCredential`)
+- [ ] Audit logging on sensitive models (Auditable trait)
+- [ ] Request ID tracking in all logs (X-Request-ID middleware)
+- [ ] Security headers middleware (CSP, HSTS, X-Frame-Options, X-Content-Type)
+- [ ] No `env()` outside `config/*.php`
 - [ ] No `*` in token abilities
 - [ ] No `$guarded = []` on models
-- [ ] CSP headers configured
-- [ ] HSTS enabled
-- [ ] Webhook signatures verified
-- [ ] Error responses don't expose internals
+- [ ] No `Inertia::render()` for new endpoints (use API + Resource)
+- [ ] No tokens in `localStorage` (cookie auth for SPAs)
+- [ ] Webhook signatures verified before processing
+- [ ] Error responses don't expose stack traces in production
 
 ## FORBIDDEN
 
 | ❌ Don't | ✅ Do |
 |---|---|
+| Store JWT/Sanctum token in `localStorage` | HttpOnly session cookie (Sanctum SPA) |
+| `'allowed_origins' => ['*']` with credentials | Specific origins or patterns |
+| `axios.defaults.withCredentials = false` | `true` is MANDATORY for cookie auth |
+| `same_site=none` over HTTP | `none` requires `secure=true` (HTTPS) |
 | `$guarded = []` | Explicit `$fillable` |
-| `'allowed_origins' => ['*']` | Your domain only |
-| `createToken('x', ['*'])` | Specific abilities |
-| `"WHERE email = '$email'"` | Parameterized queries |
-| `dd($user)` in production | `Log::info()` structured |
-| Generic error messages with stack traces | Clean error + request_id for debugging |
-| Store API keys in plaintext | `'encrypted'` cast |
+| `createToken('x', ['*'])` | Specific abilities (least privilege) |
+| `"WHERE email = '$email'"` | Parameterized queries / Eloquent |
+| `dd($user)` in production | Structured `Log::info()` |
+| Generic error responses leaking stack trace | Clean message + `request_id` for support |
+| Store API keys in plaintext | `'encrypted'` cast on the column |
 | Same rate limit for all endpoints | Progressive: auth(5/min) < api(60/min) |
-| Trust `X-Forwarded-For` directly | Use trusted proxies config |
-| No token expiry | 24h max, rotate on sensitive actions |
+| Trust `X-Forwarded-For` directly | Use Laravel's trusted proxies config |
+| No token expiry | 24h max + rotate on sensitive actions |
+| Login route on `/api/*` | Login goes on `routes/web.php` (session middleware) |
+| `Inertia::render()` for new endpoints | API + Resource consumed by Axios |