Cachet runs as a Laravel 11 app. Application services live in app/ (HTTP controllers, jobs, notifications), while settings reside in config/. API and web entry points are defined in routes/ (web.php, console.php, middleware.php). Blade templates ship in resources/views/. Database migrations and seeders sit in database/migrations/ and database/seeders/. Automated checks live in tests/ with Feature/ for HTTP flows and Unit/ for isolated logic.
Run composer install to pull PHP dependencies and the cachethq/core package. Copy .env.example to .env, set credentials, then execute php artisan key:generate and php artisan migrate --seed. Start a local stack with composer run dev, which spins up the HTTP server, queue listener, log tailer, and Vite watcher; ensure Node deps are installed via npm install --prefix vendor/cachethq/core. Use php artisan test (or ./vendor/bin/pest) for a full suite run.
Follow PSR-12/Laravel conventions: four-space indentation, UTF-8, LF endings, and descriptive class names in StudlyCase. Controllers, jobs, and listeners mirror their target domains (e.g., app/Http/Controllers/IncidentController.php). Keep Blade components snake-cased under resources/views/components. Run ./vendor/bin/pint before submitting to enforce formatting across PHP and Blade assets; front-end JS uses Prettier via npm run fix:prettier --prefix vendor/cachethq/core.
Write new tests in Pest, preferring the it() style for readability. Group API and UI scenarios under tests/Feature, and keep pure business rules in tests/Unit. Use database factories and seeders to produce fixtures; the test harness defaults to an evolving SQLite database (phpunit.xml). Aim to cover both success and failure paths, and document any long-running suites in the PR notes.
Use short, imperative commit subjects (e.g., “Add maintenance incident model”), matching the existing log. Each PR should describe the change, note migrations or breaking config, and link relevant issues. Include test evidence (php artisan test) and screenshots or curl transcripts when behaviour changes. Reference SECURITY.md for reporting vulnerabilities rather than opening issues.