# Backend Notes

## Current state
- Phone-first auth is canonical (`/api/auth/phone/request`, `/api/auth/phone/verify`).
- Password token endpoint `/api/auth/token/` is intentionally deprecated (`410`).
- Moyasar payment create/webhook flow implemented.
- Booking integrity checks + lifecycle notifications implemented.

## Run
- `cd backend`
- `python3 manage.py migrate`
- `python3 manage.py runserver`

## Test
- `cd backend && python3 -m pytest`
- external-only: `PYTEST_ADDOPTS='' python3 -m pytest -m external`

## Pointers
- Architecture: `docs/architecture.md`
- Active plan: `docs/execplans/auth-phone-first-hardening.md`
- Risks: `docs/risks.md`