diff --git a/custom-rules/DB Protection Rules.md b/custom-rules/DB Protection Rules.md
new file mode 100644
index 0000000..fb3b1be
--- /dev/null
+++ b/custom-rules/DB Protection Rules.md	
@@ -0,0 +1,209 @@
+---
+alwaysApply: true
+---
+Don't use "npm run dev" or other command to run website, i don't need that, instead just run lint error check
+
+Don't ever do ```npx prisma db push``` command, YOU MUST NOT DO THAT or mess with database related migrations
+
+
+
+!!! YOU MUST KEEP DATABASE SAFE !!!
+
+LLM System Prompt: Command Execution Safety Protocol
+You are a highly capable AI assistant with access to a shell or command-line interface. Your primary directive is to assist the user while ensuring the absolute safety and integrity of their system, data, and code. You must operate under the following strict set of safety protocols and blacklisted command patterns. These rules are non-negotiable.
+
+<DatabaseOperations>
+This category prevents you from wiping, resetting, or destructively altering any database schema or data.
+
+Schema & Migration Commands:
+
+* db:push (e.g., npm run db:push, npx prisma db push)
+
+* db:reset
+
+* migrate:reset
+
+* migrate:rollback
+
+* schema:drop
+
+* db:drop
+
+Direct Database CLI Commands:
+
+mysql * --execute="DROP *"
+
+psql * --command="DROP *"
+
+psql * --command="TRUNCATE *"
+
+sqlite3 * "DROP *"
+
+mongo * --eval "db.dropDatabase()"
+
+redis-cli FLUSHALL
+
+redis-cli FLUSHDB
+</DatabaseOperations>
+
+<VersionControl>
+This category prevents you from losing commit history, force-pushing over team members' work, or deleting branches.
+
+History Alteration & Force Pushes:
+
+git push --force
+
+git push --force-with-lease
+
+git reset --hard *
+
+Data Deletion:
+
+git clean -fdx
+
+git clean -f
+
+Branch & Tag Deletion:
+
+git branch -D *
+
+git push * --delete *
+
+git tag -d *
+
+git push origin :<branch_name>
+
+History Rewriting:
+
+git rebase *
+
+git filter-branch *
+
+git commit --amend
+</VersionControl>
+
+<PackageManagement>
+This category prevents you from publishing packages, altering global configurations, or managing user authentication for package registries.
+
+npm publish
+
+yarn publish
+
+npm unpublish *
+
+npm owner add/rm *
+
+npm adduser / npm login
+
+npm logout
+
+npm config delete *
+</PackageManagement>
+
+<FilesystemOperations>
+This category prevents the deletion or destructive modification of source code, environment files, or other critical system files.
+
+Recursive & Wildcard Deletion:
+
+rm -rf *
+
+rm -r *
+
+find . -delete
+
+Overwriting Critical Files:
+
+> .env
+
+> *config.json
+
+mv * .env
+
+Moving Core Directories:
+
+mv node_modules/* *
+
+mv .git/* *
+</FilesystemOperations>
+
+<CloudInfrastructureDeployment>
+This category prevents you from destroying cloud resources, running up huge bills, or deploying untested code to production environments.
+
+Infrastructure as Code:
+
+terraform destroy
+
+pulumi destroy
+
+Cloud Provider CLIs:
+
+aws * terminate-*
+
+aws * delete-*
+
+aws * remove-*
+
+gcloud * delete
+
+gcloud * disable
+
+az * delete
+
+Deployment Scripts:
+
+sls remove / serverless remove
+
+Any script with :prod or :production suffix (e.g., npm run deploy:prod)
+</CloudInfrastructureDeployment>
+
+<SystemPermissionsSecrets>
+This category prevents you from escalating privileges, changing file permissions insecurely, or exposing sensitive secrets.
+
+Privilege Escalation:
+
+sudo *
+
+su
+
+Permissions & Ownership:
+
+chmod -R *
+
+chown -R *
+
+Exposing Secrets:
+
+cat .env
+
+printenv
+
+cat ~/.ssh/id_rsa
+
+cat ~/.aws/credentials
+
+history
+
+System Commands:
+
+shutdown
+
+reboot
+
+halt
+
+kill *
+
+pkill *
+</SystemPermissionsSecrets>
+
+<CoreSafetyPrinciples>
+Beyond specific commands, you must adhere to these guiding principles.
+
+Confirmation First: For any action that modifies the filesystem, network state, or system configuration (even if not explicitly blacklisted), you must first state the exact command you intend to run and ask the user for explicit confirmation (y/n) before proceeding.
+
+Assume Least Privilege: Operate as if you are in a sandboxed environment. Do not attempt actions that require elevated permissions.
+
+Prioritize Reversibility: When possible, prefer non-destructive commands over destructive ones. For example, favor renaming a file (mv old new) over deleting it (rm old).
+</CoreSafetyPrinciples>
+
+Final Instruction: If a user requests a command that matches or resembles any pattern on this blacklist, you must refuse and explain that the action is restricted for safety reasons. Prioritize data integrity and system stability above all else.
diff --git a/custom-rules/Error Handling Logging.md b/custom-rules/Error Handling Logging.md
new file mode 100644
index 0000000..f7af510
--- /dev/null
+++ b/custom-rules/Error Handling Logging.md	
@@ -0,0 +1,757 @@
+# Error Handling & Logging Rules
+
+## Overview
+
+This document establishes mandatory rules for error handling and logging in the MBG Apply application. Proper error handling and logging are critical for debugging, monitoring, and maintaining application health.
+
+## Error Handling Rules
+
+### 1. Error Handling Layers
+
+**MANDATORY**: Implement error handling at all layers:
+
+```typescript
+// API Route Layer
+export async function GET(request: NextRequest) {
+  try {
+    // Business logic
+  } catch (error) {
+    console.error('[API ERROR]', error)
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
+
+// Service Layer
+export async function getUserData(userId: string) {
+  try {
+    return await prisma.user.findUnique({ where: { id: userId } })
+  } catch (error) {
+    console.error('[SERVICE ERROR] getUserData:', error)
+    throw new Error('Failed to fetch user data')
+  }
+}
+
+// Database Layer
+// Prisma handles errors - catch at service layer
+```
+
+### 2. Error Response Format
+
+**MANDATORY** standard error response:
+
+```typescript
+interface ErrorResponse {
+  success: false
+  error: string           // User-friendly message
+  errorCode?: string      // Machine-readable code
+  details?: any           // Development only
+  timestamp?: string      // ISO timestamp
+}
+
+// Example
+return NextResponse.json({
+  success: false,
+  error: 'Application not found',
+  errorCode: 'NOT_FOUND',
+  timestamp: new Date().toISOString()
+}, { status: 404 })
+```
+
+### 3. Error Categories
+
+**MUST** categorize errors appropriately:
+
+#### Validation Errors (400)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Validation failed',
+  errorCode: 'VALIDATION_ERROR',
+  details: {
+    fields: {
+      email: 'Invalid email format',
+      phone: 'Phone number required'
+    }
+  }
+}, { status: 400 })
+```
+
+#### Authentication Errors (401)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Authentication required',
+  errorCode: 'UNAUTHORIZED'
+}, { status: 401 })
+```
+
+#### Authorization Errors (403)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Insufficient permissions',
+  errorCode: 'FORBIDDEN'
+}, { status: 403 })
+```
+
+#### Not Found Errors (404)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Resource not found',
+  errorCode: 'NOT_FOUND'
+}, { status: 404 })
+```
+
+#### Conflict Errors (409)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Resource already exists',
+  errorCode: 'CONFLICT'
+}, { status: 409 })
+```
+
+#### Server Errors (500)
+```typescript
+return NextResponse.json({
+  success: false,
+  error: 'Internal server error',
+  errorCode: 'INTERNAL_ERROR'
+}, { status: 500 })
+```
+
+### 4. Error Messages
+
+**MUST** follow these rules:
+
+✅ **DO**:
+- Use clear, user-friendly messages
+- Be specific about what went wrong
+- Suggest solutions when possible
+- Use consistent terminology
+
+❌ **DON'T**:
+- Expose internal implementation details
+- Include stack traces in production
+- Reveal database structure
+- Expose file paths
+
+```typescript
+// GOOD
+"Email address is already registered"
+"Password must be at least 8 characters"
+"Application not found"
+
+// BAD
+"Prisma error P2002: Unique constraint failed on users.email"
+"Error in /app/api/users/route.ts line 42"
+"SELECT * FROM users failed with code ECONNREFUSED"
+```
+
+### 5. Error Propagation
+
+**MUST** handle errors at appropriate level:
+
+```typescript
+// Service Layer - Transform and throw
+export async function createUser(data: UserData) {
+  try {
+    return await prisma.user.create({ data })
+  } catch (error) {
+    if (error.code === 'P2002') {
+      throw new ConflictError('Email already exists')
+    }
+    throw new DatabaseError('Failed to create user')
+  }
+}
+
+// API Layer - Catch and respond
+export async function POST(request: NextRequest) {
+  try {
+    const user = await createUser(data)
+    return NextResponse.json({ success: true, user })
+  } catch (error) {
+    if (error instanceof ConflictError) {
+      return NextResponse.json(
+        { success: false, error: error.message },
+        { status: 409 }
+      )
+    }
+    return NextResponse.json(
+      { success: false, error: 'Failed to create user' },
+      { status: 500 }
+    )
+  }
+}
+```
+
+### 6. Async Error Handling
+
+**MANDATORY** for promises:
+
+```typescript
+// GOOD - Proper async/await with try/catch
+async function fetchData() {
+  try {
+    const data = await someAsyncOperation()
+    return data
+  } catch (error) {
+    console.error('Fetch failed:', error)
+    throw error
+  }
+}
+
+// GOOD - Promise.all with error handling
+try {
+  const [users, apps] = await Promise.all([
+    fetchUsers(),
+    fetchApplications()
+  ])
+} catch (error) {
+  console.error('Parallel fetch failed:', error)
+}
+
+// BAD - Unhandled promise rejection
+someAsyncOperation() // No await, no catch
+```
+
+### 7. Database Error Handling
+
+**MUST** handle Prisma errors:
+
+```typescript
+try {
+  await prisma.user.create({ data })
+} catch (error) {
+  // Prisma error codes
+  if (error.code === 'P2002') {
+    // Unique constraint violation
+    return { error: 'Email already exists' }
+  }
+  if (error.code === 'P2025') {
+    // Record not found
+    return { error: 'User not found' }
+  }
+  if (error.code === 'P2003') {
+    // Foreign key constraint failed
+    return { error: 'Invalid reference' }
+  }
+  
+  // Unknown error
+  console.error('Database error:', error)
+  return { error: 'Database operation failed' }
+}
+```
+
+### 8. Validation Error Handling
+
+**MUST** validate inputs and return detailed errors:
+
+```typescript
+import { z } from 'zod'
+
+const userSchema = z.object({
+  email: z.string().email('Invalid email format'),
+  firstName: z.string().min(1, 'First name required'),
+  age: z.number().min(18, 'Must be at least 18 years old')
+})
+
+try {
+  const validated = userSchema.parse(data)
+} catch (error) {
+  if (error instanceof z.ZodError) {
+    return NextResponse.json({
+      success: false,
+      error: 'Validation failed',
+      details: error.errors.map(e => ({
+        field: e.path.join('.'),
+        message: e.message
+      }))
+    }, { status: 400 })
+  }
+}
+```
+
+---
+
+## Logging Rules
+
+### 1. Log Levels
+
+**MUST** use appropriate log levels:
+
+```typescript
+// ERROR - Critical issues requiring immediate attention
+console.error('[ERROR]', 'Payment processing failed:', error)
+
+// WARN - Potential issues that should be monitored
+console.warn('[WARN]', 'API rate limit approaching threshold')
+
+// INFO - Important business events
+console.log('[INFO]', 'User registered:', userId)
+
+// DEBUG - Detailed debugging information (development only)
+if (process.env.NODE_ENV === 'development') {
+  console.log('[DEBUG]', 'Request payload:', body)
+}
+```
+
+### 2. Structured Logging
+
+**MUST** use structured log format:
+
+```typescript
+// GOOD - Structured logging
+console.log('[API]', {
+  event: 'user_login',
+  userId: 'user_123',
+  timestamp: new Date().toISOString(),
+  ipAddress: '192.168.1.1'
+})
+
+// BAD - Unstructured logging
+console.log('User user_123 logged in from 192.168.1.1')
+```
+
+### 3. Log Context
+
+**MUST** include context in logs:
+
+```typescript
+// Request context
+console.log('[API]', {
+  method: request.method,
+  path: request.url,
+  userId: session?.userId,
+  duration: Date.now() - startTime
+})
+
+// Error context
+console.error('[ERROR]', {
+  error: error.message,
+  stack: error.stack,
+  context: {
+    userId,
+    applicationId,
+    action: 'createApplication'
+  }
+})
+```
+
+### 4. Sensitive Data
+
+**NEVER** log sensitive information:
+
+❌ **DON'T LOG**:
+- Passwords (plain or hashed)
+- Session tokens
+- API keys
+- Credit card numbers
+- Full email addresses
+- Phone numbers
+- Personal identification numbers
+
+✅ **DO LOG** (masked):
+```typescript
+// GOOD - Masked sensitive data
+console.log('[AUTH]', {
+  email: email.replace(/(.{3}).*@/, '$1***@'),
+  phone: phone.replace(/\d(?=\d{4})/g, '*')
+})
+
+// BAD - Exposing sensitive data
+console.log('[AUTH]', {
+  email: 'user@example.com',
+  password: 'password123'
+})
+```
+
+### 5. Production vs Development
+
+**MUST** differentiate logging by environment:
+
+```typescript
+const isDevelopment = process.env.NODE_ENV === 'development'
+
+// Development - verbose logging
+if (isDevelopment) {
+  console.log('[DEBUG] Request:', request)
+  console.log('[DEBUG] Response:', response)
+  console.log('[DEBUG] Query:', query)
+}
+
+// Production - essential logging only
+console.log('[INFO] Request completed:', {
+  path: request.url,
+  duration: Date.now() - startTime,
+  status: response.status
+})
+```
+
+### 6. API Request Logging
+
+**MUST** log API requests consistently:
+
+```typescript
+export async function GET(request: NextRequest) {
+  const startTime = Date.now()
+  const requestId = generateRequestId()
+  
+  console.log('[API] Request started:', {
+    requestId,
+    method: 'GET',
+    path: request.url,
+    timestamp: new Date().toISOString()
+  })
+  
+  try {
+    const result = await handleRequest()
+    
+    console.log('[API] Request completed:', {
+      requestId,
+      duration: Date.now() - startTime,
+      status: 200
+    })
+    
+    return NextResponse.json(result)
+  } catch (error) {
+    console.error('[API] Request failed:', {
+      requestId,
+      duration: Date.now() - startTime,
+      error: error.message
+    })
+    
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
+```
+
+### 7. Database Query Logging
+
+**SHOULD** log slow queries:
+
+```typescript
+const startTime = Date.now()
+
+const users = await prisma.user.findMany()
+
+const duration = Date.now() - startTime
+
+if (duration > 1000) { // Slower than 1 second
+  console.warn('[DB] Slow query detected:', {
+    query: 'user.findMany',
+    duration,
+    threshold: 1000
+  })
+}
+```
+
+### 8. Business Event Logging
+
+**MUST** log important business events:
+
+```typescript
+// User registration
+console.log('[EVENT] User registered:', {
+  userId,
+  email: maskedEmail,
+  timestamp: new Date().toISOString()
+})
+
+// Application submission
+console.log('[EVENT] Application submitted:', {
+  applicationId,
+  userId,
+  major,
+  timestamp: new Date().toISOString()
+})
+
+// Status change
+console.log('[EVENT] Application status changed:', {
+  applicationId,
+  oldStatus: 'SUBMITTED',
+  newStatus: 'APPROVED',
+  changedBy: adminId
+})
+```
+
+### 9. Error Tracking
+
+**MUST** log errors with full context:
+
+```typescript
+try {
+  await criticalOperation()
+} catch (error) {
+  console.error('[ERROR] Critical operation failed:', {
+    error: error.message,
+    stack: error.stack,
+    context: {
+      userId,
+      operation: 'criticalOperation',
+      timestamp: new Date().toISOString(),
+      environment: process.env.NODE_ENV
+    }
+  })
+  
+  // Send to error tracking service (future)
+  // await reportError(error, context)
+}
+```
+
+### 10. Audit Logging
+
+**MUST** log admin actions for audit trail:
+
+```typescript
+import { createAuditLog } from '@/lib/audit'
+
+await createAuditLog(session, {
+  action: 'UPDATE',
+  entityType: 'Application',
+  entityId: applicationId,
+  entityTitle: `${user.firstName} ${user.lastName}`,
+  changes: {
+    status: { from: 'SUBMITTED', to: 'APPROVED' }
+  }
+})
+```
+
+---
+
+## Error Handling Patterns
+
+### 1. Try-Catch Wrapper
+
+```typescript
+async function withErrorHandling<T>(
+  operation: () => Promise<T>,
+  context: string
+): Promise<T> {
+  try {
+    return await operation()
+  } catch (error) {
+    console.error(`[ERROR] ${context}:`, error)
+    throw error
+  }
+}
+
+// Usage
+const user = await withErrorHandling(
+  () => prisma.user.create({ data }),
+  'Creating user'
+)
+```
+
+### 2. Error Boundary (Future)
+
+```typescript
+class ApiError extends Error {
+  constructor(
+    message: string,
+    public statusCode: number = 500,
+    public errorCode?: string
+  ) {
+    super(message)
+    this.name = 'ApiError'
+  }
+}
+
+export function handleApiError(error: unknown) {
+  if (error instanceof ApiError) {
+    return NextResponse.json({
+      success: false,
+      error: error.message,
+      errorCode: error.errorCode
+    }, { status: error.statusCode })
+  }
+  
+  console.error('[UNHANDLED ERROR]', error)
+  return NextResponse.json({
+    success: false,
+    error: 'Internal server error'
+  }, { status: 500 })
+}
+```
+
+### 3. Retry Logic
+
+```typescript
+async function withRetry<T>(
+  operation: () => Promise<T>,
+  maxRetries: number = 3,
+  delay: number = 1000
+): Promise<T> {
+  let lastError: Error
+  
+  for (let i = 0; i < maxRetries; i++) {
+    try {
+      return await operation()
+    } catch (error) {
+      lastError = error as Error
+      console.warn(`[RETRY] Attempt ${i + 1}/${maxRetries} failed:`, error)
+      
+      if (i < maxRetries - 1) {
+        await new Promise(resolve => setTimeout(resolve, delay))
+      }
+    }
+  }
+  
+  throw lastError!
+}
+```
+
+---
+
+## Monitoring & Alerting
+
+### 1. Error Rate Monitoring
+
+**SHOULD** track error rates:
+
+```typescript
+// Track errors per endpoint
+const errorCounts = new Map<string, number>()
+
+function trackError(endpoint: string) {
+  const current = errorCounts.get(endpoint) || 0
+  errorCounts.set(endpoint, current + 1)
+  
+  // Alert if error rate is high
+  if (current > 10) {
+    console.error('[ALERT] High error rate:', {
+      endpoint,
+      count: current
+    })
+  }
+}
+```
+
+### 2. Performance Monitoring
+
+**SHOULD** monitor response times:
+
+```typescript
+function trackPerformance(endpoint: string, duration: number) {
+  console.log('[PERF]', {
+    endpoint,
+    duration,
+    timestamp: new Date().toISOString()
+  })
+  
+  if (duration > 3000) { // Slower than 3 seconds
+    console.warn('[PERF] Slow response:', {
+      endpoint,
+      duration,
+      threshold: 3000
+    })
+  }
+}
+```
+
+---
+
+## Best Practices Checklist
+
+### Error Handling
+- [ ] All async operations wrapped in try-catch
+- [ ] Errors logged with context
+- [ ] User-friendly error messages
+- [ ] Appropriate HTTP status codes
+- [ ] No sensitive data in errors
+- [ ] Errors categorized correctly
+- [ ] Database errors handled
+- [ ] Validation errors detailed
+
+### Logging
+- [ ] Structured log format
+- [ ] Appropriate log levels
+- [ ] Sensitive data masked
+- [ ] Request/response logged
+- [ ] Errors logged with context
+- [ ] Business events logged
+- [ ] Slow queries logged
+- [ ] Production vs development logging
+
+### Monitoring
+- [ ] Error rates tracked
+- [ ] Performance monitored
+- [ ] Alerts configured
+- [ ] Audit logs created
+- [ ] Health checks implemented
+
+---
+
+## Anti-Patterns to Avoid
+
+### ❌ Silent Failures
+```typescript
+// BAD - Swallowing errors
+try {
+  await operation()
+} catch (error) {
+  // Nothing here!
+}
+```
+
+### ❌ Generic Error Messages
+```typescript
+// BAD - Not helpful
+return NextResponse.json({ error: 'Error occurred' })
+```
+
+### ❌ Logging Everything
+```typescript
+// BAD - Too verbose
+console.log('Step 1')
+console.log('Step 2')
+console.log('Step 3')
+```
+
+### ❌ Exposing Internal Errors
+```typescript
+// BAD - Security risk
+return NextResponse.json({
+  error: error.stack // Never expose stack traces
+})
+```
+
+---
+
+## Enforcement
+
+### Code Review Checklist
+- [ ] All errors handled appropriately
+- [ ] Logging follows standards
+- [ ] No sensitive data logged
+- [ ] Error messages user-friendly
+- [ ] Context included in logs
+- [ ] Appropriate log levels used
+
+### Automated Checks
+- [ ] Linter rules for error handling
+- [ ] Tests for error cases
+- [ ] Log format validation
+- [ ] Sensitive data detection
+
+---
+
+## Resources
+
+- [Error Handling Best Practices](https://www.joyent.com/node-js/production/design/errors)
+- [Logging Best Practices](https://docs.datadoghq.com/logs/guide/log-collection-best-practices/)
+- [Backend Development Rules](./BACKEND_DEVELOPMENT_RULES.md)
+- [Security Best Practices](./SECURITY_BEST_PRACTICES.md)
+
+---
+
+**Last Updated**: October 2025  
+**Version**: 1.0  
+**Status**: Mandatory for all backend development
diff --git a/custom-rules/Killer Cursor Rule MDC for Postgres.md b/custom-rules/Killer Cursor Rule MDC for Postgres.md
new file mode 100644
index 0000000..660d633
--- /dev/null
+++ b/custom-rules/Killer Cursor Rule MDC for Postgres.md	
@@ -0,0 +1,72 @@
+
+
+# SQLAlchemy Cursor Rules for PostgreSQL
+
+## Safe Migration Practices
+
+- Always use **Alembic** for schema migrations; never run raw database deletion scripts directly.[^1_1][^1_2]
+- Use the **expand -> migrate -> contract** migration pattern to ensure zero downtime and avoid breaking running code.[^1_2]
+- **Never use models inside migrations**—define all tables and columns in migration scripts to avoid dependency issues.[^1_1][^1_2]
+- For data manipulation, prefer raw SQL or manually defined tables in migrations—keep migrations atomic and idempotent.[^1_1]
+- Always test migrations locally using the **stairway test** (successive upgrade/downgrade) before deploying to production.[^1_1]
+
+
+## Naming and Organization
+
+```
+- Use **Unix timestamp** filename format for migrations: `%Y%m%d_%H%M%S_<rev>_<slug>.py`.[^1_1]
+```
+
+- Add clear comments to migrations with `-m 'add user table'` for traceability.[^1_1]
+- Use **naming conventions** in SQLAlchemy for predictable constraint names:
+
+```python
+convention = {
+    'ix': 'ix__%(table_name)s__%(all_column_names)s',
+    'uq': 'uq__%(table_name)s__%(all_column_names)s',
+    'fk': 'fk__%(table_name)s__%(all_column_names)s__%(referred_table_name)s',
+    'pk': 'pk__%(table_name)s',
+}
+```
+
+- Comment all tables and columns in SQLAlchemy for clarity.[^1_1]
+
+
+## Safety and Security
+
+- **Never add or remove columns indexed with `CONCURRENTLY`** in a single migration step; handle index creation separately and use `IF NOT EXISTS` for safety.[^1_2]
+- **Always set a lock timeout** (`lock_timeout=2000`) in Alembic to fail fast instead of hanging.[^1_2]
+- Use **linter tools** (like Squawk) to catch risky operations before merging migrations.[^1_2]
+- **Explicitly confirm** all migrations in PRs with a `db-migration-ok` label or manual checklist.[^1_2]
+- **Never run destructive scripts**—always use `DROP ... IF EXISTS` and double-check migrations.[^1_2]
+
+
+## ORM and Model Best Practices
+
+- Use **mixins** for common fields (e.g., timestamps, UUIDs) to avoid duplication.[^1_1]
+- For columns being dropped, mark them as `deferred` in the ORM model before removal.[^1_2]
+- **Never use string concatenation** in queries—always use parameterized queries for SQL injection safety.[^1_3]
+
+
+## Example Safe Migration
+
+```python
+from alembic import op
+from sqlalchemy import Column, Integer, String, Table
+
+def upgrade():
+    # Define table manually
+    users = Table(
+        'users',
+        op.get_bind().metadata,
+        Column('id', Integer, primary_key=True),
+        Column('name', String),
+    )
+    op.add_column('users', Column('email', String))
+
+def downgrade():
+    op.drop_column('users', 'email')
+```
+
+
+***
diff --git a/custom-rules/Performance Optimization.md b/custom-rules/Performance Optimization.md
new file mode 100644
index 0000000..8f047c8
--- /dev/null
+++ b/custom-rules/Performance Optimization.md	
@@ -0,0 +1,605 @@
+# Performance Optimization Rules
+
+## Overview
+
+This document establishes mandatory rules and best practices for performance optimization in the MBG Apply application. Performance directly impacts user experience and SEO.
+
+## Performance Budgets
+
+### 1. Page Load Metrics
+
+**Targets** (Mobile 4G):
+- **Time to First Byte (TTFB)**: < 600ms
+- **First Contentful Paint (FCP)**: < 1.8s
+- **Largest Contentful Paint (LCP)**: < 2.5s
+- **Time to Interactive (TTI)**: < 3.8s
+- **Cumulative Layout Shift (CLS)**: < 0.1
+- **First Input Delay (FID)**: < 100ms
+
+### 2. Resource Budgets
+
+**JavaScript**:
+- Initial bundle: < 200KB (gzipped)
+- Per route: < 100KB (gzipped)
+- Total: < 500KB (gzipped)
+
+**CSS**:
+- Critical CSS: < 50KB
+- Total CSS: < 100KB
+- Per component: < 10KB
+
+**Images**:
+- Hero image: < 200KB
+- Thumbnails: < 50KB
+- Icons: Use SVG or inline
+
+**Fonts**:
+- Total fonts: < 100KB
+- Subset fonts when possible
+- Use system fonts as fallback
+
+### 3. API Response Times
+
+**Targets**:
+- Simple queries: < 100ms
+- Complex queries: < 500ms
+- Database operations: < 300ms
+- External API calls: < 1000ms
+
+## Frontend Optimization
+
+### 1. Code Splitting
+
+**MUST** implement route-based code splitting:
+
+```typescript
+// Dynamic imports for large components
+const AdminPanel = dynamic(() => import('@/components/AdminPanel'), {
+  loading: () => <Skeleton />,
+  ssr: false
+})
+
+// Lazy load heavy libraries
+const Chart = dynamic(() => import('recharts'), {
+  ssr: false
+})
+```
+
+### 2. Image Optimization
+
+**MUST** use Next.js Image component:
+
+```typescript
+import Image from 'next/image'
+
+// ✅ GOOD - Optimized
+<Image
+  src="/hero.jpg"
+  alt="Description"
+  width={800}
+  height={600}
+  priority // For LCP image
+  placeholder="blur"
+/>
+
+// ❌ BAD - Unoptimized
+<img src="/hero.jpg" alt="Description" />
+```
+
+**Image Guidelines**:
+- Use WebP format
+- Provide width/height
+- Use `priority` for above-fold images
+- Use `loading="lazy"` for below-fold
+- Compress images before upload
+- Use CDN for image delivery
+
+### 3. Font Optimization
+
+**MUST** optimize web fonts:
+
+```typescript
+// next/font
+import { Inter } from 'next/font/google'
+
+const inter = Inter({
+  subsets: ['latin'],
+  display: 'swap', // Prevent invisible text
+  preload: true
+})
+
+// ✅ GOOD - Subset fonts
+font-family: Inter;
+unicode-range: U+0000-00FF; // Latin only
+
+// ❌ BAD - Load entire font
+font-family: 'Noto Sans'; // All languages
+```
+
+**Font Loading Strategy**:
+- Use `font-display: swap`
+- Preload critical fonts
+- Self-host fonts
+- Use variable fonts
+- Subset to required characters
+
+### 4. CSS Optimization
+
+**MUST** minimize CSS:
+
+```typescript
+// ✅ GOOD - Tailwind with purge
+module.exports = {
+  content: [
+    './app/**/*.{js,ts,jsx,tsx}',
+    './components/**/*.{js,ts,jsx,tsx}'
+  ],
+  // Removes unused CSS
+}
+
+// ✅ GOOD - Critical CSS inline
+<style dangerouslySetInnerHTML={{
+  __html: criticalCss
+}} />
+
+// ❌ BAD - Large CSS bundles
+import 'bootstrap/dist/css/bootstrap.min.css'
+```
+
+**CSS Guidelines**:
+- Use Tailwind CSS (utility-first)
+- Purge unused styles
+- Inline critical CSS
+- Avoid `@import` in CSS
+- Use CSS modules for components
+
+### 5. JavaScript Optimization
+
+**MUST** optimize JavaScript:
+
+```typescript
+// ✅ GOOD - Tree shaking
+import { useState } from 'react'
+import { format } from 'date-fns/format'
+
+// ❌ BAD - Entire library imported
+import * as React from 'react'
+import dateFns from 'date-fns'
+
+// ✅ GOOD - Lazy component
+const HeavyComponent = lazy(() => import('./HeavyComponent'))
+
+// ❌ BAD - Always loaded
+import HeavyComponent from './HeavyComponent'
+```
+
+**JavaScript Guidelines**:
+- Use tree shaking
+- Minimize third-party libraries
+- Remove console.log in production
+- Use Web Workers for heavy computation
+- Defer non-critical scripts
+
+### 6. React Optimization
+
+**MUST** optimize React components:
+
+```typescript
+// ✅ GOOD - Memoization
+const MemoizedComponent = memo(Component)
+
+const expensiveValue = useMemo(() => {
+  return computeExpensiveValue(a, b)
+}, [a, b])
+
+const handleClick = useCallback(() => {
+  doSomething(a, b)
+}, [a, b])
+
+// ❌ BAD - Unnecessary re-renders
+const value = computeExpensiveValue(a, b) // Every render
+const handleClick = () => doSomething() // New function every render
+```
+
+**React Guidelines**:
+- Use `memo()` for expensive components
+- Use `useMemo()` for expensive calculations
+- Use `useCallback()` for event handlers
+- Avoid inline functions in JSX
+- Use keys properly in lists
+
+## Backend Optimization
+
+### 1. Database Query Optimization
+
+**MUST** optimize database queries:
+
+```typescript
+// ✅ GOOD - Select only needed fields
+const users = await prisma.user.findMany({
+  select: {
+    id: true,
+    firstName: true,
+    lastName: true
+  }
+})
+
+// ❌ BAD - Select all fields
+const users = await prisma.user.findMany()
+
+// ✅ GOOD - Use indexes
+await prisma.application.findMany({
+  where: { status: 'SUBMITTED' } // Has index
+})
+
+// ❌ BAD - No index
+await prisma.application.findMany({
+  where: {
+    personalStatement: { contains: 'keyword' } // No index
+  }
+})
+
+// ✅ GOOD - Batch queries
+const [users, apps] = await Promise.all([
+  prisma.user.findMany(),
+  prisma.application.findMany()
+])
+
+// ❌ BAD - Sequential queries
+const users = await prisma.user.findMany()
+const apps = await prisma.application.findMany()
+```
+
+**Database Guidelines**:
+- Select only needed fields
+- Use appropriate indexes
+- Avoid N+1 queries
+- Use pagination
+- Batch database operations
+- Use transactions sparingly
+
+### 2. API Response Optimization
+
+**MUST** optimize API responses:
+
+```typescript
+// ✅ GOOD - Cached response
+return NextResponse.json(data, {
+  headers: {
+    'Cache-Control': 'private, max-age=60, stale-while-revalidate=300'
+  }
+})
+
+// ✅ GOOD - Compressed response
+import { gzip } from 'zlib'
+
+const compressed = gzip(JSON.stringify(data))
+
+// ✅ GOOD - Paginated response
+const page = parseInt(searchParams.get('page') || '1')
+const perPage = 50
+
+const data = await prisma.application.findMany({
+  take: perPage,
+  skip: (page - 1) * perPage
+})
+```
+
+**API Guidelines**:
+- Enable compression
+- Use caching headers
+- Implement pagination
+- Return only needed data
+- Use ETags for conditional requests
+
+### 3. Connection Pooling
+
+**MUST** use connection pooling:
+
+```typescript
+// ✅ GOOD - Prisma handles pooling
+const prisma = new PrismaClient()
+
+// Configuration in DATABASE_URL
+postgresql://user:pass@host:5432/db?connection_limit=10
+
+// ❌ BAD - New connection each time
+const prisma = new PrismaClient()
+// ... close connection
+await prisma.$disconnect()
+```
+
+### 4. Caching Strategy
+
+**MUST** implement caching:
+
+```typescript
+// ✅ GOOD - Response caching
+const cached = cache.get(key)
+if (cached) return cached
+
+const data = await fetchData()
+cache.set(key, data, 300) // 5 minutes
+
+// ✅ GOOD - Memoization
+const memoizedFn = memoize(expensiveFn)
+
+// Future: Redis caching
+import Redis from 'ioredis'
+const redis = new Redis(process.env.REDIS_URL)
+
+const cached = await redis.get(key)
+if (cached) return JSON.parse(cached)
+
+const data = await fetchData()
+await redis.setex(key, 300, JSON.stringify(data))
+```
+
+**Caching Guidelines**:
+- Cache frequently accessed data
+- Set appropriate TTL
+- Invalidate on updates
+- Use Redis for distributed caching
+- Cache at multiple levels
+
+## Network Optimization
+
+### 1. HTTP/2 & HTTP/3
+
+**MUST** leverage modern protocols:
+
+- Use HTTP/2 (automatic on Vercel)
+- Enable server push (cautiously)
+- Use multiplexing
+- Compress headers
+
+### 2. CDN Usage
+
+**MUST** use CDN for static assets:
+
+```typescript
+// Vercel CDN (automatic)
+// Static files in /public automatically served via CDN
+
+// External CDN for images
+<Image
+  src="https://cdn.example.com/image.jpg"
+  loader={customLoader}
+/>
+```
+
+### 3. Resource Hints
+
+**MUST** use resource hints:
+
+```typescript
+// Preload critical resources
+<link rel="preload" href="/critical.css" as="style" />
+<link rel="preload" href="/hero.jpg" as="image" />
+
+// Prefetch next page
+<link rel="prefetch" href="/next-page" />
+
+// DNS prefetch
+<link rel="dns-prefetch" href="https://api.example.com" />
+
+// Preconnect to origin
+<link rel="preconnect" href="https://fonts.googleapis.com" />
+```
+
+### 4. Compression
+
+**MUST** enable compression:
+
+```typescript
+// Vercel (automatic Brotli/Gzip)
+// Configured in vercel.json or next.config
+
+// API responses
+return NextResponse.json(data, {
+  headers: {
+    'Content-Encoding': 'gzip'
+  }
+})
+```
+
+## Monitoring & Measurement
+
+### 1. Performance Monitoring
+
+**MUST** track performance metrics:
+
+```typescript
+// Web Vitals
+import { getCLS, getFID, getLCP } from 'web-vitals'
+
+getCLS(console.log)
+getFID(console.log)
+getLCP(console.log)
+
+// Custom metrics
+const startTime = performance.now()
+await operation()
+const duration = performance.now() - startTime
+
+if (duration > 1000) {
+  console.warn('Slow operation:', duration)
+}
+```
+
+### 2. Lighthouse
+
+**MUST** achieve minimum scores:
+
+- **Performance**: > 90
+- **Accessibility**: > 95
+- **Best Practices**: > 95
+- **SEO**: > 95
+
+**Run regularly**:
+```bash
+# CLI
+npx lighthouse https://apply.mbg.mn --view
+
+# CI/CD
+npm run lighthouse
+```
+
+### 3. Core Web Vitals
+
+**MUST** pass Core Web Vitals:
+
+- **LCP**: < 2.5s (75th percentile)
+- **FID**: < 100ms (75th percentile)
+- **CLS**: < 0.1 (75th percentile)
+
+### 4. Real User Monitoring
+
+**SHOULD** implement RUM:
+
+```typescript
+// Vercel Analytics (built-in)
+import { Analytics } from '@vercel/analytics/react'
+
+<Analytics />
+
+// Custom events
+if (typeof window !== 'undefined' && window.va) {
+  window.va('track', 'slow_load', {
+    page: window.location.pathname,
+    duration
+  })
+}
+```
+
+## Common Performance Anti-Patterns
+
+### ❌ Don'ts
+
+```typescript
+// ❌ BAD - Large bundle
+import _ from 'lodash'
+
+// ❌ BAD - Blocking render
+const data = await fetch('/api/data')
+return <Component data={data} />
+
+// ❌ BAD - No memoization
+const filtered = items.filter(expensive) // Every render
+
+// ❌ BAD - Unnecessary re-renders
+<Component onClick={() => handler()} />
+
+// ❌ BAD - Large images
+<img src="/10mb-image.jpg" />
+
+// ❌ BAD - No lazy loading
+import HeavyComponent from './Heavy'
+
+// ❌ BAD - Inline styles
+<div style={{ color: 'red', fontSize: 16 }} />
+
+// ❌ BAD - N+1 queries
+for (const user of users) {
+  const apps = await prisma.application.findMany({
+    where: { userId: user.id }
+  })
+}
+```
+
+### ✅ Do's
+
+```typescript
+// ✅ GOOD - Tree shaking
+import { debounce } from 'lodash-es'
+
+// ✅ GOOD - Non-blocking
+const { data } = useSWR('/api/data')
+
+// ✅ GOOD - Memoized
+const filtered = useMemo(
+  () => items.filter(expensive),
+  [items]
+)
+
+// ✅ GOOD - Stable reference
+const handleClick = useCallback(() => handler(), [])
+
+// ✅ GOOD - Optimized image
+<Image src="/image.jpg" width={800} height={600} />
+
+// ✅ GOOD - Lazy loaded
+const Heavy = dynamic(() => import('./Heavy'))
+
+// ✅ GOOD - Tailwind classes
+<div className="text-red-500 text-base" />
+
+// ✅ GOOD - Single query
+const usersWithApps = await prisma.user.findMany({
+  include: { applications: true }
+})
+```
+
+## Performance Checklist
+
+### Before Deployment
+
+- [ ] Lighthouse score > 90
+- [ ] Core Web Vitals passing
+- [ ] Bundle size within budget
+- [ ] Images optimized
+- [ ] Fonts optimized
+- [ ] CSS purged
+- [ ] JavaScript minified
+- [ ] API responses cached
+- [ ] Database queries optimized
+- [ ] No console.log statements
+- [ ] Source maps disabled (production)
+- [ ] Compression enabled
+- [ ] CDN configured
+- [ ] Performance monitoring active
+
+### Continuous Monitoring
+
+- [ ] Track Web Vitals
+- [ ] Monitor API response times
+- [ ] Check database query performance
+- [ ] Review bundle size changes
+- [ ] Analyze user metrics
+- [ ] Set up performance alerts
+- [ ] Regular Lighthouse audits
+
+## Tools & Resources
+
+### Performance Testing
+
+- **Lighthouse**: Automated audits
+- **WebPageTest**: Detailed analysis
+- **Chrome DevTools**: Profiling
+- **Vercel Analytics**: Real user data
+
+### Bundle Analysis
+
+- **@next/bundle-analyzer**: Bundle visualization
+- **source-map-explorer**: Bundle exploration
+- **webpack-bundle-analyzer**: Webpack bundles
+
+### Monitoring
+
+- **Vercel Analytics**: Built-in monitoring
+- **Google Analytics**: User metrics
+- **Sentry**: Error tracking
+- **Datadog**: APM (future)
+
+## Resources
+
+- [Web.dev Performance](https://web.dev/performance/)
+- [Next.js Performance](https://nextjs.org/docs/advanced-features/measuring-performance)
+- [Core Web Vitals](https://web.dev/vitals/)
+- [Backend Development Rules](./BACKEND_DEVELOPMENT_RULES.md)
+
+---
+
+**Last Updated**: October 2025  
+**Version**: 1.0  
+**Status**: Mandatory for all performance-related work
diff --git a/custom-rules/Server Actions Documentation.md b/custom-rules/Server Actions Documentation.md
new file mode 100644
index 0000000..34fc9cc
--- /dev/null
+++ b/custom-rules/Server Actions Documentation.md	
@@ -0,0 +1,860 @@
+# Server Actions Guide
+
+## Overview
+
+Server Actions in Next.js 15 provide a powerful way to perform server-side mutations directly from client components without creating API routes. This guide covers the implementation and best practices for Server Actions in the MBG Apply application.
+
+## What are Server Actions?
+
+Server Actions are asynchronous functions that run on the server but can be called directly from client components. They provide:
+- **Type-safe** server mutations
+- **Simplified data flow** without manual API routes
+- **Progressive enhancement** for forms
+- **Automatic revalidation** of cached data
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────┐
+│              Client Component                        │
+│  ┌────────────────────────────────────────────┐    │
+│  │  const result = await serverAction(data)   │    │
+│  └────────────────┬───────────────────────────┘    │
+│                   │                                  │
+└───────────────────┼──────────────────────────────────┘
+                    │ RPC Call
+                    ▼
+┌─────────────────────────────────────────────────────┐
+│              Server Action (app/actions/*)           │
+│  ┌────────────────────────────────────────────┐    │
+│  │  'use server'                              │    │
+│  │  export async function serverAction() {    │    │
+│  │    // Server-side logic                    │    │
+│  │    // Database operations                  │    │
+│  │    // Validation                           │    │
+│  │    return result                           │    │
+│  │  }                                         │    │
+│  └────────────────┬───────────────────────────┘    │
+│                   │                                  │
+└───────────────────┼──────────────────────────────────┘
+                    │
+                    ▼
+              ┌─────────────┐
+              │   Database  │
+              │  (Prisma)   │
+              └─────────────┘
+```
+
+## File Structure
+
+```
+app/
+├── actions/
+│   ├── application-actions.ts  # Application-related actions
+│   ├── user-actions.ts         # User-related actions
+│   ├── config.ts               # Configuration actions
+│   └── [domain]-actions.ts     # Domain-specific actions
+```
+
+## Basic Server Action
+
+### 1. Creating a Server Action
+
+**File**: `app/actions/user-actions.ts`
+
+```typescript
+'use server'
+
+import { auth, currentUser } from '@clerk/nextjs/server'
+import { prisma } from '@/lib/prisma'
+
+export async function createOrUpdateUserAction() {
+  // 1. Authentication check
+  const clerkUser = await currentUser()
+  
+  if (!clerkUser) {
+    return { success: false, error: 'Not authenticated' }
+  }
+  
+  // 2. Data extraction
+  const email = clerkUser.emailAddresses[0]?.emailAddress
+  
+  if (!email) {
+    return { success: false, error: 'No email found' }
+  }
+  
+  // 3. Database operation
+  try {
+    const user = await prisma.user.upsert({
+      where: { id: clerkUser.id },
+      update: {
+        firstName: clerkUser.firstName || '',
+        lastName: clerkUser.lastName || '',
+        avatarUrl: clerkUser.imageUrl,
+        clerkEmail: email
+      },
+      create: {
+        id: clerkUser.id,
+        clerkEmail: email,
+        firstName: clerkUser.firstName || '',
+        lastName: clerkUser.lastName || '',
+        avatarUrl: clerkUser.imageUrl
+      }
+    })
+    
+    // 4. Return result
+    return { success: true, user }
+  } catch (error) {
+    console.error('User creation/update error:', error)
+    return { success: false, error: 'Database operation failed' }
+  }
+}
+```
+
+### 2. Using in Client Component
+
+```typescript
+'use client'
+
+import { createOrUpdateUserAction } from '@/app/actions/user-actions'
+import { useEffect, useState } from 'react'
+
+export function UserSync() {
+  const [status, setStatus] = useState<string>('idle')
+  
+  useEffect(() => {
+    async function syncUser() {
+      setStatus('syncing')
+      
+      const result = await createOrUpdateUserAction()
+      
+      if (result.success) {
+        setStatus('synced')
+      } else {
+        setStatus('error')
+        console.error(result.error)
+      }
+    }
+    
+    syncUser()
+  }, [])
+  
+  return <div>Status: {status}</div>
+}
+```
+
+## Application Actions
+
+### Create Application
+
+**File**: `app/actions/application-actions.ts`
+
+```typescript
+'use server'
+
+import { auth } from '@clerk/nextjs/server'
+import { prisma } from '@/lib/prisma'
+import { ApplicationStatus } from '@prisma/client'
+import { revalidatePath } from 'next/cache'
+
+interface ApplicationInput {
+  firstName: string
+  lastName: string
+  email: string
+  phone: string
+  dateOfBirth: string
+  studyPlan1: string
+  studyLevel: string
+  // ... other fields
+}
+
+export async function createApplicationAction(data: ApplicationInput) {
+  // 1. Authenticate
+  const { userId } = await auth()
+  
+  if (!userId) {
+    return {
+      success: false,
+      error: 'Authentication required',
+      status: 401
+    }
+  }
+  
+  // 2. Validate input
+  const requiredFields = ['firstName', 'lastName', 'email', 'phone']
+  for (const field of requiredFields) {
+    if (!data[field]) {
+      return {
+        success: false,
+        error: `Missing required field: ${field}`,
+        status: 400
+      }
+    }
+  }
+  
+  try {
+    // 3. Check for existing application
+    const existingApplication = await prisma.application.findFirst({
+      where: { userId }
+    })
+    
+    if (existingApplication) {
+      return {
+        success: false,
+        error: 'Application already exists',
+        errorCode: 'DUPLICATE_APPLICATION',
+        status: 409
+      }
+    }
+    
+    // 4. Create application in transaction
+    const application = await prisma.$transaction(async (tx) => {
+      // Update user info
+      await tx.user.update({
+        where: { id: userId },
+        data: {
+          firstName: data.firstName,
+          lastName: data.lastName,
+          inputEmail: data.email,
+          phone: data.phone,
+          dateOfBirth: new Date(data.dateOfBirth)
+        }
+      })
+      
+      // Create application
+      const app = await tx.application.create({
+        data: {
+          userId,
+          major: data.studyPlan1,
+          currentEducationLevel: data.studyLevel,
+          status: ApplicationStatus.SUBMITTED,
+          submittedAt: new Date(),
+          // ... map other fields
+        }
+      })
+      
+      // Create default timeline steps
+      const timelineSteps = [
+        { stepNumber: 1, title: 'Application Submitted', status: 'COMPLETED' },
+        { stepNumber: 2, title: 'Document Review', status: 'CURRENT' },
+        { stepNumber: 3, title: 'Interview', status: 'UPCOMING' },
+        { stepNumber: 4, title: 'Decision', status: 'UPCOMING' },
+      ]
+      
+      await Promise.all(
+        timelineSteps.map(step =>
+          tx.timelineStep.create({
+            data: {
+              applicationId: app.id,
+              ...step,
+              estimate: '1-2 weeks',
+              actionText: 'View'
+            }
+          })
+        )
+      )
+      
+      return app
+    })
+    
+    // 5. Revalidate cache
+    revalidatePath('/dashboard')
+    
+    // 6. Return success
+    return {
+      success: true,
+      applicationId: application.id
+    }
+    
+  } catch (error) {
+    console.error('Application creation error:', error)
+    return {
+      success: false,
+      error: 'Failed to create application',
+      status: 500
+    }
+  }
+}
+```
+
+### Update Application
+
+```typescript
+'use server'
+
+export async function updateApplicationAction(
+  applicationId: string,
+  updates: Partial<ApplicationInput>
+) {
+  const { userId } = await auth()
+  
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' }
+  }
+  
+  try {
+    // Verify ownership
+    const application = await prisma.application.findUnique({
+      where: { id: applicationId },
+      select: { userId: true, status: true }
+    })
+    
+    if (!application) {
+      return { success: false, error: 'Application not found' }
+    }
+    
+    if (application.userId !== userId) {
+      return { success: false, error: 'Forbidden' }
+    }
+    
+    // Don't allow editing submitted applications
+    if (application.status !== 'DRAFT') {
+      return { success: false, error: 'Cannot edit submitted application' }
+    }
+    
+    // Update
+    await prisma.application.update({
+      where: { id: applicationId },
+      data: updates
+    })
+    
+    revalidatePath(`/application/${applicationId}`)
+    
+    return { success: true }
+  } catch (error) {
+    console.error('Application update error:', error)
+    return { success: false, error: 'Update failed' }
+  }
+}
+```
+
+## Form Integration
+
+### Progressive Enhancement
+
+Server Actions work without JavaScript:
+
+```typescript
+export function ApplicationForm() {
+  return (
+    <form action={createApplicationAction}>
+      <input name="firstName" required />
+      <input name="lastName" required />
+      <input name="email" type="email" required />
+      <button type="submit">Submit</button>
+    </form>
+  )
+}
+```
+
+### With React Hook Form
+
+```typescript
+'use client'
+
+import { useForm } from 'react-hook-form'
+import { zodResolver } from '@hookform/resolvers/zod'
+import { z } from 'zod'
+import { createApplicationAction } from '@/app/actions/application-actions'
+
+const schema = z.object({
+  firstName: z.string().min(1),
+  lastName: z.string().min(1),
+  email: z.string().email(),
+  phone: z.string().min(8)
+})
+
+type FormData = z.infer<typeof schema>
+
+export function ApplicationForm() {
+  const { register, handleSubmit, formState: { errors, isSubmitting } } = useForm<FormData>({
+    resolver: zodResolver(schema)
+  })
+  
+  const onSubmit = async (data: FormData) => {
+    const result = await createApplicationAction(data)
+    
+    if (result.success) {
+      // Redirect or show success
+      window.location.href = `/application/${result.applicationId}`
+    } else {
+      // Show error
+      alert(result.error)
+    }
+  }
+  
+  return (
+    <form onSubmit={handleSubmit(onSubmit)}>
+      <input {...register('firstName')} />
+      {errors.firstName && <span>{errors.firstName.message}</span>}
+      
+      <input {...register('lastName')} />
+      {errors.lastName && <span>{errors.lastName.message}</span>}
+      
+      <input {...register('email')} type="email" />
+      {errors.email && <span>{errors.email.message}</span>}
+      
+      <button type="submit" disabled={isSubmitting}>
+        {isSubmitting ? 'Submitting...' : 'Submit'}
+      </button>
+    </form>
+  )
+}
+```
+
+## Error Handling
+
+### Consistent Error Format
+
+```typescript
+'use server'
+
+type ActionResult<T> = 
+  | { success: true; data: T }
+  | { success: false; error: string; errorCode?: string }
+
+export async function myAction(): Promise<ActionResult<User>> {
+  try {
+    const user = await performOperation()
+    return { success: true, data: user }
+  } catch (error) {
+    return {
+      success: false,
+      error: 'Operation failed',
+      errorCode: 'OPERATION_ERROR'
+    }
+  }
+}
+```
+
+### Client Error Handling
+
+```typescript
+const result = await myAction()
+
+if (!result.success) {
+  // Handle error
+  console.error(result.error)
+  
+  if (result.errorCode === 'DUPLICATE_APPLICATION') {
+    // Show specific message
+  }
+  
+  return
+}
+
+// Use data
+const user = result.data
+```
+
+## Validation
+
+### Server-Side Validation with Zod
+
+```typescript
+'use server'
+
+import { z } from 'zod'
+
+const applicationSchema = z.object({
+  firstName: z.string().min(1, 'First name required'),
+  lastName: z.string().min(1, 'Last name required'),
+  email: z.string().email('Invalid email'),
+  phone: z.string().regex(/^\+?[1-9]\d{7,14}$/, 'Invalid phone'),
+  dateOfBirth: z.string().refine(
+    (date) => {
+      const age = new Date().getFullYear() - new Date(date).getFullYear()
+      return age >= 16 && age <= 100
+    },
+    'Must be between 16 and 100 years old'
+  )
+})
+
+export async function createApplicationAction(data: unknown) {
+  // Validate
+  const validated = applicationSchema.safeParse(data)
+  
+  if (!validated.success) {
+    return {
+      success: false,
+      error: 'Validation failed',
+      errors: validated.error.flatten().fieldErrors
+    }
+  }
+  
+  // Use validated data
+  const { firstName, lastName, email } = validated.data
+  
+  // Continue with database operation
+}
+```
+
+## Revalidation & Caching
+
+### Revalidate Paths
+
+```typescript
+'use server'
+
+import { revalidatePath } from 'next/cache'
+
+export async function updateUserAction(userId: string, data: UserData) {
+  await prisma.user.update({
+    where: { id: userId },
+    data
+  })
+  
+  // Revalidate specific paths
+  revalidatePath('/dashboard')
+  revalidatePath(`/profile/${userId}`)
+}
+```
+
+### Revalidate Tags
+
+```typescript
+'use server'
+
+import { revalidateTag } from 'next/cache'
+
+export async function updateApplicationAction(applicationId: string) {
+  await prisma.application.update({ ... })
+  
+  // Revalidate by tag
+  revalidateTag('applications')
+  revalidateTag(`application-${applicationId}`)
+}
+```
+
+## Best Practices
+
+### 1. Always Use 'use server'
+
+```typescript
+// At the top of file for all functions
+'use server'
+
+export async function action1() { }
+export async function action2() { }
+
+// Or per function
+export async function action3() {
+  'use server'
+  // ...
+}
+```
+
+### 2. Return Consistent Results
+
+```typescript
+// GOOD - Consistent structure
+type Result<T> = { success: true; data: T } | { success: false; error: string }
+
+export async function myAction(): Promise<Result<User>> {
+  try {
+    const user = await operation()
+    return { success: true, data: user }
+  } catch (error) {
+    return { success: false, error: error.message }
+  }
+}
+
+// BAD - Inconsistent
+export async function badAction() {
+  try {
+    return await operation() // Sometimes returns data
+  } catch (error) {
+    throw error // Sometimes throws
+  }
+}
+```
+
+### 3. Validate Input
+
+```typescript
+// GOOD - Validate all inputs
+export async function createUser(data: unknown) {
+  const validated = userSchema.parse(data)
+  // Use validated.field
+}
+
+// BAD - Trust input
+export async function createUser(data: any) {
+  await prisma.user.create({ data }) // Dangerous
+}
+```
+
+### 4. Handle Authentication
+
+```typescript
+// GOOD - Check auth first
+export async function protectedAction() {
+  const { userId } = await auth()
+  if (!userId) {
+    return { success: false, error: 'Unauthorized' }
+  }
+  // Continue
+}
+
+// BAD - No auth check
+export async function unprotectedAction() {
+  // Anyone can call this
+}
+```
+
+### 5. Use Transactions
+
+```typescript
+// GOOD - Atomic operations
+export async function multiStepAction() {
+  await prisma.$transaction(async (tx) => {
+    await tx.user.create({ ... })
+    await tx.application.create({ ... })
+  })
+}
+
+// BAD - Not atomic
+export async function nonAtomicAction() {
+  await prisma.user.create({ ... })
+  await prisma.application.create({ ... }) // May fail, leaving inconsistent state
+}
+```
+
+### 6. Log Errors Appropriately
+
+```typescript
+// GOOD - Log with context
+export async function myAction() {
+  try {
+    await operation()
+  } catch (error) {
+    console.error('Operation failed:', {
+      action: 'myAction',
+      timestamp: new Date(),
+      error: error instanceof Error ? error.message : String(error)
+    })
+    return { success: false, error: 'Operation failed' }
+  }
+}
+```
+
+### 7. Revalidate After Mutations
+
+```typescript
+// GOOD - Revalidate affected paths
+export async function updateData() {
+  await prisma.data.update({ ... })
+  revalidatePath('/data')
+}
+
+// BAD - No revalidation, stale cache
+export async function updateDataNoRevalidate() {
+  await prisma.data.update({ ... })
+  // Cache still shows old data
+}
+```
+
+## Testing Server Actions
+
+### Unit Testing
+
+```typescript
+import { createApplicationAction } from '@/app/actions/application-actions'
+import { auth } from '@clerk/nextjs/server'
+
+jest.mock('@clerk/nextjs/server')
+jest.mock('@/lib/prisma', () => ({
+  prisma: {
+    application: {
+      create: jest.fn(),
+      findFirst: jest.fn()
+    }
+  }
+}))
+
+describe('createApplicationAction', () => {
+  it('creates application successfully', async () => {
+    // Mock auth
+    (auth as jest.Mock).mockResolvedValue({ userId: 'user_123' })
+    
+    // Mock no existing application
+    (prisma.application.findFirst as jest.Mock).mockResolvedValue(null)
+    
+    // Mock create
+    (prisma.application.create as jest.Mock).mockResolvedValue({
+      id: 'app_123',
+      userId: 'user_123'
+    })
+    
+    // Test
+    const result = await createApplicationAction(mockData)
+    
+    expect(result.success).toBe(true)
+    expect(result.applicationId).toBe('app_123')
+  })
+  
+  it('rejects unauthenticated request', async () => {
+    (auth as jest.Mock).mockResolvedValue({ userId: null })
+    
+    const result = await createApplicationAction(mockData)
+    
+    expect(result.success).toBe(false)
+    expect(result.error).toContain('Authentication')
+  })
+})
+```
+
+## Performance Considerations
+
+### 1. Avoid Over-fetching
+
+```typescript
+// GOOD - Select only needed fields
+export async function getUserName(userId: string) {
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { firstName: true, lastName: true }
+  })
+  return user
+}
+
+// BAD - Fetch everything
+export async function getUserNameBad(userId: string) {
+  const user = await prisma.user.findUnique({
+    where: { id: userId }
+  })
+  return user // Returns all fields
+}
+```
+
+### 2. Parallel Operations
+
+```typescript
+// GOOD - Parallel execution
+export async function getDashboardData(userId: string) {
+  const [user, applications, documents] = await Promise.all([
+    prisma.user.findUnique({ where: { id: userId } }),
+    prisma.application.findMany({ where: { userId } }),
+    prisma.document.findMany({ where: { userId } })
+  ])
+  return { user, applications, documents }
+}
+
+// BAD - Sequential
+export async function getDashboardDataSlow(userId: string) {
+  const user = await prisma.user.findUnique({ where: { id: userId } })
+  const applications = await prisma.application.findMany({ where: { userId } })
+  const documents = await prisma.document.findMany({ where: { userId } })
+  return { user, applications, documents }
+}
+```
+
+## Security Checklist
+
+- [ ] Validate all inputs
+- [ ] Check authentication
+- [ ] Verify authorization
+- [ ] Use transactions for multi-step operations
+- [ ] Never expose sensitive data in errors
+- [ ] Log security events
+- [ ] Sanitize user input
+- [ ] Rate limit expensive operations
+- [ ] Implement proper error handling
+
+## Common Pitfalls
+
+### 1. Forgetting 'use server'
+```typescript
+// Will cause errors
+export async function myAction() {
+  // This runs on client!
+}
+
+// Correct
+'use server'
+export async function myAction() {
+  // Runs on server
+}
+```
+
+### 2. Not Handling Errors
+```typescript
+// BAD - Unhandled errors
+export async function action() {
+  await riskyOperation() // May throw
+}
+
+// GOOD - Handled errors
+export async function action() {
+  try {
+    await riskyOperation()
+    return { success: true }
+  } catch (error) {
+    return { success: false, error: 'Failed' }
+  }
+}
+```
+
+### 3. Returning Non-Serializable Data
+```typescript
+// BAD - Returns Date object
+export async function getUser() {
+  return await prisma.user.findUnique({ ... })
+  // Date fields not serializable
+}
+
+// GOOD - Convert dates to strings
+export async function getUser() {
+  const user = await prisma.user.findUnique({ ... })
+  return {
+    ...user,
+    createdAt: user.createdAt.toISOString()
+  }
+}
+```
+
+## Migration from API Routes
+
+### Before (API Route)
+```typescript
+// app/api/create-app/route.ts
+export async function POST(request: Request) {
+  const body = await request.json()
+  const result = await createApplication(body)
+  return NextResponse.json(result)
+}
+
+// Client
+const response = await fetch('/api/create-app', {
+  method: 'POST',
+  body: JSON.stringify(data)
+})
+const result = await response.json()
+```
+
+### After (Server Action)
+```typescript
+// app/actions/application-actions.ts
+'use server'
+export async function createApplicationAction(data) {
+  const result = await createApplication(data)
+  return result
+}
+
+// Client
+const result = await createApplicationAction(data)
+```
+
+## Conclusion
+
+Server Actions provide a powerful, type-safe way to handle server-side mutations in Next.js. They simplify the development process by:
+- Eliminating boilerplate API routes
+- Providing automatic type safety
+- Enabling progressive enhancement
+- Simplifying error handling
+- Improving developer experience
+
+For more information:
+- [Next.js Server Actions Docs](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)
+- [Backend Development Rules](../rules/BACKEND_DEVELOPMENT_RULES.md)
+- [API Routes Documentation](./API_ROUTES.md)
diff --git a/custom-rules/Tailwind Style Guide.md b/custom-rules/Tailwind Style Guide.md
new file mode 100644
index 0000000..b4411a9
--- /dev/null
+++ b/custom-rules/Tailwind Style Guide.md	
@@ -0,0 +1,42 @@
+# Tailwind Styling Playbook
+
+## Design Foundations
+- **Color Tokens**: Use the CSS variables defined in `tailwind.config.ts` (`primary`, `secondary`, `muted`, etc.) instead of hard-coded hex values. Pair them with opacity utilities (`/10`, `/20`) to create layered surfaces as seen in `components/user-document-requirements.tsx`.
+- **Radii & Shadows**: Respect the design system radii (`--radius`) by reusing components like `Card` and `Button`. For custom blocks, stick with `rounded-lg` for primary surfaces and only step down (`rounded-md`) for nested elements.
+- **Type Stack**: `app/layout.tsx` loads Roboto weights 400/500/700. Default to `font-medium` for actionable text, reserve `font-semibold`+ for section headings.
+
+## Layout & Spacing System
+- **Containers**: Anchor pages with `container` and `px-6 md:px-8` on wrappers. Admin dashboards rely on `flex` layouts with `gap-6`; reuse that rhythm for new sections.
+- **Stacking**: Prefer `space-y-*` for vertical spacing so additions inherit consistent gaps. Example: `components/pending-documents.tsx` uses `space-y-4` to align cards.
+- **Elevation Bands**: Background scaffolding follows `bg-background` for base, `bg-secondary/60 backdrop-blur-sm` for translucent panels, and `bg-card` (`Card` component) for primary content blocks.
+- **Grid Rules**: When presenting metrics (`app/admin/page.tsx`), start with `grid grid-cols-1 gap-6 md:grid-cols-2 xl:grid-cols-4`. Expand incrementally rather than redefining breakpoints per card.
+
+## Surface Patterns
+- **Cards**: Reach for `Card`, `CardHeader`, and `CardContent` wrappers. Augment via `className` while keeping the base tokens (`border`, `shadow-sm`).
+- **Callouts**: Alerts mix `bg-primary/10` + `border-primary/20` + `rounded-lg`. Mirror this trio for other semantic notice blocks (swap to `success`, `warning`, etc.).
+- **Data Rows**: Use `border` + `rounded-lg` + `transition-colors` for list items to match `UserDocumentRequirements`. State severity adjusts both border and background opacity.
+
+## Typography & Content Formatting
+- **Section Titling**: Combine `text-foreground text-lg font-semibold` with iconography sized `h-5 w-5` for dashboard and settings headers.
+- **Body Copy**: Use `text-sm text-muted-foreground` for supportive text. Only promote to `text-base` when legibility demands (forms, descriptions over 2 lines).
+- **Mono Highlights**: Inline tokens (`applicationId`, IDs) use `font-mono bg-primary/20 px-2 py-1 rounded`. Adopt this capsule pattern for user-facing identifiers.
+
+## Interactive Components
+- **Buttons**: Always route through `Button` or `buttonVariants`. If you need a custom affordance, compose `cn(buttonVariants({ variant: 'ghost', size: 'sm' }), 'gap-1')` instead of rewriting Tailwind strings.
+- **Badges & Status Pills**: Base on `<Badge>` with semantic overrides (`bg-destructive/10 text-destructive`) so hover/focus states stay consistent.
+- **Links**: Pair `underline` with `underline-offset-4` and `hover:text-primary` for external anchors (`components/footer.tsx`).
+- **Loading States**: Follow the circular spinner pattern (`animate-spin` + `border-b-2 border-primary`) while centering with `flex items-center justify-center`.
+
+## Responsive & Dark Mode
+- **Breakpoint Strategy**: Mobile-first, escalate at `md` for layout shifts and `lg` for admin chrome (e.g., sidebar toggles in `admin-layout-client`). Guard interactive reveals with `lg:hidden` / `lg:flex` pairs.
+- **Dark Theme**: Because colors derive from CSS variables, use `dark:` modifiers sparingly (only when explicit contrast tweaks are needed, as in status badges). Validate both themes before merging.
+- **Height Utilities**: Use `min-h-screen` for full views and `h-[calc(100vh-4rem)]` for shell layouts so sticky headers and sidebars stay aligned.
+
+## Implementation Checklist
+1. Compose new surfaces from existing primitives (`Card`, `Badge`, `Button`) before introducing raw `<div>` wrappers.
+2. Group classes logically: layout (`flex`, `grid`), spacing (`gap-*`, `p-*`), then visuals (`bg-*`, `border-*`, `text-*`), and finish with state/helpers (`transition`, `hover:*`).
+3. Extract repeated patterns into helper components or `cva` variants when you copy a Tailwind block more than twice.
+4. Run `pnpm lint` and ensure `cn()` merges custom classNames with defaults to avoid duplicate utilities.
+5. Screenshot responsive breakpoints (mobile, md, lg) for PRs that touch layout or color tokens.
+
+Adhering to these rules keeps every screen aligned with the existing Admin dashboard, document requirements UI, and onboarding flows while leaving room for future theming changes driven by CSS variables.