Decouple Web from DB, migrate to Blazor Web App (.NET 10), add 2FA + passkeys, realistic seed data, full README

[Copilot]

The Web app was talking directly to the database, there was no 2FA or passkey support, seed data was minimal, and the README was essentially empty. The Web project has now been fully converted from ASP.NET Core MVC to a Blazor Web App targeting .NET 10 with Interactive Server rendering.

Blazor Web App (.NET 10)

PatientCrm.Web is now a Blazor Web App with Interactive Server rendering — no Blazor WebAssembly client project, no separate Blazor Server project.

• App.razor root component with <Routes @rendermode="InteractiveServer" />
• Routes.razor uses AuthorizeRouteView with RedirectToLogin fallback
• MainLayout.razor — full sidebar/header layout with NavLink and AuthorizeView
• _Imports.razor with global usings including @using static RenderMode
• Program.cs calls AddRazorComponents().AddInteractiveServerComponents() and AddCascadingAuthenticationState()
• TokenProvider scoped service captures JWT from the cookie claim during SSR for use in PatientApiClient
• NotificationService scoped service replaces TempData
• All MVC controllers (Home, Patients, Appointments, Admin) replaced by Blazor pages; AccountController (MVC) retained solely for Login/Logout/2FA/Passkey endpoints which require the HTTP cookie pipeline

Blazor pages created:

Page	Route
Dashboard.razor	/
PatientList.razor	/patients
PatientDetails.razor	/patients/{id}
PatientCreate.razor	/patients/new
AppointmentList.razor	/appointments
AdminDashboard.razor	/admin
ClientList.razor	/admin/clients
ClientCreate.razor	/admin/clients/new
ClientEdit.razor	/admin/clients/{id}/edit
UserList.razor	/admin/users
AccessDenied.razor	/access-denied

Web → API only

Removed all EF Core / Infrastructure references from PatientCrm.Web. All data access routes through a typed PatientApiClient (HttpClient). Web uses cookie auth; JWT stays in the API.

PatientCrm.Web (Blazor)  →  (HTTPS/JWT)  →  PatientCrm.Api  →  (EF Core)  →  SQL Server

• PatientApiClient wraps every API surface (patients, appointments, admin, auth)
• Program.cs registers cookie auth + HttpClient only — no DbContext, no Infrastructure

Authentication & Security

2FA (TOTP)

• New endpoints: 2fa/setup, 2fa/enable, 2fa/disable, 2fa/verify, 2fa/recovery-codes
• Login returns requiresTwoFactor: true + short-lived partial JWT → redirects to TwoFactor view
• 10 recovery codes generated on enable

Passkeys (FIDO2 / WebAuthn)

• UserCredential entity stores public key, signature counter, AAGUID
• Full registration + assertion flow (register-options, register, assertion-options, login)
• Login page JavaScript calls passkey API; PasskeyCallback establishes the cookie session

Roles: SuperAdmin, TenantAdmin, GP, Dentist, Consultant, Nurse, Receptionist, ReadOnly — enforced via [Authorize(Roles = "...")] in both API and Web

Seed Data

10 realistic patients across 4 UK orgs (NHS GP, HSCNI Hospital, Private Dental, Health Centre):

• Full demographics, allergies, emergency contacts, NHS/HSCNI numbers
• SOAP clinical notes with SNOMED CT codes
• Repeat prescriptions with correct administration routes (Oral / Inhalation / Subcutaneous)
• Appointments (past, today, future) and patient alerts

README

Comprehensive documentation covering architecture, feature list, getting started, demo credentials table, API reference, seed data catalogue, deployment checklist and compliance notes. No double-hyphens.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>fix docs and code</issue_title>
<issue_description>update read me with screen shots of app add relistc seed data use sql server as deafult db
give full documentations dont use double hyphenes in the readme — ensure the crm only talks to the api dont use db direclty in the crm blazor app ensure full asp.net idneity roles and clams and 2fa is enabled in the api and the app also use pass keys as well have good admin settings ensure the theme is like our bookit app

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes fix docs and code #2

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[dotnetappdev]

also this should be changed to a full balzor .net 10 application and web api .net 10 thanks @copilot

[dotnetappdev]

ensure to use the new .net 10 blazor web app so no client server app still have the web api and blazor app and retain all functionally @copilot

[dotnetappdev]

Ensure the web app been coverted to blazor ten web app @copilot

[Copilot]

also this should be changed to a full balzor .net 10 application and web api .net 10 thanks @copilot

Done in commit 4b992e5. PatientCrm.Web has been converted from ASP.NET Core MVC to a .NET 10 Blazor Web App with Interactive Server rendering. All pages are now Razor components under Components/Pages/. The Web API (PatientCrm.Api) is unchanged and all functionality is retained.

Key changes:

• App.razor root with <Routes @rendermode="InteractiveServer" />
• MainLayout.razor replaces _Layout.cshtml (sidebar + header with NavLink + AuthorizeView)
• Dashboard, PatientList, PatientDetails, PatientCreate, AppointmentList, AdminDashboard, ClientList/Create/Edit, UserList all ported to Blazor components
• TokenProvider (scoped) captures the JWT from the auth cookie during SSR so PatientApiClient works throughout the Blazor circuit
• AccountController (MVC) is kept for Login/Logout/2FA/Passkey since those need to write HTTP cookies via HttpContext.SignInAsync
• 4 old MVC controllers and 14 .cshtml views deleted
• Build: 0 errors, 0 warnings; all 15 tests pass; 0 CodeQL alerts

[Copilot]

Ensure the web app been coverted to blazor ten web app @copilot

The conversion is complete as of commit 4b992e5. PatientCrm.Web is now a .NET 10 Blazor Web App with Interactive Server rendering (not a Blazor WebAssembly or Blazor Server split project).

Key proof points:

• Program.cs calls AddRazorComponents().AddInteractiveServerComponents() and MapRazorComponents<App>().AddInteractiveServerRenderMode()
• App.razor is the root with <Routes @rendermode="InteractiveServer" />
• All 11 pages are Razor components in Components/Pages/ (Dashboard, PatientList, PatientDetails, PatientCreate, AppointmentList, AdminDashboard, ClientList/Create/Edit, UserList, AccessDenied)
• The old MVC controllers (Home, Patients, Appointments, Admin) are deleted — only AccountController remains for Login/Logout/2FA/Passkey (these must run on the HTTP pipeline to issue cookies via HttpContext.SignInAsync)
• Build: 0 errors, 0 warnings; all 15 tests pass