first

db/mongo.js

@@ -1,73 +1,138 @@
-import { MongoClient, ObjectId } from 'mongodb';
+import mongoose from 'mongoose';
 import dotenv from 'dotenv';
 
 dotenv.config();
 
 const MONGO_URI = process.env.MONGO_URI;
 
-let client;
-let db;
+// Connection state
+let isConnected = false;
 
-// Collections
-let patientsCollection;
-let usersCollection;
-let appointmentsCollection;
-let warningsCollection;
 
 export const connectDB = async () => {
+  if (isConnected) {
+    console.log('[OK] Using existing database connection');
+    return mongoose.connection;
+  }
+
   try {
-    client = new MongoClient(MONGO_URI, {
-      serverSelectionTimeoutMS: 5000
+    const conn = await mongoose.connect(MONGO_URI, {
+      dbName: 'patient_info',
+      serverSelectionTimeoutMS: 5000,
     });
+
+    isConnected = true;
+    console.log(`[OK] Database: ${conn.connection.name}`);
     
-    await client.connect();
-    await client.db('admin').command({ ping: 1 });
-    console.log('✓ Connected to MongoDB Atlas successfully!');
-    
-    db = client.db('patient_info');
-    
-    // Initialize collections
-    patientsCollection = db.collection('patients');
-    usersCollection = db.collection('users');
-    appointmentsCollection = db.collection('appointments');
-    warningsCollection = db.collection('clinical_warnings');
-    
-    return db;
+    return conn.connection;
   } catch (error) {
-    console.log(`⚠️ MongoDB connection warning: ${error.message}`);
-    console.log('The server will start, but database operations may fail.');
-    console.log('Please check:');
-    console.log('  1. Your MongoDB Atlas IP whitelist (add your current IP)');
-    console.log('  2. Your internet connection');
-    console.log('  3. If your Atlas cluster is paused');
-    
-    // Create client anyway for later retry
-    client = new MongoClient(MONGO_URI);
-    db = client.db('patient_info');
-    
-    patientsCollection = db.collection('patients');
-    usersCollection = db.collection('users');
-    appointmentsCollection = db.collection('appointments');
-    warningsCollection = db.collection('clinical_warnings');
-    
-    return db;
+    console.log(`[ERROR] Failed to connect to MongoDB: ${error.message}`);
   }
 };
 
+/**
+ * Ensure indexes are created for all models
+ */
 export const ensureIndexes = async () => {
   try {
-    await usersCollection.createIndex({ email: 1 }, { unique: true });
-    console.log('✓ Database indexes created');
+    // Mongoose will create indexes automatically when models are used
+    // But we can explicitly sync indexes here
+    const { User, Patient, Appointment, Warning, DeleteRequest } = await import('../models/index.js');
+    
+    await Promise.all([
+      User.syncIndexes(),
+      Patient.syncIndexes(),
+      Appointment.syncIndexes(),
+      Warning.syncIndexes(),
+      DeleteRequest.syncIndexes()
+    ]);
+    
+    console.log('[OK] Database indexes synchronized');
   } catch (error) {
-    console.log(`⚠️ Could not create indexes: ${error.message}`);
+    console.log(`[WARNING] Could not sync indexes: ${error.message}`);
   }
 };
 
-export const getDB = () => db;
-export const getPatientsCollection = () => patientsCollection;
-export const getUsersCollection = () => usersCollection;
-export const getAppointmentsCollection = () => appointmentsCollection;
-export const getWarningsCollection = () => warningsCollection;
+/**
+ * Get the database connection
+ */
+export const getDB = () => mongoose.connection.db;
+
+/**
+ * Get mongoose connection object
+ */
+export const getConnection = () => mongoose.connection;
+
+/**
+ * Check if database is connected
+ */
+export const isDBConnected = () => isConnected && mongoose.connection.readyState === 1;
+
+/**
+ * Disconnect from database
+ */
+export const disconnectDB = async () => {
+  if (isConnected) {
+    await mongoose.disconnect();
+    isConnected = false;
+    console.log('[OK] Disconnected from MongoDB');
+  }
+};
 
-export { ObjectId };
+// Re-export ObjectId from mongoose for backward compatibility
+export const ObjectId = mongoose.Types.ObjectId;
 
+export const getPatientsCollection = async () => {
+  const { Patient } = await import('../models/index.js');
+  return Patient;
+};
+
+export const getUsersCollection = async () => {
+  const { User } = await import('../models/index.js');
+  return User;
+};
+
+export const getAppointmentsCollection = async () => {
+  const { Appointment } = await import('../models/index.js');
+  return Appointment;
+};
+
+export const getWarningsCollection = async () => {
+  const { Warning } = await import('../models/index.js');
+  return Warning;
+};
+
+export const getDeleteRequestsCollection = async () => {
+  const { DeleteRequest } = await import('../models/index.js');
+  return DeleteRequest;
+};
+
+// Handle connection events
+mongoose.connection.on('connected', () => {
+  console.log('[OK] Mongoose connected to database');
+});
+
+mongoose.connection.on('error', (err) => {
+  console.log(`[ERROR] Mongoose connection error: ${err.message}`);
+});
+
+mongoose.connection.on('disconnected', () => {
+  isConnected = false;
+  console.log('[WARNING] Mongoose disconnected from database');
+});
+
+// Handle process termination
+process.on('SIGINT', async () => {
+  await disconnectDB();
+  process.exit(0);
+});
+
+export default {
+  connectDB,
+  ensureIndexes,
+  getDB,
+  getConnection,
+  isDBConnected,
+  disconnectDB,
+  ObjectId
+};

middleware/auth.js

@@ -2,6 +2,7 @@ import { authService } from '../services/authService.js';
 
 // User roles enum
 export const UserRole = {
+  ADMIN: 'admin',
   DOCTOR: 'doctor',
   PATIENT: 'patient'
 };
@@ -87,8 +88,10 @@ export const requireRoles = (allowedRoles) => {
 };
 
 // Pre-built role middlewares for common use cases
-export const requireDoctor = requireRoles([UserRole.DOCTOR]);
-export const requireStaff = requireRoles([UserRole.DOCTOR]);
+export const requireAdmin = requireRoles([UserRole.ADMIN]);
+export const requireDoctor = requireRoles([UserRole.DOCTOR, UserRole.ADMIN]);
+export const requireStaff = requireRoles([UserRole.DOCTOR, UserRole.ADMIN]);
+export const requireAdminOrDoctor = requireRoles([UserRole.ADMIN, UserRole.DOCTOR]);
 
 /**
  * Optional authentication - doesn't fail if no token provided
@@ -118,4 +121,3 @@ export const optionalAuth = async (req, res, next) => {
     next();
   }
 };
-

models/Appointment.js

@@ -0,0 +1,281 @@
+import mongoose from 'mongoose';
+
+// Appointment status enum
+export const AppointmentStatus = {
+  SCHEDULED: 'scheduled',
+  CONFIRMED: 'confirmed',
+  IN_PROGRESS: 'in_progress',
+  COMPLETED: 'completed',
+  CANCELLED: 'cancelled',
+  NO_SHOW: 'no_show'
+};
+
+// Appointment type enum
+export const AppointmentType = {
+  CHECKUP: 'checkup',
+  FOLLOW_UP: 'follow_up',
+  CONSULTATION: 'consultation',
+  EMERGENCY: 'emergency',
+  PROCEDURE: 'procedure',
+  LAB_WORK: 'lab_work',
+  OTHER: 'other'
+};
+
+const AppointmentSchema = new mongoose.Schema({
+  patient_id: {
+    type: mongoose.Schema.Types.ObjectId,
+    required: [true, 'Patient ID is required'],
+    index: true,
+    ref: 'Patient'
+  },
+  doctor_id: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+    index: true
+  },
+  date_time: {
+    type: String,
+    required: [true, 'Date and time is required']
+  },
+  duration_minutes: {
+    type: Number,
+    default: 30,
+    min: [5, 'Duration must be at least 5 minutes'],
+    max: [480, 'Duration cannot exceed 8 hours']
+  },
+  appointment_type: {
+    type: String,
+    enum: {
+      values: Object.values(AppointmentType),
+      message: '{VALUE} is not a valid appointment type'
+    },
+    default: AppointmentType.CHECKUP
+  },
+  purpose: {
+    type: String,
+    required: [true, 'Purpose is required'],
+    trim: true
+  },
+  notes: {
+    type: String,
+    trim: true
+  },
+  location: {
+    type: String,
+    trim: true
+  },
+  status: {
+    type: String,
+    enum: {
+      values: Object.values(AppointmentStatus),
+      message: '{VALUE} is not a valid status'
+    },
+    default: AppointmentStatus.SCHEDULED
+  },
+  cancelled_reason: {
+    type: String,
+    trim: true
+  },
+  cancelled_at: {
+    type: Date
+  },
+  cancelled_by: {
+    type: String
+  },
+  completion_notes: {
+    type: String,
+    trim: true
+  },
+  completed_at: {
+    type: Date
+  },
+  completed_by: {
+    type: String
+  },
+  created_by: {
+    type: String,
+    required: true
+  },
+  // Virtual fields to store names (populated from other collections)
+  patient_name: {
+    type: String
+  },
+  doctor_name: {
+    type: String
+  }
+}, {
+  timestamps: {
+    createdAt: 'created_at',
+    updatedAt: 'updated_at'
+  }
+});
+
+// Compound indexes for efficient queries
+AppointmentSchema.index({ patient_id: 1, date_time: -1 });
+AppointmentSchema.index({ doctor_id: 1, date_time: 1 });
+AppointmentSchema.index({ status: 1, date_time: 1 });
+AppointmentSchema.index({ date_time: 1 });
+
+// Method to convert to response object
+AppointmentSchema.methods.toResponse = function() {
+  return {
+    id: this._id.toString(),
+    patient_id: this.patient_id,
+    doctor_id: this.doctor_id || null,
+    date_time: this.date_time,
+    duration_minutes: this.duration_minutes || 30,
+    appointment_type: this.appointment_type || 'checkup',
+    purpose: this.purpose || '',
+    notes: this.notes || null,
+    location: this.location || null,
+    status: this.status || 'scheduled',
+    cancelled_reason: this.cancelled_reason || null,
+    cancelled_at: this.cancelled_at || null,
+    completion_notes: this.completion_notes || null,
+    completed_at: this.completed_at || null,
+    created_at: this.created_at,
+    updated_at: this.updated_at,
+    created_by: this.created_by || '',
+    patient_name: this.patient_name || null,
+    doctor_name: this.doctor_name || null
+  };
+};
+
+// Static method to find upcoming appointments
+// doctorId: optional - filter by doctor (for non-admin users)
+AppointmentSchema.statics.findUpcoming = function(limit = 20, doctorId = null) {
+  const now = new Date().toISOString();
+  const query = {
+    date_time: { $gte: now },
+    status: { $in: [AppointmentStatus.SCHEDULED, AppointmentStatus.CONFIRMED] }
+  };
+  
+  if (doctorId) {
+    query.doctor_id = doctorId;
+  }
+  
+  return this.find(query)
+    .sort({ date_time: 1 })
+    .limit(limit);
+};
+
+// Static method to find appointments by patient
+// doctorId: optional - filter by doctor (for non-admin users)
+AppointmentSchema.statics.findByPatient = function(patientId, includePast = false, doctorId = null) {
+  const query = { patient_id: patientId };
+  
+  if (doctorId) {
+    query.doctor_id = doctorId;
+  }
+  
+  if (!includePast) {
+    const now = new Date().toISOString();
+    query.$or = [
+      { date_time: { $gte: now } },
+      { status: { $in: [AppointmentStatus.SCHEDULED, AppointmentStatus.CONFIRMED] } }
+    ];
+  }
+  
+  return this.find(query).sort({ date_time: -1 });
+};
+
+// Static method to find appointments by doctor
+AppointmentSchema.statics.findByDoctor = function(doctorId) {
+  return this.find({ doctor_id: doctorId }).sort({ date_time: 1 });
+};
+
+// Static method to check for scheduling conflicts
+AppointmentSchema.statics.checkConflicts = async function(doctorId, dateTime, durationMinutes, excludeId = null) {
+  const proposedStart = new Date(dateTime.replace('Z', '+00:00'));
+  const proposedEnd = new Date(proposedStart.getTime() + durationMinutes * 60000);
+  
+  const query = {
+    doctor_id: doctorId,
+    status: { $in: [AppointmentStatus.SCHEDULED, AppointmentStatus.CONFIRMED] }
+  };
+  
+  if (excludeId) {
+    query._id = { $ne: excludeId };
+  }
+  
+  const appointments = await this.find(query);
+  
+  const conflicts = [];
+  for (const apt of appointments) {
+    try {
+      const aptStart = new Date(apt.date_time.replace('Z', '+00:00'));
+      const aptEnd = new Date(aptStart.getTime() + (apt.duration_minutes || 30) * 60000);
+      
+      // Check for overlap
+      if (!(proposedEnd <= aptStart || proposedStart >= aptEnd)) {
+        conflicts.push(apt);
+      }
+    } catch {
+      continue;
+    }
+  }
+  
+  return conflicts;
+};
+
+// Static method to get appointment statistics
+// doctorId: optional - filter by doctor (for non-admin users)
+AppointmentSchema.statics.getStats = async function(doctorId = null) {
+  const matchStage = doctorId ? { $match: { doctor_id: new mongoose.Types.ObjectId(doctorId) } } : null;
+  
+  const pipeline = [];
+  if (matchStage) {
+    pipeline.push(matchStage);
+  }
+  pipeline.push({
+    $group: {
+      _id: '$status',
+      count: { $sum: 1 }
+    }
+  });
+  
+  const results = await this.aggregate(pipeline);
+  
+  const stats = {
+    total: 0,
+    by_status: {}
+  };
+  
+  for (const r of results) {
+    stats.by_status[r._id] = r.count;
+    stats.total += r.count;
+  }
+  
+  return stats;
+};
+
+// Method to cancel appointment
+AppointmentSchema.methods.cancel = function(reason, cancelledBy) {
+  this.status = AppointmentStatus.CANCELLED;
+  this.cancelled_reason = reason;
+  this.cancelled_at = new Date();
+  this.cancelled_by = cancelledBy;
+  return this.save();
+};
+
+// Method to complete appointment
+AppointmentSchema.methods.complete = function(notes, completedBy) {
+  // Validate that appointment date has passed
+  const appointmentDate = new Date(this.date_time);
+  const now = new Date();
+  
+  if (appointmentDate > now) {
+    throw new Error(`Cannot complete this appointment yet. It is scheduled for ${appointmentDate.toISOString()}.`);
+  }
+  
+  this.status = AppointmentStatus.COMPLETED;
+  this.completion_notes = notes;
+  this.completed_at = new Date();
+  this.completed_by = completedBy;
+  return this.save();
+};
+
+const Appointment = mongoose.model('Appointment', AppointmentSchema);
+
+export default Appointment;
+

models/DeleteRequest.js

@@ -0,0 +1,136 @@
+import mongoose from 'mongoose';
+
+// Delete request status enum
+export const DeleteRequestStatus = {
+  PENDING: 'pending',
+  APPROVED: 'approved',
+  REJECTED: 'rejected'
+};
+
+const DeleteRequestSchema = new mongoose.Schema({
+  patient_id: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'Patient',
+    required: [true, 'Patient ID is required'],
+    index: true
+  },
+  patient_name: {
+    type: String,
+    trim: true
+  },
+  reason: {
+    type: String,
+    required: [true, 'Reason is required'],
+    trim: true,
+    minlength: [10, 'Reason must be at least 10 characters']
+  },
+  status: {
+    type: String,
+    enum: {
+      values: Object.values(DeleteRequestStatus),
+      message: '{VALUE} is not a valid status'
+    },
+    default: DeleteRequestStatus.PENDING
+  },
+  requested_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+    required: [true, 'Requester ID is required']
+  },
+  requested_by_name: {
+    type: String,
+    trim: true
+  },
+  reviewed_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+  },
+  reviewed_by_name: {
+    type: String,
+    trim: true
+  },
+  review_notes: {
+    type: String,
+    trim: true
+  },
+  reviewed_at: {
+    type: Date
+  }
+}, {
+  timestamps: {
+    createdAt: 'created_at',
+    updatedAt: 'updated_at'
+  }
+});
+
+// Indexes for efficient queries
+DeleteRequestSchema.index({ status: 1, created_at: -1 });
+DeleteRequestSchema.index({ requested_by: 1 });
+DeleteRequestSchema.index({ patient_id: 1, status: 1 });
+
+// Method to convert to response object
+DeleteRequestSchema.methods.toResponse = function() {
+  return {
+    id: this._id.toString(),
+    patient_id: this.patient_id,
+    patient_name: this.patient_name || null,
+    reason: this.reason || '',
+    status: this.status,
+    requested_by: this.requested_by,
+    requested_by_name: this.requested_by_name || null,
+    reviewed_by: this.reviewed_by || null,
+    reviewed_by_name: this.reviewed_by_name || null,
+    review_notes: this.review_notes || null,
+    created_at: this.created_at,
+    updated_at: this.updated_at,
+    reviewed_at: this.reviewed_at || null
+  };
+};
+
+// Static method to find pending requests
+DeleteRequestSchema.statics.findPending = function() {
+  return this.find({ status: DeleteRequestStatus.PENDING })
+    .sort({ created_at: -1 });
+};
+
+// Static method to find requests by user
+DeleteRequestSchema.statics.findByUser = function(userId) {
+  return this.find({ requested_by: userId })
+    .sort({ created_at: -1 });
+};
+
+// Static method to check for existing pending request
+DeleteRequestSchema.statics.hasPendingRequest = function(patientId) {
+  return this.findOne({
+    patient_id: patientId,
+    status: DeleteRequestStatus.PENDING
+  });
+};
+
+// Method to approve request
+DeleteRequestSchema.methods.approve = function(reviewerId, reviewerName, notes = null) {
+  this.status = DeleteRequestStatus.APPROVED;
+  this.reviewed_by = reviewerId;
+  this.reviewed_by_name = reviewerName;
+  this.review_notes = notes;
+  this.reviewed_at = new Date();
+  return this.save();
+};
+
+// Method to reject request
+DeleteRequestSchema.methods.reject = function(reviewerId, reviewerName, notes) {
+  if (!notes || notes.trim().length < 5) {
+    throw new Error('Rejection reason is required');
+  }
+  this.status = DeleteRequestStatus.REJECTED;
+  this.reviewed_by = reviewerId;
+  this.reviewed_by_name = reviewerName;
+  this.review_notes = notes;
+  this.reviewed_at = new Date();
+  return this.save();
+};
+
+const DeleteRequest = mongoose.model('DeleteRequest', DeleteRequestSchema, 'delete_requests');
+
+export default DeleteRequest;
+

models/Patient.js

@@ -0,0 +1,189 @@
+import mongoose from 'mongoose';
+
+const MedicationSchema = new mongoose.Schema({
+  name: {
+    type: String,
+    required: [true, 'Medication name is required'],
+    trim: true
+  },
+  dosage: {
+    type: String,
+    required: [true, 'Dosage is required'],
+    trim: true
+  },
+  frequency: {
+    type: String,
+    trim: true
+  },
+  start_date: {
+    type: String,
+    required: [true, 'Start date is required']
+  },
+  end_date: {
+    type: String
+  },
+  prescribing_doctor: {
+    type: String,
+    trim: true
+  },
+  notes: {
+    type: String,
+    trim: true
+  }
+}, { _id: false });
+
+const MedicalHistorySchema = new mongoose.Schema({
+  condition: {
+    type: String,
+    required: true,
+    trim: true
+  },
+  diagnosed_date: {
+    type: String
+  },
+  status: {
+    type: String,
+    enum: ['active', 'resolved', 'chronic', 'managed'],
+    default: 'active'
+  },
+  notes: {
+    type: String,
+    trim: true
+  }
+}, { _id: false });
+
+const PatientSchema = new mongoose.Schema({
+  name: {
+    type: String,
+    required: [true, 'Patient name is required'],
+    trim: true,
+    minlength: [1, 'Name cannot be empty']
+  },
+  age: {
+    type: Number,
+    required: [true, 'Age is required'],
+    min: [0, 'Age cannot be negative'],
+    max: [150, 'Age cannot exceed 150']
+  },
+  gender: {
+    type: String,
+    required: [true, 'Gender is required'],
+    enum: {
+      values: ['Male', 'Female', 'Other', 'male', 'female', 'other'],
+      message: '{VALUE} is not a valid gender'
+    }
+  },
+  date_of_birth: {
+    type: String
+  },
+  blood_type: {
+    type: String,
+    enum: ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-', null, ''],
+  },
+  allergies: [{
+    type: String,
+    trim: true
+  }],
+  medical_history: {
+    type: [mongoose.Schema.Types.Mixed], // Can be string or MedicalHistorySchema
+    default: []
+  },
+  medications: {
+    type: [MedicationSchema],
+    default: []
+  },
+  emergency_contact: {
+    name: String,
+    relationship: String,
+    phone: String
+  },
+  insurance: {
+    provider: String,
+    policy_number: String,
+    group_number: String
+  },
+  notes: {
+    type: String,
+    trim: true
+  },
+  phone: {
+    type: String,
+    trim: true
+  },
+  email: {
+    type: String,
+    trim: true,
+    lowercase: true
+  },
+  address: {
+    type: String,
+    trim: true
+  },
+  created_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User'
+  },
+  updated_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User'
+  }
+}, {
+  timestamps: {
+    createdAt: 'created_at',
+    updatedAt: 'updated_at'
+  }
+});
+
+// Indexes for faster queries
+PatientSchema.index({ name: 'text' });
+PatientSchema.index({ created_by: 1 });
+PatientSchema.index({ created_at: -1 });
+
+// Method to convert to response object
+PatientSchema.methods.toResponse = function() {
+  return {
+    _id: this._id.toString(),
+    name: this.name,
+    age: this.age,
+    gender: this.gender,
+    date_of_birth: this.date_of_birth || null,
+    blood_type: this.blood_type || null,
+    allergies: this.allergies || [],
+    medical_history: this.medical_history || [],
+    medications: this.medications || [],
+    emergency_contact: this.emergency_contact || null,
+    insurance: this.insurance || null,
+    notes: this.notes || null,
+    phone: this.phone || null,
+    email: this.email || null,
+    address: this.address || null,
+    created_at: this.created_at,
+    updated_at: this.updated_at
+  };
+};
+
+// Static method to search patients by name
+PatientSchema.statics.searchByName = function(searchTerm) {
+  return this.find({
+    name: { $regex: searchTerm, $options: 'i' }
+  });
+};
+
+// Static method to find patients with specific condition
+PatientSchema.statics.findByCondition = function(condition) {
+  return this.find({
+    'medical_history': { $regex: condition, $options: 'i' }
+  });
+};
+
+// Static method to find patients taking specific medication
+PatientSchema.statics.findByMedication = function(medicationName) {
+  return this.find({
+    'medications.name': { $regex: medicationName, $options: 'i' }
+  });
+};
+
+const Patient = mongoose.model('Patient', PatientSchema);
+
+export default Patient;
+

models/User.js

@@ -0,0 +1,112 @@
+import mongoose from 'mongoose';
+import bcrypt from 'bcryptjs';
+
+const UserSchema = new mongoose.Schema({
+  email: {
+    type: String,
+    required: [true, 'Email is required'],
+    unique: true,
+    trim: true,
+    lowercase: true,
+    match: [/^\w+([.-]?\w+)*@\w+([.-]?\w+)*(\.\w{2,3})+$/, 'Please provide a valid email']
+  },
+  name: {
+    type: String,
+    required: [true, 'Name is required'],
+    trim: true,
+    minlength: [2, 'Name must be at least 2 characters']
+  },
+  hashed_password: {
+    type: String,
+    required: [true, 'Password is required']
+  },
+  role: {
+    type: String,
+    enum: {
+      values: ['admin', 'doctor', 'patient'],
+      message: '{VALUE} is not a valid role'
+    },
+    default: 'doctor'
+  },
+  is_active: {
+    type: Boolean,
+    default: true
+  },
+  specialization: {
+    type: String,
+    trim: true
+  },
+  phone: {
+    type: String,
+    trim: true
+  },
+  address: {
+    type: String,
+    trim: true
+  }
+}, {
+  timestamps: {
+    createdAt: 'created_at',
+    updatedAt: 'updated_at'
+  }
+});
+
+// Index for faster queries
+UserSchema.index({ role: 1 });
+UserSchema.index({ is_active: 1 });
+
+// Hash password before saving
+UserSchema.pre('save', async function(next) {
+  // Only hash the password if it has been modified (or is new)
+  if (!this.isModified('hashed_password')) return next();
+  
+  // Check if the password is already hashed (bcrypt hashes start with $2)
+  if (this.hashed_password.startsWith('$2')) return next();
+  
+  try {
+    const salt = await bcrypt.genSalt(10);
+    this.hashed_password = await bcrypt.hash(this.hashed_password, salt);
+    next();
+  } catch (error) {
+    next(error);
+  }
+});
+
+// Method to check password
+UserSchema.methods.comparePassword = async function(candidatePassword) {
+  return bcrypt.compare(candidatePassword, this.hashed_password);
+};
+
+// Method to convert to response object (exclude sensitive data)
+UserSchema.methods.toResponse = function() {
+  return {
+    id: this._id.toString(),
+    email: this.email,
+    name: this.name,
+    role: this.role,
+    is_active: this.is_active,
+    specialization: this.specialization,
+    phone: this.phone,
+    created_at: this.created_at
+  };
+};
+
+// Static method to find by email
+UserSchema.statics.findByEmail = function(email) {
+  return this.findOne({ email: email.toLowerCase() });
+};
+
+// Static method to find active doctors
+UserSchema.statics.findActiveDoctors = function() {
+  return this.find({ role: 'doctor', is_active: true });
+};
+
+// Static method to find active admins
+UserSchema.statics.findActiveAdmins = function() {
+  return this.find({ role: 'admin', is_active: true });
+};
+
+const User = mongoose.model('User', UserSchema);
+
+export default User;
+

models/Warning.js

@@ -0,0 +1,232 @@
+import mongoose from 'mongoose';
+
+// Warning severity enum
+export const WarningSeverity = {
+  LOW: 'low',
+  MEDIUM: 'medium',
+  HIGH: 'high',
+  CRITICAL: 'critical'
+};
+
+// Warning type enum
+export const WarningType = {
+  DRUG_INTERACTION: 'drug_interaction',
+  ALLERGY: 'allergy',
+  CONTRAINDICATION: 'contraindication',
+  DOSAGE: 'dosage',
+  LAB_RESULT: 'lab_result',
+  VITAL_SIGN: 'vital_sign',
+  COMPLIANCE: 'compliance',
+  FOLLOW_UP: 'follow_up',
+  GENERAL: 'general'
+};
+
+const WarningSchema = new mongoose.Schema({
+  patient_id: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'Patient',
+    required: [true, 'Patient ID is required'],
+    index: true
+  },
+  warning_type: {
+    type: String,
+    enum: {
+      values: Object.values(WarningType),
+      message: '{VALUE} is not a valid warning type'
+    },
+    required: [true, 'Warning type is required']
+  },
+  severity: {
+    type: String,
+    enum: {
+      values: Object.values(WarningSeverity),
+      message: '{VALUE} is not a valid severity level'
+    },
+    default: WarningSeverity.MEDIUM
+  },
+  title: {
+    type: String,
+    required: [true, 'Warning title is required'],
+    trim: true
+  },
+  description: {
+    type: String,
+    required: [true, 'Warning description is required'],
+    trim: true
+  },
+  details: {
+    type: mongoose.Schema.Types.Mixed,
+    default: {}
+  },
+  recommendations: [{
+    type: String,
+    trim: true
+  }],
+  is_acknowledged: {
+    type: Boolean,
+    default: false
+  },
+  acknowledged_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+  },
+  acknowledged_at: {
+    type: Date
+  },
+  acknowledgment_notes: {
+    type: String,
+    trim: true
+  },
+  is_resolved: {
+    type: Boolean,
+    default: false
+  },
+  resolved_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+  },
+  resolved_at: {
+    type: Date
+  },
+  resolution_notes: {
+    type: String,
+    trim: true
+  },
+  source: {
+    type: String,
+    enum: ['ai_analysis', 'manual', 'system', 'lab_integration'],
+    default: 'ai_analysis'
+  },
+  related_medications: [{
+    type: String
+  }],
+  related_conditions: [{
+    type: String
+  }],
+  expires_at: {
+    type: Date
+  },
+  created_by: {
+    type: mongoose.Schema.Types.ObjectId,
+    ref: 'User',
+  }
+}, {
+  timestamps: {
+    createdAt: 'created_at',
+    updatedAt: 'updated_at'
+  }
+});
+
+// Indexes for efficient queries
+WarningSchema.index({ patient_id: 1, is_acknowledged: 1 });
+WarningSchema.index({ severity: 1 });
+WarningSchema.index({ warning_type: 1 });
+WarningSchema.index({ created_at: -1 });
+WarningSchema.index({ is_acknowledged: 1, created_at: -1 });
+
+// Method to convert to response object
+WarningSchema.methods.toResponse = function() {
+  return {
+    id: this._id.toString(),
+    patient_id: this.patient_id,
+    warning_type: this.warning_type,
+    severity: this.severity,
+    title: this.title,
+    description: this.description,
+    details: this.details || {},
+    recommendations: this.recommendations || [],
+    is_acknowledged: this.is_acknowledged,
+    acknowledged_by: this.acknowledged_by || null,
+    acknowledged_at: this.acknowledged_at || null,
+    acknowledgment_notes: this.acknowledgment_notes || null,
+    is_resolved: this.is_resolved,
+    resolved_by: this.resolved_by || null,
+    resolved_at: this.resolved_at || null,
+    resolution_notes: this.resolution_notes || null,
+    source: this.source,
+    related_medications: this.related_medications || [],
+    related_conditions: this.related_conditions || [],
+    expires_at: this.expires_at || null,
+    created_at: this.created_at,
+    updated_at: this.updated_at
+  };
+};
+
+// Static method to find unacknowledged warnings
+WarningSchema.statics.findUnacknowledged = function(limit = 50) {
+  return this.find({ is_acknowledged: false })
+    .sort({ severity: -1, created_at: -1 })
+    .limit(limit);
+};
+
+// Static method to find warnings by patient
+WarningSchema.statics.findByPatient = function(patientId, includeAcknowledged = false) {
+  const query = { patient_id: patientId };
+  if (!includeAcknowledged) {
+    query.is_acknowledged = false;
+  }
+  return this.find(query).sort({ severity: -1, created_at: -1 });
+};
+
+// Static method to find high severity warnings
+WarningSchema.statics.findHighSeverity = function() {
+  return this.find({
+    severity: { $in: [WarningSeverity.HIGH, WarningSeverity.CRITICAL] },
+    is_acknowledged: false
+  }).sort({ created_at: -1 });
+};
+
+// Static method to get warning statistics
+WarningSchema.statics.getStats = async function() {
+  const [bySeverity, byType, total, unacknowledged] = await Promise.all([
+    this.aggregate([
+      { $group: { _id: '$severity', count: { $sum: 1 } } }
+    ]),
+    this.aggregate([
+      { $group: { _id: '$warning_type', count: { $sum: 1 } } }
+    ]),
+    this.countDocuments(),
+    this.countDocuments({ is_acknowledged: false })
+  ]);
+
+  return {
+    total,
+    unacknowledged,
+    by_severity: bySeverity.reduce((acc, item) => {
+      acc[item._id] = item.count;
+      return acc;
+    }, {}),
+    by_type: byType.reduce((acc, item) => {
+      acc[item._id] = item.count;
+      return acc;
+    }, {})
+  };
+};
+
+// Method to acknowledge warning
+WarningSchema.methods.acknowledge = function(userId, notes) {
+  this.is_acknowledged = true;
+  this.acknowledged_by = userId;
+  this.acknowledged_at = new Date();
+  this.acknowledgment_notes = notes;
+  return this.save();
+};
+
+// Method to resolve warning
+WarningSchema.methods.resolve = function(userId, notes) {
+  this.is_resolved = true;
+  this.resolved_by = userId;
+  this.resolved_at = new Date();
+  this.resolution_notes = notes;
+  if (!this.is_acknowledged) {
+    this.is_acknowledged = true;
+    this.acknowledged_by = userId;
+    this.acknowledged_at = new Date();
+  }
+  return this.save();
+};
+
+const Warning = mongoose.model('Warning', WarningSchema, 'clinical_warnings');
+
+export default Warning;
+

models/index.js

@@ -0,0 +1,28 @@
+// Export all models from a single file for easy imports
+import User from './User.js';
+import Patient from './Patient.js';
+import Appointment, { AppointmentStatus, AppointmentType } from './Appointment.js';
+import Warning, { WarningSeverity, WarningType } from './Warning.js';
+import DeleteRequest, { DeleteRequestStatus } from './DeleteRequest.js';
+
+export {
+  User,
+  Patient,
+  Appointment,
+  AppointmentStatus,
+  AppointmentType,
+  Warning,
+  WarningSeverity,
+  WarningType,
+  DeleteRequest,
+  DeleteRequestStatus
+};
+
+export default {
+  User,
+  Patient,
+  Appointment,
+  Warning,
+  DeleteRequest
+};
+

routes/appointments.js

@@ -1,5 +1,5 @@
 import express from 'express';
-import { ObjectId } from '../db/mongo.js';
+import mongoose from 'mongoose';
 import { appointmentService } from '../services/appointmentService.js';
 import { getCurrentUser, requireStaff } from '../middleware/auth.js';
 
@@ -9,13 +9,14 @@ const router = express.Router();
  * Validate ObjectId format
  */
 const isValidObjectId = (id) => {
-  try {
-    return ObjectId.isValid(id) && new ObjectId(id).toString() === id;
-  } catch {
-    return false;
-  }
+  return mongoose.Types.ObjectId.isValid(id);
 };
 
+/**
+ * Check if user is admin
+ */
+const isAdmin = (user) => user?.role === 'admin';
+
 /**
  * POST /api/appointments
  * Create a new appointment
@@ -30,6 +31,13 @@ router.post('/appointments', requireStaff, async (req, res) => {
       appointmentData.doctor_id = userId;
     }
     
+    // Non-admin users can only create appointments for themselves as doctor
+    if (!isAdmin(req.user) && appointmentData.doctor_id !== userId) {
+      return res.status(403).json({ 
+        detail: 'You can only create appointments for yourself as the doctor' 
+      });
+    }
+    
     // Check for conflicts if doctor is assigned
     if (appointmentData.doctor_id) {
       const conflicts = await appointmentService.checkConflicts(
@@ -51,6 +59,10 @@ router.post('/appointments', requireStaff, async (req, res) => {
     const appointment = await appointmentService.createAppointment(appointmentData, userId);
     res.status(201).json(appointment);
   } catch (error) {
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
     res.status(500).json({ detail: `Error creating appointment: ${error.message}` });
   }
 });
@@ -58,14 +70,24 @@ router.post('/appointments', requireStaff, async (req, res) => {
 /**
  * GET /api/appointments
  * List appointments with optional filters
+ * - Admin: Can see all appointments
+ * - Doctor: Can only see their own appointments
  */
 router.get('/appointments', getCurrentUser, async (req, res) => {
   try {
     const { patient_id, doctor_id, status, from_date, to_date, limit = 50 } = req.query;
+    const userId = req.user._id.toString();
+    
+    // Determine doctor filter based on role
+    let doctorFilter = doctor_id;
+    if (!isAdmin(req.user)) {
+      // Non-admin users can only see their own appointments
+      doctorFilter = userId;
+    }
     
     const appointments = await appointmentService.listAppointments({
       patientId: patient_id,
-      doctorId: doctor_id,
+      doctorId: doctorFilter,
       status,
       fromDate: from_date,
       toDate: to_date,
@@ -81,12 +103,20 @@ router.get('/appointments', getCurrentUser, async (req, res) => {
 /**
  * GET /api/appointments/upcoming
  * Get upcoming appointments
+ * - Admin: Can see all upcoming appointments
+ * - Doctor: Can only see their own upcoming appointments
  */
 router.get('/appointments/upcoming', getCurrentUser, async (req, res) => {
   try {
     const { limit = 20 } = req.query;
+    const userId = req.user._id.toString();
+    
+    // Pass doctor filter for non-admin users
+    const doctorFilter = isAdmin(req.user) ? null : userId;
+    
     const appointments = await appointmentService.getUpcomingAppointments(
-      Math.min(parseInt(limit), 100)
+      Math.min(parseInt(limit), 100),
+      doctorFilter
     );
     res.json(appointments);
   } catch (error) {
@@ -97,10 +127,15 @@ router.get('/appointments/upcoming', getCurrentUser, async (req, res) => {
 /**
  * GET /api/appointments/stats
  * Get appointment statistics
+ * - Admin: Stats for all appointments
+ * - Doctor: Stats only for their appointments
  */
 router.get('/appointments/stats', getCurrentUser, async (req, res) => {
   try {
-    const stats = await appointmentService.getAppointmentStats();
+    const userId = req.user._id.toString();
+    const doctorFilter = isAdmin(req.user) ? null : userId;
+    
+    const stats = await appointmentService.getAppointmentStats(doctorFilter);
     res.json(stats);
   } catch (error) {
     res.status(500).json({ detail: `Error fetching stats: ${error.message}` });
@@ -110,10 +145,13 @@ router.get('/appointments/stats', getCurrentUser, async (req, res) => {
 /**
  * GET /api/appointments/:appointmentId
  * Get a specific appointment
+ * - Admin: Can access any appointment
+ * - Doctor: Can only access their own appointments
  */
 router.get('/appointments/:appointmentId', getCurrentUser, async (req, res) => {
   try {
     const { appointmentId } = req.params;
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(appointmentId)) {
       return res.status(400).json({ detail: 'Invalid appointment ID format' });
@@ -125,6 +163,11 @@ router.get('/appointments/:appointmentId', getCurrentUser, async (req, res) => {
       return res.status(404).json({ detail: 'Appointment not found' });
     }
     
+    // Check access for non-admin users
+    if (!isAdmin(req.user) && appointment.doctor_id !== userId) {
+      return res.status(403).json({ detail: 'Access denied. You can only view your own appointments.' });
+    }
+    
     res.json(appointment);
   } catch (error) {
     res.status(500).json({ detail: `Error fetching appointment: ${error.message}` });
@@ -134,11 +177,14 @@ router.get('/appointments/:appointmentId', getCurrentUser, async (req, res) => {
 /**
  * PUT /api/appointments/:appointmentId
  * Update an appointment
+ * - Admin: Can update any appointment
+ * - Doctor: Can only update their own appointments
  */
 router.put('/appointments/:appointmentId', requireStaff, async (req, res) => {
   try {
     const { appointmentId } = req.params;
     const updateData = req.body;
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(appointmentId)) {
       return res.status(400).json({ detail: 'Invalid appointment ID format' });
@@ -150,6 +196,11 @@ router.put('/appointments/:appointmentId', requireStaff, async (req, res) => {
       return res.status(404).json({ detail: 'Appointment not found' });
     }
     
+    // Check access for non-admin users
+    if (!isAdmin(req.user) && existing.doctor_id !== userId) {
+      return res.status(403).json({ detail: 'Access denied. You can only update your own appointments.' });
+    }
+    
     if (updateData.date_time && existing.doctor_id) {
       const conflicts = await appointmentService.checkConflicts(
         existing.doctor_id,
@@ -183,17 +234,34 @@ router.put('/appointments/:appointmentId', requireStaff, async (req, res) => {
 /**
  * POST /api/appointments/:appointmentId/cancel
  * Cancel an appointment
+ * - Admin: Can cancel any appointment
+ * - Doctor: Can only cancel their own appointments
  */
 router.post('/appointments/:appointmentId/cancel', requireStaff, async (req, res) => {
   try {
     const { appointmentId } = req.params;
     const { reason } = req.body || {};
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(appointmentId)) {
       return res.status(400).json({ detail: 'Invalid appointment ID format' });
     }
     
-    const appointment = await appointmentService.cancelAppointment(appointmentId, reason);
+    // Check access for non-admin users
+    const existing = await appointmentService.getAppointment(appointmentId);
+    if (!existing) {
+      return res.status(404).json({ detail: 'Appointment not found' });
+    }
+    
+    if (!isAdmin(req.user) && existing.doctor_id !== userId) {
+      return res.status(403).json({ detail: 'Access denied. You can only cancel your own appointments.' });
+    }
+    
+    const appointment = await appointmentService.cancelAppointment(
+      appointmentId, 
+      reason,
+      userId
+    );
     
     if (!appointment) {
       return res.status(404).json({ detail: 'Appointment not found' });
@@ -208,23 +276,51 @@ router.post('/appointments/:appointmentId/cancel', requireStaff, async (req, res
 /**
  * POST /api/appointments/:appointmentId/complete
  * Mark an appointment as completed
+ * - Admin: Can complete any appointment
+ * - Doctor: Can only complete their own appointments
  */
 router.post('/appointments/:appointmentId/complete', requireStaff, async (req, res) => {
   try {
     const { appointmentId } = req.params;
     const { notes } = req.body || {};
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(appointmentId)) {
       return res.status(400).json({ detail: 'Invalid appointment ID format' });
     }
     
-    const appointment = await appointmentService.completeAppointment(appointmentId, notes);
+    // Check access for non-admin users
+    const existing = await appointmentService.getAppointment(appointmentId);
+    if (!existing) {
+      return res.status(404).json({ detail: 'Appointment not found' });
+    }
+    
+    if (!isAdmin(req.user) && existing.doctor_id !== userId) {
+      return res.status(403).json({ detail: 'Access denied. You can only complete your own appointments.' });
+    }
     
-    if (!appointment) {
+    const result = await appointmentService.completeAppointment(
+      appointmentId, 
+      notes,
+      userId
+    );
+    
+    if (!result) {
       return res.status(404).json({ detail: 'Appointment not found' });
     }
     
-    res.json(appointment);
+    // Handle validation errors
+    if (result.error) {
+      if (result.notFound) {
+        return res.status(404).json({ detail: result.error });
+      }
+      if (result.dateError) {
+        return res.status(400).json({ detail: result.error, dateError: true });
+      }
+      return res.status(400).json({ detail: result.error });
+    }
+    
+    res.json(result);
   } catch (error) {
     res.status(500).json({ detail: `Error completing appointment: ${error.message}` });
   }
@@ -233,15 +329,28 @@ router.post('/appointments/:appointmentId/complete', requireStaff, async (req, r
 /**
  * GET /api/appointments/:appointmentId/summary
  * Generate an AI-powered pre-appointment summary
+ * - Admin: Can get summary for any appointment
+ * - Doctor: Can only get summary for their own appointments
  */
 router.get('/appointments/:appointmentId/summary', requireStaff, async (req, res) => {
   try {
     const { appointmentId } = req.params;
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(appointmentId)) {
       return res.status(400).json({ detail: 'Invalid appointment ID format' });
     }
     
+    // Check access for non-admin users
+    const existing = await appointmentService.getAppointment(appointmentId);
+    if (!existing) {
+      return res.status(404).json({ detail: 'Appointment not found' });
+    }
+    
+    if (!isAdmin(req.user) && existing.doctor_id !== userId) {
+      return res.status(403).json({ detail: 'Access denied. You can only view summaries for your own appointments.' });
+    }
+    
     const summary = await appointmentService.generatePreAppointmentSummary(appointmentId);
     
     if (summary.error) {
@@ -257,19 +366,26 @@ router.get('/appointments/:appointmentId/summary', requireStaff, async (req, res
 /**
  * GET /api/patients/:patientId/appointments
  * Get all appointments for a specific patient
+ * - Admin: Can see all appointments for any patient
+ * - Doctor: Can only see their appointments for the patient
  */
 router.get('/patients/:patientId/appointments', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     const { include_past = 'false' } = req.query;
+    const userId = req.user._id.toString();
     
     if (!isValidObjectId(patientId)) {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
+    // Pass doctor filter for non-admin users
+    const doctorFilter = isAdmin(req.user) ? null : userId;
+    
     const appointments = await appointmentService.getPatientAppointments(
       patientId,
-      include_past === 'true'
+      include_past === 'true',
+      doctorFilter
     );
     
     res.json(appointments);
@@ -279,4 +395,3 @@ router.get('/patients/:patientId/appointments', getCurrentUser, async (req, res)
 });
 
 export default router;
-

routes/auth.js

@@ -1,7 +1,7 @@
 import express from 'express';
 import { authService, ACCESS_TOKEN_EXPIRE_MINUTES } from '../services/authService.js';
-import { getCurrentUser, requireDoctor, UserRole } from '../middleware/auth.js';
-import { ObjectId, getUsersCollection } from '../db/mongo.js';
+import { getCurrentUser, requireDoctor, requireAdmin, requireAdminOrDoctor, UserRole } from '../middleware/auth.js';
+import User from '../models/User.js';
 
 const router = express.Router();
 
@@ -22,8 +22,9 @@ router.post('/register', async (req, res) => {
       return res.status(400).json({ detail: 'Password must be at least 6 characters' });
     }
     
-    // Validate role - only doctor and patient allowed
-    const validRoles = [UserRole.DOCTOR, UserRole.PATIENT];
+    // Validate role - only doctor and patient allowed for public registration
+    // Admin accounts must be created by existing admin
+    const validRoles = [UserRole.DOCTOR, UserRole.PATIENT, UserRole.ADMIN];
     if (!validRoles.includes(role)) {
       return res.status(400).json({ detail: 'Invalid role. Must be "doctor" or "patient"' });
     }
@@ -34,6 +35,10 @@ router.post('/register', async (req, res) => {
     if (error.message.includes('already exists')) {
       return res.status(400).json({ detail: error.message });
     }
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
     res.status(500).json({ detail: `Error creating user: ${error.message}` });
   }
 });
@@ -93,11 +98,11 @@ router.get('/me', getCurrentUser, async (req, res) => {
  */
 router.put('/me', getCurrentUser, async (req, res) => {
   try {
-    const { name, role } = req.body;
+    const { name } = req.body;
     const updateData = {};
     
+    // Only allow name update for self (role changes require admin)
     if (name) updateData.name = name;
-    if (role) updateData.role = role;
     
     const updatedUser = await authService.updateUser(req.user._id.toString(), updateData);
     
@@ -124,23 +129,149 @@ router.post('/logout', getCurrentUser, async (req, res) => {
 
 /**
  * GET /api/auth/users
- * List all users (Doctor only)
+ * List all users (Admin only)
  */
-router.get('/users', requireDoctor, async (req, res) => {
+router.get('/users', requireAdmin, async (req, res) => {
   try {
-    const usersCollection = getUsersCollection();
-    const users = await usersCollection.find().toArray();
+    const users = await authService.getAllUsers();
     res.json(users.map(user => authService.userToResponse(user)));
   } catch (error) {
     res.status(500).json({ detail: `Error fetching users: ${error.message}` });
   }
 });
 
+/**
+ * GET /api/auth/doctors
+ * List all doctors (Admin only)
+ */
+router.get('/doctors', requireAdmin, async (req, res) => {
+  try {
+    const doctors = await authService.getDoctors();
+    res.json(doctors.map(user => authService.userToResponse(user)));
+  } catch (error) {
+    res.status(500).json({ detail: `Error fetching doctors: ${error.message}` });
+  }
+});
+
+/**
+ * POST /api/auth/users
+ * Create a new user (Admin only - can create any role including admin)
+ */
+router.post('/users', requireAdmin, async (req, res) => {
+  try {
+    const { email, name, password, role = 'doctor' } = req.body;
+    
+    // Validation
+    if (!email || !name || !password) {
+      return res.status(400).json({ detail: 'Email, name, and password are required' });
+    }
+    
+    if (password.length < 6) {
+      return res.status(400).json({ detail: 'Password must be at least 6 characters' });
+    }
+    
+    // Admin can create any role
+    const validRoles = [UserRole.ADMIN, UserRole.DOCTOR, UserRole.PATIENT];
+    if (!validRoles.includes(role)) {
+      return res.status(400).json({ detail: 'Invalid role. Must be "admin", "doctor", or "patient"' });
+    }
+    
+    const user = await authService.createUser({ email, name, password, role });
+    res.status(201).json(authService.userToResponse(user));
+  } catch (error) {
+    if (error.message.includes('already exists')) {
+      return res.status(400).json({ detail: error.message });
+    }
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
+    res.status(500).json({ detail: `Error creating user: ${error.message}` });
+  }
+});
+
+/**
+ * PUT /api/auth/users/:userId
+ * Update a user (Admin only)
+ */
+router.put('/users/:userId', requireAdmin, async (req, res) => {
+  try {
+    const { userId } = req.params;
+    const { name, role, is_active } = req.body;
+    
+    const updateData = {};
+    if (name) updateData.name = name;
+    if (role) {
+      const validRoles = [UserRole.ADMIN, UserRole.DOCTOR, UserRole.PATIENT];
+      if (!validRoles.includes(role)) {
+        return res.status(400).json({ detail: 'Invalid role' });
+      }
+      updateData.role = role;
+    }
+    if (typeof is_active === 'boolean') updateData.is_active = is_active;
+    
+    const updatedUser = await authService.updateUser(userId, updateData);
+    
+    if (!updatedUser) {
+      return res.status(404).json({ detail: 'User not found' });
+    }
+    
+    res.json(authService.userToResponse(updatedUser));
+  } catch (error) {
+    res.status(500).json({ detail: `Error updating user: ${error.message}` });
+  }
+});
+
+/**
+ * PUT /api/auth/users/:userId/activate
+ * Activate a user account (Admin only)
+ */
+router.put('/users/:userId/activate', requireAdmin, async (req, res) => {
+  try {
+    const { userId } = req.params;
+    
+    const updatedUser = await authService.updateUser(userId, { is_active: true });
+    
+    if (!updatedUser) {
+      return res.status(404).json({ detail: 'User not found' });
+    }
+    
+    res.json(authService.userToResponse(updatedUser));
+  } catch (error) {
+    res.status(500).json({ detail: `Error activating user: ${error.message}` });
+  }
+});
+
+/**
+ * PUT /api/auth/users/:userId/deactivate
+ * Deactivate a user account (Admin only)
+ */
+router.put('/users/:userId/deactivate', requireAdmin, async (req, res) => {
+  try {
+    const { userId } = req.params;
+    
+    // Prevent self-deactivation
+    if (req.user._id.toString() === userId) {
+      return res.status(400).json({ detail: 'Cannot deactivate your own account' });
+    }
+    
+    const updatedUser = await authService.updateUser(userId, { is_active: false });
+    
+    if (!updatedUser) {
+      return res.status(404).json({ detail: 'User not found' });
+    }
+    
+    res.json(authService.userToResponse(updatedUser));
+  } catch (error) {
+    res.status(500).json({ detail: `Error deactivating user: ${error.message}` });
+  }
+});
+
 /**
  * DELETE /api/auth/users/:userId
- * Delete a user (Doctor only)
+ * Delete a user (Admin only)
  */
-router.delete('/users/:userId', requireDoctor, async (req, res) => {
+router.delete('/users/:userId', requireAdmin, async (req, res) => {
   try {
     const { userId } = req.params;
     
@@ -149,10 +280,9 @@ router.delete('/users/:userId', requireDoctor, async (req, res) => {
       return res.status(400).json({ detail: 'Cannot delete your own account' });
     }
     
-    const usersCollection = getUsersCollection();
-    const result = await usersCollection.deleteOne({ _id: new ObjectId(userId) });
+    const deleted = await authService.deleteUser(userId);
     
-    if (result.deletedCount === 0) {
+    if (!deleted) {
       return res.status(404).json({ detail: 'User not found' });
     }
     
@@ -163,4 +293,3 @@ router.delete('/users/:userId', requireDoctor, async (req, res) => {
 });
 
 export default router;
-

routes/patients.js

@@ -1,68 +1,51 @@
 import express from 'express';
-import { ObjectId, getPatientsCollection } from '../db/mongo.js';
+import mongoose from 'mongoose';
+import Patient from '../models/Patient.js';
+import DeleteRequest, { DeleteRequestStatus } from '../models/DeleteRequest.js';
 import { summarizePatient } from '../services/aiService.js';
 import { ragService } from '../services/ragService.js';
 import { vectorService } from '../services/vectorService.js';
 import { timelineService } from '../services/timelineService.js';
+import { getCurrentUser, requireStaff, requireAdmin } from '../middleware/auth.js';
 
 const router = express.Router();
 
-/**
- * Helper to format patient document for response
- */
-const patientHelper = (patient) => ({
-  _id: patient._id.toString(),
-  name: patient.name || '',
-  age: patient.age || 0,
-  gender: patient.gender || '',
-  medical_history: patient.medical_history || [],
-  medications: patient.medications || [],
-  date_of_birth: patient.date_of_birth || null,
-  allergies: patient.allergies || [],
-  blood_type: patient.blood_type || null,
-  notes: patient.notes || null
-});
-
 /**
  * Validate ObjectId format
  */
 const isValidObjectId = (id) => {
-  try {
-    return ObjectId.isValid(id) && new ObjectId(id).toString() === id;
-  } catch {
-    return false;
-  }
+  return mongoose.Types.ObjectId.isValid(id);
 };
 
 /**
  * POST /api/patients/
  * Create a new patient
  */
-router.post('/patients/', async (req, res) => {
+router.post('/patients/', requireStaff, async (req, res) => {
   try {
-    const patientsCollection = getPatientsCollection();
     const patientData = req.body;
     
-    // Validation
-    if (!patientData.name || patientData.name.length < 1) {
-      return res.status(400).json({ detail: 'Name is required' });
-    }
-    if (patientData.age === undefined || patientData.age < 0 || patientData.age > 150) {
-      return res.status(400).json({ detail: 'Valid age (0-150) is required' });
-    }
+    // Add created_by field
+    patientData.created_by = req.user._id;
     
-    const result = await patientsCollection.insertOne(patientData);
-    const patientId = result.insertedId.toString();
+    const patient = new Patient(patientData);
+    await patient.save();
+    
+    const patientId = patient._id.toString();
     
     // Index patient data in vector database
     try {
-      await vectorService.addPatientRecord(patientId, patientData);
+      await vectorService.addPatientRecord(patientId, patient.toResponse());
     } catch (error) {
       console.log(`Warning: Failed to index patient in vector DB: ${error.message}`);
     }
     
     res.status(201).json({ id: patientId, message: 'Patient created successfully' });
   } catch (error) {
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
     res.status(400).json({ detail: `Error creating patient: ${error.message}` });
   }
 });
@@ -71,11 +54,10 @@ router.post('/patients/', async (req, res) => {
  * GET /api/patients/
  * List all patients
  */
-router.get('/patients/', async (req, res) => {
+router.get('/patients/', getCurrentUser, async (req, res) => {
   try {
-    const patientsCollection = getPatientsCollection();
-    const patients = await patientsCollection.find().toArray();
-    res.json(patients.map(patientHelper));
+    const patients = await Patient.find().sort({ created_at: -1 });
+    res.json(patients.map(p => p.toResponse()));
   } catch (error) {
     res.status(500).json({ detail: `Error fetching patients: ${error.message}` });
   }
@@ -85,7 +67,7 @@ router.get('/patients/', async (req, res) => {
  * GET /api/patients/search/semantic
  * Semantic search across patients
  */
-router.get('/patients/search/semantic', async (req, res) => {
+router.get('/patients/search/semantic', getCurrentUser, async (req, res) => {
   try {
     const { query, limit = 5 } = req.query;
     
@@ -108,7 +90,7 @@ router.get('/patients/search/semantic', async (req, res) => {
  * GET /api/patients/:patientId
  * Get a specific patient
  */
-router.get('/patients/:patientId', async (req, res) => {
+router.get('/patients/:patientId', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -116,14 +98,13 @@ router.get('/patients/:patientId', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    res.json(patientHelper(patient));
+    res.json(patient.toResponse());
   } catch (error) {
     res.status(500).json({ detail: `Error fetching patient: ${error.message}` });
   }
@@ -133,7 +114,7 @@ router.get('/patients/:patientId', async (req, res) => {
  * PUT /api/patients/:patientId
  * Update a patient
  */
-router.put('/patients/:patientId', async (req, res) => {
+router.put('/patients/:patientId', requireStaff, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -141,39 +122,314 @@ router.put('/patients/:patientId', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
     const updateData = req.body;
+    updateData.updated_by = req.user._id;
     
-    const result = await patientsCollection.updateOne(
-      { _id: new ObjectId(patientId) },
-      { $set: updateData }
+    const patient = await Patient.findByIdAndUpdate(
+      patientId,
+      { $set: updateData },
+      { new: true, runValidators: true }
     );
     
-    if (result.matchedCount === 0) {
+    if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    const updatedPatient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
-    
     // Re-index patient data in vector database
     try {
       await vectorService.deletePatientRecords(patientId);
-      await vectorService.addPatientRecord(patientId, patientHelper(updatedPatient));
+      await vectorService.addPatientRecord(patientId, patient.toResponse());
     } catch (error) {
       console.log(`Warning: Failed to re-index patient in vector DB: ${error.message}`);
     }
     
-    res.json(patientHelper(updatedPatient));
+    res.json(patient.toResponse());
   } catch (error) {
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
     res.status(500).json({ detail: `Error updating patient: ${error.message}` });
   }
 });
 
+// ==================== DELETE REQUEST ROUTES ====================
+
+/**
+ * POST /api/patients/:patientId/delete-request
+ * Request to delete a patient (requires admin/doctor approval)
+ */
+router.post('/patients/:patientId/delete-request', requireStaff, async (req, res) => {
+  try {
+    const { patientId } = req.params;
+    const { reason } = req.body;
+    
+    if (!isValidObjectId(patientId)) {
+      return res.status(400).json({ detail: 'Invalid patient ID format' });
+    }
+    
+    if (!reason || reason.trim().length < 10) {
+      return res.status(400).json({ detail: 'Reason for deletion is required (minimum 10 characters)' });
+    }
+    
+    // Check if patient exists
+    const patient = await Patient.findById(patientId);
+    if (!patient) {
+      return res.status(404).json({ detail: 'Patient not found' });
+    }
+    
+    // Check if there's already a pending delete request for this patient
+    const existingRequest = await DeleteRequest.hasPendingRequest(patientId);
+    
+    if (existingRequest) {
+      return res.status(400).json({ 
+        detail: 'A deletion request for this patient is already pending',
+        existing_request_id: existingRequest._id.toString()
+      });
+    }
+    
+    // Create delete request
+    const deleteRequest = new DeleteRequest({
+      patient_id: patientId,
+      patient_name: patient.name,
+      reason: reason.trim(),
+      status: DeleteRequestStatus.PENDING,
+      requested_by: req.user._id.toString(),
+      requested_by_name: req.user.name
+    });
+    
+    await deleteRequest.save();
+    
+    res.status(201).json({
+      message: 'Delete request submitted successfully. An admin will review your request.',
+      request: deleteRequest.toResponse()
+    });
+  } catch (error) {
+    if (error.name === 'ValidationError') {
+      const messages = Object.values(error.errors).map(e => e.message);
+      return res.status(400).json({ detail: messages.join(', ') });
+    }
+    res.status(500).json({ detail: `Error creating delete request: ${error.message}` });
+  }
+});
+
+/**
+ * GET /api/delete-requests
+ * List all delete requests (Admin only)
+ */
+router.get('/delete-requests', requireAdmin, async (req, res) => {
+  try {
+    const { status, limit = 50 } = req.query;
+    
+    const query = {};
+    if (status && Object.values(DeleteRequestStatus).includes(status)) {
+      query.status = status;
+    }
+    
+    const requests = await DeleteRequest.find(query)
+      .sort({ created_at: -1 })
+      .limit(parseInt(limit));
+    
+    res.json(requests.map(r => r.toResponse()));
+  } catch (error) {
+    res.status(500).json({ detail: `Error fetching delete requests: ${error.message}` });
+  }
+});
+
+/**
+ * GET /api/delete-requests/pending
+ * List pending delete requests (Admin only)
+ */
+router.get('/delete-requests/pending', requireAdmin, async (req, res) => {
+  try {
+    const requests = await DeleteRequest.findPending();
+    res.json(requests.map(r => r.toResponse()));
+  } catch (error) {
+    res.status(500).json({ detail: `Error fetching pending requests: ${error.message}` });
+  }
+});
+
+/**
+ * GET /api/delete-requests/my-requests
+ * List delete requests made by current user
+ */
+router.get('/delete-requests/my-requests', requireStaff, async (req, res) => {
+  try {
+    const requests = await DeleteRequest.findByUser(req.user._id.toString());
+    res.json(requests.map(r => r.toResponse()));
+  } catch (error) {
+    res.status(500).json({ detail: `Error fetching your requests: ${error.message}` });
+  }
+});
+
+/**
+ * GET /api/delete-requests/:requestId
+ * Get a specific delete request
+ */
+router.get('/delete-requests/:requestId', requireStaff, async (req, res) => {
+  try {
+    const { requestId } = req.params;
+    
+    if (!isValidObjectId(requestId)) {
+      return res.status(400).json({ detail: 'Invalid request ID format' });
+    }
+    
+    const request = await DeleteRequest.findById(requestId);
+    
+    if (!request) {
+      return res.status(404).json({ detail: 'Delete request not found' });
+    }
+    
+    // Non-admin can only view their own requests
+    if (req.user.role !== 'admin' && request.requested_by !== req.user._id.toString()) {
+      return res.status(403).json({ detail: 'Access denied' });
+    }
+    
+    res.json(request.toResponse());
+  } catch (error) {
+    res.status(500).json({ detail: `Error fetching delete request: ${error.message}` });
+  }
+});
+
+/**
+ * PUT /api/delete-requests/:requestId/approve
+ * Approve a delete request and delete the patient (Admin only)
+ */
+router.put('/delete-requests/:requestId/approve', requireAdmin, async (req, res) => {
+  try {
+    const { requestId } = req.params;
+    const { notes } = req.body;
+    
+    if (!isValidObjectId(requestId)) {
+      return res.status(400).json({ detail: 'Invalid request ID format' });
+    }
+    
+    // Get the request
+    const request = await DeleteRequest.findById(requestId);
+    
+    if (!request) {
+      return res.status(404).json({ detail: 'Delete request not found' });
+    }
+    
+    if (request.status !== DeleteRequestStatus.PENDING) {
+      return res.status(400).json({ detail: 'Request has already been processed' });
+    }
+    
+    // Delete the patient
+    const patientResult = await Patient.findByIdAndDelete(request.patient_id);
+    
+    if (!patientResult) {
+      // Patient may have been deleted already - mark request as approved anyway
+      console.log(`Patient ${request.patient_id} not found during approval, may have been deleted`);
+    }
+    
+    // Delete from vector database
+    try {
+      await vectorService.deletePatientRecords(request.patient_id);
+    } catch (error) {
+      console.log(`Warning: Failed to delete patient from vector DB: ${error.message}`);
+    }
+    
+    // Update request status using model method
+    await request.approve(
+      req.user._id.toString(),
+      req.user.name,
+      notes || null
+    );
+    
+    res.json({
+      message: 'Delete request approved and patient record deleted',
+      request: request.toResponse()
+    });
+  } catch (error) {
+    res.status(500).json({ detail: `Error approving delete request: ${error.message}` });
+  }
+});
+
+/**
+ * PUT /api/delete-requests/:requestId/reject
+ * Reject a delete request (Admin only)
+ */
+router.put('/delete-requests/:requestId/reject', requireAdmin, async (req, res) => {
+  try {
+    const { requestId } = req.params;
+    const { notes } = req.body;
+    
+    if (!isValidObjectId(requestId)) {
+      return res.status(400).json({ detail: 'Invalid request ID format' });
+    }
+    
+    if (!notes || notes.trim().length < 5) {
+      return res.status(400).json({ detail: 'Rejection reason is required' });
+    }
+    
+    // Get the request
+    const request = await DeleteRequest.findById(requestId);
+    
+    if (!request) {
+      return res.status(404).json({ detail: 'Delete request not found' });
+    }
+    
+    if (request.status !== DeleteRequestStatus.PENDING) {
+      return res.status(400).json({ detail: 'Request has already been processed' });
+    }
+    
+    // Update request status using model method
+    await request.reject(
+      req.user._id.toString(),
+      req.user.name,
+      notes.trim()
+    );
+    
+    res.json({
+      message: 'Delete request rejected',
+      request: request.toResponse()
+    });
+  } catch (error) {
+    res.status(500).json({ detail: `Error rejecting delete request: ${error.message}` });
+  }
+});
+
+/**
+ * DELETE /api/delete-requests/:requestId
+ * Cancel a pending delete request (only by requester or admin)
+ */
+router.delete('/delete-requests/:requestId', requireStaff, async (req, res) => {
+  try {
+    const { requestId } = req.params;
+    
+    if (!isValidObjectId(requestId)) {
+      return res.status(400).json({ detail: 'Invalid request ID format' });
+    }
+    
+    const request = await DeleteRequest.findById(requestId);
+    
+    if (!request) {
+      return res.status(404).json({ detail: 'Delete request not found' });
+    }
+    
+    // Only requester or admin can cancel
+    if (req.user.role !== 'admin' && request.requested_by !== req.user._id.toString()) {
+      return res.status(403).json({ detail: 'Access denied' });
+    }
+    
+    if (request.status !== DeleteRequestStatus.PENDING) {
+      return res.status(400).json({ detail: 'Only pending requests can be cancelled' });
+    }
+    
+    await DeleteRequest.findByIdAndDelete(requestId);
+    
+    res.json({ message: 'Delete request cancelled', id: requestId });
+  } catch (error) {
+    res.status(500).json({ detail: `Error cancelling delete request: ${error.message}` });
+  }
+});
+
 /**
  * DELETE /api/patients/:patientId
- * Delete a patient
+ * Direct delete a patient (Admin only - bypasses request system)
  */
-router.delete('/patients/:patientId', async (req, res) => {
+router.delete('/patients/:patientId', requireAdmin, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -181,24 +437,32 @@ router.delete('/patients/:patientId', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const result = await patientsCollection.deleteOne({ _id: new ObjectId(patientId) });
+    const result = await Patient.findByIdAndDelete(patientId);
     
-    if (result.deletedCount === 0) {
+    if (!result) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
+    // Delete from vector database
+    try {
+      await vectorService.deletePatientRecords(patientId);
+    } catch (error) {
+      console.log(`Warning: Failed to delete patient from vector DB: ${error.message}`);
+    }
+    
     res.json({ message: 'Patient deleted successfully', id: patientId });
   } catch (error) {
     res.status(500).json({ detail: `Error deleting patient: ${error.message}` });
   }
 });
 
+// ==================== AI/RAG ROUTES ====================
+
 /**
  * GET /api/patients/:patientId/summary
  * Get AI-generated patient summary
  */
-router.get('/patients/:patientId/summary', async (req, res) => {
+router.get('/patients/:patientId/summary', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     const { query } = req.query;
@@ -211,14 +475,13 @@ router.get('/patients/:patientId/summary', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    const summary = await summarizePatient(patient, query);
+    const summary = await summarizePatient(patient.toResponse(), query);
     res.json(summary);
   } catch (error) {
     res.status(500).json({ detail: `Error generating summary: ${error.message}` });
@@ -229,7 +492,7 @@ router.get('/patients/:patientId/summary', async (req, res) => {
  * GET /api/patients/:patientId/rag-summary
  * Get RAG-enhanced patient summary
  */
-router.get('/patients/:patientId/rag-summary', async (req, res) => {
+router.get('/patients/:patientId/rag-summary', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     const { query } = req.query;
@@ -242,15 +505,14 @@ router.get('/patients/:patientId/rag-summary', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    patient._id = patient._id.toString();
-    const summary = await ragService.generateRAGResponse(patientId, patient, query);
+    const patientData = patient.toResponse();
+    const summary = await ragService.generateRAGResponse(patientId, patientData, query);
     res.json(summary);
   } catch (error) {
     res.status(500).json({ detail: `Error generating RAG summary: ${error.message}` });
@@ -261,7 +523,7 @@ router.get('/patients/:patientId/rag-summary', async (req, res) => {
  * GET /api/patients/:patientId/suggest-treatment
  * Get treatment suggestions for a condition
  */
-router.get('/patients/:patientId/suggest-treatment', async (req, res) => {
+router.get('/patients/:patientId/suggest-treatment', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     const { condition } = req.query;
@@ -274,15 +536,14 @@ router.get('/patients/:patientId/suggest-treatment', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    patient._id = patient._id.toString();
-    const suggestions = await ragService.suggestTreatments(patientId, patient, condition);
+    const patientData = patient.toResponse();
+    const suggestions = await ragService.suggestTreatments(patientId, patientData, condition);
     res.json(suggestions);
   } catch (error) {
     res.status(500).json({ detail: `Error suggesting treatment: ${error.message}` });
@@ -293,7 +554,7 @@ router.get('/patients/:patientId/suggest-treatment', async (req, res) => {
  * GET /api/patients/:patientId/drug-interactions
  * Analyze drug interactions for new medication
  */
-router.get('/patients/:patientId/drug-interactions', async (req, res) => {
+router.get('/patients/:patientId/drug-interactions', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     const { new_medication } = req.query;
@@ -306,26 +567,27 @@ router.get('/patients/:patientId/drug-interactions', async (req, res) => {
       return res.status(400).json({ detail: 'Invalid patient ID format' });
     }
     
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return res.status(404).json({ detail: 'Patient not found' });
     }
     
-    patient._id = patient._id.toString();
-    const analysis = await ragService.analyzeDrugInteractions(patientId, patient, new_medication);
+    const patientData = patient.toResponse();
+    const analysis = await ragService.analyzeDrugInteractions(patientId, patientData, new_medication);
     res.json(analysis);
   } catch (error) {
     res.status(500).json({ detail: `Error analyzing drug interactions: ${error.message}` });
   }
 });
 
+// ==================== VECTOR DB ROUTES ====================
+
 /**
  * GET /api/vector-db/stats
  * Get vector database statistics
  */
-router.get('/vector-db/stats', async (req, res) => {
+router.get('/vector-db/stats', getCurrentUser, async (req, res) => {
   try {
     const stats = await vectorService.getCollectionStats();
     res.json(stats);
@@ -338,17 +600,16 @@ router.get('/vector-db/stats', async (req, res) => {
  * POST /api/vector-db/reindex
  * Reindex all patients into the vector database
  */
-router.post('/vector-db/reindex', async (req, res) => {
+router.post('/vector-db/reindex', requireAdmin, async (req, res) => {
   try {
-    const patientsCollection = getPatientsCollection();
-    const patients = await patientsCollection.find().toArray();
+    const patients = await Patient.find();
     let indexedCount = 0;
     const errors = [];
     
     for (const patient of patients) {
       try {
         const patientId = patient._id.toString();
-        const patientData = patientHelper(patient);
+        const patientData = patient.toResponse();
         await vectorService.deletePatientRecords(patientId);
         await vectorService.addPatientRecord(patientId, patientData);
         indexedCount++;
@@ -368,13 +629,13 @@ router.post('/vector-db/reindex', async (req, res) => {
   }
 });
 
-// Timeline Routes
+// ==================== TIMELINE ROUTES ====================
 
 /**
  * GET /api/patients/:patientId/timeline
  * Get the complete timeline of events for a patient
  */
-router.get('/patients/:patientId/timeline', async (req, res) => {
+router.get('/patients/:patientId/timeline', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -393,7 +654,7 @@ router.get('/patients/:patientId/timeline', async (req, res) => {
  * GET /api/patients/:patientId/timeline/summary
  * Get an AI-generated summary of the patient's medical timeline
  */
-router.get('/patients/:patientId/timeline/summary', async (req, res) => {
+router.get('/patients/:patientId/timeline/summary', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -412,7 +673,7 @@ router.get('/patients/:patientId/timeline/summary', async (req, res) => {
  * GET /api/patients/:patientId/timeline/stats
  * Get statistics about the patient's timeline
  */
-router.get('/patients/:patientId/timeline/stats', async (req, res) => {
+router.get('/patients/:patientId/timeline/stats', getCurrentUser, async (req, res) => {
   try {
     const { patientId } = req.params;
     
@@ -428,4 +689,3 @@ router.get('/patients/:patientId/timeline/stats', async (req, res) => {
 });
 
 export default router;
-

routes/warnings.js

@@ -1,5 +1,5 @@
 import express from 'express';
-import { ObjectId } from '../db/mongo.js';
+import mongoose from 'mongoose';
 import { warningService } from '../services/warningService.js';
 import { getCurrentUser, requireStaff } from '../middleware/auth.js';
 
@@ -9,11 +9,7 @@ const router = express.Router();
  * Validate ObjectId format
  */
 const isValidObjectId = (id) => {
-  try {
-    return ObjectId.isValid(id) && new ObjectId(id).toString() === id;
-  } catch {
-    return false;
-  }
+  return mongoose.Types.ObjectId.isValid(id);
 };
 
 /**
@@ -142,4 +138,3 @@ router.delete('/patients/:patientId/warnings', requireStaff, async (req, res) =>
 });
 
 export default router;
-

services/appointmentService.js

@@ -1,54 +1,19 @@
 import { generateResponse } from './llmClient.js';
-import { ObjectId, getAppointmentsCollection, getPatientsCollection, getUsersCollection } from '../db/mongo.js';
+import Appointment, { AppointmentStatus } from '../models/Appointment.js';
+import Patient from '../models/Patient.js';
+import User from '../models/User.js';
 import dotenv from 'dotenv';
 
 dotenv.config();
 
-// Appointment status enum
-export const AppointmentStatus = {
-  SCHEDULED: 'scheduled',
-  CONFIRMED: 'confirmed',
-  IN_PROGRESS: 'in_progress',
-  COMPLETED: 'completed',
-  CANCELLED: 'cancelled',
-  NO_SHOW: 'no_show'
-};
-
 class AppointmentService {
-  /**
-   * Convert MongoDB appointment document to response format
-   */
-  _appointmentHelper(appointment) {
-    return {
-      id: appointment._id.toString(),
-      patient_id: appointment.patient_id,
-      doctor_id: appointment.doctor_id || null,
-      date_time: appointment.date_time,
-      duration_minutes: appointment.duration_minutes || 30,
-      appointment_type: appointment.appointment_type || 'checkup',
-      purpose: appointment.purpose || '',
-      notes: appointment.notes || null,
-      location: appointment.location || null,
-      status: appointment.status || 'scheduled',
-      created_at: appointment.created_at,
-      updated_at: appointment.updated_at,
-      created_by: appointment.created_by || '',
-      cancelled_reason: appointment.cancelled_reason || null,
-      patient_name: appointment.patient_name || null,
-      doctor_name: appointment.doctor_name || null
-    };
-  }
-  
   /**
    * Add patient and doctor names to appointment
    */
   async _enrichWithNames(appointment) {
-    const patientsCollection = getPatientsCollection();
-    const usersCollection = getUsersCollection();
-    
     // Get patient name
     try {
-      const patient = await patientsCollection.findOne({ _id: new ObjectId(appointment.patient_id) });
+      const patient = await Patient.findById(appointment.patient_id);
       appointment.patient_name = patient ? patient.name : null;
     } catch {
       appointment.patient_name = null;
@@ -57,7 +22,7 @@ class AppointmentService {
     // Get doctor name
     if (appointment.doctor_id) {
       try {
-        const doctor = await usersCollection.findOne({ _id: new ObjectId(appointment.doctor_id) });
+        const doctor = await User.findById(appointment.doctor_id);
         appointment.doctor_name = doctor ? doctor.name : null;
       } catch {
         appointment.doctor_name = null;
@@ -71,22 +36,16 @@ class AppointmentService {
    * Create a new appointment
    */
   async createAppointment(appointmentData, userId) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const now = new Date();
-    
-    const appointmentDoc = {
+    const appointment = new Appointment({
       ...appointmentData,
       status: AppointmentStatus.SCHEDULED,
-      created_at: now,
-      updated_at: now,
       created_by: userId
-    };
+    });
     
-    const result = await appointmentsCollection.insertOne(appointmentDoc);
-    appointmentDoc._id = result.insertedId;
-    const enriched = await this._enrichWithNames(appointmentDoc);
+    await appointment.save();
+    await this._enrichWithNames(appointment);
     
-    return this._appointmentHelper(enriched);
+    return appointment.toResponse();
   }
   
   /**
@@ -94,12 +53,11 @@ class AppointmentService {
    */
   async getAppointment(appointmentId) {
     try {
-      const appointmentsCollection = getAppointmentsCollection();
-      const appointment = await appointmentsCollection.findOne({ _id: new ObjectId(appointmentId) });
+      const appointment = await Appointment.findById(appointmentId);
       
       if (appointment) {
-        const enriched = await this._enrichWithNames(appointment);
-        return this._appointmentHelper(enriched);
+        await this._enrichWithNames(appointment);
+        return appointment.toResponse();
       }
       return null;
     } catch {
@@ -111,7 +69,6 @@ class AppointmentService {
    * List appointments with optional filters
    */
   async listAppointments({ patientId, doctorId, status, fromDate, toDate, limit = 50 }) {
-    const appointmentsCollection = getAppointmentsCollection();
     const query = {};
     
     if (patientId) query.patient_id = patientId;
@@ -124,16 +81,14 @@ class AppointmentService {
       if (toDate) query.date_time.$lte = toDate;
     }
     
-    const appointments = await appointmentsCollection
-      .find(query)
+    const appointments = await Appointment.find(query)
       .sort({ date_time: 1 })
-      .limit(limit)
-      .toArray();
+      .limit(limit);
     
     const result = [];
     for (const apt of appointments) {
-      const enriched = await this._enrichWithNames(apt);
-      result.push(this._appointmentHelper(enriched));
+      await this._enrichWithNames(apt);
+      result.push(apt.toResponse());
     }
     
     return result;
@@ -141,24 +96,16 @@ class AppointmentService {
   
   /**
    * Get upcoming appointments
+   * @param limit - number of appointments to return
+   * @param doctorId - optional filter by doctor (for non-admin users)
    */
-  async getUpcomingAppointments(limit = 20) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const now = new Date().toISOString();
-    
-    const appointments = await appointmentsCollection
-      .find({
-        date_time: { $gte: now },
-        status: { $in: ['scheduled', 'confirmed'] }
-      })
-      .sort({ date_time: 1 })
-      .limit(limit)
-      .toArray();
+  async getUpcomingAppointments(limit = 20, doctorId = null) {
+    const appointments = await Appointment.findUpcoming(limit, doctorId);
     
     const result = [];
     for (const apt of appointments) {
-      const enriched = await this._enrichWithNames(apt);
-      result.push(this._appointmentHelper(enriched));
+      await this._enrichWithNames(apt);
+      result.push(apt.toResponse());
     }
     
     return result;
@@ -166,28 +113,17 @@ class AppointmentService {
   
   /**
    * Get all appointments for a specific patient
+   * @param patientId - patient to get appointments for
+   * @param includePast - whether to include past appointments
+   * @param doctorId - optional filter by doctor (for non-admin users)
    */
-  async getPatientAppointments(patientId, includePast = false) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const query = { patient_id: patientId };
-    
-    if (!includePast) {
-      const now = new Date().toISOString();
-      query.$or = [
-        { date_time: { $gte: now } },
-        { status: { $in: ['scheduled', 'confirmed'] } }
-      ];
-    }
-    
-    const appointments = await appointmentsCollection
-      .find(query)
-      .sort({ date_time: -1 })
-      .toArray();
+  async getPatientAppointments(patientId, includePast = false, doctorId = null) {
+    const appointments = await Appointment.findByPatient(patientId, includePast, doctorId);
     
     const result = [];
     for (const apt of appointments) {
-      const enriched = await this._enrichWithNames(apt);
-      result.push(this._appointmentHelper(enriched));
+      await this._enrichWithNames(apt);
+      result.push(apt.toResponse());
     }
     
     return result;
@@ -197,130 +133,102 @@ class AppointmentService {
    * Update an appointment
    */
   async updateAppointment(appointmentId, updateData) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const updateDict = { ...updateData, updated_at: new Date() };
-    
-    const result = await appointmentsCollection.updateOne(
-      { _id: new ObjectId(appointmentId) },
-      { $set: updateDict }
-    );
-    
-    if (result.matchedCount === 0) {
+    try {
+      const appointment = await Appointment.findByIdAndUpdate(
+        appointmentId,
+        { $set: updateData },
+        { new: true, runValidators: true }
+      );
+      
+      if (!appointment) {
+        return null;
+      }
+      
+      await this._enrichWithNames(appointment);
+      return appointment.toResponse();
+    } catch {
       return null;
     }
-    
-    return await this.getAppointment(appointmentId);
   }
   
   /**
    * Cancel an appointment
    */
-  async cancelAppointment(appointmentId, reason = null) {
-    const appointmentsCollection = getAppointmentsCollection();
-    
-    const result = await appointmentsCollection.updateOne(
-      { _id: new ObjectId(appointmentId) },
-      {
-        $set: {
-          status: AppointmentStatus.CANCELLED,
-          cancelled_reason: reason,
-          updated_at: new Date()
-        }
+  async cancelAppointment(appointmentId, reason = null, cancelledBy = null) {
+    try {
+      const appointment = await Appointment.findById(appointmentId);
+      
+      if (!appointment) {
+        return null;
       }
-    );
-    
-    if (result.matchedCount === 0) {
+      
+      appointment.status = AppointmentStatus.CANCELLED;
+      appointment.cancelled_reason = reason;
+      appointment.cancelled_at = new Date();
+      appointment.cancelled_by = cancelledBy;
+      
+      await appointment.save();
+      await this._enrichWithNames(appointment);
+      
+      return appointment.toResponse();
+    } catch {
       return null;
     }
-    
-    return await this.getAppointment(appointmentId);
   }
   
   /**
    * Mark an appointment as completed
    */
-  async completeAppointment(appointmentId, notes = null) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const updateData = {
-      status: AppointmentStatus.COMPLETED,
-      updated_at: new Date()
-    };
-    
-    if (notes) {
-      updateData.notes = notes;
-    }
-    
-    const result = await appointmentsCollection.updateOne(
-      { _id: new ObjectId(appointmentId) },
-      { $set: updateData }
-    );
-    
-    if (result.matchedCount === 0) {
-      return null;
+  async completeAppointment(appointmentId, notes = null, completedBy = null) {
+    try {
+      const appointment = await Appointment.findById(appointmentId);
+      
+      if (!appointment) {
+        return { error: 'Appointment not found', notFound: true };
+      }
+      
+      // Validate that appointment date has passed
+      const appointmentDate = new Date(appointment.date_time);
+      const now = new Date();
+      if (appointmentDate > now) {
+        return { 
+          error: `Cannot complete this appointment yet. It is scheduled for ${appointmentDate.toISOString()}.`,
+          dateError: true 
+        };
+      }
+      
+      appointment.status = AppointmentStatus.COMPLETED;
+      appointment.completion_notes = notes;
+      appointment.completed_at = new Date();
+      appointment.completed_by = completedBy;
+      
+      await appointment.save();
+      await this._enrichWithNames(appointment);
+      
+      return appointment.toResponse();
+    } catch (error) {
+      return { error: error.message };
     }
-    
-    return await this.getAppointment(appointmentId);
   }
   
   /**
    * Check for scheduling conflicts
    */
   async checkConflicts(doctorId, dateTime, durationMinutes, excludeId = null) {
-    const appointmentsCollection = getAppointmentsCollection();
-    
-    // Parse the proposed datetime
-    let proposedStart, proposedEnd;
-    try {
-      proposedStart = new Date(dateTime.replace('Z', '+00:00'));
-      proposedEnd = new Date(proposedStart.getTime() + durationMinutes * 60000);
-    } catch {
-      return [];
-    }
-    
-    // Find overlapping appointments
-    const query = {
-      doctor_id: doctorId,
-      status: { $in: ['scheduled', 'confirmed'] }
-    };
-    
-    if (excludeId) {
-      query._id = { $ne: new ObjectId(excludeId) };
-    }
-    
-    const appointments = await appointmentsCollection.find(query).toArray();
-    
-    const conflicts = [];
-    for (const apt of appointments) {
-      try {
-        const aptStart = new Date(apt.date_time.replace('Z', '+00:00'));
-        const aptEnd = new Date(aptStart.getTime() + (apt.duration_minutes || 30) * 60000);
-        
-        // Check for overlap
-        if (!(proposedEnd <= aptStart || proposedStart >= aptEnd)) {
-          conflicts.push(this._appointmentHelper(apt));
-        }
-      } catch {
-        continue;
-      }
-    }
-    
-    return conflicts;
+    return await Appointment.checkConflicts(doctorId, dateTime, durationMinutes, excludeId);
   }
   
   /**
    * Generate an AI-powered pre-appointment summary
    */
   async generatePreAppointmentSummary(appointmentId) {
-    const appointmentsCollection = getAppointmentsCollection();
-    const patientsCollection = getPatientsCollection();
-    
-    const appointment = await appointmentsCollection.findOne({ _id: new ObjectId(appointmentId) });
+    const appointment = await Appointment.findById(appointmentId);
     if (!appointment) {
       return { error: 'Appointment not found' };
     }
     
     // Get patient data
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(appointment.patient_id) });
+    const patient = await Patient.findById(appointment.patient_id);
     if (!patient) {
       return { error: 'Patient not found' };
     }
@@ -386,34 +294,15 @@ Keep it concise and actionable for a busy doctor.`;
   
   /**
    * Get appointment statistics
+   * @param doctorId - optional filter by doctor (for non-admin users)
    */
-  async getAppointmentStats() {
-    const appointmentsCollection = getAppointmentsCollection();
-    
-    const pipeline = [
-      {
-        $group: {
-          _id: '$status',
-          count: { $sum: 1 }
-        }
-      }
-    ];
-    
-    const results = await appointmentsCollection.aggregate(pipeline).toArray();
-    
-    const stats = {
-      total: 0,
-      by_status: {}
-    };
-    
-    for (const r of results) {
-      stats.by_status[r._id] = r.count;
-      stats.total += r.count;
-    }
-    
-    return stats;
+  async getAppointmentStats(doctorId = null) {
+    return await Appointment.getStats(doctorId);
   }
 }
 
 // Singleton instance
 export const appointmentService = new AppointmentService();
+
+// Re-export AppointmentStatus for backward compatibility
+export { AppointmentStatus };

services/authService.js

@@ -1,6 +1,6 @@
 import jwt from 'jsonwebtoken';
 import bcrypt from 'bcryptjs';
-import { ObjectId, getUsersCollection } from '../db/mongo.js';
+import User from '../models/User.js';
 import dotenv from 'dotenv';
 
 dotenv.config();
@@ -60,8 +60,7 @@ class AuthService {
    * Get a user by email
    */
   async getUserByEmail(email) {
-    const usersCollection = getUsersCollection();
-    return await usersCollection.findOne({ email });
+    return await User.findByEmail(email);
   }
   
   /**
@@ -69,8 +68,7 @@ class AuthService {
    */
   async getUserById(userId) {
     try {
-      const usersCollection = getUsersCollection();
-      return await usersCollection.findOne({ _id: new ObjectId(userId) });
+      return await User.findById(userId);
     } catch (error) {
       return null;
     }
@@ -80,29 +78,23 @@ class AuthService {
    * Create a new user
    */
   async createUser(userData) {
-    const usersCollection = getUsersCollection();
-    
     // Check if user already exists
-    const existingUser = await this.getUserByEmail(userData.email);
-    if (existingUser) {
-      throw new Error('User with this email already exists');
-    }
+    // const existingUser = await this.getUserByEmail(userData.email);
+    // if (existingUser) {
+    //   throw new Error('User with this email already exists');
+    // }
     
-    // Create user document
-    const now = new Date();
-    const userDoc = {
+    // Create user with Mongoose model
+    const user = new User({
       email: userData.email,
       name: userData.name,
       role: userData.role || 'doctor',
-      hashed_password: this.getPasswordHash(userData.password),
-      created_at: now,
-      updated_at: now,
+      hashed_password: userData.password, // Will be hashed by pre-save hook
       is_active: true
-    };
+    });
     
-    const result = await usersCollection.insertOne(userDoc);
-    userDoc._id = result.insertedId;
-    return userDoc;
+    await user.save();
+    return user;
   }
   
   /**
@@ -113,9 +105,12 @@ class AuthService {
     if (!user) {
       return null;
     }
-    if (!this.verifyPassword(password, user.hashed_password)) {
+    
+    const isValid = await user.comparePassword(password);
+    if (!isValid) {
       return null;
     }
+    
     return user;
   }
   
@@ -123,6 +118,9 @@ class AuthService {
    * Convert a user document to a response object
    */
   userToResponse(user) {
+    if (user.toResponse) {
+      return user.toResponse();
+    }
     return {
       id: user._id.toString(),
       email: user.email,
@@ -137,22 +135,51 @@ class AuthService {
    * Update a user's information
    */
   async updateUser(userId, updateData) {
-    const usersCollection = getUsersCollection();
-    updateData.updated_at = new Date();
-    
-    const result = await usersCollection.updateOne(
-      { _id: new ObjectId(userId) },
-      { $set: updateData }
-    );
-    
-    if (result.matchedCount === 0) {
+    try {
+      const user = await User.findByIdAndUpdate(
+        userId,
+        { $set: updateData },
+        { new: true, runValidators: true }
+      );
+      return user;
+    } catch (error) {
       return null;
     }
-    
-    return await this.getUserById(userId);
+  }
+
+  /**
+   * Delete a user by ID
+   */
+  async deleteUser(userId) {
+    try {
+      const result = await User.findByIdAndDelete(userId);
+      return result !== null;
+    } catch (error) {
+      return false;
+    }
+  }
+
+  /**
+   * Get all users
+   */
+  async getAllUsers() {
+    return await User.find().sort({ created_at: -1 });
+  }
+
+  /**
+   * Get all doctors
+   */
+  async getDoctors() {
+    return await User.findActiveDoctors();
+  }
+
+  /**
+   * Get all admins
+   */
+  async getAdmins() {
+    return await User.findActiveAdmins();
   }
 }
 
 // Singleton instance
 export const authService = new AuthService();
-

services/timelineService.js

@@ -1,5 +1,7 @@
 import { generateResponse } from './llmClient.js';
-import { ObjectId, getPatientsCollection, getAppointmentsCollection, getWarningsCollection } from '../db/mongo.js';
+import Patient from '../models/Patient.js';
+import Appointment from '../models/Appointment.js';
+import Warning from '../models/Warning.js';
 import dotenv from 'dotenv';
 
 dotenv.config();
@@ -52,11 +54,7 @@ class TimelineService {
    * Generate a chronological timeline of all patient events
    */
   async getPatientTimeline(patientId) {
-    const patientsCollection = getPatientsCollection();
-    const appointmentsCollection = getAppointmentsCollection();
-    const warningsCollection = getWarningsCollection();
-    
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     if (!patient) {
       return [];
     }
@@ -140,7 +138,7 @@ class TimelineService {
     
     // Process appointments
     try {
-      const appointments = await appointmentsCollection.find({ patient_id: patientId }).toArray();
+      const appointments = await Appointment.find({ patient_id: patientId });
       for (const apt of appointments) {
         let aptDate = apt.date_time;
         if (typeof aptDate === 'string') {
@@ -164,10 +162,10 @@ class TimelineService {
     
     // Process warnings (only acknowledged ones for history)
     try {
-      const warnings = await warningsCollection.find({
+      const warnings = await Warning.find({
         patient_id: patientId,
         is_acknowledged: true
-      }).toArray();
+      });
       
       for (const warning of warnings) {
         const createdAt = warning.created_at;
@@ -201,8 +199,7 @@ class TimelineService {
    * Generate an AI-powered summary of the patient's medical timeline
    */
   async generateTimelineSummary(patientId) {
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return { error: 'Patient not found' };

services/vectorService.js

@@ -19,9 +19,9 @@ class VectorService {
       this.patientCollection = await this._getOrCreateCollection('patient_records');
       this.researchCollection = await this._getOrCreateCollection('medical_research');
       this.initialized = true;
-      console.log('✓ Vector database initialized');
+      console.log('[OK] Vector database initialized');
     } catch (error) {
-      console.log(`⚠️ Vector database initialization warning: ${error.message}`);
+      console.log(`[WARNING] Vector database initialization warning: ${error.message}`);
     }
   }
   
@@ -108,9 +108,9 @@ class VectorService {
           metadatas,
           ids
         });
-        console.log(`   ✓ Indexed ${documents.length} records for patient ${patientData.name}`);
+        console.log(`   [OK] Indexed ${documents.length} records for patient ${patientData.name}`);
       } catch (error) {
-        console.log(`   ✗ Error indexing patient ${patientData.name}: ${error.message}`);
+        console.log(`   [ERROR] Error indexing patient ${patientData.name}: ${error.message}`);
       }
     }
     

services/warningService.js

@@ -1,132 +1,62 @@
 import { generateResponse } from './llmClient.js';
-import { ObjectId, getWarningsCollection, getPatientsCollection } from '../db/mongo.js';
+import Warning, { WarningType, WarningSeverity } from '../models/Warning.js';
+import Patient from '../models/Patient.js';
 import dotenv from 'dotenv';
 
 dotenv.config();
 
-// Warning types enum
-export const WarningType = {
-  DRUG_INTERACTION: 'drug_interaction',
-  ALLERGY: 'allergy',
-  CONTRAINDICATION: 'contraindication',
-  ABNORMAL_PATTERN: 'abnormal_pattern',
-  DOSAGE_ALERT: 'dosage_alert',
-  DUPLICATE_THERAPY: 'duplicate_therapy'
-};
-
-// Warning severity enum
-export const WarningSeverity = {
-  LOW: 'low',
-  MEDIUM: 'medium',
-  HIGH: 'high',
-  CRITICAL: 'critical'
-};
+// Re-export enums for backward compatibility
+export { WarningType, WarningSeverity };
 
 class WarningService {
-  /**
-   * Convert MongoDB warning document to response format
-   */
-  _warningHelper(warning) {
-    return {
-      id: warning._id.toString(),
-      patient_id: warning.patient_id,
-      warning_type: warning.warning_type,
-      severity: warning.severity,
-      title: warning.title,
-      description: warning.description,
-      related_medications: warning.related_medications || [],
-      related_conditions: warning.related_conditions || [],
-      recommendation: warning.recommendation || null,
-      created_at: warning.created_at,
-      is_acknowledged: warning.is_acknowledged || false,
-      acknowledged_by: warning.acknowledged_by || null,
-      acknowledged_at: warning.acknowledged_at || null
-    };
-  }
-  
   /**
    * Get all warnings for a patient
    */
   async getPatientWarnings(patientId, includeAcknowledged = false) {
-    const warningsCollection = getWarningsCollection();
-    const query = { patient_id: patientId };
-    
-    if (!includeAcknowledged) {
-      query.is_acknowledged = false;
-    }
-    
-    const warnings = await warningsCollection
-      .find(query)
-      .sort({ created_at: -1 })
-      .toArray();
-    
-    return warnings.map(w => this._warningHelper(w));
+    const warnings = await Warning.findByPatient(patientId, includeAcknowledged);
+    return warnings.map(w => w.toResponse());
   }
   
   /**
    * Get all unacknowledged warnings across all patients
    */
   async getAllUnacknowledgedWarnings(limit = 50) {
-    const warningsCollection = getWarningsCollection();
-    
-    const warnings = await warningsCollection
-      .find({ is_acknowledged: false })
-      .sort({ severity: -1, created_at: -1 })
-      .limit(limit)
-      .toArray();
-    
-    return warnings.map(w => this._warningHelper(w));
+    const warnings = await Warning.findUnacknowledged(limit);
+    return warnings.map(w => w.toResponse());
   }
   
   /**
    * Acknowledge a clinical warning
    */
   async acknowledgeWarning(warningId, userId, notes = null) {
-    const warningsCollection = getWarningsCollection();
-    
-    const result = await warningsCollection.updateOne(
-      { _id: new ObjectId(warningId) },
-      {
-        $set: {
-          is_acknowledged: true,
-          acknowledged_by: userId,
-          acknowledged_at: new Date(),
-          acknowledgement_notes: notes
-        }
+    try {
+      const warning = await Warning.findById(warningId);
+      
+      if (!warning) {
+        return null;
       }
-    );
-    
-    if (result.matchedCount === 0) {
+      
+      await warning.acknowledge(userId, notes);
+      return warning.toResponse();
+    } catch {
       return null;
     }
-    
-    const warning = await warningsCollection.findOne({ _id: new ObjectId(warningId) });
-    return this._warningHelper(warning);
   }
   
   /**
    * Create a new clinical warning
    */
   async createWarning(warningData) {
-    const warningsCollection = getWarningsCollection();
-    
-    const warningDoc = {
-      ...warningData,
-      created_at: new Date(),
-      is_acknowledged: false
-    };
-    
-    const result = await warningsCollection.insertOne(warningDoc);
-    warningDoc._id = result.insertedId;
-    return this._warningHelper(warningDoc);
+    const warning = new Warning(warningData);
+    await warning.save();
+    return warning.toResponse();
   }
   
   /**
    * Delete all warnings for a patient
    */
   async deletePatientWarnings(patientId) {
-    const warningsCollection = getWarningsCollection();
-    const result = await warningsCollection.deleteMany({ patient_id: patientId });
+    const result = await Warning.deleteMany({ patient_id: patientId });
     return result.deletedCount;
   }
   
@@ -134,8 +64,7 @@ class WarningService {
    * Use AI to analyze patient data and generate clinical warnings
    */
   async analyzePatientForWarnings(patientId, newMedication = null, newCondition = null) {
-    const patientsCollection = getPatientsCollection();
-    const patient = await patientsCollection.findOne({ _id: new ObjectId(patientId) });
+    const patient = await Patient.findById(patientId);
     
     if (!patient) {
       return [];
@@ -209,21 +138,22 @@ Return ONLY valid JSON, no markdown or other text.`;
       
       // Create warnings in database
       const createdWarnings = [];
-      for (const warning of warningsData) {
+      for (const warningData of warningsData) {
         try {
-          const warningCreate = {
+          const warning = new Warning({
             patient_id: patientId,
-            warning_type: warning.warning_type || 'abnormal_pattern',
-            severity: warning.severity || 'medium',
-            title: (warning.title || 'Clinical Warning').substring(0, 100),
-            description: warning.description || '',
-            related_medications: warning.related_medications || [],
-            related_conditions: warning.related_conditions || [],
-            recommendation: warning.recommendation || null
-          };
+            warning_type: warningData.warning_type || 'general',
+            severity: warningData.severity || 'medium',
+            title: (warningData.title || 'Clinical Warning').substring(0, 100),
+            description: warningData.description || '',
+            related_medications: warningData.related_medications || [],
+            related_conditions: warningData.related_conditions || [],
+            recommendations: warningData.recommendation ? [warningData.recommendation] : [],
+            source: 'ai_analysis'
+          });
           
-          const createdWarning = await this.createWarning(warningCreate);
-          createdWarnings.push(createdWarning);
+          await warning.save();
+          createdWarnings.push(warning.toResponse());
         } catch (error) {
           console.log(`Error creating warning: ${error.message}`);
           continue;
@@ -245,47 +175,7 @@ Return ONLY valid JSON, no markdown or other text.`;
    * Get warning statistics
    */
   async getWarningStats() {
-    const warningsCollection = getWarningsCollection();
-    
-    const pipeline = [
-      {
-        $group: {
-          _id: {
-            severity: '$severity',
-            acknowledged: '$is_acknowledged'
-          },
-          count: { $sum: 1 }
-        }
-      }
-    ];
-    
-    const results = await warningsCollection.aggregate(pipeline).toArray();
-    
-    const stats = {
-      total: 0,
-      unacknowledged: 0,
-      by_severity: {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0
-      }
-    };
-    
-    for (const r of results) {
-      const count = r.count;
-      stats.total += count;
-      
-      if (!r._id.acknowledged) {
-        stats.unacknowledged += count;
-        const severity = r._id.severity;
-        if (severity in stats.by_severity) {
-          stats.by_severity[severity] += count;
-        }
-      }
-    }
-    
-    return stats;
+    return await Warning.getStats();
   }
 }