feat(loyalty): cross-persona page alignment with shared components

Align loyalty pages across admin, merchant, and store personas so each sees the same page set scoped to their access level. Admin acts as a superset of merchant with "on behalf" capabilities. New pages: - Store: Staff PINs management (CRUD) - Merchant: Cards, Card Detail, Transactions, Staff PINs (CRUD), Settings (read-only) - Admin: Merchant Cards, Card Detail, Transactions, PINs (read-only) Architecture: - 4 shared Jinja2 partials (cards-list, card-detail, transactions, pins) - 4 shared JS factory modules parameterized by apiPrefix/scope - Persona templates are thin wrappers including shared partials - PinDetailResponse schema for cross-store PIN listings API: 17 new endpoints (11 merchant, 6 admin on-behalf) Tests: 38 new integration tests, arch-check green i18n: ~130 new keys across en/fr/de/lb Docs: pages-and-navigation.md with full page matrix Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 19:28:07 +01:00
parent f41f72b86f
commit 6161d69ba2
49 changed files with 4385 additions and 14 deletions
--- a/app/modules/loyalty/tests/integration/test_admin_api.py
+++ b/app/modules/loyalty/tests/integration/test_admin_api.py
@@ -532,3 +532,122 @@ class TestAdminCreateProgramDuplicate:
        )
        # Should fail — merchant already has admin_program
        assert response.status_code in [409, 422]
+
+
+# ============================================================================
+# GET /merchants/{merchant_id}/cards (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestAdminListMerchantCards:
+    """Tests for GET /api/v1/admin/loyalty/merchants/{merchant_id}/cards."""
+
+    def test_list_merchant_cards(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Returns cards list for a merchant."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/cards",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert "cards" in data
+        assert "total" in data
+
+    def test_list_merchant_cards_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/merchants/{admin_merchant.id}/cards")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /merchants/{merchant_id}/transactions (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestAdminListMerchantTransactions:
+    """Tests for GET /api/v1/admin/loyalty/merchants/{merchant_id}/transactions."""
+
+    def test_list_merchant_transactions(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Returns transactions for a merchant."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/transactions",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert "transactions" in data
+        assert "total" in data
+
+    def test_list_merchant_transactions_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/merchants/{admin_merchant.id}/transactions")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /merchants/{merchant_id}/pins (On Behalf, Read-Only)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestAdminListMerchantPins:
+    """Tests for GET /api/v1/admin/loyalty/merchants/{merchant_id}/pins."""
+
+    def test_list_merchant_pins(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Returns PINs for a merchant."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/pins",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert "pins" in data
+        assert "total" in data
+
+    def test_list_merchant_pins_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/merchants/{admin_merchant.id}/pins")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /merchants/{merchant_id}/locations (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestAdminListMerchantLocations:
+    """Tests for GET /api/v1/admin/loyalty/merchants/{merchant_id}/locations."""
+
+    def test_list_merchant_locations(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Returns store locations for a merchant."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/locations",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert isinstance(data, list)
+
+    def test_list_merchant_locations_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/merchants/{admin_merchant.id}/locations")
+        assert response.status_code in [401, 403]
--- a/app/modules/loyalty/tests/integration/test_admin_pages.py
+++ b/app/modules/loyalty/tests/integration/test_admin_pages.py
@@ -217,3 +217,117 @@ class TestAdminMerchantSettingsPage:
            f"{BASE}/merchants/{admin_merchant.id}/settings"
        )
        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Merchant Cards Page (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestAdminMerchantCardsPage:
+    """Tests for GET /loyalty/merchants/{merchant_id}/cards."""
+
+    def test_merchant_cards_page_renders(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Merchant cards page returns HTML."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/cards",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_merchant_cards_page_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/merchants/{admin_merchant.id}/cards")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Merchant Card Detail Page (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestAdminMerchantCardDetailPage:
+    """Tests for GET /loyalty/merchants/{merchant_id}/cards/{card_id}."""
+
+    def test_merchant_card_detail_page_renders(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Card detail page returns HTML (even with non-existent card_id)."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/cards/99999",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_merchant_card_detail_page_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/cards/99999"
+        )
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Merchant Transactions Page (On Behalf)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestAdminMerchantTransactionsPage:
+    """Tests for GET /loyalty/merchants/{merchant_id}/transactions."""
+
+    def test_merchant_transactions_page_renders(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """Transactions page returns HTML."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/transactions",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_merchant_transactions_page_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/transactions"
+        )
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Merchant PINs Page (On Behalf, Read-Only)
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestAdminMerchantPinsPage:
+    """Tests for GET /loyalty/merchants/{merchant_id}/pins."""
+
+    def test_merchant_pins_page_renders(
+        self, client, super_admin_headers, admin_merchant
+    ):
+        """PINs page returns HTML."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/pins",
+            headers=super_admin_headers,
+        )
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_merchant_pins_page_requires_auth(self, client, admin_merchant):
+        """Unauthenticated request is rejected."""
+        response = client.get(
+            f"{BASE}/merchants/{admin_merchant.id}/pins"
+        )
+        assert response.status_code in [401, 403]
--- a/app/modules/loyalty/tests/integration/test_merchant_api.py
+++ b/app/modules/loyalty/tests/integration/test_merchant_api.py
@@ -372,3 +372,138 @@ class TestMerchantGetStats:
        assert data["total_cards"] == 0
        assert data["program"] is None
        assert data["locations"] == []
+
+
+# ============================================================================
+# GET /cards
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListCards:
+    """Tests for GET /api/v1/merchants/loyalty/cards."""
+
+    def test_list_cards_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns cards list for the merchant."""
+        response = client.get(f"{BASE}/cards", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert "cards" in data
+        assert "total" in data
+        assert isinstance(data["cards"], list)
+
+    def test_list_cards_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/cards")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /transactions
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListTransactions:
+    """Tests for GET /api/v1/merchants/loyalty/transactions."""
+
+    def test_list_transactions_empty(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns empty list when no transactions exist."""
+        response = client.get(f"{BASE}/transactions", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert data["transactions"] == []
+        assert data["total"] == 0
+
+    def test_list_transactions_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/transactions")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /pins
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantListPins:
+    """Tests for GET /api/v1/merchants/loyalty/pins."""
+
+    def test_list_pins_empty(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns empty list when no PINs exist."""
+        response = client.get(f"{BASE}/pins", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert data["pins"] == []
+        assert data["total"] == 0
+
+    def test_list_pins_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/pins")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /settings
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantGetSettings:
+    """Tests for GET /api/v1/merchants/loyalty/settings."""
+
+    def test_get_settings_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns merchant loyalty settings."""
+        response = client.get(f"{BASE}/settings", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert "staff_pin_policy" in data
+
+    def test_get_settings_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/settings")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# GET /locations
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestMerchantGetLocations:
+    """Tests for GET /api/v1/merchants/loyalty/locations."""
+
+    def test_get_locations_success(
+        self, client, loyalty_merchant_headers, loyalty_store_setup
+    ):
+        """Returns merchant's store locations."""
+        response = client.get(f"{BASE}/locations", headers=loyalty_merchant_headers)
+        assert response.status_code == 200
+        data = response.json()
+        assert isinstance(data, list)
+        assert len(data) >= 1
+
+    def test_get_locations_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/locations")
+        assert response.status_code in [401, 403]
--- a/app/modules/loyalty/tests/integration/test_merchant_pages.py
+++ b/app/modules/loyalty/tests/integration/test_merchant_pages.py
@@ -158,3 +158,113 @@ class TestMerchantAnalyticsPage:
        """Unauthenticated request is rejected."""
        response = client.get(f"{BASE}/analytics")
        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Cards Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestMerchantCardsPage:
+    """Tests for GET /merchants/loyalty/cards."""
+
+    def test_cards_page_renders(self, client, merchant_page_headers):
+        """Cards page returns HTML."""
+        response = client.get(f"{BASE}/cards", headers=merchant_page_headers)
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_cards_page_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/cards")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Card Detail Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestMerchantCardDetailPage:
+    """Tests for GET /merchants/loyalty/cards/{card_id}."""
+
+    def test_card_detail_page_renders(self, client, merchant_page_headers):
+        """Card detail page returns HTML (even with non-existent card_id)."""
+        response = client.get(f"{BASE}/cards/99999", headers=merchant_page_headers)
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_card_detail_page_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/cards/1")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Transactions Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestMerchantTransactionsPage:
+    """Tests for GET /merchants/loyalty/transactions."""
+
+    def test_transactions_page_renders(self, client, merchant_page_headers):
+        """Transactions page returns HTML."""
+        response = client.get(f"{BASE}/transactions", headers=merchant_page_headers)
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_transactions_page_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/transactions")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Staff PINs Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestMerchantPinsPage:
+    """Tests for GET /merchants/loyalty/pins."""
+
+    def test_pins_page_renders(self, client, merchant_page_headers):
+        """PINs page returns HTML."""
+        response = client.get(f"{BASE}/pins", headers=merchant_page_headers)
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_pins_page_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/pins")
+        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Settings Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestMerchantSettingsPage:
+    """Tests for GET /merchants/loyalty/settings."""
+
+    def test_settings_page_renders(self, client, merchant_page_headers):
+        """Settings page returns HTML."""
+        response = client.get(f"{BASE}/settings", headers=merchant_page_headers)
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_settings_page_requires_auth(self, client):
+        """Unauthenticated request is rejected."""
+        response = client.get(f"{BASE}/settings")
+        assert response.status_code in [401, 403]
--- a/app/modules/loyalty/tests/integration/test_store_pages.py
+++ b/app/modules/loyalty/tests/integration/test_store_pages.py
@@ -266,3 +266,32 @@ class TestStoreEnrollPage:
        store_code = loyalty_store_setup["store"].subdomain
        response = client.get(f"{_base(store_code)}/enroll")
        assert response.status_code in [401, 403]
+
+
+# ============================================================================
+# Staff PINs Page
+# ============================================================================
+
+
+@pytest.mark.integration
+@pytest.mark.loyalty
+class TestStorePinsPage:
+    """Tests for GET /store/{store_code}/loyalty/pins."""
+
+    def test_pins_page_renders(
+        self, client, loyalty_store_headers, loyalty_store_setup
+    ):
+        """PINs page returns HTML."""
+        store_code = loyalty_store_setup["store"].subdomain
+        response = client.get(
+            f"{_base(store_code)}/pins",
+            headers=loyalty_store_headers,
+        )
+        assert response.status_code == 200
+        assert "text/html" in response.headers["content-type"]
+
+    def test_pins_page_requires_auth(self, client, loyalty_store_setup):
+        """Unauthenticated request is rejected."""
+        store_code = loyalty_store_setup["store"].subdomain
+        response = client.get(f"{_base(store_code)}/pins")
+        assert response.status_code in [401, 403]