Replace N+1 per-platform API calls on merchant detail page with a single
GET /admin/subscriptions/merchants/{id} endpoint. Extract shared
subscription+usage aggregation logic into a reusable service method and
refactor the store endpoint to use it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add /admin/merchant-users/{id}/edit page route and template
- Replace toggle-status button with edit button on merchant-users list
- Editable fields: username, email, first name, last name
- Quick actions: toggle status, delete (with double confirm)
- Move RBAC two-phase plan to docs/proposals/
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The admin-user-edit page had display-only fields for username, email,
first name, and last name. Convert to editable form inputs with:
- Dirty detection (unsaved changes indicator)
- Only sends changed fields in PUT payload
- Validation error display per field
- Save button disabled when no changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The User Type status card used owned_merchants_count to determine
Owner vs Team Member. Now uses user.role directly. Label changed
from "User Type" to "Role".
The other owned_merchants_count references (delete guards in
user-edit.js and user-detail.js, count display card, debug log)
are correct — they use the actual count for business logic, not
role derivation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Role column was deriving Owner/Team Member from owned_merchants_count
which was unreliable. Now uses user.role directly (merchant_owner vs
store_member) which is the source of truth after RBAC Phase 1.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add validate-security, validate-performance, validate-audit hooks
to .pre-commit-config.yaml (previously only architecture was checked)
- Break single "Run all validators" CI step into 4 explicit steps
(architecture, security, performance, audit) for clearer pipeline output
- Add noqa: SEC001 suppressions for test fixture hashed_password values
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds SEC001 (hardcoded password) and SEC021 (password in print output)
suppressions for the loyalty admin seed data, consistent with existing
patterns in seed_demo.py.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Completes middleware test coverage (11/11 files) with 19 cloudflare tests
(dispatch, get_real_client_ip, get_client_country) and 23 language tests
(admin/store/storefront/platform dispatch, helpers, private methods).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cover all 12 methods: constructor, password hashing, authenticate_user,
create_access_token, verify_token, get_current_user, RBAC decorators,
and create_default_admin_user. Achieves 96.45% coverage on auth.py.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cover all core authentication paths: helpers (_get_token_from_request,
_validate_user_token, _get_user_model, _validate_customer_token),
admin/store/merchant/customer auth (cookie + header + API variants),
optional auth, store permission factories, and store ownership checks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prevents reintroduction of native browser confirm() dialogs by flagging
them as architecture errors during pre-commit validation. Points
developers to use confirm_modal/confirm_modal_dynamic Jinja2 macros.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous fix added the fields to the API response but missed mapping
them in loadEmailSettings() where the response is stored into
emailSettings. The values were dropped before reaching populateEmailForm.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The EmailStatusResponse didn't include smtp_use_tls/smtp_use_ssl fields,
and the JavaScript hardcoded defaults (TLS=true, SSL=false) instead of
reading from the API response. Now the API returns the effective values
and the UI displays them correctly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The StorefrontAccessMiddleware was blocking middleware test routes
(/middleware-test/*) with 403 because test stores have no subscriptions.
These tests verify store context detection and theme loading, not
subscription access. Patch SKIP_PATH_PREFIXES in the test conftest to
let test routes through.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add EmailVerificationToken and UserPasswordResetToken models with migration
- Add email verification flow: verify-email page route, resend-verification API
- Block login for unverified users (EmailNotVerifiedException in auth_service)
- Add forgot-password/reset-password endpoints for merchant and store auth
- Add "Forgot Password?" links to merchant and store login pages
- Send welcome email with verification link on merchant creation
- Seed email_verification and merchant_password_reset email templates
- Fix db-reset Makefile to run all init-prod seed scripts
- Add UserAuthService to satisfy architecture validation rules
- Add 52 new tests (unit + integration) with full coverage
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add LoyaltyFeatureProvider with 11 BINARY/MERCHANT features for billing
feature gating, wired into loyalty module definition
- Fix subscription-tiers admin page showing 0 features by populating
feature_codes from tier relationship in all admin tier endpoints
- Fix merchants admin page showing 0 stores and N/A owner by adding
store_count and owner_email to MerchantResponse and eager-loading owner
- Add "no tiers" warning with link in subscription creation modal when
platform has no configured tiers
- Add missing mobile menu panel to storefront base template so hamburger
toggle actually shows navigation links
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add StorefrontAccessMiddleware that blocks storefront access for stores
without an active subscription, returning a multilingual unavailable page
(en/fr/de/lb) for page requests and JSON 403 for API requests. Multi-platform
aware: resolves subscription for detected platform with fallback to primary.
Also includes yesterday's session work:
- Module-driven storefront navigation via FrontendType.STOREFRONT menu declarations
- shop/ → storefront/ URL rename across 30+ templates
- Subscription context (tier_code) passed to storefront templates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename platforms: Orion OMS → OMS, Orion → Wizard, Loyalty+ → Loyalty
- Per-platform module assignment: core modules always enabled, optional
modules selectively enabled per platform instead of enabling all 18
- Rename demo store Orion → WizaTech to avoid confusion with app name
- Fix false "already exist" warnings for customers/products in seed
(broken post-flush id detection replaced with simple counter)
- Make dev port use API_PORT from .env instead of hardcoded 9999
- Add platforms section with dev URLs to init-prod summary
- Add merchant panel and customer login URLs to seed next steps
- Merge alembic heads (z_store_domain_platform_id + tenancy_001)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Inline scripts calling I18n.init() ran before the deferred i18n.js
loaded. Wrap in DOMContentLoaded so deferred scripts execute first.
Regression from 8ee8c39 (add defer to scripts).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Mark all server-side tasks as complete (fail2ban, Flower password,
unattended-upgrades, verification script)
- Correct memory limits: celery-beat and flower bumped to 256m after OOM
- Update scaling guide memory budget to match actual limits
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove set -e so script continues through all checks
- Use POSIX arithmetic to avoid exit code 1 from (( ))
- Bump flower and celery-beat mem_limit from 128m to 256m (OOM killed)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add defer attribute to 145 <script> tags across 103 template files
(PERF-067) and loading="lazy" to 22 <img> tags across 13 template
files (PERF-058). Both improve page load performance.
Validator totals: 0 errors, 2 warnings, 1360 info (down from 1527).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Captures all server-side work completed on 2026-02-16:
- Cloudflare Full setup for wizard.lu, omsflow.lu, rewardflow.lu (NS, SSL, origin certs)
- SendGrid SMTP configured for Alertmanager and app transactional emails
- Caddyfile updated with origin certs and tls issuer acme for git.wizard.lu
- Alertmanager v2 API for test alerts, multi-domain email strategy documented
- Cloudflare security: bot protection, DDoS, rate limiting on /api/ paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add safe-pattern exceptions to the x-html check in validate_security.py
for $icon(), $store methods, and window.icons lookups. Suppress remaining
8 legitimate x-html uses (admin-authored content, app-controlled JS) with
noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reflect resolved architecture warnings, performance warnings, and
current info-only findings (3127) from validate_all output.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SendGrid handles both transactional emails and marketing campaigns
under one account. Updated alertmanager SMTP placeholders, hetzner
setup guide (Step 19.5), and environment reference to recommend
SendGrid as the primary email provider.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Refactor 10 db.add() loops to db.add_all() in services (menu, admin,
orders, dev_tools), suppress 65 in tests/seeds/complex patterns with
noqa: PERF006, suppress 2 polling interval warnings with noqa: PERF062,
and add JS comment noqa support to base validator.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The catalog module imports inventory schemas/models for response
enrichment but the real dependency direction is inventory→catalog.
Add noqa comments with explanation instead of declaring a circular
requires dependency. Architecture validator now passes with 0 warnings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Delete .gitlab-ci.yml (replaced by .gitea/workflows/ci.yml)
- Delete docs/deployment/gitlab.md (superseded by gitea.md)
- Update audit rules to reference .gitea/workflows/*.yml
- Update validate_audit.py to check Gitea CI paths
- Clean up GitLab references in gitea.md, mkdocs.yml, .dockerignore
- Mark IPv6 AAAA records as completed in hetzner docs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Mark Steps 1-18 as fully complete (R2 offsite backups operational)
- Fix awscli install instructions: pip3 instead of apt (Ubuntu 24.04)
- Add Environment PATH to systemd service for ~/.local/bin/aws
- Add --upload flag to systemd ExecStart now that R2 is configured
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All three platforms live with auto-SSL (wizard.lu, omsflow.lu, rewardflow.lu).
Monitoring stack deployed with Grafana dashboards. Hetzner backups active.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update observability.md with production container table, actual init code,
and correct env var names. Update docker.md with full 10-service table and
backup/monitoring cross-references. Add explicit AAAA records to DNS tables.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix test_inventory_service.py: replace model .location with .bin_location
- Fix test_product_model.py: remove location= from Inventory constructors
- Add grafana_admin_user/password to Settings for production Grafana config
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Clean up 28 backward compatibility instances identified in the codebase.
The app is not live, so all shims are replaced with the target architecture:
- Remove legacy Inventory.location column (use bin_location exclusively)
- Remove dashboard _extract_metric_value helper (use flat metrics dict)
- Remove legacy stat field duplicates (total_stores, total_imports, etc.)
- Remove 13 re-export shims and class aliases across modules
- Remove module-enabling JSON fallback (use PlatformModule junction table)
- Remove menu_to_legacy_format() conversion (return dataclasses directly)
- Remove title/description from MarketplaceProductBase schema
- Clean billing convenience method docstrings
- Clean test fixtures and backward-compat comments
- Add PlatformModule seeding to init_production.py
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Audit of all 28 "backward compatibility" instances across the codebase,
grouped into 7 cleanup tasks prioritized by impact. App is not live yet
so all compat shims should be removed to build clean target state.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Backups: pg_dump scripts with daily/weekly rotation and Cloudflare R2 offsite sync.
Monitoring: Prometheus, Grafana, node-exporter, cAdvisor in docker-compose; /metrics
endpoint activated via prometheus_client.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove upload-artifact step (unsupported on Gitea GHES)
- Replace architecture+audit jobs with unified validate job running validate_all.py
- Update docs: DEPLOY_HOST must be 172.17.0.1 (Docker bridge), not 127.0.0.1
- Add ufw rule for Docker bridge network SSH access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix `ContentPage.store_id is None` (Python identity check, always
False) → use `.is_(None)` for proper SQLAlchemy NULL filtering
- Create pages for ALL platforms instead of only OMS
- Merge create_platform_pages.py into create_default_content_pages.py
(5 overlapping pages, only platform_homepage was unique)
- Delete redundant create_platform_pages.py
- Update Makefile, install.py, and docs references
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
