Security:
- Fix TOCTOU race conditions: move balance/limit checks after row lock in redeem_points, add_stamp, redeem_stamps
- Add PIN ownership verification to update/delete/unlock store routes
- Gate adjust_points endpoint to merchant_owner role only
Data integrity:
- Track total_points_voided in void_points
- Add order_reference idempotency guard in earn_points
Correctness:
- Fix LoyaltyProgramAlreadyExistsException to use merchant_id parameter
- Add StorefrontProgramResponse excluding wallet IDs from public API
- Add bounds (±100000) to PointsAdjustRequest.points_delta
Audit & config:
- Add CARD_REACTIVATED transaction type with audit record
- Improve admin audit logging with actor identity and old values
- Use merchant-specific PIN lockout settings with global fallback
- Guard MerchantLoyaltySettings creation with get_or_create pattern
Tests: 27 new tests (265 total) covering all 12 items — unit and integration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix rate limiter to extract real client IP and handle sync/async endpoints
- Rate-limit public enrollment (10/min) and program info (30/min) endpoints
- Add 409 Conflict to non-retryable status codes in retry decorator
- Cache private key in get_save_url() to avoid re-reading JSON per call
- Make update_class() return bool success status with error-level logging
- Move Google Wallet config from core to loyalty module config
- Document time.sleep() safety in retry decorator (threadpool execution)
- Add per-card retry (1 retry, 2s delay) to wallet sync task
- Add logo URL reachability check (HEAD request) to validate_config()
- Add 26 comprehensive unit tests for GoogleWalletService
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix IPv6 host parsing with _strip_port() utility
- Remove dangerous StorePlatform→Store.subdomain silent fallback
- Close storefront gate bypass when frontend_type is None
- Add custom subdomain management UI and API for stores
- Add domain health diagnostic tool
- Convert db.add() in loops to db.add_all() (24 PERF-006 fixes)
- Add tests for all new functionality (18 subdomain service tests)
- Add .github templates for validator compliance
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a new "Tenant Isolation" diagnostic tool that scans all stores and
reports where configuration values come from — flagging silent inheritance,
missing data, and potential data commingling. Also fix merchant dashboard
and onboarding integration tests that were missing require_platform
dependency override.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two bugs causing "Program Not Available" on storefront enrollment:
1. extract_store_from_referer() was not platform-aware — used
settings.main_domain (wizard.lu) instead of platform.domain
(rewardflow.lu) for subdomain detection, and restricted path-based
extraction to localhost only. Now mirrors the platform-aware logic
from _detect_store_from_host_and_path(): checks platform.domain for
subdomain detection (fashionhub.rewardflow.lu → fashionhub) and
allows path-based extraction on platform domains
(rewardflow.lu/storefront/FASHIONHUB/... → FASHIONHUB).
2. Storefront JS scripts (enroll, dashboard, history) were missing
defer attribute, causing them to execute before log-config.js and
crash on window.LogConfig access. Also fix quote escaping in
server-side rendered x-text expressions for French translations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Convert storefront enrollment $t() calls to server-side _() to silence
dev-toolbar warnings (welcome bonus + join button)
- Fix store base template I18n.init() to use current_language (from middleware)
instead of dashboard_language (hardcoded store config) so language changes
take effect immediately
- Switch admin loyalty routes to use get_admin_context() for proper i18n support
- Switch store loyalty routes to use core get_store_context() from page_context
- Pass program object to storefront enrollment context for server-side rendering
- Add LANG-011 architecture rule: enforce $t()/_() over I18n.t() in templates
- Fix duplicate file_pattern key in LANG-004 rule (YAML validation error)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds WizaMart S.à r.l. as a demo merchant with:
- OMS platform subscription (essential tier, 30-day trial)
- Custom domain wizamart.com linked to OMS platform
- Idempotent: safe to run multiple times
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Update origin cert config: wildcards for omsflow.lu, rewardflow.lu, hostwizard.lu
- Add wildcard Caddy blocks to production Caddyfile example
- Replace "Future" section with actionable runbooks:
- Add a Store Subdomain (self-service, no infra changes)
- Add a Custom Store Domain (Cloudflare + Caddy + DB)
- Add a New Platform Domain (full setup)
- Document wizard.lu exception (no wildcard due to git.wizard.lu DNS-only)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Register Alpine magic $t() for reactive translations in templates
- Dispatch i18n:ready event when translations load
- Fix base.html to use current_language instead of storefront_language
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removed the duplicated store detection logic in the debug trace endpoint
and calls StoreContextManager._detect_store_from_host_and_path() directly,
which also picks up the platform domain guards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The setting `settings.platform_domain` (the global/main domain like "wizard.lu")
was easily confused with `platform.domain` (per-platform domain like "rewardflow.lu").
Renamed to `settings.main_domain` / `MAIN_DOMAIN` env var across the entire codebase.
Also updated docs to reflect the refactored store detection logic with
`is_platform_domain` / `is_subdomain_of_platform` guards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add pessimistic locking (SELECT FOR UPDATE) on card write operations
to prevent race conditions in stamp_service and points_service
- Replace 16 console.log/error/warn calls with LogConfig.createLogger()
in 3 storefront JS files (dashboard, history, enroll)
- Delete all stale lu.json locale files across 8 modules (lb is the
correct ISO 639-1 code for Luxembourgish)
- Update architecture rules and docs to reference lb.json not lu.json
- Add production-readiness.md report for loyalty module
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
StoreContextMiddleware was treating platform domains (e.g. rewardflow.lu)
as custom store domains, causing store lookup to fail before reaching
path-based detection (/storefront/FASHIONHUB/...). Now skips custom
domain detection when the host matches the platform's own domain.
Also fixes menu tests to use loyalty-program instead of loyalty-overview,
and adds LOYALTY_DEFAULT_LOGO_URL and LOYALTY_GOOGLE_WALLET_ORIGINS to
Hetzner deployment docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded English strings across all 22 templates, 10 JS files,
and 4 locale files (en/fr/de/lb) with ~300 translation keys per language.
Uses server-side _() for Jinja2 templates and I18n.t() for JS toast
messages and dynamic Alpine.js expressions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove marketplace page redirect-to-onboarding tests that no longer
match the route behavior. Add can_create_store mock to tenancy store
creation tests to bypass billing limit checks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
RSASigner doesn't expose a .key attribute. Load the private key string
directly from the service account JSON file for PyJWT encoding. Also
adds fat JWT fallback for demo mode where DRAFT classes reject object
creation via REST API.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add run_affected_tests.py script that uses module dependency graph to
run only tests for changed modules and their dependents. Fix CI and
Makefile to use pyproject.toml testpaths (was missing 9 of 18 modules).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The test was failing because can_create_store() called the billing
module's check_resource_limit() which returned False for the test
merchant (no subscription). Patched the limit check since billing
is not what this unit test exercises.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- API-004: Add noqa for factory-pattern auth in user_account routes and payments admin
- MDL-003: Add from_attributes to MerchantStoreDetailResponse schema
- EXC-003: Suppress broad except in merchant_store_service and admin_subscription_service
(intentional fallbacks for optional billing module)
- NAM-002: Rename onboarding files to *_service.py suffix and update all imports
- JS-001: Add file-level noqa for dev-toolbar.js (console interceptor by design)
- JS-005: Add init guards to dashboard.js and customer-detail.js
- IMPORT-004: Break circular deps by removing orders from inventory requires and
marketplace from orders requires; add IMPORT-002 suppression for lazy cross-imports
- MOD-025: Remove unused OnboardingAlreadyCompletedException
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace console.error with centralized transLog logger (JS-001)
- Add try/catch to saveEdit in translation editor (JS-006)
- Replace inline SVG with $icon() helper in platform-debug (FE-002)
- Add noqa comments for intentional broad exception and unscoped query (EXC-003, SVC-005)
- Add unit tests for sql_query_service validation (MOD-024)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace `except Exception` with specific exception types in
google_wallet_service.py (requests.RequestException, ValueError, etc.)
and apple_wallet_service.py (httpx.HTTPError, OSError, ssl.SSLError)
- Rename loyalty_onboarding.py -> loyalty_onboarding_service.py to
match NAM-002 naming convention (+ test file + imports)
- Add PasswordChangeResponse Pydantic model to user_account API,
removing raw dict return and noqa suppression
Resolves 12 EXC-003 + 1 NAM-002 architecture warnings in loyalty module.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes deployment test failures where get_store_usage() and get_merchant_usage()
were called with db=None but attempted to run queries.
Also adds noqa suppressions for pre-existing security validator findings
in dev-toolbar (innerHTML with trusted content) and test fixtures
(hardcoded test passwords).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Logo URL is required by Google Wallet API for LoyaltyClass creation.
Added validation across all three program edit screens (admin, merchant, store)
with a helpful hint explaining the requirement.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix Google Wallet class creation: add required issuerName field (merchant name),
programLogo with default logo fallback, hexBackgroundColor default
- Add default loyalty logo assets (200px + 512px) for programs without custom logos
- Smart retry: skip retries on 400/401/403/404 client errors (not transient)
- Fix enrollment success page: use sessionStorage for wallet URLs instead of
authenticated API call (self-enrolled customers have no session)
- Hide wallet section on success page when no wallet URLs available
- Wire up T&C modal on enrollment page with program.terms_text
- Add startup validation for Google/Apple Wallet configs in lifespan
- Add admin wallet status dashboard endpoint and UI (moved to service layer)
- Fix Apple Wallet push notifications with real APNs HTTP/2 implementation
- Fix docs: correct enrollment URLs (port, path segments, /v1 prefix)
- Fix test assertion: !loyalty-enroll! → !enrollment!
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The toolbar was only included in the store base template. Add it to all
frontends so developers can use Ctrl+Alt+D everywhere in dev.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Evolve the platform-debug page into a diagnostics hub with sidebar
explorer layout. Add permissions audit API that introspects all
registered page routes and reports auth/permission enforcement status.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add merchant stats API tests (GET /merchants/loyalty/stats) with 7 test cases
- Add merchant page route tests (program, program-edit, analytics) with 6 test cases
- Add store page route tests (terminal, cards, card-detail, program, program-edit, analytics, enroll) with 16 test cases
- Add unit tests for get_merchant_stats() enhanced fields (new_this_month, estimated_liability_cents, location breakdown) with 6 test cases
- Add unit tests for get_platform_stats() enhanced fields (total_points_issued/redeemed, total_points_balance, new_this_month, estimated_liability_cents) with 4 test cases
- Total: 38 new tests (174 -> 212 passing)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract analytics stat cards, points activity, and location breakdown
into a shared partial used by admin, merchant, and store dashboards.
Add merchant stats API endpoint and client-side merchant filter on admin
analytics page. Extend stats schema with new_this_month and
estimated_liability_cents fields.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add Loyalty and Billing SQL query presets to dev tools
- Extract shared program-form.html partial and loyalty-program-form.js mixin
- Refactor admin program-edit to use shared form partial
- Add store loyalty API endpoints for program management
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Standardize naming (Program for view/edit, Analytics for stats), create shared
read-only program-view partial, fix admin edit field population bug (14 missing
fields), add store Program menu item, and rename merchant Overview→Program,
Settings→Analytics.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New admin page to browse, search, compare, and inline-edit translation
keys across all modules and languages from the browser.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add admin SQL query tool with saved queries, schema explorer presets,
and collapsible category sections (dev_tools module)
- Add platform debug tool for admin diagnostics
- Add loyalty settings page with owner-only access control
- Fix loyalty settings owner check (use currentUser instead of window.__userData)
- Replace HTTPException with AuthorizationException in loyalty routes
- Expand loyalty module with PIN service, Apple Wallet, program management
- Improve store login with platform detection and multi-platform support
- Update billing feature gates and subscription services
- Add store platform sync improvements and remove is_primary column
- Add unit tests for loyalty (PIN, points, stamps, program services)
- Update i18n translations across dev_tools locales
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix platform-grouped merchant sidebar menu with core items at root level
- Add merchant store management (detail page, create store, team page)
- Fix store settings 500 error by removing dead stripe/API tab
- Move onboarding translations to module-owned locale files
- Fix onboarding banner i18n with server-side rendering + context inheritance
- Refactor login language selectors to use languageSelector() function (LANG-002)
- Move HTTPException handling to global exception handler in merchant routes (API-003)
- Add language selector to all login pages and portal headers
- Fix customer module: drop order stats from customer model, add to orders module
- Fix admin menu config visibility for super admin platform context
- Fix storefront auth and layout issues
- Add missing i18n translations for onboarding steps (en/fr/de/lb)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move 39 documentation files from top-level docs/ into each module's
docs/ folder, accessible via symlinks from docs/modules/. Create
data-model.md files for 10 modules with full schema documentation.
Replace originals with redirect stubs. Remove empty guide stubs.
Modules migrated: tenancy, billing, loyalty, marketplace, orders,
messaging, cms, catalog, inventory, hosting, prospecting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add 55 unit tests for hosting module (hosted site service, client
service service, stats service) with full fixture setup
- Fix table_empty_state macro: add x_message param for dynamic Alpine.js
expressions rendered via x-text instead of server-side Jinja
- Fix hosting templates (sites, clients) using message= with Alpine
expressions that rendered as literal text
- Fix prospecting templates (leads, scan-jobs, prospects) using
nonexistent subtitle= param, migrated to x_message=
- Align hosting and prospecting admin templates with shared design system
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
celery-beat: check that the schedule file was modified within the last
120 seconds (confirms beat is ticking).
node-exporter: check /metrics endpoint for build_info metric.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add 16 missing translations for: subscription_welcome, payment_failed,
subscription_cancelled, trial_ending, team_invite (fr/de/lb each) and
team_invitation (lb). All 11 email templates now have full coverage
across all 4 supported languages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The pagination() macro expects startIndex, endIndex, pageNumbers, totalPages,
nextPage(), and previousPage() to be defined in the Alpine.js component.
Added these to scan-jobs.js, prospects.js, and leads.js.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The API router was missing prefix="/prospecting", causing all endpoints to
register at /api/v1/admin/stats instead of /api/v1/admin/prospecting/stats.
Also fix 500 errors on prospects, leads, and scan-jobs pages caused by
importing non-existent macro names (table_empty → table_empty_state,
pagination_controls → pagination).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Flower: use /healthcheck endpoint (auth-exempt) instead of root URL.
Redis-exporter: switch to alpine image (has wget) and verify redis_up
in /metrics instead of non-existent /health endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove duplicate Tom Select dark mode CSS (~280 lines) from customers,
orders, store-product-create, marketplace-letzshop, and marketplace-products
pages. Replace inline store select elements and selected badges with
entity_selector() and entity_selected_badge() macros.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move platforms menu from CMS to Platform Admin section with create/edit
- Add platform create page, API endpoint, and service method
- Remove CMS-specific content from platform list and detail pages
- Create shared entity_selector + entity_selected_badge Jinja macros
- Create entity-selector.js generalizing store-selector.js for any entity
- Add Tom Select merchant filter to stores page with localStorage persistence
- Migrate store-products page to use shared macros (remove 53 lines of duped CSS)
- Fix broken icons: puzzle→puzzle-piece, building-storefront→store, language→translate, server→cube
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The footer and meta description tag used platform.description (raw column)
instead of platform.get_translated_description(), so DE and LB translations
were never displayed. FR/EN appeared to work because the base description
field was synced from the default language on admin save.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
