chore: Update changelog with Bandit security scan remediation details

feat: Implement random password and token generation for tests
fix: Update Bandit command in CI workflows to run checks on tests directory
2025-11-12 11:56:05 +01:00 · 2025-11-12 11:53:44 +01:00 · 2025-11-12 11:53:34 +01:00 · 2025-11-12 11:44:09 +01:00 · 2025-11-12 11:43:57 +01:00 · 2025-11-12 11:36:19 +01:00
272 changed files with 21759 additions and 12601 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -10,6 +10,8 @@ venv/
 .vscode
 .git
 .gitignore
 .gitea
 .github
 .DS_Store
 dist
 build
@@ -17,5 +19,9 @@ build
 *.sqlite3
 .env
 .env.*
-.Dockerfile
+coverage/
-.dockerignore
+logs/
 backups/
 tests/e2e/artifacts/
 scripts/__pycache__/
 reports/
--- a/.env.development
+++ b/.env.development
@@ -0,0 +1,25 @@
 # Development Environment Configuration
 ENVIRONMENT=development
 DEBUG=true
 LOG_LEVEL=DEBUG
 # Database Configuration
 DATABASE_HOST=postgres
 DATABASE_PORT=5432
 DATABASE_USER=calminer
 DATABASE_PASSWORD=calminer_password
 DATABASE_NAME=calminer_db
 DATABASE_DRIVER=postgresql
 # Application Settings
 CALMINER_EXPORT_MAX_ROWS=1000
 CALMINER_IMPORT_MAX_ROWS=10000
 CALMINER_EXPORT_METADATA=true
 CALMINER_IMPORT_STAGING_TTL=300
 # Admin Seeding (for development)
 CALMINER_SEED_ADMIN_EMAIL=admin@calminer.local
 CALMINER_SEED_ADMIN_USERNAME=admin
 CALMINER_SEED_ADMIN_PASSWORD=ChangeMe123!
 CALMINER_SEED_ADMIN_ROLES=admin
 CALMINER_SEED_FORCE=false
--- a/.env.example
+++ b/.env.example
@@ -10,5 +10,13 @@ DATABASE_NAME=calminer
 # Optional: set a schema (comma-separated for multiple entries)
 # DATABASE_SCHEMA=public
-# Legacy fallback (still supported, but granular settings are preferred)
+# Default administrative credentials are provided at deployment time through environment variables
-# DATABASE_URL=postgresql://<user>:<password>@localhost:5432/calminer
+# (`CALMINER_SEED_ADMIN_EMAIL`, `CALMINER_SEED_ADMIN_USERNAME`, `CALMINER_SEED_ADMIN_PASSWORD`, `CALMINER_SEED_ADMIN_ROLES`).
 # These values are consumed by a shared bootstrap helper on application startup, ensuring mandatory roles and the administrator account exist before any user interaction.
 CALMINER_SEED_ADMIN_EMAIL=<email>
 CALMINER_SEED_ADMIN_USERNAME=<username>
 CALMINER_SEED_ADMIN_PASSWORD=<password>
 CALMINER_SEED_ADMIN_ROLES=<roles>
 # Operators can request a managed credential reset by setting `CALMINER_SEED_FORCE=true`.
 # On the next startup the helper rotates the admin password and reapplies role assignments, so downstream environments must update stored secrets immediately after the reset.
 # CALMINER_SEED_FORCE=false
--- a/.env.production
+++ b/.env.production
@@ -0,0 +1,25 @@
 # Production Environment Configuration
 ENVIRONMENT=production
 DEBUG=false
 LOG_LEVEL=WARNING
 # Database Configuration (MUST be set externally - no defaults)
 DATABASE_HOST=
 DATABASE_PORT=5432
 DATABASE_USER=
 DATABASE_PASSWORD=
 DATABASE_NAME=
 DATABASE_DRIVER=postgresql
 # Application Settings
 CALMINER_EXPORT_MAX_ROWS=100000
 CALMINER_IMPORT_MAX_ROWS=100000
 CALMINER_EXPORT_METADATA=true
 CALMINER_IMPORT_STAGING_TTL=3600
 # Admin Seeding (for production - set strong password)
 CALMINER_SEED_ADMIN_EMAIL=admin@calminer.com
 CALMINER_SEED_ADMIN_USERNAME=admin
 CALMINER_SEED_ADMIN_PASSWORD=CHANGE_THIS_VERY_STRONG_PASSWORD
 CALMINER_SEED_ADMIN_ROLES=admin
 CALMINER_SEED_FORCE=false
--- a/.env.staging
+++ b/.env.staging
@@ -0,0 +1,25 @@
 # Staging Environment Configuration
 ENVIRONMENT=staging
 DEBUG=false
 LOG_LEVEL=INFO
 # Database Configuration (override with actual staging values)
 DATABASE_HOST=postgres
 DATABASE_PORT=5432
 DATABASE_USER=calminer_staging
 DATABASE_PASSWORD=CHANGE_THIS_STRONG_PASSWORD
 DATABASE_NAME=calminer_staging_db
 DATABASE_DRIVER=postgresql
 # Application Settings
 CALMINER_EXPORT_MAX_ROWS=50000
 CALMINER_IMPORT_MAX_ROWS=50000
 CALMINER_EXPORT_METADATA=true
 CALMINER_IMPORT_STAGING_TTL=600
 # Admin Seeding (for staging)
 CALMINER_SEED_ADMIN_EMAIL=admin@staging.calminer.com
 CALMINER_SEED_ADMIN_USERNAME=admin
 CALMINER_SEED_ADMIN_PASSWORD=CHANGE_THIS_STRONG_PASSWORD
 CALMINER_SEED_ADMIN_ROLES=admin
 CALMINER_SEED_FORCE=false
--- a/.gitea/workflows/build-and-push.yml
+++ b/.gitea/workflows/build-and-push.yml
@@ -1,59 +0,0 @@
 name: Build and Push Docker Image
 on:
  push:
    branches:
      - main
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
    env:
      DEFAULT_BRANCH: main
      REGISTRY_ORG: allucanget
      REGISTRY_IMAGE_NAME: calminer
      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Collect workflow metadata
        id: meta
        shell: bash
        run: |
          ref_name="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
          event_name="${GITHUB_EVENT_NAME:-}"
          sha="${GITHUB_SHA:-}"
          if [ "$ref_name" = "${DEFAULT_BRANCH:-main}" ]; then
            echo "on_default=true" >> "$GITHUB_OUTPUT"
          else
            echo "on_default=false" >> "$GITHUB_OUTPUT"
          fi
          echo "ref_name=$ref_name" >> "$GITHUB_OUTPUT"
          echo "event_name=$event_name" >> "$GITHUB_OUTPUT"
          echo "sha=$sha" >> "$GITHUB_OUTPUT"
      - name: Set up QEMU and Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Gitea registry
        if: ${{ steps.meta.outputs.on_default == 'true' }}
        uses: docker/login-action@v3
        continue-on-error: true
        with:
          registry: ${{ env.REGISTRY_URL }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          file: Dockerfile
          push: ${{ steps.meta.outputs.on_default == 'true' && steps.meta.outputs.event_name != 'pull_request' && (env.REGISTRY_URL != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '') }}
          tags: |
            ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_ORG }}/${{ env.REGISTRY_IMAGE_NAME }}:latest
            ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_ORG }}/${{ env.REGISTRY_IMAGE_NAME }}:${{ steps.meta.outputs.sha }}
--- a/.gitea/workflows/ci_backup.yml
+++ b/.gitea/workflows/ci_backup.yml
@@ -0,0 +1,212 @@
 name: CI
 on:
  push:
    branches: [main, develop, v2]
  pull_request:
    branches: [main, develop]
 jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      APT_CACHER_NG: http://192.168.88.14:3142
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.12"
      # - name: Cache pip dependencies
      #   uses: actions/cache@v4
      #   with:
      #     path: /root/.cache/pip
      #     key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'requirements-test.txt', 'pyproject.toml') }}
      #     restore-keys: |
      #       ${{ runner.os }}-pip-
      - name: Configure apt proxy
        run: |
          if [ -n \"${APT_CACHER_NG}\" ]; then
            echo "Acquire::http::Proxy \"${APT_CACHER_NG}\";" | tee /etc/apt/apt.conf.d/01apt-cacher-ng
          fi
      - name: Install system packages
        run: |
          apt-get update
          apt-get install -y build-essential libpq-dev
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install -r requirements-test.txt
      - name: Run Ruff
        run: ruff check .
      - name: Run Black
        run: black --check .
      - name: Run bandit
        run: bandit -c pyproject.toml -r tests
  test:
    runs-on: ubuntu-latest
    needs: lint
    env:
      APT_CACHER_NG: http://192.168.88.14:3142
      DB_DRIVER: postgresql+psycopg2
      DB_HOST: 192.168.88.35
      DB_NAME: calminer_test
      DB_USER: calminer
      DB_PASSWORD: calminer_password
    services:
      postgres:
        image: postgres:17
        env:
          POSTGRES_USER: ${{ env.DB_USER }}
          POSTGRES_PASSWORD: ${{ env.DB_PASSWORD }}
          POSTGRES_DB: ${{ env.DB_NAME }}
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.12"
      - name: Get pip cache dir
        id: pip-cache
        run: |
          echo \"path=$(pip cache dir)\" >> $GITEA_OUTPUT
          echo \"Pip cache dir: $(pip cache dir)\"
      # - name: Cache pip dependencies
      #   uses: actions/cache@v4
      #   with:
      #     path: /root/.cache/pip
      #     key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'requirements-test.txt', 'pyproject.toml') }}
      #     restore-keys: |
      #       ${{ runner.os }}-pip-
      - name: Configure apt proxy
        run: |
          if [ -n \"${APT_CACHER_NG}\" ]; then
            echo "Acquire::http::Proxy \"${APT_CACHER_NG}\";" | tee /etc/apt/apt.conf.d/01apt-cacher-ng
          fi
      - name: Install system packages
        run: |
          apt-get update
          apt-get install -y build-essential libpq-dev
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install -r requirements-test.txt
      - name: Run tests
        env:
          DATABASE_DRIVER: ${{ env.DB_DRIVER }}
          DATABASE_HOST: postgres
          DATABASE_PORT: 5432
          DATABASE_USER: ${{ env.DB_USER }}
          DATABASE_PASSWORD: ${{ env.DB_PASSWORD }}
          DATABASE_NAME: ${{ env.DB_NAME }}
        run: |
          pytest --cov=. --cov-report=term-missing --cov-report=xml --junitxml=pytest-report.xml
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-artifacts
          path: |
            coverage.xml
            pytest-report.xml
  build:
    runs-on: ubuntu-latest
    needs:
      - lint
      - test
    env:
      DEFAULT_BRANCH: main
      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
      REGISTRY_CONTAINER_NAME: calminer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Collect workflow metadata
        id: meta
        shell: bash
        run: |
          ref_name=\"${GITHUB_REF_NAME:-${GITHUB_REF##*/}}\"
          event_name=\"${GITHUB_EVENT_NAME:-}\"
          sha=\"${GITHUB_SHA:-}\"
          if [ \"$ref_name\" = \"${DEFAULT_BRANCH:-main}\" ]; then
            echo \"on_default=true\" >> \"$GITHUB_OUTPUT\"
          else
            echo \"on_default=false\" >> \"$GITHUB_OUTPUT\"
          fi
          echo \"ref_name=$ref_name\" >> \"$GITHUB_OUTPUT\"
          echo \"event_name=$event_name\" >> \"$GITHUB_OUTPUT\"
          echo \"sha=$sha\" >> \"$GITHUB_OUTPUT\"
      - name: Set up QEMU and Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to gitea registry
        if: ${{ steps.meta.outputs.on_default == 'true' }}
        uses: docker/login-action@v3
        continue-on-error: true
        with:
          registry: ${{ env.REGISTRY_URL }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}
      - name: Build image
        id: build-image
        env:
          REGISTRY_URL: ${{ env.REGISTRY_URL }}
          REGISTRY_CONTAINER_NAME: ${{ env.REGISTRY_CONTAINER_NAME }}
          SHA_TAG: ${{ steps.meta.outputs.sha }}
          PUSH_IMAGE: ${{ steps.meta.outputs.on_default == 'true' && steps.meta.outputs.event_name != 'pull_request' && env.REGISTRY_URL != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}
        run: |
          set -eo pipefail
          LOG_FILE=build.log
          if [ \"${PUSH_IMAGE}\" = \"true\" ]; then
            docker buildx build \
              --push \
              --tag \"${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:latest\" \
              --tag \"${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:${SHA_TAG}\" \
              --file Dockerfile \
              . 2>&1 | tee \"${LOG_FILE}\"
          else
            docker buildx build \
              --load \
              --tag \"${REGISTRY_CONTAINER_NAME}:ci\" \
              --file Dockerfile \
              . 2>&1 | tee \"${LOG_FILE}\"
          fi
      - name: Upload docker build logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: docker-build-logs
          path: build.log
--- a/.gitea/workflows/cicache.yml
+++ b/.gitea/workflows/cicache.yml
@@ -0,0 +1,298 @@
 name: CI
 on:
  push:
    branches: [main, develop, v2]
  pull_request:
    branches: [main, develop]
 jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      APT_CACHER_NG: http://192.168.88.14:3142
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.12"
      # - name: Get pip cache dir
      #   id: pip-cache
      #   run: |
      #     echo "path=$(pip cache dir)" >> $GITEA_OUTPUT
      #     echo "Pip cache dir: $(pip cache dir)"
      # - name: Cache pip dependencies
      #   uses: actions/cache@v4
      #   with:
      #     path: ${{ steps.pip-cache.outputs.path }}
      #     key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'requirements-test.txt', 'pyproject.toml') }}
      #     restore-keys: |
      #       ${{ runner.os }}-pip-
      - name: Configure apt proxy
        run: |
          if [ -n "${APT_CACHER_NG}" ]; then
            echo "Acquire::http::Proxy \"${APT_CACHER_NG}\";" | tee /etc/apt/apt.conf.d/01apt-cacher-ng
          fi
      - name: Install system packages
        run: |
          apt-get update
          apt-get install -y build-essential libpq-dev
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install -r requirements-test.txt
      - name: Run Ruff
        run: ruff check .
      - name: Run Black
        run: black --check .
      - name: Run Bandit
        run: bandit -c pyproject.toml -r tests
  test:
    runs-on: ubuntu-latest
    needs: lint
    env:
      APT_CACHER_NG: http://192.168.88.14:3142
      DB_DRIVER: postgresql+psycopg2
      DB_HOST: 192.168.88.35
      DB_NAME: calminer_test
      DB_USER: calminer
      DB_PASSWORD: calminer_password
    services:
      postgres:
        image: postgres:17
        env:
          POSTGRES_USER: ${{ env.DB_USER }}
          POSTGRES_PASSWORD: ${{ env.DB_PASSWORD }}
          POSTGRES_DB: ${{ env.DB_NAME }}
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.12"
      # - name: Get pip cache dir
      #   id: pip-cache
      #   run: |
      #     echo "path=$(pip cache dir)" >> $GITEA_OUTPUT
      #     echo "Pip cache dir: $(pip cache dir)"
      # - name: Cache pip dependencies
      #   uses: actions/cache@v4
      #   with:
      #     path: ${{ steps.pip-cache.outputs.path }}
      #     key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'requirements-test.txt', 'pyproject.toml') }}
      #     restore-keys: |
      #       ${{ runner.os }}-pip-
      - name: Configure apt proxy
        run: |
          if [ -n "${APT_CACHER_NG}" ]; then
            echo "Acquire::http::Proxy \"${APT_CACHER_NG}\";" | tee /etc/apt/apt.conf.d/01apt-cacher-ng
          fi
      - name: Install system packages
        run: |
          apt-get update
          apt-get install -y build-essential libpq-dev
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install -r requirements-test.txt
      - name: Install Playwright system dependencies
        run: playwright install-deps
      - name: Install Playwright browsers
        run: playwright install
      - name: Run tests
        env:
          DATABASE_DRIVER: ${{ env.DB_DRIVER }}
          DATABASE_HOST: postgres
          DATABASE_PORT: 5432
          DATABASE_USER: ${{ env.DB_USER }}
          DATABASE_PASSWORD: ${{ env.DB_PASSWORD }}
          DATABASE_NAME: ${{ env.DB_NAME }}
        run: |
          pytest --cov=. --cov-report=term-missing --cov-report=xml --cov-fail-under=80 --junitxml=pytest-report.xml
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-artifacts
          path: |
            coverage.xml
            pytest-report.xml
  build:
    runs-on: ubuntu-latest
    needs:
      - lint
      - test
    env:
      DEFAULT_BRANCH: main
      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
      REGISTRY_CONTAINER_NAME: calminer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Collect workflow metadata
        id: meta
        shell: bash
        run: |
          ref_name="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
          event_name="${GITHUB_EVENT_NAME:-}"
          sha="${GITHUB_SHA:-}"
          if [ "$ref_name" = "${DEFAULT_BRANCH:-main}" ]; then
            echo "on_default=true" >> "$GITHUB_OUTPUT"
          else
            echo "on_default=false" >> "$GITHUB_OUTPUT"
          fi
          echo "ref_name=$ref_name" >> "$GITHUB_OUTPUT"
          echo "event_name=$event_name" >> "$GITHUB_OUTPUT"
          echo "sha=$sha" >> "$GITHUB_OUTPUT"
      - name: Set up QEMU and Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to gitea registry
        if: ${{ steps.meta.outputs.on_default == 'true' }}
        uses: docker/login-action@v3
        continue-on-error: true
        with:
          registry: ${{ env.REGISTRY_URL }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}
      - name: Build image
        id: build-image
        env:
          REGISTRY_URL: ${{ env.REGISTRY_URL }}
          REGISTRY_CONTAINER_NAME: ${{ env.REGISTRY_CONTAINER_NAME }}
          SHA_TAG: ${{ steps.meta.outputs.sha }}
          PUSH_IMAGE: ${{ steps.meta.outputs.on_default == 'true' && steps.meta.outputs.event_name != 'pull_request' && env.REGISTRY_URL != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }}
        run: |
          set -eo pipefail
          LOG_FILE=build.log
          if [ "${PUSH_IMAGE}" = "true" ]; then
            docker buildx build \
              --push \
              --tag "${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:latest" \
              --tag "${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:${SHA_TAG}" \
              --file Dockerfile \
              . 2>&1 | tee "${LOG_FILE}"
          else
            docker buildx build \
              --load \
              --tag "${REGISTRY_CONTAINER_NAME}:ci" \
              --file Dockerfile \
              . 2>&1 | tee "${LOG_FILE}"
          fi
      - name: Upload docker build logs
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: docker-build-logs
          path: build.log
  deploy:
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
    env:
      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
      REGISTRY_CONTAINER_NAME: calminer
      KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
      STAGING_KUBE_CONFIG: ${{ secrets.STAGING_KUBE_CONFIG }}
      PROD_KUBE_CONFIG: ${{ secrets.PROD_KUBE_CONFIG }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up kubectl for staging
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy staging]')
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ env.STAGING_KUBE_CONFIG }}
      - name: Set up kubectl for production
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy production]')
        uses: azure/k8s-set-context@v3
        with:
          method: kubeconfig
          kubeconfig: ${{ env.PROD_KUBE_CONFIG }}
      - name: Deploy to staging
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy staging]')
        run: |
          # Update image in deployment
          kubectl set image deployment/calminer-app calminer=${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:latest
          # Apply any config changes
          kubectl apply -f k8s/configmap.yaml
          kubectl apply -f k8s/secret.yaml
          # Wait for rollout
          kubectl rollout status deployment/calminer-app
      - name: Collect staging deployment logs
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy staging]')
        run: |
          mkdir -p logs/deployment/staging
          kubectl get pods -o wide > logs/deployment/staging/pods.txt
          kubectl get deployment calminer-app -o yaml > logs/deployment/staging/deployment.yaml
          kubectl logs deployment/calminer-app --all-containers=true --tail=500 > logs/deployment/staging/calminer-app.log
      - name: Deploy to production
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy production]')
        run: |
          # Update image in deployment
          kubectl set image deployment/calminer-app calminer=${REGISTRY_URL}/allucanget/${REGISTRY_CONTAINER_NAME}:latest
          # Apply any config changes
          kubectl apply -f k8s/configmap.yaml
          kubectl apply -f k8s/secret.yaml
          # Wait for rollout
          kubectl rollout status deployment/calminer-app
      - name: Collect production deployment logs
        if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[deploy production]')
        run: |
          mkdir -p logs/deployment/production
          kubectl get pods -o wide > logs/deployment/production/pods.txt
          kubectl get deployment calminer-app -o yaml > logs/deployment/production/deployment.yaml
          kubectl logs deployment/calminer-app --all-containers=true --tail=500 > logs/deployment/production/calminer-app.log
      - name: Upload deployment logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: deployment-logs
          path: logs/deployment
          if-no-files-found: ignore
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,36 +0,0 @@
 name: Deploy to Server
 on:
  push:
    branches:
      - main
 jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      DEFAULT_BRANCH: main
      REGISTRY_ORG: allucanget
      REGISTRY_IMAGE_NAME: calminer
      REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      - name: SSH and deploy
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            docker pull ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_ORG }}/${{ env.REGISTRY_IMAGE_NAME }}:latest
            docker stop calminer || true
            docker rm calminer || true
            docker run -d --name calminer -p 8000:8000 \
              -e DATABASE_DRIVER=${{ secrets.DATABASE_DRIVER }} \
              -e DATABASE_HOST=${{ secrets.DATABASE_HOST }} \
              -e DATABASE_PORT=${{ secrets.DATABASE_PORT }} \
              -e DATABASE_USER=${{ secrets.DATABASE_USER }} \
              -e DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }} \
              -e DATABASE_NAME=${{ secrets.DATABASE_NAME }} \
              -e DATABASE_SCHEMA=${{ secrets.DATABASE_SCHEMA }} \
              ${{ secrets.REGISTRY_URL }}/${{ secrets.REGISTRY_USERNAME }}/calminer:latest
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,125 +0,0 @@
 name: Run Tests
 on: [push]
 jobs:
  test:
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_DB: calminer_ci
          POSTGRES_USER: calminer
          POSTGRES_PASSWORD: secret
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U calminer -d calminer_ci"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 10
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - name: Configure apt proxy
        run: |
          set -euo pipefail
          PROXY_HOST="http://apt-cacher:3142"
          if ! curl -fsS --connect-timeout 3 "${PROXY_HOST}" >/dev/null; then
            PROXY_HOST="http://192.168.88.14:3142"
          fi
          echo "Using APT proxy ${PROXY_HOST}"
          echo "http_proxy=${PROXY_HOST}" >> "$GITHUB_ENV"
          echo "https_proxy=${PROXY_HOST}" >> "$GITHUB_ENV"
          echo "HTTP_PROXY=${PROXY_HOST}" >> "$GITHUB_ENV"
          echo "HTTPS_PROXY=${PROXY_HOST}" >> "$GITHUB_ENV"
          sudo tee /etc/apt/apt.conf.d/01proxy >/dev/null <<EOF
          Acquire::http::Proxy "${PROXY_HOST}";
          Acquire::https::Proxy "${PROXY_HOST}";
          EOF
      # - name: Cache pip
      #   uses: actions/cache@v4
      #   with:
      #     path: ~/.cache/pip
      #     key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'requirements-test.txt') }}
      #     restore-keys: |
      #       ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
      #       ${{ runner.os }}-pip-
      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          pip install -r requirements-test.txt
      - name: Install Playwright browsers
        run: |
          python -m playwright install --with-deps
      - name: Wait for database service
        env:
          DATABASE_DRIVER: postgresql
          DATABASE_HOST: postgres
          DATABASE_PORT: "5432"
          DATABASE_NAME: calminer_ci
          DATABASE_USER: calminer
          DATABASE_PASSWORD: secret
          DATABASE_SCHEMA: public
          DATABASE_SUPERUSER: calminer
          DATABASE_SUPERUSER_PASSWORD: secret
          DATABASE_SUPERUSER_DB: calminer_ci
        run: |
          python - <<'PY'
          import os
          import time
          import psycopg2
          dsn = (
              f"dbname={os.environ['DATABASE_SUPERUSER_DB']} "
              f"user={os.environ['DATABASE_SUPERUSER']} "
              f"password={os.environ['DATABASE_SUPERUSER_PASSWORD']} "
              f"host={os.environ['DATABASE_HOST']} "
              f"port={os.environ['DATABASE_PORT']}"
          )
          for attempt in range(30):
              try:
                  with psycopg2.connect(dsn):
                      break
              except psycopg2.OperationalError:
                  time.sleep(2)
          else:
              raise SystemExit("Postgres service did not become available")
          PY
      - name: Run database setup (dry run)
        env:
          DATABASE_DRIVER: postgresql
          DATABASE_HOST: postgres
          DATABASE_PORT: "5432"
          DATABASE_NAME: calminer_ci
          DATABASE_USER: calminer
          DATABASE_PASSWORD: secret
          DATABASE_SCHEMA: public
          DATABASE_SUPERUSER: calminer
          DATABASE_SUPERUSER_PASSWORD: secret
          DATABASE_SUPERUSER_DB: calminer_ci
        run: python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data --dry-run -v
      - name: Run database setup
        env:
          DATABASE_DRIVER: postgresql
          DATABASE_HOST: postgres
          DATABASE_PORT: "5432"
          DATABASE_NAME: calminer_ci
          DATABASE_USER: calminer
          DATABASE_PASSWORD: secret
          DATABASE_SCHEMA: public
          DATABASE_SUPERUSER: calminer
          DATABASE_SUPERUSER_PASSWORD: secret
          DATABASE_SUPERUSER_DB: calminer_ci
        run: python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data -v
      - name: Run tests
        env:
          DATABASE_URL: postgresql+psycopg2://calminer:secret@postgres:5432/calminer_ci
          DATABASE_SCHEMA: public
        run: pytest
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ env/
 # environment variables
 .env
 *.env
 .env.*
 # except example files
 !config/*.env.example
@@ -38,6 +39,9 @@ htmlcov/
 # Mypy cache
 .mypy_cache/
 # Linting cache
 .ruff_cache/
 # Logs
 *.log
 logs/
@@ -45,3 +49,6 @@ logs/
 # SQLite database
 *.sqlite3
 test*.db
 # Act runner files
 .runner
--- a/131
+++ b/131
@@ -1,35 +1,114 @@
-# Multi-stage Dockerfile to keep final image small
+# syntax=docker/dockerfile:1.7
 FROM python:3.10-slim AS builder
-# Install build-time packages and Python dependencies in one layer
+ARG PYTHON_VERSION=3.11-slim
-WORKDIR /app
+ARG APT_CACHE_URL=http://192.168.88.14:3142
-COPY requirements.txt /app/requirements.txt
+
-RUN echo 'Acquire::http::Proxy "http://192.168.88.14:3142";' > /etc/apt/apt.conf.d/90proxy
+FROM python:${PYTHON_VERSION} AS builder
-RUN apt-get update \
+ARG APT_CACHE_URL
-    && apt-get install -y --no-install-recommends build-essential gcc libpq-dev \
+
-    && python -m pip install --upgrade pip \
+ENV \
-    && pip install --no-cache-dir --prefix=/install -r /app/requirements.txt \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
-    && apt-get purge -y --auto-remove build-essential gcc \
+    PIP_NO_CACHE_DIR=1 \
-    && rm -rf /var/lib/apt/lists/*
+    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
 FROM python:3.10-slim
 WORKDIR /app
-# Copy installed packages from builder
+COPY requirements.txt ./requirements.txt
 COPY --from=builder /install /usr/local
-# Assume environment variables for DB config will be set at runtime
+RUN --mount=type=cache,target=/root/.cache/pip /bin/bash <<'EOF'
-# ENV DATABASE_HOST=your_db_host
+set -e
-# ENV DATABASE_PORT=your_db_port
+
-# ENV DATABASE_NAME=your_db_name
+python3 <<'PY'
-# ENV DATABASE_USER=your_db_user
+import os, socket, urllib.parse
-# ENV DATABASE_PASSWORD=your_db_password
+
 url = os.environ.get('APT_CACHE_URL', '').strip()
 if url:
    parsed = urllib.parse.urlparse(url)
    host = parsed.hostname
    port = parsed.port or (80 if parsed.scheme == 'http' else 443)
    if host:
        sock = socket.socket()
        sock.settimeout(1)
        try:
            sock.connect((host, port))
        except OSError:
            pass
        else:
            with open('/etc/apt/apt.conf.d/01proxy', 'w', encoding='utf-8') as fh:
                fh.write(f"Acquire::http::Proxy \"{url}\";\n")
                fh.write(f"Acquire::https::Proxy \"{url}\";\n")
        finally:
            sock.close()
 PY
 apt-get update
 apt-get install -y --no-install-recommends build-essential gcc libpq-dev
 pip install --upgrade pip
 pip wheel --no-deps --wheel-dir /wheels -r requirements.txt
 apt-get purge -y --auto-remove build-essential gcc
 rm -rf /var/lib/apt/lists/*
 EOF
 FROM python:${PYTHON_VERSION} AS runtime
 ARG APT_CACHE_URL
 ENV \
    PIP_DISABLE_PIP_VERSION_CHECK=1 \
    PIP_NO_CACHE_DIR=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PATH="/home/appuser/.local/bin:${PATH}"
 WORKDIR /app
 RUN groupadd --system app && useradd --system --create-home --gid app appuser
 RUN /bin/bash <<'EOF'
 set -e
 python3 <<'PY'
 import os, socket, urllib.parse
 url = os.environ.get('APT_CACHE_URL', '').strip()
 if url:
    parsed = urllib.parse.urlparse(url)
    host = parsed.hostname
    port = parsed.port or (80 if parsed.scheme == 'http' else 443)
    if host:
        sock = socket.socket()
        sock.settimeout(1)
        try:
            sock.connect((host, port))
        except OSError:
            pass
        else:
            with open('/etc/apt/apt.conf.d/01proxy', 'w', encoding='utf-8') as fh:
                fh.write(f"Acquire::http::Proxy \"{url}\";\n")
                fh.write(f"Acquire::https::Proxy \"{url}\";\n")
        finally:
            sock.close()
 PY
 apt-get update
 apt-get install -y --no-install-recommends libpq5
 rm -rf /var/lib/apt/lists/*
 EOF
 COPY --from=builder /wheels /wheels
 COPY --from=builder /app/requirements.txt /tmp/requirements.txt
 RUN pip install --upgrade pip \
    && pip install --no-cache-dir --find-links=/wheels -r /tmp/requirements.txt \
    && rm -rf /wheels /tmp/requirements.txt
 # Copy application code
 COPY . /app
-# Expose service port
+RUN chown -R appuser:app /app \
-EXPOSE 8000
+    && chmod +x /app/scripts/docker-entrypoint.sh
-# Run the FastAPI app with uvicorn
+USER appuser
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
+
 EXPOSE 8003
 ENTRYPOINT ["/app/scripts/docker-entrypoint.sh"]
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8003", "--workers", "4"]
--- a/README.md
+++ b/README.md
@@ -6,81 +6,6 @@ Focuses on ore mining operations and covering parameters such as capital and ope
 The system is designed to help mining companies make informed decisions by simulating various scenarios and analyzing potential outcomes based on stochastic variables.
 A range of features are implemented to support these functionalities.
 ## Features
 - **Scenario Management**: Manage multiple mining scenarios with independent parameter sets and outputs.
 - **Process Parameters**: Define and persist process inputs via FastAPI endpoints and template-driven forms.
 - **Cost Tracking**: Capture capital (`capex`) and operational (`opex`) expenditures per scenario.
 - **Consumption Tracking**: Record resource consumption (chemicals, fuel, water, scrap) tied to scenarios.
 - **Production Output**: Store production metrics such as tonnage, recovery, and revenue drivers.
 - **Equipment Management**: Register scenario-specific equipment inventories.
 - **Maintenance Logging**: Log maintenance events against equipment with dates and costs.
 - **Reporting Dashboard**: Surface aggregated statistics for simulation outputs with an interactive Chart.js dashboard.
 - **Unified UI Shell**: Server-rendered templates extend a shared base layout with a persistent left sidebar linking scenarios, parameters, costs, consumption, production, equipment, maintenance, simulations, and reporting views.
 - **Operations Overview Dashboard**: The root route (`/`) surfaces cross-scenario KPIs, charts, and maintenance reminders with a one-click refresh backed by aggregated loaders.
 - **Theming Tokens**: Shared CSS variables in `static/css/main.css` centralize the UI color palette for consistent styling and rapid theme tweaks.
 - **Modular Frontend Scripts**: Page-specific interactions now live in `static/js/` modules, keeping templates lean while enabling browser caching and reuse.
 - **Monte Carlo Simulation (in progress)**: Services and routes are scaffolded for future stochastic analysis.
 ## Documentation & quickstart
-This repository contains detailed developer and architecture documentation in the `docs/` folder.
+This repository contains only code. See detailed developer and architecture documentation in the [Docs](https://git.allucanget.biz/allucanget/calminer-docs) repository.
 [Quickstart](docs/quickstart.md) contains developer quickstart, migrations, testing and current status.
 Key architecture documents: see [architecture](docs/architecture/README.md) for the arc42-based architecture documentation.
 For contributors: the `routes/`, `models/` and `services/` folders contain the primary application code. Tests and E2E specs are in `tests/`.
 ## Run with Docker
 The repository ships with a multi-stage `Dockerfile` that produces a slim runtime image.
 ### Build container
 ```powershell
 # Build the image locally
 docker build -t calminer:latest .
 ```
 ### Push to registry
 ```powershell
 # Tag and push the image to your registry
 docker login your-registry.com -u your-username -p your-password
 docker tag calminer:latest your-registry.com/your-namespace/calminer:latest
 docker push your-registry.com/your-namespace/calminer:latest
 ```
 ### Run container
 Expose FastAPI on <http://localhost:8000> with database configuration via granular environment variables:
 ```powershell
 # Provide database configuration via granular environment variables
 docker run --rm -p 8000:8000 ^
  -e DATABASE_DRIVER="postgresql" ^
  -e DATABASE_HOST="db.host" ^
  -e DATABASE_PORT="5432" ^
  -e DATABASE_USER="calminer" ^
  -e DATABASE_PASSWORD="s3cret" ^
  -e DATABASE_NAME="calminer" ^
  -e DATABASE_SCHEMA="public" ^
  calminer:latest
 ```
 ### Orchestrated Deployment
 Use `docker compose` or an orchestrator of your choice to co-locate PostgreSQL/Redis alongside the app when needed. The image expects migrations to be applied before startup.
 ## CI/CD expectations
 CalMiner uses Gitea Actions workflows stored in `.gitea/workflows/`:
 - `test.yml` runs style/unit/e2e suites on every push with cached Python dependencies.
 - `build-and-push.yml` builds the Docker image, reuses cached layers, and pushes to the configured registry.
 - `deploy.yml` pulls the pushed image on the target host and restarts the container.
 Pipelines assume the following secrets are provisioned in the Gitea instance: `REGISTRY_USERNAME`, `REGISTRY_PASSWORD`, `REGISTRY_URL`, `SSH_HOST`, `SSH_USERNAME`, and `SSH_PRIVATE_KEY`.
--- a/alembic.ini
+++ b/alembic.ini
@@ -0,0 +1,35 @@
 [alembic]
 script_location = alembic
 sqlalchemy.url = %(DATABASE_URL)s
 [loggers]
 keys = root,sqlalchemy,alembic
 [handlers]
 keys = console
 [formatters]
 keys = generic
 [logger_root]
 level = WARN
 handlers = console
 [logger_sqlalchemy]
 level = WARN
 handlers =
 qualname = sqlalchemy.engine
 [logger_alembic]
 level = INFO
 handlers =
 qualname = alembic
 [handler_console]
 class = StreamHandler
 args = (sys.stderr,)
 level = NOTSET
 formatter = generic
 [formatter_generic]
 format = %(levelname)-5.5s [%(name)s] %(message)s
--- a/alembic/env.py
+++ b/alembic/env.py
@@ -0,0 +1,62 @@
 from __future__ import annotations
 from logging.config import fileConfig
 from alembic import context
 from sqlalchemy import engine_from_config, pool
 from config.database import Base, DATABASE_URL
 from models import *  # noqa: F401,F403 - ensure models are imported for metadata registration
 # this is the Alembic Config object, which provides access to the values within the .ini file.
 config = context.config
 if config.config_file_name is not None:
    fileConfig(config.config_file_name)
 # Interpret the config file for Python logging.
 # This line sets up loggers basically.
 config.set_main_option("sqlalchemy.url", DATABASE_URL)
 target_metadata = Base.metadata
 def run_migrations_offline() -> None:
    """Run migrations in 'offline' mode."""
    url = config.get_main_option("sqlalchemy.url")
    context.configure(
        url=url,
        target_metadata=target_metadata,
        literal_binds=True,
        dialect_opts={"paramstyle": "named"},
    )
    with context.begin_transaction():
        context.run_migrations()
 def run_migrations_online() -> None:
    """Run migrations in 'online' mode."""
    connectable = engine_from_config(
        config.get_section(config.config_ini_section, {}),
        prefix="sqlalchemy.",
        poolclass=pool.NullPool,
    )
    with connectable.connect() as connection:
        context.configure(connection=connection, target_metadata=target_metadata)
        with context.begin_transaction():
            context.run_migrations()
 def run_migrations() -> None:
    if context.is_offline_mode():
        run_migrations_offline()
    else:
        run_migrations_online()
 run_migrations()
--- a/alembic/script.py.mako
+++ b/alembic/script.py.mako
@@ -0,0 +1,17 @@
 """${message}"""
 revision = ${repr(revision)}
 down_revision = ${repr(down_revision)}
 branch_labels = ${repr(branch_labels)}
 depends_on = ${repr(depends_on)}
 from alembic import op
 import sqlalchemy as sa
 def upgrade() -> None:
    ${upgrades if upgrades else "pass"}
 def downgrade() -> None:
    ${downgrades if downgrades else "pass"}
--- a/alembic/versions/20251111_00_initial_schema.py
+++ b/alembic/versions/20251111_00_initial_schema.py
@@ -0,0 +1,718 @@
 """Combined initial schema"""
 from __future__ import annotations
 from datetime import datetime, timezone
 from alembic import op
 import sqlalchemy as sa
 from passlib.context import CryptContext
 from sqlalchemy.sql import column, table
 # revision identifiers, used by Alembic.
 revision = "20251111_00"
 down_revision = None
 branch_labels = None
 depends_on = None
 password_context = CryptContext(schemes=["argon2"], deprecated="auto")
 mining_operation_type = sa.Enum(
    "open_pit",
    "underground",
    "in_situ_leach",
    "placer",
    "quarry",
    "mountaintop_removal",
    "other",
    name="miningoperationtype",
 )
 scenario_status = sa.Enum(
    "draft",
    "active",
    "archived",
    name="scenariostatus",
 )
 financial_category = sa.Enum(
    "capex",
    "opex",
    "revenue",
    "contingency",
    "other",
    name="financialcategory",
 )
 cost_bucket = sa.Enum(
    "capital_initial",
    "capital_sustaining",
    "operating_fixed",
    "operating_variable",
    "maintenance",
    "reclamation",
    "royalties",
    "general_admin",
    name="costbucket",
 )
 distribution_type = sa.Enum(
    "normal",
    "triangular",
    "uniform",
    "lognormal",
    "custom",
    name="distributiontype",
 )
 stochastic_variable = sa.Enum(
    "ore_grade",
    "recovery_rate",
    "metal_price",
    "operating_cost",
    "capital_cost",
    "discount_rate",
    "throughput",
    name="stochasticvariable",
 )
 resource_type = sa.Enum(
    "diesel",
    "electricity",
    "water",
    "explosives",
    "reagents",
    "labor",
    "equipment_hours",
    "tailings_capacity",
    name="resourcetype",
 )
 DEFAULT_PRICING_SLUG = "default"
 def _ensure_default_pricing_settings(connection) -> int:
    settings_table = table(
        "pricing_settings",
        column("id", sa.Integer()),
        column("slug", sa.String()),
        column("name", sa.String()),
        column("description", sa.Text()),
        column("default_currency", sa.String()),
        column("default_payable_pct", sa.Numeric()),
        column("moisture_threshold_pct", sa.Numeric()),
        column("moisture_penalty_per_pct", sa.Numeric()),
        column("created_at", sa.DateTime(timezone=True)),
        column("updated_at", sa.DateTime(timezone=True)),
    )
    existing = connection.execute(
        sa.select(settings_table.c.id).where(
            settings_table.c.slug == DEFAULT_PRICING_SLUG
        )
    ).scalar_one_or_none()
    if existing is not None:
        return existing
    now = datetime.now(timezone.utc)
    insert_stmt = settings_table.insert().values(
        slug=DEFAULT_PRICING_SLUG,
        name="Default Pricing",
        description="Automatically generated default pricing settings.",
        default_currency="USD",
        default_payable_pct=100.0,
        moisture_threshold_pct=8.0,
        moisture_penalty_per_pct=0.0,
        created_at=now,
        updated_at=now,
    )
    result = connection.execute(insert_stmt)
    default_id = result.inserted_primary_key[0]
    if default_id is None:
        default_id = connection.execute(
            sa.select(settings_table.c.id).where(
                settings_table.c.slug == DEFAULT_PRICING_SLUG
            )
        ).scalar_one()
    return default_id
 def upgrade() -> None:
    bind = op.get_bind()
    # Enumerations
    mining_operation_type.create(bind, checkfirst=True)
    scenario_status.create(bind, checkfirst=True)
    financial_category.create(bind, checkfirst=True)
    cost_bucket.create(bind, checkfirst=True)
    distribution_type.create(bind, checkfirst=True)
    stochastic_variable.create(bind, checkfirst=True)
    resource_type.create(bind, checkfirst=True)
    # Pricing settings core tables
    op.create_table(
        "pricing_settings",
        sa.Column("id", sa.Integer(), primary_key=True),
        sa.Column("name", sa.String(length=128), nullable=False),
        sa.Column("slug", sa.String(length=64), nullable=False),
        sa.Column("description", sa.Text(), nullable=True),
        sa.Column("default_currency", sa.String(length=3), nullable=True),
        sa.Column(
            "default_payable_pct",
            sa.Numeric(precision=5, scale=2),
            nullable=False,
            server_default=sa.text("100.00"),
        ),
        sa.Column(
            "moisture_threshold_pct",
            sa.Numeric(precision=5, scale=2),
            nullable=False,
            server_default=sa.text("8.00"),
        ),
        sa.Column(
            "moisture_penalty_per_pct",
            sa.Numeric(precision=14, scale=4),
            nullable=False,
            server_default=sa.text("0.0000"),
        ),
        sa.Column("metadata", sa.JSON(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.UniqueConstraint("name", name="uq_pricing_settings_name"),
        sa.UniqueConstraint("slug", name="uq_pricing_settings_slug"),
    )
    op.create_index(
        op.f("ix_pricing_settings_id"),
        "pricing_settings",
        ["id"],
        unique=False,
    )
    op.create_table(
        "pricing_metal_settings",
        sa.Column("id", sa.Integer(), primary_key=True),
        sa.Column(
            "pricing_settings_id",
            sa.Integer(),
            sa.ForeignKey("pricing_settings.id", ondelete="CASCADE"),
            nullable=False,
        ),
        sa.Column("metal_code", sa.String(length=32), nullable=False),
        sa.Column("payable_pct", sa.Numeric(
            precision=5, scale=2), nullable=True),
        sa.Column(
            "moisture_threshold_pct",
            sa.Numeric(precision=5, scale=2),
            nullable=True,
        ),
        sa.Column(
            "moisture_penalty_per_pct",
            sa.Numeric(precision=14, scale=4),
            nullable=True,
        ),
        sa.Column("data", sa.JSON(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.UniqueConstraint(
            "pricing_settings_id",
            "metal_code",
            name="uq_pricing_metal_settings_code",
        ),
    )
    op.create_index(
        op.f("ix_pricing_metal_settings_id"),
        "pricing_metal_settings",
        ["id"],
        unique=False,
    )
    op.create_index(
        op.f("ix_pricing_metal_settings_pricing_settings_id"),
        "pricing_metal_settings",
        ["pricing_settings_id"],
        unique=False,
    )
    op.create_table(
        "pricing_impurity_settings",
        sa.Column("id", sa.Integer(), primary_key=True),
        sa.Column(
            "pricing_settings_id",
            sa.Integer(),
            sa.ForeignKey("pricing_settings.id", ondelete="CASCADE"),
            nullable=False,
        ),
        sa.Column("impurity_code", sa.String(length=32), nullable=False),
        sa.Column(
            "threshold_ppm",
            sa.Numeric(precision=14, scale=4),
            nullable=False,
            server_default=sa.text("0.0000"),
        ),
        sa.Column(
            "penalty_per_ppm",
            sa.Numeric(precision=14, scale=4),
            nullable=False,
            server_default=sa.text("0.0000"),
        ),
        sa.Column("notes", sa.Text(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.UniqueConstraint(
            "pricing_settings_id",
            "impurity_code",
            name="uq_pricing_impurity_settings_code",
        ),
    )
    op.create_index(
        op.f("ix_pricing_impurity_settings_id"),
        "pricing_impurity_settings",
        ["id"],
        unique=False,
    )
    op.create_index(
        op.f("ix_pricing_impurity_settings_pricing_settings_id"),
        "pricing_impurity_settings",
        ["pricing_settings_id"],
        unique=False,
    )
    # Core domain tables
    op.create_table(
        "projects",
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("name", sa.String(length=255), nullable=False),
        sa.Column("location", sa.String(length=255), nullable=True),
        sa.Column("operation_type", mining_operation_type, nullable=False),
        sa.Column("description", sa.Text(), nullable=True),
        sa.Column(
            "pricing_settings_id",
            sa.Integer(),
            sa.ForeignKey("pricing_settings.id", ondelete="SET NULL"),
            nullable=True,
        ),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.PrimaryKeyConstraint("id"),
        sa.UniqueConstraint("name"),
    )
    op.create_index(op.f("ix_projects_id"), "projects", ["id"], unique=False)
    op.create_index(
        "ix_projects_pricing_settings_id",
        "projects",
        ["pricing_settings_id"],
        unique=False,
    )
    op.create_table(
        "scenarios",
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("project_id", sa.Integer(), nullable=False),
        sa.Column("name", sa.String(length=255), nullable=False),
        sa.Column("description", sa.Text(), nullable=True),
        sa.Column("status", scenario_status, nullable=False),
        sa.Column("start_date", sa.Date(), nullable=True),
        sa.Column("end_date", sa.Date(), nullable=True),
        sa.Column("discount_rate", sa.Numeric(
            precision=5, scale=2), nullable=True),
        sa.Column("currency", sa.String(length=3), nullable=True),
        sa.Column("primary_resource", resource_type, nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.ForeignKeyConstraint(
            ["project_id"], ["projects.id"], ondelete="CASCADE"),
        sa.PrimaryKeyConstraint("id"),
    )
    op.create_index(op.f("ix_scenarios_id"), "scenarios", ["id"], unique=False)
    op.create_index(
        op.f("ix_scenarios_project_id"),
        "scenarios",
        ["project_id"],
        unique=False,
    )
    op.create_table(
        "financial_inputs",
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("scenario_id", sa.Integer(), nullable=False),
        sa.Column("name", sa.String(length=255), nullable=False),
        sa.Column("category", financial_category, nullable=False),
        sa.Column("cost_bucket", cost_bucket, nullable=True),
        sa.Column("amount", sa.Numeric(precision=18, scale=2), nullable=False),
        sa.Column("currency", sa.String(length=3), nullable=True),
        sa.Column("effective_date", sa.Date(), nullable=True),
        sa.Column("notes", sa.Text(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.ForeignKeyConstraint(
            ["scenario_id"], ["scenarios.id"], ondelete="CASCADE"),
        sa.PrimaryKeyConstraint("id"),
    )
    op.create_index(
        op.f("ix_financial_inputs_id"),
        "financial_inputs",
        ["id"],
        unique=False,
    )
    op.create_index(
        op.f("ix_financial_inputs_scenario_id"),
        "financial_inputs",
        ["scenario_id"],
        unique=False,
    )
    op.create_table(
        "simulation_parameters",
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("scenario_id", sa.Integer(), nullable=False),
        sa.Column("name", sa.String(length=255), nullable=False),
        sa.Column("distribution", distribution_type, nullable=False),
        sa.Column("variable", stochastic_variable, nullable=True),
        sa.Column("resource_type", resource_type, nullable=True),
        sa.Column("mean_value", sa.Numeric(
            precision=18, scale=4), nullable=True),
        sa.Column(
            "standard_deviation",
            sa.Numeric(precision=18, scale=4),
            nullable=True,
        ),
        sa.Column(
            "minimum_value",
            sa.Numeric(precision=18, scale=4),
            nullable=True,
        ),
        sa.Column(
            "maximum_value",
            sa.Numeric(precision=18, scale=4),
            nullable=True,
        ),
        sa.Column("unit", sa.String(length=32), nullable=True),
        sa.Column("configuration", sa.JSON(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            server_default=sa.func.now(),
            nullable=False,
        ),
        sa.ForeignKeyConstraint(
            ["scenario_id"], ["scenarios.id"], ondelete="CASCADE"),
        sa.PrimaryKeyConstraint("id"),
    )
    op.create_index(
        op.f("ix_simulation_parameters_id"),
        "simulation_parameters",
        ["id"],
        unique=False,
    )
    op.create_index(
        op.f("ix_simulation_parameters_scenario_id"),
        "simulation_parameters",
        ["scenario_id"],
        unique=False,
    )
    # Authentication and RBAC tables
    op.create_table(
        "users",
        sa.Column("id", sa.Integer(), primary_key=True),
        sa.Column("email", sa.String(length=255), nullable=False),
        sa.Column("username", sa.String(length=128), nullable=False),
        sa.Column("password_hash", sa.String(length=255), nullable=False),
        sa.Column("is_active", sa.Boolean(),
                  nullable=False, server_default=sa.true()),
        sa.Column(
            "is_superuser",
            sa.Boolean(),
            nullable=False,
            server_default=sa.false(),
        ),
        sa.Column("last_login_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.UniqueConstraint("email", name="uq_users_email"),
        sa.UniqueConstraint("username", name="uq_users_username"),
    )
    op.create_index(
        "ix_users_active_superuser",
        "users",
        ["is_active", "is_superuser"],
        unique=False,
    )
    op.create_table(
        "roles",
        sa.Column("id", sa.Integer(), primary_key=True),
        sa.Column("name", sa.String(length=64), nullable=False),
        sa.Column("display_name", sa.String(length=128), nullable=False),
        sa.Column("description", sa.Text(), nullable=True),
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.UniqueConstraint("name", name="uq_roles_name"),
    )
    op.create_table(
        "user_roles",
        sa.Column("user_id", sa.Integer(), nullable=False),
        sa.Column("role_id", sa.Integer(), nullable=False),
        sa.Column(
            "granted_at",
            sa.DateTime(timezone=True),
            nullable=False,
            server_default=sa.func.now(),
        ),
        sa.Column("granted_by", sa.Integer(), nullable=True),
        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
        sa.ForeignKeyConstraint(["role_id"], ["roles.id"], ondelete="CASCADE"),
        sa.ForeignKeyConstraint(
            ["granted_by"], ["users.id"], ondelete="SET NULL"),
        sa.PrimaryKeyConstraint("user_id", "role_id"),
        sa.UniqueConstraint("user_id", "role_id",
                            name="uq_user_roles_user_role"),
    )
    op.create_index(
        "ix_user_roles_role_id",
        "user_roles",
        ["role_id"],
        unique=False,
    )
    # Seed roles and default admin
    roles_table = table(
        "roles",
        column("id", sa.Integer()),
        column("name", sa.String()),
        column("display_name", sa.String()),
        column("description", sa.Text()),
    )
    op.bulk_insert(
        roles_table,
        [
            {
                "id": 1,
                "name": "admin",
                "display_name": "Administrator",
                "description": "Full platform access with user management rights.",
            },
            {
                "id": 2,
                "name": "project_manager",
                "display_name": "Project Manager",
                "description": "Manage projects, scenarios, and associated data.",
            },
            {
                "id": 3,
                "name": "analyst",
                "display_name": "Analyst",
                "description": "Review dashboards and scenario outputs.",
            },
            {
                "id": 4,
                "name": "viewer",
                "display_name": "Viewer",
                "description": "Read-only access to assigned projects and reports.",
            },
        ],
    )
    admin_password_hash = password_context.hash("ChangeMe123!")
    users_table = table(
        "users",
        column("id", sa.Integer()),
        column("email", sa.String()),
        column("username", sa.String()),
        column("password_hash", sa.String()),
        column("is_active", sa.Boolean()),
        column("is_superuser", sa.Boolean()),
    )
    op.bulk_insert(
        users_table,
        [
            {
                "id": 1,
                "email": "admin@calminer.local",
                "username": "admin",
                "password_hash": admin_password_hash,
                "is_active": True,
                "is_superuser": True,
            }
        ],
    )
    user_roles_table = table(
        "user_roles",
        column("user_id", sa.Integer()),
        column("role_id", sa.Integer()),
        column("granted_by", sa.Integer()),
    )
    op.bulk_insert(
        user_roles_table,
        [
            {
                "user_id": 1,
                "role_id": 1,
                "granted_by": 1,
            }
        ],
    )
    # Ensure a default pricing settings record exists for future project linkage
    _ensure_default_pricing_settings(bind)
 def downgrade() -> None:
    # Drop RBAC
    op.drop_index("ix_user_roles_role_id", table_name="user_roles")
    op.drop_table("user_roles")
    op.drop_table("roles")
    op.drop_index("ix_users_active_superuser", table_name="users")
    op.drop_table("users")
    # Drop domain tables
    op.drop_index(
        op.f("ix_simulation_parameters_scenario_id"),
        table_name="simulation_parameters",
    )
    op.drop_index(op.f("ix_simulation_parameters_id"),
                  table_name="simulation_parameters")
    op.drop_table("simulation_parameters")
    op.drop_index(
        op.f("ix_financial_inputs_scenario_id"), table_name="financial_inputs"
    )
    op.drop_index(op.f("ix_financial_inputs_id"),
                  table_name="financial_inputs")
    op.drop_table("financial_inputs")
    op.drop_index(op.f("ix_scenarios_project_id"), table_name="scenarios")
    op.drop_index(op.f("ix_scenarios_id"), table_name="scenarios")
    op.drop_table("scenarios")
    op.drop_index("ix_projects_pricing_settings_id", table_name="projects")
    op.drop_index(op.f("ix_projects_id"), table_name="projects")
    op.drop_table("projects")
    # Drop pricing settings ancillary tables
    op.drop_index(
        op.f("ix_pricing_impurity_settings_pricing_settings_id"),
        table_name="pricing_impurity_settings",
    )
    op.drop_index(
        op.f("ix_pricing_impurity_settings_id"),
        table_name="pricing_impurity_settings",
    )
    op.drop_table("pricing_impurity_settings")
    op.drop_index(
        op.f("ix_pricing_metal_settings_pricing_settings_id"),
        table_name="pricing_metal_settings",
    )
    op.drop_index(
        op.f("ix_pricing_metal_settings_id"),
        table_name="pricing_metal_settings",
    )
    op.drop_table("pricing_metal_settings")
    op.drop_index(op.f("ix_pricing_settings_id"),
                  table_name="pricing_settings")
    op.drop_table("pricing_settings")
    # Drop enumerations
    resource_type.drop(op.get_bind(), checkfirst=True)
    stochastic_variable.drop(op.get_bind(), checkfirst=True)
    distribution_type.drop(op.get_bind(), checkfirst=True)
    cost_bucket.drop(op.get_bind(), checkfirst=True)
    financial_category.drop(op.get_bind(), checkfirst=True)
    scenario_status.drop(op.get_bind(), checkfirst=True)
    mining_operation_type.drop(op.get_bind(), checkfirst=True)
--- a/alembic/versions/20251111_01_add_performance_metrics_table.py
+++ b/alembic/versions/20251111_01_add_performance_metrics_table.py
@@ -0,0 +1,38 @@
 """Add performance_metrics table"""
 from __future__ import annotations
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision = "20251111_01"
 down_revision = "20251111_00"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    op.create_table(
        "performance_metrics",
        sa.Column("id", sa.Integer(), nullable=False),
        sa.Column("timestamp", sa.DateTime(), nullable=True),
        sa.Column("metric_name", sa.String(), nullable=True),
        sa.Column("value", sa.Float(), nullable=True),
        sa.Column("labels", sa.String(), nullable=True),
        sa.Column("endpoint", sa.String(), nullable=True),
        sa.Column("method", sa.String(), nullable=True),
        sa.Column("status_code", sa.Integer(), nullable=True),
        sa.Column("duration_seconds", sa.Float(), nullable=True),
        sa.PrimaryKeyConstraint("id"),
    )
    op.create_index(op.f("ix_performance_metrics_timestamp"), "performance_metrics", ["timestamp"], unique=False)
    op.create_index(op.f("ix_performance_metrics_metric_name"), "performance_metrics", ["metric_name"], unique=False)
    op.create_index(op.f("ix_performance_metrics_endpoint"), "performance_metrics", ["endpoint"], unique=False)
 def downgrade() -> None:
    op.drop_index(op.f("ix_performance_metrics_endpoint"), table_name="performance_metrics")
    op.drop_index(op.f("ix_performance_metrics_metric_name"), table_name="performance_metrics")
    op.drop_index(op.f("ix_performance_metrics_timestamp"), table_name="performance_metrics")
    op.drop_table("performance_metrics")
--- a/alembic/versions/20251112_00_add_roles_metadata_columns.py
+++ b/alembic/versions/20251112_00_add_roles_metadata_columns.py
@@ -0,0 +1,134 @@
 """Add metadata columns to roles table"""
 from __future__ import annotations
 import sqlalchemy as sa
 from alembic import op
 # revision identifiers, used by Alembic.
 revision = "20251112_00_add_roles_metadata_columns"
 down_revision = "20251111_01"
 branch_labels = None
 depends_on = None
 ROLE_BACKFILL = (
    ("admin", "Administrator", "Full platform access with user management rights."),
    (
        "project_manager",
        "Project Manager",
        "Manage projects, scenarios, and associated data.",
    ),
    ("analyst", "Analyst", "Review dashboards and scenario outputs."),
    (
        "viewer",
        "Viewer",
        "Read-only access to assigned projects and reports.",
    ),
 )
 def upgrade() -> None:
    op.add_column(
        "roles",
        sa.Column("display_name", sa.String(length=128), nullable=True),
    )
    op.add_column(
        "roles",
        sa.Column("description", sa.Text(), nullable=True),
    )
    op.add_column(
        "roles",
        sa.Column(
            "created_at",
            sa.DateTime(timezone=True),
            nullable=True,
            server_default=sa.text("timezone('UTC', now())"),
        ),
    )
    op.add_column(
        "roles",
        sa.Column(
            "updated_at",
            sa.DateTime(timezone=True),
            nullable=True,
            server_default=sa.text("timezone('UTC', now())"),
        ),
    )
    connection = op.get_bind()
    for name, display_name, description in ROLE_BACKFILL:
        connection.execute(
            sa.text(
                """
                UPDATE roles
                   SET display_name = :display_name,
                       description = COALESCE(description, :description)
                 WHERE name = :name
                   AND display_name IS NULL
                """
            ),
            {
                "name": name,
                "display_name": display_name,
                "description": description,
            },
        )
    connection.execute(
        sa.text(
            """
            UPDATE roles
               SET display_name = INITCAP(REPLACE(name, '_', ' '))
             WHERE display_name IS NULL
            """
        )
    )
    connection.execute(
        sa.text(
            """
            UPDATE roles
               SET created_at = timezone('UTC', now())
             WHERE created_at IS NULL
            """
        )
    )
    connection.execute(
        sa.text(
            """
            UPDATE roles
               SET updated_at = timezone('UTC', now())
             WHERE updated_at IS NULL
            """
        )
    )
    op.alter_column(
        "roles",
        "display_name",
        existing_type=sa.String(length=128),
        nullable=False,
    )
    op.alter_column(
        "roles",
        "created_at",
        existing_type=sa.DateTime(timezone=True),
        nullable=False,
        server_default=sa.text("timezone('UTC', now())"),
    )
    op.alter_column(
        "roles",
        "updated_at",
        existing_type=sa.DateTime(timezone=True),
        nullable=False,
        server_default=sa.text("timezone('UTC', now())"),
    )
 def downgrade() -> None:
    op.drop_column("roles", "updated_at")
    op.drop_column("roles", "created_at")
    op.drop_column("roles", "description")
    op.drop_column("roles", "display_name")
--- a/alembic_test.db
+++ b/alembic_test.db
--- a/backups/.gitkeep
+++ b/backups/.gitkeep
--- a/changelog.md
+++ b/changelog.md
@@ -0,0 +1,85 @@
 # Changelog
 ## 2025-11-13
 - Eliminated Bandit hardcoded-secret findings by replacing literal JWT tokens and passwords across auth/security tests with randomized helpers drawn from `tests/utils/security.py`, ensuring fixtures still assert expected behaviours.
 - Centralized Bandit configuration in `pyproject.toml`, reran `bandit -c pyproject.toml -r calminer tests`, and verified the scan now reports zero issues.
 - Updated `.github/instructions/TODO.md` and `.github/instructions/DONE.md` to reflect the completed security scan remediation workflow.
 ## 2025-11-12
 - Diagnosed admin bootstrap failure caused by legacy `roles` schema, added Alembic migration `20251112_00_add_roles_metadata_columns.py` to backfill `display_name`, `description`, `created_at`, and `updated_at`, and verified the migration via full pytest run in the activated `.venv`.
 - Resolved Ruff E402 warnings by moving module docstrings ahead of `from __future__ import annotations` across currency and pricing service modules, dropped the unused `HTTPException` import in `monitoring/__init__.py`, and confirmed a clean `ruff check .` run.
 - Enhanced the deploy job in `.gitea/workflows/cicache.yml` to capture Kubernetes pod, deployment, and container logs into `/logs/deployment/` for staging/production rollouts and publish them via a `deployment-logs` artifact, updating CI/CD documentation with retrieval instructions.
 - Fixed CI dashboard template lookup failures by renaming `templates/Dashboard.html` to `templates/dashboard.html` and verifying `tests/test_dashboard_route.py` locally to ensure TemplateNotFound no longer occurs on case-sensitive filesystems.
 ## 2025-11-11
 - Implemented base URL routing to redirect unauthenticated users to login and authenticated users to dashboard.
 - Added comprehensive end-to-end tests for login flow, including redirects, session handling, and error messaging for invalid/inactive accounts.
 - Updated header and footer templates to consistently use `logo_big.png` image instead of text logo, with appropriate CSS styling for sizing.
 - Centralised ISO-4217 currency validation across scenarios, imports, and export filters (`models/scenario.py`, `routes/scenarios.py`, `schemas/scenario.py`, `schemas/imports.py`, `services/export_query.py`) so malformed codes are rejected consistently at every entry point.
 - Updated scenario services and UI flows to surface friendly validation errors and added regression coverage for imports, exports, API creation, and lifecycle flows ensuring currencies are normalised end-to-end.
 - Recorded the completed “Ensure currency is used consistently” work in `.github/instructions/DONE.md` and ran the full pytest suite (150 tests) to verify the refactor.
 - Linked projects to their pricing settings by updating SQLAlchemy models, repositories, seeding utilities, and migrations, and added regression tests to cover the new association and default backfill.
 - Bootstrapped database-stored pricing settings at application startup, aligned initial data seeding with the database-first metadata flow, and added tests covering pricing bootstrap creation, project assignment, and idempotency.
 - Extended pricing configuration support to prefer persisted metadata via `dependencies.get_pricing_metadata`, added retrieval tests for project/default fallbacks, and refreshed docs (`calminer-docs/specifications/price_calculation.md`, `pricing_settings_data_model.md`) to describe the database-backed workflow and bootstrap behaviour.
 - Added `services/financial.py` NPV, IRR, and payback helpers with robust cash-flow normalisation, convergence safeguards, and fractional period support, plus comprehensive pytest coverage exercising representative project scenarios and failure modes.
 - Authored `calminer-docs/specifications/financial_metrics.md` capturing DCF assumptions, solver behaviours, and worked examples, and cross-linked the architecture concepts to the new reference for consistent navigation.
 - Implemented `services/simulation.py` Monte Carlo engine with configurable distributions, summary aggregation, and reproducible RNG seeding, introduced regression tests in `tests/test_simulation.py`, and documented configuration/usage in `calminer-docs/specifications/monte_carlo_simulation.md` with architecture cross-links.
 - Polished reporting HTML contexts by cleaning stray fragments in `routes/reports.py`, adding download action metadata for project and scenario pages, and generating scenario comparison download URLs with correctly serialised repeated `scenario_ids` parameters.
 - Consolidated Alembic history into a single initial migration (`20251111_00_initial_schema.py`), removed superseded revision files, and ensured Alembic metadata still references the project metadata for clean bootstrap.
 - Added `scripts/run_migrations.py` and a Docker entrypoint wrapper to run Alembic migrations before `uvicorn` starts, removed the fallback `Base.metadata.create_all` call, and updated `calminer-docs/admin/installation.md` so developers know how to apply migrations locally or via Docker.
 - Configured pytest defaults to collect coverage (`--cov`) with an 80% fail-under gate, excluded entrypoint/reporting scaffolds from the calculation, updated contributor docs with the standard `pytest` command, and verified the suite now reports 83% coverage.
 - Standardized color scheme and typography by moving alert styles to `main.css`, adding typography rules with CSS variables, updating auth templates for consistent button classes, and ensuring all templates use centralized color and spacing variables.
 - Improved navigation flow by adding two big chevron buttons on top of the navigation sidebar to allow users to navigate to the previous and next page in the page navigation list, including JavaScript logic for determining current page and handling navigation.
 - Established pytest-based unit and integration test suites with coverage thresholds, achieving 83% coverage across 181 tests, with configuration in pyproject.toml and documentation in CONTRIBUTING.md.
 - Configured CI pipelines to run tests, linting, and security checks on each change, adding Bandit security scanning to the workflow and verifying execution on pushes and PRs to main/develop branches.
 - Added deployment automation with Docker Compose for local development and Kubernetes manifests for production, ensuring environment parity and documenting processes in calminer-docs/admin/installation.md.
 - Completed monitoring instrumentation by adding business metrics observation to project and scenario repository operations, and simulation performance tracking to Monte Carlo service with success/error status and duration metrics.
 - Updated TODO list to reflect completed monitoring implementation tasks and validated changes with passing simulation tests.
 - Implemented comprehensive performance monitoring for scalability (FR-006) with Prometheus metrics collection for HTTP requests, import/export operations, and general application metrics.
 - Added database model for persistent metric storage with aggregation endpoints for KPIs like request latency, error rates, and throughput.
 - Created FastAPI middleware for automatic request metric collection and background persistence to database.
 - Extended monitoring router with performance metrics API endpoints and detailed health checks.
 - Added Alembic migration for performance_metrics table and updated model imports.
 - Completed concurrent interaction testing implementation, validating database transaction isolation under threading and establishing async testing framework for future concurrency enhancements.
 - Implemented comprehensive deployment automation with Docker Compose configurations for development, staging, and production environments ensuring environment parity.
 - Set up Kubernetes manifests with resource limits, health checks, and secrets management for production deployment.
 - Configured CI/CD workflows for automated Docker image building, registry pushing, and Kubernetes deployment to staging/production environments.
 - Documented deployment processes, environment configurations, and CI/CD workflows in project documentation.
 - Validated deployment automation through Docker Compose configuration testing and CI/CD pipeline structure.
 ## 2025-11-10
 - Added dedicated pytest coverage for guard dependencies, exercising success plus failure paths (missing session, inactive user, missing roles, project/scenario access errors) via `tests/test_dependencies_guards.py`.
 - Added integration tests in `tests/test_authorization_integration.py` verifying anonymous 401 responses, role-based 403s, and authorized project manager flows across API and UI endpoints.
 - Implemented environment-driven admin bootstrap settings, wired the `bootstrap_admin` helper into FastAPI startup, added pytest coverage for creation/idempotency/reset logic, and documented operational guidance in the RBAC plan and security concept.
 - Retired the legacy authentication RBAC implementation plan document after migrating its guidance into live documentation and synchronized the contributor instructions to reflect the removal.
 - Completed the Authentication & RBAC checklist by shipping the new models, migrations, repositories, guard dependencies, and integration tests.
 - Documented the project/scenario import/export field mapping and file format guidelines in `calminer-docs/requirements/FR-008.md`, and introduced `schemas/imports.py` with Pydantic models that normalise incoming CSV/Excel rows for projects and scenarios.
 - Added `services/importers.py` to load CSV/XLSX files into the new import schemas, pulled in `openpyxl` for Excel support, and covered the parsing behaviour with `tests/test_import_parsing.py`.
 - Expanded the import ingestion workflow with staging previews, transactional persistence commits, FastAPI preview/commit endpoints under `/imports`, and new API tests (`tests/test_import_ingestion.py`, `tests/test_import_api.py`) ensuring end-to-end coverage.
 - Added persistent audit logging via `ImportExportLog`, structured log emission, Prometheus metrics instrumentation, `/metrics` endpoint exposure, and updated operator/deployment documentation to guide monitoring setup.
 ## 2025-11-09
 - Captured current implementation status, requirements coverage, missing features, and prioritized roadmap in `calminer-docs/implementation_status.md` to guide future development.
 - Added core SQLAlchemy domain models, shared metadata descriptors, and Alembic migration setup (with initial schema snapshot) to establish the persistence layer foundation.
 - Introduced repository and unit-of-work helpers for projects, scenarios, financial inputs, and simulation parameters to support service-layer operations.
 - Added SQLite-backed pytest coverage for repository and unit-of-work behaviours to validate persistence interactions.
 - Exposed project and scenario CRUD APIs with validated schemas and integrated them into the FastAPI application.
 - Connected project and scenario routers to new Jinja2 list/detail/edit views with HTML forms and redirects.
 - Implemented FR-009 client-side enhancements with responsive navigation toggle, mobile-first scenario tables, and shared asset loading across templates.
 - Added scenario comparison validator, FastAPI comparison endpoint, and comprehensive unit tests to enforce FR-009 validation rules through API errors.
 - Delivered a new dashboard experience with `templates/dashboard.html`, dedicated styling, and a FastAPI route supplying real project/scenario metrics via repository helpers.
 - Extended repositories with count/recency utilities and added pytest coverage, including a dashboard rendering smoke test validating empty-state messaging.
 - Brought project and scenario detail pages plus their forms in line with the dashboard visuals, adding metric cards, layout grids, and refreshed CTA styles.
 - Reordered project route registration to prioritize static UI paths, eliminating 422 errors on `/projects/ui` and `/projects/create`, and added pytest smoke coverage for the navigation endpoints.
 - Added end-to-end integration tests for project and scenario lifecycles, validating HTML redirects, template rendering, and API interactions, and updated `ProjectRepository.get` to deduplicate joined loads for detail views.
 - Updated all Jinja2 template responses to the new Starlette signature to eliminate deprecation warnings while keeping request-aware context available to the templates.
 - Introduced `services/security.py` to centralize Argon2 password hashing utilities and JWT creation/verification with typed payloads, and added pytest coverage for hashing, expiry, tampering, and token type mismatch scenarios.
 - Added `routes/auth.py` with registration, login, and password reset flows, refreshed auth templates with error messaging, wired navigation links, and introduced end-to-end pytest coverage for the new forms and token flows.
 - Implemented cookie-based authentication session middleware with automatic access token refresh, logout handling, navigation adjustments, and documentation/test updates capturing the new behaviour.
 - Delivered idempotent seeding utilities with `scripts/initial_data.py`, entry-point runner `scripts/00_initial_data.py`, documentation updates, and pytest coverage to verify role/admin provisioning.
 - Secured project and scenario routers with RBAC guard dependencies, enforced repository access checks via helper utilities, and aligned template routes with FastAPI dependency injection patterns.
--- a/config/init.py
+++ b/config/init.py
@@ -0,0 +1 @@
 """Configuration package."""
--- a/config/database.py
+++ b/config/database.py
@@ -56,3 +56,11 @@ DATABASE_URL = _build_database_url()
 engine = create_engine(DATABASE_URL, echo=True, future=True)
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 Base = declarative_base()
 def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()
--- a/config/settings.py
+++ b/config/settings.py
@@ -0,0 +1,233 @@
 from __future__ import annotations
 import os
 from dataclasses import dataclass
 from datetime import timedelta
 from functools import lru_cache
 from typing import Optional
 from services.pricing import PricingMetadata
 from services.security import JWTSettings
@dataclass(frozen=True, slots=True)
 class AdminBootstrapSettings:
    """Default administrator bootstrap configuration."""
    email: str
    username: str
    password: str
    roles: tuple[str, ...]
    force_reset: bool
@dataclass(frozen=True, slots=True)
 class SessionSettings:
    """Cookie and header configuration for session token transport."""
    access_cookie_name: str
    refresh_cookie_name: str
    cookie_secure: bool
    cookie_domain: Optional[str]
    cookie_path: str
    header_name: str
    header_prefix: str
    allow_header_fallback: bool
@dataclass(frozen=True, slots=True)
 class Settings:
    """Application configuration sourced from environment variables."""
    jwt_secret_key: str = "change-me"
    jwt_algorithm: str = "HS256"
    jwt_access_token_minutes: int = 15
    jwt_refresh_token_days: int = 7
    session_access_cookie_name: str = "calminer_access_token"
    session_refresh_cookie_name: str = "calminer_refresh_token"
    session_cookie_secure: bool = False
    session_cookie_domain: Optional[str] = None
    session_cookie_path: str = "/"
    session_header_name: str = "Authorization"
    session_header_prefix: str = "Bearer"
    session_allow_header_fallback: bool = True
    admin_email: str = "admin@calminer.local"
    admin_username: str = "admin"
    admin_password: str = "ChangeMe123!"
    admin_roles: tuple[str, ...] = ("admin",)
    admin_force_reset: bool = False
    pricing_default_payable_pct: float = 100.0
    pricing_default_currency: str | None = "USD"
    pricing_moisture_threshold_pct: float = 8.0
    pricing_moisture_penalty_per_pct: float = 0.0
    @classmethod
    def from_environment(cls) -> "Settings":
        """Construct settings from environment variables."""
        return cls(
            jwt_secret_key=os.getenv("CALMINER_JWT_SECRET", "change-me"),
            jwt_algorithm=os.getenv("CALMINER_JWT_ALGORITHM", "HS256"),
            jwt_access_token_minutes=cls._int_from_env(
                "CALMINER_JWT_ACCESS_MINUTES", 15
            ),
            jwt_refresh_token_days=cls._int_from_env(
                "CALMINER_JWT_REFRESH_DAYS", 7
            ),
            session_access_cookie_name=os.getenv(
                "CALMINER_SESSION_ACCESS_COOKIE", "calminer_access_token"
            ),
            session_refresh_cookie_name=os.getenv(
                "CALMINER_SESSION_REFRESH_COOKIE", "calminer_refresh_token"
            ),
            session_cookie_secure=cls._bool_from_env(
                "CALMINER_SESSION_COOKIE_SECURE", False
            ),
            session_cookie_domain=os.getenv("CALMINER_SESSION_COOKIE_DOMAIN"),
            session_cookie_path=os.getenv("CALMINER_SESSION_COOKIE_PATH", "/"),
            session_header_name=os.getenv(
                "CALMINER_SESSION_HEADER_NAME", "Authorization"
            ),
            session_header_prefix=os.getenv(
                "CALMINER_SESSION_HEADER_PREFIX", "Bearer"
            ),
            session_allow_header_fallback=cls._bool_from_env(
                "CALMINER_SESSION_ALLOW_HEADER_FALLBACK", True
            ),
            admin_email=os.getenv(
                "CALMINER_SEED_ADMIN_EMAIL", "admin@calminer.local"
            ),
            admin_username=os.getenv(
                "CALMINER_SEED_ADMIN_USERNAME", "admin"
            ),
            admin_password=os.getenv(
                "CALMINER_SEED_ADMIN_PASSWORD", "ChangeMe123!"
            ),
            admin_roles=cls._parse_admin_roles(
                os.getenv("CALMINER_SEED_ADMIN_ROLES")
            ),
            admin_force_reset=cls._bool_from_env(
                "CALMINER_SEED_FORCE", False
            ),
            pricing_default_payable_pct=cls._float_from_env(
                "CALMINER_PRICING_DEFAULT_PAYABLE_PCT", 100.0
            ),
            pricing_default_currency=cls._optional_str(
                "CALMINER_PRICING_DEFAULT_CURRENCY", "USD"
            ),
            pricing_moisture_threshold_pct=cls._float_from_env(
                "CALMINER_PRICING_MOISTURE_THRESHOLD_PCT", 8.0
            ),
            pricing_moisture_penalty_per_pct=cls._float_from_env(
                "CALMINER_PRICING_MOISTURE_PENALTY_PER_PCT", 0.0
            ),
        )
    @staticmethod
    def _int_from_env(name: str, default: int) -> int:
        raw_value = os.getenv(name)
        if raw_value is None:
            return default
        try:
            return int(raw_value)
        except ValueError:
            return default
    @staticmethod
    def _bool_from_env(name: str, default: bool) -> bool:
        raw_value = os.getenv(name)
        if raw_value is None:
            return default
        lowered = raw_value.strip().lower()
        if lowered in {"1", "true", "yes", "on"}:
            return True
        if lowered in {"0", "false", "no", "off"}:
            return False
        return default
    @staticmethod
    def _parse_admin_roles(raw_value: str | None) -> tuple[str, ...]:
        if not raw_value:
            return ("admin",)
        parts = [segment.strip()
                 for segment in raw_value.split(",") if segment.strip()]
        if "admin" not in parts:
            parts.insert(0, "admin")
        seen: set[str] = set()
        ordered: list[str] = []
        for role_name in parts:
            if role_name not in seen:
                ordered.append(role_name)
                seen.add(role_name)
        return tuple(ordered)
    @staticmethod
    def _float_from_env(name: str, default: float) -> float:
        raw_value = os.getenv(name)
        if raw_value is None:
            return default
        try:
            return float(raw_value)
        except ValueError:
            return default
    @staticmethod
    def _optional_str(name: str, default: str | None = None) -> str | None:
        raw_value = os.getenv(name)
        if raw_value is None or raw_value.strip() == "":
            return default
        return raw_value.strip()
    def jwt_settings(self) -> JWTSettings:
        """Build runtime JWT settings compatible with token helpers."""
        return JWTSettings(
            secret_key=self.jwt_secret_key,
            algorithm=self.jwt_algorithm,
            access_token_ttl=timedelta(minutes=self.jwt_access_token_minutes),
            refresh_token_ttl=timedelta(days=self.jwt_refresh_token_days),
        )
    def session_settings(self) -> SessionSettings:
        """Provide transport configuration for session tokens."""
        return SessionSettings(
            access_cookie_name=self.session_access_cookie_name,
            refresh_cookie_name=self.session_refresh_cookie_name,
            cookie_secure=self.session_cookie_secure,
            cookie_domain=self.session_cookie_domain,
            cookie_path=self.session_cookie_path,
            header_name=self.session_header_name,
            header_prefix=self.session_header_prefix,
            allow_header_fallback=self.session_allow_header_fallback,
        )
    def admin_bootstrap_settings(self) -> AdminBootstrapSettings:
        """Return configured admin bootstrap settings."""
        return AdminBootstrapSettings(
            email=self.admin_email,
            username=self.admin_username,
            password=self.admin_password,
            roles=self.admin_roles,
            force_reset=self.admin_force_reset,
        )
    def pricing_metadata(self) -> PricingMetadata:
        """Build pricing metadata defaults."""
        return PricingMetadata(
            default_payable_pct=self.pricing_default_payable_pct,
            default_currency=self.pricing_default_currency,
            moisture_threshold_pct=self.pricing_moisture_threshold_pct,
            moisture_penalty_per_pct=self.pricing_moisture_penalty_per_pct,
        )
@lru_cache(maxsize=1)
 def get_settings() -> Settings:
    """Return cached application settings."""
    return Settings.from_environment()
--- a/config/setup_staging.env.example
+++ b/config/setup_staging.env.example
@@ -1,11 +0,0 @@
 # Sample environment configuration for staging deployment
 DATABASE_HOST=staging-db.internal
 DATABASE_PORT=5432
 DATABASE_NAME=calminer_staging
 DATABASE_USER=calminer_app
 DATABASE_PASSWORD=<app-password>
 # Admin connection used for provisioning database and roles
 DATABASE_SUPERUSER=postgres
 DATABASE_SUPERUSER_PASSWORD=<admin-password>
 DATABASE_SUPERUSER_DB=postgres
--- a/config/setup_test.env.example
+++ b/config/setup_test.env.example
@@ -1,14 +0,0 @@
 # Sample environment configuration for running scripts/setup_database.py against a test instance
 DATABASE_DRIVER=postgresql
 DATABASE_HOST=postgres
 DATABASE_PORT=5432
 DATABASE_NAME=calminer_test
 DATABASE_USER=calminer_test
 DATABASE_PASSWORD=<test-password>
 # optional: specify schema if different from 'public'
 #DATABASE_SCHEMA=public
 # Admin connection used for provisioning database and roles
 DATABASE_SUPERUSER=postgres
 DATABASE_SUPERUSER_PASSWORD=<superuser-password>
 DATABASE_SUPERUSER_DB=postgres
--- a/dependencies.py
+++ b/dependencies.py
@@ -0,0 +1,281 @@
 from __future__ import annotations
 from collections.abc import Callable, Iterable, Generator
 from fastapi import Depends, HTTPException, Request, status
 from config.settings import Settings, get_settings
 from models import Project, Role, Scenario, User
 from services.authorization import (
    ensure_project_access as ensure_project_access_helper,
    ensure_scenario_access as ensure_scenario_access_helper,
    ensure_scenario_in_project as ensure_scenario_in_project_helper,
 )
 from services.exceptions import AuthorizationError, EntityNotFoundError
 from services.security import JWTSettings
 from services.session import (
    AuthSession,
    SessionStrategy,
    SessionTokens,
    build_session_strategy,
    extract_session_tokens,
 )
 from services.unit_of_work import UnitOfWork
 from services.importers import ImportIngestionService
 from services.pricing import PricingMetadata
 from services.scenario_evaluation import ScenarioPricingConfig, ScenarioPricingEvaluator
 from services.repositories import pricing_settings_to_metadata
 def get_unit_of_work() -> Generator[UnitOfWork, None, None]:
    """FastAPI dependency yielding a unit-of-work instance."""
    with UnitOfWork() as uow:
        yield uow
 _IMPORT_INGESTION_SERVICE = ImportIngestionService(lambda: UnitOfWork())
 def get_import_ingestion_service() -> ImportIngestionService:
    """Provide singleton import ingestion service."""
    return _IMPORT_INGESTION_SERVICE
 def get_application_settings() -> Settings:
    """Provide cached application settings instance."""
    return get_settings()
 def get_pricing_metadata(
    settings: Settings = Depends(get_application_settings),
    uow: UnitOfWork = Depends(get_unit_of_work),
 ) -> PricingMetadata:
    """Return pricing metadata defaults sourced from persisted pricing settings."""
    stored = uow.get_pricing_metadata()
    if stored is not None:
        return stored
    fallback = settings.pricing_metadata()
    seed_result = uow.ensure_default_pricing_settings(metadata=fallback)
    return pricing_settings_to_metadata(seed_result.settings)
 def get_pricing_evaluator(
    metadata: PricingMetadata = Depends(get_pricing_metadata),
 ) -> ScenarioPricingEvaluator:
    """Provide a configured scenario pricing evaluator."""
    return ScenarioPricingEvaluator(ScenarioPricingConfig(metadata=metadata))
 def get_jwt_settings() -> JWTSettings:
    """Provide JWT runtime configuration derived from settings."""
    return get_settings().jwt_settings()
 def get_session_strategy(
    settings: Settings = Depends(get_application_settings),
 ) -> SessionStrategy:
    """Yield configured session transport strategy."""
    return build_session_strategy(settings.session_settings())
 def get_session_tokens(
    request: Request,
    strategy: SessionStrategy = Depends(get_session_strategy),
 ) -> SessionTokens:
    """Extract raw session tokens from the incoming request."""
    existing = getattr(request.state, "auth_session", None)
    if isinstance(existing, AuthSession):
        return existing.tokens
    tokens = extract_session_tokens(request, strategy)
    request.state.auth_session = AuthSession(tokens=tokens)
    return tokens
 def get_auth_session(
    request: Request,
    tokens: SessionTokens = Depends(get_session_tokens),
 ) -> AuthSession:
    """Provide authentication session context for the current request."""
    existing = getattr(request.state, "auth_session", None)
    if isinstance(existing, AuthSession):
        return existing
    if tokens.is_empty:
        session = AuthSession.anonymous()
    else:
        session = AuthSession(tokens=tokens)
    request.state.auth_session = session
    return session
 def get_current_user(
    session: AuthSession = Depends(get_auth_session),
 ) -> User | None:
    """Return the current authenticated user if present."""
    return session.user
 def require_current_user(
    session: AuthSession = Depends(get_auth_session),
 ) -> User:
    """Ensure that a request is authenticated and return the user context."""
    if session.user is None or session.tokens.is_empty:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Authentication required.",
        )
    return session.user
 def require_authenticated_user(
    user: User = Depends(require_current_user),
 ) -> User:
    """Ensure the current user account is active."""
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="User account is disabled.",
        )
    return user
 def _user_role_names(user: User) -> set[str]:
    roles: Iterable[Role] = getattr(user, "roles", []) or []
    return {role.name for role in roles}
 def require_roles(*roles: str) -> Callable[[User], User]:
    """Dependency factory enforcing membership in one of the given roles."""
    required = tuple(role.strip() for role in roles if role.strip())
    if not required:
        raise ValueError("require_roles requires at least one role name")
    def _dependency(user: User = Depends(require_authenticated_user)) -> User:
        if user.is_superuser:
            return user
        role_names = _user_role_names(user)
        if not any(role in role_names for role in required):
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Insufficient permissions for this action.",
            )
        return user
    return _dependency
 def require_any_role(*roles: str) -> Callable[[User], User]:
    """Alias of require_roles for readability in some contexts."""
    return require_roles(*roles)
 def require_project_resource(*, require_manage: bool = False) -> Callable[[int], Project]:
    """Dependency factory that resolves a project with authorization checks."""
    def _dependency(
        project_id: int,
        user: User = Depends(require_authenticated_user),
        uow: UnitOfWork = Depends(get_unit_of_work),
    ) -> Project:
        try:
            return ensure_project_access_helper(
                uow,
                project_id=project_id,
                user=user,
                require_manage=require_manage,
            )
        except EntityNotFoundError as exc:
            raise HTTPException(
                status_code=status.HTTP_404_NOT_FOUND,
                detail=str(exc),
            ) from exc
        except AuthorizationError as exc:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=str(exc),
            ) from exc
    return _dependency
 def require_scenario_resource(
    *, require_manage: bool = False, with_children: bool = False
 ) -> Callable[[int], Scenario]:
    """Dependency factory that resolves a scenario with authorization checks."""
    def _dependency(
        scenario_id: int,
        user: User = Depends(require_authenticated_user),
        uow: UnitOfWork = Depends(get_unit_of_work),
    ) -> Scenario:
        try:
            return ensure_scenario_access_helper(
                uow,
                scenario_id=scenario_id,
                user=user,
                require_manage=require_manage,
                with_children=with_children,
            )
        except EntityNotFoundError as exc:
            raise HTTPException(
                status_code=status.HTTP_404_NOT_FOUND,
                detail=str(exc),
            ) from exc
        except AuthorizationError as exc:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=str(exc),
            ) from exc
    return _dependency
 def require_project_scenario_resource(
    *, require_manage: bool = False, with_children: bool = False
 ) -> Callable[[int, int], Scenario]:
    """Dependency factory ensuring a scenario belongs to the given project and is accessible."""
    def _dependency(
        project_id: int,
        scenario_id: int,
        user: User = Depends(require_authenticated_user),
        uow: UnitOfWork = Depends(get_unit_of_work),
    ) -> Scenario:
        try:
            return ensure_scenario_in_project_helper(
                uow,
                project_id=project_id,
                scenario_id=scenario_id,
                user=user,
                require_manage=require_manage,
                with_children=with_children,
            )
        except EntityNotFoundError as exc:
            raise HTTPException(
                status_code=status.HTTP_404_NOT_FOUND,
                detail=str(exc),
            ) from exc
        except AuthorizationError as exc:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=str(exc),
            ) from exc
    return _dependency
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -0,0 +1,60 @@
 version: "3.8"
 services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        APT_CACHE_URL: ${APT_CACHE_URL:-}
    environment:
      - ENVIRONMENT=development
      - DEBUG=true
      - LOG_LEVEL=DEBUG
      # Override database to use local postgres service
      - DATABASE_HOST=postgres
      - DATABASE_PORT=5432
      - DATABASE_USER=calminer
      - DATABASE_PASSWORD=calminer_password
      - DATABASE_NAME=calminer_db
      - DATABASE_DRIVER=postgresql
      # Development-specific settings
      - CALMINER_EXPORT_MAX_ROWS=1000
      - CALMINER_IMPORT_MAX_ROWS=10000
    volumes:
      # Mount source code for live reloading (if using --reload)
      - .:/app:ro
      # Override logs volume to local for easier access
      - ./logs:/app/logs
    ports:
      - "8003:8003"
    # Override command for development with reload
    command:
      [
        "uvicorn",
        "main:app",
        "--host",
        "0.0.0.0",
        "--port",
        "8003",
        "--reload",
        "--workers",
        "1",
      ]
    depends_on:
      - postgres
    restart: unless-stopped
  postgres:
    environment:
      - POSTGRES_USER=calminer
      - POSTGRES_PASSWORD=calminer_password
      - POSTGRES_DB=calminer_db
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
 volumes:
  postgres_data:
--- a/docker-compose.postgres.yml
+++ b/docker-compose.postgres.yml
@@ -1,23 +0,0 @@
 version: "3.9"
 services:
  postgres:
    image: postgres:16-alpine
    container_name: calminer_postgres_local
    restart: unless-stopped
    environment:
      POSTGRES_DB: calminer_local
      POSTGRES_USER: calminer
      POSTGRES_PASSWORD: secret
    ports:
      - "5433:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U calminer -d calminer_local"]
      interval: 10s
      timeout: 5s
      retries: 10
    volumes:
      - postgres_data:/var/lib/postgresql/data
 volumes:
  postgres_data:
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -0,0 +1,77 @@
 version: "3.8"
 services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        APT_CACHE_URL: ${APT_CACHE_URL:-}
    environment:
      - ENVIRONMENT=production
      - DEBUG=false
      - LOG_LEVEL=WARNING
      # Database configuration - must be provided externally
      - DATABASE_HOST=${DATABASE_HOST}
      - DATABASE_PORT=${DATABASE_PORT:-5432}
      - DATABASE_USER=${DATABASE_USER}
      - DATABASE_PASSWORD=${DATABASE_PASSWORD}
      - DATABASE_NAME=${DATABASE_NAME}
      - DATABASE_DRIVER=postgresql
      # Production-specific settings
      - CALMINER_EXPORT_MAX_ROWS=100000
      - CALMINER_IMPORT_MAX_ROWS=100000
      - CALMINER_EXPORT_METADATA=true
      - CALMINER_IMPORT_STAGING_TTL=3600
    ports:
      - "8003:8003"
    depends_on:
      postgres:
        condition: service_healthy
    restart: unless-stopped
    # Production health checks
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8003/health"]
      interval: 60s
      timeout: 30s
      retries: 5
      start_period: 60s
    # Resource limits for production
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 1G
        reservations:
          cpus: "0.5"
          memory: 512M
  postgres:
    environment:
      - POSTGRES_USER=${DATABASE_USER}
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=${DATABASE_NAME}
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
    # Production postgres health check
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${DATABASE_USER} -d ${DATABASE_NAME}"]
      interval: 60s
      timeout: 30s
      retries: 5
      start_period: 60s
    # Resource limits for postgres
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 2G
        reservations:
          cpus: "0.5"
          memory: 1G
 volumes:
  postgres_data:
--- a/docker-compose.staging.yml
+++ b/docker-compose.staging.yml
@@ -0,0 +1,62 @@
 version: "3.8"
 services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        APT_CACHE_URL: ${APT_CACHE_URL:-}
    environment:
      - ENVIRONMENT=staging
      - DEBUG=false
      - LOG_LEVEL=INFO
      # Database configuration - can be overridden by external env
      - DATABASE_HOST=${DATABASE_HOST:-postgres}
      - DATABASE_PORT=${DATABASE_PORT:-5432}
      - DATABASE_USER=${DATABASE_USER:-calminer}
      - DATABASE_PASSWORD=${DATABASE_PASSWORD}
      - DATABASE_NAME=${DATABASE_NAME:-calminer_db}
      - DATABASE_DRIVER=postgresql
      # Staging-specific settings
      - CALMINER_EXPORT_MAX_ROWS=50000
      - CALMINER_IMPORT_MAX_ROWS=50000
      - CALMINER_EXPORT_METADATA=true
      - CALMINER_IMPORT_STAGING_TTL=600
    ports:
      - "8003:8003"
    depends_on:
      - postgres
    restart: unless-stopped
    # Health check for staging
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8003/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
  postgres:
    environment:
      - POSTGRES_USER=${DATABASE_USER:-calminer}
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=${DATABASE_NAME:-calminer_db}
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
    # Health check for postgres
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "pg_isready -U ${DATABASE_USER:-calminer} -d ${DATABASE_NAME:-calminer_db}",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
 volumes:
  postgres_data:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,38 @@
 version: "3.8"
 services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8003:8003"
    environment:
      # Environment-specific variables should be set in override files
      - ENVIRONMENT=${ENVIRONMENT:-production}
      - DATABASE_HOST=${DATABASE_HOST:-postgres}
      - DATABASE_PORT=${DATABASE_PORT:-5432}
      - DATABASE_USER=${DATABASE_USER}
      - DATABASE_PASSWORD=${DATABASE_PASSWORD}
      - DATABASE_NAME=${DATABASE_NAME}
      - DATABASE_DRIVER=postgresql
    depends_on:
      - postgres
    volumes:
      - ./logs:/app/logs
    restart: unless-stopped
  postgres:
    image: postgres:17
    environment:
      - POSTGRES_USER=${DATABASE_USER}
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB=${DATABASE_NAME}
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
 volumes:
  postgres_data:
--- a/docs/architecture/01_introduction_and_goals.md
+++ b/docs/architecture/01_introduction_and_goals.md
@@ -1,62 +0,0 @@
 ---
 title: "01 — Introduction and Goals"
 description: "System purpose, stakeholders, and high-level goals; project introduction and business/technical goals."
 status: draft
 ---
 # 01 — Introduction and Goals
 ## Purpose
 CalMiner aims to provide a comprehensive platform for mining project scenario analysis, enabling stakeholders to make informed decisions based on data-driven insights.
 ## Stakeholders
 - **Project Managers**: Require tools for scenario planning and risk assessment.
 - **Data Analysts**: Need access to historical data and simulation results for analysis.
 - **Executives**: Seek high-level insights and reporting for strategic decision-making.
 ## High-Level Goals
 1. **Comprehensive Scenario Analysis**: Enable users to create and analyze multiple project scenarios to assess risks and opportunities.
 2. **Data-Driven Decision Making**: Provide stakeholders with the insights needed to make informed decisions based on simulation results.
 3. **User-Friendly Interface**: Ensure the platform is accessible and easy to use for all stakeholders, regardless of technical expertise.
 ## System Overview
 FastAPI application that collects mining project inputs, persists scenario-specific records, and surfaces aggregated insights. The platform targets Monte Carlo driven planning, with deterministic CRUD features in place and simulation logic staged for future work.
 Frontend components are server-rendered Jinja2 templates, with Chart.js powering the dashboard visualization. The backend leverages SQLAlchemy for ORM mapping to a PostgreSQL database.
 ### Runtime Flow
 1. Users navigate to form templates or API clients to manage scenarios, parameters, and operational data.
 2. FastAPI routers validate payloads with Pydantic models, then delegate to SQLAlchemy sessions for persistence.
 3. Simulation runs (placeholder `services/simulation.py`) will consume stored parameters to emit iteration results via `/api/simulations/run`.
 4. Reporting requests POST simulation outputs to `/api/reporting/summary`; the reporting service calculates aggregates (count, min/max, mean, median, percentiles, standard deviation, variance, and tail-risk metrics at the 95% confidence level).
 5. `templates/Dashboard.html` fetches summaries, renders metric cards, and plots distribution charts with Chart.js for stakeholder review.
 ### Current implementation status (summary)
 - Currency normalization, simulation scaffold, and reporting service exist; see [quickstart](../quickstart.md) for full status and migration instructions.
 ## MVP Features (migrated)
 The following MVP features and priorities were defined during initial planning.
 ### Prioritized Features
 1. **Scenario Creation and Management** (High Priority): Allow users to create, edit, and delete scenarios. Rationale: Core functionality for what-if analysis.
 1. **Parameter Input and Validation** (High Priority): Input process parameters with validation. Rationale: Ensures data integrity for simulations.
 1. **Monte Carlo Simulation Run** (High Priority): Execute simulations and store results. Rationale: Key differentiator for risk analysis.
 1. **Basic Reporting** (Medium Priority): Display NPV, IRR, EBITDA from simulation results. Rationale: Essential for decision-making.
 1. **Cost Tracking Dashboard** (Medium Priority): Visualize CAPEX and OPEX. Rationale: Helps monitor expenses.
 1. **Consumption Monitoring** (Low Priority): Track resource consumption. Rationale: Useful for optimization.
 1. **User Authentication** (Medium Priority): Basic login/logout. Rationale: Security for multi-user access.
 1. **Export Results** (Low Priority): Export simulation data to CSV/PDF. Rationale: For external analysis.
 ### Rationale for Prioritization
 - High: Core simulation and scenario features first.
 - Medium: Reporting and auth for usability.
 - Low: Nice-to-haves after basics.
--- a/docs/architecture/02_architecture_constraints.md
+++ b/docs/architecture/02_architecture_constraints.md
@@ -1,175 +0,0 @@
 ---
 title: "02 — Architecture Constraints"
 description: "Document imposed constraints: technical, organizational, regulatory, and environmental constraints that affect architecture decisions."
 status: skeleton
 ---
 # 02 — Architecture Constraints
 ## Technical Constraints
 > e.g., choice of FastAPI, PostgreSQL, SQLAlchemy, Chart.js, Jinja2 templates.
 The architecture of CalMiner is influenced by several technical constraints that shape its design and implementation:
 1. **Framework Selection**: The choice of FastAPI as the web framework imposes constraints on how the application handles requests, routing, and middleware. FastAPI's asynchronous capabilities must be leveraged appropriately to ensure optimal performance.
 2. **Database Technology**: The use of PostgreSQL as the primary database system dictates the data modeling, querying capabilities, and transaction management strategies. SQLAlchemy ORM is used for database interactions, which requires adherence to its conventions and limitations.
 3. **Frontend Technologies**: The decision to use Jinja2 for server-side templating and Chart.js for data visualization influences the structure of the frontend code and the way dynamic content is rendered.
 4. **Simulation Logic**: The Monte Carlo simulation logic must be designed to efficiently handle large datasets and perform computations within the constraints of the chosen programming language (Python) and its libraries.
 ## Organizational Constraints
 > e.g., team skillsets, development workflows, CI/CD pipelines.
 Restrictions arising from organizational factors include:
 1. **Team Expertise**: The development team’s familiarity with FastAPI, SQLAlchemy, and frontend technologies like Jinja2 and Chart.js influences the architecture choices to ensure maintainability and ease of development.
 2. **Development Processes**: The adoption of Agile methodologies and CI/CD pipelines (using Gitea Actions) shapes the architecture to support continuous integration, automated testing, and deployment practices.
 3. **Collaboration Tools**: The use of specific collaboration and version control tools (e.g., Gitea) affects how code is managed, reviewed, and integrated, impacting the overall architecture and development workflow.
 4. **Documentation Standards**: The requirement for comprehensive documentation (as seen in the `docs/` folder) necessitates an architecture that is well-structured and easy to understand for both current and future team members.
 5. **Knowledge Sharing**: The need for effective knowledge sharing and onboarding processes influences the architecture to ensure that it is accessible and understandable for new team members.
 6. **Resource Availability**: The availability of hardware, software, and human resources within the organization can impose constraints on the architecture, affecting decisions related to scalability, performance, and feature implementation.
 ## Regulatory Constraints
 > e.g., data privacy laws, industry standards.
 Regulatory constraints that impact the architecture of CalMiner include:
 1. **Data Privacy Compliance**: The architecture must ensure compliance with data privacy regulations such as GDPR or CCPA, which may dictate how user data is collected, stored, and processed.
 2. **Industry Standards**: Adherence to industry-specific standards and best practices may influence the design of data models, security measures, and reporting functionalities.
 3. **Auditability**: The system may need to incorporate logging and auditing features to meet regulatory requirements, affecting the architecture of data storage and access controls.
 4. **Data Retention Policies**: Regulatory requirements regarding data retention and deletion may impose constraints on how long certain types of data can be stored, influencing database design and data lifecycle management.
 5. **Security Standards**: Compliance with security standards (e.g., ISO/IEC 27001) may necessitate the implementation of specific security measures, such as encryption, access controls, and vulnerability management, which impact the overall architecture.
 ## Environmental Constraints
 > e.g., deployment environments, cloud provider limitations.
 Environmental constraints affecting the architecture include:
 1. **Deployment Environments**: The architecture must accommodate various deployment environments (development, testing, production) with differing configurations and resource allocations.
 2. **Cloud Provider Limitations**: If deployed on a specific cloud provider, the architecture may need to align with the provider's services, limitations, and best practices, such as using managed databases or specific container orchestration tools.
 3. **Containerization**: The use of Docker for containerization imposes constraints on how the application is packaged, deployed, and scaled, influencing the architecture to ensure compatibility with container orchestration platforms.
 4. **Scalability Requirements**: The architecture must be designed to scale efficiently based on anticipated load and usage patterns, considering the limitations of the chosen infrastructure.
 ## Performance Constraints
 > e.g., response time requirements, scalability needs.
 Current performance constraints include:
 1. **Response Time Requirements**: The architecture must ensure that the system can respond to user requests within a specified time frame, which may impact design decisions related to caching, database queries, and API performance.
 2. **Scalability Needs**: The system should be able to handle increased load and user traffic without significant degradation in performance, necessitating a scalable architecture that can grow with demand.
 ## Security Constraints
 > e.g., authentication mechanisms, data encryption standards.
 ## Budgetary Constraints
 > e.g., licensing costs, infrastructure budgets.
 ## Time Constraints
 > e.g., project deadlines, release schedules.
 ## Interoperability Constraints
 > e.g., integration with existing systems, third-party services.
 ## Maintainability Constraints
 > e.g., code modularity, documentation standards.
 ## Usability Constraints
 > e.g., user interface design principles, accessibility requirements.
 ## Data Constraints
 > e.g., data storage formats, data retention policies.
 ## Deployment Constraints
 > e.g., deployment environments, cloud provider limitations.
 ## Testing Constraints
 > e.g., testing frameworks, test coverage requirements.
 ## Localization Constraints
 > e.g., multi-language support, regional settings.
 ## Versioning Constraints
 > e.g., API versioning strategies, backward compatibility.
 ## Monitoring Constraints
 > e.g., logging standards, performance monitoring tools.
 ## Backup and Recovery Constraints
 > e.g., data backup frequency, disaster recovery plans.
 ## Development Constraints
 > e.g., coding languages, frameworks, libraries to be used or avoided.
 ## Collaboration Constraints
 > e.g., communication tools, collaboration platforms.
 ## Documentation Constraints
 > e.g., documentation tools, style guides.
 ## Training Constraints
 > e.g., training programs, skill development initiatives.
 ## Support Constraints
 > e.g., support channels, response time expectations.
 ## Legal Constraints
 > e.g., compliance requirements, intellectual property considerations.
 ## Ethical Constraints
 > e.g., ethical considerations in data usage, user privacy.
 ## Environmental Impact Constraints
 > e.g., energy consumption considerations, sustainability goals.
 ## Innovation Constraints
 > e.g., limitations on adopting new technologies, risk tolerance for experimentation.
 ## Cultural Constraints
 > e.g., organizational culture, team dynamics affecting development practices.
 ## Stakeholder Constraints
 > e.g., stakeholder expectations, communication preferences.
 ## Change Management Constraints
 > e.g., processes for handling changes, version control practices.
 ## Resource Constraints
 > e.g., availability of hardware, software, and human resources.
 ## Process Constraints
 > e.g., development methodologies (Agile, Scrum), project management tools.
 ## Quality Constraints
 > e.g., code quality standards, testing requirements.
--- a/docs/architecture/03_context_and_scope.md
+++ b/docs/architecture/03_context_and_scope.md
@@ -1,57 +0,0 @@
 ---
 title: "03 — Context and Scope"
 description: "Describe system context, external actors, and the scope of the architecture."
 status: draft
 ---
 # 03 — Context and Scope
 ## System Context
 The CalMiner system operates within the context of mining project management, providing tools for scenario analysis and decision support. It interacts with various data sources, including historical project data and real-time operational metrics.
 ## External Actors
 - **Project Managers**: Utilize the platform for scenario planning and risk assessment.
 - **Data Analysts**: Analyze simulation results and derive insights.
 - **Executives**: Review high-level reports and dashboards for strategic decision-making.
 ## Scope of the Architecture
 The architecture encompasses the following key areas:
 1. **Data Ingestion**: Mechanisms for collecting and processing data from various sources.
 2. **Data Storage**: Solutions for storing and managing historical and real-time data.
 3. **Simulation Engine**: Core algorithms and models for scenario analysis.
   3.1. **Modeling Framework**: Tools for defining and managing simulation models.
   3.2. **Parameter Management**: Systems for handling input parameters and configurations.
   3.3. **Execution Engine**: Infrastructure for running simulations and processing results.
   3.4. **Result Storage**: Systems for storing simulation outputs for analysis and reporting.
 4. **Financial Reporting**: Tools for generating reports and visualizations based on simulation outcomes.
 5. **Risk Assessment**: Frameworks for identifying and evaluating potential project risks.
 6. **Profitability Analysis**: Modules for calculating and analyzing project profitability metrics.
 7. **User Interface**: Design and implementation of the user-facing components of the system.
 8. **Security and Compliance**: Measures to ensure data security and regulatory compliance.
 9. **Scalability and Performance**: Strategies for ensuring the system can handle increasing data volumes and user loads.
 10. **Integration Points**: Interfaces for integrating with external systems and services.
 11. **Monitoring and Logging**: Systems for tracking system performance and user activity.
 12. **Maintenance and Support**: Processes for ongoing system maintenance and user support.
 ## Diagram
 ```mermaid
 sequenceDiagram
    participant PM as Project Manager
    participant DA as Data Analyst
    participant EX as Executive
    participant CM as CalMiner System
    PM->>CM: Create and manage scenarios
    DA->>CM: Analyze simulation results
    EX->>CM: Review reports and dashboards
    CM->>PM: Provide scenario planning tools
    CM->>DA: Deliver analysis insights
    CM->>EX: Generate high-level reports
 ```
 This diagram illustrates the key components of the CalMiner system and their interactions with external actors.
--- a/docs/architecture/04_solution_strategy.md
+++ b/docs/architecture/04_solution_strategy.md
@@ -1,49 +0,0 @@
 ---
 title: "04 — Solution Strategy"
 description: "High-level solution strategy describing major approaches, technology choices, and trade-offs."
 status: draft
 ---
 # 04 — Solution Strategy
 This section outlines the high-level solution strategy for implementing the CalMiner system, focusing on major approaches, technology choices, and trade-offs.
 ## Client-Server Architecture
 - **Backend**: FastAPI serves as the backend framework, providing RESTful APIs for data management, simulation execution, and reporting. It leverages SQLAlchemy for ORM-based database interactions with PostgreSQL.
 - **Frontend**: Server-rendered Jinja2 templates deliver dynamic HTML views, enhanced with Chart.js for interactive data visualizations. This approach balances performance and simplicity, avoiding the complexity of a full SPA.
 - **Middleware**: Custom middleware handles JSON validation to ensure data integrity before processing requests.
 ## Technology Choices
 - **FastAPI**: Chosen for its high performance, ease of use, and modern features like async support and automatic OpenAPI documentation.
 - **PostgreSQL**: Selected for its robustness, scalability, and support for complex queries, making it suitable for handling the diverse data needs of mining project management.
 - **SQLAlchemy**: Provides a flexible and powerful ORM layer, facilitating database interactions while maintaining code readability and maintainability.
 - **Chart.js**: Utilized for its simplicity and effectiveness in rendering interactive charts, enhancing the user experience on the dashboard.
 - **Jinja2**: Enables server-side rendering of HTML templates, allowing for dynamic content generation while keeping the frontend lightweight.
 - **Pydantic**: Used for data validation and serialization, ensuring that incoming request payloads conform to expected schemas.
 - **Docker**: Employed for containerization, ensuring consistent deployment across different environments and simplifying dependency management.
 - **Redis**: Used as an in-memory data store to cache frequently accessed data, improving application performance and reducing database load.
 ## Trade-offs
 - **Server-Rendered vs. SPA**: Opted for server-rendered templates over a single-page application (SPA) to reduce complexity and improve initial load times, at the cost of some interactivity.
 - **Synchronous vs. Asynchronous**: While FastAPI supports async operations, the initial implementation focuses on synchronous request handling for simplicity, with plans to introduce async features as needed.
 - **Monolithic vs. Microservices**: The initial architecture follows a monolithic approach for ease of development and deployment, with the possibility of refactoring into microservices as the system scales.
 - **In-Memory Caching**: Implementing Redis for caching introduces additional infrastructure complexity but significantly enhances performance for read-heavy operations.
 - **Database Choice**: PostgreSQL was chosen over NoSQL alternatives due to the structured nature of the data and the need for complex querying capabilities, despite potential scalability challenges.
 - **Technology Familiarity**: Selected technologies align with the team's existing skill set to minimize the learning curve and accelerate development, even if some alternatives may offer marginally better performance or features.
 - **Extensibility vs. Simplicity**: The architecture is designed to be extensible for future features (e.g., Monte Carlo simulation engine) while maintaining simplicity in the initial implementation to ensure timely delivery of core functionalities.
 ## Future Considerations
 - **Scalability**: As the user base grows, consider transitioning to a microservices architecture and implementing load balancing strategies.
 - **Asynchronous Processing**: Introduce asynchronous task queues (e.g., Celery) for long-running simulations to improve responsiveness.
 - **Enhanced Frontend**: Explore the possibility of integrating a frontend framework (e.g., React or Vue.js) for more dynamic user interactions in future iterations.
 - **Advanced Analytics**: Plan for integrating advanced analytics and machine learning capabilities to enhance simulation accuracy and reporting insights.
 - **Security Enhancements**: Implement robust authentication and authorization mechanisms to protect sensitive data and ensure compliance with industry standards.
 - **Continuous Integration/Continuous Deployment (CI/CD)**: Establish CI/CD pipelines to automate testing, building, and deployment processes for faster and more reliable releases.
 - **Monitoring and Logging**: Integrate monitoring tools (e.g., Prometheus, Grafana) and centralized logging solutions (e.g., ELK stack) to track application performance and troubleshoot issues effectively.
 - **User Feedback Loop**: Implement mechanisms for collecting user feedback to inform future development priorities and improve user experience.
 - **Documentation**: Maintain comprehensive documentation for both developers and end-users to facilitate onboarding and effective use of the system.
 - **Testing Strategy**: Develop a robust testing strategy, including unit, integration, and end-to-end tests, to ensure code quality and reliability as the system evolves.
--- a/docs/architecture/04_solution_strategy/04_01_implementation_plan_20251020.md
+++ b/docs/architecture/04_solution_strategy/04_01_implementation_plan_20251020.md
@@ -1,110 +0,0 @@
 # Implementation Plan 2025-10-20
 This file contains the implementation plan (MVP features, steps, and estimates).
 ## Project Setup
 1. Connect to PostgreSQL database with schema `calminer`.
 1. Create and activate a virtual environment and install dependencies via `requirements.txt`.
 1. Define database environment variables in `.env` (e.g., `DATABASE_DRIVER`, `DATABASE_HOST`, `DATABASE_PORT`, `DATABASE_USER`, `DATABASE_PASSWORD`, `DATABASE_NAME`, optional `DATABASE_SCHEMA`).
 1. Configure FastAPI entrypoint in `main.py` to include routers.
 ## Feature: Scenario Management
 ### Scenario Management — Steps
 1. Create `models/scenario.py` for scenario CRUD.
 1. Implement API endpoints in `routes/scenarios.py` (GET, POST, PUT, DELETE).
 1. Write unit tests in `tests/unit/test_scenario.py`.
 1. Build UI component `components/ScenarioForm.html`.
 ## Feature: Process Parameters
 ### Parameters — Steps
 1. Create `models/parameters.py` for process parameters.
 1. Implement Pydantic schemas in `routes/parameters.py`.
 1. Add validation middleware in `middleware/validation.py`.
 1. Write unit tests in `tests/unit/test_parameter.py`.
 1. Build UI component `components/ParameterInput.html`.
 ## Feature: Stochastic Variables
 ### Stochastic Variables — Steps
 1. Create `models/distribution.py` for variable distributions.
 1. Implement API routes in `routes/distributions.py`.
 1. Write Pydantic schemas and validations.
 1. Write unit tests in `tests/unit/test_distribution.py`.
 1. Build UI component `components/DistributionEditor.html`.
 ## Feature: Cost Tracking
 ### Cost Tracking — Steps
 1. Create `models/capex.py` and `models/opex.py`.
 1. Implement API routes in `routes/costs.py`.
 1. Write Pydantic schemas for CAPEX/OPEX.
 1. Write unit tests in `tests/unit/test_costs.py`.
 1. Build UI component `components/CostForm.html`.
 ## Feature: Consumption Tracking
 ### Consumption Tracking — Steps
 1. Create models for consumption: `chemical_consumption.py`, `fuel_consumption.py`, `water_consumption.py`, `scrap_consumption.py`.
 1. Implement API routes in `routes/consumption.py`.
 1. Write Pydantic schemas for consumption data.
 1. Write unit tests in `tests/unit/test_consumption.py`.
 1. Build UI component `components/ConsumptionDashboard.html`.
 ## Feature: Production Output
 ### Production Output — Steps
 1. Create `models/production_output.py`.
 1. Implement API routes in `routes/production.py`.
 1. Write Pydantic schemas for production output.
 1. Write unit tests in `tests/unit/test_production.py`.
 1. Build UI component `components/ProductionChart.html`.
 ## Feature: Equipment Management
 ### Equipment Management — Steps
 1. Create `models/equipment.py` for equipment data.
 1. Implement API routes in `routes/equipment.py`.
 1. Write Pydantic schemas for equipment.
 1. Write unit tests in `tests/unit/test_equipment.py`.
 1. Build UI component `components/EquipmentList.html`.
 ## Feature: Maintenance Logging
 ### Maintenance Logging — Steps
 1. Create `models/maintenance.py` for maintenance events.
 1. Implement API routes in `routes/maintenance.py`.
 1. Write Pydantic schemas for maintenance logs.
 1. Write unit tests in `tests/unit/test_maintenance.py`.
 1. Build UI component `components/MaintenanceLog.html`.
 ## Feature: Monte Carlo Simulation Engine
 ### Monte Carlo Engine — Steps
 1. Implement Monte Carlo logic in `services/simulation.py`.
 1. Persist results in `models/simulation_result.py`.
 1. Expose endpoint in `routes/simulations.py`.
 1. Write integration tests in `tests/unit/test_simulation.py`.
 1. Build UI component `components/SimulationRunner.html`.
 ## Feature: Reporting / Dashboard
 ### Reporting / Dashboard — Steps
 1. Implement report calculations in `services/reporting.py`.
 1. Add detailed and summary endpoints in `routes/reporting.py`.
 1. Write unit tests in `tests/unit/test_reporting.py`.
 1. Enhance UI in `components/Dashboard.html` with charts.
 See [UI and Style](../13_ui_and_style.md) for the UI template audit, layout guidance, and next steps.
--- a/docs/architecture/05_building_block_view.md
+++ b/docs/architecture/05_building_block_view.md
@@ -1,57 +0,0 @@
 ---
 title: "05 — Building Block View"
 description: "Explain the static structure: modules, components, services and their relationships."
 status: draft
 ---
 # 05 — Building Block View
 ## Architecture overview
 This overview complements [architecture](README.md) with a high-level map of CalMiner's module layout and request flow.
 Refer to the detailed architecture chapters in `docs/architecture/`:
 - Module map & components: [Building Block View](05_building_block_view.md)
 - Request flow & runtime interactions: [Runtime View](06_runtime_view.md)
 - Simulation roadmap & strategy: [Solution Strategy](04_solution_strategy.md)
 ## System Components
 ### Backend
 - **FastAPI application** (`main.py`): entry point that configures routers, middleware, and startup/shutdown events.
 - **Routers** (`routes/`): modular route handlers for scenarios, parameters, costs, consumption, production, equipment, maintenance, simulations, and reporting. Each router defines RESTful endpoints, request/response schemas, and orchestrates service calls.
  - leveraging a shared dependency module (`routes/dependencies.get_db`) for SQLAlchemy session management.
 - **Models** (`models/`): SQLAlchemy ORM models representing database tables and relationships, encapsulating domain entities like Scenario, CapEx, OpEx, Consumption, ProductionOutput, Equipment, Maintenance, and SimulationResult.
 - **Services** (`services/`): business logic layer that processes data, performs calculations, and interacts with models. Key services include reporting calculations and Monte Carlo simulation scaffolding.
 - **Database** (`config/database.py`): sets up the SQLAlchemy engine and session management for PostgreSQL interactions.
 ### Frontend
 - **Templates** (`templates/`): Jinja2 templates for server-rendered HTML views, extending a shared base layout with a persistent sidebar for navigation.
 - **Static Assets** (`static/`): CSS and JavaScript files for styling and interactivity. Shared CSS variables in `static/css/main.css` define the color palette, while page-specific JS modules in `static/js/` handle dynamic behaviors.
 - **Reusable partials** (`templates/partials/components.html`): macro library that standardises select inputs, feedback/empty states, and table wrappers so pages remain consistent while keeping DOM hooks stable for existing JavaScript modules.
 ### Middleware & Utilities
 - **Middleware** (`middleware/validation.py`): applies JSON validation before requests reach routers.
 - **Testing** (`tests/unit/`): pytest suite covering route and service behavior, including UI rendering checks and negative-path router validation tests to ensure consistent HTTP error semantics. Playwright end-to-end coverage is planned for core smoke flows (dashboard load, scenario inputs, reporting) and will attach in CI once scaffolding is completed.
 ## Module Map (code)
 - `scenario.py`: central scenario entity with relationships to cost, consumption, production, equipment, maintenance, and simulation results.
 - `capex.py`, `opex.py`: financial expenditures tied to scenarios.
 - `consumption.py`, `production_output.py`: operational data tables.
 - `equipment.py`, `maintenance.py`: asset management models.
 - `simulation_result.py`: stores Monte Carlo iteration outputs.
 ## Service Layer
 - `reporting.py`: computes aggregates (count, min/max, mean, median, percentiles, standard deviation, variance, tail-risk metrics) from simulation results.
 - `simulation.py`: scaffolds Monte Carlo simulation logic (currently in-memory; persistence planned).
 - `currency.py`: handles currency normalization for cost tables.
 - `utils.py`: shared helper functions (e.g., statistical calculations).
 - `validation.py`: JSON schema validation middleware.
 - `database.py`: SQLAlchemy engine and session setup.
 - `dependencies.py`: FastAPI dependency injection for DB sessions.
--- a/docs/architecture/06_runtime_view.md
+++ b/docs/architecture/06_runtime_view.md
@@ -1,288 +0,0 @@
 ---
 title: "06 — Runtime View"
 description: "Describe runtime aspects: request flows, lifecycle of key interactions, and runtime components."
 status: draft
 ---
 # 06 — Runtime View
 ## Overview
 The runtime view focuses on the dynamic behavior of the CalMiner application during execution. It illustrates how various components interact to fulfill user requests, process data, and generate outputs. Key runtime scenarios include scenario management, parameter input handling, cost tracking, consumption tracking, production output recording, equipment management, maintenance logging, Monte Carlo simulations, and reporting.
 ## Request Flow
 1. **User Interaction**: A user interacts with the web application through the UI, triggering actions such as creating a scenario, inputting parameters, or generating reports.
 2. **API Request**: The frontend sends HTTP requests (GET, POST, PUT, DELETE) to the appropriate API endpoints defined in the `routes/` directory.
 3. **Routing**: The FastAPI framework routes the incoming requests to the corresponding route handlers.
 4. **Service Layer**: Route handlers invoke services from the `services/` directory to process the business logic.
 5. **Database Interaction**: Services interact with the database via ORM models defined in the `models/` directory to perform CRUD operations.
 6. **Response Generation**: After processing, services return data to the route handlers, which format the response (JSON or HTML) and send it back to the frontend.
 7. **UI Update**: The frontend updates the UI based on the response, rendering new data or updating existing views.
 8. **Reporting Pipeline**: For reporting, data is aggregated from various sources, processed to generate statistics, and presented in the dashboard using Chart.js.
 9. **Monte Carlo Simulations**: Stochastic simulations are executed in the backend, generating probabilistic outcomes that are stored temporarily and used for risk analysis in reports.
 10. **Error Handling**: Throughout the process, error handling mechanisms ensure that exceptions are caught and appropriate responses are sent back to the user.
 Request flow diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant Service
   participant Database
   User->>Frontend: Interact with UI
   Frontend->>API: Send HTTP Request
   API->>Service: Route to Handler
   Service->>Database: Perform CRUD Operation
   Database-->>Service: Return Data
   Service-->>API: Return Processed Data
   API-->>Frontend: Send Response
   Frontend-->>User: Update UI
   participant Reporting
   Service->>Reporting: Aggregate Data
   Reporting-->>Service: Return Report Data
   Service-->>API: Return Report Response
   API-->>Frontend: Send Report Data
   Frontend-->>User: Render Report
   participant Simulation
   Service->>Simulation: Execute Monte Carlo Simulation
   Simulation-->>Service: Return Simulation Results
   Service-->>API: Return Simulation Data
   API-->>Frontend: Send Simulation Data
   Frontend-->>User: Display Simulation Results
 ```
 ## Key Runtime Scenarios
 ### Scenario Management
 1. User accesses the scenario list via the UI.
 2. The frontend sends a GET request to `/api/scenarios`.
 3. The `ScenarioService` retrieves scenarios from the database.
 4. The response is rendered in the UI.
 5. For scenario creation, the user submits a form, triggering a POST request to `/api/scenarios`, which the `ScenarioService` processes to create a new scenario in the database.
 6. The UI updates to reflect the new scenario.
 Scenario management diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant ScenarioService
   participant Database
   User->>Frontend: Access Scenario List
   Frontend->>API: GET /api/scenarios
   API->>ScenarioService: Route to Handler
   ScenarioService->>Database: Retrieve Scenarios
   Database-->>ScenarioService: Return Scenarios
   ScenarioService-->>API: Return Scenario Data
   API-->>Frontend: Send Response
   Frontend-->>User: Render Scenario List
   User->>Frontend: Submit New Scenario Form
   Frontend->>API: POST /api/scenarios
   API->>ScenarioService: Route to Handler
   ScenarioService->>Database: Create New Scenario
   Database-->>ScenarioService: Confirm Creation
   ScenarioService-->>API: Return New Scenario Data
   API-->>Frontend: Send Response
   Frontend-->>User: Update UI with New Scenario
 ```
 ### Process Parameter Input
 1. User navigates to the parameter input form.
 2. The frontend fetches existing parameters via a GET request to `/api/parameters`.
 3. The `ParameterService` retrieves parameters from the database.
 4. The response is rendered in the UI.
 5. For parameter updates, the user submits a form, triggering a PUT request to `/api/parameters/:id`, which the `ParameterService` processes to update the parameter in the database.
 6. The UI updates to reflect the changes.
 Parameter input diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant ParameterService
   participant Database
   User->>Frontend: Navigate to Parameter Input Form
   Frontend->>API: GET /api/parameters
   API->>ParameterService: Route to Handler
   ParameterService->>Database: Retrieve Parameters
   Database-->>ParameterService: Return Parameters
   ParameterService-->>API: Return Parameter Data
   API-->>Frontend: Send Response
   Frontend-->>User: Render Parameter Form
   User->>Frontend: Submit Parameter Update Form
   Frontend->>API: PUT /api/parameters/:id
   API->>ParameterService: Route to Handler
   ParameterService->>Database: Update Parameter
   Database-->>ParameterService: Confirm Update
   ParameterService-->>API: Return Updated Parameter Data
   API-->>Frontend: Send Response
   Frontend-->>User: Update UI with Updated Parameter
 ```
 ### Cost Tracking
 1. User accesses the cost tracking view.
 2. The frontend sends a GET request to `/api/costs` to fetch existing cost records.
 3. The `CostService` retrieves cost data from the database.
 4. The response is rendered in the UI.
 5. For cost updates, the user submits a form, triggering a PUT request to `/api/costs/:id`, which the `CostService` processes to update the cost record in the database.
 6. The UI updates to reflect the changes.
 Cost tracking diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant CostService
   participant Database
   User->>Frontend: Access Cost Tracking View
   Frontend->>API: GET /api/costs
   API->>CostService: Route to Handler
   CostService->>Database: Retrieve Cost Records
   Database-->>CostService: Return Cost Data
   CostService-->>API: Return Cost Data
   API-->>Frontend: Send Response
   Frontend-->>User: Render Cost Tracking View
   User->>Frontend: Submit Cost Update Form
   Frontend->>API: PUT /api/costs/:id
   API->>CostService: Route to Handler
   CostService->>Database: Update Cost Record
   Database-->>CostService: Confirm Update
   CostService-->>API: Return Updated Cost Data
   API-->>Frontend: Send Response
   Frontend-->>User: Update UI with Updated Cost Data
 ```
 ## Reporting Pipeline and UI Integration
 1. **Data Sources**
   - Scenario-linked calculations (costs, consumption, production) produce raw figures stored in dedicated tables (`capex`, `opex`, `consumption`, `production_output`).
   - Monte Carlo simulations (currently transient) generate arrays of `{ "result": float }` tuples that the dashboard or downstream tooling passes directly to reporting endpoints.
 2. **API Contract**
   - `POST /api/reporting/summary` accepts a JSON array of result objects and validates shape through `_validate_payload` in `routes/reporting.py`.
   - On success it returns a structured payload (`ReportSummary`) containing count, mean, median, min/max, standard deviation, and percentile values, all as floats.
 3. **Service Layer**
   - `services/reporting.generate_report` converts the sanitized payload into descriptive statistics using Python’s standard library (`statistics` module) to avoid external dependencies.
   - The service remains stateless; no database read/write occurs, which keeps summary calculations deterministic and idempotent.
   - Extended KPIs (surfaced in the API and dashboard):
     - `variance`: population variance computed as the square of the population standard deviation.
     - `percentile_5` and `percentile_95`: lower and upper tail interpolated percentiles for sensitivity bounds.
     - `value_at_risk_95`: 5th percentile threshold representing the minimum outcome within a 95% confidence band.
     - `expected_shortfall_95`: mean of all outcomes at or below the `value_at_risk_95`, highlighting tail exposure.
 4. **UI Consumption**
   - `templates/Dashboard.html` posts the user-provided dataset to the summary endpoint, renders metric cards for each field, and charts the distribution using Chart.js.
   - `SUMMARY_FIELDS` now includes variance, 5th/10th/90th/95th percentiles, and tail-risk metrics (VaR/Expected Shortfall at 95%); tooltip annotations surface the tail metrics alongside the percentile line chart.
   - Error handling surfaces HTTP failures inline so users can address malformed JSON or backend availability issues without leaving the page.
 Reporting pipeline diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant ReportingService
   User->>Frontend: Input Data for Reporting
   Frontend->>API: POST /api/reporting/summary
   API->>ReportingService: Route to Handler
   ReportingService->>ReportingService: Validate Payload
   ReportingService->>ReportingService: Compute Statistics
   ReportingService-->>API: Return Report Summary
   API-->>Frontend: Send Report Summary
   Frontend-->>User: Render Report Metrics and Charts
 ```
 ## Monte Carlo Simulation Execution
 1. User initiates a Monte Carlo simulation via the UI.
 2. The frontend sends a POST request to `/api/simulations/run` with simulation parameters.
 3. The `SimulationService` executes the Monte Carlo logic, generating stochastic results.
 4. The results are temporarily stored and returned to the frontend.
 5. The UI displays the simulation results and allows users to trigger reporting based on these outcomes.
 6. The reporting pipeline processes the simulation results as described above.
 7. Error handling ensures that any issues during simulation execution are communicated back to the user.
 8. Monte Carlo simulation diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant SimulationService
   User->>Frontend: Input Simulation Parameters
   Frontend->>API: POST /api/simulations/run
   API->>SimulationService: Route to Handler
   SimulationService->>SimulationService: Execute Monte Carlo Logic
   SimulationService-->>API: Return Simulation Results
   API-->>Frontend: Send Simulation Results
   Frontend-->>User: Render Simulation Results
 ```
 ## Error Handling
 Throughout the runtime processes, error handling mechanisms are implemented to catch exceptions and provide meaningful feedback to users. Common error scenarios include:
 - Invalid input data
 - Database connection issues
 - Simulation execution errors
 - Reporting calculation failures
 - API endpoint unavailability
 - Timeouts during long-running operations
 - Unauthorized access attempts
 - Data validation failures
 - Resource not found errors
 Error handling diagram:
 ```mermaid
 sequenceDiagram
   participant User
   participant Frontend
   participant API
   participant Service
   User->>Frontend: Perform Action
   Frontend->>API: Send Request
   API->>Service: Route to Handler
   Service->>Service: Process Request
   alt Success
       Service-->>API: Return Data
       API-->>Frontend: Send Response
       Frontend-->>User: Update UI
   else Error
       Service-->>API: Return Error
       API-->>Frontend: Send Error Response
       Frontend-->>User: Display Error Message
   end
 ```
--- a/docs/architecture/07_deployment_view.md
+++ b/docs/architecture/07_deployment_view.md
@@ -1,88 +0,0 @@
 ---
 title: "07 — Deployment View"
 description: "Describe deployment topology, infrastructure components, and environments (dev/stage/prod)."
 status: draft
 ---
 <!-- markdownlint-disable-next-line MD025 -->
 # 07 — Deployment View
 ## Deployment Topology
 The CalMiner application is deployed using a multi-tier architecture consisting of the following layers:
 1. **Client Layer**: This layer consists of web browsers that interact with the application through a user interface rendered by Jinja2 templates and enhanced with JavaScript (Chart.js for dashboards).
 2. **Web Application Layer**: This layer hosts the FastAPI application, which handles API requests, business logic, and serves HTML templates. It communicates with the database layer for data persistence.
 3. **Database Layer**: This layer consists of a PostgreSQL database that stores all application data, including scenarios, parameters, costs, consumption, production outputs, equipment, maintenance logs, and simulation results.
 4. **Caching Layer**: This layer uses Redis to cache frequently accessed data and improve application performance.
 ## Infrastructure Components
 The infrastructure components for the application include:
 - **Web Server**: Hosts the FastAPI application and serves API endpoints.
 - **Database Server**: PostgreSQL database for persisting application data.
 - **Static File Server**: Serves static assets such as CSS, JavaScript, and image files.
 - **Reverse Proxy (optional)**: An Nginx or Apache server can be used as a reverse proxy.
 - **Containerization**: Docker images are generated via the repository `Dockerfile`, using a multi-stage build to keep the final runtime minimal.
 - **CI/CD Pipeline**: Automated pipelines (Gitea Actions) run tests, build/push Docker images, and trigger deployments.
 - **Cloud Infrastructure (optional)**: The application can be deployed on cloud platforms.
 ## Environments
 The application can be deployed in multiple environments to support development, testing, and production:
 ### Development Environment
 The development environment is set up for local development and testing. It includes:
 - Local PostgreSQL instance (docker compose recommended, script available at `docker-compose.postgres.yml`)
 - FastAPI server running in debug mode
 ### Testing Environment
 The testing environment is set up for automated testing and quality assurance. It includes:
 - Staging PostgreSQL instance
 - FastAPI server running in testing mode
 - Automated test suite (e.g., pytest) for running unit and integration tests
 ### Production Environment
 The production environment is set up for serving live traffic and includes:
 - Production PostgreSQL instance
 - FastAPI server running in production mode
 - Load balancer (e.g., Nginx) for distributing incoming requests
 - Monitoring and logging tools for tracking application performance
 ## Containerized Deployment Flow
 The Docker-based deployment path aligns with the solution strategy documented in [04 — Solution Strategy](04_solution_strategy.md) and the CI practices captured in [14 — Testing & CI](14_testing_ci.md).
 ### Image Build
 - The multi-stage `Dockerfile` installs dependencies in a builder layer (including system compilers and Python packages) and copies only the required runtime artifacts to the final image.
 - Build arguments are minimal; database configuration is supplied at runtime via granular variables (`DATABASE_DRIVER`, `DATABASE_HOST`, `DATABASE_PORT`, `DATABASE_USER`, `DATABASE_PASSWORD`, `DATABASE_NAME`, optional `DATABASE_SCHEMA`). Secrets and configuration should be passed via environment variables or an orchestrator.
 - The resulting image exposes port `8000` and starts `uvicorn main:app` (s. [README.md](../../README.md)).
 ### Runtime Environment
 - For single-node deployments, run the container alongside PostgreSQL/Redis using Docker Compose or an equivalent orchestrator.
 - A reverse proxy (e.g., Nginx) terminates TLS and forwards traffic to the container on port `8000`.
 - Migrations must be applied prior to rolling out a new image; automation can hook into the deploy step to run `scripts/run_migrations.py`.
 ### CI/CD Integration
 - Gitea Actions workflows reside under `.gitea/workflows/`.
 - `test.yml` executes the pytest suite using cached pip dependencies.
 - `build-and-push.yml` logs into the container registry, rebuilds the Docker image using GitHub Actions cache-backed layers, and pushes `latest` (and additional tags as required).
 - `deploy.yml` connects to the target host via SSH, pulls the pushed tag, stops any existing container, and launches the new version.
 - Required secrets: `REGISTRY_URL`, `REGISTRY_USERNAME`, `REGISTRY_PASSWORD`, `SSH_HOST`, `SSH_USERNAME`, `SSH_PRIVATE_KEY`.
 - Extend these workflows when introducing staging/blue-green deployments; keep cross-links with [14 — Testing & CI](14_testing_ci.md) up to date.
 ## Integrations and Future Work (deployment-related)
 - **Persistence of results**: `/api/simulations/run` currently returns in-memory results; next iteration should persist to `simulation_result` and reference scenarios.
 - **Deployment**: implement infrastructure-as-code (e.g., Terraform/Ansible) to provision the hosting environment and maintain parity across dev/stage/prod.
--- a/docs/architecture/08_concepts.md
+++ b/docs/architecture/08_concepts.md
@@ -1,63 +0,0 @@
 ---
 title: "08 — Concepts"
 description: "Document key concepts, domain models, and terminology used throughout the architecture documentation."
 status: draft
 ---
 # 08 — Concepts
 ## Key Concepts
 ### Scenario
 A `scenario` represents a distinct mining project configuration, encapsulating all relevant parameters, costs, consumption, production outputs, equipment, maintenance logs, and simulation results. Each scenario is independent, allowing users to model and analyze different mining strategies.
 ### Parameterization
 Parameters are defined for each scenario to capture inputs such as resource consumption rates, production targets, cost factors, and equipment specifications. Parameters can have fixed values or be linked to probability distributions for stochastic simulations.
 ### Monte Carlo Simulation
 The Monte Carlo simulation engine allows users to perform risk analysis by running multiple iterations of a scenario with varying input parameters based on defined probability distributions. This helps in understanding the range of possible outcomes and their associated probabilities.
 ## Domain Model
 The domain model consists of the following key entities:
 - `Scenario`: Represents a mining project configuration.
 - `Parameter`: Input values for scenarios, which can be fixed or probabilistic.
 - `Cost`: Tracks capital and operational expenditures.
 - `Consumption`: Records resource usage.
 - `ProductionOutput`: Captures production metrics.
 - `Equipment`: Represents mining equipment associated with a scenario.
 - `Maintenance`: Logs maintenance events for equipment.
 - `SimulationResult`: Stores results from Monte Carlo simulations.
 - `Distribution`: Defines probability distributions for stochastic parameters.
 - `User`: Represents application users and their roles.
 - `Report`: Generated reports summarizing scenario analyses.
 - `Dashboard`: Visual representation of key performance indicators and metrics.
 - `AuditLog`: Tracks changes and actions performed within the application.
 - `Notification`: Alerts and messages related to scenario events and updates.
 - `Tag`: Labels for categorizing scenarios and other entities.
 - `Attachment`: Files associated with scenarios, such as documents or images.
 - `Version`: Tracks different versions of scenarios and their configurations.
 ### Detailed Domain Models
 See [Domain Models](08_concepts/08_01_domain_models.md) document for detailed class diagrams and entity relationships.
 ## Data Model Highlights
 - `scenario`: central entity describing a mining scenario; owns relationships to cost, consumption, production, equipment, and maintenance tables.
 - `capex`, `opex`: monetary tracking linked to scenarios.
 - `consumption`: resource usage entries parameterized by scenario and description.
 - `parameter`: scenario inputs with base `value` and optional distribution linkage via `distribution_id`, `distribution_type`, and JSON `distribution_parameters` to support simulation sampling.
 - `production_output`: production metrics per scenario.
 - `equipment` and `maintenance`: equipment inventory and maintenance events with dates/costs.
 - `simulation_result`: staging table for future Monte Carlo outputs (not yet populated by `run_simulation`).
 Foreign keys secure referential integrity between domain tables and their scenarios, enabling per-scenario analytics.
 ### Detailed Data Models
 See [Data Models](08_concepts/08_02_data_models.md) document for detailed ER diagrams and table descriptions.
--- a/docs/architecture/08_concepts/08_02_data_models.md
+++ b/docs/architecture/08_concepts/08_02_data_models.md
@@ -1,106 +0,0 @@
 # Data Models
 ## Data Model Highlights
 - `scenario`: central entity describing a mining scenario; owns relationships to cost, consumption, production, equipment, and maintenance tables.
 - `capex`, `opex`: monetary tracking linked to scenarios.
 - `consumption`: resource usage entries parameterized by scenario and description.
 - `parameter`: scenario inputs with base `value` and optional distribution linkage via `distribution_id`, `distribution_type`, and JSON `distribution_parameters` to support simulation sampling.
 - `production_output`: production metrics per scenario.
 - `equipment` and `maintenance`: equipment inventory and maintenance events with dates/costs.
 - `simulation_result`: staging table for future Monte Carlo outputs (not yet populated by `run_simulation`).
 Foreign keys secure referential integrity between domain tables and their scenarios, enabling per-scenario analytics.
 ## Schema Diagrams
 ```mermaid
 erDiagram
    SCENARIO ||--o{ CAPEX : has
    SCENARIO ||--o{ OPEX : has
    SCENARIO ||--o{ CONSUMPTION : has
    SCENARIO ||--o{ PARAMETER : has
    SCENARIO ||--o{ PRODUCTION_OUTPUT : has
    SCENARIO ||--o{ EQUIPMENT : has
    EQUIPMENT ||--o{ MAINTENANCE : has
    SCENARIO ||--o{ SIMULATION_RESULT : has
    SCENARIO {
        int id PK
        string name
        string description
        datetime created_at
        datetime updated_at
    }
    CAPEX {
        int id PK
        int scenario_id FK
        float amount
        string description
        datetime created_at
        datetime updated_at
    }
    OPEX {
        int id PK
        int scenario_id FK
        float amount
        string description
        datetime created_at
        datetime updated_at
    }
    CONSUMPTION {
        int id PK
        int scenario_id FK
        string resource_type
        float quantity
        string description
        datetime created_at
        datetime updated_at
    }
    PRODUCTION_OUTPUT {
        int id PK
        int scenario_id FK
        float tonnage
        float recovery_rate
        float revenue
        datetime created_at
        datetime updated_at
    }
    EQUIPMENT {
        int id PK
        int scenario_id FK
        string name
        string type
        datetime created_at
        datetime updated_at
    }
    MAINTENANCE {
        int id PK
        int equipment_id FK
        date maintenance_date
        float cost
        string description
        datetime created_at
        datetime updated_at
    }
    SIMULATION_RESULT {
        int id PK
        int scenario_id FK
        json result_data
        datetime created_at
        datetime updated_at
    }
    PARAMETER {
        int id PK
        int scenario_id FK
        string name
        float value
        int distribution_id FK
        string distribution_type
        json distribution_parameters
        datetime created_at
        datetime updated_at
    }
 ```
--- a/docs/architecture/09_architecture_decisions.md
+++ b/docs/architecture/09_architecture_decisions.md
@@ -1,5 +0,0 @@
 # 09 — Architecture Decisions
 Status: skeleton
 Record important architectural decisions, their rationale, and alternatives considered.
--- a/docs/architecture/10_quality_requirements.md
+++ b/docs/architecture/10_quality_requirements.md
@@ -1,5 +0,0 @@
 # 10 — Quality Requirements
 Status: skeleton
 List non-functional requirements (performance, scalability, reliability, security) and measurable acceptance criteria.
--- a/docs/architecture/11_technical_risks.md
+++ b/docs/architecture/11_technical_risks.md
@@ -1,5 +0,0 @@
 # 11 — Technical Risks
 Status: skeleton
 Document potential technical risks, mitigation strategies, and monitoring suggestions.
--- a/docs/architecture/12_glossary.md
+++ b/docs/architecture/12_glossary.md
@@ -1,5 +0,0 @@
 # 12 — Glossary
 Status: skeleton
 Project glossary and definitions for domain-specific terms.
--- a/docs/architecture/13_ui_and_style.md
+++ b/docs/architecture/13_ui_and_style.md
@@ -1,85 +0,0 @@
 # 13 — UI, templates and styling
 Status: migrated
 This chapter collects UI integration notes, reusable template components, styling audit points and per-page UI data/actions.
 ## Reusable Template Components
 To reduce duplication across form-centric pages, shared Jinja macros live in `templates/partials/components.html`.
 - `select_field(...)`: renders labeled `<select>` controls with consistent placeholder handling and optional preselection. Existing JavaScript modules continue to target the generated IDs, so template calls must pass the same identifiers (`consumption-form-scenario`, etc.).
 - `feedback(...)` and `empty_state(...)`: wrap status messages in standard classes (`feedback`, `empty-state`) with optional `hidden` toggles so scripts can control visibility without reimplementing markup.
 - `table_container(...)`: provides a semantic wrapper and optional heading around tabular content; the `{% call %}` body supplies the `<thead>`, `<tbody>`, and `<tfoot>` elements while the macro applies the `table-container` class and manages hidden state.
 Pages like `templates/consumption.html` and `templates/costs.html` already consume these helpers to keep markup aligned while preserving existing JavaScript selectors.
 Import macros via:
 ```jinja
 {% from "partials/components.html" import select_field, feedback, table_container with context %}
 ```
 ## Styling Audit Notes (2025-10-21)
 - **Spacing**: Panels (`section.panel`) sometimes lack consistent vertical rhythm between headings, form grids, and tables. Extra top/bottom margin utilities would help align content.
 - **Typography**: Headings rely on browser defaults; font-size scale is uneven between `<h2>` and `<h3>`. Define explicit scale tokens (e.g., `--font-size-lg`) for predictable sizing.
 - **Forms**: `.form-grid` uses fixed column gaps that collapse on small screens; introduce responsive grid rules to stack gracefully below ~768px.
 - **Tables**: `.table-container` wrappers need overflow handling for narrow viewports; consider `overflow-x: auto` with padding adjustments.
 - **Feedback/Empty states**: Messages use default font weight and spacing; a utility class for margin/padding would ensure consistent separation from forms or tables.
 ## Per-page data & actions
 Short reference of per-page APIs and primary actions used by templates and scripts.
 - Scenarios (`templates/ScenarioForm.html`):
  - Data: `GET /api/scenarios/`
  - Actions: `POST /api/scenarios/`
 - Parameters (`templates/ParameterInput.html`):
  - Data: `GET /api/scenarios/`, `GET /api/parameters/`
  - Actions: `POST /api/parameters/`
 - Costs (`templates/costs.html`):
  - Data: `GET /api/costs/capex`, `GET /api/costs/opex`
  - Actions: `POST /api/costs/capex`, `POST /api/costs/opex`
 - Consumption (`templates/consumption.html`):
  - Data: `GET /api/consumption/`
  - Actions: `POST /api/consumption/`
 - Production (`templates/production.html`):
  - Data: `GET /api/production/`
  - Actions: `POST /api/production/`
 - Equipment (`templates/equipment.html`):
  - Data: `GET /api/equipment/`
  - Actions: `POST /api/equipment/`
 - Maintenance (`templates/maintenance.html`):
  - Data: `GET /api/maintenance/` (pagination support)
  - Actions: `POST /api/maintenance/`, `PUT /api/maintenance/{id}`, `DELETE /api/maintenance/{id}`
 - Simulations (`templates/simulations.html`):
  - Data: `GET /api/scenarios/`, `GET /api/parameters/`
  - Actions: `POST /api/simulations/run`
 - Reporting (`templates/reporting.html` and `templates/Dashboard.html`):
  - Data: `POST /api/reporting/summary` (accepts arrays of `{ "result": float }` objects)
  - Actions: Trigger summary refreshes and export/download actions.
 ## UI Template Audit (2025-10-20)
 - Existing HTML templates: `ScenarioForm.html`, `ParameterInput.html`, and `Dashboard.html` (reporting summary view).
 - Coverage gaps remain for costs, consumption, production, equipment, maintenance, and simulation workflows—no dedicated templates yet.
 - Shared layout primitives (navigation/header/footer) are absent; current pages duplicate boilerplate markup.
 - Dashboard currently covers reporting metrics but should be wired to a central `/` route once the shared layout lands.
 - Next steps: introduce a `base.html`, refactor existing templates to extend it, and scaffold placeholder pages for the remaining features.
--- a/docs/architecture/14_testing_ci.md
+++ b/docs/architecture/14_testing_ci.md
@@ -1,118 +0,0 @@
 # 14 Testing, CI and Quality Assurance
 This chapter centralizes the project's testing strategy, CI configuration, and quality targets.
 ## Overview
 CalMiner uses a combination of unit, integration, and end-to-end tests to ensure quality.
 ### Frameworks
 - Backend: pytest for unit and integration tests.
 - Frontend: pytest with Playwright for E2E tests.
 - Database: pytest fixtures with psycopg2 for DB tests.
 ### Test Types
 - Unit Tests: Test individual functions/modules.
 - Integration Tests: Test API endpoints and DB interactions.
 - E2E Tests: Playwright for full user flows.
 ### CI/CD
 - Use Gitea Actions for CI/CD; workflows live under `.gitea/workflows/`.
 - `test.yml` runs on every push, provisions a temporary Postgres 16 service, waits for readiness, executes the setup script in dry-run and live modes, installs Playwright browsers, and finally runs the full pytest suite.
 - `build-and-push.yml` builds the Docker image with `docker/build-push-action@v2`, reusing GitHub Actions cache-backed layers, and pushes to the Gitea registry.
 - `deploy.yml` connects to the target host (via `appleboy/ssh-action`) to pull the freshly pushed image and restart the container.
 - Mandatory secrets: `REGISTRY_USERNAME`, `REGISTRY_PASSWORD`, `REGISTRY_URL`, `SSH_HOST`, `SSH_USERNAME`, `SSH_PRIVATE_KEY`.
 - Run tests on pull requests to shared branches; enforce coverage target ≥80% (pytest-cov).
 ### Running Tests
 - Unit: `pytest tests/unit/`
 - E2E: `pytest tests/e2e/`
 - All: `pytest`
 ### Test Directory Structure
 Organize tests under the `tests/` directory mirroring the application structure:
 ````text
 tests/
  unit/
    test_<module>.py
  e2e/
    test_<flow>.py
  fixtures/
    conftest.py
 ```python
 ### Fixtures and Test Data
 - Define reusable fixtures in `tests/fixtures/conftest.py`.
 - Use temporary in-memory databases or isolated schemas for DB tests.
 - Load sample data via fixtures for consistent test environments.
 - Leverage the `seeded_ui_data` fixture in `tests/unit/conftest.py` to populate scenarios with related cost, maintenance, and simulation records for deterministic UI route checks.
 ### E2E (Playwright) Tests
 The E2E test suite, located in `tests/e2e/`, uses Playwright to simulate user interactions in a live browser environment. These tests are designed to catch issues in the UI, frontend-backend integration, and overall application flow.
 #### Fixtures
 - `live_server`: A session-scoped fixture that launches the FastAPI application in a separate process, making it accessible to the browser.
 - `playwright_instance`, `browser`, `page`: Standard `pytest-playwright` fixtures for managing the Playwright instance, browser, and individual pages.
 #### Smoke Tests
 - UI Page Loading: `test_smoke.py` contains a parameterized test that systematically navigates to all UI routes to ensure they load without errors, have the correct title, and display a primary heading.
 - Form Submissions: Each major form in the application has a corresponding test file (e.g., `test_scenarios.py`, `test_costs.py`) that verifies: page loads, create item by filling the form, success message, and UI updates.
 ### Running E2E Tests
 To run the Playwright tests:
 ```bash
 pytest tests/e2e/
 ````
 To run headed mode:
 ```bash
 pytest tests/e2e/ --headed
 ```
 ### Mocking and Dependency Injection
 - Use `unittest.mock` to mock external dependencies.
 - Inject dependencies via function parameters or FastAPI's dependency overrides in tests.
 ### Code Coverage
 - Install `pytest-cov` to generate coverage reports.
 - Run with coverage: `pytest --cov --cov-report=term` (use `--cov-report=html` when visualizing hotspots).
 - Target 95%+ overall coverage. Focus on historically low modules: `services/simulation.py`, `services/reporting.py`, `middleware/validation.py`, and `routes/ui.py`.
 - Latest snapshot (2025-10-21): `pytest --cov=. --cov-report=term-missing` returns **91%** overall coverage.
 ### CI Integration
 `test.yml` encapsulates the steps below:
 - Check out the repository and set up Python 3.10.
 - Configure the runner's apt proxy (if available), install project dependencies (requirements + test extras), and download Playwright browsers.
 - Run `pytest` (extend with `--cov` flags when enforcing coverage).
 > The pip cache step is temporarily disabled in `test.yml` until the self-hosted cache service is exposed (see `docs/ci-cache-troubleshooting.md`).
 `build-and-push.yml` adds:
 - Registry login using repository secrets.
 - Docker image build/push with GHA cache storage (`cache-from/cache-to` set to `type=gha`).
 `deploy.yml` handles:
 - SSH into the deployment host.
 - Pull the tagged image from the registry.
 - Stop, remove, and relaunch the `calminer` container exposing port 8000.
 When adding new workflows, mirror this structure to ensure secrets, caching, and deployment steps remain aligned with the production environment.
--- a/docs/architecture/15_development_setup.md
+++ b/docs/architecture/15_development_setup.md
@@ -1,77 +0,0 @@
 # 15 Development Setup Guide
 This document outlines the local development environment and steps to get the project running.
 ## Prerequisites
 - Python (version 3.10+)
 - PostgreSQL (version 13+)
 - Git
 ## Clone and Project Setup
 ````powershell
 # Clone the repository
 git clone https://git.allucanget.biz/allucanget/calminer.git
 cd calminer
 ```python
 ## Virtual Environment
 ```powershell
 # Create and activate a virtual environment
 python -m venv .venv
 .\.venv\Scripts\Activate.ps1
 ```python
 ## Install Dependencies
 ```powershell
 pip install -r requirements.txt
 ```python
 ## Database Setup
 1. Create database user:
 ```sql
 CREATE USER calminer_user WITH PASSWORD 'your_password';
 ````
 1. Create database:
 ````sql
 CREATE DATABASE calminer;
 ```python
 ## Environment Variables
 1. Copy `.env.example` to `.env` at project root.
 1. Edit `.env` to set database connection details:
 ```dotenv
 DATABASE_DRIVER=postgresql
 DATABASE_HOST=localhost
 DATABASE_PORT=5432
 DATABASE_USER=calminer_user
 DATABASE_PASSWORD=your_password
 DATABASE_NAME=calminer
 DATABASE_SCHEMA=public
 ````
 1. The application uses `python-dotenv` to load these variables. A legacy `DATABASE_URL` value is still accepted if the granular keys are omitted.
 ## Running the Application
 ````powershell
 # Start the FastAPI server
 uvicorn main:app --reload
 ```python
 ## Testing
 ```powershell
 pytest
 ````
 E2E tests use Playwright and a session-scoped `live_server` fixture that starts the app at `http://localhost:8001` for browser-driven tests.
--- a/docs/architecture/README.md
+++ b/docs/architecture/README.md
@@ -1,26 +0,0 @@
 ---
 title: "CalMiner Architecture Documentation"
 description: "arc42-based architecture documentation for the CalMiner project"
 ---
 # Architecture documentation (arc42 mapping)
 This folder mirrors the arc42 chapter structure (adapted to Markdown).
 ## Files
 - [01 Introduction and Goals](01_introduction_and_goals.md)
 - [02 Architecture Constraints](02_architecture_constraints.md)
 - [03 Context and Scope](03_context_and_scope.md)
 - [04 Solution Strategy](04_solution_strategy.md)
 - [05 Building Block View](05_building_block_view.md)
 - [06 Runtime View](06_runtime_view.md)
 - [07 Deployment View](07_deployment_view.md)
 - [08 Concepts](08_concepts.md)
 - [09 Architecture Decisions](09_architecture_decisions.md)
 - [10 Quality Requirements](10_quality_requirements.md)
 - [11 Technical Risks](11_technical_risks.md)
 - [12 Glossary](12_glossary.md)
 - [13 UI and Style](13_ui_and_style.md)
 - [14 Testing & CI](14_testing_ci.md)
 - [15 Development Setup](15_development_setup.md)
--- a/docs/ci-cache-troubleshooting.md
+++ b/docs/ci-cache-troubleshooting.md
@@ -1,27 +0,0 @@
 # CI Cache Troubleshooting
 ## Background
 The test workflow (`.gitea/workflows/test.yml`) uses the `actions/cache` action to reuse the pip download cache located at `~/.cache/pip`. The cache key now hashes both `requirements.txt` and `requirements-test.txt` so the cache stays aligned with dependency changes.
 ## Current Observation
 Recent CI runs report the following warning when the cache step executes:
 ```text
 ::warning::Failed to restore: getCacheEntry failed: connect ETIMEDOUT 172.17.0.5:40181
 Cache not found for input keys: Linux-pip-<hash>, Linux-pip-
 ```
 The timeout indicates the runner cannot reach the cache backend rather than a normal cache miss.
 ## Recommended Follow-Up
 - Confirm that the Actions cache service is enabled for the CI environment (Gitea runners require the cache server URL to be provided via `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_URL`).
 - Verify network connectivity from the runner to the cache service endpoint and ensure required ports are open.
 - After connectivity is restored, rerun the workflow to allow the cache to be populated and confirm subsequent runs restore the cache without warnings.
 ## Interim Guidance
 - The workflow will proceed without cached dependencies, but package installs may take longer.
 - Keep the cache step in place so it begins working automatically once the infrastructure is configured.
--- a/docs/idempotency_audit.md
+++ b/docs/idempotency_audit.md
@@ -1,31 +0,0 @@
 # Setup Script Idempotency Audit (2025-10-25)
 This note captures the current evaluation of idempotent behaviour for `scripts/setup_database.py` and outlines follow-up actions.
 ## Admin Tasks
 - **ensure_database**: guarded by `SELECT 1 FROM pg_database`; re-runs safely. Failure mode: network issues or lack of privileges surface as psycopg2 errors without additional context.
 - **ensure_role**: checks `pg_roles`, creates role if missing, reapplies grants each time. Subsequent runs execute grants again but PostgreSQL tolerates repeated grants.
 - **ensure_schema**: uses `information_schema` guard and respects `--dry-run`; idempotent when schema is `public` or already present.
 ## Application Tasks
 - **initialize_schema**: relies on SQLAlchemy `create_all(checkfirst=True)`; repeatable. Dry-run output remains descriptive.
 - **run_migrations**: new baseline workflow applies `000_base.sql` once and records legacy scripts as applied. Subsequent runs detect the baseline in `schema_migrations` and skip reapplication.
 ## Seeding
 - `seed_baseline_data` seeds currencies and measurement units with upsert logic. Verification now raises on missing data, preventing silent failures.
 - Running `--seed-data` repeatedly performs `ON CONFLICT` updates, making the operation safe.
 ## Outstanding Risks
 1. Baseline migration relies on legacy files being present when first executed; if removed beforehand, old entries are never marked. (Low risk given repository state.)
 2. `ensure_database` and `ensure_role` do not wrap SQL execution errors with additional context beyond psycopg2 messages.
 3. Baseline verification assumes migrations and seeding run in the same process; manual runs of `scripts/seed_data.py` without the baseline could still fail.
 ## Recommended Actions
 - Add regression tests ensuring repeated executions of key CLI paths (`--run-migrations`, `--seed-data`) result in no-op behaviour after the first run.
 - Extend logging/error handling for admin operations to provide clearer messages on repeated failures.
 - Consider a preflight check when migrations directory lacks legacy files but baseline is pending, warning about potential drift.
--- a/docs/logging_audit.md
+++ b/docs/logging_audit.md
@@ -1,29 +0,0 @@
 # Setup Script Logging Audit (2025-10-25)
 The following observations capture current logging behaviour in `scripts/setup_database.py` and highlight areas requiring improved error handling and messaging.
 ## Connection Validation
 - `validate_admin_connection` and `validate_application_connection` log entry/exit messages and raise `RuntimeError` with context if connection fails. This coverage is sufficient.
 - `ensure_database` logs creation states but does not surface connection or SQL exceptions beyond the initial connection acquisition. When the inner `cursor.execute` calls fail, the exceptions bubble without contextual logging.
 ## Migration Runner
 - Lists pending migrations and logs each application attempt.
 - When the baseline is pending, the script logs whether it is a dry-run or live application and records legacy file marking. However, if `_apply_migration_file` raises an exception, the caller re-raises after logging the failure; there is no wrapping message guiding users toward manual cleanup.
 - Legacy migration marking happens silently (just info logs). Failures during the insert into `schema_migrations` would currently propagate without added guidance.
 ## Seeding Workflow
 - `seed_baseline_data` announces each seeding phase and skips verification in dry-run mode with a log breadcrumb.
 - `_verify_seeded_data` warns about missing currencies/units and inactive defaults but does **not** raise errors, meaning CI can pass while the database is incomplete. There is no explicit log when verification succeeds.
 - `_seed_units` logs when the `measurement_unit` table is missing, which is helpful, but the warning is the only feedback; no exception is raised.
 ## Suggested Enhancements
 1. Wrap baseline application and legacy marking in `try/except` blocks that log actionable remediation steps before re-raising.
 2. Promote seed verification failures (missing or inactive records) to exceptions so automated workflows fail fast; add success logs for clarity.
 3. Add contextual logging around currency/measurement-unit insert failures, particularly around `execute_values` calls, to aid debugging malformed data.
 4. Introduce structured logging (log codes or phases) for major steps (`CONNECT`, `MIGRATE`, `SEED`, `VERIFY`) to make scanning log files easier.
 These findings inform the remaining TODO subtasks for enhanced error handling.
--- a/docs/migrations/consolidated_baseline_plan.md
+++ b/docs/migrations/consolidated_baseline_plan.md
@@ -1,53 +0,0 @@
 # Consolidated Migration Baseline Plan
 This note outlines the content and structure of the planned baseline migration (`scripts/migrations/000_base.sql`). The objective is to capture the currently required schema changes in a single idempotent script so that fresh environments only need to apply one SQL file before proceeding with incremental migrations.
 ## Guiding Principles
 1. **Idempotent DDL**: Every `CREATE` or `ALTER` statement must tolerate repeated execution. Use `IF NOT EXISTS` guards or existence checks (`information_schema`) where necessary.
 2. **Order of Operations**: Create reference tables first, then update dependent tables, finally enforce foreign keys and constraints.
 3. **Data Safety**: Default data seeded by migrations should be minimal and in ASCII-only form to avoid encoding issues in various shells and CI logs.
 4. **Compatibility**: The baseline must reflect the schema shape expected by the current SQLAlchemy models, API routes, and seeding scripts.
 ## Schema Elements to Include
 ### 1. `currency` Table
 - Columns: `id SERIAL PRIMARY KEY`, `code VARCHAR(3) UNIQUE NOT NULL`, `name VARCHAR(128) NOT NULL`, `symbol VARCHAR(8)`, `is_active BOOLEAN NOT NULL DEFAULT TRUE`.
 - Index: implicit via unique constraint on `code`.
 - Seed rows matching `scripts.seed_data.CURRENCY_SEEDS` (ASCII-only symbols such as `USD$`, `CAD$`).
 - Upsert logic using `ON CONFLICT (code) DO UPDATE` to keep names/symbols in sync when rerun.
 ### 2. Currency Integration for CAPEX/OPEX
 - Add `currency_id INTEGER` columns with `IF NOT EXISTS` guards.
 - Populate `currency_id` from legacy `currency_code` if the column exists.
 - Default null `currency_id` values to the USD row, then `ALTER` to `SET NOT NULL`.
 - Create `fk_capex_currency` and `fk_opex_currency` constraints with `ON DELETE RESTRICT` semantics.
 - Drop legacy `currency_code` column if it exists (safe because new column holds data).
 ### 3. Measurement Metadata on Consumption/Production
 - Ensure `consumption` and `production_output` tables have `unit_name VARCHAR(64)` and `unit_symbol VARCHAR(16)` columns with `IF NOT EXISTS` guards.
 ### 4. `measurement_unit` Reference Table
 - Columns: `id SERIAL PRIMARY KEY`, `code VARCHAR(64) UNIQUE NOT NULL`, `name VARCHAR(128) NOT NULL`, `symbol VARCHAR(16)`, `unit_type VARCHAR(32) NOT NULL`, `is_active BOOLEAN NOT NULL DEFAULT TRUE`, `created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()`, `updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()`.
 - Assume a simple trigger to maintain `updated_at` is deferred: automate via application layer later; for now, omit trigger.
 - Seed rows matching `MEASUREMENT_UNIT_SEEDS` (ASCII names/symbols). Use `ON CONFLICT (code) DO UPDATE` to keep descriptive fields aligned.
 ### 5. Transaction Handling
 - Wrap the main operations in a single `BEGIN; ... COMMIT;` block.
 - Use subtransactions (`DO $$ ... $$;`) only where conditional logic is required (e.g., checking column existence before backfill).
 ## Migration Tracking Alignment
 - Baseline file will be named `000_base.sql`. After execution, insert a row into `schema_migrations` with filename `000_base.sql` to keep the tracking table aligned.
 - Existing migrations (`20251021_add_currency_and_unit_fields.sql`, `20251022_create_currency_table_and_fks.sql`) remain for historical reference but will no longer be applied to new environments once the baseline is present.
 ## Next Steps
 1. Draft `000_base.sql` reflecting the steps above.
 2. Update `run_migrations` to recognise the baseline file and mark older migrations as applied when the baseline exists.
 3. Provide documentation in `docs/quickstart.md` explaining how to reset an environment using the baseline plus seeds.
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -1,242 +0,0 @@
 # Quickstart & Expanded Project Documentation
 This document contains the expanded development, usage, testing, and migration guidance moved out of the top-level README for brevity.
 ## Development
 To get started locally:
 ```powershell
 # Clone the repository
 git clone https://git.allucanget.biz/allucanget/calminer.git
 cd calminer
 # Create and activate a virtual environment
 python -m venv .venv
 .\.venv\Scripts\Activate.ps1
 # Install dependencies
 pip install -r requirements.txt
 # Start the development server
 uvicorn main:app --reload
 ```
 ## Docker-based setup
 To build and run the application using Docker instead of a local Python environment:
 ```powershell
 # Build the application image (multi-stage build keeps runtime small)
 docker build -t calminer:latest .
 # Start the container on port 8000
 docker run --rm -p 8000:8000 calminer:latest
 # Supply environment variables (e.g., Postgres connection)
 docker run --rm -p 8000:8000 ^
  -e DATABASE_DRIVER="postgresql" ^
  -e DATABASE_HOST="db.host" ^
  -e DATABASE_PORT="5432" ^
  -e DATABASE_USER="calminer" ^
  -e DATABASE_PASSWORD="s3cret" ^
  -e DATABASE_NAME="calminer" ^
  -e DATABASE_SCHEMA="public" ^
  calminer:latest
 ```
 If you maintain a Postgres or Redis dependency locally, consider authoring a `docker compose` stack that pairs them with the app container. The Docker image expects the database to be reachable and migrations executed before serving traffic.
 ## Usage Overview
 - **API base URL**: `http://localhost:8000/api`
 - Key routes include creating scenarios, parameters, costs, consumption, production, equipment, maintenance, and reporting summaries. See the `routes/` directory for full details.
 ## Dashboard Preview
 1. Start the FastAPI server and navigate to `/`.
 2. Review the headline metrics, scenario snapshot table, and cost/activity charts sourced from the current database state.
 3. Use the "Refresh Dashboard" button to pull freshly aggregated data via `/ui/dashboard/data` without reloading the page.
 ## Testing
 Run the unit test suite:
 ```powershell
 pytest
 ```
 E2E tests use Playwright and a session-scoped `live_server` fixture that starts the app at `http://localhost:8001` for browser-driven tests.
 ## Migrations & Baseline
 A consolidated baseline migration (`scripts/migrations/000_base.sql`) captures all schema changes required for a fresh installation. The script is idempotent: it creates the `currency` and `measurement_unit` reference tables, ensures consumption and production records expose unit metadata, and enforces the foreign keys used by CAPEX and OPEX.
 Configure granular database settings in your PowerShell session before running migrations:
 ```powershell
 $env:DATABASE_DRIVER = 'postgresql'
 $env:DATABASE_HOST = 'localhost'
 $env:DATABASE_PORT = '5432'
 $env:DATABASE_USER = 'calminer'
 $env:DATABASE_PASSWORD = 's3cret'
 $env:DATABASE_NAME = 'calminer'
 $env:DATABASE_SCHEMA = 'public'
 python scripts/setup_database.py --run-migrations --seed-data --dry-run
 python scripts/setup_database.py --run-migrations --seed-data
 ```
 The dry-run invocation reports which steps would execute without making changes. The live run applies the baseline (if not already recorded in `schema_migrations`) and seeds the reference data relied upon by the UI and API.
 > ℹ️ The application still accepts `DATABASE_URL` as a fallback if the granular variables are not set.
 ## Database bootstrap workflow
 Provision or refresh a database instance with `scripts/setup_database.py`. Populate the required environment variables (an example lives at `config/setup_test.env.example`) and run:
 ```powershell
 # Load test credentials (PowerShell)
 Get-Content .\config\setup_test.env.example |
  ForEach-Object {
    if ($_ -and -not $_.StartsWith('#')) {
      $name, $value = $_ -split '=', 2
      Set-Item -Path Env:$name -Value $value
    }
  }
 # Dry-run to inspect the planned actions
 python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data --dry-run -v
 # Execute the full workflow
 python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data -v
 ```
 Typical log output confirms:
 - Admin and application connections succeed for the supplied credentials.
 - Database and role creation are idempotent (`already present` when rerun).
 - SQLAlchemy metadata either reports missing tables or `All tables already exist`.
 - Migrations list pending files and finish with `Applied N migrations` (a new database reports `Applied 1 migrations` for `000_base.sql`).
 After a successful run the target database contains all application tables plus `schema_migrations`, and that table records each applied migration file. New installations only record `000_base.sql`; upgraded environments retain historical entries alongside the baseline.
 ### Local Postgres via Docker Compose
 For local validation without installing Postgres directly, use the provided compose file:
 ```powershell
 docker compose -f docker-compose.postgres.yml up -d
 ```
 #### Summary
 1. Start the Postgres container with `docker compose -f docker-compose.postgres.yml up -d`.
 2. Export the granular database environment variables (host `127.0.0.1`, port `5433`, database `calminer_local`, user/password `calminer`/`secret`).
 3. Run the setup script twice: first with `--dry-run` to preview actions, then without it to apply changes.
 4. When finished, stop and optionally remove the container/volume using `docker compose -f docker-compose.postgres.yml down`.
 The service exposes Postgres 16 on `localhost:5433` with database `calminer_local` and role `calminer`/`secret`. When the container is running, set the granular environment variables before invoking the setup script:
 ```powershell
 $env:DATABASE_DRIVER = 'postgresql'
 $env:DATABASE_HOST = '127.0.0.1'
 $env:DATABASE_PORT = '5433'
 $env:DATABASE_USER = 'calminer'
 $env:DATABASE_PASSWORD = 'secret'
 $env:DATABASE_NAME = 'calminer_local'
 $env:DATABASE_SCHEMA = 'public'
 python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data --dry-run -v
 python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data -v
 ```
 When testing is complete, shut down the container (and optional persistent volume) with:
 ```powershell
 docker compose -f docker-compose.postgres.yml down
 docker volume rm calminer_postgres_local_postgres_data  # optional cleanup
 ```
 Document successful runs (or issues encountered) in `.github/instructions/DONE.TODO.md` for future reference.
 ### Seeding reference data
 `scripts/seed_data.py` provides targeted control over the baseline datasets when the full setup script is not required:
 ```powershell
 python scripts/seed_data.py --currencies --units --dry-run
 python scripts/seed_data.py --currencies --units
 ```
 The seeder upserts the canonical currency catalog (`USD`, `EUR`, `CLP`, `RMB`, `GBP`, `CAD`, `AUD`) using ASCII-safe symbols (`USD$`, `EUR`, etc.) and the measurement units referenced by the UI (`tonnes`, `kilograms`, `pounds`, `liters`, `cubic_meters`, `kilowatt_hours`). The setup script invokes the same seeder when `--seed-data` is provided and verifies the expected rows afterward, warning if any are missing or inactive.
 ### Rollback guidance
 `scripts/setup_database.py` now tracks compensating actions when it creates the database or application role. If a later step fails, the script replays those rollback actions (dropping the newly created database or role and revoking grants) before exiting. Dry runs never register rollback steps and remain read-only.
 If the script reports that some rollback steps could not complete—for example because a connection cannot be established—rerun the script with `--dry-run` to confirm the desired end state and then apply the outstanding cleanup manually:
 ```powershell
 python scripts/setup_database.py --ensure-database --ensure-role --dry-run -v
 # Manual cleanup examples when automation cannot connect
 psql -d postgres -c "DROP DATABASE IF EXISTS calminer"
 psql -d postgres -c "DROP ROLE IF EXISTS calminer"
 ```
 After a failure and rollback, rerun the full setup once the environment issues are resolved.
 ### CI pipeline environment
 The `.gitea/workflows/test.yml` job spins up a temporary PostgreSQL 16 container and runs the setup script twice: once with `--dry-run` to validate the plan and again without it to apply migrations and seeds. No external secrets are required; the workflow sets the following environment variables for both invocations and for pytest:
 | Variable | Value | Purpose |
 | --- | --- | --- |
 | `DATABASE_DRIVER` | `postgresql` | Signals the driver to the setup script |
 | `DATABASE_HOST` | `postgres` | Hostname of the Postgres job service container |
 | `DATABASE_PORT` | `5432` | Default service port |
 | `DATABASE_NAME` | `calminer_ci` | Target database created by the workflow |
 | `DATABASE_USER` | `calminer` | Application role used during tests |
 | `DATABASE_PASSWORD` | `secret` | Password for both admin and app role |
 | `DATABASE_SCHEMA` | `public` | Default schema for the tests |
 | `DATABASE_SUPERUSER` | `calminer` | Setup script uses the same role for admin actions |
 | `DATABASE_SUPERUSER_PASSWORD` | `secret` | Matches the Postgres service password |
 | `DATABASE_SUPERUSER_DB` | `calminer_ci` | Database to connect to for admin operations |
 The workflow also updates `DATABASE_URL` for pytest to point at the CI Postgres instance. Existing tests continue to work unchanged, since SQLAlchemy reads the URL exactly as it does locally.
 Because the workflow provisions everything inline, no repository or organization secrets need to be configured for basic CI runs. If you later move the setup step to staging or production pipelines, replace these inline values with secrets managed by the CI platform. When running on self-hosted runners behind an HTTP proxy or apt cache, ensure Playwright dependencies and OS packages inherit the same proxy settings that the workflow configures prior to installing browsers.
 ### Staging environment workflow
 Use the staging checklist in `docs/staging_environment_setup.md` when running the setup script against the shared environment. A sample variable file (`config/setup_staging.env`) records the expected inputs (host, port, admin/application roles); copy it outside the repository or load the values securely via your shell before executing the workflow.
 Recommended execution order:
 1. Dry run with `--dry-run -v` to confirm connectivity and review planned operations. Capture the output to `reports/setup_staging_dry_run.log` (or similar) for auditing.
 2. Execute the live run with the same flags minus `--dry-run` to provision the database, role grants, migrations, and seed data. Save the log as `reports/setup_staging_apply.log`.
 3. Repeat the dry run to verify idempotency and record the result (for example `reports/setup_staging_post_apply.log`).
 Record any issues in `.github/instructions/TODO.md` or `.github/instructions/DONE.TODO.md` as appropriate so the team can track follow-up actions.
 ## Database Objects
 The database contains tables such as `capex`, `opex`, `chemical_consumption`, `fuel_consumption`, `water_consumption`, `scrap_consumption`, `production_output`, `equipment_operation`, `ore_batch`, `exchange_rate`, and `simulation_result`.
 ## Current implementation status (2025-10-21)
 - Currency normalization: a `currency` table and backfill scripts exist; routes accept `currency_id` and `currency_code` for compatibility.
 - Simulation engine: scaffolding in `services/simulation.py` and `/api/simulations/run` return in-memory results; persistence to `models/simulation_result` is planned.
 - Reporting: `services/reporting.py` provides summary statistics used by `POST /api/reporting/summary`.
 - Tests & coverage: unit and E2E suites exist; recent local coverage is >90%.
 - Remaining work: authentication, persist simulation runs, CI/CD and containerization.
 ## Where to look next
 - Architecture overview & chapters: [architecture](architecture/README.md) (per-chapter files under `docs/architecture/`)
 - [Testing & CI](architecture/14_testing_ci.md)
 - [Development setup](architecture/15_development_setup.md)
 - Implementation plan & roadmap: [Solution strategy](architecture/04_solution_strategy.md)
 - Routes: [routes](../routes/)
 - Services: [services](../services/)
 - Scripts: [scripts](../scripts/) (migrations and backfills)
--- a/docs/seed_data_plan.md
+++ b/docs/seed_data_plan.md
@@ -1,78 +0,0 @@
 # Baseline Seed Data Plan
 This document captures the datasets that should be present in a fresh CalMiner installation and the structure required to manage them through `scripts/seed_data.py`.
 ## Currency Catalog
 The `currency` table already exists and is seeded today via `scripts/seed_data.py`. The goal is to keep the canonical list in one place and ensure the default currency (USD) is always active.
 | Code | Name                | Symbol | Notes                                    |
 | ---- | ------------------- | ------ | ---------------------------------------- |
 | USD  | US Dollar           | $      | Default currency (`DEFAULT_CURRENCY_CODE`) |
 | EUR  | Euro                | EUR symbol |                                        |
 | CLP  | Chilean Peso        | $      |                                          |
 | RMB  | Chinese Yuan        | RMB symbol |                                        |
 | GBP  | British Pound       | GBP symbol |                                        |
 | CAD  | Canadian Dollar     | $      |                                          |
 | AUD  | Australian Dollar   | $      |                                          |
 Seeding behaviour:
 - Upsert by ISO code; keep existing name/symbol when updated manually.
 - Ensure `is_active` remains true for USD and defaults to true for new rows.
 - Defer to runtime validation in `routes.currencies` for enforcing default behaviour.
 ## Measurement Units
 UI routes (`routes/ui.py`) currently rely on the in-memory `MEASUREMENT_UNITS` list to populate dropdowns for consumption and production forms. To make this configurable and available to the API, introduce a dedicated `measurement_unit` table and seed it.
 Proposed schema:
 | Column        | Type           | Notes                                |
 | ------------- | -------------- | ------------------------------------ |
 | id            | SERIAL / BIGINT | Primary key.                         |
 | code          | TEXT           | Stable slug (e.g. `tonnes`). Unique. |
 | name          | TEXT           | Display label.                       |
 | symbol        | TEXT           | Short symbol (nullable).             |
 | unit_type     | TEXT           | Category (`mass`, `volume`, `energy`).|
 | is_active     | BOOLEAN        | Default `true` for soft disabling.   |
 | created_at    | TIMESTAMP      | Optional `NOW()` default.            |
 | updated_at    | TIMESTAMP      | Optional `NOW()` trigger/default.    |
 Initial seed set (mirrors existing UI list plus type categorisation):
 | Code            | Name             | Symbol | Unit Type |
 | --------------- | ---------------- | ------ | --------- |
 | tonnes          | Tonnes           | t      | mass      |
 | kilograms       | Kilograms        | kg     | mass      |
 | pounds          | Pounds           | lb     | mass      |
 | liters          | Liters           | L      | volume    |
 | cubic_meters    | Cubic Meters     | m3     | volume    |
 | kilowatt_hours  | Kilowatt Hours   | kWh    | energy    |
 Seeding behaviour:
 - Upsert rows by `code`.
 - Preserve `unit_type` and `symbol` unless explicitly changed via administration tooling.
 - Continue surfacing unit options to the UI by querying this table instead of the static constant.
 ## Default Settings
 The application expects certain defaults to exist:
 - **Default currency**: enforced by `routes.currencies._ensure_default_currency`; ensure seeds keep USD active.
 - **Fallback measurement unit**: UI currently auto-selects the first option in the list. Once units move to the database, expose an application setting to choose a fallback (future work tracked under "Application Settings management").
 ## Seeding Structure Updates
 To support the datasets above:
 1. Extend `scripts/seed_data.py` with a `SeedDataset` registry so each dataset (currencies, units, future defaults) can declare its loader/upsert function and optional dependencies.
 2. Add a `--dataset` CLI selector for targeted seeding while keeping `--all` as the default for `setup_database.py` integrations.
 3. Update `scripts/setup_database.py` to:
   - Run migration ensuring `measurement_unit` table exists.
   - Execute the unit seeder after currencies when `--seed-data` is supplied.
   - Verify post-seed counts, logging which dataset was inserted/updated.
 4. Adjust UI routes to load measurement units from the database and remove the hard-coded list once the table is available.
 This plan aligns with the TODO item for seeding initial data and lays the groundwork for consolidating migrations around a single baseline file that introduces both the schema and seed data in an idempotent manner.
--- a/docs/staging_environment_setup.md
+++ b/docs/staging_environment_setup.md
@@ -1,101 +0,0 @@
 # Staging Environment Setup
 This guide outlines how to provision and validate the CalMiner staging database using `scripts/setup_database.py`. It complements the local and CI-focused instructions in `docs/quickstart.md`.
 ## Prerequisites
 - Network access to the staging infrastructure (VPN or bastion, as required by ops).
 - Provisioned PostgreSQL instance with superuser or delegated admin credentials for maintenance.
 - Application credentials (role + password) dedicated to CalMiner staging.
 - The application repository checked out with Python dependencies installed (`pip install -r requirements.txt`).
 - Optional but recommended: a writable directory (for example `reports/`) to capture setup logs.
 > Replace the placeholder values in the examples below with the actual host, port, and credential details supplied by ops.
 ## Environment Configuration
 Populate the following environment variables before invoking the setup script. Store them in a secure location such as `config/setup_staging.env` (excluded from source control) and load them with `dotenv` or your shell profile.
 | Variable | Description |
 | --- | --- |
 | `DATABASE_HOST` | Staging PostgreSQL hostname or IP (for example `staging-db.internal`). |
 | `DATABASE_PORT` | Port exposed by the staging PostgreSQL service (default `5432`). |
 | `DATABASE_NAME` | CalMiner staging database name (for example `calminer_staging`). |
 | `DATABASE_USER` | Application role used by the FastAPI app (for example `calminer_app`). |
 | `DATABASE_PASSWORD` | Password for the application role. |
 | `DATABASE_SCHEMA` | Optional non-public schema; omit or set to `public` otherwise. |
 | `DATABASE_SUPERUSER` | Administrative role with rights to create roles/databases (for example `calminer_admin`). |
 | `DATABASE_SUPERUSER_PASSWORD` | Password for the administrative role. |
 | `DATABASE_SUPERUSER_DB` | Database to connect to for admin tasks (default `postgres`). |
 | `DATABASE_ADMIN_URL` | Optional DSN that overrides the granular admin settings above. |
 You may also set `DATABASE_URL` for application runtime convenience, but the setup script only requires the values listed in the table.
 ### Loading Variables (PowerShell example)
 ```powershell
 $env:DATABASE_HOST = "staging-db.internal"
 $env:DATABASE_PORT = "5432"
 $env:DATABASE_NAME = "calminer_staging"
 $env:DATABASE_USER = "calminer_app"
 $env:DATABASE_PASSWORD = "<app-password>"
 $env:DATABASE_SUPERUSER = "calminer_admin"
 $env:DATABASE_SUPERUSER_PASSWORD = "<admin-password>"
 $env:DATABASE_SUPERUSER_DB = "postgres"
 ```
 For bash shells, export the same variables using `export VARIABLE=value` or load them through `dotenv`.
 ## Setup Workflow
 Run the setup script in three phases to validate idempotency and capture diagnostics:
 1. **Dry run (diagnostic):**
   ```powershell
   python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data --dry-run -v `
     2>&1 | Tee-Object -FilePath reports/setup_staging_dry_run.log
   ```
   Confirm that the script reports planned actions without failures. If the application role is missing, a dry run will log skip messages until a live run creates the role.
 2. **Apply changes:**
   ```powershell
   python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data -v `
     2>&1 | Tee-Object -FilePath reports/setup_staging_apply.log
   ```
   Verify the log for successful database creation, role grants, migration execution, and seed verification.
 3. **Post-apply dry run:**
   ```powershell
   python scripts/setup_database.py --ensure-database --ensure-role --ensure-schema --initialize-schema --run-migrations --seed-data --dry-run -v `
     2>&1 | Tee-Object -FilePath reports/setup_staging_post_apply.log
   ```
   This run should confirm that all schema objects, migrations, and seed data are already in place.
 ## Validation Checklist
 - [ ] Confirm the staging application can connect using the application DSN (for example, run `pytest tests/e2e/test_smoke.py` against staging or trigger a smoke test workflow).
 - [ ] Inspect `schema_migrations` to ensure the baseline migration (`000_base.sql`) is recorded.
 - [ ] Spot-check seeded reference data (`currency`, `measurement_unit`) for correctness.
 - [ ] Capture and archive the three setup logs in a shared location for audit purposes.
 ## Troubleshooting
 - If the dry run reports skipped actions because the application role does not exist, proceed with the live run; subsequent dry runs will validate as expected.
 - Connection errors usually stem from network restrictions or incorrect credentials. Validate reachability with `psql` or `pg_isready` using the same host/port and credentials.
 - For permission issues during migrations or seeding, confirm the admin role has rights on the target database and that the application role inherits the expected privileges.
 ## Rollback Guidance
 - Database creation and role grants register rollback actions when not running in dry-run mode. If a later step fails, rerun the script without `--dry-run`; it will automatically revoke grants or drop newly created resources as part of the rollback routine.
 - For staged environments where manual intervention is required, coordinate with ops before dropping databases or roles.
 ## Next Steps
 - Keep this document updated as staging infrastructure evolves (for example, when migrating to managed services or rotating credentials).
 - Once staging validation is complete, summarize the outcome in `.github/instructions/DONE.TODO.md` and cross-link the relevant log files.
--- a/k8s/configmap.yaml
+++ b/k8s/configmap.yaml
@@ -0,0 +1,14 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: calminer-config
 data:
  DATABASE_HOST: "calminer-db"
  DATABASE_PORT: "5432"
  DATABASE_USER: "calminer"
  DATABASE_NAME: "calminer_db"
  DATABASE_DRIVER: "postgresql"
  CALMINER_EXPORT_MAX_ROWS: "10000"
  CALMINER_EXPORT_METADATA: "true"
  CALMINER_IMPORT_STAGING_TTL: "300"
  CALMINER_IMPORT_MAX_ROWS: "50000"
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -0,0 +1,54 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: calminer-app
  labels:
    app: calminer
 spec:
  replicas: 3
  selector:
    matchLabels:
      app: calminer
  template:
    metadata:
      labels:
        app: calminer
    spec:
      containers:
        - name: calminer
          image: registry.example.com/calminer:latest
          ports:
            - containerPort: 8003
          envFrom:
            - configMapRef:
                name: calminer-config
            - secretRef:
                name: calminer-secrets
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /health
              port: 8003
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8003
            initialDelaySeconds: 5
            periodSeconds: 5
      initContainers:
        - name: wait-for-db
          image: postgres:17
          command:
            [
              "sh",
              "-c",
              "until pg_isready -h calminer-db -p 5432; do echo waiting for database; sleep 2; done;",
            ]
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@@ -0,0 +1,18 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: calminer-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
  rules:
    - host: calminer.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: calminer-service
                port:
                  number: 80
--- a/k8s/postgres-service.yaml
+++ b/k8s/postgres-service.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: calminer-db
  labels:
    app: calminer-db
 spec:
  selector:
    app: calminer-db
  ports:
    - port: 5432
      targetPort: 5432
  clusterIP: None # Headless service for StatefulSet
--- a/k8s/postgres.yaml
+++ b/k8s/postgres.yaml
@@ -0,0 +1,48 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: calminer-db
 spec:
  serviceName: calminer-db
  replicas: 1
  selector:
    matchLabels:
      app: calminer-db
  template:
    metadata:
      labels:
        app: calminer-db
    spec:
      containers:
        - name: postgres
          image: postgres:17
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "calminer"
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: calminer-secrets
                  key: DATABASE_PASSWORD
            - name: POSTGRES_DB
              value: "calminer_db"
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          volumeMounts:
            - name: postgres-storage
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: postgres-storage
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
--- a/k8s/secret.yaml
+++ b/k8s/secret.yaml
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: calminer-secrets
 type: Opaque
 data:
  DATABASE_PASSWORD: Y2FsbWluZXJfcGFzc3dvcmQ= # base64 encoded 'calminer_password'
  CALMINER_SEED_ADMIN_PASSWORD: Q2hhbmdlTWUxMjMh # base64 encoded 'ChangeMe123!'
--- a/k8s/service.yaml
+++ b/k8s/service.yaml
@@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: calminer-service
  labels:
    app: calminer
 spec:
  selector:
    app: calminer
  ports:
    - port: 80
      targetPort: 8003
      protocol: TCP
  type: ClusterIP
--- a/main.py
+++ b/main.py
@@ -1,27 +1,30 @@
-from routes.distributions import router as distributions_router
+import logging
 from routes.ui import router as ui_router
 from routes.parameters import router as parameters_router
 from typing import Awaitable, Callable
 from fastapi import FastAPI, Request, Response
 from fastapi.staticfiles import StaticFiles
 from middleware.validation import validate_json
 from config.database import Base, engine
 from routes.scenarios import router as scenarios_router
 from routes.costs import router as costs_router
 from routes.consumption import router as consumption_router
 from routes.production import router as production_router
 from routes.equipment import router as equipment_router
 from routes.reporting import router as reporting_router
 from routes.currencies import router as currencies_router
 from routes.simulations import router as simulations_router
 from routes.maintenance import router as maintenance_router
-# Initialize database schema
+from config.settings import get_settings
-Base.metadata.create_all(bind=engine)
+from middleware.auth_session import AuthSessionMiddleware
 from middleware.metrics import MetricsMiddleware
 from middleware.validation import validate_json
 from routes.auth import router as auth_router
 from routes.dashboard import router as dashboard_router
 from routes.imports import router as imports_router
 from routes.exports import router as exports_router
 from routes.projects import router as projects_router
 from routes.reports import router as reports_router
 from routes.scenarios import router as scenarios_router
 from monitoring import router as monitoring_router
 from services.bootstrap import bootstrap_admin, bootstrap_pricing_settings
 app = FastAPI()
 app.add_middleware(AuthSessionMiddleware)
 app.add_middleware(MetricsMiddleware)
 logger = logging.getLogger(__name__)
@app.middleware("http")
 async def json_validation(
@@ -29,18 +32,48 @@ async def json_validation(
 ) -> Response:
    return await validate_json(request, call_next)
 app.mount("/static", StaticFiles(directory="static"), name="static")
-# Include API routers
+@app.get("/health", summary="Container health probe")
 async def health() -> dict[str, str]:
    return {"status": "ok"}
@app.on_event("startup")
 async def ensure_admin_bootstrap() -> None:
    settings = get_settings()
    admin_settings = settings.admin_bootstrap_settings()
    pricing_metadata = settings.pricing_metadata()
    try:
        role_result, admin_result = bootstrap_admin(settings=admin_settings)
        pricing_result = bootstrap_pricing_settings(metadata=pricing_metadata)
        logger.info(
            "Admin bootstrap completed: roles=%s created=%s updated=%s rotated=%s assigned=%s",
            role_result.ensured,
            admin_result.created_user,
            admin_result.updated_user,
            admin_result.password_rotated,
            admin_result.roles_granted,
        )
        logger.info(
            "Pricing settings bootstrap completed: slug=%s created=%s updated_fields=%s impurity_upserts=%s projects_assigned=%s",
            pricing_result.seed.settings.slug,
            pricing_result.seed.created,
            pricing_result.seed.updated_fields,
            pricing_result.seed.impurity_upserts,
            pricing_result.projects_assigned,
        )
    except Exception:  # pragma: no cover - defensive logging
        logger.exception(
            "Failed to bootstrap administrator or pricing settings")
 app.include_router(dashboard_router)
 app.include_router(auth_router)
 app.include_router(imports_router)
 app.include_router(exports_router)
 app.include_router(projects_router)
 app.include_router(scenarios_router)
-app.include_router(parameters_router)
+app.include_router(reports_router)
-app.include_router(distributions_router)
+app.include_router(monitoring_router)
-app.include_router(costs_router)
+
-app.include_router(consumption_router)
+app.mount("/static", StaticFiles(directory="static"), name="static")
 app.include_router(simulations_router)
 app.include_router(production_router)
 app.include_router(equipment_router)
 app.include_router(maintenance_router)
 app.include_router(reporting_router)
 app.include_router(currencies_router)
 app.include_router(ui_router)
--- a/middleware/auth_session.py
+++ b/middleware/auth_session.py
@@ -0,0 +1,194 @@
 from __future__ import annotations
 from dataclasses import dataclass
 from typing import Callable, Iterable, Optional
 from fastapi import Request, Response
 from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
 from starlette.types import ASGIApp
 from config.settings import Settings, get_settings
 from models import User
 from monitoring.metrics import ACTIVE_CONNECTIONS
 from services.exceptions import EntityNotFoundError
 from services.security import (
    JWTSettings,
    TokenDecodeError,
    TokenError,
    TokenExpiredError,
    TokenTypeMismatchError,
    create_access_token,
    create_refresh_token,
    decode_access_token,
    decode_refresh_token,
 )
 from services.session import (
    AuthSession,
    SessionStrategy,
    SessionTokens,
    build_session_strategy,
    clear_session_cookies,
    extract_session_tokens,
    set_session_cookies,
 )
 from services.unit_of_work import UnitOfWork
 _AUTH_SCOPE = "auth"
@dataclass(slots=True)
 class _ResolutionResult:
    session: AuthSession
    strategy: SessionStrategy
    jwt_settings: JWTSettings
 class AuthSessionMiddleware(BaseHTTPMiddleware):
    """Resolve authenticated users from session cookies and refresh tokens."""
    _active_sessions: int = 0
    def __init__(
        self,
        app: ASGIApp,
        *,
        settings_provider: Callable[[], Settings] = get_settings,
        unit_of_work_factory: Callable[[], UnitOfWork] = UnitOfWork,
        refresh_scopes: Iterable[str] | None = None,
    ) -> None:
        super().__init__(app)
        self._settings_provider = settings_provider
        self._unit_of_work_factory = unit_of_work_factory
        self._refresh_scopes = tuple(
            refresh_scopes) if refresh_scopes else (_AUTH_SCOPE,)
    async def dispatch(self, request: Request, call_next: RequestResponseEndpoint) -> Response:
        resolved = self._resolve_session(request)
        # Track active sessions for authenticated users
        if resolved.session.user and resolved.session.user.is_active:
            AuthSessionMiddleware._active_sessions += 1
            ACTIVE_CONNECTIONS.set(AuthSessionMiddleware._active_sessions)
        try:
            response = await call_next(request)
            return response
        finally:
            # Decrement on response
            if resolved.session.user and resolved.session.user.is_active:
                AuthSessionMiddleware._active_sessions = max(
                    0, AuthSessionMiddleware._active_sessions - 1)
                ACTIVE_CONNECTIONS.set(AuthSessionMiddleware._active_sessions)
            self._apply_session(response, resolved)
    def _resolve_session(self, request: Request) -> _ResolutionResult:
        settings = self._settings_provider()
        jwt_settings = settings.jwt_settings()
        strategy = build_session_strategy(settings.session_settings())
        tokens = extract_session_tokens(request, strategy)
        session = AuthSession(tokens=tokens)
        request.state.auth_session = session
        if tokens.access_token:
            if self._try_access_token(session, tokens, jwt_settings):
                return _ResolutionResult(session=session, strategy=strategy, jwt_settings=jwt_settings)
        if tokens.refresh_token:
            self._try_refresh_token(
                session, tokens.refresh_token, jwt_settings)
        return _ResolutionResult(session=session, strategy=strategy, jwt_settings=jwt_settings)
    def _try_access_token(
        self,
        session: AuthSession,
        tokens: SessionTokens,
        jwt_settings: JWTSettings,
    ) -> bool:
        try:
            payload = decode_access_token(
                tokens.access_token or "", jwt_settings)
        except TokenExpiredError:
            return False
        except (TokenDecodeError, TokenTypeMismatchError, TokenError):
            session.mark_cleared()
            return False
        user = self._load_user(payload.sub)
        if not user or not user.is_active or _AUTH_SCOPE not in payload.scopes:
            session.mark_cleared()
            return False
        session.user = user
        session.scopes = tuple(payload.scopes)
        return True
    def _try_refresh_token(
        self,
        session: AuthSession,
        refresh_token: str,
        jwt_settings: JWTSettings,
    ) -> None:
        try:
            payload = decode_refresh_token(refresh_token, jwt_settings)
        except (TokenExpiredError, TokenDecodeError, TokenTypeMismatchError, TokenError):
            session.mark_cleared()
            return
        user = self._load_user(payload.sub)
        if not user or not user.is_active or not self._is_refresh_scope_allowed(payload.scopes):
            session.mark_cleared()
            return
        session.user = user
        session.scopes = tuple(payload.scopes)
        access_token = create_access_token(
            str(user.id),
            jwt_settings,
            scopes=payload.scopes,
        )
        new_refresh = create_refresh_token(
            str(user.id),
            jwt_settings,
            scopes=payload.scopes,
        )
        session.issue_tokens(access_token=access_token,
                             refresh_token=new_refresh)
    def _is_refresh_scope_allowed(self, scopes: Iterable[str]) -> bool:
        candidate_scopes = set(scopes)
        return any(scope in candidate_scopes for scope in self._refresh_scopes)
    def _load_user(self, subject: str) -> Optional[User]:
        try:
            user_id = int(subject)
        except ValueError:
            return None
        with self._unit_of_work_factory() as uow:
            if not uow.users:
                return None
            try:
                user = uow.users.get(user_id, with_roles=True)
            except EntityNotFoundError:
                return None
            return user
    def _apply_session(self, response: Response, resolved: _ResolutionResult) -> None:
        session = resolved.session
        if session.clear_cookies:
            clear_session_cookies(response, resolved.strategy)
            return
        if session.issued_access_token:
            refresh_token = session.issued_refresh_token or session.tokens.refresh_token
            set_session_cookies(
                response,
                access_token=session.issued_access_token,
                refresh_token=refresh_token,
                strategy=resolved.strategy,
                jwt_settings=resolved.jwt_settings,
            )
--- a/middleware/metrics.py
+++ b/middleware/metrics.py
@@ -0,0 +1,58 @@
 from __future__ import annotations
 import time
 from typing import Callable
 from fastapi import Request, Response
 from starlette.middleware.base import BaseHTTPMiddleware
 from monitoring.metrics import observe_request
 from services.metrics import get_metrics_service
 class MetricsMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next: Callable[[Request], Response]) -> Response:
        start_time = time.time()
        response = await call_next(request)
        process_time = time.time() - start_time
        observe_request(
            method=request.method,
            endpoint=request.url.path,
            status=response.status_code,
            seconds=process_time,
        )
        # Store in database asynchronously
        background_tasks = getattr(request.state, "background_tasks", None)
        if background_tasks:
            background_tasks.add_task(
                store_request_metric,
                method=request.method,
                endpoint=request.url.path,
                status_code=response.status_code,
                duration_seconds=process_time,
            )
        return response
 async def store_request_metric(
    method: str, endpoint: str, status_code: int, duration_seconds: float
 ) -> None:
    """Store request metric in database."""
    try:
        service = get_metrics_service()
        service.store_metric(
            metric_name="http_request",
            value=duration_seconds,
            labels={"method": method, "endpoint": endpoint,
                    "status": status_code},
            endpoint=endpoint,
            method=method,
            status_code=status_code,
            duration_seconds=duration_seconds,
        )
    except Exception:
        # Log error but don't fail the request
        pass
--- a/middleware/validation.py
+++ b/middleware/validation.py
@@ -4,7 +4,10 @@ from fastapi import HTTPException, Request, Response
 MiddlewareCallNext = Callable[[Request], Awaitable[Response]]
-async def validate_json(request: Request, call_next: MiddlewareCallNext) -> Response:
+
 async def validate_json(
    request: Request, call_next: MiddlewareCallNext
 ) -> Response:
    # Only validate JSON for requests with a body
    if request.method in ("POST", "PUT", "PATCH"):
        try:
--- a/models/init.py
+++ b/models/init.py
@@ -1,5 +1,50 @@
-"""
+"""Database models and shared metadata for the CalMiner domain."""
-models package initializer. Import the currency model so it's registered
+
-with the shared Base.metadata when the package is imported by tests.
+from .financial_input import FinancialCategory, FinancialInput
-"""
+from .metadata import (
-from . import currency  # noqa: F401
+    COST_BUCKET_METADATA,
    RESOURCE_METADATA,
    STOCHASTIC_VARIABLE_METADATA,
    CostBucket,
    ResourceDescriptor,
    ResourceType,
    StochasticVariable,
    StochasticVariableDescriptor,
 )
 from .performance_metric import PerformanceMetric
 from .pricing_settings import (
    PricingImpuritySettings,
    PricingMetalSettings,
    PricingSettings,
 )
 from .project import MiningOperationType, Project
 from .scenario import Scenario, ScenarioStatus
 from .simulation_parameter import DistributionType, SimulationParameter
 from .user import Role, User, UserRole, password_context
 __all__ = [
    "FinancialCategory",
    "FinancialInput",
    "MiningOperationType",
    "Project",
    "PricingSettings",
    "PricingMetalSettings",
    "PricingImpuritySettings",
    "Scenario",
    "ScenarioStatus",
    "DistributionType",
    "SimulationParameter",
    "ResourceType",
    "CostBucket",
    "StochasticVariable",
    "RESOURCE_METADATA",
    "COST_BUCKET_METADATA",
    "STOCHASTIC_VARIABLE_METADATA",
    "ResourceDescriptor",
    "StochasticVariableDescriptor",
    "User",
    "Role",
    "UserRole",
    "password_context",
    "PerformanceMetric",
 ]
--- a/models/capex.py
+++ b/models/capex.py
@@ -1,65 +0,0 @@
 from sqlalchemy import event, text
 from sqlalchemy import Column, Integer, Float, String, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Capex(Base):
    __tablename__ = "capex"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    amount = Column(Float, nullable=False)
    description = Column(String, nullable=True)
    currency_id = Column(Integer, ForeignKey("currency.id"), nullable=False)
    scenario = relationship("Scenario", back_populates="capex_items")
    currency = relationship("Currency", back_populates="capex_items")
    def __repr__(self):
        return (
            f"<Capex id={self.id} scenario_id={self.scenario_id} "
            f"amount={self.amount} currency_id={self.currency_id}>"
        )
    @property
    def currency_code(self) -> str:
        return self.currency.code if self.currency else None
    @currency_code.setter
    def currency_code(self, value: str) -> None:
        # store pending code so application code or migrations can pick it up
        setattr(self, "_currency_code_pending",
                (value or "USD").strip().upper())
 # SQLAlchemy event handlers to ensure currency_id is set before insert/update
 def _resolve_currency(mapper, connection, target):
    # If currency_id already set, nothing to do
    if getattr(target, "currency_id", None):
        return
    code = getattr(target, "_currency_code_pending", None) or "USD"
    # Try to find existing currency id
    row = connection.execute(text("SELECT id FROM currency WHERE code = :code"), {
                             "code": code}).fetchone()
    if row:
        cid = row[0]
    else:
        # Insert new currency and attempt to get lastrowid
        res = connection.execute(
            text("INSERT INTO currency (code, name, symbol, is_active) VALUES (:code, :name, :symbol, :active)"),
            {"code": code, "name": code, "symbol": None, "active": True},
        )
        try:
            cid = res.lastrowid
        except Exception:
            # fallback: select after insert
            cid = connection.execute(text("SELECT id FROM currency WHERE code = :code"), {
                                     "code": code}).scalar()
    target.currency_id = cid
 event.listen(Capex, "before_insert", _resolve_currency)
 event.listen(Capex, "before_update", _resolve_currency)
--- a/models/consumption.py
+++ b/models/consumption.py
@@ -1,22 +0,0 @@
 from sqlalchemy import Column, Integer, Float, String, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Consumption(Base):
    __tablename__ = "consumption"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    amount = Column(Float, nullable=False)
    description = Column(String, nullable=True)
    unit_name = Column(String(64), nullable=True)
    unit_symbol = Column(String(16), nullable=True)
    scenario = relationship("Scenario", back_populates="consumption_items")
    def __repr__(self):
        return (
            f"<Consumption id={self.id} scenario_id={self.scenario_id} "
            f"amount={self.amount} unit={self.unit_symbol or self.unit_name}>"
        )
--- a/models/currency.py
+++ b/models/currency.py
@@ -1,21 +0,0 @@
 from sqlalchemy import Column, Integer, String, Boolean
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Currency(Base):
    __tablename__ = "currency"
    id = Column(Integer, primary_key=True, index=True)
    code = Column(String(3), nullable=False, unique=True, index=True)
    name = Column(String(128), nullable=False)
    symbol = Column(String(8), nullable=True)
    is_active = Column(Boolean, nullable=False, default=True)
    # reverse relationships (optional)
    capex_items = relationship(
        "Capex", back_populates="currency", lazy="select")
    opex_items = relationship("Opex", back_populates="currency", lazy="select")
    def __repr__(self):
        return f"<Currency code={self.code} name={self.name} symbol={self.symbol}>"
--- a/models/distribution.py
+++ b/models/distribution.py
@@ -1,14 +0,0 @@
 from sqlalchemy import Column, Integer, String, JSON
 from config.database import Base
 class Distribution(Base):
    __tablename__ = "distribution"
    id = Column(Integer, primary_key=True, index=True)
    name = Column(String, nullable=False)
    distribution_type = Column(String, nullable=False)
    parameters = Column(JSON, nullable=True)
    def __repr__(self):
        return f"<Distribution id={self.id} name={self.name} type={self.distribution_type}>"
--- a/models/equipment.py
+++ b/models/equipment.py
@@ -1,17 +0,0 @@
 from sqlalchemy import Column, Integer, String, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Equipment(Base):
    __tablename__ = "equipment"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    name = Column(String, nullable=False)
    description = Column(String, nullable=True)
    scenario = relationship("Scenario", back_populates="equipment_items")
    def __repr__(self):
        return f"<Equipment id={self.id} scenario_id={self.scenario_id} name={self.name}>"
--- a/models/financial_input.py
+++ b/models/financial_input.py
@@ -0,0 +1,74 @@
 from __future__ import annotations
 from datetime import date, datetime
 from enum import Enum
 from typing import TYPE_CHECKING
 from sqlalchemy import (
    Date,
    DateTime,
    Enum as SQLEnum,
    ForeignKey,
    Integer,
    Numeric,
    String,
    Text,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship, validates
 from sqlalchemy.sql import func
 from config.database import Base
 from .metadata import CostBucket
 from services.currency import normalise_currency
 if TYPE_CHECKING:  # pragma: no cover
    from .scenario import Scenario
 class FinancialCategory(str, Enum):
    """Enumeration of cost and revenue classifications."""
    CAPITAL_EXPENDITURE = "capex"
    OPERATING_EXPENDITURE = "opex"
    REVENUE = "revenue"
    CONTINGENCY = "contingency"
    OTHER = "other"
 class FinancialInput(Base):
    """Line-item financial assumption attached to a scenario."""
    __tablename__ = "financial_inputs"
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    scenario_id: Mapped[int] = mapped_column(
        ForeignKey("scenarios.id", ondelete="CASCADE"), nullable=False, index=True
    )
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    category: Mapped[FinancialCategory] = mapped_column(
        SQLEnum(FinancialCategory), nullable=False
    )
    cost_bucket: Mapped[CostBucket | None] = mapped_column(
        SQLEnum(CostBucket), nullable=True
    )
    amount: Mapped[float] = mapped_column(Numeric(18, 2), nullable=False)
    currency: Mapped[str | None] = mapped_column(String(3), nullable=True)
    effective_date: Mapped[date | None] = mapped_column(Date, nullable=True)
    notes: Mapped[str | None] = mapped_column(Text, nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    scenario: Mapped["Scenario"] = relationship(
        "Scenario", back_populates="financial_inputs")
    @validates("currency")
    def _validate_currency(self, key: str, value: str | None) -> str | None:
        return normalise_currency(value)
    def __repr__(self) -> str:  # pragma: no cover
        return f"FinancialInput(id={self.id!r}, scenario_id={self.scenario_id!r}, name={self.name!r})"
--- a/models/import_export_log.py
+++ b/models/import_export_log.py
@@ -0,0 +1,31 @@
 from __future__ import annotations
 from sqlalchemy import Column, DateTime, ForeignKey, Integer, String, Text
 from sqlalchemy.sql import func
 from config.database import Base
 class ImportExportLog(Base):
    """Audit log for import and export operations."""
    __tablename__ = "import_export_logs"
    id = Column(Integer, primary_key=True, index=True)
    action = Column(String(32), nullable=False)  # preview, commit, export
    dataset = Column(String(32), nullable=False)  # projects, scenarios, etc.
    status = Column(String(16), nullable=False)  # success, failure
    filename = Column(String(255), nullable=True)
    row_count = Column(Integer, nullable=True)
    detail = Column(Text, nullable=True)
    user_id = Column(Integer, ForeignKey("users.id"), nullable=True)
    created_at = Column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    def __repr__(self) -> str:  # pragma: no cover
        return (
            f"ImportExportLog(id={self.id}, action={self.action}, "
            f"dataset={self.dataset}, status={self.status})"
        )
--- a/models/maintenance.py
+++ b/models/maintenance.py
@@ -1,23 +0,0 @@
 from sqlalchemy import Column, Date, Float, ForeignKey, Integer, String
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Maintenance(Base):
    __tablename__ = "maintenance"
    id = Column(Integer, primary_key=True, index=True)
    equipment_id = Column(Integer, ForeignKey("equipment.id"), nullable=False)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    maintenance_date = Column(Date, nullable=False)
    description = Column(String, nullable=True)
    cost = Column(Float, nullable=False)
    equipment = relationship("Equipment")
    scenario = relationship("Scenario", back_populates="maintenance_items")
    def __repr__(self) -> str:
        return (
            f"<Maintenance id={self.id} equipment_id={self.equipment_id} "
            f"scenario_id={self.scenario_id} date={self.maintenance_date} cost={self.cost}>"
        )
--- a/models/metadata.py
+++ b/models/metadata.py
@@ -0,0 +1,146 @@
 from __future__ import annotations
 from dataclasses import dataclass
 from enum import Enum
 class ResourceType(str, Enum):
    """Primary consumables and resources used in mining operations."""
    DIESEL = "diesel"
    ELECTRICITY = "electricity"
    WATER = "water"
    EXPLOSIVES = "explosives"
    REAGENTS = "reagents"
    LABOR = "labor"
    EQUIPMENT_HOURS = "equipment_hours"
    TAILINGS_CAPACITY = "tailings_capacity"
 class CostBucket(str, Enum):
    """Granular cost buckets aligned with project accounting."""
    CAPITAL_INITIAL = "capital_initial"
    CAPITAL_SUSTAINING = "capital_sustaining"
    OPERATING_FIXED = "operating_fixed"
    OPERATING_VARIABLE = "operating_variable"
    MAINTENANCE = "maintenance"
    RECLAMATION = "reclamation"
    ROYALTIES = "royalties"
    GENERAL_ADMIN = "general_admin"
 class StochasticVariable(str, Enum):
    """Domain variables that typically require probabilistic modelling."""
    ORE_GRADE = "ore_grade"
    RECOVERY_RATE = "recovery_rate"
    METAL_PRICE = "metal_price"
    OPERATING_COST = "operating_cost"
    CAPITAL_COST = "capital_cost"
    DISCOUNT_RATE = "discount_rate"
    THROUGHPUT = "throughput"
@dataclass(frozen=True)
 class ResourceDescriptor:
    """Describes canonical metadata for a resource type."""
    unit: str
    description: str
 RESOURCE_METADATA: dict[ResourceType, ResourceDescriptor] = {
    ResourceType.DIESEL: ResourceDescriptor(unit="L", description="Diesel fuel consumption"),
    ResourceType.ELECTRICITY: ResourceDescriptor(unit="kWh", description="Electrical power usage"),
    ResourceType.WATER: ResourceDescriptor(unit="m3", description="Process and dust suppression water"),
    ResourceType.EXPLOSIVES: ResourceDescriptor(unit="kg", description="Blasting agent consumption"),
    ResourceType.REAGENTS: ResourceDescriptor(unit="kg", description="Processing reagents"),
    ResourceType.LABOR: ResourceDescriptor(unit="hours", description="Direct labor hours"),
    ResourceType.EQUIPMENT_HOURS: ResourceDescriptor(unit="hours", description="Mobile equipment operating hours"),
    ResourceType.TAILINGS_CAPACITY: ResourceDescriptor(unit="m3", description="Tailings storage usage"),
 }
@dataclass(frozen=True)
 class CostBucketDescriptor:
    """Describes reporting label and guidance for a cost bucket."""
    label: str
    description: str
 COST_BUCKET_METADATA: dict[CostBucket, CostBucketDescriptor] = {
    CostBucket.CAPITAL_INITIAL: CostBucketDescriptor(
        label="Initial Capital",
        description="Pre-production capital required to construct the mine",
    ),
    CostBucket.CAPITAL_SUSTAINING: CostBucketDescriptor(
        label="Sustaining Capital",
        description="Ongoing capital investments to maintain operations",
    ),
    CostBucket.OPERATING_FIXED: CostBucketDescriptor(
        label="Fixed Operating",
        description="Fixed operating costs independent of production rate",
    ),
    CostBucket.OPERATING_VARIABLE: CostBucketDescriptor(
        label="Variable Operating",
        description="Costs that scale with throughput or production",
    ),
    CostBucket.MAINTENANCE: CostBucketDescriptor(
        label="Maintenance",
        description="Maintenance and repair expenditures",
    ),
    CostBucket.RECLAMATION: CostBucketDescriptor(
        label="Reclamation",
        description="Mine closure and reclamation liabilities",
    ),
    CostBucket.ROYALTIES: CostBucketDescriptor(
        label="Royalties",
        description="Royalty and streaming obligations",
    ),
    CostBucket.GENERAL_ADMIN: CostBucketDescriptor(
        label="G&A",
        description="Corporate and site general and administrative costs",
    ),
 }
@dataclass(frozen=True)
 class StochasticVariableDescriptor:
    """Metadata describing how a stochastic variable is typically modelled."""
    unit: str
    description: str
 STOCHASTIC_VARIABLE_METADATA: dict[StochasticVariable, StochasticVariableDescriptor] = {
    StochasticVariable.ORE_GRADE: StochasticVariableDescriptor(
        unit="g/t",
        description="Head grade variability across the ore body",
    ),
    StochasticVariable.RECOVERY_RATE: StochasticVariableDescriptor(
        unit="%",
        description="Metallurgical recovery uncertainty",
    ),
    StochasticVariable.METAL_PRICE: StochasticVariableDescriptor(
        unit="$/unit",
        description="Commodity price fluctuations",
    ),
    StochasticVariable.OPERATING_COST: StochasticVariableDescriptor(
        unit="$/t",
        description="Operating cost per tonne volatility",
    ),
    StochasticVariable.CAPITAL_COST: StochasticVariableDescriptor(
        unit="$",
        description="Capital cost overrun/underrun potential",
    ),
    StochasticVariable.DISCOUNT_RATE: StochasticVariableDescriptor(
        unit="%",
        description="Discount rate sensitivity",
    ),
    StochasticVariable.THROUGHPUT: StochasticVariableDescriptor(
        unit="t/d",
        description="Plant throughput variability",
    ),
 }
--- a/models/opex.py
+++ b/models/opex.py
@@ -1,57 +0,0 @@
 from sqlalchemy import event, text
 from sqlalchemy import Column, Integer, Float, String, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class Opex(Base):
    __tablename__ = "opex"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    amount = Column(Float, nullable=False)
    description = Column(String, nullable=True)
    currency_id = Column(Integer, ForeignKey("currency.id"), nullable=False)
    scenario = relationship("Scenario", back_populates="opex_items")
    currency = relationship("Currency", back_populates="opex_items")
    def __repr__(self):
        return (
            f"<Opex id={self.id} scenario_id={self.scenario_id} "
            f"amount={self.amount} currency_id={self.currency_id}>"
        )
    @property
    def currency_code(self) -> str:
        return self.currency.code if self.currency else None
    @currency_code.setter
    def currency_code(self, value: str) -> None:
        setattr(self, "_currency_code_pending",
                (value or "USD").strip().upper())
 def _resolve_currency_opex(mapper, connection, target):
    if getattr(target, "currency_id", None):
        return
    code = getattr(target, "_currency_code_pending", None) or "USD"
    row = connection.execute(text("SELECT id FROM currency WHERE code = :code"), {
                             "code": code}).fetchone()
    if row:
        cid = row[0]
    else:
        res = connection.execute(
            text("INSERT INTO currency (code, name, symbol, is_active) VALUES (:code, :name, :symbol, :active)"),
            {"code": code, "name": code, "symbol": None, "active": True},
        )
        try:
            cid = res.lastrowid
        except Exception:
            cid = connection.execute(text("SELECT id FROM currency WHERE code = :code"), {
                                     "code": code}).scalar()
    target.currency_id = cid
 event.listen(Opex, "before_insert", _resolve_currency_opex)
 event.listen(Opex, "before_update", _resolve_currency_opex)
--- a/models/parameters.py
+++ b/models/parameters.py
@@ -1,26 +0,0 @@
 from typing import Any, Dict, Optional
 from sqlalchemy import ForeignKey, JSON
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from config.database import Base
 class Parameter(Base):
    __tablename__ = "parameter"
    id: Mapped[int] = mapped_column(primary_key=True, index=True)
    scenario_id: Mapped[int] = mapped_column(
        ForeignKey("scenario.id"), nullable=False)
    name: Mapped[str] = mapped_column(nullable=False)
    value: Mapped[float] = mapped_column(nullable=False)
    distribution_id: Mapped[Optional[int]] = mapped_column(
        ForeignKey("distribution.id"), nullable=True)
    distribution_type: Mapped[Optional[str]] = mapped_column(nullable=True)
    distribution_parameters: Mapped[Optional[Dict[str, Any]]] = mapped_column(
        JSON, nullable=True)
    scenario = relationship("Scenario", back_populates="parameters")
    distribution = relationship("Distribution")
    def __repr__(self):
        return f"<Parameter id={self.id} name={self.name} value={self.value}>"
--- a/models/performance_metric.py
+++ b/models/performance_metric.py
@@ -0,0 +1,25 @@
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import Column, DateTime, Float, Integer, String
 from sqlalchemy.ext.declarative import declarative_base
 Base = declarative_base()
 class PerformanceMetric(Base):
    __tablename__ = "performance_metrics"
    id = Column(Integer, primary_key=True, index=True)
    timestamp = Column(DateTime, default=datetime.utcnow, index=True)
    metric_name = Column(String, index=True)
    value = Column(Float)
    labels = Column(String)  # JSON string of labels
    endpoint = Column(String, index=True, nullable=True)
    method = Column(String, nullable=True)
    status_code = Column(Integer, nullable=True)
    duration_seconds = Column(Float, nullable=True)
    def __repr__(self) -> str:
        return f"<PerformanceMetric(id={self.id}, name={self.metric_name}, value={self.value})>"
--- a/models/pricing_settings.py
+++ b/models/pricing_settings.py
@@ -0,0 +1,176 @@
 """Database models for persisted pricing configuration settings."""
 from __future__ import annotations
 from datetime import datetime
 from typing import TYPE_CHECKING
 from sqlalchemy import (
    JSON,
    DateTime,
    ForeignKey,
    Integer,
    Numeric,
    String,
    Text,
    UniqueConstraint,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship, validates
 from sqlalchemy.sql import func
 from config.database import Base
 from services.currency import normalise_currency
 if TYPE_CHECKING:  # pragma: no cover
    from .project import Project
 class PricingSettings(Base):
    """Persisted pricing defaults applied to scenario evaluations."""
    __tablename__ = "pricing_settings"
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    name: Mapped[str] = mapped_column(String(128), nullable=False, unique=True)
    slug: Mapped[str] = mapped_column(String(64), nullable=False, unique=True)
    description: Mapped[str | None] = mapped_column(Text, nullable=True)
    default_currency: Mapped[str | None] = mapped_column(
        String(3), nullable=True)
    default_payable_pct: Mapped[float] = mapped_column(
        Numeric(5, 2), nullable=False, default=100.0
    )
    moisture_threshold_pct: Mapped[float] = mapped_column(
        Numeric(5, 2), nullable=False, default=8.0
    )
    moisture_penalty_per_pct: Mapped[float] = mapped_column(
        Numeric(14, 4), nullable=False, default=0.0
    )
    metadata_payload: Mapped[dict | None] = mapped_column(
        "metadata", JSON, nullable=True
    )
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    metal_overrides: Mapped[list["PricingMetalSettings"]] = relationship(
        "PricingMetalSettings",
        back_populates="pricing_settings",
        cascade="all, delete-orphan",
        passive_deletes=True,
    )
    impurity_overrides: Mapped[list["PricingImpuritySettings"]] = relationship(
        "PricingImpuritySettings",
        back_populates="pricing_settings",
        cascade="all, delete-orphan",
        passive_deletes=True,
    )
    projects: Mapped[list["Project"]] = relationship(
        "Project",
        back_populates="pricing_settings",
        cascade="all",
    )
    @validates("slug")
    def _normalise_slug(self, key: str, value: str) -> str:
        return value.strip().lower()
    @validates("default_currency")
    def _validate_currency(self, key: str, value: str | None) -> str | None:
        return normalise_currency(value)
    def __repr__(self) -> str:  # pragma: no cover
        return f"PricingSettings(id={self.id!r}, slug={self.slug!r})"
 class PricingMetalSettings(Base):
    """Contract-specific overrides for a particular metal."""
    __tablename__ = "pricing_metal_settings"
    __table_args__ = (
        UniqueConstraint(
            "pricing_settings_id", "metal_code", name="uq_pricing_metal_settings_code"
        ),
    )
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    pricing_settings_id: Mapped[int] = mapped_column(
        ForeignKey("pricing_settings.id", ondelete="CASCADE"), nullable=False, index=True
    )
    metal_code: Mapped[str] = mapped_column(String(32), nullable=False)
    payable_pct: Mapped[float | None] = mapped_column(
        Numeric(5, 2), nullable=True)
    moisture_threshold_pct: Mapped[float | None] = mapped_column(
        Numeric(5, 2), nullable=True)
    moisture_penalty_per_pct: Mapped[float | None] = mapped_column(
        Numeric(14, 4), nullable=True
    )
    data: Mapped[dict | None] = mapped_column(JSON, nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    pricing_settings: Mapped["PricingSettings"] = relationship(
        "PricingSettings", back_populates="metal_overrides"
    )
    @validates("metal_code")
    def _normalise_metal_code(self, key: str, value: str) -> str:
        return value.strip().lower()
    def __repr__(self) -> str:  # pragma: no cover
        return (
            "PricingMetalSettings("  # noqa: ISC001
            f"id={self.id!r}, pricing_settings_id={self.pricing_settings_id!r}, "
            f"metal_code={self.metal_code!r})"
        )
 class PricingImpuritySettings(Base):
    """Impurity penalty thresholds associated with pricing settings."""
    __tablename__ = "pricing_impurity_settings"
    __table_args__ = (
        UniqueConstraint(
            "pricing_settings_id",
            "impurity_code",
            name="uq_pricing_impurity_settings_code",
        ),
    )
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    pricing_settings_id: Mapped[int] = mapped_column(
        ForeignKey("pricing_settings.id", ondelete="CASCADE"), nullable=False, index=True
    )
    impurity_code: Mapped[str] = mapped_column(String(32), nullable=False)
    threshold_ppm: Mapped[float] = mapped_column(
        Numeric(14, 4), nullable=False, default=0.0)
    penalty_per_ppm: Mapped[float] = mapped_column(
        Numeric(14, 4), nullable=False, default=0.0)
    notes: Mapped[str | None] = mapped_column(Text, nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    pricing_settings: Mapped["PricingSettings"] = relationship(
        "PricingSettings", back_populates="impurity_overrides"
    )
    @validates("impurity_code")
    def _normalise_impurity_code(self, key: str, value: str) -> str:
        return value.strip().upper()
    def __repr__(self) -> str:  # pragma: no cover
        return (
            "PricingImpuritySettings("  # noqa: ISC001
            f"id={self.id!r}, pricing_settings_id={self.pricing_settings_id!r}, "
            f"impurity_code={self.impurity_code!r})"
        )
--- a/models/production_output.py
+++ b/models/production_output.py
@@ -1,23 +0,0 @@
 from sqlalchemy import Column, Integer, Float, String, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class ProductionOutput(Base):
    __tablename__ = "production_output"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    amount = Column(Float, nullable=False)
    description = Column(String, nullable=True)
    unit_name = Column(String(64), nullable=True)
    unit_symbol = Column(String(16), nullable=True)
    scenario = relationship(
        "Scenario", back_populates="production_output_items")
    def __repr__(self):
        return (
            f"<ProductionOutput id={self.id} scenario_id={self.scenario_id} "
            f"amount={self.amount} unit={self.unit_symbol or self.unit_name}>"
        )
--- a/models/project.py
+++ b/models/project.py
@@ -0,0 +1,65 @@
 from __future__ import annotations
 from datetime import datetime
 from enum import Enum
 from typing import TYPE_CHECKING, List
 from sqlalchemy import DateTime, Enum as SQLEnum, ForeignKey, Integer, String, Text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.sql import func
 from config.database import Base
 if TYPE_CHECKING:  # pragma: no cover
    from .scenario import Scenario
    from .pricing_settings import PricingSettings
 class MiningOperationType(str, Enum):
    """Supported mining operation categories."""
    OPEN_PIT = "open_pit"
    UNDERGROUND = "underground"
    IN_SITU_LEACH = "in_situ_leach"
    PLACER = "placer"
    QUARRY = "quarry"
    MOUNTAINTOP_REMOVAL = "mountaintop_removal"
    OTHER = "other"
 class Project(Base):
    """Top-level mining project grouping multiple scenarios."""
    __tablename__ = "projects"
    id: Mapped[int] = mapped_column(Integer, primary_key=True, index=True)
    name: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
    location: Mapped[str | None] = mapped_column(String(255), nullable=True)
    operation_type: Mapped[MiningOperationType] = mapped_column(
        SQLEnum(MiningOperationType), nullable=False, default=MiningOperationType.OTHER
    )
    description: Mapped[str | None] = mapped_column(Text, nullable=True)
    pricing_settings_id: Mapped[int | None] = mapped_column(
        ForeignKey("pricing_settings.id", ondelete="SET NULL"),
        nullable=True,
    )
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    scenarios: Mapped[List["Scenario"]] = relationship(
        "Scenario",
        back_populates="project",
        cascade="all, delete-orphan",
        passive_deletes=True,
    )
    pricing_settings: Mapped["PricingSettings | None"] = relationship(
        "PricingSettings",
        back_populates="projects",
    )
    def __repr__(self) -> str:  # pragma: no cover - helpful for debugging
        return f"Project(id={self.id!r}, name={self.name!r})"
--- a/models/scenario.py
+++ b/models/scenario.py
@@ -1,39 +1,88 @@
-from sqlalchemy import Column, Integer, String, DateTime, func
+from __future__ import annotations
-from sqlalchemy.orm import relationship
+
-from models.simulation_result import SimulationResult
+from datetime import date, datetime
-from models.capex import Capex
+from enum import Enum
-from models.opex import Opex
+from typing import TYPE_CHECKING, List
-from models.consumption import Consumption
+
-from models.production_output import ProductionOutput
+from sqlalchemy import (
-from models.equipment import Equipment
+    Date,
-from models.maintenance import Maintenance
+    DateTime,
    Enum as SQLEnum,
    ForeignKey,
    Integer,
    Numeric,
    String,
    Text,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship, validates
 from sqlalchemy.sql import func
 from config.database import Base
 from services.currency import normalise_currency
 from .metadata import ResourceType
 if TYPE_CHECKING:  # pragma: no cover
    from .financial_input import FinancialInput
    from .project import Project
    from .simulation_parameter import SimulationParameter
 class ScenarioStatus(str, Enum):
    """Lifecycle states for project scenarios."""
    DRAFT = "draft"
    ACTIVE = "active"
    ARCHIVED = "archived"
 class Scenario(Base):
-    __tablename__ = "scenario"
+    """A specific configuration of assumptions for a project."""
-    id = Column(Integer, primary_key=True, index=True)
+    __tablename__ = "scenarios"
    name = Column(String, unique=True, nullable=False)
    description = Column(String)
    created_at = Column(DateTime(timezone=True), server_default=func.now())
    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
    parameters = relationship("Parameter", back_populates="scenario")
    simulation_results = relationship(
        SimulationResult, back_populates="scenario")
    capex_items = relationship(
        Capex, back_populates="scenario")
    opex_items = relationship(
        Opex, back_populates="scenario")
    consumption_items = relationship(
        Consumption, back_populates="scenario")
    production_output_items = relationship(
        ProductionOutput, back_populates="scenario")
    equipment_items = relationship(
        Equipment, back_populates="scenario")
    maintenance_items = relationship(
        Maintenance, back_populates="scenario")
-    # relationships can be defined later
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, index=True)
-    def __repr__(self):
+    project_id: Mapped[int] = mapped_column(
-        return f"<Scenario id={self.id} name={self.name}>"
+        ForeignKey("projects.id", ondelete="CASCADE"), nullable=False, index=True
    )
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    description: Mapped[str | None] = mapped_column(Text, nullable=True)
    status: Mapped[ScenarioStatus] = mapped_column(
        SQLEnum(ScenarioStatus), nullable=False, default=ScenarioStatus.DRAFT
    )
    start_date: Mapped[date | None] = mapped_column(Date, nullable=True)
    end_date: Mapped[date | None] = mapped_column(Date, nullable=True)
    discount_rate: Mapped[float | None] = mapped_column(
        Numeric(5, 2), nullable=True)
    currency: Mapped[str | None] = mapped_column(String(3), nullable=True)
    primary_resource: Mapped[ResourceType | None] = mapped_column(
        SQLEnum(ResourceType), nullable=True
    )
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    project: Mapped["Project"] = relationship(
        "Project", back_populates="scenarios")
    financial_inputs: Mapped[List["FinancialInput"]] = relationship(
        "FinancialInput",
        back_populates="scenario",
        cascade="all, delete-orphan",
        passive_deletes=True,
    )
    simulation_parameters: Mapped[List["SimulationParameter"]] = relationship(
        "SimulationParameter",
        back_populates="scenario",
        cascade="all, delete-orphan",
        passive_deletes=True,
    )
    @validates("currency")
    def _normalise_currency(self, key: str, value: str | None) -> str | None:
        # Normalise to uppercase ISO-4217; raises when the code is malformed.
        return normalise_currency(value)
    def __repr__(self) -> str:  # pragma: no cover
        return f"Scenario(id={self.id!r}, name={self.name!r}, project_id={self.project_id!r})"
--- a/models/simulation_parameter.py
+++ b/models/simulation_parameter.py
@@ -0,0 +1,80 @@
 from __future__ import annotations
 from datetime import datetime
 from enum import Enum
 from typing import TYPE_CHECKING
 from sqlalchemy import (
    JSON,
    DateTime,
    Enum as SQLEnum,
    ForeignKey,
    Integer,
    Numeric,
    String,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.sql import func
 from config.database import Base
 from .metadata import ResourceType, StochasticVariable
 if TYPE_CHECKING:  # pragma: no cover
    from .scenario import Scenario
 class DistributionType(str, Enum):
    """Supported stochastic distribution families for simulations."""
    NORMAL = "normal"
    TRIANGULAR = "triangular"
    UNIFORM = "uniform"
    LOGNORMAL = "lognormal"
    CUSTOM = "custom"
 class SimulationParameter(Base):
    """Probability distribution settings for scenario simulations."""
    __tablename__ = "simulation_parameters"
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    scenario_id: Mapped[int] = mapped_column(
        ForeignKey("scenarios.id", ondelete="CASCADE"), nullable=False, index=True
    )
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    distribution: Mapped[DistributionType] = mapped_column(
        SQLEnum(DistributionType), nullable=False
    )
    variable: Mapped[StochasticVariable | None] = mapped_column(
        SQLEnum(StochasticVariable), nullable=True
    )
    resource_type: Mapped[ResourceType | None] = mapped_column(
        SQLEnum(ResourceType), nullable=True
    )
    mean_value: Mapped[float | None] = mapped_column(
        Numeric(18, 4), nullable=True)
    standard_deviation: Mapped[float | None] = mapped_column(
        Numeric(18, 4), nullable=True)
    minimum_value: Mapped[float | None] = mapped_column(
        Numeric(18, 4), nullable=True)
    maximum_value: Mapped[float | None] = mapped_column(
        Numeric(18, 4), nullable=True)
    unit: Mapped[str | None] = mapped_column(String(32), nullable=True)
    configuration: Mapped[dict | None] = mapped_column(JSON, nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    scenario: Mapped["Scenario"] = relationship(
        "Scenario", back_populates="simulation_parameters"
    )
    def __repr__(self) -> str:  # pragma: no cover
        return (
            f"SimulationParameter(id={self.id!r}, scenario_id={self.scenario_id!r}, "
            f"name={self.name!r})"
        )
--- a/models/simulation_result.py
+++ b/models/simulation_result.py
@@ -1,14 +0,0 @@
 from sqlalchemy import Column, Integer, Float, ForeignKey
 from sqlalchemy.orm import relationship
 from config.database import Base
 class SimulationResult(Base):
    __tablename__ = "simulation_result"
    id = Column(Integer, primary_key=True, index=True)
    scenario_id = Column(Integer, ForeignKey("scenario.id"), nullable=False)
    iteration = Column(Integer, nullable=False)
    result = Column(Float, nullable=False)
    scenario = relationship("Scenario", back_populates="simulation_results")
--- a/models/user.py
+++ b/models/user.py
@@ -0,0 +1,176 @@
 from __future__ import annotations
 from datetime import datetime
 from typing import List, Optional
 from passlib.context import CryptContext
 try:  # pragma: no cover - defensive compatibility shim
    import importlib.metadata as importlib_metadata
    import argon2  # type: ignore
    setattr(argon2, "__version__", importlib_metadata.version("argon2-cffi"))
 except Exception:
    pass
 from sqlalchemy import (
    Boolean,
    DateTime,
    ForeignKey,
    Integer,
    String,
    Text,
    UniqueConstraint,
 )
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.sql import func
 from config.database import Base
 # Configure password hashing strategy. Argon2 provides strong resistance against
 # GPU-based cracking attempts, aligning with the security plan.
 password_context = CryptContext(schemes=["argon2"], deprecated="auto")
 class User(Base):
    """Authenticated platform user with optional elevated privileges."""
    __tablename__ = "users"
    __table_args__ = (
        UniqueConstraint("email", name="uq_users_email"),
        UniqueConstraint("username", name="uq_users_username"),
    )
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    email: Mapped[str] = mapped_column(String(255), nullable=False)
    username: Mapped[str] = mapped_column(String(128), nullable=False)
    password_hash: Mapped[str] = mapped_column(String(255), nullable=False)
    is_active: Mapped[bool] = mapped_column(
        Boolean, nullable=False, default=True)
    is_superuser: Mapped[bool] = mapped_column(
        Boolean, nullable=False, default=False)
    last_login_at: Mapped[datetime | None] = mapped_column(
        DateTime(timezone=True), nullable=True
    )
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    role_assignments: Mapped[List["UserRole"]] = relationship(
        "UserRole",
        back_populates="user",
        cascade="all, delete-orphan",
        foreign_keys="UserRole.user_id",
    )
    roles: Mapped[List["Role"]] = relationship(
        "Role",
        secondary="user_roles",
        primaryjoin="User.id == UserRole.user_id",
        secondaryjoin="Role.id == UserRole.role_id",
        viewonly=True,
        back_populates="users",
    )
    def set_password(self, raw_password: str) -> None:
        """Hash and store a password for the user."""
        self.password_hash = self.hash_password(raw_password)
    @staticmethod
    def hash_password(raw_password: str) -> str:
        """Return the Argon2 hash for a clear-text password."""
        return password_context.hash(raw_password)
    def verify_password(self, candidate_password: str) -> bool:
        """Validate a password against the stored hash."""
        if not self.password_hash:
            return False
        return password_context.verify(candidate_password, self.password_hash)
    def __repr__(self) -> str:  # pragma: no cover - helpful for debugging
        return f"User(id={self.id!r}, email={self.email!r})"
 class Role(Base):
    """Role encapsulating a set of permissions."""
    __tablename__ = "roles"
    id: Mapped[int] = mapped_column(Integer, primary_key=True)
    name: Mapped[str] = mapped_column(String(64), nullable=False, unique=True)
    display_name: Mapped[str] = mapped_column(String(128), nullable=False)
    description: Mapped[str | None] = mapped_column(Text, nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    assignments: Mapped[List["UserRole"]] = relationship(
        "UserRole",
        back_populates="role",
        cascade="all, delete-orphan",
        foreign_keys="UserRole.role_id",
    )
    users: Mapped[List["User"]] = relationship(
        "User",
        secondary="user_roles",
        primaryjoin="Role.id == UserRole.role_id",
        secondaryjoin="User.id == UserRole.user_id",
        viewonly=True,
        back_populates="roles",
    )
    def __repr__(self) -> str:  # pragma: no cover - helpful for debugging
        return f"Role(id={self.id!r}, name={self.name!r})"
 class UserRole(Base):
    """Association between users and roles with assignment metadata."""
    __tablename__ = "user_roles"
    __table_args__ = (
        UniqueConstraint("user_id", "role_id", name="uq_user_roles_user_role"),
    )
    user_id: Mapped[int] = mapped_column(
        Integer,
        ForeignKey("users.id", ondelete="CASCADE"),
        primary_key=True,
    )
    role_id: Mapped[int] = mapped_column(
        Integer,
        ForeignKey("roles.id", ondelete="CASCADE"),
        primary_key=True,
    )
    granted_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    granted_by: Mapped[Optional[int]] = mapped_column(
        Integer,
        ForeignKey("users.id", ondelete="SET NULL"),
        nullable=True,
    )
    user: Mapped["User"] = relationship(
        "User",
        foreign_keys=[user_id],
        back_populates="role_assignments",
    )
    role: Mapped["Role"] = relationship(
        "Role",
        foreign_keys=[role_id],
        back_populates="assignments",
    )
    granted_by_user: Mapped[Optional["User"]] = relationship(
        "User",
        foreign_keys=[granted_by],
    )
    def __repr__(self) -> str:  # pragma: no cover - debugging helper
        return f"UserRole(user_id={self.user_id!r}, role_id={self.role_id!r})"
--- a/monitoring/init.py
+++ b/monitoring/init.py
@@ -0,0 +1,117 @@
 from __future__ import annotations
 from datetime import datetime, timedelta
 from typing import Optional
 from fastapi import APIRouter, Depends, Query, Response
 from prometheus_client import CONTENT_TYPE_LATEST, generate_latest
 from sqlalchemy.orm import Session
 from config.database import get_db
 from services.metrics import MetricsService
 router = APIRouter(prefix="/metrics", tags=["monitoring"])
@router.get("", summary="Prometheus metrics endpoint", include_in_schema=False)
 async def metrics_endpoint() -> Response:
    payload = generate_latest()
    return Response(content=payload, media_type=CONTENT_TYPE_LATEST)
@router.get("/performance", summary="Get performance metrics")
 async def get_performance_metrics(
    metric_name: Optional[str] = Query(
        None, description="Filter by metric name"),
    hours: int = Query(24, description="Hours back to look"),
    db: Session = Depends(get_db),
 ) -> dict:
    """Get aggregated performance metrics."""
    service = MetricsService(db)
    start_time = datetime.utcnow() - timedelta(hours=hours)
    if metric_name:
        metrics = service.get_metrics(
            metric_name=metric_name, start_time=start_time)
        aggregated = service.get_aggregated_metrics(
            metric_name, start_time=start_time)
        return {
            "metric_name": metric_name,
            "period_hours": hours,
            "aggregated": aggregated,
            "recent_samples": [
                {
                    "timestamp": m.timestamp.isoformat(),
                    "value": m.value,
                    "labels": m.labels,
                    "endpoint": m.endpoint,
                    "method": m.method,
                    "status_code": m.status_code,
                    "duration_seconds": m.duration_seconds,
                }
                for m in metrics[:50]  # Last 50 samples
            ],
        }
    # Return summary for all metrics
    all_metrics = service.get_metrics(start_time=start_time, limit=1000)
    metric_types = {}
    for m in all_metrics:
        if m.metric_name not in metric_types:
            metric_types[m.metric_name] = []
        metric_types[m.metric_name].append(m.value)
    summary = {}
    for name, values in metric_types.items():
        summary[name] = {
            "count": len(values),
            "avg": sum(values) / len(values) if values else 0,
            "min": min(values) if values else 0,
            "max": max(values) if values else 0,
        }
    return {
        "period_hours": hours,
        "summary": summary,
    }
@router.get("/health", summary="Detailed health check with metrics")
 async def detailed_health(db: Session = Depends(get_db)) -> dict:
    """Get detailed health status with recent metrics."""
    service = MetricsService(db)
    last_hour = datetime.utcnow() - timedelta(hours=1)
    # Get request metrics from last hour
    request_metrics = service.get_metrics(
        metric_name="http_request", start_time=last_hour
    )
    if request_metrics:
        durations = []
        error_count = 0
        for m in request_metrics:
            if m.duration_seconds is not None:
                durations.append(m.duration_seconds)
            if m.status_code is not None:
                if m.status_code >= 400:
                    error_count += 1
        total_requests = len(request_metrics)
        avg_duration = sum(durations) / len(durations) if durations else 0
        error_rate = error_count / total_requests if total_requests > 0 else 0
    else:
        avg_duration = 0
        error_rate = 0
        total_requests = 0
    return {
        "status": "ok",
        "timestamp": datetime.utcnow().isoformat(),
        "metrics": {
            "requests_last_hour": total_requests,
            "avg_response_time_seconds": avg_duration,
            "error_rate": error_rate,
        },
    }
--- a/monitoring/metrics.py
+++ b/monitoring/metrics.py
@@ -0,0 +1,108 @@
 from __future__ import annotations
 from prometheus_client import Counter, Histogram, Gauge
 IMPORT_DURATION = Histogram(
    "calminer_import_duration_seconds",
    "Duration of import preview and commit operations",
    labelnames=("dataset", "action", "status"),
 )
 IMPORT_TOTAL = Counter(
    "calminer_import_total",
    "Count of import operations",
    labelnames=("dataset", "action", "status"),
 )
 EXPORT_DURATION = Histogram(
    "calminer_export_duration_seconds",
    "Duration of export operations",
    labelnames=("dataset", "status", "format"),
 )
 EXPORT_TOTAL = Counter(
    "calminer_export_total",
    "Count of export operations",
    labelnames=("dataset", "status", "format"),
 )
 # General performance metrics
 REQUEST_DURATION = Histogram(
    "calminer_request_duration_seconds",
    "Duration of HTTP requests",
    labelnames=("method", "endpoint", "status"),
 )
 REQUEST_TOTAL = Counter(
    "calminer_request_total",
    "Count of HTTP requests",
    labelnames=("method", "endpoint", "status"),
 )
 ACTIVE_CONNECTIONS = Gauge(
    "calminer_active_connections",
    "Number of active connections",
 )
 DB_CONNECTIONS = Gauge(
    "calminer_db_connections",
    "Number of database connections",
 )
 # Business metrics
 PROJECT_OPERATIONS = Counter(
    "calminer_project_operations_total",
    "Count of project operations",
    labelnames=("operation", "status"),
 )
 SCENARIO_OPERATIONS = Counter(
    "calminer_scenario_operations_total",
    "Count of scenario operations",
    labelnames=("operation", "status"),
 )
 SIMULATION_RUNS = Counter(
    "calminer_simulation_runs_total",
    "Count of Monte Carlo simulation runs",
    labelnames=("status",),
 )
 SIMULATION_DURATION = Histogram(
    "calminer_simulation_duration_seconds",
    "Duration of Monte Carlo simulations",
    labelnames=("status",),
 )
 def observe_import(action: str, dataset: str, status: str, seconds: float) -> None:
    IMPORT_TOTAL.labels(dataset=dataset, action=action, status=status).inc()
    IMPORT_DURATION.labels(dataset=dataset, action=action,
                           status=status).observe(seconds)
 def observe_export(dataset: str, status: str, export_format: str, seconds: float) -> None:
    EXPORT_TOTAL.labels(dataset=dataset, status=status,
                        format=export_format).inc()
    EXPORT_DURATION.labels(dataset=dataset, status=status,
                           format=export_format).observe(seconds)
 def observe_request(method: str, endpoint: str, status: int, seconds: float) -> None:
    REQUEST_TOTAL.labels(method=method, endpoint=endpoint, status=status).inc()
    REQUEST_DURATION.labels(method=method, endpoint=endpoint,
                            status=status).observe(seconds)
 def observe_project_operation(operation: str, status: str = "success") -> None:
    PROJECT_OPERATIONS.labels(operation=operation, status=status).inc()
 def observe_scenario_operation(operation: str, status: str = "success") -> None:
    SCENARIO_OPERATIONS.labels(operation=operation, status=status).inc()
 def observe_simulation(status: str, duration_seconds: float) -> None:
    SIMULATION_RUNS.labels(status=status).inc()
    SIMULATION_DURATION.labels(status=status).observe(duration_seconds)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,44 @@
 [tool.black]
 line-length = 80
 target-version = ['py310']
 include = '\\.pyi?$'
 exclude = '''
 /(
  .git
  | .hg
  | .mypy_cache
  | .tox
  | .venv
  | build
  | dist
 )/
 '''
 [tool.pytest.ini_options]
 pythonpath = ["."]
 testpaths = ["tests"]
 addopts = "-ra --strict-config --strict-markers --cov=. --cov-report=term-missing --cov-report=xml --cov-fail-under=80"
 markers = [
    "asyncio: marks tests as async (using pytest-asyncio)",
 ]
 [tool.coverage.run]
 branch = true
 source = ["."]
 omit = [
  "tests/*",
  "alembic/*",
  "scripts/*",
  "main.py",
  "routes/reports.py",
  "services/reporting.py",
 ]
 [tool.coverage.report]
 skip_empty = true
 show_missing = true
 [tool.bandit]
 exclude_dirs = ["alembic", "scripts"]
 skips = ["B101", "B601"]  # B101: assert_used, B601: shell_injection (may be false positives)
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -0,0 +1,2 @@
 -r requirements.txt
 alembic
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,5 +1,9 @@
 pytest
 pytest-asyncio
 pytest-cov
 pytest-httpx
-playwright
+python-jose
-pytest-playwright
+ruff
 black
 mypy
 bandit
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 fastapi
 pydantic
 uvicorn
 sqlalchemy
 psycopg2-binary
@@ -7,3 +8,9 @@ httpx
 jinja2
 pandas
 numpy
 passlib
 argon2-cffi
 python-jose
 python-multipart
 openpyxl
 prometheus-client
--- a/routes/init.py
+++ b/routes/init.py
@@ -0,0 +1 @@
 """API route registrations."""
--- a/routes/auth.py
+++ b/routes/auth.py
@@ -0,0 +1,484 @@
 from __future__ import annotations
 from datetime import datetime, timedelta, timezone
 from typing import Any, Iterable
 from fastapi import APIRouter, Depends, HTTPException, Request, UploadFile, status
 from fastapi.responses import HTMLResponse, RedirectResponse
 from fastapi.templating import Jinja2Templates
 from pydantic import ValidationError
 from starlette.datastructures import FormData
 from dependencies import (
    get_auth_session,
    get_jwt_settings,
    get_session_strategy,
    get_unit_of_work,
    require_current_user,
 )
 from models import Role, User
 from schemas.auth import (
    LoginForm,
    PasswordResetForm,
    PasswordResetRequestForm,
    RegistrationForm,
 )
 from services.exceptions import EntityConflictError
 from services.security import (
    JWTSettings,
    TokenDecodeError,
    TokenExpiredError,
    TokenTypeMismatchError,
    create_access_token,
    create_refresh_token,
    decode_access_token,
    hash_password,
    verify_password,
 )
 from services.session import (
    AuthSession,
    SessionStrategy,
    clear_session_cookies,
    set_session_cookies,
 )
 from services.repositories import RoleRepository, UserRepository
 from services.unit_of_work import UnitOfWork
 router = APIRouter(tags=["Authentication"])
 templates = Jinja2Templates(directory="templates")
 _PASSWORD_RESET_SCOPE = "password-reset"
 _AUTH_SCOPE = "auth"
 def _template(
    request: Request,
    template_name: str,
    context: dict[str, Any],
    *,
    status_code: int = status.HTTP_200_OK,
 ) -> HTMLResponse:
    return templates.TemplateResponse(
        request,
        template_name,
        context,
        status_code=status_code,
    )
 def _validation_errors(exc: ValidationError) -> list[str]:
    return [error.get("msg", "Invalid input.") for error in exc.errors()]
 def _scopes(include: Iterable[str]) -> list[str]:
    return list(include)
 def _normalise_form_data(form_data: FormData) -> dict[str, str]:
    normalised: dict[str, str] = {}
    for key, value in form_data.multi_items():
        if isinstance(value, UploadFile):
            str_value = value.filename or ""
        else:
            str_value = str(value)
        normalised[key] = str_value
    return normalised
 def _require_users_repo(uow: UnitOfWork) -> UserRepository:
    if not uow.users:
        raise RuntimeError("User repository is not initialised")
    return uow.users
 def _require_roles_repo(uow: UnitOfWork) -> RoleRepository:
    if not uow.roles:
        raise RuntimeError("Role repository is not initialised")
    return uow.roles
@router.get("/login", response_class=HTMLResponse, include_in_schema=False, name="auth.login_form")
 def login_form(request: Request) -> HTMLResponse:
    return _template(
        request,
        "login.html",
        {
            "form_action": request.url_for("auth.login_submit"),
            "errors": [],
            "username": "",
        },
    )
@router.post("/login", include_in_schema=False, name="auth.login_submit")
 async def login_submit(
    request: Request,
    uow: UnitOfWork = Depends(get_unit_of_work),
    jwt_settings: JWTSettings = Depends(get_jwt_settings),
    session_strategy: SessionStrategy = Depends(get_session_strategy),
 ):
    form_data = _normalise_form_data(await request.form())
    try:
        form = LoginForm(**form_data)
    except ValidationError as exc:
        return _template(
            request,
            "login.html",
            {
                "form_action": request.url_for("auth.login_submit"),
                "errors": _validation_errors(exc),
            },
            status_code=status.HTTP_400_BAD_REQUEST,
        )
    identifier = form.username
    users_repo = _require_users_repo(uow)
    user = _lookup_user(users_repo, identifier)
    errors: list[str] = []
    if not user or not verify_password(form.password, user.password_hash):
        errors.append("Invalid username or password.")
    elif not user.is_active:
        errors.append("Account is inactive. Contact an administrator.")
    if errors:
        return _template(
            request,
            "login.html",
            {
                "form_action": request.url_for("auth.login_submit"),
                "errors": errors,
                "username": identifier,
            },
            status_code=status.HTTP_400_BAD_REQUEST,
        )
    assert user is not None  # mypy hint - guarded above
    user.last_login_at = datetime.now(timezone.utc)
    access_token = create_access_token(
        str(user.id),
        jwt_settings,
        scopes=_scopes((_AUTH_SCOPE,)),
    )
    refresh_token = create_refresh_token(
        str(user.id),
        jwt_settings,
        scopes=_scopes((_AUTH_SCOPE,)),
    )
    response = RedirectResponse(
        request.url_for("dashboard.home"),
        status_code=status.HTTP_303_SEE_OTHER,
    )
    set_session_cookies(
        response,
        access_token=access_token,
        refresh_token=refresh_token,
        strategy=session_strategy,
        jwt_settings=jwt_settings,
    )
    return response
@router.get("/logout", include_in_schema=False, name="auth.logout")
 async def logout(
    request: Request,
    _: User = Depends(require_current_user),
    session: AuthSession = Depends(get_auth_session),
    session_strategy: SessionStrategy = Depends(get_session_strategy),
 ) -> RedirectResponse:
    session.mark_cleared()
    redirect_url = request.url_for(
        "auth.login_form").include_query_params(logout="1")
    response = RedirectResponse(
        redirect_url,
        status_code=status.HTTP_303_SEE_OTHER,
    )
    clear_session_cookies(response, session_strategy)
    return response
 def _lookup_user(users_repo: UserRepository, identifier: str) -> User | None:
    if "@" in identifier:
        return users_repo.get_by_email(identifier.lower(), with_roles=True)
    return users_repo.get_by_username(identifier, with_roles=True)
@router.get("/register", response_class=HTMLResponse, include_in_schema=False, name="auth.register_form")
 def register_form(request: Request) -> HTMLResponse:
    return _template(
        request,
        "register.html",
        {
            "form_action": request.url_for("auth.register_submit"),
            "errors": [],
            "form_data": None,
        },
    )
@router.post("/register", include_in_schema=False, name="auth.register_submit")
 async def register_submit(
    request: Request,
    uow: UnitOfWork = Depends(get_unit_of_work),
 ):
    form_data = _normalise_form_data(await request.form())
    try:
        form = RegistrationForm(**form_data)
    except ValidationError as exc:
        return _registration_error_response(request, _validation_errors(exc))
    errors: list[str] = []
    users_repo = _require_users_repo(uow)
    roles_repo = _require_roles_repo(uow)
    uow.ensure_default_roles()
    if users_repo.get_by_email(form.email):
        errors.append("Email is already registered.")
    if users_repo.get_by_username(form.username):
        errors.append("Username is already taken.")
    if errors:
        return _registration_error_response(request, errors, form)
    user = User(
        email=form.email,
        username=form.username,
        password_hash=hash_password(form.password),
        is_active=True,
        is_superuser=False,
    )
    try:
        created = users_repo.create(user)
    except EntityConflictError:
        return _registration_error_response(
            request,
            ["An account with this username or email already exists."],
            form,
        )
    viewer_role = _ensure_viewer_role(roles_repo)
    if viewer_role is not None:
        users_repo.assign_role(
            user_id=created.id,
            role_id=viewer_role.id,
            granted_by=created.id,
        )
    redirect_url = request.url_for(
        "auth.login_form").include_query_params(registered="1")
    return RedirectResponse(
        redirect_url,
        status_code=status.HTTP_303_SEE_OTHER,
    )
 def _registration_error_response(
    request: Request,
    errors: list[str],
    form: RegistrationForm | None = None,
 ) -> HTMLResponse:
    context = {
        "form_action": request.url_for("auth.register_submit"),
        "errors": errors,
        "form_data": form.model_dump(exclude={"password", "confirm_password"}) if form else None,
    }
    return _template(
        request,
        "register.html",
        context,
        status_code=status.HTTP_400_BAD_REQUEST,
    )
 def _ensure_viewer_role(roles_repo: RoleRepository) -> Role | None:
    viewer = roles_repo.get_by_name("viewer")
    if viewer:
        return viewer
    return roles_repo.get_by_name("viewer")
@router.get(
    "/forgot-password",
    response_class=HTMLResponse,
    include_in_schema=False,
    name="auth.password_reset_request_form",
 )
 def password_reset_request_form(request: Request) -> HTMLResponse:
    return _template(
        request,
        "forgot_password.html",
        {
            "form_action": request.url_for("auth.password_reset_request_submit"),
            "errors": [],
            "message": None,
        },
    )
@router.post(
    "/forgot-password",
    include_in_schema=False,
    name="auth.password_reset_request_submit",
 )
 async def password_reset_request_submit(
    request: Request,
    uow: UnitOfWork = Depends(get_unit_of_work),
    jwt_settings: JWTSettings = Depends(get_jwt_settings),
 ):
    form_data = _normalise_form_data(await request.form())
    try:
        form = PasswordResetRequestForm(**form_data)
    except ValidationError as exc:
        return _template(
            request,
            "forgot_password.html",
            {
                "form_action": request.url_for("auth.password_reset_request_submit"),
                "errors": _validation_errors(exc),
                "message": None,
            },
            status_code=status.HTTP_400_BAD_REQUEST,
        )
    users_repo = _require_users_repo(uow)
    user = users_repo.get_by_email(form.email)
    if not user:
        return _template(
            request,
            "forgot_password.html",
            {
                "form_action": request.url_for("auth.password_reset_request_submit"),
                "errors": [],
                "message": "If an account exists, a reset link has been sent.",
            },
        )
    token = create_access_token(
        str(user.id),
        jwt_settings,
        scopes=_scopes((_PASSWORD_RESET_SCOPE,)),
        expires_delta=timedelta(hours=1),
    )
    reset_url = request.url_for(
        "auth.password_reset_form").include_query_params(token=token)
    return RedirectResponse(reset_url, status_code=status.HTTP_303_SEE_OTHER)
@router.get(
    "/reset-password",
    response_class=HTMLResponse,
    include_in_schema=False,
    name="auth.password_reset_form",
 )
 def password_reset_form(
    request: Request,
    token: str | None = None,
    jwt_settings: JWTSettings = Depends(get_jwt_settings),
 ) -> HTMLResponse:
    errors: list[str] = []
    if not token:
        errors.append("Missing password reset token.")
    else:
        try:
            payload = decode_access_token(token, jwt_settings)
            if _PASSWORD_RESET_SCOPE not in payload.scopes:
                errors.append("Invalid token scope.")
        except TokenExpiredError:
            errors.append(
                "Token has expired. Please request a new password reset.")
        except (TokenDecodeError, TokenTypeMismatchError):
            errors.append("Invalid password reset token.")
    return _template(
        request,
        "reset_password.html",
        {
            "form_action": request.url_for("auth.password_reset_submit"),
            "token": token,
            "errors": errors,
        },
        status_code=status.HTTP_400_BAD_REQUEST if errors else status.HTTP_200_OK,
    )
@router.post(
    "/reset-password",
    include_in_schema=False,
    name="auth.password_reset_submit",
 )
 async def password_reset_submit(
    request: Request,
    uow: UnitOfWork = Depends(get_unit_of_work),
    jwt_settings: JWTSettings = Depends(get_jwt_settings),
 ):
    form_data = _normalise_form_data(await request.form())
    try:
        form = PasswordResetForm(**form_data)
    except ValidationError as exc:
        return _template(
            request,
            "reset_password.html",
            {
                "form_action": request.url_for("auth.password_reset_submit"),
                "token": form_data.get("token"),
                "errors": _validation_errors(exc),
            },
            status_code=status.HTTP_400_BAD_REQUEST,
        )
    try:
        payload = decode_access_token(form.token, jwt_settings)
    except TokenExpiredError:
        return _reset_error_response(
            request,
            form.token,
            "Token has expired. Please request a new password reset.",
        )
    except (TokenDecodeError, TokenTypeMismatchError):
        return _reset_error_response(
            request,
            form.token,
            "Invalid password reset token.",
        )
    if _PASSWORD_RESET_SCOPE not in payload.scopes:
        return _reset_error_response(
            request,
            form.token,
            "Invalid password reset token scope.",
        )
    users_repo = _require_users_repo(uow)
    user_id = int(payload.sub)
    user = users_repo.get(user_id)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
    user.set_password(form.password)
    if not user.is_active:
        user.is_active = True
    redirect_url = request.url_for(
        "auth.login_form").include_query_params(reset="1")
    return RedirectResponse(
        redirect_url,
        status_code=status.HTTP_303_SEE_OTHER,
    )
 def _reset_error_response(request: Request, token: str, message: str) -> HTMLResponse:
    return _template(
        request,
        "reset_password.html",
        {
            "form_action": request.url_for("auth.password_reset_submit"),
            "token": token,
            "errors": [message],
        },
        status_code=status.HTTP_400_BAD_REQUEST,
    )
--- a/routes/consumption.py
+++ b/routes/consumption.py
@@ -1,50 +0,0 @@
 from typing import List, Optional
 from fastapi import APIRouter, Depends, status
 from pydantic import BaseModel, ConfigDict, PositiveFloat, field_validator
 from sqlalchemy.orm import Session
 from models.consumption import Consumption
 from routes.dependencies import get_db
 router = APIRouter(prefix="/api/consumption", tags=["Consumption"])
 class ConsumptionBase(BaseModel):
    scenario_id: int
    amount: PositiveFloat
    description: Optional[str] = None
    unit_name: Optional[str] = None
    unit_symbol: Optional[str] = None
    @field_validator("unit_name", "unit_symbol")
    @classmethod
    def _normalize_text(cls, value: Optional[str]) -> Optional[str]:
        if value is None:
            return None
        stripped = value.strip()
        return stripped or None
 class ConsumptionCreate(ConsumptionBase):
    pass
 class ConsumptionRead(ConsumptionBase):
    id: int
    model_config = ConfigDict(from_attributes=True)
@router.post("/", response_model=ConsumptionRead, status_code=status.HTTP_201_CREATED)
 def create_consumption(item: ConsumptionCreate, db: Session = Depends(get_db)):
    db_item = Consumption(**item.model_dump())
    db.add(db_item)
    db.commit()
    db.refresh(db_item)
    return db_item
@router.get("/", response_model=List[ConsumptionRead])
 def list_consumption(db: Session = Depends(get_db)):
    return db.query(Consumption).all()
--- a/routes/costs.py
+++ b/routes/costs.py
@@ -1,119 +0,0 @@
 from typing import List, Optional
 from fastapi import APIRouter, Depends
 from pydantic import BaseModel, ConfigDict, field_validator
 from sqlalchemy.orm import Session
 from models.capex import Capex
 from models.opex import Opex
 from routes.dependencies import get_db
 router = APIRouter(prefix="/api/costs", tags=["Costs"])
 # Pydantic schemas for CAPEX and OPEX
 class _CostBase(BaseModel):
    scenario_id: int
    amount: float
    description: Optional[str] = None
    currency_code: Optional[str] = "USD"
    currency_id: Optional[int] = None
    @field_validator("currency_code")
    @classmethod
    def _normalize_currency(cls, value: Optional[str]) -> str:
        code = (value or "USD").strip().upper()
        return code[:3] if len(code) > 3 else code
 class CapexCreate(_CostBase):
    pass
 class CapexRead(_CostBase):
    id: int
    # use from_attributes so Pydantic reads attributes off SQLAlchemy model
    model_config = ConfigDict(from_attributes=True)
    # optionally include nested currency info
    currency: Optional["CurrencyRead"] = None
 class OpexCreate(_CostBase):
    pass
 class OpexRead(_CostBase):
    id: int
    model_config = ConfigDict(from_attributes=True)
    currency: Optional["CurrencyRead"] = None
 class CurrencyRead(BaseModel):
    id: int
    code: str
    name: Optional[str] = None
    symbol: Optional[str] = None
    is_active: Optional[bool] = True
    model_config = ConfigDict(from_attributes=True)
 # forward refs
 CapexRead.model_rebuild()
 OpexRead.model_rebuild()
 # Capex endpoints
@router.post("/capex", response_model=CapexRead)
 def create_capex(item: CapexCreate, db: Session = Depends(get_db)):
    payload = item.model_dump()
    # Prefer explicit currency_id if supplied
    cid = payload.get("currency_id")
    if not cid:
        code = (payload.pop("currency_code", "USD") or "USD").strip().upper()
        currency_cls = __import__(
            "models.currency", fromlist=["Currency"]).Currency
        currency = db.query(currency_cls).filter_by(code=code).one_or_none()
        if currency is None:
            currency = currency_cls(code=code, name=code, symbol=None)
            db.add(currency)
            db.flush()
        payload["currency_id"] = currency.id
    db_item = Capex(**payload)
    db.add(db_item)
    db.commit()
    db.refresh(db_item)
    return db_item
@router.get("/capex", response_model=List[CapexRead])
 def list_capex(db: Session = Depends(get_db)):
    return db.query(Capex).all()
 # Opex endpoints
@router.post("/opex", response_model=OpexRead)
 def create_opex(item: OpexCreate, db: Session = Depends(get_db)):
    payload = item.model_dump()
    cid = payload.get("currency_id")
    if not cid:
        code = (payload.pop("currency_code", "USD") or "USD").strip().upper()
        currency_cls = __import__(
            "models.currency", fromlist=["Currency"]).Currency
        currency = db.query(currency_cls).filter_by(code=code).one_or_none()
        if currency is None:
            currency = currency_cls(code=code, name=code, symbol=None)
            db.add(currency)
            db.flush()
        payload["currency_id"] = currency.id
    db_item = Opex(**payload)
    db.add(db_item)
    db.commit()
    db.refresh(db_item)
    return db_item
@router.get("/opex", response_model=List[OpexRead])
 def list_opex(db: Session = Depends(get_db)):
    return db.query(Opex).all()
--- a/routes/currencies.py
+++ b/routes/currencies.py
@@ -1,191 +0,0 @@
 from typing import Dict, List, Optional
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from pydantic import BaseModel, ConfigDict, Field, field_validator
 from sqlalchemy.orm import Session
 from sqlalchemy.exc import IntegrityError
 from models.currency import Currency
 from routes.dependencies import get_db
 router = APIRouter(prefix="/api/currencies", tags=["Currencies"])
 DEFAULT_CURRENCY_CODE = "USD"
 DEFAULT_CURRENCY_NAME = "US Dollar"
 DEFAULT_CURRENCY_SYMBOL = "$"
 class CurrencyBase(BaseModel):
    name: str = Field(..., min_length=1, max_length=128)
    symbol: Optional[str] = Field(default=None, max_length=8)
    @staticmethod
    def _normalize_symbol(value: Optional[str]) -> Optional[str]:
        if value is None:
            return None
        value = value.strip()
        return value or None
    @field_validator("name")
    @classmethod
    def _strip_name(cls, value: str) -> str:
        return value.strip()
    @field_validator("symbol")
    @classmethod
    def _strip_symbol(cls, value: Optional[str]) -> Optional[str]:
        return cls._normalize_symbol(value)
 class CurrencyCreate(CurrencyBase):
    code: str = Field(..., min_length=3, max_length=3)
    is_active: bool = True
    @field_validator("code")
    @classmethod
    def _normalize_code(cls, value: str) -> str:
        return value.strip().upper()
 class CurrencyUpdate(CurrencyBase):
    is_active: Optional[bool] = None
 class CurrencyActivation(BaseModel):
    is_active: bool
 class CurrencyRead(CurrencyBase):
    id: int
    code: str
    is_active: bool
    model_config = ConfigDict(from_attributes=True)
 def _ensure_default_currency(db: Session) -> Currency:
    existing = (
        db.query(Currency)
        .filter(Currency.code == DEFAULT_CURRENCY_CODE)
        .one_or_none()
    )
    if existing:
        return existing
    default_currency = Currency(
        code=DEFAULT_CURRENCY_CODE,
        name=DEFAULT_CURRENCY_NAME,
        symbol=DEFAULT_CURRENCY_SYMBOL,
        is_active=True,
    )
    db.add(default_currency)
    try:
        db.commit()
    except IntegrityError:
        db.rollback()
        existing = (
            db.query(Currency)
            .filter(Currency.code == DEFAULT_CURRENCY_CODE)
            .one()
        )
        return existing
    db.refresh(default_currency)
    return default_currency
 def _get_currency_or_404(db: Session, code: str) -> Currency:
    normalized = code.strip().upper()
    currency = (
        db.query(Currency)
        .filter(Currency.code == normalized)
        .one_or_none()
    )
    if currency is None:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="Currency not found")
    return currency
@router.get("/", response_model=List[CurrencyRead])
 def list_currencies(
    include_inactive: bool = Query(
        False, description="Include inactive currencies"),
    db: Session = Depends(get_db),
 ):
    _ensure_default_currency(db)
    query = db.query(Currency)
    if not include_inactive:
        query = query.filter(Currency.is_active.is_(True))
    currencies = query.order_by(Currency.code).all()
    return currencies
@router.post("/", response_model=CurrencyRead, status_code=status.HTTP_201_CREATED)
 def create_currency(payload: CurrencyCreate, db: Session = Depends(get_db)):
    code = payload.code
    existing = (
        db.query(Currency)
        .filter(Currency.code == code)
        .one_or_none()
    )
    if existing is not None:
        raise HTTPException(
            status_code=status.HTTP_409_CONFLICT,
            detail=f"Currency '{code}' already exists",
        )
    currency = Currency(
        code=code,
        name=payload.name,
        symbol=CurrencyBase._normalize_symbol(payload.symbol),
        is_active=payload.is_active,
    )
    db.add(currency)
    db.commit()
    db.refresh(currency)
    return currency
@router.put("/{code}", response_model=CurrencyRead)
 def update_currency(code: str, payload: CurrencyUpdate, db: Session = Depends(get_db)):
    currency = _get_currency_or_404(db, code)
    if payload.name is not None:
        setattr(currency, "name", payload.name)
    if payload.symbol is not None or payload.symbol == "":
        setattr(
            currency,
            "symbol",
            CurrencyBase._normalize_symbol(payload.symbol),
        )
    if payload.is_active is not None:
        code_value = getattr(currency, "code")
        if code_value == DEFAULT_CURRENCY_CODE and payload.is_active is False:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="The default currency cannot be deactivated.",
            )
        setattr(currency, "is_active", payload.is_active)
    db.add(currency)
    db.commit()
    db.refresh(currency)
    return currency
@router.patch("/{code}/activation", response_model=CurrencyRead)
 def toggle_currency_activation(code: str, body: CurrencyActivation, db: Session = Depends(get_db)):
    currency = _get_currency_or_404(db, code)
    code_value = getattr(currency, "code")
    if code_value == DEFAULT_CURRENCY_CODE and body.is_active is False:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="The default currency cannot be deactivated.",
        )
    setattr(currency, "is_active", body.is_active)
    db.add(currency)
    db.commit()
    db.refresh(currency)
    return currency
--- a/Show More
+++ b/Show More