calminer/changelog.md

Changelog

2025-11-09

• Captured current implementation status, requirements coverage, missing features, and prioritized roadmap in calminer-docs/implementation_status.md to guide future development.
• Added core SQLAlchemy domain models, shared metadata descriptors, and Alembic migration setup (with initial schema snapshot) to establish the persistence layer foundation.
• Introduced repository and unit-of-work helpers for projects, scenarios, financial inputs, and simulation parameters to support service-layer operations.
• Added SQLite-backed pytest coverage for repository and unit-of-work behaviours to validate persistence interactions.
• Exposed project and scenario CRUD APIs with validated schemas and integrated them into the FastAPI application.
• Connected project and scenario routers to new Jinja2 list/detail/edit views with HTML forms and redirects.
• Implemented FR-009 client-side enhancements with responsive navigation toggle, mobile-first scenario tables, and shared asset loading across templates.
• Added scenario comparison validator, FastAPI comparison endpoint, and comprehensive unit tests to enforce FR-009 validation rules through API errors.
• Delivered a new dashboard experience with templates/dashboard.html, dedicated styling, and a FastAPI route supplying real project/scenario metrics via repository helpers.
• Extended repositories with count/recency utilities and added pytest coverage, including a dashboard rendering smoke test validating empty-state messaging.
• Brought project and scenario detail pages plus their forms in line with the dashboard visuals, adding metric cards, layout grids, and refreshed CTA styles.
• Reordered project route registration to prioritize static UI paths, eliminating 422 errors on /projects/ui and /projects/create, and added pytest smoke coverage for the navigation endpoints.
• Added end-to-end integration tests for project and scenario lifecycles, validating HTML redirects, template rendering, and API interactions, and updated ProjectRepository.get to deduplicate joined loads for detail views.
• Updated all Jinja2 template responses to the new Starlette signature to eliminate deprecation warnings while keeping request-aware context available to the templates.
• Introduced services/security.py to centralize Argon2 password hashing utilities and JWT creation/verification with typed payloads, and added pytest coverage for hashing, expiry, tampering, and token type mismatch scenarios.
• Added routes/auth.py with registration, login, and password reset flows, refreshed auth templates with error messaging, wired navigation links, and introduced end-to-end pytest coverage for the new forms and token flows.
• Implemented cookie-based authentication session middleware with automatic access token refresh, logout handling, navigation adjustments, and documentation/test updates capturing the new behaviour.
• Delivered idempotent seeding utilities with scripts/initial_data.py, entry-point runner scripts/00_initial_data.py, documentation updates, and pytest coverage to verify role/admin provisioning.
• Secured project and scenario routers with RBAC guard dependencies, enforced repository access checks via helper utilities, and aligned template routes with FastAPI dependency injection patterns.

2025-11-10

• Extended authorization helper layer with project/scenario ownership lookups, integrated them into FastAPI dependencies, refreshed pytest fixtures to keep the suite authenticated, and documented the new patterns across RBAC plan and security guides.
• Added dedicated pytest coverage for guard dependencies, exercising success plus failure paths (missing session, inactive user, missing roles, project/scenario access errors) via tests/test_dependencies_guards.py.
• Added integration tests in tests/test_authorization_integration.py verifying anonymous 401 responses, role-based 403s, and authorized project manager flows across API and UI endpoints.
• Implemented environment-driven admin bootstrap settings, wired the bootstrap_admin helper into FastAPI startup, added pytest coverage for creation/idempotency/reset logic, and documented operational guidance in the RBAC plan and security concept.
• Retired the legacy authentication RBAC implementation plan document after migrating its guidance into live documentation and synchronized the contributor instructions to reflect the removal.