Merge branch 'dev' into docker

Add start script for backend server initialization and update .gitignore
2026-01-06 12:31:29 -06:00 · 2026-01-06 12:30:26 -06:00 · 2026-01-05 13:01:16 -06:00 · 2026-01-05 12:58:22 -06:00 · 2025-12-26 17:33:40 -06:00 · 2025-12-26 16:50:21 -06:00
31 changed files with 168 additions and 1731 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,83 +0,0 @@
 # Git
 .git
 .gitignore
 # Python
 __pycache__
 *.py[cod]
 *$py.class
 *.so
 .Python
 build/
 develop-eggs/
 dist/
 downloads/
 eggs/
 .eggs/
 lib/
 lib64/
 parts/
 sdist/
 var/
 wheels/
 *.egg-info/
 .installed.cfg
 *.egg
 # Virtual environments
 venv/
 ENV/
 env/
 .venv/
 # IDE
 .idea/
 .vscode/
 *.swp
 *.swo
 *~
 # Testing
 .pytest_cache/
 .coverage
 htmlcov/
 .tox/
 .nox/
 # Environment files (will be mounted or passed via env vars)
 .env
 .env.local
 .env.*.local
 *.env
 # Logs
 *.log
 logs/
 # Database
 *.db
 *.sqlite3
 # Alembic
 alembic/versions/__pycache__/
 # Docker
 Dockerfile
 docker-compose*.yml
 .docker/
 # Documentation
 *.md
 docs/
 # Temporary files
 tmp/
 temp/
 *.tmp
 # OS files
 .DS_Store
 Thumbs.db
 # Uploads (will be mounted as volume)
 uploads/
--- a/.env.example
+++ b/.env.example
@@ -6,10 +6,6 @@ JWT_SECRET=your-secret-key-change-this-in-production
 JWT_ALGORITHM=HS256
 ACCESS_TOKEN_EXPIRE_MINUTES=30
 # Settings Encryption (for database-stored sensitive settings)
 # Generate with: python -c "import secrets; print(secrets.token_urlsafe(64))"
 SETTINGS_ENCRYPTION_KEY=your-encryption-key-generate-with-command-above
 # SMTP Email Configuration (Port 465 - SSL/TLS)
 SMTP_HOST=p.konceptkit.com
 SMTP_PORT=465
@@ -32,14 +28,7 @@ SMTP_FROM_NAME=LOAF Membership
 # Frontend URL
 FRONTEND_URL=http://localhost:3000
-# Backend URL (for webhook URLs and API references)
+# Stripe Configuration (for future payment integration)
 # Used to construct Stripe webhook URL shown in Admin Settings
 BACKEND_URL=http://localhost:8000
 # Stripe Configuration (NOW DATABASE-DRIVEN via Admin Settings page)
 # Configure Stripe credentials through the Admin Settings UI (requires SETTINGS_ENCRYPTION_KEY)
 # No longer requires .env variables - managed through database for dynamic updates
 # Legacy .env variables below are deprecated:
 # STRIPE_SECRET_KEY=sk_test_...
 # STRIPE_WEBHOOK_SECRET=whsec_...
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 .env
 .venv
 # ============================================================================
 # Python Backend .gitignore
 # For FastAPI + PostgreSQL + Cloudflare R2 + Stripe
@@ -8,6 +10,7 @@
 .env.*
 !.env.example
 .envrc
 .sh
 # ===== Python =====
 # Byte-compiled / optimized / DLL files
@@ -245,9 +248,6 @@ temp_uploads/
 tmp/
 temporary/
 # Generated SQL files (from scripts)
 create_superadmin.sql
 # CSV imports
 imports/*.csv
 !imports/.gitkeep
--- a/42
+++ b/42
@@ -1,40 +1,20 @@
-# Backend Dockerfile - FastAPI with Python
+# Use an official Python image (Linux)
-FROM python:3.11-slim
+FROM python:3.12-slim
-# Set environment variables
+# Set a working directory
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONPATH=/app
 # Set work directory
 WORKDIR /app
-# Install system dependencies
+# Copy dependency list
 RUN apt-get update && apt-get install -y \
    gcc \
    libpq-dev \
    curl \
    && rm -rf /var/lib/apt/lists/*
 # Install Python dependencies
 COPY requirements.txt .
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt
-# Copy application code
+# Install dependencies
 RUN pip3 install --no-cache-dir -r requirements.txt
 # Copy the rest of the project
 COPY . .
-# Create non-root user for security
+# Expose port (whatever your backend runs on)
 RUN adduser --disabled-password --gecos '' appuser && \
    chown -R appuser:appuser /app
 USER appuser
 # Expose port
 EXPOSE 8000
-# Health check
+# Run exactly your command
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+CMD ["python", "-m", "uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]
    CMD curl -f http://localhost:8000/health || exit 1
 # Run the application
 CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8000"]
--- a/pycache/auth.cpython-310.pyc
+++ b/pycache/auth.cpython-310.pyc
--- a/pycache/calendar_service.cpython-310.pyc
+++ b/pycache/calendar_service.cpython-310.pyc
--- a/pycache/database.cpython-310.pyc
+++ b/pycache/database.cpython-310.pyc
--- a/pycache/database.cpython-312.pyc
+++ b/pycache/database.cpython-312.pyc
--- a/pycache/email_service.cpython-310.pyc
+++ b/pycache/email_service.cpython-310.pyc
--- a/pycache/models.cpython-310.pyc
+++ b/pycache/models.cpython-310.pyc
--- a/pycache/models.cpython-312.pyc
+++ b/pycache/models.cpython-312.pyc
--- a/pycache/payment_service.cpython-310.pyc
+++ b/pycache/payment_service.cpython-310.pyc
--- a/pycache/payment_service.cpython-312.pyc
+++ b/pycache/payment_service.cpython-312.pyc
--- a/pycache/r2_storage.cpython-310.pyc
+++ b/pycache/r2_storage.cpython-310.pyc
--- a/pycache/server.cpython-310.pyc
+++ b/pycache/server.cpython-310.pyc
--- a/pycache/server.cpython-312.pyc
+++ b/pycache/server.cpython-312.pyc
--- a/pycache/wordpress_parser.cpython-310.pyc
+++ b/pycache/wordpress_parser.cpython-310.pyc
--- a/alembic/versions/4fa11836f7fd_add_role_audit_fields.py
+++ b/alembic/versions/4fa11836f7fd_add_role_audit_fields.py
@@ -1,48 +0,0 @@
 """add_role_audit_fields
 Revision ID: 4fa11836f7fd
 Revises: 013_sync_permissions
 Create Date: 2026-01-16 17:21:40.514605
 """
 from typing import Sequence, Union
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.dialects.postgresql import UUID
 # revision identifiers, used by Alembic.
 revision: str = '4fa11836f7fd'
 down_revision: Union[str, None] = '013_sync_permissions'
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
 def upgrade() -> None:
    # Add role audit trail columns
    op.add_column('users', sa.Column('role_changed_at', sa.DateTime(timezone=True), nullable=True))
    op.add_column('users', sa.Column('role_changed_by', UUID(as_uuid=True), nullable=True))
    # Create foreign key constraint to track who changed the role
    op.create_foreign_key(
        'fk_users_role_changed_by',
        'users', 'users',
        ['role_changed_by'], ['id'],
        ondelete='SET NULL'
    )
    # Create index for efficient querying by role change date
    op.create_index('idx_users_role_changed_at', 'users', ['role_changed_at'])
 def downgrade() -> None:
    # Drop index first
    op.drop_index('idx_users_role_changed_at')
    # Drop foreign key constraint
    op.drop_constraint('fk_users_role_changed_by', 'users', type_='foreignkey')
    # Drop columns
    op.drop_column('users', 'role_changed_by')
    op.drop_column('users', 'role_changed_at')
--- a/alembic/versions/956ea1628264_add_stripe_transaction_metadata.py
+++ b/alembic/versions/956ea1628264_add_stripe_transaction_metadata.py
@@ -1,76 +0,0 @@
 """add_stripe_transaction_metadata
 Revision ID: 956ea1628264
 Revises: ec4cb4a49cde
 Create Date: 2026-01-20 22:00:01.806931
 """
 from typing import Sequence, Union
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision: str = '956ea1628264'
 down_revision: Union[str, None] = 'ec4cb4a49cde'
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
 def upgrade() -> None:
    # Add Stripe transaction metadata to subscriptions table
    op.add_column('subscriptions', sa.Column('stripe_payment_intent_id', sa.String(), nullable=True))
    op.add_column('subscriptions', sa.Column('stripe_charge_id', sa.String(), nullable=True))
    op.add_column('subscriptions', sa.Column('stripe_invoice_id', sa.String(), nullable=True))
    op.add_column('subscriptions', sa.Column('payment_completed_at', sa.DateTime(timezone=True), nullable=True))
    op.add_column('subscriptions', sa.Column('card_last4', sa.String(4), nullable=True))
    op.add_column('subscriptions', sa.Column('card_brand', sa.String(20), nullable=True))
    op.add_column('subscriptions', sa.Column('stripe_receipt_url', sa.String(), nullable=True))
    # Add indexes for Stripe transaction IDs in subscriptions
    op.create_index('idx_subscriptions_payment_intent', 'subscriptions', ['stripe_payment_intent_id'])
    op.create_index('idx_subscriptions_charge_id', 'subscriptions', ['stripe_charge_id'])
    op.create_index('idx_subscriptions_invoice_id', 'subscriptions', ['stripe_invoice_id'])
    # Add Stripe transaction metadata to donations table
    op.add_column('donations', sa.Column('stripe_charge_id', sa.String(), nullable=True))
    op.add_column('donations', sa.Column('stripe_customer_id', sa.String(), nullable=True))
    op.add_column('donations', sa.Column('payment_completed_at', sa.DateTime(timezone=True), nullable=True))
    op.add_column('donations', sa.Column('card_last4', sa.String(4), nullable=True))
    op.add_column('donations', sa.Column('card_brand', sa.String(20), nullable=True))
    op.add_column('donations', sa.Column('stripe_receipt_url', sa.String(), nullable=True))
    # Add indexes for Stripe transaction IDs in donations
    op.create_index('idx_donations_payment_intent', 'donations', ['stripe_payment_intent_id'])
    op.create_index('idx_donations_charge_id', 'donations', ['stripe_charge_id'])
    op.create_index('idx_donations_customer_id', 'donations', ['stripe_customer_id'])
 def downgrade() -> None:
    # Remove indexes from donations
    op.drop_index('idx_donations_customer_id', table_name='donations')
    op.drop_index('idx_donations_charge_id', table_name='donations')
    op.drop_index('idx_donations_payment_intent', table_name='donations')
    # Remove columns from donations
    op.drop_column('donations', 'stripe_receipt_url')
    op.drop_column('donations', 'card_brand')
    op.drop_column('donations', 'card_last4')
    op.drop_column('donations', 'payment_completed_at')
    op.drop_column('donations', 'stripe_customer_id')
    op.drop_column('donations', 'stripe_charge_id')
    # Remove indexes from subscriptions
    op.drop_index('idx_subscriptions_invoice_id', table_name='subscriptions')
    op.drop_index('idx_subscriptions_charge_id', table_name='subscriptions')
    op.drop_index('idx_subscriptions_payment_intent', table_name='subscriptions')
    # Remove columns from subscriptions
    op.drop_column('subscriptions', 'stripe_receipt_url')
    op.drop_column('subscriptions', 'card_brand')
    op.drop_column('subscriptions', 'card_last4')
    op.drop_column('subscriptions', 'payment_completed_at')
    op.drop_column('subscriptions', 'stripe_invoice_id')
    op.drop_column('subscriptions', 'stripe_charge_id')
    op.drop_column('subscriptions', 'stripe_payment_intent_id')
--- a/alembic/versions/ec4cb4a49cde_add_system_settings_table.py
+++ b/alembic/versions/ec4cb4a49cde_add_system_settings_table.py
@@ -1,68 +0,0 @@
 """add_system_settings_table
 Revision ID: ec4cb4a49cde
 Revises: 4fa11836f7fd
 Create Date: 2026-01-16 18:16:00.283455
 """
 from typing import Sequence, Union
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.dialects.postgresql import UUID
 # revision identifiers, used by Alembic.
 revision: str = 'ec4cb4a49cde'
 down_revision: Union[str, None] = '4fa11836f7fd'
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
 def upgrade() -> None:
    # Create enum for setting types (only if not exists)
    op.execute("""
        DO $$ BEGIN
            CREATE TYPE settingtype AS ENUM ('plaintext', 'encrypted', 'json');
        EXCEPTION
            WHEN duplicate_object THEN null;
        END $$;
    """)
    # Create system_settings table
    op.execute("""
        CREATE TABLE system_settings (
            id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
            setting_key VARCHAR(100) UNIQUE NOT NULL,
            setting_value TEXT,
            setting_type settingtype NOT NULL DEFAULT 'plaintext'::settingtype,
            description TEXT,
            updated_by UUID REFERENCES users(id) ON DELETE SET NULL,
            created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
            updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
            is_sensitive BOOLEAN NOT NULL DEFAULT FALSE
        );
        COMMENT ON COLUMN system_settings.setting_key IS 'Unique setting identifier (e.g., stripe_secret_key)';
        COMMENT ON COLUMN system_settings.setting_value IS 'Setting value (encrypted if setting_type is encrypted)';
        COMMENT ON COLUMN system_settings.setting_type IS 'Type of setting: plaintext, encrypted, or json';
        COMMENT ON COLUMN system_settings.description IS 'Human-readable description of the setting';
        COMMENT ON COLUMN system_settings.updated_by IS 'User who last updated this setting';
        COMMENT ON COLUMN system_settings.is_sensitive IS 'Whether this setting contains sensitive data';
    """)
    # Create indexes
    op.create_index('idx_system_settings_key', 'system_settings', ['setting_key'])
    op.create_index('idx_system_settings_updated_at', 'system_settings', ['updated_at'])
 def downgrade() -> None:
    # Drop indexes
    op.drop_index('idx_system_settings_updated_at')
    op.drop_index('idx_system_settings_key')
    # Drop table
    op.drop_table('system_settings')
    # Drop enum
    op.execute('DROP TYPE IF EXISTS settingtype')
--- a/create_superadmin.py
+++ b/create_superadmin.py
@@ -1,15 +1,38 @@
 #!/usr/bin/env python3
 """
 Create Superadmin User Script
-Directly creates a superadmin user in the database for LOAF membership platform
+Generates a superadmin user with hashed password for LOAF membership platform
 """
 import bcrypt
 import sys
 import os
 from getpass import getpass
-# Add the backend directory to path for imports
+def generate_password_hash(password: str) -> str:
-sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+    """Generate bcrypt hash for password"""
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
 def generate_sql(email: str, password_hash: str, first_name: str, last_name: str) -> str:
    """Generate SQL INSERT statement"""
    return f"""
 -- Create Superadmin User
 INSERT INTO users (
    id, email, password_hash, first_name, last_name,
    status, role, email_verified, created_at, updated_at
 ) VALUES (
    gen_random_uuid(),
    '{email}',
    '{password_hash}',
    '{first_name}',
    '{last_name}',
    'active',
    'superadmin',
    true,
    NOW(),
    NOW()
 );
 """
 def main():
    print("=" * 70)
@@ -17,15 +40,6 @@ def main():
    print("=" * 70)
    print()
    # Check for DATABASE_URL
    from dotenv import load_dotenv
    load_dotenv()
    database_url = os.getenv("DATABASE_URL")
    if not database_url:
        print("❌ DATABASE_URL not found in environment or .env file")
        sys.exit(1)
    # Get user input
    email = input("Email address: ").strip()
    if not email or '@' not in email:
@@ -54,89 +68,31 @@ def main():
        sys.exit(1)
    print()
-    print("Creating superadmin user...")
+    print("Generating password hash...")
    password_hash = generate_password_hash(password)
-    try:
+    print("✅ Password hash generated")
-        # Import database dependencies
+    print()
-        from sqlalchemy import create_engine, text
+    print("=" * 70)
-        from passlib.context import CryptContext
+    print("SQL STATEMENT")
    print("=" * 70)
-        # Create password hash
+    sql = generate_sql(email, password_hash, first_name, last_name)
-        pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+    print(sql)
        password_hash = pwd_context.hash(password)
-        # Connect to database
+    # Save to file
-        engine = create_engine(database_url)
+    output_file = "create_superadmin.sql"
    with open(output_file, 'w') as f:
        f.write(sql)
-        with engine.connect() as conn:
+    print("=" * 70)
-            # Check if user already exists
+    print(f"✅ SQL saved to: {output_file}")
-            result = conn.execute(
+    print()
-                text("SELECT id FROM users WHERE email = :email"),
+    print("Run this command to create the user:")
-                {"email": email}
+    print(f"  psql -U postgres -d loaf_new -f {output_file}")
-            )
+    print()
-            if result.fetchone():
+    print("Or copy the SQL above and run it directly in psql")
-                print(f"❌ User with email '{email}' already exists")
+    print("=" * 70)
                sys.exit(1)
            # Insert superadmin user
            conn.execute(
                text("""
                    INSERT INTO users (
                        id, email, password_hash, first_name, last_name,
                        phone, address, city, state, zipcode, date_of_birth,
                        status, role, email_verified,
                        newsletter_subscribed, accepts_tos,
                        created_at, updated_at
                    ) VALUES (
                        gen_random_uuid(),
                        :email,
                        :password_hash,
                        :first_name,
                        :last_name,
                        '',
                        '',
                        '',
                        '',
                        '',
                        '1990-01-01',
                        'active',
                        'superadmin',
                        true,
                        false,
                        true,
                        NOW(),
                        NOW()
                    )
                """),
                {
                    "email": email,
                    "password_hash": password_hash,
                    "first_name": first_name,
                    "last_name": last_name
                }
            )
            conn.commit()
        print()
        print("=" * 70)
        print("✅ Superadmin user created successfully!")
        print("=" * 70)
        print()
        print(f"  Email:      {email}")
        print(f"  Name:       {first_name} {last_name}")
        print(f"  Role:       superadmin")
        print(f"  Status:     active")
        print()
        print("You can now log in with these credentials.")
        print("=" * 70)
    except ImportError as e:
        print(f"❌ Missing dependency: {e}")
        print("   Run: pip install sqlalchemy psycopg2-binary passlib python-dotenv")
        sys.exit(1)
    except Exception as e:
        print(f"❌ Database error: {e}")
        sys.exit(1)
 if __name__ == "__main__":
    try:
@@ -144,3 +100,6 @@ if __name__ == "__main__":
    except KeyboardInterrupt:
        print("\n\n❌ Cancelled by user")
        sys.exit(1)
    except Exception as e:
        print(f"\n❌ Error: {e}")
        sys.exit(1)
--- a/database.py
+++ b/database.py
@@ -1,7 +1,6 @@
 from sqlalchemy import create_engine
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import sessionmaker
 from sqlalchemy.pool import QueuePool
 import os
 from dotenv import load_dotenv
 from pathlib import Path
@@ -11,21 +10,7 @@ load_dotenv(ROOT_DIR / '.env')
 DATABASE_URL = os.environ.get('DATABASE_URL', 'postgresql://user:password@localhost:5432/membership_db')
-# Configure engine with connection pooling and connection health checks
+engine = create_engine(DATABASE_URL)
 engine = create_engine(
    DATABASE_URL,
    poolclass=QueuePool,
    pool_size=5,              # Keep 5 connections open
    max_overflow=10,          # Allow up to 10 extra connections during peak
    pool_pre_ping=True,       # CRITICAL: Test connections before using them
    pool_recycle=3600,        # Recycle connections every hour (prevents stale connections)
    echo=False,               # Set to True for SQL debugging
    connect_args={
        'connect_timeout': 10,  # Timeout connection attempts after 10 seconds
        'options': '-c statement_timeout=30000'  # 30 second query timeout
    }
 )
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 Base = declarative_base()
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,14 @@
 services:
  backend:
    build:
      context: .
      dockerfile: Dockerfile # Use Dockerfile.prod for production
    ports:
      - "8000:8000"
    env_file:
      - .env
    environment:
      DATABASE_URL: ${DATABASE_URL}
    volumes:
      - .:/app # sync code for hot reload
--- a/encryption_service.py
+++ b/encryption_service.py
@@ -1,122 +0,0 @@
 """
 Encryption service for sensitive settings stored in database.
 Uses Fernet symmetric encryption (AES-128 in CBC mode with HMAC authentication).
 The encryption key is derived from a master secret stored in .env.
 """
 import os
 import base64
 from cryptography.fernet import Fernet
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.backends import default_backend
 class EncryptionService:
    """Service for encrypting and decrypting sensitive configuration values"""
    def __init__(self):
        # Get master encryption key from environment
        # This should be a long, random string (e.g., 64 characters)
        # Generate one with: python -c "import secrets; print(secrets.token_urlsafe(64))"
        self.master_secret = os.environ.get('SETTINGS_ENCRYPTION_KEY')
        if not self.master_secret:
            raise ValueError(
                "SETTINGS_ENCRYPTION_KEY environment variable not set. "
                "Generate one with: python -c \"import secrets; print(secrets.token_urlsafe(64))\""
            )
        # Derive encryption key from master secret using PBKDF2HMAC
        # This adds an extra layer of security
        kdf = PBKDF2HMAC(
            algorithm=hashes.SHA256(),
            length=32,
            salt=b'systemsettings',  # Fixed salt (OK for key derivation from strong secret)
            iterations=100000,
            backend=default_backend()
        )
        key = base64.urlsafe_b64encode(kdf.derive(self.master_secret.encode()))
        self.cipher = Fernet(key)
    def encrypt(self, plaintext: str) -> str:
        """
        Encrypt a plaintext string.
        Args:
            plaintext: The string to encrypt
        Returns:
            Base64-encoded encrypted string
        """
        if not plaintext:
            return ""
        encrypted_bytes = self.cipher.encrypt(plaintext.encode())
        return encrypted_bytes.decode('utf-8')
    def decrypt(self, encrypted: str) -> str:
        """
        Decrypt an encrypted string.
        Args:
            encrypted: The base64-encoded encrypted string
        Returns:
            Decrypted plaintext string
        Raises:
            cryptography.fernet.InvalidToken: If decryption fails (wrong key or corrupted data)
        """
        if not encrypted:
            return ""
        decrypted_bytes = self.cipher.decrypt(encrypted.encode())
        return decrypted_bytes.decode('utf-8')
    def is_encrypted(self, value: str) -> bool:
        """
        Check if a value appears to be encrypted (starts with Fernet token format).
        This is a heuristic check - not 100% reliable but useful for validation.
        Args:
            value: String to check
        Returns:
            True if value looks like a Fernet token
        """
        if not value:
            return False
        # Fernet tokens are base64-encoded and start with version byte (gAAAAA...)
        # They're always > 60 characters
        try:
            return len(value) > 60 and value.startswith('gAAAAA')
        except:
            return False
 # Global encryption service instance
 # Initialize on module import so it fails fast if encryption key is missing
 try:
    encryption_service = EncryptionService()
 except ValueError as e:
    print(f"WARNING: {e}")
    print("Encryption service will not be available.")
    encryption_service = None
 def get_encryption_service() -> EncryptionService:
    """
    Get the global encryption service instance.
    Raises:
        ValueError: If encryption service is not initialized (missing SETTINGS_ENCRYPTION_KEY)
    """
    if encryption_service is None:
        raise ValueError(
            "Encryption service not initialized. Set SETTINGS_ENCRYPTION_KEY environment variable."
        )
    return encryption_service
--- a/migrations/000_initial_schema.sql
+++ b/migrations/000_initial_schema.sql
@@ -94,30 +94,6 @@ BEGIN;
 -- SECTION 2: Create Core Tables
 -- ============================================================================
 -- Import Jobs table (must be created before users due to FK reference)
 CREATE TABLE IF NOT EXISTS import_jobs (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    filename VARCHAR NOT NULL,
    status importjobstatus NOT NULL DEFAULT 'processing',
    total_rows INTEGER DEFAULT 0,
    processed_rows INTEGER DEFAULT 0,
    success_count INTEGER DEFAULT 0,
    error_count INTEGER DEFAULT 0,
    error_log JSONB DEFAULT '[]'::jsonb,
    -- WordPress import enhancements
    field_mapping JSONB DEFAULT '{}'::jsonb,
    wordpress_metadata JSONB DEFAULT '{}'::jsonb,
    imported_user_ids JSONB DEFAULT '[]'::jsonb,
    rollback_at TIMESTAMP WITH TIME ZONE,
    rollback_by UUID,  -- Will be updated with FK after users table exists
    started_by UUID,  -- Will be updated with FK after users table exists
    started_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
    completed_at TIMESTAMP WITH TIME ZONE
 );
 -- Users table
 CREATE TABLE IF NOT EXISTS users (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -127,7 +103,6 @@ CREATE TABLE IF NOT EXISTS users (
    password_hash VARCHAR NOT NULL,
    email_verified BOOLEAN NOT NULL DEFAULT FALSE,
    email_verification_token VARCHAR UNIQUE,
    email_verification_expires TIMESTAMP WITH TIME ZONE,
    -- Personal Information
    first_name VARCHAR NOT NULL,
@@ -138,6 +113,7 @@ CREATE TABLE IF NOT EXISTS users (
    state VARCHAR(2),
    zipcode VARCHAR(10),
    date_of_birth DATE,
    bio TEXT,
    -- Profile
    profile_photo_url VARCHAR,
@@ -161,44 +137,20 @@ CREATE TABLE IF NOT EXISTS users (
    -- Status & Role
    status userstatus NOT NULL DEFAULT 'pending_email',
    role userrole NOT NULL DEFAULT 'guest',
-    role_id UUID,  -- For dynamic RBAC
+    role_id UUID,  -- For dynamic RBAC (added in later migration)
-    -- Newsletter Preferences
+    -- Rejection Tracking
-    newsletter_subscribed BOOLEAN DEFAULT TRUE,
+    rejection_reason TEXT,
-    newsletter_publish_name BOOLEAN DEFAULT FALSE NOT NULL,
+    rejected_at TIMESTAMP WITH TIME ZONE,
-    newsletter_publish_photo BOOLEAN DEFAULT FALSE NOT NULL,
+    rejected_by UUID REFERENCES users(id),
    newsletter_publish_birthday BOOLEAN DEFAULT FALSE NOT NULL,
    newsletter_publish_none BOOLEAN DEFAULT FALSE NOT NULL,
    -- Volunteer Interests
    volunteer_interests JSONB DEFAULT '[]'::jsonb,
    -- Scholarship Request
    scholarship_requested BOOLEAN DEFAULT FALSE NOT NULL,
    scholarship_reason TEXT,
    -- Directory Settings
    show_in_directory BOOLEAN DEFAULT FALSE NOT NULL,
    directory_email VARCHAR,
    directory_bio TEXT,
    directory_address VARCHAR,
    directory_phone VARCHAR,
    directory_dob DATE,
    directory_partner_name VARCHAR,
    -- Password Reset
    password_reset_token VARCHAR,
    password_reset_expires TIMESTAMP WITH TIME ZONE,
    force_password_change BOOLEAN DEFAULT FALSE NOT NULL,
    -- Terms of Service
    accepts_tos BOOLEAN DEFAULT FALSE NOT NULL,
    tos_accepted_at TIMESTAMP WITH TIME ZONE,
    -- Membership
    member_since DATE,
    accepts_tos BOOLEAN DEFAULT FALSE,
    tos_accepted_at TIMESTAMP WITH TIME ZONE,
    newsletter_subscribed BOOLEAN DEFAULT TRUE,
-    -- Reminder Tracking
+    -- Reminder Tracking (from migration 004)
    email_verification_reminders_sent INTEGER DEFAULT 0 NOT NULL,
    last_email_verification_reminder_at TIMESTAMP WITH TIME ZONE,
    event_attendance_reminders_sent INTEGER DEFAULT 0 NOT NULL,
@@ -208,21 +160,12 @@ CREATE TABLE IF NOT EXISTS users (
    renewal_reminders_sent INTEGER DEFAULT 0 NOT NULL,
    last_renewal_reminder_at TIMESTAMP WITH TIME ZONE,
    -- Rejection Tracking
    rejection_reason TEXT,
    rejected_at TIMESTAMP WITH TIME ZONE,
    rejected_by UUID REFERENCES users(id),
    -- WordPress Import Tracking
    import_source VARCHAR(50),
    import_job_id UUID REFERENCES import_jobs(id),
    wordpress_user_id BIGINT,
    wordpress_registered_date TIMESTAMP WITH TIME ZONE,
    -- Role Change Audit Trail
    role_changed_at TIMESTAMP WITH TIME ZONE,
    role_changed_by UUID REFERENCES users(id) ON DELETE SET NULL,
    -- Timestamps
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
@@ -312,23 +255,11 @@ CREATE TABLE IF NOT EXISTS subscription_plans (
    name VARCHAR NOT NULL,
    description TEXT,
    price_cents INTEGER NOT NULL,
-    billing_cycle VARCHAR NOT NULL DEFAULT 'yearly',
+    billing_cycle VARCHAR NOT NULL DEFAULT 'annual',
    stripe_price_id VARCHAR,  -- Legacy, deprecated
    -- Configuration
    active BOOLEAN NOT NULL DEFAULT TRUE,
-
+    features JSONB DEFAULT '[]'::jsonb,
    -- Custom billing cycle fields (for recurring date ranges like Jan 1 - Dec 31)
    custom_cycle_enabled BOOLEAN DEFAULT FALSE NOT NULL,
    custom_cycle_start_month INTEGER,
    custom_cycle_start_day INTEGER,
    custom_cycle_end_month INTEGER,
    custom_cycle_end_day INTEGER,
    -- Dynamic pricing fields
    minimum_price_cents INTEGER DEFAULT 3000 NOT NULL,
    suggested_price_cents INTEGER,
    allow_donation BOOLEAN DEFAULT TRUE NOT NULL,
    -- Timestamps
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
@@ -350,21 +281,13 @@ CREATE TABLE IF NOT EXISTS subscriptions (
    status subscriptionstatus DEFAULT 'active',
    start_date TIMESTAMP WITH TIME ZONE NOT NULL,
    end_date TIMESTAMP WITH TIME ZONE,
    next_billing_date TIMESTAMP WITH TIME ZONE,
    -- Payment Details
    amount_paid_cents INTEGER,
    base_subscription_cents INTEGER NOT NULL,
    donation_cents INTEGER DEFAULT 0 NOT NULL,
    -- Stripe transaction metadata (for validation and audit)
    stripe_payment_intent_id VARCHAR,
    stripe_charge_id VARCHAR,
    stripe_invoice_id VARCHAR,
    payment_completed_at TIMESTAMP WITH TIME ZONE,
    card_last4 VARCHAR(4),
    card_brand VARCHAR(20),
    stripe_receipt_url VARCHAR,
    -- Manual Payment Support
    manual_payment BOOLEAN DEFAULT FALSE NOT NULL,
    manual_payment_notes TEXT,
@@ -396,14 +319,6 @@ CREATE TABLE IF NOT EXISTS donations (
    stripe_payment_intent_id VARCHAR,
    payment_method VARCHAR,
    -- Stripe transaction metadata (for validation and audit)
    stripe_charge_id VARCHAR,
    stripe_customer_id VARCHAR,
    payment_completed_at TIMESTAMP WITH TIME ZONE,
    card_last4 VARCHAR(4),
    card_brand VARCHAR(20),
    stripe_receipt_url VARCHAR,
    -- Metadata
    notes TEXT,
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
@@ -551,10 +466,29 @@ CREATE TABLE IF NOT EXISTS user_invitations (
    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
 );
-- Add FK constraints to import_jobs (now that users table exists)
+-- Import Jobs table
-ALTER TABLE import_jobs
+CREATE TABLE IF NOT EXISTS import_jobs (
-    ADD CONSTRAINT fk_import_jobs_rollback_by FOREIGN KEY (rollback_by) REFERENCES users(id),
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    ADD CONSTRAINT fk_import_jobs_started_by FOREIGN KEY (started_by) REFERENCES users(id);
+
    filename VARCHAR NOT NULL,
    status importjobstatus NOT NULL DEFAULT 'processing',
    total_rows INTEGER DEFAULT 0,
    processed_rows INTEGER DEFAULT 0,
    success_count INTEGER DEFAULT 0,
    error_count INTEGER DEFAULT 0,
    error_log JSONB DEFAULT '[]'::jsonb,
    -- WordPress import enhancements
    field_mapping JSONB DEFAULT '{}'::jsonb,
    wordpress_metadata JSONB DEFAULT '{}'::jsonb,
    imported_user_ids JSONB DEFAULT '[]'::jsonb,
    rollback_at TIMESTAMP WITH TIME ZONE,
    rollback_by UUID REFERENCES users(id),
    started_by UUID REFERENCES users(id),
    started_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
    completed_at TIMESTAMP WITH TIME ZONE
 );
 -- Import Rollback Audit table (for tracking rollback operations)
 CREATE TABLE IF NOT EXISTS import_rollback_audit (
@@ -608,18 +542,12 @@ CREATE INDEX IF NOT EXISTS idx_subscriptions_user_id ON subscriptions(user_id);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_plan_id ON subscriptions(plan_id);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_status ON subscriptions(status);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_stripe_subscription_id ON subscriptions(stripe_subscription_id);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_payment_intent ON subscriptions(stripe_payment_intent_id);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_charge_id ON subscriptions(stripe_charge_id);
 CREATE INDEX IF NOT EXISTS idx_subscriptions_invoice_id ON subscriptions(stripe_invoice_id);
 -- Donations indexes
 CREATE INDEX IF NOT EXISTS idx_donation_user ON donations(user_id);
 CREATE INDEX IF NOT EXISTS idx_donation_type ON donations(donation_type);
 CREATE INDEX IF NOT EXISTS idx_donation_status ON donations(status);
 CREATE INDEX IF NOT EXISTS idx_donation_created ON donations(created_at);
 CREATE INDEX IF NOT EXISTS idx_donation_payment_intent ON donations(stripe_payment_intent_id);
 CREATE INDEX IF NOT EXISTS idx_donation_charge_id ON donations(stripe_charge_id);
 CREATE INDEX IF NOT EXISTS idx_donation_customer_id ON donations(stripe_customer_id);
 -- Import Jobs indexes
 CREATE INDEX IF NOT EXISTS idx_import_jobs_status ON import_jobs(status);
--- a/models.py
+++ b/models.py
@@ -137,10 +137,6 @@ class User(Base):
    wordpress_user_id = Column(BigInteger, nullable=True, comment="Original WordPress user ID")
    wordpress_registered_date = Column(DateTime(timezone=True), nullable=True, comment="Original WordPress registration date")
    # Role Change Audit Trail
    role_changed_at = Column(DateTime(timezone=True), nullable=True, comment="Timestamp when role was last changed")
    role_changed_by = Column(UUID(as_uuid=True), ForeignKey('users.id', ondelete='SET NULL'), nullable=True, comment="Admin who changed the role")
    created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
    updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
@@ -149,7 +145,6 @@ class User(Base):
    events_created = relationship("Event", back_populates="creator")
    rsvps = relationship("EventRSVP", back_populates="user")
    subscriptions = relationship("Subscription", back_populates="user", foreign_keys="Subscription.user_id")
    role_changer = relationship("User", foreign_keys=[role_changed_by], remote_side="User.id", post_update=True)
 class Event(Base):
    __tablename__ = "events"
@@ -238,15 +233,6 @@ class Subscription(Base):
    donation_cents = Column(Integer, default=0, nullable=False)  # Additional donation amount
    # Note: amount_paid_cents = base_subscription_cents + donation_cents
    # Stripe transaction metadata (for validation and audit)
    stripe_payment_intent_id = Column(String, nullable=True, index=True)  # Initial payment transaction ID
    stripe_charge_id = Column(String, nullable=True, index=True)  # Actual charge reference
    stripe_invoice_id = Column(String, nullable=True, index=True)  # Invoice reference
    payment_completed_at = Column(DateTime(timezone=True), nullable=True)  # Exact payment timestamp from Stripe
    card_last4 = Column(String(4), nullable=True)  # Last 4 digits of card
    card_brand = Column(String(20), nullable=True)  # Visa, Mastercard, etc.
    stripe_receipt_url = Column(String, nullable=True)  # Link to Stripe receipt
    # Manual payment fields
    manual_payment = Column(Boolean, default=False, nullable=False)  # Whether this was a manual offline payment
    manual_payment_notes = Column(Text, nullable=True)  # Admin notes about the payment
@@ -278,17 +264,9 @@ class Donation(Base):
    # Payment details
    stripe_checkout_session_id = Column(String, nullable=True)
-    stripe_payment_intent_id = Column(String, nullable=True, index=True)
+    stripe_payment_intent_id = Column(String, nullable=True)
    payment_method = Column(String, nullable=True)  # card, bank_transfer, etc.
    # Stripe transaction metadata (for validation and audit)
    stripe_charge_id = Column(String, nullable=True, index=True)  # Actual charge reference
    stripe_customer_id = Column(String, nullable=True, index=True)  # Customer ID if created
    payment_completed_at = Column(DateTime(timezone=True), nullable=True)  # Exact payment timestamp from Stripe
    card_last4 = Column(String(4), nullable=True)  # Last 4 digits of card
    card_brand = Column(String(20), nullable=True)  # Visa, Mastercard, etc.
    stripe_receipt_url = Column(String, nullable=True)  # Link to Stripe receipt
    # Metadata
    notes = Column(Text, nullable=True)
    created_at = Column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc))
@@ -531,36 +509,3 @@ class ImportRollbackAudit(Base):
    # Relationships
    import_job = relationship("ImportJob")
    admin_user = relationship("User", foreign_keys=[rolled_back_by])
 # ============================================================
 # System Settings Models
 # ============================================================
 class SettingType(enum.Enum):
    plaintext = "plaintext"
    encrypted = "encrypted"
    json = "json"
 class SystemSettings(Base):
    """System-wide configuration settings stored in database"""
    __tablename__ = "system_settings"
    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
    setting_key = Column(String(100), unique=True, nullable=False, index=True)
    setting_value = Column(Text, nullable=True)
    setting_type = Column(SQLEnum(SettingType), default=SettingType.plaintext, nullable=False)
    description = Column(Text, nullable=True)
    updated_by = Column(UUID(as_uuid=True), ForeignKey("users.id", ondelete="SET NULL"), nullable=True)
    created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), nullable=False)
    updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc), nullable=False)
    is_sensitive = Column(Boolean, default=False, nullable=False)
    # Relationships
    updater = relationship("User", foreign_keys=[updated_by])
    # Index on updated_at for audit queries
    __table_args__ = (
        Index('idx_system_settings_updated_at', 'updated_at'),
    )
--- a/payment_service.py
+++ b/payment_service.py
@@ -11,9 +11,11 @@ from datetime import datetime, timezone, timedelta
 # Load environment variables
 load_dotenv()
-# NOTE: Stripe credentials are now database-driven
+# Initialize Stripe with secret key
-# These .env fallbacks are kept for backward compatibility only
+stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
-# The actual credentials are loaded dynamically from system_settings table
+
 # Stripe webhook secret for signature verification
 STRIPE_WEBHOOK_SECRET = os.getenv("STRIPE_WEBHOOK_SECRET")
 def create_checkout_session(
    user_id: str,
@@ -21,15 +23,11 @@ def create_checkout_session(
    plan_id: str,
    stripe_price_id: str,
    success_url: str,
-    cancel_url: str,
+    cancel_url: str
    db = None
 ):
    """
    Create a Stripe Checkout session for subscription payment.
    Args:
        db: Database session (optional, for reading Stripe credentials from database)
    Args:
        user_id: User's UUID
        user_email: User's email address
@@ -41,28 +39,6 @@ def create_checkout_session(
    Returns:
        dict: Checkout session object with session ID and URL
    """
    # Load Stripe API key from database if available
    if db:
        try:
            # Import here to avoid circular dependency
            from models import SystemSettings, SettingType
            from encryption_service import get_encryption_service
            setting = db.query(SystemSettings).filter(
                SystemSettings.setting_key == 'stripe_secret_key'
            ).first()
            if setting and setting.setting_value:
                encryption_service = get_encryption_service()
                stripe.api_key = encryption_service.decrypt(setting.setting_value)
        except Exception as e:
            # Fallback to .env if database read fails
            print(f"Failed to read Stripe key from database: {e}")
            stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
    else:
        # Fallback to .env if no db session
        stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
    try:
        # Create Checkout Session
        checkout_session = stripe.checkout.Session.create(
@@ -98,14 +74,13 @@ def create_checkout_session(
        raise Exception(f"Stripe error: {str(e)}")
-def verify_webhook_signature(payload: bytes, sig_header: str, db=None) -> dict:
+def verify_webhook_signature(payload: bytes, sig_header: str) -> dict:
    """
    Verify Stripe webhook signature and construct event.
    Args:
        payload: Raw webhook payload bytes
        sig_header: Stripe signature header
        db: Database session (optional, for reading webhook secret from database)
    Returns:
        dict: Verified webhook event
@@ -113,32 +88,9 @@ def verify_webhook_signature(payload: bytes, sig_header: str, db=None) -> dict:
    Raises:
        ValueError: If signature verification fails
    """
    # Load webhook secret from database if available
    webhook_secret = None
    if db:
        try:
            from models import SystemSettings
            from encryption_service import get_encryption_service
            setting = db.query(SystemSettings).filter(
                SystemSettings.setting_key == 'stripe_webhook_secret'
            ).first()
            if setting and setting.setting_value:
                encryption_service = get_encryption_service()
                webhook_secret = encryption_service.decrypt(setting.setting_value)
        except Exception as e:
            print(f"Failed to read webhook secret from database: {e}")
            webhook_secret = os.getenv("STRIPE_WEBHOOK_SECRET")
    else:
        webhook_secret = os.getenv("STRIPE_WEBHOOK_SECRET")
    if not webhook_secret:
        raise ValueError("STRIPE_WEBHOOK_SECRET not configured")
    try:
        event = stripe.Webhook.construct_event(
-            payload, sig_header, webhook_secret
+            payload, sig_header, STRIPE_WEBHOOK_SECRET
        )
        return event
    except ValueError as e:
--- a/requirements.txt
+++ b/requirements.txt
@@ -31,7 +31,7 @@ motor==3.3.1
 msal==1.27.0
 mypy==1.18.2
 mypy_extensions==1.1.0
-numpy==2.3.5
+numpy==2.2.6
 oauthlib==3.3.1
 packaging==25.0
 pandas==2.3.3
--- a/seed_permissions_rbac.py
+++ b/seed_permissions_rbac.py
@@ -118,40 +118,6 @@ PERMISSIONS = [
    {"code": "permissions.audit", "name": "View Permission Audit Log", "description": "View permission change audit logs", "module": "permissions"},
 ]
 # Default system roles that must exist
 DEFAULT_ROLES = [
    {
        "code": "guest",
        "name": "Guest",
        "description": "Default role for new registrations with no special permissions",
        "is_system_role": True
    },
    {
        "code": "member",
        "name": "Member",
        "description": "Active paying members with access to member-only content",
        "is_system_role": True
    },
    {
        "code": "finance",
        "name": "Finance",
        "description": "Financial management role with access to payments, subscriptions, and reports",
        "is_system_role": True
    },
    {
        "code": "admin",
        "name": "Admin",
        "description": "Board members with full management access except RBAC",
        "is_system_role": True
    },
    {
        "code": "superadmin",
        "name": "Superadmin",
        "description": "Full system access including RBAC management",
        "is_system_role": True
    },
 ]
 # Default permission assignments for dynamic roles
 DEFAULT_ROLE_PERMISSIONS = {
    "guest": [],  # Guests have no permissions
@@ -230,34 +196,7 @@ def seed_permissions():
            print(f"\n⚠️  WARNING: Tables not fully cleared! Stopping.")
            return
-        # Step 2: Create default system roles
+        # Step 2: Create permissions
        print(f"\n👤 Creating {len(DEFAULT_ROLES)} system roles...")
        role_map = {}
        for role_data in DEFAULT_ROLES:
            # Check if role already exists
            existing_role = db.query(Role).filter(Role.code == role_data["code"]).first()
            if existing_role:
                print(f"  • {role_data['name']}: Already exists, updating...")
                existing_role.name = role_data["name"]
                existing_role.description = role_data["description"]
                existing_role.is_system_role = role_data["is_system_role"]
                role_map[role_data["code"]] = existing_role
            else:
                print(f"  • {role_data['name']}: Creating...")
                role = Role(
                    code=role_data["code"],
                    name=role_data["name"],
                    description=role_data["description"],
                    is_system_role=role_data["is_system_role"]
                )
                db.add(role)
                role_map[role_data["code"]] = role
        db.commit()
        print(f"✓ Created/updated {len(DEFAULT_ROLES)} system roles")
        # Step 3: Create permissions
        print(f"\n📝 Creating {len(PERMISSIONS)} permissions...")
        permission_map = {}  # Map code to permission object
@@ -274,13 +213,13 @@ def seed_permissions():
        db.commit()
        print(f"✓ Created {len(PERMISSIONS)} permissions")
-        # Step 4: Verify roles exist
+        # Step 3: Get all roles from database
-        print("\n🔍 Verifying dynamic roles...")
+        print("\n🔍 Fetching dynamic roles...")
        roles = db.query(Role).all()
        role_map = {role.code: role for role in roles}
        print(f"✓ Found {len(roles)} roles: {', '.join(role_map.keys())}")
-        # Step 5: Assign permissions to roles
+        # Step 4: Assign permissions to roles
        print("\n🔐 Assigning permissions to roles...")
        from models import UserRole  # Import for enum mapping
@@ -319,7 +258,7 @@ def seed_permissions():
            db.commit()
            print(f"  ✓ {role.name}: Assigned {len(permission_codes)} permissions")
-        # Step 6: Summary
+        # Step 5: Summary
        print("\n" + "=" * 80)
        print("📊 SEEDING SUMMARY")
        print("=" * 80)
@@ -334,8 +273,7 @@ def seed_permissions():
        for module, count in sorted(modules.items()):
            print(f"  • {module.capitalize()}: {count} permissions")
-        print(f"\nTotal system roles created: {len(DEFAULT_ROLES)}")
+        print(f"\nTotal permissions created: {len(PERMISSIONS)}")
        print(f"Total permissions created: {len(PERMISSIONS)}")
        print(f"Total role-permission mappings: {total_assigned}")
        print("\n✅ Permission seeding completed successfully!")
        print("\nNext step: Restart backend server")
--- a/server.py
+++ b/server.py
--- a/start.sh
+++ b/start.sh
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 # Exit immediately if a command fails
 set -e
 # Activate virtual environment
 source .venv/bin/activate
 # Start the backend
 python -m uvicorn server:app --reload --port 8000
Author	SHA1	Message	Date
kayela	38e5f5377a	Merge branch 'dev' into docker	2026-01-06 12:31:29 -06:00
kayela	e06f18ce17	Add start script for backend server initialization and update .gitignore	2026-01-06 12:30:26 -06:00
kayela	84285861cc	Merge branch 'dev' into docker	2026-01-05 13:01:16 -06:00
kayela	56d1b97261	docker deleted	2026-01-05 12:58:22 -06:00
kayela	6b6173bd5b	Refactor docker-compose.yml by removing unnecessary lines and cleaning up formatting	2025-12-26 17:33:40 -06:00
kayela	cf8d38a4a4	Remove database service configuration from docker-compose	2025-12-26 16:50:21 -06:00
kayela	09712e52bb	Merge remote-tracking branch 'origin/dev' into docker	2025-12-26 16:47:24 -06:00
kayela	366245acc7	Add database service configuration to docker-compose	2025-12-24 13:00:42 -06:00
kayela	a75bf743f4	Merge remote-tracking branch 'origin/dev' into docker	2025-12-24 12:46:32 -06:00
kayela	fb369977d0	Update compiled Python bytecode for server module	2025-12-24 12:30:09 -06:00
kayela	1ed9aa0994	Merge remote-tracking branch 'origin' into docker	2025-12-19 12:51:56 -06:00
kayela-c	04783f66f1	docker set up	2025-12-13 12:23:28 -06:00